README revision 182352
138032Speter 264562Sgshapiro SENDMAIL CONFIGURATION FILES 338032Speter 490792SgshapiroThis document describes the sendmail configuration files. It 590792Sgshapiroexplains how to create a sendmail.cf file for use with sendmail. 690792SgshapiroIt also describes how to set options for sendmail which are explained 790792Sgshapiroin the Sendmail Installation and Operation guide (doc/op/op.me). 838032Speter 990792SgshapiroTo get started, you may want to look at tcpproto.mc (for TCP-only 1090792Sgshapirosites) and clientproto.mc (for clusters of clients using a single 1190792Sgshapiromail host), or the generic-*.mc files as operating system-specific 1290792Sgshapiroexamples. 1338032Speter 1490792SgshapiroTable of Content: 1538032Speter 1690792SgshapiroINTRODUCTION AND EXAMPLE 1790792SgshapiroA BRIEF INTRODUCTION TO M4 1890792SgshapiroFILE LOCATIONS 1990792SgshapiroOSTYPE 2090792SgshapiroDOMAINS 2190792SgshapiroMAILERS 2290792SgshapiroFEATURES 2390792SgshapiroHACKS 2490792SgshapiroSITE CONFIGURATION 2590792SgshapiroUSING UUCP MAILERS 2690792SgshapiroTWEAKING RULESETS 2790792SgshapiroMASQUERADING AND RELAYING 2890792SgshapiroUSING LDAP FOR ALIASES, MAPS, AND CLASSES 2990792SgshapiroLDAP ROUTING 3090792SgshapiroANTI-SPAM CONFIGURATION CONTROL 31132943SgshapiroCONNECTION CONTROL 3290792SgshapiroSTARTTLS 3390792SgshapiroSMTP AUTHENTICATION 3490792SgshapiroADDING NEW MAILERS OR RULESETS 3590792SgshapiroADDING NEW MAIL FILTERS 3690792SgshapiroQUEUE GROUP DEFINITIONS 3790792SgshapiroNON-SMTP BASED CONFIGURATIONS 3890792SgshapiroWHO AM I? 3990792SgshapiroACCEPTING MAIL FOR MULTIPLE NAMES 4090792SgshapiroUSING MAILERTABLES 4190792SgshapiroUSING USERDB TO MAP FULL NAMES 4290792SgshapiroMISCELLANEOUS SPECIAL FEATURES 4390792SgshapiroSECURITY NOTES 4490792SgshapiroTWEAKING CONFIGURATION OPTIONS 4590792SgshapiroMESSAGE SUBMISSION PROGRAM 4690792SgshapiroFORMAT OF FILES AND MAPS 4790792SgshapiroDIRECTORY LAYOUT 4890792SgshapiroADMINISTRATIVE DETAILS 4938032Speter 5090792Sgshapiro 5138032Speter+--------------------------+ 5238032Speter| INTRODUCTION AND EXAMPLE | 5338032Speter+--------------------------+ 5438032Speter 5538032SpeterConfiguration files are contained in the subdirectory "cf", with a 5638032Spetersuffix ".mc". They must be run through "m4" to produce a ".cf" file. 5738032SpeterYou must pre-load "cf.m4": 5838032Speter 5938032Speter m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf 6038032Speter 6164562SgshapiroAlternatively, you can simply: 6264562Sgshapiro 6364562Sgshapiro cd ${CFDIR}/cf 6464562Sgshapiro ./Build config.cf 6564562Sgshapiro 6638032Speterwhere ${CFDIR} is the root of the cf directory and config.mc is the 6738032Spetername of your configuration file. If you are running a version of M4 6838032Speterthat understands the __file__ builtin (versions of GNU m4 >= 0.75 do 6938032Speterthis, but the versions distributed with 4.4BSD and derivatives do not) 7038032Speteror the -I flag (ditto), then ${CFDIR} can be in an arbitrary directory. 7138032SpeterFor "traditional" versions, ${CFDIR} ***MUST*** be "..", or you MUST 7238032Speteruse -D_CF_DIR_=/path/to/cf/dir/ -- note the trailing slash! For example: 7338032Speter 7438032Speter m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 config.mc > config.cf 7538032Speter 7638032SpeterLet's examine a typical .mc file: 7738032Speter 7838032Speter divert(-1) 7938032Speter # 80157001Sgshapiro # Copyright (c) 1998-2005 Sendmail, Inc. and its suppliers. 8164562Sgshapiro # All rights reserved. 8238032Speter # Copyright (c) 1983 Eric P. Allman. All rights reserved. 8338032Speter # Copyright (c) 1988, 1993 8438032Speter # The Regents of the University of California. All rights reserved. 8538032Speter # 8638032Speter # By using this file, you agree to the terms and conditions set 8738032Speter # forth in the LICENSE file which can be found at the top level of 8838032Speter # the sendmail distribution. 8938032Speter # 9038032Speter 9138032Speter # 9238032Speter # This is a Berkeley-specific configuration file for HP-UX 9.x. 9338032Speter # It applies only to the Computer Science Division at Berkeley, 9438032Speter # and should not be used elsewhere. It is provided on the sendmail 9538032Speter # distribution as a sample only. To create your own configuration 9638032Speter # file, create an appropriate domain file in ../domain, change the 9738032Speter # `DOMAIN' macro below to reference that file, and copy the result 9838032Speter # to a name of your own choosing. 9938032Speter # 10038032Speter divert(0) 10138032Speter 10238032SpeterThe divert(-1) will delete the crud in the resulting output file. 10338032SpeterThe copyright notice can be replaced by whatever your lawyers require; 10464562Sgshapiroour lawyers require the one that is included in these files. A copyleft 10538032Speteris a copyright by another name. The divert(0) restores regular output. 10638032Speter 10738032Speter VERSIONID(`<SCCS or RCS version id>') 10838032Speter 10938032SpeterVERSIONID is a macro that stuffs the version information into the 11064562Sgshapiroresulting file. You could use SCCS, RCS, CVS, something else, or 11138032Speteromit it completely. This is not the same as the version id included 11238032Speterin SMTP greeting messages -- this is defined in m4/version.m4. 11338032Speter 11464562Sgshapiro OSTYPE(`hpux9')dnl 11538032Speter 11638032SpeterYou must specify an OSTYPE to properly configure things such as the 11738032Speterpathname of the help and status files, the flags needed for the local 11838032Spetermailer, and other important things. If you omit it, you will get an 11938032Spetererror when you try to build the configuration. Look at the ostype 12038032Speterdirectory for the list of known operating system types. 12138032Speter 12264562Sgshapiro DOMAIN(`CS.Berkeley.EDU')dnl 12338032Speter 12438032SpeterThis example is specific to the Computer Science Division at Berkeley. 12564562SgshapiroYou can use "DOMAIN(`generic')" to get a sufficiently bland definition 12638032Speterthat may well work for you, or you can create a customized domain 12738032Speterdefinition appropriate for your environment. 12838032Speter 12964562Sgshapiro MAILER(`local') 13064562Sgshapiro MAILER(`smtp') 13138032Speter 13290792SgshapiroThese describe the mailers used at the default CS site. The local 13390792Sgshapiromailer is always included automatically. Beware: MAILER declarations 134132943Sgshapiroshould only be followed by LOCAL_* sections. The general rules are 135132943Sgshapirothat the order should be: 13638032Speter 13738032Speter VERSIONID 13838032Speter OSTYPE 13938032Speter DOMAIN 14038032Speter FEATURE 14138032Speter local macro definitions 14238032Speter MAILER 14390792Sgshapiro LOCAL_CONFIG 14464562Sgshapiro LOCAL_RULE_* 14564562Sgshapiro LOCAL_RULESETS 14638032Speter 14764562SgshapiroThere are a few exceptions to this rule. Local macro definitions which 14864562Sgshapiroinfluence a FEATURE() should be done before that feature. For example, 14964562Sgshapiroa define(`PROCMAIL_MAILER_PATH', ...) should be done before 15064562SgshapiroFEATURE(`local_procmail'). 15138032Speter 15290792Sgshapiro******************************************************************* 15390792Sgshapiro*** BE SURE YOU CUSTOMIZE THESE FILES! They have some *** 15490792Sgshapiro*** Berkeley-specific assumptions built in, such as the name *** 15590792Sgshapiro*** of their UUCP-relay. You'll want to create your own *** 15690792Sgshapiro*** domain description, and use that in place of *** 15790792Sgshapiro*** domain/Berkeley.EDU.m4. *** 15890792Sgshapiro******************************************************************* 15964562Sgshapiro 16090792Sgshapiro 16138032Speter+----------------------------+ 16238032Speter| A BRIEF INTRODUCTION TO M4 | 16338032Speter+----------------------------+ 16438032Speter 16538032SpeterSendmail uses the M4 macro processor to ``compile'' the configuration 16638032Speterfiles. The most important thing to know is that M4 is stream-based, 16738032Speterthat is, it doesn't understand about lines. For this reason, in some 16838032Speterplaces you may see the word ``dnl'', which stands for ``delete 16938032Speterthrough newline''; essentially, it deletes all characters starting 17038032Speterat the ``dnl'' up to and including the next newline character. In 17138032Spetermost cases sendmail uses this only to avoid lots of unnecessary 17238032Speterblank lines in the output. 17338032Speter 17438032SpeterOther important directives are define(A, B) which defines the macro 17538032Speter``A'' to have value ``B''. Macros are expanded as they are read, so 17638032Speterone normally quotes both values to prevent expansion. For example, 17738032Speter 17838032Speter define(`SMART_HOST', `smart.foo.com') 17938032Speter 18038032SpeterOne word of warning: M4 macros are expanded even in lines that appear 18138032Speterto be comments. For example, if you have 18238032Speter 18364562Sgshapiro # See FEATURE(`foo') above 18438032Speter 18564562Sgshapiroit will not do what you expect, because the FEATURE(`foo') will be 18638032Speterexpanded. This also applies to 18738032Speter 18838032Speter # And then define the $X macro to be the return address 18938032Speter 19038032Speterbecause ``define'' is an M4 keyword. If you want to use them, surround 19138032Speterthem with directed quotes, `like this'. 19238032Speter 193110560SgshapiroSince m4 uses single quotes (opening "`" and closing "'") to quote 194110560Sgshapiroarguments, those quotes can't be used in arguments. For example, 195110560Sgshapiroit is not possible to define a rejection message containing a single 196110560Sgshapiroquote. Usually there are simple workarounds by changing those 197110560Sgshapiromessages; in the worst case it might be ok to change the value 198110560Sgshapirodirectly in the generated .cf file, which however is not advised. 19990792Sgshapiro 200110560Sgshapiro 20190792SgshapiroNotice: 20290792Sgshapiro------- 20390792Sgshapiro 20490792SgshapiroThis package requires a post-V7 version of m4; if you are running the 20590792Sgshapiro4.2bsd, SysV.2, or 7th Edition version. SunOS's /usr/5bin/m4 or 20690792SgshapiroBSD-Net/2's m4 both work. GNU m4 version 1.1 or later also works. 20790792SgshapiroUnfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a 20890792SgshapiroNet/2 or GNU version. GNU m4 is available from 20990792Sgshapiroftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version). 21090792SgshapiroEXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine). Use GNU 21190792Sgshapirom4 on this platform. 21290792Sgshapiro 21390792Sgshapiro 21438032Speter+----------------+ 21538032Speter| FILE LOCATIONS | 21638032Speter+----------------+ 21738032Speter 21838032Spetersendmail 8.9 has introduced a new configuration directory for sendmail 21938032Speterrelated files, /etc/mail. The new files available for sendmail 8.9 -- 22064562Sgshapirothe class {R} /etc/mail/relay-domains and the access database 22164562Sgshapiro/etc/mail/access -- take advantage of this new directory. Beginning with 22264562Sgshapiro8.10, all files will use this directory by default (some options may be 22364562Sgshapiroset by OSTYPE() files). This new directory should help to restore 22464562Sgshapirouniformity to sendmail's file locations. 22538032Speter 22664562SgshapiroBelow is a table of some of the common changes: 22764562Sgshapiro 22864562SgshapiroOld filename New filename 22964562Sgshapiro------------ ------------ 23064562Sgshapiro/etc/bitdomain /etc/mail/bitdomain 23164562Sgshapiro/etc/domaintable /etc/mail/domaintable 23264562Sgshapiro/etc/genericstable /etc/mail/genericstable 23364562Sgshapiro/etc/uudomain /etc/mail/uudomain 23464562Sgshapiro/etc/virtusertable /etc/mail/virtusertable 23564562Sgshapiro/etc/userdb /etc/mail/userdb 23664562Sgshapiro 23764562Sgshapiro/etc/aliases /etc/mail/aliases 23864562Sgshapiro/etc/sendmail/aliases /etc/mail/aliases 23964562Sgshapiro/etc/ucbmail/aliases /etc/mail/aliases 24064562Sgshapiro/usr/adm/sendmail/aliases /etc/mail/aliases 24164562Sgshapiro/usr/lib/aliases /etc/mail/aliases 24264562Sgshapiro/usr/lib/mail/aliases /etc/mail/aliases 24364562Sgshapiro/usr/ucblib/aliases /etc/mail/aliases 24464562Sgshapiro 24564562Sgshapiro/etc/sendmail.cw /etc/mail/local-host-names 24664562Sgshapiro/etc/mail/sendmail.cw /etc/mail/local-host-names 24764562Sgshapiro/etc/sendmail/sendmail.cw /etc/mail/local-host-names 24864562Sgshapiro 24964562Sgshapiro/etc/sendmail.ct /etc/mail/trusted-users 25064562Sgshapiro 25164562Sgshapiro/etc/sendmail.oE /etc/mail/error-header 25264562Sgshapiro 25364562Sgshapiro/etc/sendmail.hf /etc/mail/helpfile 25464562Sgshapiro/etc/mail/sendmail.hf /etc/mail/helpfile 25564562Sgshapiro/usr/ucblib/sendmail.hf /etc/mail/helpfile 25664562Sgshapiro/etc/ucbmail/sendmail.hf /etc/mail/helpfile 25764562Sgshapiro/usr/lib/sendmail.hf /etc/mail/helpfile 25864562Sgshapiro/usr/share/lib/sendmail.hf /etc/mail/helpfile 25964562Sgshapiro/usr/share/misc/sendmail.hf /etc/mail/helpfile 26064562Sgshapiro/share/misc/sendmail.hf /etc/mail/helpfile 26164562Sgshapiro 26264562Sgshapiro/etc/service.switch /etc/mail/service.switch 26364562Sgshapiro 26464562Sgshapiro/etc/sendmail.st /etc/mail/statistics 26564562Sgshapiro/etc/mail/sendmail.st /etc/mail/statistics 26664562Sgshapiro/etc/mailer/sendmail.st /etc/mail/statistics 26764562Sgshapiro/etc/sendmail/sendmail.st /etc/mail/statistics 26864562Sgshapiro/usr/lib/sendmail.st /etc/mail/statistics 26964562Sgshapiro/usr/ucblib/sendmail.st /etc/mail/statistics 27064562Sgshapiro 27164562SgshapiroNote that all of these paths actually use a new m4 macro MAIL_SETTINGS_DIR 27264562Sgshapiroto create the pathnames. The default value of this variable is 27364562Sgshapiro`/etc/mail/'. If you set this macro to a different value, you MUST include 27464562Sgshapiroa trailing slash. 27564562Sgshapiro 27680785SgshapiroNotice: all filenames used in a .mc (or .cf) file should be absolute 27780785Sgshapiro(starting at the root, i.e., with '/'). Relative filenames most 27880785Sgshapirolikely cause surprises during operations (unless otherwise noted). 27980785Sgshapiro 28080785Sgshapiro 28138032Speter+--------+ 28238032Speter| OSTYPE | 28338032Speter+--------+ 28438032Speter 28538032SpeterYou MUST define an operating system environment, or the configuration 28638032Speterfile build will puke. There are several environments available; look 28738032Speterat the "ostype" directory for the current list. This macro changes 28838032Speterthings like the location of the alias file and queue directory. Some 28938032Speterof these files are identical to one another. 29038032Speter 29138032SpeterIt is IMPERATIVE that the OSTYPE occur before any MAILER definitions. 29238032SpeterIn general, the OSTYPE macro should go immediately after any version 29338032Speterinformation, and MAILER definitions should always go last. 29438032Speter 29538032SpeterOperating system definitions are usually easy to write. They may define 29638032Speterthe following variables (everything defaults, so an ostype file may be 29738032Speterempty). Unfortunately, the list of configuration-supported systems is 29838032Speternot as broad as the list of source-supported systems, since many of 29938032Speterthe source contributors do not include corresponding ostype files. 30038032Speter 30164562SgshapiroALIAS_FILE [/etc/mail/aliases] The location of the text version 30238032Speter of the alias file(s). It can be a comma-separated 30338032Speter list of names (but be sure you quote values with 30438032Speter commas in them -- for example, use 30538032Speter define(`ALIAS_FILE', `a,b') 30638032Speter to get "a" and "b" both listed as alias files; 30738032Speter otherwise the define() primitive only sees "a"). 30864562SgshapiroHELP_FILE [/etc/mail/helpfile] The name of the file 30938032Speter containing information printed in response to 31038032Speter the SMTP HELP command. 31138032SpeterQUEUE_DIR [/var/spool/mqueue] The directory containing 31264562Sgshapiro queue files. To use multiple queues, supply 31364562Sgshapiro a value ending with an asterisk. For 31473188Sgshapiro example, /var/spool/mqueue/qd* will use all of the 31564562Sgshapiro directories or symbolic links to directories 31673188Sgshapiro beginning with 'qd' in /var/spool/mqueue as queue 31764562Sgshapiro directories. The names 'qf', 'df', and 'xf' are 31873188Sgshapiro reserved as specific subdirectories for the 31973188Sgshapiro corresponding queue file types as explained in 32090792Sgshapiro doc/op/op.me. See also QUEUE GROUP DEFINITIONS. 32190792SgshapiroMSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing 32290792Sgshapiro queue files for the MSP (Mail Submission Program, 32390792Sgshapiro see sendmail/SECURITY). 32464562SgshapiroSTATUS_FILE [/etc/mail/statistics] The file containing status 32538032Speter information. 32638032SpeterLOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. 32764562SgshapiroLOCAL_MAILER_FLAGS [Prmn9] The flags used by the local mailer. The 32864562Sgshapiro flags lsDFMAw5:/|@q are always included. 32938032SpeterLOCAL_MAILER_ARGS [mail -d $u] The arguments passed to deliver local 33038032Speter mail. 33138032SpeterLOCAL_MAILER_MAX [undefined] If defined, the maximum size of local 33238032Speter mail that you are willing to accept. 33364562SgshapiroLOCAL_MAILER_MAXMSGS [undefined] If defined, the maximum number of 33464562Sgshapiro messages to deliver in a single connection. Only 33564562Sgshapiro useful for LMTP local mailers. 33638032SpeterLOCAL_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 33738032Speter that ARRIVE from an address that resolves to the 33838032Speter local mailer and which are converted to MIME will be 33938032Speter labeled with this character set. 34064562SgshapiroLOCAL_MAILER_EOL [undefined] If defined, the string to use as the 34164562Sgshapiro end of line for the local mailer. 34264562SgshapiroLOCAL_MAILER_DSN_DIAGNOSTIC_CODE 34364562Sgshapiro [X-Unix] The DSN Diagnostic-Code value for the 34464562Sgshapiro local mailer. This should be changed with care. 34538032SpeterLOCAL_SHELL_PATH [/bin/sh] The shell used to deliver piped email. 34638032SpeterLOCAL_SHELL_FLAGS [eu9] The flags used by the shell mailer. The 34738032Speter flags lsDFM are always included. 34838032SpeterLOCAL_SHELL_ARGS [sh -c $u] The arguments passed to deliver "prog" 34938032Speter mail. 35038032SpeterLOCAL_SHELL_DIR [$z:/] The directory search path in which the 35138032Speter shell should run. 35290792SgshapiroLOCAL_MAILER_QGRP [undefined] The queue group for the local mailer. 35338032SpeterUSENET_MAILER_PATH [/usr/lib/news/inews] The name of the program 35438032Speter used to submit news. 35564562SgshapiroUSENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer. 35638032SpeterUSENET_MAILER_ARGS [-m -h -n] The command line arguments for the 35790792Sgshapiro usenet mailer. NOTE: Some versions of inews 35890792Sgshapiro (such as those shipped with newer versions of INN) 35990792Sgshapiro use different flags. Double check the defaults 36090792Sgshapiro against the inews man page. 361102528SgshapiroUSENET_MAILER_MAX [undefined] The maximum size of messages that will 36238032Speter be accepted by the usenet mailer. 36390792SgshapiroUSENET_MAILER_QGRP [undefined] The queue group for the usenet mailer. 36438032SpeterSMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default 36564562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 36664562Sgshapiro "esmtp" mailer adds `a'; "smtp8" adds `8'; and 36764562Sgshapiro "dsmtp" adds `%'. 36864562SgshapiroRELAY_MAILER_FLAGS [undefined] Flags added to the relay mailer. Default 36964562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 37064562Sgshapiro relay mailer adds `a8'. If this is not defined, 37164562Sgshapiro then SMTP_MAILER_FLAGS is used. 37238032SpeterSMTP_MAILER_MAX [undefined] The maximum size of messages that will 37364562Sgshapiro be transported using the smtp, smtp8, esmtp, or dsmtp 37438032Speter mailers. 37564562SgshapiroSMTP_MAILER_MAXMSGS [undefined] If defined, the maximum number of 37664562Sgshapiro messages to deliver in a single connection for the 37764562Sgshapiro smtp, smtp8, esmtp, or dsmtp mailers. 37894334SgshapiroSMTP_MAILER_MAXRCPTS [undefined] If defined, the maximum number of 37994334Sgshapiro recipients to deliver in a single connection for the 38094334Sgshapiro smtp, smtp8, esmtp, or dsmtp mailers. 38166494SgshapiroSMTP_MAILER_ARGS [TCP $h] The arguments passed to the smtp mailer. 38238032Speter About the only reason you would want to change this 38338032Speter would be to change the default port. 38466494SgshapiroESMTP_MAILER_ARGS [TCP $h] The arguments passed to the esmtp mailer. 38566494SgshapiroSMTP8_MAILER_ARGS [TCP $h] The arguments passed to the smtp8 mailer. 38666494SgshapiroDSMTP_MAILER_ARGS [TCP $h] The arguments passed to the dsmtp mailer. 38766494SgshapiroRELAY_MAILER_ARGS [TCP $h] The arguments passed to the relay mailer. 38890792SgshapiroSMTP_MAILER_QGRP [undefined] The queue group for the smtp mailer. 38990792SgshapiroESMTP_MAILER_QGRP [undefined] The queue group for the esmtp mailer. 39090792SgshapiroSMTP8_MAILER_QGRP [undefined] The queue group for the smtp8 mailer. 39190792SgshapiroDSMTP_MAILER_QGRP [undefined] The queue group for the dsmtp mailer. 39290792SgshapiroRELAY_MAILER_QGRP [undefined] The queue group for the relay mailer. 39364562SgshapiroRELAY_MAILER_MAXMSGS [undefined] If defined, the maximum number of 39464562Sgshapiro messages to deliver in a single connection for the 39564562Sgshapiro relay mailer. 39638032SpeterSMTP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 39738032Speter that ARRIVE from an address that resolves to one of 39838032Speter the SMTP mailers and which are converted to MIME will 39938032Speter be labeled with this character set. 400168515SgshapiroSMTP_MAILER_LL [990] The maximum line length for SMTP mailers 401168515Sgshapiro (except the relay mailer). 402168515SgshapiroRELAY_MAILER_LL [2040] The maximum line length for the relay mailer. 40338032SpeterUUCP_MAILER_PATH [/usr/bin/uux] The program used to send UUCP mail. 40438032SpeterUUCP_MAILER_FLAGS [undefined] Flags added to UUCP mailer. Default 40538032Speter flags are `DFMhuU' (and `m' for uucp-new mailer, 40638032Speter minus `U' for uucp-dom mailer). 40738032SpeterUUCP_MAILER_ARGS [uux - -r -z -a$g -gC $h!rmail ($u)] The arguments 40838032Speter passed to the UUCP mailer. 40938032SpeterUUCP_MAILER_MAX [100000] The maximum size message accepted for 41038032Speter transmission by the UUCP mailers. 41138032SpeterUUCP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 41238032Speter that ARRIVE from an address that resolves to one of 41338032Speter the UUCP mailers and which are converted to MIME will 41438032Speter be labeled with this character set. 41590792SgshapiroUUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers. 41638032SpeterFAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to 41738032Speter submit FAX messages. 41838032SpeterFAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX 41938032Speter mailer. 42038032SpeterFAX_MAILER_MAX [100000] The maximum size message accepted for 42138032Speter transmission by FAX. 42238032SpeterPOP_MAILER_PATH [/usr/lib/mh/spop] The pathname of the POP mailer. 42364562SgshapiroPOP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq 42438032Speter are always added. 42538032SpeterPOP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer. 42690792SgshapiroPOP_MAILER_QGRP [undefined] The queue group for the pop mailer. 42738032SpeterPROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail 42843730Speter program. This is also used by 42943730Speter FEATURE(`local_procmail'). 43038032SpeterPROCMAIL_MAILER_FLAGS [SPhnu9] Flags added to Procmail mailer. Flags 43164562Sgshapiro DFM are always set. This is NOT used by 43243730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_FLAGS 43338032Speter instead. 43438032SpeterPROCMAIL_MAILER_ARGS [procmail -Y -m $h $f $u] The arguments passed to 43538032Speter the Procmail mailer. This is NOT used by 43643730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_ARGS 43738032Speter instead. 43838032SpeterPROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that 43938032Speter will be accepted by the procmail mailer. 44090792SgshapiroPROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer. 44138032SpeterMAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer. 44238032SpeterMAIL11_MAILER_FLAGS [nsFx] Flags for the mail11 mailer. 44338032SpeterMAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11 44438032Speter mailer. 44590792SgshapiroMAIL11_MAILER_QGRP [undefined] The queue group for the mail11 mailer. 44638032SpeterPH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery 44738032Speter program. 44864562SgshapiroPH_MAILER_FLAGS [ehmu] Flags for the phquery mailer. Flags nrDFM 44964562Sgshapiro are always set. 45038032SpeterPH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer. 45190792SgshapiroPH_MAILER_QGRP [undefined] The queue group for the ph mailer. 45264562SgshapiroCYRUS_MAILER_FLAGS [Ah5@/:|] The flags used by the cyrus mailer. The 45338032Speter flags lsDFMnPq are always included. 45438032SpeterCYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver 45538032Speter cyrus mail. 45638032SpeterCYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed 45738032Speter to deliver cyrus mail. 45838032SpeterCYRUS_MAILER_MAX [undefined] If set, the maximum size message that 45938032Speter will be accepted by the cyrus mailer. 46038032SpeterCYRUS_MAILER_USER [cyrus:mail] The user and group to become when 46138032Speter running the cyrus mailer. 46290792SgshapiroCYRUS_MAILER_QGRP [undefined] The queue group for the cyrus mailer. 46364562SgshapiroCYRUS_BB_MAILER_FLAGS [u] The flags used by the cyrusbb mailer. 46464562Sgshapiro The flags lsDFMnP are always included. 46538032SpeterCYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed 46638032Speter to deliver cyrusbb mail. 46798121SgshapiroCYRUSV2_MAILER_FLAGS [A@/:|m] The flags used by the cyrusv2 mailer. The 46898121Sgshapiro flags lsDFMnqXz are always included. 46998121SgshapiroCYRUSV2_MAILER_MAXMSGS [undefined] If defined, the maximum number of 47098121Sgshapiro messages to deliver in a single connection for the 47198121Sgshapiro cyrusv2 mailer. 47298121SgshapiroCYRUSV2_MAILER_MAXRCPTS [undefined] If defined, the maximum number of 47398121Sgshapiro recipients to deliver in a single connection for the 47498121Sgshapiro cyrusv2 mailer. 47598121SgshapiroCYRUSV2_MAILER_ARGS [FILE /var/imap/socket/lmtp] The arguments passed 47698121Sgshapiro to the cyrusv2 mailer. This can be used to 47798121Sgshapiro change the name of the Unix domain socket, or 47898121Sgshapiro to switch to delivery via TCP (e.g., `TCP $h lmtp') 47998121SgshapiroCYRUSV2_MAILER_QGRP [undefined] The queue group for the cyrusv2 mailer. 480110560SgshapiroCYRUSV2_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 481110560Sgshapiro that ARRIVE from an address that resolves to one the 482110560Sgshapiro Cyrus mailer and which are converted to MIME will 483110560Sgshapiro be labeled with this character set. 48438032SpeterconfEBINDIR [/usr/libexec] The directory for executables. 48543730Speter Currently used for FEATURE(`local_lmtp') and 48643730Speter FEATURE(`smrsh'). 48764562SgshapiroQPAGE_MAILER_FLAGS [mDFMs] The flags used by the qpage mailer. 48864562SgshapiroQPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver 48964562Sgshapiro qpage mail. 49064562SgshapiroQPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed 49164562Sgshapiro to deliver qpage mail. 49264562SgshapiroQPAGE_MAILER_MAX [4096] If set, the maximum size message that 49364562Sgshapiro will be accepted by the qpage mailer. 49490792SgshapiroQPAGE_MAILER_QGRP [undefined] The queue group for the qpage mailer. 49590792SgshapiroLOCAL_PROG_QGRP [undefined] The queue group for the prog mailer. 49638032Speter 49764562SgshapiroNote: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: 498157001SgshapiroMODIFY_MAILER_FLAGS(`Name', `change') where Name is the first part 499157001Sgshapiroof the macro Name_MAILER_FLAGS (note: that means Name is entirely in 500157001Sgshapiroupper case) and change can be: flags that should be used directly 501157001Sgshapiro(thus overriding the default value), or if it starts with `+' (`-') 502157001Sgshapirothen those flags are added to (removed from) the default value. 503157001SgshapiroExample: 50438032Speter 50564562Sgshapiro MODIFY_MAILER_FLAGS(`LOCAL', `+e') 50638032Speter 50790792Sgshapirowill add the flag `e' to LOCAL_MAILER_FLAGS. Notice: there are 50890792Sgshapiroseveral smtp mailers all of which are manipulated individually. 50990792SgshapiroSee the section MAILERS for the available mailer names. 51064562SgshapiroWARNING: The FEATUREs local_lmtp and local_procmail set LOCAL_MAILER_FLAGS 51164562Sgshapirounconditionally, i.e., without respecting any definitions in an 51264562SgshapiroOSTYPE setting. 51364562Sgshapiro 51464562Sgshapiro 51538032Speter+---------+ 51638032Speter| DOMAINS | 51738032Speter+---------+ 51838032Speter 51938032SpeterYou will probably want to collect domain-dependent defines into one 52064562Sgshapirofile, referenced by the DOMAIN macro. For example, the Berkeley 52138032Speterdomain file includes definitions for several internal distinguished 52238032Speterhosts: 52338032Speter 52438032SpeterUUCP_RELAY The host that will accept UUCP-addressed email. 52538032Speter If not defined, all UUCP sites must be directly 52638032Speter connected. 52738032SpeterBITNET_RELAY The host that will accept BITNET-addressed email. 52838032Speter If not defined, the .BITNET pseudo-domain won't work. 52938032SpeterDECNET_RELAY The host that will accept DECNET-addressed email. 53038032Speter If not defined, the .DECNET pseudo-domain and addresses 53138032Speter of the form node::user will not work. 53238032SpeterFAX_RELAY The host that will accept mail to the .FAX pseudo-domain. 53338032Speter The "fax" mailer overrides this value. 53471345SgshapiroLOCAL_RELAY The site that will handle unqualified names -- that 53582017Sgshapiro is, names without an @domain extension. 53671345Sgshapiro Normally MAIL_HUB is preferred for this function. 53771345Sgshapiro LOCAL_RELAY is mostly useful in conjunction with 53890792Sgshapiro FEATURE(`stickyhost') -- see the discussion of 53971345Sgshapiro stickyhost below. If not set, they are assumed to 54071345Sgshapiro belong on this machine. This allows you to have a 54171345Sgshapiro central site to store a company- or department-wide 54271345Sgshapiro alias database. This only works at small sites, 54371345Sgshapiro and only with some user agents. 54438032SpeterLUSER_RELAY The site that will handle lusers -- that is, apparently 54564562Sgshapiro local names that aren't local accounts or aliases. To 54664562Sgshapiro specify a local user instead of a site, set this to 54764562Sgshapiro ``local:username''. 54838032Speter 54938032SpeterAny of these can be either ``mailer:hostname'' (in which case the 55038032Spetermailer is the internal mailer name, such as ``uucp-new'' and the hostname 55138032Speteris the name of the host as appropriate for that mailer) or just a 55238032Speter``hostname'', in which case a default mailer type (usually ``relay'', 55338032Spetera variant on SMTP) is used. WARNING: if you have a wildcard MX 55438032Speterrecord matching your domain, you probably want to define these to 55538032Speterhave a trailing dot so that you won't get the mail diverted back 55638032Speterto yourself. 55738032Speter 55838032SpeterThe domain file can also be used to define a domain name, if needed 55938032Speter(using "DD<domain>") and set certain site-wide features. If all hosts 56038032Speterat your site masquerade behind one email name, you could also use 56138032SpeterMASQUERADE_AS here. 56238032Speter 56338032SpeterYou do not have to define a domain -- in particular, if you are a 56438032Spetersingle machine sitting off somewhere, it is probably more work than 56538032Speterit's worth. This is just a mechanism for combining "domain dependent 56638032Speterknowledge" into one place. 56738032Speter 56890792Sgshapiro 56938032Speter+---------+ 57038032Speter| MAILERS | 57138032Speter+---------+ 57238032Speter 57338032SpeterThere are fewer mailers supported in this version than the previous 57438032Speterversion, owing mostly to a simpler world. As a general rule, put the 57590792SgshapiroMAILER definitions last in your .mc file. 57638032Speter 57738032Speterlocal The local and prog mailers. You will almost always 57838032Speter need these; the only exception is if you relay ALL 57938032Speter your mail to another site. This mailer is included 58038032Speter automatically. 58138032Speter 58238032Spetersmtp The Simple Mail Transport Protocol mailer. This does 58338032Speter not hide hosts behind a gateway or another other 58438032Speter such hack; it assumes a world where everyone is 58538032Speter running the name server. This file actually defines 58664562Sgshapiro five mailers: "smtp" for regular (old-style) SMTP to 58738032Speter other servers, "esmtp" for extended SMTP to other 58838032Speter servers, "smtp8" to do SMTP to other servers without 58938032Speter converting 8-bit data to MIME (essentially, this is 59038032Speter your statement that you know the other end is 8-bit 59164562Sgshapiro clean even if it doesn't say so), "dsmtp" to do on 59264562Sgshapiro demand delivery, and "relay" for transmission to the 59364562Sgshapiro RELAY_HOST, LUSER_RELAY, or MAIL_HUB. 59438032Speter 59566494Sgshapirouucp The UNIX-to-UNIX Copy Program mailer. Actually, this 59638032Speter defines two mailers, "uucp-old" (a.k.a. "uucp") and 59738032Speter "uucp-new" (a.k.a. "suucp"). The latter is for when you 59838032Speter know that the UUCP mailer at the other end can handle 59938032Speter multiple recipients in one transfer. If the smtp mailer 60090792Sgshapiro is included in your configuration, two other mailers 60190792Sgshapiro ("uucp-dom" and "uucp-uudom") are also defined [warning: you 60290792Sgshapiro MUST specify MAILER(`smtp') before MAILER(`uucp')]. When you 60338032Speter include the uucp mailer, sendmail looks for all names in 60464562Sgshapiro class {U} and sends them to the uucp-old mailer; all 60564562Sgshapiro names in class {Y} are sent to uucp-new; and all 60664562Sgshapiro names in class {Z} are sent to uucp-uudom. Note that 60738032Speter this is a function of what version of rmail runs on 60838032Speter the receiving end, and hence may be out of your control. 60938032Speter See the section below describing UUCP mailers in more 61038032Speter detail. 61138032Speter 61238032Speterusenet Usenet (network news) delivery. If this is specified, 61338032Speter an extra rule is added to ruleset 0 that forwards all 61438032Speter local email for users named ``group.usenet'' to the 61538032Speter ``inews'' program. Note that this works for all groups, 61638032Speter and may be considered a security problem. 61738032Speter 61838032Speterfax Facsimile transmission. This is experimental and based 61938032Speter on Sam Leffler's HylaFAX software. For more information, 62071345Sgshapiro see http://www.hylafax.org/. 62138032Speter 62238032Speterpop Post Office Protocol. 62338032Speter 62438032Speterprocmail An interface to procmail (does not come with sendmail). 62538032Speter This is designed to be used in mailertables. For example, 62638032Speter a common question is "how do I forward all mail for a given 62738032Speter domain to a single person?". If you have this mailer 62838032Speter defined, you could set up a mailertable reading: 62938032Speter 63038032Speter host.com procmail:/etc/procmailrcs/host.com 63138032Speter 63238032Speter with the file /etc/procmailrcs/host.com reading: 63338032Speter 63438032Speter :0 # forward mail for host.com 63538032Speter ! -oi -f $1 person@other.host 63638032Speter 63738032Speter This would arrange for (anything)@host.com to be sent 638111823Sgshapiro to person@other.host. In a procmail script, $1 is the 639111823Sgshapiro name of the sender and $2 is the name of the recipient. 64043730Speter If you use this with FEATURE(`local_procmail'), the FEATURE 64138032Speter should be listed first. 64238032Speter 64390792Sgshapiro Of course there are other ways to solve this particular 64490792Sgshapiro problem, e.g., a catch-all entry in a virtusertable. 64590792Sgshapiro 64638032Spetermail11 The DECnet mail11 mailer, useful only if you have the mail11 64738032Speter program from gatekeeper.dec.com:/pub/DEC/gwtools (and 64838032Speter DECnet, of course). This is for Phase IV DECnet support; 64938032Speter if you have Phase V at your site you may have additional 65038032Speter problems. 65138032Speter 65238032Speterphquery The phquery program. This is somewhat counterintuitively 65338032Speter referenced as the "ph" mailer internally. It can be used 65438032Speter to do CCSO name server lookups. The phquery program, which 65538032Speter this mailer uses, is distributed with the ph client. 65638032Speter 65738032Spetercyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to 65838032Speter a local cyrus user. this mailer can make use of the 65990792Sgshapiro "user+detail@local.host" syntax (see 66090792Sgshapiro FEATURE(`preserve_local_plus_detail')); it will deliver the 66190792Sgshapiro mail to the user's "detail" mailbox if the mailbox's ACL 66290792Sgshapiro permits. The cyrusbb mailer delivers to a system-wide 66390792Sgshapiro cyrus mailbox if the mailbox's ACL permits. The cyrus 66490792Sgshapiro mailer must be defined after the local mailer. 66538032Speter 66698121Sgshapirocyrusv2 The mailer for Cyrus v2.x. The cyrusv2 mailer delivers to 66798121Sgshapiro local cyrus users via LMTP. This mailer can make use of the 66898121Sgshapiro "user+detail@local.host" syntax (see 66998121Sgshapiro FEATURE(`preserve_local_plus_detail')); it will deliver the 67098121Sgshapiro mail to the user's "detail" mailbox if the mailbox's ACL 67198121Sgshapiro permits. The cyrusv2 mailer must be defined after the 67298121Sgshapiro local mailer. 67398121Sgshapiro 67464562Sgshapiroqpage A mailer for QuickPage, a pager interface. See 67564562Sgshapiro http://www.qpage.org/ for further information. 67638032Speter 67738032SpeterThe local mailer accepts addresses of the form "user+detail", where 67838032Speterthe "+detail" is not used for mailbox matching but is available 67943730Speterto certain local mail programs (in particular, see 68043730SpeterFEATURE(`local_procmail')). For example, "eric", "eric+sendmail", and 68143730Speter"eric+sww" all indicate the same user, but additional arguments <null>, 68243730Speter"sendmail", and "sww" may be provided for use in sorting mail. 68338032Speter 68438032Speter 68538032Speter+----------+ 68638032Speter| FEATURES | 68738032Speter+----------+ 68838032Speter 68938032SpeterSpecial features can be requested using the "FEATURE" macro. For 69038032Speterexample, the .mc line: 69138032Speter 69243730Speter FEATURE(`use_cw_file') 69338032Speter 69464562Sgshapirotells sendmail that you want to have it read an /etc/mail/local-host-names 69590792Sgshapirofile to get values for class {w}. A FEATURE may contain up to 9 69664562Sgshapirooptional parameters -- for example: 69738032Speter 69843730Speter FEATURE(`mailertable', `dbm /usr/lib/mailertable') 69938032Speter 70038032SpeterThe default database map type for the table features can be set with 70164562Sgshapiro 70238032Speter define(`DATABASE_MAP_TYPE', `dbm') 70338032Speter 70438032Speterwhich would set it to use ndbm databases. The default is the Berkeley DB 70538032Speterhash database format. Note that you must still declare a database map type 70638032Speterif you specify an argument to a FEATURE. DATABASE_MAP_TYPE is only used 70764562Sgshapiroif no argument is given for the FEATURE. It must be specified before any 70864562Sgshapirofeature that uses a map. 70938032Speter 71090792SgshapiroAlso, features which can take a map definition as an argument can also take 71190792Sgshapirothe special keyword `LDAP'. If that keyword is used, the map will use the 71290792SgshapiroLDAP definition described in the ``USING LDAP FOR ALIASES, MAPS, AND 71390792SgshapiroCLASSES'' section below. 71490792Sgshapiro 71538032SpeterAvailable features are: 71638032Speter 71764562Sgshapirouse_cw_file Read the file /etc/mail/local-host-names file to get 71864562Sgshapiro alternate names for this host. This might be used if you 71964562Sgshapiro were on a host that MXed for a dynamic set of other hosts. 72064562Sgshapiro If the set is static, just including the line "Cw<name1> 72164562Sgshapiro <name2> ..." (where the names are fully qualified domain 72264562Sgshapiro names) is probably superior. The actual filename can be 72364562Sgshapiro overridden by redefining confCW_FILE. 72438032Speter 72564562Sgshapirouse_ct_file Read the file /etc/mail/trusted-users file to get the 72664562Sgshapiro names of users that will be ``trusted'', that is, able to 72764562Sgshapiro set their envelope from address using -f without generating 72864562Sgshapiro a warning message. The actual filename can be overridden 72964562Sgshapiro by redefining confCT_FILE. 73038032Speter 73138032Speterredirect Reject all mail addressed to "address.REDIRECT" with 73264562Sgshapiro a ``551 User has moved; please try <address>'' message. 73338032Speter If this is set, you can alias people who have left 73438032Speter to their new address with ".REDIRECT" appended. 73538032Speter 73664562Sgshapironouucp Don't route UUCP addresses. This feature takes one 73764562Sgshapiro parameter: 73864562Sgshapiro `reject': reject addresses which have "!" in the local 73964562Sgshapiro part unless it originates from a system 74064562Sgshapiro that is allowed to relay. 74164562Sgshapiro `nospecial': don't do anything special with "!". 74290792Sgshapiro Warnings: 1. See the notice in the anti-spam section. 74364562Sgshapiro 2. don't remove "!" from OperatorChars if `reject' is 74464562Sgshapiro given as parameter. 74538032Speter 74664562Sgshapironocanonify Don't pass addresses to $[ ... $] for canonification 74771345Sgshapiro by default, i.e., host/domain names are considered canonical, 74871345Sgshapiro except for unqualified names, which must not be used in this 74971345Sgshapiro mode (violation of the standard). It can be changed by 75071345Sgshapiro setting the DaemonPortOptions modifiers (M=). That is, 75164562Sgshapiro FEATURE(`nocanonify') will be overridden by setting the 75264562Sgshapiro 'c' flag. Conversely, if FEATURE(`nocanonify') is not used, 75364562Sgshapiro it can be emulated by setting the 'C' flag 75464562Sgshapiro (DaemonPortOptions=Modifiers=C). This would generally only 75564562Sgshapiro be used by sites that only act as mail gateways or which have 75664562Sgshapiro user agents that do full canonification themselves. You may 75764562Sgshapiro also want to use 75864562Sgshapiro "define(`confBIND_OPTS', `-DNSRCH -DEFNAMES')" to turn off 75964562Sgshapiro the usual resolver options that do a similar thing. 76038032Speter 76164562Sgshapiro An exception list for FEATURE(`nocanonify') can be 76264562Sgshapiro specified with CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE, 76364562Sgshapiro i.e., a list of domains which are nevertheless passed to 76464562Sgshapiro $[ ... $] for canonification. This is useful to turn on 76564562Sgshapiro canonification for local domains, e.g., use 76664562Sgshapiro CANONIFY_DOMAIN(`my.domain my') to canonify addresses 76764562Sgshapiro which end in "my.domain" or "my". 76864562Sgshapiro Another way to require canonification in the local 76964562Sgshapiro domain is CANONIFY_DOMAIN(`$=m'). 77064562Sgshapiro 77164562Sgshapiro A trailing dot is added to addresses with more than 77264562Sgshapiro one component in it such that other features which 77364562Sgshapiro expect a trailing dot (e.g., virtusertable) will 77464562Sgshapiro still work. 77564562Sgshapiro 77664562Sgshapiro If `canonify_hosts' is specified as parameter, i.e., 77764562Sgshapiro FEATURE(`nocanonify', `canonify_hosts'), then 77864562Sgshapiro addresses which have only a hostname, e.g., 77964562Sgshapiro <user@host>, will be canonified (and hopefully fully 78064562Sgshapiro qualified), too. 78164562Sgshapiro 78271345Sgshapirostickyhost This feature is sometimes used with LOCAL_RELAY, 78371345Sgshapiro although it can be used for a different effect with 78471345Sgshapiro MAIL_HUB. 78538032Speter 78673188Sgshapiro When used without MAIL_HUB, email sent to 78771345Sgshapiro "user@local.host" are marked as "sticky" -- that 78871345Sgshapiro is, the local addresses aren't matched against UDB, 78971345Sgshapiro don't go through ruleset 5, and are not forwarded to 79071345Sgshapiro the LOCAL_RELAY (if defined). 79171345Sgshapiro 79271345Sgshapiro With MAIL_HUB, mail addressed to "user@local.host" 79371345Sgshapiro is forwarded to the mail hub, with the envelope 79471345Sgshapiro address still remaining "user@local.host". 79571345Sgshapiro Without stickyhost, the envelope would be changed 79671345Sgshapiro to "user@mail_hub", in order to protect against 79771345Sgshapiro mailing loops. 79871345Sgshapiro 79938032Spetermailertable Include a "mailer table" which can be used to override 80064562Sgshapiro routing for particular domains (which are not in class {w}, 80164562Sgshapiro i.e. local host names). The argument of the FEATURE may be 80264562Sgshapiro the key definition. If none is specified, the definition 80364562Sgshapiro used is: 80443730Speter 80564562Sgshapiro hash /etc/mail/mailertable 80643730Speter 80738032Speter Keys in this database are fully qualified domain names 80838032Speter or partial domains preceded by a dot -- for example, 80964562Sgshapiro "vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU". As a 81064562Sgshapiro special case of the latter, "." matches any domain not 81164562Sgshapiro covered by other keys. Values must be of the form: 81238032Speter mailer:domain 81338032Speter where "mailer" is the internal mailer name, and "domain" 81438032Speter is where to send the message. These maps are not 81538032Speter reflected into the message header. As a special case, 81638032Speter the forms: 81738032Speter local:user 81838032Speter will forward to the indicated user using the local mailer, 81938032Speter local: 82038032Speter will forward to the original user in the e-mail address 82138032Speter using the local mailer, and 82238032Speter error:code message 82364562Sgshapiro error:D.S.N:code message 82464562Sgshapiro will give an error message with the indicated SMTP reply 82564562Sgshapiro code and message, where D.S.N is an RFC 1893 compliant 82664562Sgshapiro error code. 82738032Speter 82838032Speterdomaintable Include a "domain table" which can be used to provide 82938032Speter domain name mapping. Use of this should really be 83038032Speter limited to your own domains. It may be useful if you 83138032Speter change names (e.g., your company changes names from 83238032Speter oldname.com to newname.com). The argument of the 83338032Speter FEATURE may be the key definition. If none is specified, 83438032Speter the definition used is: 83543730Speter 83664562Sgshapiro hash /etc/mail/domaintable 83743730Speter 83838032Speter The key in this table is the domain name; the value is 83938032Speter the new (fully qualified) domain. Anything in the 84038032Speter domaintable is reflected into headers; that is, this 84138032Speter is done in ruleset 3. 84238032Speter 84338032Speterbitdomain Look up bitnet hosts in a table to try to turn them into 84438032Speter internet addresses. The table can be built using the 84538032Speter bitdomain program contributed by John Gardiner Myers. 84638032Speter The argument of the FEATURE may be the key definition; if 84738032Speter none is specified, the definition used is: 84843730Speter 84964562Sgshapiro hash /etc/mail/bitdomain 85043730Speter 85138032Speter Keys are the bitnet hostname; values are the corresponding 85238032Speter internet hostname. 85338032Speter 85438032Speteruucpdomain Similar feature for UUCP hosts. The default map definition 85538032Speter is: 85643730Speter 85764562Sgshapiro hash /etc/mail/uudomain 85843730Speter 85938032Speter At the moment there is no automagic tool to build this 86038032Speter database. 86138032Speter 86238032Speteralways_add_domain 86338032Speter Include the local host domain even on locally delivered 86438032Speter mail. Normally it is not added on unqualified names. 86538032Speter However, if you use a shared message store but do not use 86638032Speter the same user name space everywhere, you may need the host 86790792Sgshapiro name on local names. An optional argument specifies 86890792Sgshapiro another domain to be added than the local. 86938032Speter 87038032Speterallmasquerade If masquerading is enabled (using MASQUERADE_AS), this 87138032Speter feature will cause recipient addresses to also masquerade 87238032Speter as being from the masquerade host. Normally they get 87338032Speter the local hostname. Although this may be right for 87438032Speter ordinary users, it can break local aliases. For example, 87538032Speter if you send to "localalias", the originating sendmail will 87638032Speter find that alias and send to all members, but send the 87738032Speter message with "To: localalias@masqueradehost". Since that 87838032Speter alias likely does not exist, replies will fail. Use this 87938032Speter feature ONLY if you can guarantee that the ENTIRE 88038032Speter namespace on your masquerade host supersets all the 88138032Speter local entries. 88238032Speter 88338032Speterlimited_masquerade 88464562Sgshapiro Normally, any hosts listed in class {w} are masqueraded. If 88564562Sgshapiro this feature is given, only the hosts listed in class {M} (see 88664562Sgshapiro below: MASQUERADE_DOMAIN) are masqueraded. This is useful 88764562Sgshapiro if you have several domains with disjoint namespaces hosted 88864562Sgshapiro on the same machine. 88938032Speter 89038032Spetermasquerade_entire_domain 89164562Sgshapiro If masquerading is enabled (using MASQUERADE_AS) and 89238032Speter MASQUERADE_DOMAIN (see below) is set, this feature will 89338032Speter cause addresses to be rewritten such that the masquerading 89438032Speter domains are actually entire domains to be hidden. All 89538032Speter hosts within the masquerading domains will be rewritten 89638032Speter to the masquerade name (used in MASQUERADE_AS). For example, 89738032Speter if you have: 89838032Speter 89964562Sgshapiro MASQUERADE_AS(`masq.com') 90064562Sgshapiro MASQUERADE_DOMAIN(`foo.org') 90164562Sgshapiro MASQUERADE_DOMAIN(`bar.com') 90238032Speter 90338032Speter then *foo.org and *bar.com are converted to masq.com. Without 90438032Speter this feature, only foo.org and bar.com are masqueraded. 90538032Speter 90638032Speter NOTE: only domains within your jurisdiction and 90738032Speter current hierarchy should be masqueraded using this. 90838032Speter 90990792Sgshapirolocal_no_masquerade 91090792Sgshapiro This feature prevents the local mailer from masquerading even 91190792Sgshapiro if MASQUERADE_AS is used. MASQUERADE_AS will only have effect 91290792Sgshapiro on addresses of mail going outside the local domain. 91390792Sgshapiro 914110560Sgshapiromasquerade_envelope 915110560Sgshapiro If masquerading is enabled (using MASQUERADE_AS) or the 916110560Sgshapiro genericstable is in use, this feature will cause envelope 917110560Sgshapiro addresses to also masquerade as being from the masquerade 918110560Sgshapiro host. Normally only the header addresses are masqueraded. 919110560Sgshapiro 92064562Sgshapirogenericstable This feature will cause unqualified addresses (i.e., without 92164562Sgshapiro a domain) and addresses with a domain listed in class {G} 92264562Sgshapiro to be looked up in a map and turned into another ("generic") 92364562Sgshapiro form, which can change both the domain name and the user name. 92490792Sgshapiro Notice: if you use an MSP (as it is default starting with 92590792Sgshapiro 8.12), the MTA will only receive qualified addresses from the 92690792Sgshapiro MSP (as required by the RFCs). Hence you need to add your 92790792Sgshapiro domain to class {G}. This feature is similar to the userdb 92890792Sgshapiro functionality. The same types of addresses as for 92990792Sgshapiro masquerading are looked up, i.e., only header sender 93090792Sgshapiro addresses unless the allmasquerade and/or masquerade_envelope 93190792Sgshapiro features are given. Qualified addresses must have the domain 93290792Sgshapiro part in class {G}; entries can be added to this class by the 93390792Sgshapiro macros GENERICS_DOMAIN or GENERICS_DOMAIN_FILE (analogously 93490792Sgshapiro to MASQUERADE_DOMAIN and MASQUERADE_DOMAIN_FILE, see below). 93538032Speter 93643730Speter The argument of FEATURE(`genericstable') may be the map 93738032Speter definition; the default map definition is: 93838032Speter 93964562Sgshapiro hash /etc/mail/genericstable 94038032Speter 94164562Sgshapiro The key for this table is either the full address, the domain 94264562Sgshapiro (with a leading @; the localpart is passed as first argument) 94364562Sgshapiro or the unqualified username (tried in the order mentioned); 94464562Sgshapiro the value is the new user address. If the new user address 94564562Sgshapiro does not include a domain, it will be qualified in the standard 94664562Sgshapiro manner, i.e., using $j or the masquerade name. Note that the 94738032Speter address being looked up must be fully qualified. For local 94843730Speter mail, it is necessary to use FEATURE(`always_add_domain') 94943730Speter for the addresses to be qualified. 95064562Sgshapiro The "+detail" of an address is passed as %1, so entries like 95138032Speter 95264562Sgshapiro old+*@foo.org new+%1@example.com 95364562Sgshapiro gen+*@foo.org %1@example.com 95464562Sgshapiro 95564562Sgshapiro and other forms are possible. 95664562Sgshapiro 95764562Sgshapirogenerics_entire_domain 95864562Sgshapiro If the genericstable is enabled and GENERICS_DOMAIN or 95964562Sgshapiro GENERICS_DOMAIN_FILE is used, this feature will cause 96064562Sgshapiro addresses to be searched in the map if their domain 96164562Sgshapiro parts are subdomains of elements in class {G}. 96264562Sgshapiro 96338032Spetervirtusertable A domain-specific form of aliasing, allowing multiple 96438032Speter virtual domains to be hosted on one machine. For example, 965157001Sgshapiro if the virtuser table contains: 96638032Speter 96738032Speter info@foo.com foo-info 96838032Speter info@bar.com bar-info 96990792Sgshapiro joe@bar.com error:nouser 550 No such user here 97090792Sgshapiro jax@bar.com error:5.7.0:550 Address invalid 97164562Sgshapiro @baz.org jane@example.net 97238032Speter 97338032Speter then mail addressed to info@foo.com will be sent to the 97438032Speter address foo-info, mail addressed to info@bar.com will be 97564562Sgshapiro delivered to bar-info, and mail addressed to anyone at baz.org 97664562Sgshapiro will be sent to jane@example.net, mail to joe@bar.com will 97764562Sgshapiro be rejected with the specified error message, and mail to 97864562Sgshapiro jax@bar.com will also have a RFC 1893 compliant error code 97990792Sgshapiro 5.7.0. 98038032Speter 98164562Sgshapiro The username from the original address is passed 98264562Sgshapiro as %1 allowing: 98338032Speter 98464562Sgshapiro @foo.org %1@example.com 98538032Speter 98664562Sgshapiro meaning someone@foo.org will be sent to someone@example.com. 98764562Sgshapiro Additionally, if the local part consists of "user+detail" 98890792Sgshapiro then "detail" is passed as %2 and "+detail" is passed as %3 98990792Sgshapiro when a match against user+* is attempted, so entries like 99064562Sgshapiro 99164562Sgshapiro old+*@foo.org new+%2@example.com 99264562Sgshapiro gen+*@foo.org %2@example.com 99390792Sgshapiro +*@foo.org %1%3@example.com 99490792Sgshapiro X++@foo.org Z%3@example.com 99590792Sgshapiro @bar.org %1%3 99664562Sgshapiro 99764562Sgshapiro and other forms are possible. Note: to preserve "+detail" 99890792Sgshapiro for a default case (@domain) %1%3 must be used as RHS. 99990792Sgshapiro There are two wildcards after "+": "+" matches only a non-empty 100090792Sgshapiro detail, "*" matches also empty details, e.g., user+@foo.org 100190792Sgshapiro matches +*@foo.org but not ++@foo.org. This can be used 100290792Sgshapiro to ensure that the parameters %2 and %3 are not empty. 100364562Sgshapiro 100438032Speter All the host names on the left hand side (foo.com, bar.com, 100590792Sgshapiro and baz.org) must be in class {w} or class {VirtHost}. The 100664562Sgshapiro latter can be defined by the macros VIRTUSER_DOMAIN or 100764562Sgshapiro VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 100864562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or 100964562Sgshapiro VIRTUSER_DOMAIN_FILE is used, then the entries of class 101064562Sgshapiro {VirtHost} are added to class {R}, i.e., relaying is allowed 1011182352Sgshapiro to (and from) those domains, which by default includes also 1012182352Sgshapiro all subdomains (see relay_hosts_only). The default map 1013182352Sgshapiro definition is: 101438032Speter 101564562Sgshapiro hash /etc/mail/virtusertable 101638032Speter 101738032Speter A new definition can be specified as the second argument of 101838032Speter the FEATURE macro, such as 101938032Speter 102064562Sgshapiro FEATURE(`virtusertable', `dbm /etc/mail/virtusers') 102138032Speter 102264562Sgshapirovirtuser_entire_domain 102364562Sgshapiro If the virtusertable is enabled and VIRTUSER_DOMAIN or 102464562Sgshapiro VIRTUSER_DOMAIN_FILE is used, this feature will cause 102564562Sgshapiro addresses to be searched in the map if their domain 102664562Sgshapiro parts are subdomains of elements in class {VirtHost}. 102764562Sgshapiro 102864562Sgshapiroldap_routing Implement LDAP-based e-mail recipient routing according to 102964562Sgshapiro the Internet Draft draft-lachman-laser-ldap-mail-routing-01. 103064562Sgshapiro This provides a method to re-route addresses with a 103164562Sgshapiro domain portion in class {LDAPRoute} to either a 103264562Sgshapiro different mail host or a different address. Hosts can 103364562Sgshapiro be added to this class using LDAPROUTE_DOMAIN and 103464562Sgshapiro LDAPROUTE_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 103564562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 103664562Sgshapiro 103764562Sgshapiro See the LDAP ROUTING section below for more information. 103864562Sgshapiro 103964562Sgshapironullclient This is a special case -- it creates a configuration file 104064562Sgshapiro containing nothing but support for forwarding all mail to a 104164562Sgshapiro central hub via a local SMTP-based network. The argument 104264562Sgshapiro is the name of that hub. 104364562Sgshapiro 104438032Speter The only other feature that should be used in conjunction 104564562Sgshapiro with this one is FEATURE(`nocanonify'). No mailers 104638032Speter should be defined. No aliasing or forwarding is done. 104738032Speter 104838032Speterlocal_lmtp Use an LMTP capable local mailer. The argument to this 104938032Speter feature is the pathname of an LMTP capable mailer. By 105038032Speter default, mail.local is used. This is expected to be the 105138032Speter mail.local which came with the 8.9 distribution which is 105238032Speter LMTP capable. The path to mail.local is set by the 105338032Speter confEBINDIR m4 variable -- making the default 105438032Speter LOCAL_MAILER_PATH /usr/libexec/mail.local. 1055132943Sgshapiro If a different LMTP capable mailer is used, its pathname 1056132943Sgshapiro can be specified as second parameter and the arguments 1057132943Sgshapiro passed to it (A=) as third parameter, e.g., 1058132943Sgshapiro 1059132943Sgshapiro FEATURE(`local_lmtp', `/usr/local/bin/lmtp', `lmtp') 1060132943Sgshapiro 106164562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 106264562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 106338032Speter 106464562Sgshapirolocal_procmail Use procmail or another delivery agent as the local mailer. 106564562Sgshapiro The argument to this feature is the pathname of the 106664562Sgshapiro delivery agent, which defaults to PROCMAIL_MAILER_PATH. 106764562Sgshapiro Note that this does NOT use PROCMAIL_MAILER_FLAGS or 106864562Sgshapiro PROCMAIL_MAILER_ARGS for the local mailer; tweak 106964562Sgshapiro LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS instead, or 107064562Sgshapiro specify the appropriate parameters. When procmail is used, 107164562Sgshapiro the local mailer can make use of the 107264562Sgshapiro "user+indicator@local.host" syntax; normally the +indicator 107364562Sgshapiro is just tossed, but by default it is passed as the -a 107464562Sgshapiro argument to procmail. 107538032Speter 107664562Sgshapiro This feature can take up to three arguments: 107764562Sgshapiro 107864562Sgshapiro 1. Path to the mailer program 107964562Sgshapiro [default: /usr/local/bin/procmail] 108064562Sgshapiro 2. Argument vector including name of the program 108164562Sgshapiro [default: procmail -Y -a $h -d $u] 108264562Sgshapiro 3. Flags for the mailer [default: SPfhn9] 108364562Sgshapiro 108464562Sgshapiro Empty arguments cause the defaults to be taken. 1085110560Sgshapiro Note that if you are on a system with a broken 1086110560Sgshapiro setreuid() call, you may need to add -f $f to the procmail 1087110560Sgshapiro argument vector to pass the proper sender to procmail. 108864562Sgshapiro 108964562Sgshapiro For example, this allows it to use the maildrop 109064562Sgshapiro (http://www.flounder.net/~mrsam/maildrop/) mailer instead 109164562Sgshapiro by specifying: 109264562Sgshapiro 109364562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/maildrop', 109464562Sgshapiro `maildrop -d $u') 109564562Sgshapiro 109664562Sgshapiro or scanmails using: 109764562Sgshapiro 109864562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/scanmails') 109964562Sgshapiro 110064562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 110164562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 110264562Sgshapiro 110338032Speterbestmx_is_local Accept mail as though locally addressed for any host that 110438032Speter lists us as the best possible MX record. This generates 110538032Speter additional DNS traffic, but should be OK for low to 110638032Speter medium traffic hosts. The argument may be a set of 110738032Speter domains, which will limit the feature to only apply to 110838032Speter these domains -- this will reduce unnecessary DNS 110938032Speter traffic. THIS FEATURE IS FUNDAMENTALLY INCOMPATIBLE WITH 111038032Speter WILDCARD MX RECORDS!!! If you have a wildcard MX record 111138032Speter that matches your domain, you cannot use this feature. 111238032Speter 111338032Spetersmrsh Use the SendMail Restricted SHell (smrsh) provided 111438032Speter with the distribution instead of /bin/sh for mailing 111538032Speter to programs. This improves the ability of the local 111638032Speter system administrator to control what gets run via 111738032Speter e-mail. If an argument is provided it is used as the 111838032Speter pathname to smrsh; otherwise, the path defined by 111938032Speter confEBINDIR is used for the smrsh binary -- by default, 112038032Speter /usr/libexec/smrsh is assumed. 112138032Speter 112238032Speterpromiscuous_relay 112338032Speter By default, the sendmail configuration files do not permit 112438032Speter mail relaying (that is, accepting mail from outside your 112564562Sgshapiro local host (class {w}) and sending it to another host than 112664562Sgshapiro your local host). This option sets your site to allow 112764562Sgshapiro mail relaying from any site to any site. In almost all 112864562Sgshapiro cases, it is better to control relaying more carefully 112964562Sgshapiro with the access map, class {R}, or authentication. Domains 113064562Sgshapiro can be added to class {R} by the macros RELAY_DOMAIN or 113164562Sgshapiro RELAY_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 113264562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 113338032Speter 113438032Speterrelay_entire_domain 113598121Sgshapiro This option allows any host in your domain as defined by 113698121Sgshapiro class {m} to use your server for relaying. Notice: make 113798121Sgshapiro sure that your domain is not just a top level domain, 113898121Sgshapiro e.g., com. This can happen if you give your host a name 113998121Sgshapiro like example.com instead of host.example.com. 114038032Speter 114138032Speterrelay_hosts_only 114238032Speter By default, names that are listed as RELAY in the access 114398121Sgshapiro db and class {R} are treated as domain names, not host names. 114438032Speter For example, if you specify ``foo.com'', then mail to or 114538032Speter from foo.com, abc.foo.com, or a.very.deep.domain.foo.com 114638032Speter will all be accepted for relaying. This feature changes 114738032Speter the behaviour to lookup individual host names only. 114838032Speter 114938032Speterrelay_based_on_MX 115038032Speter Turns on the ability to allow relaying based on the MX 115142575Speter records of the host portion of an incoming recipient; that 115242575Speter is, if an MX record for host foo.com points to your site, 115342575Speter you will accept and relay mail addressed to foo.com. See 115438032Speter description below for more information before using this 115542575Speter feature. Also, see the KNOWNBUGS entry regarding bestmx 115642575Speter map lookups. 115738032Speter 115843730Speter FEATURE(`relay_based_on_MX') does not necessarily allow 115942575Speter routing of these messages which you expect to be allowed, 116042575Speter if route address syntax (or %-hack syntax) is used. If 116142575Speter this is a problem, add entries to the access-table or use 116243730Speter FEATURE(`loose_relay_check'). 116342575Speter 116464562Sgshapirorelay_mail_from 116564562Sgshapiro Allows relaying if the mail sender is listed as RELAY in 1166110560Sgshapiro the access map. If an optional argument `domain' (this 1167110560Sgshapiro is the literal word `domain', not a placeholder) is given, 116890792Sgshapiro relaying can be allowed just based on the domain portion 116990792Sgshapiro of the sender address. This feature should only be used if 117090792Sgshapiro absolutely necessary as the sender address can be easily 117198121Sgshapiro forged. Use of this feature requires the "From:" tag to 117298121Sgshapiro be used for the key in the access map; see the discussion 117390792Sgshapiro of tags and FEATURE(`relay_mail_from') in the section on 117490792Sgshapiro anti-spam configuration control. 117564562Sgshapiro 117638032Speterrelay_local_from 117738032Speter Allows relaying if the domain portion of the mail sender 117838032Speter is a local host. This should only be used if absolutely 117942575Speter necessary as it opens a window for spammers. Specifically, 118042575Speter they can send mail to your mail server that claims to be 118142575Speter from your domain (either directly or via a routed address), 118242575Speter and you will go ahead and relay it out to arbitrary hosts 118342575Speter on the Internet. 118464562Sgshapiro 118538032Speteraccept_unqualified_senders 118638032Speter Normally, MAIL FROM: commands in the SMTP session will be 118738032Speter refused if the connection is a network connection and the 118838032Speter sender address does not include a domain name. If your 1189157001Sgshapiro setup sends local mail unqualified (i.e., MAIL FROM:<joe>), 119038032Speter you will need to use this feature to accept unqualified 119164562Sgshapiro sender addresses. Setting the DaemonPortOptions modifier 119264562Sgshapiro 'u' overrides the default behavior, i.e., unqualified 119364562Sgshapiro addresses are accepted even without this FEATURE. 119464562Sgshapiro If this FEATURE is not used, the DaemonPortOptions modifier 119564562Sgshapiro 'f' can be used to enforce fully qualified addresses. 119664562Sgshapiro 119738032Speteraccept_unresolvable_domains 119838032Speter Normally, MAIL FROM: commands in the SMTP session will be 119964562Sgshapiro refused if the host part of the argument to MAIL FROM: 120064562Sgshapiro cannot be located in the host name service (e.g., an A or 120164562Sgshapiro MX record in DNS). If you are inside a firewall that has 120264562Sgshapiro only a limited view of the Internet host name space, this 120364562Sgshapiro could cause problems. In this case you probably want to 120464562Sgshapiro use this feature to accept all domains on input, even if 120564562Sgshapiro they are unresolvable. 120638032Speter 120738032Speteraccess_db Turns on the access database feature. The access db gives 120838032Speter you the ability to allow or refuse to accept mail from 120990792Sgshapiro specified domains for administrative reasons. Moreover, 121090792Sgshapiro it can control the behavior of sendmail in various situations. 121190792Sgshapiro By default, the access database specification is: 121238032Speter 121390792Sgshapiro hash -T<TMPF> /etc/mail/access 121443730Speter 121590792Sgshapiro See the anti-spam configuration control section for further 121690792Sgshapiro important information about this feature. Notice: 121790792Sgshapiro "-T<TMPF>" is meant literal, do not replace it by anything. 121843730Speter 121938032Speterblacklist_recipients 122038032Speter Turns on the ability to block incoming mail for certain 122138032Speter recipient usernames, hostnames, or addresses. For 122238032Speter example, you can block incoming mail to user nobody, 122338032Speter host foo.mydomain.com, or guest@bar.mydomain.com. 122438032Speter These specifications are put in the access db as 122564562Sgshapiro described in the anti-spam configuration control section 122664562Sgshapiro later in this document. 122738032Speter 122871345Sgshapirodelay_checks The rulesets check_mail and check_relay will not be called 122971345Sgshapiro when a client connects or issues a MAIL command, respectively. 123071345Sgshapiro Instead, those rulesets will be called by the check_rcpt 123171345Sgshapiro ruleset; they will be skipped under certain circumstances. 123290792Sgshapiro See "Delay all checks" in the anti-spam configuration control 123390792Sgshapiro section. Note: this feature is incompatible to the versions 123490792Sgshapiro in 8.10 and 8.11. 123571345Sgshapiro 1236132943Sgshapirouse_client_ptr If this feature is enabled then check_relay will override 1237132943Sgshapiro its first argument with $&{client_ptr}. This is useful for 1238132943Sgshapiro rejections based on the unverified hostname of client, 1239132943Sgshapiro which turns on the same behavior as in earlier sendmail 1240132943Sgshapiro versions when delay_checks was not in use. See doc/op/op.* 1241132943Sgshapiro about check_relay, {client_name}, and {client_ptr}. 1242132943Sgshapiro 1243168515Sgshapirodnsbl Turns on rejection, discarding, or quarantining of hosts 1244168515Sgshapiro found in a DNS based list. The first argument is used as 1245168515Sgshapiro the domain in which blocked hosts are listed. A second 1246168515Sgshapiro argument can be used to change the default error message, 1247168515Sgshapiro or select one of the operations `discard' and `quarantine'. 1248168515Sgshapiro Without that second argument, the error message will be 1249168515Sgshapiro 125098841Sgshapiro Rejected: IP-ADDRESS listed at SERVER 1251168515Sgshapiro 125290792Sgshapiro where IP-ADDRESS and SERVER are replaced by the appropriate 125390792Sgshapiro information. By default, temporary lookup failures are 125490792Sgshapiro ignored. This behavior can be changed by specifying a 125590792Sgshapiro third argument, which must be either `t' or a full error 125690792Sgshapiro message. See the anti-spam configuration control section for 125790792Sgshapiro an example. The dnsbl feature can be included several times 125890792Sgshapiro to query different DNS based rejection lists. See also 125990792Sgshapiro enhdnsbl for an enhanced version. 126064562Sgshapiro 1261110560Sgshapiro Set the DNSBL_MAP mc option to change the default map 1262110560Sgshapiro definition from `host'. Set the DNSBL_MAP_OPT mc option 1263110560Sgshapiro to add additional options to the map specification used. 1264110560Sgshapiro 126598121Sgshapiro Some DNS based rejection lists cause failures if asked 126698121Sgshapiro for AAAA records. If your sendmail version is compiled 126798121Sgshapiro with IPv6 support (NETINET6) and you experience this 126898121Sgshapiro problem, add 126998121Sgshapiro 127098121Sgshapiro define(`DNSBL_MAP', `dns -R A') 127198121Sgshapiro 127298121Sgshapiro before the first use of this feature. Alternatively you 1273111823Sgshapiro can use enhdnsbl instead (see below). Moreover, this 1274111823Sgshapiro statement can be used to reduce the number of DNS retries, 1275111823Sgshapiro e.g., 127698121Sgshapiro 1277111823Sgshapiro define(`DNSBL_MAP', `dns -R A -r2') 1278111823Sgshapiro 1279111823Sgshapiro See below (EDNSBL_TO) for an explanation. 1280111823Sgshapiro 128190792Sgshapiroenhdnsbl Enhanced version of dnsbl (see above). Further arguments 128290792Sgshapiro (up to 5) can be used to specify specific return values 128390792Sgshapiro from lookups. Temporary lookup failures are ignored unless 128490792Sgshapiro a third argument is given, which must be either `t' or a full 128590792Sgshapiro error message. By default, any successful lookup will 128690792Sgshapiro generate an error. Otherwise the result of the lookup is 128790792Sgshapiro compared with the supplied argument(s), and only if a match 128890792Sgshapiro occurs an error is generated. For example, 128990792Sgshapiro 129090792Sgshapiro FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2.') 129190792Sgshapiro 129290792Sgshapiro will reject the e-mail if the lookup returns the value 129390792Sgshapiro ``127.0.0.2.'', or generate a 451 response if the lookup 129490792Sgshapiro temporarily failed. The arguments can contain metasymbols 129590792Sgshapiro as they are allowed in the LHS of rules. As the example 129690792Sgshapiro shows, the default values are also used if an empty argument, 129790792Sgshapiro i.e., `', is specified. This feature requires that sendmail 129890792Sgshapiro has been compiled with the flag DNSMAP (see sendmail/README). 129990792Sgshapiro 1300110560Sgshapiro Set the EDNSBL_TO mc option to change the DNS retry count 1301111823Sgshapiro from the default value of 5, this can be very useful when 1302111823Sgshapiro a DNS server is not responding, which in turn may cause 1303111823Sgshapiro clients to time out (an entry stating 1304110560Sgshapiro 1305111823Sgshapiro did not issue MAIL/EXPN/VRFY/ETRN 1306111823Sgshapiro 1307111823Sgshapiro will be logged). 1308111823Sgshapiro 1309132943Sgshapiroratecontrol Enable simple ruleset to do connection rate control 1310132943Sgshapiro checking. This requires entries in access_db of the form 1311132943Sgshapiro 1312132943Sgshapiro ClientRate:IP.ADD.RE.SS LIMIT 1313132943Sgshapiro 1314132943Sgshapiro The RHS specifies the maximum number of connections 1315132943Sgshapiro (an integer number) over the time interval defined 1316132943Sgshapiro by ConnectionRateWindowSize, where 0 means unlimited. 1317132943Sgshapiro 1318132943Sgshapiro Take the following example: 1319132943Sgshapiro 1320132943Sgshapiro ClientRate:10.1.2.3 4 1321132943Sgshapiro ClientRate:127.0.0.1 0 1322132943Sgshapiro ClientRate: 10 1323132943Sgshapiro 1324132943Sgshapiro 10.1.2.3 can only make up to 4 connections, the 1325132943Sgshapiro general limit it 10, and 127.0.0.1 can make an unlimited 1326132943Sgshapiro number of connections per ConnectionRateWindowSize. 1327132943Sgshapiro 1328132943Sgshapiro See also CONNECTION CONTROL. 1329132943Sgshapiro 1330132943Sgshapiroconncontrol Enable a simple check of the number of incoming SMTP 1331132943Sgshapiro connections. This requires entries in access_db of the 1332132943Sgshapiro form 1333132943Sgshapiro 1334132943Sgshapiro ClientConn:IP.ADD.RE.SS LIMIT 1335132943Sgshapiro 1336132943Sgshapiro The RHS specifies the maximum number of open connections 1337132943Sgshapiro (an integer number). 1338132943Sgshapiro 1339132943Sgshapiro Take the following example: 1340132943Sgshapiro 1341132943Sgshapiro ClientConn:10.1.2.3 4 1342132943Sgshapiro ClientConn:127.0.0.1 0 1343132943Sgshapiro ClientConn: 10 1344132943Sgshapiro 1345132943Sgshapiro 10.1.2.3 can only have up to 4 open connections, the 1346132943Sgshapiro general limit it 10, and 127.0.0.1 does not have any 1347132943Sgshapiro explicit limit. 1348132943Sgshapiro 1349132943Sgshapiro See also CONNECTION CONTROL. 1350132943Sgshapiro 1351132943Sgshapiromtamark Experimental support for "Marking Mail Transfer Agents in 1352132943Sgshapiro Reverse DNS with TXT RRs" (MTAMark), see 1353132943Sgshapiro draft-stumpf-dns-mtamark-01. Optional arguments are: 1354132943Sgshapiro 1355132943Sgshapiro 1. Error message, default: 1356132943Sgshapiro 1357132943Sgshapiro 550 Rejected: $&{client_addr} not listed as MTA 1358132943Sgshapiro 1359132943Sgshapiro 2. Temporary lookup failures are ignored unless a second 1360132943Sgshapiro argument is given, which must be either `t' or a full 1361132943Sgshapiro error message. 1362132943Sgshapiro 1363132943Sgshapiro 3. Lookup prefix, default: _perm._smtp._srv. This should 1364132943Sgshapiro not be changed unless the draft changes it. 1365132943Sgshapiro 1366132943Sgshapiro Example: 1367132943Sgshapiro 1368132943Sgshapiro FEATURE(`mtamark', `', `t') 1369132943Sgshapiro 137090792Sgshapirolookupdotdomain Look up also .domain in the access map. This allows to 137190792Sgshapiro match only subdomains. It does not work well with 137290792Sgshapiro FEATURE(`relay_hosts_only'), because most lookups for 137390792Sgshapiro subdomains are suppressed by the latter feature. 137490792Sgshapiro 137538032Speterloose_relay_check 137664562Sgshapiro Normally, if % addressing is used for a recipient, e.g. 137764562Sgshapiro user%site@othersite, and othersite is in class {R}, the 137838032Speter check_rcpt ruleset will strip @othersite and recheck 137938032Speter user@site for relaying. This feature changes that 138038032Speter behavior. It should not be needed for most installations. 138138032Speter 138290792Sgshapiroauthinfo Provide a separate map for client side authentication 138390792Sgshapiro information. See SMTP AUTHENTICATION for details. 138490792Sgshapiro By default, the authinfo database specification is: 138590792Sgshapiro 138690792Sgshapiro hash /etc/mail/authinfo 138790792Sgshapiro 138890792Sgshapiropreserve_luser_host 138990792Sgshapiro Preserve the name of the recipient host if LUSER_RELAY is 139090792Sgshapiro used. Without this option, the domain part of the 139190792Sgshapiro recipient address will be replaced by the host specified as 139290792Sgshapiro LUSER_RELAY. This feature only works if the hostname is 139390792Sgshapiro passed to the mailer (see mailer triple in op.me). Note 139490792Sgshapiro that in the default configuration the local mailer does not 139590792Sgshapiro receive the hostname, i.e., the mailer triple has an empty 139690792Sgshapiro hostname. 139790792Sgshapiro 139890792Sgshapiropreserve_local_plus_detail 139990792Sgshapiro Preserve the +detail portion of the address when passing 140090792Sgshapiro address to local delivery agent. Disables alias and 140190792Sgshapiro .forward +detail stripping (e.g., given user+detail, only 140290792Sgshapiro that address will be looked up in the alias file; user+* and 140390792Sgshapiro user will not be looked up). Only use if the local 140490792Sgshapiro delivery agent in use supports +detail addressing. 140590792Sgshapiro 140690792Sgshapirocompat_check Enable ruleset check_compat to look up pairs of addresses 140790792Sgshapiro with the Compat: tag -- Compat:sender<@>recipient -- in the 140890792Sgshapiro access map. Valid values for the RHS include 140990792Sgshapiro DISCARD silently discard recipient 141090792Sgshapiro TEMP: return a temporary error 141190792Sgshapiro ERROR: return a permanent error 141290792Sgshapiro In the last two cases, a 4xy/5xy SMTP reply code should 141390792Sgshapiro follow the colon. 141490792Sgshapiro 141564562Sgshapirono_default_msa Don't generate the default MSA daemon, i.e., 141664562Sgshapiro DAEMON_OPTIONS(`Port=587,Name=MSA,M=E') 141764562Sgshapiro To define a MSA daemon with other parameters, use this 141864562Sgshapiro FEATURE and introduce new settings via DAEMON_OPTIONS(). 141938032Speter 142090792Sgshapiromsp Defines config file for Message Submission Program. 142194334Sgshapiro See sendmail/SECURITY for details and cf/cf/submit.mc how 142294334Sgshapiro to use it. An optional argument can be used to override 142394334Sgshapiro the default of `[localhost]' to use as host to send all 142494334Sgshapiro e-mails to. Note that MX records will be used if the 142594334Sgshapiro specified hostname is not in square brackets (e.g., 142694334Sgshapiro [hostname]). If `MSA' is specified as second argument then 142794334Sgshapiro port 587 is used to contact the server. Example: 142890792Sgshapiro 142990792Sgshapiro FEATURE(`msp', `', `MSA') 143090792Sgshapiro 143190792Sgshapiro Some more hints about possible changes can be found below 143290792Sgshapiro in the section MESSAGE SUBMISSION PROGRAM. 143390792Sgshapiro 1434110560Sgshapiro Note: Due to many problems, submit.mc uses 143598121Sgshapiro 143698121Sgshapiro FEATURE(`msp', `[127.0.0.1]') 143798121Sgshapiro 1438110560Sgshapiro by default. If you have a machine with IPv6 only, 1439110560Sgshapiro change it to 1440110560Sgshapiro 1441110560Sgshapiro FEATURE(`msp', `[IPv6:::1]') 1442110560Sgshapiro 1443110560Sgshapiro If you want to continue using '[localhost]', (the behavior 1444110560Sgshapiro up to 8.12.6), use 1445110560Sgshapiro 1446110560Sgshapiro FEATURE(`msp') 1447110560Sgshapiro 144890792Sgshapiroqueuegroup A simple example how to select a queue group based 144990792Sgshapiro on the full e-mail address or the domain of the 145090792Sgshapiro recipient. Selection is done via entries in the 145190792Sgshapiro access map using the tag QGRP:, for example: 145290792Sgshapiro 145390792Sgshapiro QGRP:example.com main 145490792Sgshapiro QGRP:friend@some.org others 145590792Sgshapiro QGRP:my.domain local 145690792Sgshapiro 145790792Sgshapiro where "main", "others", and "local" are names of 145890792Sgshapiro queue groups. If an argument is specified, it is used 145990792Sgshapiro as default queue group. 146090792Sgshapiro 146194334Sgshapiro Note: please read the warning in doc/op/op.me about 146294334Sgshapiro queue groups and possible queue manipulations. 146394334Sgshapiro 1464132943Sgshapirogreet_pause Adds the greet_pause ruleset which enables open proxy 1465132943Sgshapiro and SMTP slamming protection. The feature can take an 1466132943Sgshapiro argument specifying the milliseconds to wait: 1467132943Sgshapiro 1468132943Sgshapiro FEATURE(`greet_pause', `5000') dnl 5 seconds 1469132943Sgshapiro 1470132943Sgshapiro If FEATURE(`access_db') is enabled, an access database 1471132943Sgshapiro lookup with the GreetPause tag is done using client 1472132943Sgshapiro hostname, domain, IP address, or subnet to determine the 1473132943Sgshapiro pause time: 1474132943Sgshapiro 1475132943Sgshapiro GreetPause:my.domain 0 1476132943Sgshapiro GreetPause:example.com 5000 1477132943Sgshapiro GreetPause:10.1.2 2000 1478132943Sgshapiro GreetPause:127.0.0.1 0 1479132943Sgshapiro 1480132943Sgshapiro When using FEATURE(`access_db'), the optional 1481132943Sgshapiro FEATURE(`greet_pause') argument becomes the default if 1482132943Sgshapiro nothing is found in the access database. A ruleset called 1483132943Sgshapiro Local_greet_pause can be used for local modifications, e.g., 1484132943Sgshapiro 1485132943Sgshapiro LOCAL_RULESETS 1486132943Sgshapiro SLocal_greet_pause 1487132943Sgshapiro R$* $: $&{daemon_flags} 1488132943Sgshapiro R$* a $* $# 0 1489132943Sgshapiro 1490168515Sgshapiroblock_bad_helo Reject messages from SMTP clients which provide a HELO/EHLO 1491168515Sgshapiro argument which is either unqualified, or is one of our own 1492168515Sgshapiro names (i.e., the server name instead of the client name). 1493168515Sgshapiro This check is performed at RCPT stage and disabled for the 1494168515Sgshapiro following cases: 1495168515Sgshapiro - authenticated sessions, 1496168515Sgshapiro - connections from IP addresses in class $={R}. 1497168515Sgshapiro Currently access_db lookups can not be used to 1498168515Sgshapiro (selectively) disable this test, moreover, 1499168515Sgshapiro FEATURE(`delay_checks') 1500168515Sgshapiro is required. 1501168515Sgshapiro 1502168515Sgshapirorequire_rdns Reject mail from connecting SMTP clients without proper 1503168515Sgshapiro rDNS (reverse DNS), functional gethostbyaddr() resolution. 1504168515Sgshapiro Note: this feature will cause false positives, i.e., there 1505168515Sgshapiro are legitimate MTAs that do not have proper DNS entries. 1506168515Sgshapiro Rejecting mails from those MTAs is a local policy decision. 1507168515Sgshapiro 1508168515Sgshapiro The basic policy is to reject message with a 5xx error if 1509168515Sgshapiro the IP address fails to resolve. However, if this is a 1510168515Sgshapiro temporary failure, a 4xx temporary failure is returned. 1511168515Sgshapiro If the look-up succeeds, but returns an apparently forged 1512168515Sgshapiro value, this is treated as a temporary failure with a 4xx 1513168515Sgshapiro error code. 1514168515Sgshapiro 1515168515Sgshapiro EXCEPTIONS: 1516168515Sgshapiro 1517168515Sgshapiro Exceptions based on access entries are discussed below. 1518168515Sgshapiro Any IP address matched using $=R (the "relay-domains" file) 1519168515Sgshapiro is excepted from the rules. Since we have explicitly 1520168515Sgshapiro allowed relaying for this host, based on IP address, we 1521168515Sgshapiro ignore the rDNS failure. 1522168515Sgshapiro 1523168515Sgshapiro The philosophical assumption here is that most users do 1524168515Sgshapiro not control their rDNS. They should be able to send mail 1525168515Sgshapiro through their ISP, whether or not they have valid rDNS. 1526168515Sgshapiro The class $=R, roughly speaking, contains those IP addresses 1527168515Sgshapiro and address ranges for which we are the ISP, or are acting 1528168515Sgshapiro as if the ISP. 1529168515Sgshapiro 1530168515Sgshapiro If `delay_checks' is in effect (recommended), then any 1531168515Sgshapiro sender who has authenticated is also excepted from the 1532168515Sgshapiro restrictions. This happens because the rules produced by 1533168515Sgshapiro this FEATURE() will not be applied to authenticated senders 1534168515Sgshapiro (assuming `delay_checks'). 1535168515Sgshapiro 1536168515Sgshapiro ACCESS MAP ENTRIES: 1537168515Sgshapiro 1538168515Sgshapiro Entries such as 1539168515Sgshapiro Connect:1.2.3.4 OK 1540168515Sgshapiro Connect:1.2 RELAY 1541168515Sgshapiro will whitelist IP address 1.2.3.4, so that the rDNS 1542168515Sgshapiro blocking does apply to that IP address 1543168515Sgshapiro 1544168515Sgshapiro Entries such as 1545168515Sgshapiro Connect:1.2.3.4 REJECT 1546168515Sgshapiro will have the effect of forcing a temporary failure for 1547168515Sgshapiro that address to be treated as a permanent failure. 1548168515Sgshapiro 1549168515Sgshapirobadmx Reject envelope sender addresses (MAIL) whose domain part 1550168515Sgshapiro resolves to a "bad" MX record. By default these are 1551168515Sgshapiro MX records which resolve to A records that match the 1552168515Sgshapiro regular expression: 1553168515Sgshapiro 1554168515Sgshapiro ^(127\.|10\.|0\.0\.0\.0) 1555168515Sgshapiro 1556168515Sgshapiro This default regular expression can be overridden by 1557168515Sgshapiro specifying an argument, e.g., 1558168515Sgshapiro 1559168515Sgshapiro FEATURE(`badmx', `^127\.0\.0\.1') 1560168515Sgshapiro 1561168515Sgshapiro Note: this feature requires that the sendmail binary 1562168515Sgshapiro has been compiled with the options MAP_REGEX and 1563168515Sgshapiro DNSMAP. 1564168515Sgshapiro 156538032Speter+-------+ 156638032Speter| HACKS | 156738032Speter+-------+ 156838032Speter 156938032SpeterSome things just can't be called features. To make this clear, 157038032Speterthey go in the hack subdirectory and are referenced using the HACK 157138032Spetermacro. These will tend to be site-dependent. The release 157238032Speterincludes the Berkeley-dependent "cssubdomain" hack (that makes 157338032Spetersendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU; 157464562Sgshapirothis is intended as a short-term aid while moving hosts into 157538032Spetersubdomains. 157638032Speter 157738032Speter 157838032Speter+--------------------+ 157938032Speter| SITE CONFIGURATION | 158038032Speter+--------------------+ 158138032Speter 158238032Speter ***************************************************** 158338032Speter * This section is really obsolete, and is preserved * 158438032Speter * only for back compatibility. You should plan on * 158590792Sgshapiro * using mailertables for new installations. In * 158638032Speter * particular, it doesn't work for the newer forms * 158738032Speter * of UUCP mailers, such as uucp-uudom. * 158838032Speter ***************************************************** 158938032Speter 159038032SpeterComplex sites will need more local configuration information, such as 159138032Speterlists of UUCP hosts they speak with directly. This can get a bit more 159238032Spetertricky. For an example of a "complex" site, see cf/ucbvax.mc. 159338032Speter 159438032SpeterThe SITECONFIG macro allows you to indirectly reference site-dependent 159538032Speterconfiguration information stored in the siteconfig subdirectory. For 159638032Speterexample, the line 159738032Speter 159864562Sgshapiro SITECONFIG(`uucp.ucbvax', `ucbvax', `U') 159938032Speter 160038032Speterreads the file uucp.ucbvax for local connection information. The 160138032Spetersecond parameter is the local name (in this case just "ucbvax" since 160238032Speterit is locally connected, and hence a UUCP hostname). The third 160338032Speterparameter is the name of both a macro to store the local name (in 160464562Sgshapirothis case, {U}) and the name of the class (e.g., {U}) in which to store 160538032Speterthe host information read from the file. Another SITECONFIG line reads 160638032Speter 160764562Sgshapiro SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W') 160838032Speter 160938032SpeterThis says that the file uucp.ucbarpa contains the list of UUCP sites 161064562Sgshapiroconnected to ucbarpa.Berkeley.EDU. Class {W} will be used to 161138032Speterstore this list, and $W is defined to be ucbarpa.Berkeley.EDU, that 161238032Speteris, the name of the relay to which the hosts listed in uucp.ucbarpa 161364562Sgshapiroare connected. [The machine ucbarpa is gone now, but this 161464562Sgshapiroout-of-date configuration file has been left around to demonstrate 161564562Sgshapirohow you might do this.] 161638032Speter 161738032SpeterNote that the case of SITECONFIG with a third parameter of ``U'' is 161838032Speterspecial; the second parameter is assumed to be the UUCP name of the 161938032Speterlocal site, rather than the name of a remote site, and the UUCP name 162064562Sgshapirois entered into class {w} (the list of local hostnames) as $U.UUCP. 162138032Speter 162238032SpeterThe siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing 162338032Spetermore than a sequence of SITE macros describing connectivity. For 162438032Speterexample: 162538032Speter 162664562Sgshapiro SITE(`cnmat') 162764562Sgshapiro SITE(`sgi olympus') 162838032Speter 162938032SpeterThe second example demonstrates that you can use two names on the 163038032Spetersame line; these are usually aliases for the same host (or are at 163138032Speterleast in the same company). 163238032Speter 1633132943SgshapiroThe macro LOCAL_UUCP can be used to add rules into the generated 1634132943Sgshapirocf file at the place where MAILER(`uucp') inserts its rules. This 1635132943Sgshapiroshould only be used if really necessary. 163638032Speter 163738032Speter+--------------------+ 163838032Speter| USING UUCP MAILERS | 163938032Speter+--------------------+ 164038032Speter 164138032SpeterIt's hard to get UUCP mailers right because of the extremely ad hoc 164238032Speternature of UUCP addressing. These config files are really designed 164338032Speterfor domain-based addressing, even for UUCP sites. 164438032Speter 164538032SpeterThere are four UUCP mailers available. The choice of which one to 164638032Speteruse is partly a matter of local preferences and what is running at 164738032Speterthe other end of your UUCP connection. Unlike good protocols that 164838032Speterdefine what will go over the wire, UUCP uses the policy that you 164938032Spetershould do what is right for the other end; if they change, you have 165038032Speterto change. This makes it hard to do the right thing, and discourages 165138032Speterpeople from updating their software. In general, if you can avoid 165238032SpeterUUCP, please do. 165338032Speter 165438032SpeterThe major choice is whether to go for a domainized scheme or a 165538032Speternon-domainized scheme. This depends entirely on what the other 165638032Speterend will recognize. If at all possible, you should encourage the 165738032Speterother end to go to a domain-based system -- non-domainized addresses 165838032Speterdon't work entirely properly. 165938032Speter 166038032SpeterThe four mailers are: 166138032Speter 166238032Speter uucp-old (obsolete name: "uucp") 166338032Speter This is the oldest, the worst (but the closest to UUCP) way of 1664147078Sgshapiro sending messages across UUCP connections. It does bangify 166538032Speter everything and prepends $U (your UUCP name) to the sender's 166638032Speter address (which can already be a bang path itself). It can 166738032Speter only send to one address at a time, so it spends a lot of 166838032Speter time copying duplicates of messages. Avoid this if at all 166938032Speter possible. 167038032Speter 167138032Speter uucp-new (obsolete name: "suucp") 167238032Speter The same as above, except that it assumes that in one rmail 167338032Speter command you can specify several recipients. It still has a 167438032Speter lot of other problems. 167538032Speter 167638032Speter uucp-dom 167738032Speter This UUCP mailer keeps everything as domain addresses. 167838032Speter Basically, it uses the SMTP mailer rewriting rules. This mailer 167990792Sgshapiro is only included if MAILER(`smtp') is specified before 168090792Sgshapiro MAILER(`uucp'). 168138032Speter 168238032Speter Unfortunately, a lot of UUCP mailer transport agents require 168338032Speter bangified addresses in the envelope, although you can use 168438032Speter domain-based addresses in the message header. (The envelope 168538032Speter shows up as the From_ line on UNIX mail.) So.... 168638032Speter 168738032Speter uucp-uudom 168838032Speter This is a cross between uucp-new (for the envelope addresses) 168938032Speter and uucp-dom (for the header addresses). It bangifies the 169038032Speter envelope sender (From_ line in messages) without adding the 169138032Speter local hostname, unless there is no host name on the address 169238032Speter at all (e.g., "wolf") or the host component is a UUCP host name 169338032Speter instead of a domain name ("somehost!wolf" instead of 169464562Sgshapiro "some.dom.ain!wolf"). This is also included only if MAILER(`smtp') 169590792Sgshapiro is also specified earlier. 169638032Speter 169738032SpeterExamples: 169838032Speter 169964562SgshapiroOn host grasp.insa-lyon.fr (UUCP host name "grasp"), the following 170064562Sgshapirosummarizes the sender rewriting for various mailers. 170138032Speter 170266494SgshapiroMailer sender rewriting in the envelope 170338032Speter------ ------ ------------------------- 170438032Speteruucp-{old,new} wolf grasp!wolf 170538032Speteruucp-dom wolf wolf@grasp.insa-lyon.fr 170638032Speteruucp-uudom wolf grasp.insa-lyon.fr!wolf 170738032Speter 170838032Speteruucp-{old,new} wolf@fr.net grasp!fr.net!wolf 170938032Speteruucp-dom wolf@fr.net wolf@fr.net 171038032Speteruucp-uudom wolf@fr.net fr.net!wolf 171138032Speter 171238032Speteruucp-{old,new} somehost!wolf grasp!somehost!wolf 171338032Speteruucp-dom somehost!wolf somehost!wolf@grasp.insa-lyon.fr 171438032Speteruucp-uudom somehost!wolf grasp.insa-lyon.fr!somehost!wolf 171538032Speter 171638032SpeterIf you are using one of the domainized UUCP mailers, you really want 171738032Speterto convert all UUCP addresses to domain format -- otherwise, it will 171838032Speterdo it for you (and probably not the way you expected). For example, 171938032Speterif you have the address foo!bar!baz (and you are not sending to foo), 172038032Speterthe heuristics will add the @uucp.relay.name or @local.host.name to 172138032Speterthis address. However, if you map foo to foo.host.name first, it 172238032Speterwill not add the local hostname. You can do this using the uucpdomain 172338032Speterfeature. 172438032Speter 172538032Speter 172638032Speter+-------------------+ 172738032Speter| TWEAKING RULESETS | 172838032Speter+-------------------+ 172938032Speter 173038032SpeterFor more complex configurations, you can define special rules. 173138032SpeterThe macro LOCAL_RULE_3 introduces rules that are used in canonicalizing 173238032Speterthe names. Any modifications made here are reflected in the header. 173338032Speter 173438032SpeterA common use is to convert old UUCP addresses to SMTP addresses using 173538032Speterthe UUCPSMTP macro. For example: 173638032Speter 173738032Speter LOCAL_RULE_3 173864562Sgshapiro UUCPSMTP(`decvax', `decvax.dec.com') 173964562Sgshapiro UUCPSMTP(`research', `research.att.com') 174038032Speter 174138032Speterwill cause addresses of the form "decvax!user" and "research!user" 174238032Speterto be converted to "user@decvax.dec.com" and "user@research.att.com" 174338032Speterrespectively. 174438032Speter 174538032SpeterThis could also be used to look up hosts in a database map: 174638032Speter 174738032Speter LOCAL_RULE_3 174838032Speter R$* < @ $+ > $* $: $1 < @ $(hostmap $2 $) > $3 174938032Speter 175038032SpeterThis map would be defined in the LOCAL_CONFIG portion, as shown below. 175138032Speter 175238032SpeterSimilarly, LOCAL_RULE_0 can be used to introduce new parsing rules. 175338032SpeterFor example, new rules are needed to parse hostnames that you accept 175438032Spetervia MX records. For example, you might have: 175538032Speter 175638032Speter LOCAL_RULE_0 175738032Speter R$+ <@ host.dom.ain.> $#uucp $@ cnmat $: $1 < @ host.dom.ain.> 175838032Speter 175938032SpeterYou would use this if you had installed an MX record for cnmat.Berkeley.EDU 176038032Speterpointing at this host; this rule catches the message and forwards it on 176138032Speterusing UUCP. 176238032Speter 176338032SpeterYou can also tweak rulesets 1 and 2 using LOCAL_RULE_1 and LOCAL_RULE_2. 176438032SpeterThese rulesets are normally empty. 176538032Speter 176638032SpeterA similar macro is LOCAL_CONFIG. This introduces lines added after the 176764562Sgshapiroboilerplate option setting but before rulesets. Do not declare rulesets in 176864562Sgshapirothe LOCAL_CONFIG section. It can be used to declare local database maps or 176964562Sgshapirowhatever. For example: 177038032Speter 177138032Speter LOCAL_CONFIG 177264562Sgshapiro Khostmap hash /etc/mail/hostmap 177338032Speter Kyplocal nis -m hosts.byname 177438032Speter 177538032Speter 177638032Speter+---------------------------+ 177738032Speter| MASQUERADING AND RELAYING | 177838032Speter+---------------------------+ 177938032Speter 178038032SpeterYou can have your host masquerade as another using 178138032Speter 178264562Sgshapiro MASQUERADE_AS(`host.domain') 178338032Speter 178438032SpeterThis causes mail being sent to be labeled as coming from the 178538032Speterindicated host.domain, rather than $j. One normally masquerades as 178664562Sgshapiroone of one's own subdomains (for example, it's unlikely that 178764562SgshapiroBerkeley would choose to masquerade as an MIT site). This 178864562Sgshapirobehaviour is modified by a plethora of FEATUREs; in particular, see 178964562Sgshapiromasquerade_envelope, allmasquerade, limited_masquerade, and 179064562Sgshapiromasquerade_entire_domain. 179138032Speter 179238032SpeterThe masquerade name is not normally canonified, so it is important 179338032Speterthat it be your One True Name, that is, fully qualified and not a 179438032SpeterCNAME. However, if you use a CNAME, the receiving side may canonify 179538032Speterit for you, so don't think you can cheat CNAME mapping this way. 179638032Speter 179738032SpeterNormally the only addresses that are masqueraded are those that come 179864562Sgshapirofrom this host (that is, are either unqualified or in class {w}, the list 179964562Sgshapiroof local domain names). You can augment this list, which is realized 180064562Sgshapiroby class {M} using 180138032Speter 180264562Sgshapiro MASQUERADE_DOMAIN(`otherhost.domain') 180338032Speter 180438032SpeterThe effect of this is that although mail to user@otherhost.domain 180538032Speterwill not be delivered locally, any mail including any user@otherhost.domain 180638032Speterwill, when relayed, be rewritten to have the MASQUERADE_AS address. 180738032SpeterThis can be a space-separated list of names. 180838032Speter 180938032SpeterIf these names are in a file, you can use 181038032Speter 181164562Sgshapiro MASQUERADE_DOMAIN_FILE(`filename') 181238032Speter 181364562Sgshapiroto read the list of names from the indicated file (i.e., to add 181464562Sgshapiroelements to class {M}). 181538032Speter 181664562SgshapiroTo exempt hosts or subdomains from being masqueraded, you can use 181764562Sgshapiro 181864562Sgshapiro MASQUERADE_EXCEPTION(`host.domain') 181964562Sgshapiro 182064562SgshapiroThis can come handy if you want to masquerade a whole domain 182190792Sgshapiroexcept for one (or a few) host(s). If these names are in a file, 182290792Sgshapiroyou can use 182364562Sgshapiro 182490792Sgshapiro MASQUERADE_EXCEPTION_FILE(`filename') 182590792Sgshapiro 182638032SpeterNormally only header addresses are masqueraded. If you want to 182738032Spetermasquerade the envelope as well, use 182838032Speter 182943730Speter FEATURE(`masquerade_envelope') 183038032Speter 183138032SpeterThere are always users that need to be "exposed" -- that is, their 183238032Speterinternal site name should be displayed instead of the masquerade name. 183364562SgshapiroRoot is an example (which has been "exposed" by default prior to 8.10). 183464562SgshapiroYou can add users to this list using 183538032Speter 183664562Sgshapiro EXPOSED_USER(`usernames') 183738032Speter 183890792SgshapiroThis adds users to class {E}; you could also use 183938032Speter 184090792Sgshapiro EXPOSED_USER_FILE(`filename') 184138032Speter 184238032SpeterYou can also arrange to relay all unqualified names (that is, names 184338032Speterwithout @host) to a relay host. For example, if you have a central 184438032Speteremail server, you might relay to that host so that users don't have 184538032Speterto have .forward files or aliases. You can do this using 184638032Speter 184743730Speter define(`LOCAL_RELAY', `mailer:hostname') 184838032Speter 184938032SpeterThe ``mailer:'' can be omitted, in which case the mailer defaults to 185038032Speter"relay". There are some user names that you don't want relayed, perhaps 185138032Speterbecause of local aliases. A common example is root, which may be 185238032Speterlocally aliased. You can add entries to this list using 185338032Speter 185464562Sgshapiro LOCAL_USER(`usernames') 185538032Speter 185690792SgshapiroThis adds users to class {L}; you could also use 185738032Speter 185890792Sgshapiro LOCAL_USER_FILE(`filename') 185938032Speter 186038032SpeterIf you want all incoming mail sent to a centralized hub, as for a 186138032Spetershared /var/spool/mail scheme, use 186238032Speter 186343730Speter define(`MAIL_HUB', `mailer:hostname') 186438032Speter 186538032SpeterAgain, ``mailer:'' defaults to "relay". If you define both LOCAL_RELAY 186643730Speterand MAIL_HUB _AND_ you have FEATURE(`stickyhost'), unqualified names will 186738032Speterbe sent to the LOCAL_RELAY and other local names will be sent to MAIL_HUB. 186864562SgshapiroNote: there is a (long standing) bug which keeps this combination from 186964562Sgshapiroworking for addresses of the form user+detail. 187064562SgshapiroNames in class {L} will be delivered locally, so you MUST have aliases or 187138032Speter.forward files for them. 187238032Speter 187338032SpeterFor example, if you are on machine mastodon.CS.Berkeley.EDU and you have 187443730SpeterFEATURE(`stickyhost'), the following combinations of settings will have the 187538032Speterindicated effects: 187638032Speter 187738032Speteremail sent to.... eric eric@mastodon.CS.Berkeley.EDU 187838032Speter 187938032SpeterLOCAL_RELAY set to mail.CS.Berkeley.EDU (delivered locally) 188038032Spetermail.CS.Berkeley.EDU (no local aliasing) (aliasing done) 188138032Speter 188238032SpeterMAIL_HUB set to mammoth.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 188338032Spetermammoth.CS.Berkeley.EDU (aliasing done) (aliasing done) 188438032Speter 188538032SpeterBoth LOCAL_RELAY and mail.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 188638032SpeterMAIL_HUB set as above (no local aliasing) (aliasing done) 188738032Speter 188843730SpeterIf you do not have FEATURE(`stickyhost') set, then LOCAL_RELAY and 188938032SpeterMAIL_HUB act identically, with MAIL_HUB taking precedence. 189038032Speter 189138032SpeterIf you want all outgoing mail to go to a central relay site, define 189238032SpeterSMART_HOST as well. Briefly: 189338032Speter 189438032Speter LOCAL_RELAY applies to unqualified names (e.g., "eric"). 189538032Speter MAIL_HUB applies to names qualified with the name of the 189638032Speter local host (e.g., "eric@mastodon.CS.Berkeley.EDU"). 189764562Sgshapiro SMART_HOST applies to names qualified with other hosts or 189864562Sgshapiro bracketed addresses (e.g., "eric@mastodon.CS.Berkeley.EDU" 189964562Sgshapiro or "eric@[127.0.0.1]"). 190038032Speter 190138032SpeterHowever, beware that other relays (e.g., UUCP_RELAY, BITNET_RELAY, 190238032SpeterDECNET_RELAY, and FAX_RELAY) take precedence over SMART_HOST, so if you 190338032Speterreally want absolutely everything to go to a single central site you will 190438032Speterneed to unset all the other relays -- or better yet, find or build a 190538032Speterminimal config file that does this. 190638032Speter 190738032SpeterFor duplicate suppression to work properly, the host name is best 190838032Speterspecified with a terminal dot: 190938032Speter 191038032Speter define(`MAIL_HUB', `host.domain.') 191138032Speter note the trailing dot ---^ 191238032Speter 191338032Speter 191490792Sgshapiro+-------------------------------------------+ 191590792Sgshapiro| USING LDAP FOR ALIASES, MAPS, AND CLASSES | 191690792Sgshapiro+-------------------------------------------+ 191790792Sgshapiro 191890792SgshapiroLDAP can be used for aliases, maps, and classes by either specifying your 191990792Sgshapiroown LDAP map specification or using the built-in default LDAP map 192090792Sgshapirospecification. The built-in default specifications all provide lookups 192190792Sgshapirowhich match against either the machine's fully qualified hostname (${j}) or 192290792Sgshapiroa "cluster". The cluster allows you to share LDAP entries among a large 192390792Sgshapironumber of machines without having to enter each of the machine names into 192490792Sgshapiroeach LDAP entry. To set the LDAP cluster name to use for a particular 192590792Sgshapiromachine or set of machines, set the confLDAP_CLUSTER m4 variable to a 192690792Sgshapirounique name. For example: 192790792Sgshapiro 192890792Sgshapiro define(`confLDAP_CLUSTER', `Servers') 192990792Sgshapiro 193090792SgshapiroHere, the word `Servers' will be the cluster name. As an example, assume 193190792Sgshapirothat smtp.sendmail.org, etrn.sendmail.org, and mx.sendmail.org all belong 193290792Sgshapiroto the Servers cluster. 193390792Sgshapiro 193490792SgshapiroSome of the LDAP LDIF examples below show use of the Servers cluster. 193590792SgshapiroEvery entry must have either a sendmailMTAHost or sendmailMTACluster 193690792Sgshapiroattribute or it will be ignored. Be careful as mixing clusters and 193790792Sgshapiroindividual host records can have surprising results (see the CAUTION 193890792Sgshapirosections below). 193990792Sgshapiro 194090792SgshapiroSee the file cf/sendmail.schema for the actual LDAP schemas. Note that 194190792Sgshapirothis schema (and therefore the lookups and examples below) is experimental 194290792Sgshapiroat this point as it has had little public review. Therefore, it may change 1943157001Sgshapiroin future versions. Feedback via sendmail-YYYY@support.sendmail.org is 1944157001Sgshapiroencouraged (replace YYYY with the current year, e.g., 2005). 194590792Sgshapiro 194690792Sgshapiro------- 194790792SgshapiroAliases 194890792Sgshapiro------- 194990792Sgshapiro 195090792SgshapiroThe ALIAS_FILE (O AliasFile) option can be set to use LDAP for alias 195190792Sgshapirolookups. To use the default schema, simply use: 195290792Sgshapiro 195390792Sgshapiro define(`ALIAS_FILE', `ldap:') 195490792Sgshapiro 195590792SgshapiroBy doing so, you will use the default schema which expands to a map 195690792Sgshapirodeclared as follows: 195790792Sgshapiro 195890792Sgshapiro ldap -k (&(objectClass=sendmailMTAAliasObject) 195990792Sgshapiro (sendmailMTAAliasGrouping=aliases) 196090792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 196190792Sgshapiro (sendmailMTAHost=$j)) 196290792Sgshapiro (sendmailMTAKey=%0)) 1963132943Sgshapiro -v sendmailMTAAliasValue,sendmailMTAAliasSearch:FILTER:sendmailMTAAliasObject,sendmailMTAAliasURL:URL:sendmailMTAAliasObject 196490792Sgshapiro 1965132943Sgshapiro 196690792SgshapiroNOTE: The macros shown above ${sendmailMTACluster} and $j are not actually 196790792Sgshapiroused when the binary expands the `ldap:' token as the AliasFile option is 196890792Sgshapironot actually macro-expanded when read from the sendmail.cf file. 196990792Sgshapiro 197090792SgshapiroExample LDAP LDIF entries might be: 197190792Sgshapiro 197290792Sgshapiro dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org 197390792Sgshapiro objectClass: sendmailMTA 197490792Sgshapiro objectClass: sendmailMTAAlias 197590792Sgshapiro objectClass: sendmailMTAAliasObject 197690792Sgshapiro sendmailMTAAliasGrouping: aliases 197790792Sgshapiro sendmailMTAHost: etrn.sendmail.org 197890792Sgshapiro sendmailMTAKey: sendmail-list 197990792Sgshapiro sendmailMTAAliasValue: ca@example.org 198090792Sgshapiro sendmailMTAAliasValue: eric 198190792Sgshapiro sendmailMTAAliasValue: gshapiro@example.com 198290792Sgshapiro 198390792Sgshapiro dn: sendmailMTAKey=owner-sendmail-list, dc=sendmail, dc=org 198490792Sgshapiro objectClass: sendmailMTA 198590792Sgshapiro objectClass: sendmailMTAAlias 198690792Sgshapiro objectClass: sendmailMTAAliasObject 198790792Sgshapiro sendmailMTAAliasGrouping: aliases 198890792Sgshapiro sendmailMTAHost: etrn.sendmail.org 198990792Sgshapiro sendmailMTAKey: owner-sendmail-list 199090792Sgshapiro sendmailMTAAliasValue: eric 199190792Sgshapiro 199290792Sgshapiro dn: sendmailMTAKey=postmaster, dc=sendmail, dc=org 199390792Sgshapiro objectClass: sendmailMTA 199490792Sgshapiro objectClass: sendmailMTAAlias 199590792Sgshapiro objectClass: sendmailMTAAliasObject 199690792Sgshapiro sendmailMTAAliasGrouping: aliases 199790792Sgshapiro sendmailMTACluster: Servers 199890792Sgshapiro sendmailMTAKey: postmaster 199990792Sgshapiro sendmailMTAAliasValue: eric 200090792Sgshapiro 200190792SgshapiroHere, the aliases sendmail-list and owner-sendmail-list will be available 200290792Sgshapiroonly on etrn.sendmail.org but the postmaster alias will be available on 200390792Sgshapiroevery machine in the Servers cluster (including etrn.sendmail.org). 200490792Sgshapiro 200590792SgshapiroCAUTION: aliases are additive so that entries like these: 200690792Sgshapiro 200790792Sgshapiro dn: sendmailMTAKey=bob, dc=sendmail, dc=org 200890792Sgshapiro objectClass: sendmailMTA 200990792Sgshapiro objectClass: sendmailMTAAlias 201090792Sgshapiro objectClass: sendmailMTAAliasObject 201190792Sgshapiro sendmailMTAAliasGrouping: aliases 201290792Sgshapiro sendmailMTACluster: Servers 201390792Sgshapiro sendmailMTAKey: bob 201490792Sgshapiro sendmailMTAAliasValue: eric 201590792Sgshapiro 201694334Sgshapiro dn: sendmailMTAKey=bobetrn, dc=sendmail, dc=org 201790792Sgshapiro objectClass: sendmailMTA 201890792Sgshapiro objectClass: sendmailMTAAlias 201990792Sgshapiro objectClass: sendmailMTAAliasObject 202090792Sgshapiro sendmailMTAAliasGrouping: aliases 202190792Sgshapiro sendmailMTAHost: etrn.sendmail.org 202290792Sgshapiro sendmailMTAKey: bob 202390792Sgshapiro sendmailMTAAliasValue: gshapiro 202490792Sgshapiro 202590792Sgshapirowould mean that on all of the hosts in the cluster, mail to bob would go to 202690792Sgshapiroeric EXCEPT on etrn.sendmail.org in which case it would go to BOTH eric and 202790792Sgshapirogshapiro. 202890792Sgshapiro 202990792SgshapiroIf you prefer not to use the default LDAP schema for your aliases, you can 203090792Sgshapirospecify the map parameters when setting ALIAS_FILE. For example: 203190792Sgshapiro 203290792Sgshapiro define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember') 203390792Sgshapiro 203490792Sgshapiro---- 203590792SgshapiroMaps 203690792Sgshapiro---- 203790792Sgshapiro 203890792SgshapiroFEATURE()'s which take an optional map definition argument (e.g., access, 203990792Sgshapiromailertable, virtusertable, etc.) can instead take the special keyword 204090792Sgshapiro`LDAP', e.g.: 204190792Sgshapiro 204290792Sgshapiro FEATURE(`access_db', `LDAP') 204390792Sgshapiro FEATURE(`virtusertable', `LDAP') 204490792Sgshapiro 204590792SgshapiroWhen this keyword is given, that map will use LDAP lookups consisting of 204690792Sgshapirothe objectClass sendmailMTAClassObject, the attribute sendmailMTAMapName 204790792Sgshapirowith the map name, a search attribute of sendmailMTAKey, and the value 204890792Sgshapiroattribute sendmailMTAMapValue. 204990792Sgshapiro 205090792SgshapiroThe values for sendmailMTAMapName are: 205190792Sgshapiro 205290792Sgshapiro FEATURE() sendmailMTAMapName 205390792Sgshapiro --------- ------------------ 205490792Sgshapiro access_db access 205590792Sgshapiro authinfo authinfo 205690792Sgshapiro bitdomain bitdomain 205790792Sgshapiro domaintable domain 205890792Sgshapiro genericstable generics 205990792Sgshapiro mailertable mailer 206090792Sgshapiro uucpdomain uucpdomain 206190792Sgshapiro virtusertable virtuser 206290792Sgshapiro 206390792SgshapiroFor example, FEATURE(`mailertable', `LDAP') would use the map definition: 206490792Sgshapiro 206590792Sgshapiro Kmailertable ldap -k (&(objectClass=sendmailMTAMapObject) 206690792Sgshapiro (sendmailMTAMapName=mailer) 206790792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 206890792Sgshapiro (sendmailMTAHost=$j)) 206990792Sgshapiro (sendmailMTAKey=%0)) 2070132943Sgshapiro -1 -v sendmailMTAMapValue,sendmailMTAMapSearch:FILTER:sendmailMTAMapObject,sendmailMTAMapURL:URL:sendmailMTAMapObject 207190792Sgshapiro 207290792SgshapiroAn example LDAP LDIF entry using this map might be: 207390792Sgshapiro 207490792Sgshapiro dn: sendmailMTAMapName=mailer, dc=sendmail, dc=org 207590792Sgshapiro objectClass: sendmailMTA 207690792Sgshapiro objectClass: sendmailMTAMap 207790792Sgshapiro sendmailMTACluster: Servers 207890792Sgshapiro sendmailMTAMapName: mailer 207990792Sgshapiro 208090792Sgshapiro dn: sendmailMTAKey=example.com, sendmailMTAMapName=mailer, dc=sendmail, dc=org 208190792Sgshapiro objectClass: sendmailMTA 208290792Sgshapiro objectClass: sendmailMTAMap 208390792Sgshapiro objectClass: sendmailMTAMapObject 208490792Sgshapiro sendmailMTAMapName: mailer 208590792Sgshapiro sendmailMTACluster: Servers 208690792Sgshapiro sendmailMTAKey: example.com 208790792Sgshapiro sendmailMTAMapValue: relay:[smtp.example.com] 208890792Sgshapiro 208990792SgshapiroCAUTION: If your LDAP database contains the record above and *ALSO* a host 209090792Sgshapirospecific record such as: 209190792Sgshapiro 209290792Sgshapiro dn: sendmailMTAKey=example.com@etrn, sendmailMTAMapName=mailer, dc=sendmail, dc=org 209390792Sgshapiro objectClass: sendmailMTA 209490792Sgshapiro objectClass: sendmailMTAMap 209590792Sgshapiro objectClass: sendmailMTAMapObject 209690792Sgshapiro sendmailMTAMapName: mailer 209790792Sgshapiro sendmailMTAHost: etrn.sendmail.org 209890792Sgshapiro sendmailMTAKey: example.com 209990792Sgshapiro sendmailMTAMapValue: relay:[mx.example.com] 210090792Sgshapiro 210190792Sgshapirothen these entries will give unexpected results. When the lookup is done 210290792Sgshapiroon etrn.sendmail.org, the effect is that there is *NO* match at all as maps 210390792Sgshapirorequire a single match. Since the host etrn.sendmail.org is also in the 210490792SgshapiroServers cluster, LDAP would return two answers for the example.com map key 210590792Sgshapiroin which case sendmail would treat this as no match at all. 210690792Sgshapiro 210790792SgshapiroIf you prefer not to use the default LDAP schema for your maps, you can 210890792Sgshapirospecify the map parameters when using the FEATURE(). For example: 210990792Sgshapiro 211090792Sgshapiro FEATURE(`access_db', `ldap:-1 -k (&(objectClass=mapDatabase)(key=%0)) -v value') 211190792Sgshapiro 211290792Sgshapiro------- 211390792SgshapiroClasses 211490792Sgshapiro------- 211590792Sgshapiro 211690792SgshapiroNormally, classes can be filled via files or programs. As of 8.12, they 211790792Sgshapirocan also be filled via map lookups using a new syntax: 211890792Sgshapiro 211990792Sgshapiro F{ClassName}mapkey@mapclass:mapspec 212090792Sgshapiro 212190792Sgshapiromapkey is optional and if not provided the map key will be empty. This can 212290792Sgshapirobe used with LDAP to read classes from LDAP. Note that the lookup is only 212390792Sgshapirodone when sendmail is initially started. Use the special value `@LDAP' to 212490792Sgshapirouse the default LDAP schema. For example: 212590792Sgshapiro 212690792Sgshapiro RELAY_DOMAIN_FILE(`@LDAP') 212790792Sgshapiro 212890792Sgshapirowould put all of the attribute sendmailMTAClassValue values of LDAP records 212990792Sgshapirowith objectClass sendmailMTAClass and an attribute sendmailMTAClassName of 213090792Sgshapiro'R' into class $={R}. In other words, it is equivalent to the LDAP map 213190792Sgshapirospecification: 213290792Sgshapiro 213390792Sgshapiro F{R}@ldap:-k (&(objectClass=sendmailMTAClass) 213490792Sgshapiro (sendmailMTAClassName=R) 213590792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 213690792Sgshapiro (sendmailMTAHost=$j))) 2137132943Sgshapiro -v sendmailMTAClassValue,sendmailMTAClassSearch:FILTER:sendmailMTAClass,sendmailMTAClassURL:URL:sendmailMTAClass 213890792Sgshapiro 213990792SgshapiroNOTE: The macros shown above ${sendmailMTACluster} and $j are not actually 214090792Sgshapiroused when the binary expands the `@LDAP' token as class declarations are 214190792Sgshapironot actually macro-expanded when read from the sendmail.cf file. 214290792Sgshapiro 214390792SgshapiroThis can be used with class related commands such as RELAY_DOMAIN_FILE(), 214490792SgshapiroMASQUERADE_DOMAIN_FILE(), etc: 214590792Sgshapiro 214690792Sgshapiro Command sendmailMTAClassName 214790792Sgshapiro ------- -------------------- 214890792Sgshapiro CANONIFY_DOMAIN_FILE() Canonify 214990792Sgshapiro EXPOSED_USER_FILE() E 215090792Sgshapiro GENERICS_DOMAIN_FILE() G 215190792Sgshapiro LDAPROUTE_DOMAIN_FILE() LDAPRoute 215290792Sgshapiro LDAPROUTE_EQUIVALENT_FILE() LDAPRouteEquiv 215390792Sgshapiro LOCAL_USER_FILE() L 215490792Sgshapiro MASQUERADE_DOMAIN_FILE() M 215590792Sgshapiro MASQUERADE_EXCEPTION_FILE() N 215690792Sgshapiro RELAY_DOMAIN_FILE() R 215790792Sgshapiro VIRTUSER_DOMAIN_FILE() VirtHost 215890792Sgshapiro 215990792SgshapiroYou can also add your own as any 'F'ile class of the form: 216090792Sgshapiro 216190792Sgshapiro F{ClassName}@LDAP 216290792Sgshapiro ^^^^^^^^^ 216390792Sgshapirowill use "ClassName" for the sendmailMTAClassName. 216490792Sgshapiro 216590792SgshapiroAn example LDAP LDIF entry would look like: 216690792Sgshapiro 216790792Sgshapiro dn: sendmailMTAClassName=R, dc=sendmail, dc=org 216890792Sgshapiro objectClass: sendmailMTA 216990792Sgshapiro objectClass: sendmailMTAClass 217090792Sgshapiro sendmailMTACluster: Servers 217190792Sgshapiro sendmailMTAClassName: R 217290792Sgshapiro sendmailMTAClassValue: sendmail.org 217390792Sgshapiro sendmailMTAClassValue: example.com 217490792Sgshapiro sendmailMTAClassValue: 10.56.23 217590792Sgshapiro 217690792SgshapiroCAUTION: If your LDAP database contains the record above and *ALSO* a host 217790792Sgshapirospecific record such as: 217890792Sgshapiro 217990792Sgshapiro dn: sendmailMTAClassName=R@etrn.sendmail.org, dc=sendmail, dc=org 218090792Sgshapiro objectClass: sendmailMTA 218190792Sgshapiro objectClass: sendmailMTAClass 218290792Sgshapiro sendmailMTAHost: etrn.sendmail.org 218390792Sgshapiro sendmailMTAClassName: R 218490792Sgshapiro sendmailMTAClassValue: example.com 218590792Sgshapiro 218690792Sgshapirothe result will be similar to the aliases caution above. When the lookup 218790792Sgshapirois done on etrn.sendmail.org, $={R} would contain all of the entries (from 218890792Sgshapiroboth the cluster match and the host match). In other words, the effective 218990792Sgshapirois additive. 219090792Sgshapiro 219190792SgshapiroIf you prefer not to use the default LDAP schema for your classes, you can 219290792Sgshapirospecify the map parameters when using the class command. For example: 219390792Sgshapiro 219490792Sgshapiro VIRTUSER_DOMAIN_FILE(`@ldap:-k (&(objectClass=virtHosts)(host=*)) -v host') 219590792Sgshapiro 219690792SgshapiroRemember, macros can not be used in a class declaration as the binary does 219790792Sgshapironot expand them. 219890792Sgshapiro 219990792Sgshapiro 220064562Sgshapiro+--------------+ 220164562Sgshapiro| LDAP ROUTING | 220264562Sgshapiro+--------------+ 220364562Sgshapiro 220464562SgshapiroFEATURE(`ldap_routing') can be used to implement the IETF Internet Draft 220564562SgshapiroLDAP Schema for Intranet Mail Routing 220664562Sgshapiro(draft-lachman-laser-ldap-mail-routing-01). This feature enables 220764562SgshapiroLDAP-based rerouting of a particular address to either a different host 220864562Sgshapiroor a different address. The LDAP lookup is first attempted on the full 220964562Sgshapiroaddress (e.g., user@example.com) and then on the domain portion 221064562Sgshapiro(e.g., @example.com). Be sure to setup your domain for LDAP routing using 221164562SgshapiroLDAPROUTE_DOMAIN(), e.g.: 221264562Sgshapiro 221364562Sgshapiro LDAPROUTE_DOMAIN(`example.com') 221464562Sgshapiro 221590792SgshapiroAdditionally, you can specify equivalent domains for LDAP routing using 221690792SgshapiroLDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE(). 'Equivalent' 221790792Sgshapirohostnames are mapped to $M (the masqueraded hostname for the server) before 221890792Sgshapirothe LDAP query. For example, if the mail is addressed to 221990792Sgshapirouser@host1.example.com, normally the LDAP lookup would only be done for 222090792Sgshapiro'user@host1.example.com' and '@host1.example.com'. However, if 222190792SgshapiroLDAPROUTE_EQUIVALENT(`host1.example.com') is used, the lookups would also be 222290792Sgshapirodone on 'user@example.com' and '@example.com' after attempting the 222390792Sgshapirohost1.example.com lookups. 222490792Sgshapiro 222564562SgshapiroBy default, the feature will use the schemas as specified in the draft 222664562Sgshapiroand will not reject addresses not found by the LDAP lookup. However, 222764562Sgshapirothis behavior can be changed by giving additional arguments to the FEATURE() 222864562Sgshapirocommand: 222964562Sgshapiro 2230132943Sgshapiro FEATURE(`ldap_routing', <mailHost>, <mailRoutingAddress>, <bounce>, 2231132943Sgshapiro <detail>, <nodomain>, <tempfail>) 223264562Sgshapiro 223364562Sgshapirowhere <mailHost> is a map definition describing how to lookup an alternative 223464562Sgshapiromail host for a particular address; <mailRoutingAddress> is a map definition 223590792Sgshapirodescribing how to lookup an alternative address for a particular address; 223664562Sgshapirothe <bounce> argument, if present and not the word "passthru", dictates 223764562Sgshapirothat mail should be bounced if neither a mailHost nor mailRoutingAddress 2238132943Sgshapirois found, if set to "sendertoo", the sender will be rejected if not 2239132943Sgshapirofound in LDAP; and <detail> indicates what actions to take if the address 224090792Sgshapirocontains +detail information -- `strip' tries the lookup with the +detail 224190792Sgshapiroand if no matches are found, strips the +detail and tries the lookup again; 224290792Sgshapiro`preserve', does the same as `strip' but if a mailRoutingAddress match is 2243132943Sgshapirofound, the +detail information is copied to the new address; the <nodomain> 2244132943Sgshapiroargument, if present, will prevent the @domain lookup if the full 2245132943Sgshapiroaddress is not found in LDAP; the <tempfail> argument, if set to 2246132943Sgshapiro"tempfail", instructs the rules to give an SMTP 4XX temporary 2247132943Sgshapiroerror if the LDAP server gives the MTA a temporary failure, or if set to 2248132943Sgshapiro"queue" (the default), the MTA will locally queue the mail. 224964562Sgshapiro 225064562SgshapiroThe default <mailHost> map definition is: 225164562Sgshapiro 225294334Sgshapiro ldap -1 -T<TMPF> -v mailHost -k (&(objectClass=inetLocalMailRecipient) 225364562Sgshapiro (mailLocalAddress=%0)) 225464562Sgshapiro 225564562SgshapiroThe default <mailRoutingAddress> map definition is: 225664562Sgshapiro 225794334Sgshapiro ldap -1 -T<TMPF> -v mailRoutingAddress 225894334Sgshapiro -k (&(objectClass=inetLocalMailRecipient) 225994334Sgshapiro (mailLocalAddress=%0)) 226064562Sgshapiro 226164562SgshapiroNote that neither includes the LDAP server hostname (-h server) or base DN 226264562Sgshapiro(-b o=org,c=COUNTRY), both necessary for LDAP queries. It is presumed that 226364562Sgshapiroyour .mc file contains a setting for the confLDAP_DEFAULT_SPEC option with 226464562Sgshapirothese settings. If this is not the case, the map definitions should be 226594334Sgshapirochanged as described above. The "-T<TMPF>" is required in any user 226694334Sgshapirospecified map definition to catch temporary errors. 226764562Sgshapiro 226864562SgshapiroThe following possibilities exist as a result of an LDAP lookup on an 226964562Sgshapiroaddress: 227064562Sgshapiro 227164562Sgshapiro mailHost is mailRoutingAddress is Results in 227264562Sgshapiro ----------- --------------------- ---------- 227364562Sgshapiro set to a set mail delivered to 227464562Sgshapiro "local" host mailRoutingAddress 227564562Sgshapiro 227664562Sgshapiro set to a not set delivered to 227764562Sgshapiro "local" host original address 227864562Sgshapiro 227964562Sgshapiro set to a set mailRoutingAddress 228064562Sgshapiro remote host relayed to mailHost 228164562Sgshapiro 228264562Sgshapiro set to a not set original address 228364562Sgshapiro remote host relayed to mailHost 228464562Sgshapiro 228564562Sgshapiro not set set mail delivered to 228664562Sgshapiro mailRoutingAddress 228764562Sgshapiro 228864562Sgshapiro not set not set delivered to 228964562Sgshapiro original address *OR* 229064562Sgshapiro bounced as unknown user 229164562Sgshapiro 229290792SgshapiroThe term "local" host above means the host specified is in class {w}. If 229390792Sgshapirothe result would mean sending the mail to a different host, that host is 229490792Sgshapirolooked up in the mailertable before delivery. 229590792Sgshapiro 229664562SgshapiroNote that the last case depends on whether the third argument is given 229764562Sgshapiroto the FEATURE() command. The default is to deliver the message to the 229864562Sgshapirooriginal address. 229964562Sgshapiro 230064562SgshapiroThe LDAP entries should be set up with an objectClass of 230164562SgshapiroinetLocalMailRecipient and the address be listed in a mailLocalAddress 230264562Sgshapiroattribute. If present, there must be only one mailHost attribute and it 230364562Sgshapiromust contain a fully qualified host name as its value. Similarly, if 230464562Sgshapiropresent, there must be only one mailRoutingAddress attribute and it must 230590792Sgshapirocontain an RFC 822 compliant address. Some example LDAP records (in LDIF 230664562Sgshapiroformat): 230764562Sgshapiro 230864562Sgshapiro dn: uid=tom, o=example.com, c=US 230964562Sgshapiro objectClass: inetLocalMailRecipient 231064562Sgshapiro mailLocalAddress: tom@example.com 231164562Sgshapiro mailRoutingAddress: thomas@mailhost.example.com 231264562Sgshapiro 231364562SgshapiroThis would deliver mail for tom@example.com to thomas@mailhost.example.com. 231464562Sgshapiro 231564562Sgshapiro dn: uid=dick, o=example.com, c=US 231664562Sgshapiro objectClass: inetLocalMailRecipient 231764562Sgshapiro mailLocalAddress: dick@example.com 231864562Sgshapiro mailHost: eng.example.com 231964562Sgshapiro 232064562SgshapiroThis would relay mail for dick@example.com to the same address but redirect 232190792Sgshapirothe mail to MX records listed for the host eng.example.com (unless the 232290792Sgshapiromailertable overrides). 232364562Sgshapiro 232464562Sgshapiro dn: uid=harry, o=example.com, c=US 232564562Sgshapiro objectClass: inetLocalMailRecipient 232664562Sgshapiro mailLocalAddress: harry@example.com 232764562Sgshapiro mailHost: mktmail.example.com 232864562Sgshapiro mailRoutingAddress: harry@mkt.example.com 232964562Sgshapiro 233064562SgshapiroThis would relay mail for harry@example.com to the MX records listed for 233164562Sgshapirothe host mktmail.example.com using the new address harry@mkt.example.com 233264562Sgshapirowhen talking to that host. 233364562Sgshapiro 233464562Sgshapiro dn: uid=virtual.example.com, o=example.com, c=US 233564562Sgshapiro objectClass: inetLocalMailRecipient 233664562Sgshapiro mailLocalAddress: @virtual.example.com 233764562Sgshapiro mailHost: server.example.com 233864562Sgshapiro mailRoutingAddress: virtual@example.com 233964562Sgshapiro 234064562SgshapiroThis would send all mail destined for any username @virtual.example.com to 234164562Sgshapirothe machine server.example.com's MX servers and deliver to the address 234264562Sgshapirovirtual@example.com on that relay machine. 234364562Sgshapiro 234464562Sgshapiro 234538032Speter+---------------------------------+ 234638032Speter| ANTI-SPAM CONFIGURATION CONTROL | 234738032Speter+---------------------------------+ 234838032Speter 234938032SpeterThe primary anti-spam features available in sendmail are: 235038032Speter 235138032Speter* Relaying is denied by default. 235238032Speter* Better checking on sender information. 235338032Speter* Access database. 235438032Speter* Header checks. 235538032Speter 235664562SgshapiroRelaying (transmission of messages from a site outside your host (class 235764562Sgshapiro{w}) to another site except yours) is denied by default. Note that this 235864562Sgshapirochanged in sendmail 8.9; previous versions allowed relaying by default. 235964562SgshapiroIf you really want to revert to the old behaviour, you will need to use 236064562SgshapiroFEATURE(`promiscuous_relay'). You can allow certain domains to relay 236164562Sgshapirothrough your server by adding their domain name or IP address to class 236264562Sgshapiro{R} using RELAY_DOMAIN() and RELAY_DOMAIN_FILE() or via the access database 236390792Sgshapiro(described below). Note that IPv6 addresses must be prefaced with "IPv6:". 236490792SgshapiroThe file consists (like any other file based class) of entries listed on 236590792Sgshapiroseparate lines, e.g., 236638032Speter 236764562Sgshapiro sendmail.org 236864562Sgshapiro 128.32 236990792Sgshapiro IPv6:2002:c0a8:02c7 237090792Sgshapiro IPv6:2002:c0a8:51d2::23f4 237164562Sgshapiro host.mydomain.com 237290792Sgshapiro [UNIX:localhost] 237364562Sgshapiro 237490792SgshapiroNotice: the last entry allows relaying for connections via a UNIX 237590792Sgshapirosocket to the MTA/MSP. This might be necessary if your configuration 237690792Sgshapirodoesn't allow relaying by other means in that case, e.g., by having 237790792Sgshapirolocalhost.$m in class {R} (make sure $m is not just a top level 237890792Sgshapirodomain). 237990792Sgshapiro 238038032SpeterIf you use 238138032Speter 238243730Speter FEATURE(`relay_entire_domain') 238338032Speter 238464562Sgshapirothen any host in any of your local domains (that is, class {m}) 238542575Speterwill be relayed (that is, you will accept mail either to or from any 238642575Speterhost in your domain). 238738032Speter 238838032SpeterYou can also allow relaying based on the MX records of the host 238938032Speterportion of an incoming recipient address by using 239038032Speter 239143730Speter FEATURE(`relay_based_on_MX') 239238032Speter 239338032SpeterFor example, if your server receives a recipient of user@domain.com 239438032Speterand domain.com lists your server in its MX records, the mail will be 239590792Sgshapiroaccepted for relay to domain.com. This feature may cause problems 239690792Sgshapiroif MX lookups for the recipient domain are slow or time out. In that 239790792Sgshapirocase, mail will be temporarily rejected. It is usually better to 239890792Sgshapiromaintain a list of hosts/domains for which the server acts as relay. 239990792SgshapiroNote also that this feature will stop spammers from using your host 240090792Sgshapiroto relay spam but it will not stop outsiders from using your server 240190792Sgshapiroas a relay for their site (that is, they set up an MX record pointing 240290792Sgshapiroto your mail server, and you will relay mail addressed to them 240390792Sgshapirowithout any prior arrangement). Along the same lines, 240438032Speter 240543730Speter FEATURE(`relay_local_from') 240638032Speter 240738032Speterwill allow relaying if the sender specifies a return path (i.e. 2408157001SgshapiroMAIL FROM:<user@domain>) domain which is a local domain. This is a 240938032Speterdangerous feature as it will allow spammers to spam using your mail 241038032Speterserver by simply specifying a return address of user@your.domain.com. 241138032SpeterIt should not be used unless absolutely necessary. 241264562SgshapiroA slightly better solution is 241338032Speter 241464562Sgshapiro FEATURE(`relay_mail_from') 241564562Sgshapiro 241664562Sgshapirowhich allows relaying if the mail sender is listed as RELAY in the 2417110560Sgshapiroaccess map. If an optional argument `domain' (this is the literal 2418110560Sgshapiroword `domain', not a placeholder) is given, the domain portion of 2419110560Sgshapirothe mail sender is also checked to allowing relaying. This option 2420110560Sgshapiroonly works together with the tag From: for the LHS of the access 2421132943Sgshapiromap entries. This feature allows spammers to abuse your mail server 2422132943Sgshapiroby specifying a return address that you enabled in your access file. 2423132943SgshapiroThis may be harder to figure out for spammers, but it should not 2424132943Sgshapirobe used unless necessary. Instead use SMTP AUTH or STARTTLS to 2425132943Sgshapiroallow relaying for roaming users. 242664562Sgshapiro 242764562Sgshapiro 242890792SgshapiroIf source routing is used in the recipient address (e.g., 2429157001SgshapiroRCPT TO:<user%site.com@othersite.com>), sendmail will check 243038032Speteruser@site.com for relaying if othersite.com is an allowed relay host 243164562Sgshapiroin either class {R}, class {m} if FEATURE(`relay_entire_domain') is used, 243243730Speteror the access database if FEATURE(`access_db') is used. To prevent 243338032Speterthe address from being stripped down, use: 243438032Speter 243543730Speter FEATURE(`loose_relay_check') 243638032Speter 243738032SpeterIf you think you need to use this feature, you probably do not. This 243838032Spetershould only be used for sites which have no control over the addresses 243938032Speterthat they provide a gateway for. Use this FEATURE with caution as it 244038032Spetercan allow spammers to relay through your server if not setup properly. 244138032Speter 244264562SgshapiroNOTICE: It is possible to relay mail through a system which the anti-relay 244364562Sgshapirorules do not prevent: the case of a system that does use FEATURE(`nouucp', 244464562Sgshapiro`nospecial') (system A) and relays local messages to a mail hub (e.g., via 244564562SgshapiroLOCAL_RELAY or LUSER_RELAY) (system B). If system B doesn't use 244664562SgshapiroFEATURE(`nouucp') at all, addresses of the form 244764562Sgshapiro<example.net!user@local.host> would be relayed to <user@example.net>. 244864562SgshapiroSystem A doesn't recognize `!' as an address separator and therefore 244964562Sgshapiroforwards it to the mail hub which in turns relays it because it came from 245064562Sgshapiroa trusted local host. So if a mailserver allows UUCP (bang-format) 245164562Sgshapiroaddresses, all systems from which it allows relaying should do the same 245264562Sgshapiroor reject those addresses. 245364562Sgshapiro 245438032SpeterAs of 8.9, sendmail will refuse mail if the MAIL FROM: parameter has 245538032Speteran unresolvable domain (i.e., one that DNS, your local name service, 245690792Sgshapiroor special case rules in ruleset 3 cannot locate). This also applies 245790792Sgshapiroto addresses that use domain literals, e.g., <user@[1.2.3.4]>, if the 245890792SgshapiroIP address can't be mapped to a host name. If you want to continue 245990792Sgshapiroto accept such domains, e.g., because you are inside a firewall that 246090792Sgshapirohas only a limited view of the Internet host name space (note that you 246190792Sgshapirowill not be able to return mail to them unless you have some "smart 246290792Sgshapirohost" forwarder), use 246338032Speter 246443730Speter FEATURE(`accept_unresolvable_domains') 246538032Speter 246690792SgshapiroAlternatively, you can allow specific addresses by adding them to 246790792Sgshapirothe access map, e.g., 246890792Sgshapiro 246990792Sgshapiro From:unresolvable.domain OK 247090792Sgshapiro From:[1.2.3.4] OK 247190792Sgshapiro From:[1.2.4] OK 247290792Sgshapiro 247390792SgshapiroNotice: domains which are temporarily unresolvable are (temporarily) 247490792Sgshapirorejected with a 451 reply code. If those domains should be accepted 247590792Sgshapiro(which is discouraged) then you can use 247690792Sgshapiro 247790792Sgshapiro LOCAL_CONFIG 247890792Sgshapiro C{ResOk}TEMP 247990792Sgshapiro 248038032Spetersendmail will also refuse mail if the MAIL FROM: parameter is not 248138032Speterfully qualified (i.e., contains a domain as well as a user). If you 248238032Speterwant to continue to accept such senders, use 248338032Speter 248443730Speter FEATURE(`accept_unqualified_senders') 248538032Speter 248664562SgshapiroSetting the DaemonPortOptions modifier 'u' overrides the default behavior, 248764562Sgshapiroi.e., unqualified addresses are accepted even without this FEATURE. If 248864562Sgshapirothis FEATURE is not used, the DaemonPortOptions modifier 'f' can be used 248990792Sgshapiroto enforce fully qualified domain names. 249064562Sgshapiro 249138032SpeterAn ``access'' database can be created to accept or reject mail from 249238032Speterselected domains. For example, you may choose to reject all mail 249338032Speteroriginating from known spammers. To enable such a database, use 249438032Speter 249543730Speter FEATURE(`access_db') 249638032Speter 249790792SgshapiroNotice: the access database is applied to the envelope addresses 249890792Sgshapiroand the connection information, not to the header. 249990792Sgshapiro 250090792SgshapiroThe FEATURE macro can accept as second parameter the key file 250138032Speterdefinition for the database; for example 250238032Speter 250390792Sgshapiro FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access_map') 250438032Speter 250590792SgshapiroNotice: If a second argument is specified it must contain the option 2506168515Sgshapiro`-T<TMPF>' as shown above. The optional parameters may be 250790792Sgshapiro 2508168515Sgshapiro `skip' enables SKIP as value part (see below). 2509168515Sgshapiro `lookupdotdomain' another way to enable the feature of the 2510168515Sgshapiro same name (see above). 2511168515Sgshapiro `relaytofulladdress' enable entries of the form 2512168515Sgshapiro To:user@example.com RELAY 2513168515Sgshapiro to allow relaying to just a specific 2514168515Sgshapiro e-mail address instead of an entire domain. 2515168515Sgshapiro 251642575SpeterRemember, since /etc/mail/access is a database, after creating the text 251742575Speterfile as described below, you must use makemap to create the database 251842575Spetermap. For example: 251942575Speter 252043730Speter makemap hash /etc/mail/access < /etc/mail/access 252142575Speter 252238032SpeterThe table itself uses e-mail addresses, domain names, and network 252390792Sgshapironumbers as keys. Note that IPv6 addresses must be prefaced with "IPv6:". 252490792SgshapiroFor example, 252538032Speter 2526132943Sgshapiro From:spammer@aol.com REJECT 2527132943Sgshapiro From:cyberspammer.com REJECT 2528132943Sgshapiro Connect:cyberspammer.com REJECT 2529132943Sgshapiro Connect:TLD REJECT 2530132943Sgshapiro Connect:192.168.212 REJECT 2531132943Sgshapiro Connect:IPv6:2002:c0a8:02c7 RELAY 2532132943Sgshapiro Connect:IPv6:2002:c0a8:51d2::23f4 REJECT 253338032Speter 253438032Speterwould refuse mail from spammer@aol.com, any user from cyberspammer.com 253594334Sgshapiro(or any host within the cyberspammer.com domain), any host in the entire 253694334Sgshapirotop level domain TLD, 192.168.212.* network, and the IPv6 address 253794334Sgshapiro2002:c0a8:51d2::23f4. It would allow relay for the IPv6 network 253894334Sgshapiro2002:c0a8:02c7::/48. 253938032Speter 2540132943SgshapiroEntries in the access map should be tagged according to their type. 2541132943SgshapiroThree tags are available: 2542132943Sgshapiro 2543132943Sgshapiro Connect: connection information (${client_addr}, ${client_name}) 2544132943Sgshapiro From: envelope sender 2545132943Sgshapiro To: envelope recipient 2546132943Sgshapiro 2547132943SgshapiroNotice: untagged entries are deprecated. 2548132943Sgshapiro 2549132943SgshapiroIf the required item is looked up in a map, it will be tried first 2550132943Sgshapirowith the corresponding tag in front, then (as fallback to enable 2551132943Sgshapirobackward compatibility) without any tag, unless the specific feature 2552132943Sgshapirorequires a tag. For example, 2553132943Sgshapiro 2554132943Sgshapiro From:spammer@some.dom REJECT 2555132943Sgshapiro To:friend.domain RELAY 2556132943Sgshapiro Connect:friend.domain OK 2557132943Sgshapiro Connect:from.domain RELAY 2558132943Sgshapiro From:good@another.dom OK 2559132943Sgshapiro From:another.dom REJECT 2560132943Sgshapiro 2561132943SgshapiroThis would deny mails from spammer@some.dom but you could still 2562132943Sgshapirosend mail to that address even if FEATURE(`blacklist_recipients') 2563132943Sgshapirois enabled. Your system will allow relaying to friend.domain, but 2564132943Sgshapironot from it (unless enabled by other means). Connections from that 2565132943Sgshapirodomain will be allowed even if it ends up in one of the DNS based 2566132943Sgshapirorejection lists. Relaying is enabled from from.domain but not to 2567132943Sgshapiroit (since relaying is based on the connection information for 2568132943Sgshapirooutgoing relaying, the tag Connect: must be used; for incoming 2569132943Sgshapirorelaying, which is based on the recipient address, To: must be 2570132943Sgshapiroused). The last two entries allow mails from good@another.dom but 2571132943Sgshapiroreject mail from all other addresses with another.dom as domain 2572132943Sgshapiropart. 2573132943Sgshapiro 2574132943Sgshapiro 257538032SpeterThe value part of the map can contain: 257638032Speter 257790792Sgshapiro OK Accept mail even if other rules in the running 257890792Sgshapiro ruleset would reject it, for example, if the domain 257990792Sgshapiro name is unresolvable. "Accept" does not mean 258090792Sgshapiro "relay", but at most acceptance for local 258190792Sgshapiro recipients. That is, OK allows less than RELAY. 2582168515Sgshapiro RELAY Accept mail addressed to the indicated domain 2583168515Sgshapiro (or address if `relaytofulladdress' is set) or 258442575Speter received from the indicated domain for relaying 258542575Speter through your SMTP server. RELAY also serves as 258642575Speter an implicit OK for the other checks. 258742575Speter REJECT Reject the sender or recipient with a general 258838032Speter purpose message. 258942575Speter DISCARD Discard the message completely using the 259071345Sgshapiro $#discard mailer. If it is used in check_compat, 259171345Sgshapiro it affects only the designated recipient, not 259271345Sgshapiro the whole message as it does in all other cases. 259371345Sgshapiro This should only be used if really necessary. 259490792Sgshapiro SKIP This can only be used for host/domain names 259590792Sgshapiro and IP addresses/nets. It will abort the current 259690792Sgshapiro search for this entry without accepting or rejecting 259790792Sgshapiro it but causing the default action. 259866494Sgshapiro ### any text where ### is an RFC 821 compliant error code and 259966494Sgshapiro "any text" is a message to return for the command. 2600157001Sgshapiro The entire string should be quoted to avoid 2601157001Sgshapiro surprises: 2602157001Sgshapiro 2603157001Sgshapiro "### any text" 2604157001Sgshapiro 2605157001Sgshapiro Otherwise sendmail formats the text as email 2606157001Sgshapiro addresses, e.g., it may remove spaces. 2607132943Sgshapiro This type is deprecated, use one of the two 260890792Sgshapiro ERROR: entries below instead. 260964562Sgshapiro ERROR:### any text 261064562Sgshapiro as above, but useful to mark error messages as such. 2611157001Sgshapiro If quotes need to be used to avoid modifications 2612157001Sgshapiro (see above), they should be placed like this: 2613157001Sgshapiro 2614157001Sgshapiro ERROR:"### any text" 2615157001Sgshapiro 261664562Sgshapiro ERROR:D.S.N:### any text 261764562Sgshapiro where D.S.N is an RFC 1893 compliant error code 2618157001Sgshapiro and the rest as above. If quotes need to be used 2619157001Sgshapiro to avoid modifications, they should be placed 2620157001Sgshapiro like this: 2621157001Sgshapiro 2622157001Sgshapiro ERROR:D.S.N:"### any text" 2623157001Sgshapiro 2624132943Sgshapiro QUARANTINE:any text 2625132943Sgshapiro Quarantine the message using the given text as the 2626132943Sgshapiro quarantining reason. 262738032Speter 262838032SpeterFor example: 262938032Speter 2630132943Sgshapiro From:cyberspammer.com ERROR:"550 We don't accept mail from spammers" 2631132943Sgshapiro From:okay.cyberspammer.com OK 2632132943Sgshapiro Connect:sendmail.org RELAY 2633132943Sgshapiro To:sendmail.org RELAY 2634132943Sgshapiro Connect:128.32 RELAY 2635132943Sgshapiro Connect:128.32.2 SKIP 2636132943Sgshapiro Connect:IPv6:1:2:3:4:5:6:7 RELAY 2637132943Sgshapiro Connect:suspicious.example.com QUARANTINE:Mail from suspicious host 2638132943Sgshapiro Connect:[127.0.0.3] OK 2639132943Sgshapiro Connect:[IPv6:1:2:3:4:5:6:7:8] OK 264038032Speter 2641132943Sgshapirowould accept mail from okay.cyberspammer.com, but would reject mail 2642132943Sgshapirofrom all other hosts at cyberspammer.com with the indicated message. 2643132943SgshapiroIt would allow relaying mail from and to any hosts in the sendmail.org 2644132943Sgshapirodomain, and allow relaying from the IPv6 1:2:3:4:5:6:7:* network 2645132943Sgshapiroand from the 128.32.*.* network except for the 128.32.2.* network, 2646132943Sgshapirowhich shows how SKIP is useful to exempt subnets/subdomains. The 2647132943Sgshapirolast two entries are for checks against ${client_name} if the IP 2648132943Sgshapiroaddress doesn't resolve to a hostname (or is considered as "may be 2649132943Sgshapiroforged"). That is, using square brackets means these are host 2650132943Sgshapironames, not network numbers. 265138032Speter 265264562SgshapiroWarning: if you change the RFC 821 compliant error code from the default 265364562Sgshapirovalue of 550, then you should probably also change the RFC 1893 compliant 265464562Sgshapiroerror code to match it. For example, if you use 265564562Sgshapiro 2656132943Sgshapiro To:user@example.com ERROR:450 mailbox full 265764562Sgshapiro 265890792Sgshapirothe error returned would be "450 5.0.0 mailbox full" which is wrong. 265990792SgshapiroUse "ERROR:4.2.2:450 mailbox full" instead. 266064562Sgshapiro 266164562SgshapiroNote, UUCP users may need to add hostname.UUCP to the access database 266290792Sgshapiroor class {R}. 266364562Sgshapiro 266490792SgshapiroIf you also use: 266590792Sgshapiro 266643730Speter FEATURE(`relay_hosts_only') 266738032Speter 266838032Speterthen the above example will allow relaying for sendmail.org, but not 266938032Speterhosts within the sendmail.org domain. Note that this will also require 267064562Sgshapirohosts listed in class {R} to be fully qualified host names. 267138032Speter 267238032SpeterYou can also use the access database to block sender addresses based on 267338032Speterthe username portion of the address. For example: 267438032Speter 2675132943Sgshapiro From:FREE.STEALTH.MAILER@ ERROR:550 Spam not accepted 267638032Speter 267738032SpeterNote that you must include the @ after the username to signify that 267838032Speterthis database entry is for checking only the username portion of the 267938032Spetersender address. 268038032Speter 268138032SpeterIf you use: 268238032Speter 268343730Speter FEATURE(`blacklist_recipients') 268438032Speter 268538032Speterthen you can add entries to the map for local users, hosts in your 268638032Speterdomains, or addresses in your domain which should not receive mail: 268738032Speter 2688132943Sgshapiro To:badlocaluser@ ERROR:550 Mailbox disabled for badlocaluser 2689132943Sgshapiro To:host.my.TLD ERROR:550 That host does not accept mail 2690132943Sgshapiro To:user@other.my.TLD ERROR:550 Mailbox disabled for this recipient 269138032Speter 2692132943SgshapiroThis would prevent a recipient of badlocaluser in any of the local 2693132943Sgshapirodomains (class {w}), any user at host.my.TLD, and the single address 2694132943Sgshapirouser@other.my.TLD from receiving mail. Please note: a local username 2695132943Sgshapiromust be now tagged with an @ (this is consistent with the check of 2696132943Sgshapirothe sender address, and hence it is possible to distinguish between 2697132943Sgshapirohostnames and usernames). Enabling this feature will keep you from 2698132943Sgshapirosending mails to all addresses that have an error message or REJECT 2699132943Sgshapiroas value part in the access map. Taking the example from above: 270038032Speter 270142575Speter spammer@aol.com REJECT 270242575Speter cyberspammer.com REJECT 270342575Speter 270442575SpeterMail can't be sent to spammer@aol.com or anyone at cyberspammer.com. 2705132943SgshapiroThat's why tagged entries should be used. 270642575Speter 2707159609SgshapiroThere are several DNS based blacklists which can be found by 2708159609Sgshapiroquerying a search engine. These are databases of spammers 270990792Sgshapiromaintained in DNS. To use such a database, specify 271038032Speter 2711159609Sgshapiro FEATURE(`dnsbl', `dnsbl.example.com') 271238032Speter 2713159609SgshapiroThis will cause sendmail to reject mail from any site listed in the 2714168515SgshapiroDNS based blacklist. You must select a DNS based blacklist domain 2715159609Sgshapiroto check by specifying an argument to the FEATURE. The default 2716159609Sgshapiroerror message is 271738032Speter 271898841Sgshapiro Rejected: IP-ADDRESS listed at SERVER 271980785Sgshapiro 272090792Sgshapirowhere IP-ADDRESS and SERVER are replaced by the appropriate 272190792Sgshapiroinformation. A second argument can be used to specify a different 2722168515Sgshapirotext or action. For example, 272371345Sgshapiro 2724168515Sgshapiro FEATURE(`dnsbl', `dnsbl.example.com', `quarantine') 2725168515Sgshapiro 2726168515Sgshapirowould quarantine the message if the client IP address is listed 2727168515Sgshapiroat `dnsbl.example.com'. 2728168515Sgshapiro 2729168515SgshapiroBy default, temporary lookup failures are ignored 2730168515Sgshapiroand hence cause the connection not to be rejected by the DNS based 2731168515Sgshapirorejection list. This behavior can be changed by specifying a third 2732168515Sgshapiroargument, which must be either `t' or a full error message. For 2733168515Sgshapiroexample: 2734168515Sgshapiro 273590792Sgshapiro FEATURE(`dnsbl', `dnsbl.example.com', `', 273690792Sgshapiro `"451 Temporary lookup failure for " $&{client_addr} " in dnsbl.example.com"') 273771345Sgshapiro 273890792SgshapiroIf `t' is used, the error message is: 273990792Sgshapiro 274090792Sgshapiro 451 Temporary lookup failure of IP-ADDRESS at SERVER 274190792Sgshapiro 274290792Sgshapirowhere IP-ADDRESS and SERVER are replaced by the appropriate 274390792Sgshapiroinformation. 274490792Sgshapiro 274590792SgshapiroThis FEATURE can be included several times to query different 2746159609SgshapiroDNS based rejection lists. 274790792Sgshapiro 274890792SgshapiroNotice: to avoid checking your own local domains against those 274990792Sgshapiroblacklists, use the access_db feature and add: 275090792Sgshapiro 275190792Sgshapiro Connect:10.1 OK 275290792Sgshapiro Connect:127.0.0.1 RELAY 275390792Sgshapiro 275490792Sgshapiroto the access map, where 10.1 is your local network. You may 275590792Sgshapirowant to use "RELAY" instead of "OK" to allow also relaying 2756147078Sgshapiroinstead of just disabling the DNS lookups in the blacklists. 275790792Sgshapiro 275890792Sgshapiro 275938032SpeterThe features described above make use of the check_relay, check_mail, 2760110560Sgshapiroand check_rcpt rulesets. Note that check_relay checks the SMTP 2761110560Sgshapiroclient hostname and IP address when the connection is made to your 2762110560Sgshapiroserver. It does not check if a mail message is being relayed to 2763110560Sgshapiroanother server. That check is done in check_rcpt. If you wish to 2764110560Sgshapiroinclude your own checks, you can put your checks in the rulesets 2765110560SgshapiroLocal_check_relay, Local_check_mail, and Local_check_rcpt. For 2766110560Sgshapiroexample if you wanted to block senders with all numeric usernames 2767110560Sgshapiro(i.e. 2312343@bigisp.com), you would use Local_check_mail and the 2768110560Sgshapiroregex map: 276938032Speter 277064562Sgshapiro LOCAL_CONFIG 277164562Sgshapiro Kallnumbers regex -a@MATCH ^[0-9]+$ 277264562Sgshapiro 277364562Sgshapiro LOCAL_RULESETS 277464562Sgshapiro SLocal_check_mail 277564562Sgshapiro # check address against various regex checks 277638032Speter R$* $: $>Parse0 $>3 $1 277764562Sgshapiro R$+ < @ bigisp.com. > $* $: $(allnumbers $1 $) 277864562Sgshapiro R@MATCH $#error $: 553 Header Error 277938032Speter 278038032SpeterThese rules are called with the original arguments of the corresponding 278138032Spetercheck_* ruleset. If the local ruleset returns $#OK, no further checking 2782132943Sgshapirois done by the features described above and the mail is accepted. If 2783132943Sgshapirothe local ruleset resolves to a mailer (such as $#error or $#discard), 2784132943Sgshapirothe appropriate action is taken. Other results starting with $# are 2785132943Sgshapirointerpreted by sendmail and may lead to unspecified behavior. Note: do 2786132943SgshapiroNOT create a mailer with the name OK. Return values that do not start 2787132943Sgshapirowith $# are ignored, i.e., normal processing continues. 278838032Speter 278964562SgshapiroDelay all checks 279090792Sgshapiro---------------- 279164562Sgshapiro 279264562SgshapiroBy using FEATURE(`delay_checks') the rulesets check_mail and check_relay 279364562Sgshapirowill not be called when a client connects or issues a MAIL command, 279464562Sgshapirorespectively. Instead, those rulesets will be called by the check_rcpt 279564562Sgshapiroruleset; they will be skipped if a sender has been authenticated using 279664562Sgshapiroa "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH(). 279764562SgshapiroIf check_mail returns an error then the RCPT TO command will be rejected 279864562Sgshapirowith that error. If it returns some other result starting with $# then 279964562Sgshapirocheck_relay will be skipped. If the sender address (or a part of it) is 280064562Sgshapirolisted in the access map and it has a RHS of OK or RELAY, then check_relay 280164562Sgshapirowill be skipped. This has an interesting side effect: if your domain is 280264562Sgshapiromy.domain and you have 280364562Sgshapiro 280464562Sgshapiro my.domain RELAY 280564562Sgshapiro 2806125820Sgshapiroin the access map, then any e-mail with a sender address of 2807125820Sgshapiro<user@my.domain> will not be rejected by check_relay even though 2808125820Sgshapiroit would match the hostname or IP address. This allows spammers 280964562Sgshapiroto get around DNS based blacklist by faking the sender address. To 281064562Sgshapiroavoid this problem you have to use tagged entries: 281164562Sgshapiro 281264562Sgshapiro To:my.domain RELAY 281364562Sgshapiro Connect:my.domain RELAY 281464562Sgshapiro 281564562Sgshapiroif you need those entries at all (class {R} may take care of them). 281673188Sgshapiro 281764562SgshapiroFEATURE(`delay_checks') can take an optional argument: 281864562Sgshapiro 281964562Sgshapiro FEATURE(`delay_checks', `friend') 282064562Sgshapiro enables spamfriend test 282164562Sgshapiro FEATURE(`delay_checks', `hater') 282264562Sgshapiro enables spamhater test 282364562Sgshapiro 282494334SgshapiroIf such an argument is given, the recipient will be looked up in the 282594334Sgshapiroaccess map (using the tag Spam:). If the argument is `friend', then 282694334Sgshapirothe default behavior is to apply the other rulesets and make a SPAM 282794334Sgshapirofriend the exception. The rulesets check_mail and check_relay will be 282894334Sgshapiroskipped only if the recipient address is found and has RHS FRIEND. If 282994334Sgshapirothe argument is `hater', then the default behavior is to skip the rulesets 283094334Sgshapirocheck_mail and check_relay and make a SPAM hater the exception. The 283194334Sgshapiroother two rulesets will be applied only if the recipient address is 283294334Sgshapirofound and has RHS HATER. 283364562Sgshapiro 283464562SgshapiroThis allows for simple exceptions from the tests, e.g., by activating 283590792Sgshapirothe friend option and having 283664562Sgshapiro 283790792Sgshapiro Spam:abuse@ FRIEND 283864562Sgshapiro 2839110560Sgshapiroin the access map, mail to abuse@localdomain will get through (where 2840110560Sgshapiro"localdomain" is any domain in class {w}). It is also possible to 2841110560Sgshapirospecify a full address or an address with +detail: 284264562Sgshapiro 284390792Sgshapiro Spam:abuse@my.domain FRIEND 284490792Sgshapiro Spam:me+abuse@ FRIEND 284590792Sgshapiro Spam:spam.domain FRIEND 284664562Sgshapiro 284790792SgshapiroNote: The required tag has been changed in 8.12 from To: to Spam:. 284890792SgshapiroThis change is incompatible to previous versions. However, you can 284990792Sgshapiro(for now) simply add the new entries to the access map, the old 285090792Sgshapiroones will be ignored. As soon as you removed the old entries from 285190792Sgshapirothe access map, specify a third parameter (`n') to this feature and 285290792Sgshapirothe backward compatibility rules will not be in the generated .cf 285390792Sgshapirofile. 285464562Sgshapiro 285564562SgshapiroHeader Checks 285690792Sgshapiro------------- 285764562Sgshapiro 285838032SpeterYou can also reject mail on the basis of the contents of headers. 285938032SpeterThis is done by adding a ruleset call to the 'H' header definition command 286038032Speterin sendmail.cf. For example, this can be used to check the validity of 286138032Spetera Message-ID: header: 286238032Speter 2863110560Sgshapiro LOCAL_CONFIG 286438032Speter HMessage-Id: $>CheckMessageId 286538032Speter 2866110560Sgshapiro LOCAL_RULESETS 286738032Speter SCheckMessageId 286838032Speter R< $+ @ $+ > $@ OK 286938032Speter R$* $#error $: 553 Header Error 287038032Speter 287164562SgshapiroThe alternative format: 287238032Speter 287364562Sgshapiro HSubject: $>+CheckSubject 287442575Speter 287564562Sgshapirothat is, $>+ instead of $>, gives the full Subject: header including 287664562Sgshapirocomments to the ruleset (comments in parentheses () are stripped 287764562Sgshapiroby default). 287842575Speter 287964562SgshapiroA default ruleset for headers which don't have a specific ruleset 288064562Sgshapirodefined for them can be given by: 288142575Speter 288264562Sgshapiro H*: $>CheckHdr 288343730Speter 288490792SgshapiroNotice: 288590792Sgshapiro1. All rules act on tokens as explained in doc/op/op.{me,ps,txt}. 288673188SgshapiroThat may cause problems with simple header checks due to the 288790792Sgshapirotokenization. It might be simpler to use a regex map and apply it 288873188Sgshapiroto $&{currHeader}. 288990792Sgshapiro2. There are no default rulesets coming with this distribution of 2890157001Sgshapirosendmail. You can write your own, can search the WWW for examples, 2891157001Sgshapiroor take a look at cf/cf/knecht.mc. 2892157001Sgshapiro3. When using a default ruleset for headers, the name of the header 2893132943Sgshapirocurrently being checked can be found in the $&{hdr_name} macro. 289473188Sgshapiro 289564562SgshapiroAfter all of the headers are read, the check_eoh ruleset will be called for 289664562Sgshapiroany final header-related checks. The ruleset is called with the number of 289764562Sgshapiroheaders and the size of all of the headers in bytes separated by $|. One 289864562Sgshapiroexample usage is to reject messages which do not have a Message-Id: 289964562Sgshapiroheader. However, the Message-Id: header is *NOT* a required header and is 290064562Sgshapironot a guaranteed spam indicator. This ruleset is an example and should 290164562Sgshapiroprobably not be used in production. 290264562Sgshapiro 290364562Sgshapiro LOCAL_CONFIG 290464562Sgshapiro Kstorage macro 2905110560Sgshapiro HMessage-Id: $>CheckMessageId 290664562Sgshapiro 290764562Sgshapiro LOCAL_RULESETS 290864562Sgshapiro SCheckMessageId 290964562Sgshapiro # Record the presence of the header 291064562Sgshapiro R$* $: $(storage {MessageIdCheck} $@ OK $) $1 291164562Sgshapiro R< $+ @ $+ > $@ OK 291264562Sgshapiro R$* $#error $: 553 Header Error 291364562Sgshapiro 291464562Sgshapiro Scheck_eoh 291564562Sgshapiro # Check the macro 291664562Sgshapiro R$* $: < $&{MessageIdCheck} > 291764562Sgshapiro # Clear the macro for the next message 291864562Sgshapiro R$* $: $(storage {MessageIdCheck} $) $1 291964562Sgshapiro # Has a Message-Id: header 292064562Sgshapiro R< $+ > $@ OK 292164562Sgshapiro # Allow missing Message-Id: from local mail 292264562Sgshapiro R$* $: < $&{client_name} > 292364562Sgshapiro R< > $@ OK 292464562Sgshapiro R< $=w > $@ OK 292564562Sgshapiro # Otherwise, reject the mail 292664562Sgshapiro R$* $#error $: 553 Header Error 292764562Sgshapiro 2928132943Sgshapiro 2929132943Sgshapiro+--------------------+ 2930132943Sgshapiro| CONNECTION CONTROL | 2931132943Sgshapiro+--------------------+ 2932132943Sgshapiro 2933132943SgshapiroThe features ratecontrol and conncontrol allow to establish connection 2934132943Sgshapirolimits per client IP address or net. These features can limit the 2935132943Sgshapirorate of connections (connections per time unit) or the number of 2936132943Sgshapiroincoming SMTP connections, respectively. If enabled, appropriate 2937132943Sgshapirorulesets are called at the end of check_relay, i.e., after DNS 2938132943Sgshapiroblacklists and generic access_db operations. The features require 2939132943SgshapiroFEATURE(`access_db') to be listed earlier in the mc file. 2940132943Sgshapiro 2941132943SgshapiroNote: FEATURE(`delay_checks') delays those connection control checks 2942132943Sgshapiroafter a recipient address has been received, hence making these 2943132943Sgshapiroconnection control features less useful. To run the checks as early 2944132943Sgshapiroas possible, specify the parameter `nodelay', e.g., 2945132943Sgshapiro 2946132943Sgshapiro FEATURE(`ratecontrol', `nodelay') 2947132943Sgshapiro 2948132943SgshapiroIn that case, FEATURE(`delay_checks') has no effect on connection 2949132943Sgshapirocontrol (and it must be specified earlier in the mc file). 2950132943Sgshapiro 2951132943SgshapiroAn optional second argument `terminate' specifies whether the 2952132943Sgshapirorulesets should return the error code 421 which will cause 2953132943Sgshapirosendmail to terminate the session with that error if it is 2954132943Sgshapiroreturned from check_relay, i.e., not delayed as explained in 2955132943Sgshapirothe previous paragraph. Example: 2956132943Sgshapiro 2957132943Sgshapiro FEATURE(`ratecontrol', `nodelay', `terminate') 2958132943Sgshapiro 2959132943Sgshapiro 296066494Sgshapiro+----------+ 296166494Sgshapiro| STARTTLS | 296266494Sgshapiro+----------+ 296364562Sgshapiro 2964147078SgshapiroIn this text, cert will be used as an abbreviation for X.509 certificate, 296590792SgshapiroDN (CN) is the distinguished (common) name of a cert, and CA is a 296690792Sgshapirocertification authority, which signs (issues) certs. 296764562Sgshapiro 296880785SgshapiroFor STARTTLS to be offered by sendmail you need to set at least 2969147078Sgshapirothese variables (the file names and paths are just examples): 297080785Sgshapiro 297180785Sgshapiro define(`confCACERT_PATH', `/etc/mail/certs/') 297280785Sgshapiro define(`confCACERT', `/etc/mail/certs/CA.cert.pem') 297380785Sgshapiro define(`confSERVER_CERT', `/etc/mail/certs/my.cert.pem') 297480785Sgshapiro define(`confSERVER_KEY', `/etc/mail/certs/my.key.pem') 297580785Sgshapiro 297680785SgshapiroOn systems which do not have the compile flag HASURANDOM set (see 297780785Sgshapirosendmail/README) you also must set confRAND_FILE. 297880785Sgshapiro 297990792SgshapiroSee doc/op/op.{me,ps,txt} for more information about these options, 298090792Sgshapiroespecially the sections ``Certificates for STARTTLS'' and ``PRNG for 298180785SgshapiroSTARTTLS''. 298280785Sgshapiro 298364562SgshapiroMacros related to STARTTLS are: 298464562Sgshapiro 298564562Sgshapiro${cert_issuer} holds the DN of the CA (the cert issuer). 298664562Sgshapiro${cert_subject} holds the DN of the cert (called the cert subject). 298790792Sgshapiro${cn_issuer} holds the CN of the CA (the cert issuer). 298890792Sgshapiro${cn_subject} holds the CN of the cert (called the cert subject). 298964562Sgshapiro${tls_version} the TLS/SSL version used for the connection, e.g., TLSv1, 299090792Sgshapiro TLSv1/SSLv3, SSLv3, SSLv2. 299164562Sgshapiro${cipher} the cipher used for the connection, e.g., EDH-DSS-DES-CBC3-SHA, 299264562Sgshapiro EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA. 299364562Sgshapiro${cipher_bits} the keylength (in bits) of the symmetric encryption algorithm 299464562Sgshapiro used for the connection. 299590792Sgshapiro${verify} holds the result of the verification of the presented cert. 299690792Sgshapiro Possible values are: 299790792Sgshapiro OK verification succeeded. 299890792Sgshapiro NO no cert presented. 299990792Sgshapiro NOT no cert requested. 300090792Sgshapiro FAIL cert presented but could not be verified, 300190792Sgshapiro e.g., the cert of the signing CA is missing. 300290792Sgshapiro NONE STARTTLS has not been performed. 300390792Sgshapiro TEMP temporary error occurred. 300490792Sgshapiro PROTOCOL protocol error occurred (SMTP level). 300564562Sgshapiro SOFTWARE STARTTLS handshake failed. 300690792Sgshapiro${server_name} the name of the server of the current outgoing SMTP 300764562Sgshapiro connection. 300890792Sgshapiro${server_addr} the address of the server of the current outgoing SMTP 300964562Sgshapiro connection. 301064562Sgshapiro 301164562SgshapiroRelaying 301290792Sgshapiro-------- 301364562Sgshapiro 3014110560SgshapiroSMTP STARTTLS can allow relaying for remote SMTP clients which have 3015120256Sgshapirosuccessfully authenticated themselves. If the verification of the cert 3016120256Sgshapirofailed (${verify} != OK), relaying is subject to the usual rules. 3017120256SgshapiroOtherwise the DN of the issuer is looked up in the access map using the 3018120256Sgshapirotag CERTISSUER. If the resulting value is RELAY, relaying is allowed. 3019120256SgshapiroIf it is SUBJECT, the DN of the cert subject is looked up next in the 3020120256Sgshapiroaccess map using the tag CERTSUBJECT. If the value is RELAY, relaying 3021120256Sgshapirois allowed. 3022110560Sgshapiro 3023132943SgshapiroTo make things a bit more flexible (or complicated), the values for 302464562Sgshapiro${cert_issuer} and ${cert_subject} can be optionally modified by regular 302564562Sgshapiroexpressions defined in the m4 variables _CERT_REGEX_ISSUER_ and 302690792Sgshapiro_CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in 302764562Sgshapirorulesets and map lookups, they are modified as follows: each non-printable 3028110560Sgshapirocharacter and the characters '<', '>', '(', ')', '"', '+', ' ' are replaced 3029110560Sgshapiroby their HEX value with a leading '+'. For example: 303064562Sgshapiro 303164562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email= 303264562Sgshapirodarth+cert@endmail.org 303364562Sgshapiro 303464562Sgshapirois encoded as: 303564562Sgshapiro 303664562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 303764562SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 303864562Sgshapiro 303964562Sgshapiro(line breaks have been inserted for readability). 304064562Sgshapiro 3041110560SgshapiroThe macros which are subject to this encoding are ${cert_subject}, 3042110560Sgshapiro${cert_issuer}, ${cn_subject}, and ${cn_issuer}. 3043110560Sgshapiro 304490792SgshapiroExamples: 304590792Sgshapiro 304690792SgshapiroTo allow relaying for everyone who can present a cert signed by 304790792Sgshapiro 304890792Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 304990792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 305090792Sgshapiro 305190792Sgshapirosimply use: 305290792Sgshapiro 3053110560SgshapiroCertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= 305490792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org RELAY 305590792Sgshapiro 305690792SgshapiroTo allow relaying only for a subset of machines that have a cert signed by 305790792Sgshapiro 305890792Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 305990792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 306090792Sgshapiro 306190792Sgshapirouse: 306290792Sgshapiro 3063110560SgshapiroCertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= 306490792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org SUBJECT 3065110560SgshapiroCertSubject:/C=US/ST=California/O=endmail.org/OU=private/CN= 306690792SgshapiroDeathStar/Email=deathstar@endmail.org RELAY 306790792Sgshapiro 3068132943SgshapiroNotes: 3069132943Sgshapiro- line breaks have been inserted after "CN=" for readability, 3070132943Sgshapiro each tagged entry must be one (long) line in the access map. 3071132943Sgshapiro- if OpenSSL 0.9.7 or newer is used then the "Email=" part of a DN 3072132943Sgshapiro is replaced by "emailAddress=". 307390792Sgshapiro 307490792SgshapiroOf course it is also possible to write a simple ruleset that allows 307564562Sgshapirorelaying for everyone who can present a cert that can be verified, e.g., 307664562Sgshapiro 307764562SgshapiroLOCAL_RULESETS 307864562SgshapiroSLocal_check_rcpt 307964562SgshapiroR$* $: $&{verify} 308064562SgshapiroROK $# OK 308164562Sgshapiro 308264562SgshapiroAllowing Connections 308390792Sgshapiro-------------------- 308464562Sgshapiro 308590792SgshapiroThe rulesets tls_server, tls_client, and tls_rcpt are used to decide whether 308690792Sgshapiroan SMTP connection is accepted (or should continue). 308764562Sgshapiro 308864562Sgshapirotls_server is called when sendmail acts as client after a STARTTLS command 308990792Sgshapiro(should) have been issued. The parameter is the value of ${verify}. 309064562Sgshapiro 309164562Sgshapirotls_client is called when sendmail acts as server, after a STARTTLS command 309290792Sgshapirohas been issued, and from check_mail. The parameter is the value of 309364562Sgshapiro${verify} and STARTTLS or MAIL, respectively. 309464562Sgshapiro 309590792SgshapiroBoth rulesets behave the same. If no access map is in use, the connection 309664562Sgshapirowill be accepted unless ${verify} is SOFTWARE, in which case the connection 309790792Sgshapirois always aborted. For tls_server/tls_client, ${client_name}/${server_name} 309890792Sgshapirois looked up in the access map using the tag TLS_Srv/TLS_Clt, which is done 309990792Sgshapirowith the ruleset LookUpDomain. If no entry is found, ${client_addr} 310064562Sgshapiro(${server_addr}) is looked up in the access map (same tag, ruleset 310190792SgshapiroLookUpAddr). If this doesn't result in an entry either, just the tag is 310290792Sgshapirolooked up in the access map (included the trailing colon). Notice: 310390792Sgshapirorequiring that e-mail is sent to a server only encrypted, e.g., via 310464562Sgshapiro 310590792SgshapiroTLS_Srv:secure.domain ENCR:112 310690792Sgshapiro 310790792Sgshapirodoesn't necessarily mean that e-mail sent to that domain is encrypted. 310890792SgshapiroIf the domain has multiple MX servers, e.g., 310990792Sgshapiro 311090792Sgshapirosecure.domain. IN MX 10 mail.secure.domain. 311190792Sgshapirosecure.domain. IN MX 50 mail.other.domain. 311290792Sgshapiro 311390792Sgshapirothen mail to user@secure.domain may go unencrypted to mail.other.domain. 311490792Sgshapirotls_rcpt can be used to address this problem. 311590792Sgshapiro 311690792Sgshapirotls_rcpt is called before a RCPT TO: command is sent. The parameter is the 311790792Sgshapirocurrent recipient. This ruleset is only defined if FEATURE(`access_db') 311890792Sgshapirois selected. A recipient address user@domain is looked up in the access 311990792Sgshapiromap in four formats: TLS_Rcpt:user@domain, TLS_Rcpt:user@, TLS_Rcpt:domain, 312090792Sgshapiroand TLS_Rcpt:; the first match is taken. 312190792Sgshapiro 312290792SgshapiroThe result of the lookups is then used to call the ruleset TLS_connection, 312390792Sgshapirowhich checks the requirement specified by the RHS in the access map against 312490792Sgshapirothe actual parameters of the current TLS connection, esp. ${verify} and 312590792Sgshapiro${cipher_bits}. Legal RHSs in the access map are: 312690792Sgshapiro 312764562SgshapiroVERIFY verification must have succeeded 312864562SgshapiroVERIFY:bits verification must have succeeded and ${cipher_bits} must 312964562Sgshapiro be greater than or equal bits. 313064562SgshapiroENCR:bits ${cipher_bits} must be greater than or equal bits. 313164562Sgshapiro 313264562SgshapiroThe RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary 313390792Sgshapiroor permanent error. The default is a temporary error code (403 4.7.0) 313464562Sgshapirounless the macro TLS_PERM_ERR is set during generation of the .cf file. 313564562Sgshapiro 313664562SgshapiroIf a certain level of encryption is required, then it might also be 313764562Sgshapiropossible that this level is provided by the security layer from a SASL 313864562Sgshapiroalgorithm, e.g., DIGEST-MD5. 313964562Sgshapiro 314090792SgshapiroFurthermore, there can be a list of extensions added. Such a list 314190792Sgshapirostarts with '+' and the items are separated by '++'. Allowed 314290792Sgshapiroextensions are: 314390792Sgshapiro 314490792SgshapiroCN:name name must match ${cn_subject} 314590792SgshapiroCN ${server_name} must match ${cn_subject} 314690792SgshapiroCS:name name must match ${cert_subject} 314790792SgshapiroCI:name name must match ${cert_issuer} 314890792Sgshapiro 314982017SgshapiroExample: e-mail sent to secure.example.com should only use an encrypted 315090792Sgshapiroconnection. E-mail received from hosts within the laptop.example.com domain 315190792Sgshapiroshould only be accepted if they have been authenticated. The host which 315290792Sgshapiroreceives e-mail for darth@endmail.org must present a cert that uses the 315390792SgshapiroCN smtp.endmail.org. 315490792Sgshapiro 315564562SgshapiroTLS_Srv:secure.example.com ENCR:112 315664562SgshapiroTLS_Clt:laptop.example.com PERM+VERIFY:112 315790792SgshapiroTLS_Rcpt:darth@endmail.org ENCR:112+CN:smtp.endmail.org 315864562Sgshapiro 315973188Sgshapiro 316090792SgshapiroDisabling STARTTLS And Setting SMTP Server Features 316190792Sgshapiro--------------------------------------------------- 316273188Sgshapiro 316390792SgshapiroBy default STARTTLS is used whenever possible. However, there are 316490792Sgshapirosome broken MTAs that don't properly implement STARTTLS. To be able 316590792Sgshapiroto send to (or receive from) those MTAs, the ruleset try_tls 316690792Sgshapiro(srv_features) can be used that work together with the access map. 316790792SgshapiroEntries for the access map must be tagged with Try_TLS (Srv_Features) 316890792Sgshapiroand refer to the hostname or IP address of the connecting system. 316990792SgshapiroA default case can be specified by using just the tag. For example, 317090792Sgshapirothe following entries in the access map: 317173188Sgshapiro 317290792Sgshapiro Try_TLS:broken.server NO 317390792Sgshapiro Srv_Features:my.domain v 317490792Sgshapiro Srv_Features: V 317573188Sgshapiro 317690792Sgshapirowill turn off STARTTLS when sending to broken.server (or any host 317790792Sgshapiroin that domain), and request a client certificate during the TLS 317890792Sgshapirohandshake only for hosts in my.domain. The valid entries on the RHS 317990792Sgshapirofor Srv_Features are listed in the Sendmail Installation and 318090792SgshapiroOperations Guide. 318173188Sgshapiro 318273188Sgshapiro 318364562SgshapiroReceived: Header 318490792Sgshapiro---------------- 318564562Sgshapiro 318690792SgshapiroThe Received: header reveals whether STARTTLS has been used. It contains an 318764562Sgshapiroextra line: 318864562Sgshapiro 318990792Sgshapiro(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify}) 319064562Sgshapiro 319190792Sgshapiro 319266494Sgshapiro+---------------------+ 319366494Sgshapiro| SMTP AUTHENTICATION | 319466494Sgshapiro+---------------------+ 319564562Sgshapiro 319664562SgshapiroThe macros ${auth_authen}, ${auth_author}, and ${auth_type} can be 319764562Sgshapiroused in anti-relay rulesets to allow relaying for those users that 319864562Sgshapiroauthenticated themselves. A very simple example is: 319964562Sgshapiro 320064562SgshapiroSLocal_check_rcpt 320164562SgshapiroR$* $: $&{auth_type} 320264562SgshapiroR$+ $# OK 320364562Sgshapiro 320464562Sgshapirowhich checks whether a user has successfully authenticated using 3205132943Sgshapiroany available mechanism. Depending on the setup of the Cyrus SASL 320664562Sgshapirolibrary, more sophisticated rulesets might be required, e.g., 320764562Sgshapiro 320864562SgshapiroSLocal_check_rcpt 320964562SgshapiroR$* $: $&{auth_type} $| $&{auth_authen} 321064562SgshapiroRDIGEST-MD5 $| $+@$=w $# OK 321164562Sgshapiro 321264562Sgshapiroto allow relaying for users that authenticated using DIGEST-MD5 321364562Sgshapiroand have an identity in the local domains. 321464562Sgshapiro 321590792SgshapiroThe ruleset trust_auth is used to determine whether a given AUTH= 321664562Sgshapiroparameter (that is passed to this ruleset) should be trusted. This 321764562Sgshapiroruleset may make use of the other ${auth_*} macros. Only if the 321864562Sgshapiroruleset resolves to the error mailer, the AUTH= parameter is not 321964562Sgshapirotrusted. A user supplied ruleset Local_trust_auth can be written 322064562Sgshapiroto modify the default behavior, which only trust the AUTH= 322164562Sgshapiroparameter if it is identical to the authenticated user. 322264562Sgshapiro 322364562SgshapiroPer default, relaying is allowed for any user who authenticated 322464562Sgshapirovia a "trusted" mechanism, i.e., one that is defined via 322564562SgshapiroTRUST_AUTH_MECH(`list of mechanisms') 322671345SgshapiroFor example: 322771345SgshapiroTRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5') 322864562Sgshapiro 322964562SgshapiroIf the selected mechanism provides a security layer the number of 323064562Sgshapirobits used for the key of the symmetric cipher is stored in the 323164562Sgshapiromacro ${auth_ssf}. 323264562Sgshapiro 3233132943SgshapiroProviding SMTP AUTH Data when sendmail acts as Client 3234132943Sgshapiro----------------------------------------------------- 3235132943Sgshapiro 323690792SgshapiroIf sendmail acts as client, it needs some information how to 323790792Sgshapiroauthenticate against another MTA. This information can be provided 323890792Sgshapiroby the ruleset authinfo or by the option DefaultAuthInfo. The 323990792Sgshapiroauthinfo ruleset looks up {server_name} using the tag AuthInfo: in 324090792Sgshapirothe access map. If no entry is found, {server_addr} is looked up 324190792Sgshapiroin the same way and finally just the tag AuthInfo: to provide 3242111823Sgshapirodefault values. Note: searches for domain parts or IP nets are 3243111823Sgshapiroonly performed if the access map is used; if the authinfo feature 3244111823Sgshapirois used then only up to three lookups are performed (two exact 3245111823Sgshapiromatches, one default). 324690792Sgshapiro 3247132943SgshapiroNote: If your daemon does client authentication when sending, and 3248132943Sgshapiroif it uses either PLAIN or LOGIN authentication, then you *must* 3249132943Sgshapiroprevent ordinary users from seeing verbose output. Do NOT install 3250132943Sgshapirosendmail set-user-ID. Use PrivacyOptions to turn off verbose output 3251132943Sgshapiro("goaway" works for this). 3252132943Sgshapiro 325390792SgshapiroNotice: the default configuration file causes the option DefaultAuthInfo 325490792Sgshapiroto fail since the ruleset authinfo is in the .cf file. If you really 325590792Sgshapirowant to use DefaultAuthInfo (it is deprecated) then you have to 325690792Sgshapiroremove the ruleset. 325790792Sgshapiro 325890792SgshapiroThe RHS for an AuthInfo: entry in the access map should consists of a 325990792Sgshapirolist of tokens, each of which has the form: "TDstring" (including 326090792Sgshapirothe quotes). T is a tag which describes the item, D is a delimiter, 326190792Sgshapiroeither ':' for simple text or '=' for a base64 encoded string. 326290792SgshapiroValid values for the tag are: 326390792Sgshapiro 326490792Sgshapiro U user (authorization) id 326590792Sgshapiro I authentication id 326690792Sgshapiro P password 326790792Sgshapiro R realm 326890792Sgshapiro M list of mechanisms delimited by spaces 326990792Sgshapiro 327090792SgshapiroExample entries are: 327190792Sgshapiro 327290792SgshapiroAuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5" 3273111823SgshapiroAuthInfo:host.more.dom "U:user" "P=c2VjcmV0" 327490792Sgshapiro 3275111823SgshapiroUser id or authentication id must exist as well as the password. All 327690792Sgshapiroother entries have default values. If one of user or authentication 327790792Sgshapiroid is missing, the existing value is used for the missing item. 327890792SgshapiroIf "R:" is not specified, realm defaults to $j. The list of mechanisms 327990792Sgshapirodefaults to those specified by AuthMechanisms. 328090792Sgshapiro 328190792SgshapiroSince this map contains sensitive information, either the access 328290792Sgshapiromap must be unreadable by everyone but root (or the trusted user) 328390792Sgshapiroor FEATURE(`authinfo') must be used which provides a separate map. 328490792SgshapiroNotice: It is not checked whether the map is actually 328590792Sgshapirogroup/world-unreadable, this is left to the user. 328690792Sgshapiro 328764562Sgshapiro+--------------------------------+ 328838032Speter| ADDING NEW MAILERS OR RULESETS | 328938032Speter+--------------------------------+ 329038032Speter 329138032SpeterSometimes you may need to add entirely new mailers or rulesets. They 329238032Spetershould be introduced with the constructs MAILER_DEFINITIONS and 329338032SpeterLOCAL_RULESETS respectively. For example: 329438032Speter 329538032Speter MAILER_DEFINITIONS 329638032Speter Mmymailer, ... 329738032Speter ... 329838032Speter 329938032Speter LOCAL_RULESETS 330038032Speter Smyruleset 330138032Speter ... 330238032Speter 330390792SgshapiroLocal additions for the rulesets srv_features, try_tls, tls_rcpt, 330490792Sgshapirotls_client, and tls_server can be made using LOCAL_SRV_FEATURES, 330590792SgshapiroLOCAL_TRY_TLS, LOCAL_TLS_RCPT, LOCAL_TLS_CLIENT, and LOCAL_TLS_SERVER, 330690792Sgshapirorespectively. For example, to add a local ruleset that decides 330790792Sgshapirowhether to try STARTTLS in a sendmail client, use: 330838032Speter 330990792Sgshapiro LOCAL_TRY_TLS 331090792Sgshapiro R... 331190792Sgshapiro 331290792SgshapiroNote: you don't need to add a name for the ruleset, it is implicitly 331390792Sgshapirodefined by using the appropriate macro. 331490792Sgshapiro 331590792Sgshapiro 331671345Sgshapiro+-------------------------+ 331771345Sgshapiro| ADDING NEW MAIL FILTERS | 331871345Sgshapiro+-------------------------+ 331964562Sgshapiro 332064562SgshapiroSendmail supports mail filters to filter incoming SMTP messages according 332164562Sgshapiroto the "Sendmail Mail Filter API" documentation. These filters can be 332264562Sgshapiroconfigured in your mc file using the two commands: 332364562Sgshapiro 332464562Sgshapiro MAIL_FILTER(`name', `equates') 332564562Sgshapiro INPUT_MAIL_FILTER(`name', `equates') 332664562Sgshapiro 332764562SgshapiroThe first command, MAIL_FILTER(), simply defines a filter with the given 332864562Sgshapironame and equates. For example: 332964562Sgshapiro 333064562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 333164562Sgshapiro 333264562SgshapiroThis creates the equivalent sendmail.cf entry: 333364562Sgshapiro 333464562Sgshapiro Xarchive, S=local:/var/run/archivesock, F=R 333564562Sgshapiro 333664562SgshapiroThe INPUT_MAIL_FILTER() command performs the same actions as MAIL_FILTER 333764562Sgshapirobut also populates the m4 variable `confINPUT_MAIL_FILTERS' with the name 333864562Sgshapiroof the filter such that the filter will actually be called by sendmail. 333964562Sgshapiro 334064562SgshapiroFor example, the two commands: 334164562Sgshapiro 334264562Sgshapiro INPUT_MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 334364562Sgshapiro INPUT_MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 334464562Sgshapiro 334564562Sgshapiroare equivalent to the three commands: 334664562Sgshapiro 334764562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 334864562Sgshapiro MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 334964562Sgshapiro define(`confINPUT_MAIL_FILTERS', `archive, spamcheck') 335064562Sgshapiro 335164562SgshapiroIn general, INPUT_MAIL_FILTER() should be used unless you need to define 335264562Sgshapiromore filters than you want to use for `confINPUT_MAIL_FILTERS'. 335364562Sgshapiro 335464562SgshapiroNote that setting `confINPUT_MAIL_FILTERS' after any INPUT_MAIL_FILTER() 335564562Sgshapirocommands will clear the list created by the prior INPUT_MAIL_FILTER() 335664562Sgshapirocommands. 335764562Sgshapiro 335864562Sgshapiro 335990792Sgshapiro+-------------------------+ 336090792Sgshapiro| QUEUE GROUP DEFINITIONS | 336190792Sgshapiro+-------------------------+ 336290792Sgshapiro 336390792SgshapiroIn addition to the queue directory (which is the default queue group 336490792Sgshapirocalled "mqueue"), sendmail can deal with multiple queue groups, which 336590792Sgshapiroare collections of queue directories with the same behaviour. Queue 336690792Sgshapirogroups can be defined using the command: 336790792Sgshapiro 336890792Sgshapiro QUEUE_GROUP(`name', `equates') 336990792Sgshapiro 337090792SgshapiroFor details about queue groups, please see doc/op/op.{me,ps,txt}. 337190792Sgshapiro 337238032Speter+-------------------------------+ 337338032Speter| NON-SMTP BASED CONFIGURATIONS | 337438032Speter+-------------------------------+ 337538032Speter 337664562SgshapiroThese configuration files are designed primarily for use by 337764562SgshapiroSMTP-based sites. They may not be well tuned for UUCP-only or 337838032SpeterUUCP-primarily nodes (the latter is defined as a small local net 337964562Sgshapiroconnected to the rest of the world via UUCP). However, there is 338064562Sgshapiroone hook to handle some special cases. 338138032Speter 338238032SpeterYou can define a ``smart host'' that understands a richer address syntax 338338032Speterusing: 338438032Speter 338543730Speter define(`SMART_HOST', `mailer:hostname') 338638032Speter 338738032SpeterIn this case, the ``mailer:'' defaults to "relay". Any messages that 338838032Spetercan't be handled using the usual UUCP rules are passed to this host. 338938032Speter 339038032SpeterIf you are on a local SMTP-based net that connects to the outside 339138032Speterworld via UUCP, you can use LOCAL_NET_CONFIG to add appropriate rules. 339238032SpeterFor example: 339338032Speter 339464562Sgshapiro define(`SMART_HOST', `uucp-new:uunet') 339538032Speter LOCAL_NET_CONFIG 339638032Speter R$* < @ $* .$m. > $* $#smtp $@ $2.$m. $: $1 < @ $2.$m. > $3 339738032Speter 339894334SgshapiroThis will cause all names that end in your domain name ($m) to be sent 339994334Sgshapirovia SMTP; anything else will be sent via uucp-new (smart UUCP) to uunet. 340043730SpeterIf you have FEATURE(`nocanonify'), you may need to omit the dots after 340138032Speterthe $m. If you are running a local DNS inside your domain which is 340238032Speternot otherwise connected to the outside world, you probably want to 340338032Speteruse: 340438032Speter 340543730Speter define(`SMART_HOST', `smtp:fire.wall.com') 340638032Speter LOCAL_NET_CONFIG 340738032Speter R$* < @ $* . > $* $#smtp $@ $2. $: $1 < @ $2. > $3 340838032Speter 340938032SpeterThat is, send directly only to things you found in your DNS lookup; 341038032Speteranything else goes through SMART_HOST. 341138032Speter 341238032SpeterYou may need to turn off the anti-spam rules in order to accept 341343730SpeterUUCP mail with FEATURE(`promiscuous_relay') and 341443730SpeterFEATURE(`accept_unresolvable_domains'). 341538032Speter 341638032Speter 341738032Speter+-----------+ 341838032Speter| WHO AM I? | 341938032Speter+-----------+ 342038032Speter 342138032SpeterNormally, the $j macro is automatically defined to be your fully 342238032Speterqualified domain name (FQDN). Sendmail does this by getting your 342338032Speterhost name using gethostname and then calling gethostbyname on the 342438032Speterresult. For example, in some environments gethostname returns 342538032Speteronly the root of the host name (such as "foo"); gethostbyname is 342638032Spetersupposed to return the FQDN ("foo.bar.com"). In some (fairly rare) 342738032Spetercases, gethostbyname may fail to return the FQDN. In this case 342838032Speteryou MUST define confDOMAIN_NAME to be your fully qualified domain 342938032Spetername. This is usually done using: 343038032Speter 343138032Speter Dmbar.com 343238032Speter define(`confDOMAIN_NAME', `$w.$m')dnl 343338032Speter 343438032Speter 343564562Sgshapiro+-----------------------------------+ 343664562Sgshapiro| ACCEPTING MAIL FOR MULTIPLE NAMES | 343764562Sgshapiro+-----------------------------------+ 343864562Sgshapiro 343964562SgshapiroIf your host is known by several different names, you need to augment 344064562Sgshapiroclass {w}. This is a list of names by which your host is known, and 344164562Sgshapiroanything sent to an address using a host name in this list will be 344264562Sgshapirotreated as local mail. You can do this in two ways: either create the 344364562Sgshapirofile /etc/mail/local-host-names containing a list of your aliases (one per 344464562Sgshapiroline), and use ``FEATURE(`use_cw_file')'' in the .mc file, or add 344564562Sgshapiro``LOCAL_DOMAIN(`alias.host.name')''. Be sure you use the fully-qualified 344664562Sgshapironame of the host, rather than a short name. 344764562Sgshapiro 344864562SgshapiroIf you want to have different address in different domains, take 344964562Sgshapiroa look at the virtusertable feature, which is also explained at 345064562Sgshapirohttp://www.sendmail.org/virtual-hosting.html 345164562Sgshapiro 345264562Sgshapiro 345338032Speter+--------------------+ 345438032Speter| USING MAILERTABLES | 345538032Speter+--------------------+ 345638032Speter 345743730SpeterTo use FEATURE(`mailertable'), you will have to create an external 345838032Speterdatabase containing the routing information for various domains. 345938032SpeterFor example, a mailertable file in text format might be: 346038032Speter 346138032Speter .my.domain xnet:%1.my.domain 346264562Sgshapiro uuhost1.my.domain uucp-new:uuhost1 346338032Speter .bitnet smtp:relay.bit.net 346438032Speter 346564562SgshapiroThis should normally be stored in /etc/mail/mailertable. The actual 346638032Speterdatabase version of the mailertable is built using: 346738032Speter 346864562Sgshapiro makemap hash /etc/mail/mailertable < /etc/mail/mailertable 346938032Speter 347038032SpeterThe semantics are simple. Any LHS entry that does not begin with 347138032Spetera dot matches the full host name indicated. LHS entries beginning 347266494Sgshapirowith a dot match anything ending with that domain name (including 347366494Sgshapirothe leading dot) -- that is, they can be thought of as having a 347466494Sgshapiroleading ".+" regular expression pattern for a non-empty sequence of 347566494Sgshapirocharacters. Matching is done in order of most-to-least qualified 347666494Sgshapiro-- for example, even though ".my.domain" is listed first in the 347766494Sgshapiroabove example, an entry of "uuhost1.my.domain" will match the second 347866494Sgshapiroentry since it is more explicit. Note: e-mail to "user@my.domain" 347966494Sgshapirodoes not match any entry in the above table. You need to have 348066494Sgshapirosomething like: 348138032Speter 348264562Sgshapiro my.domain esmtp:host.my.domain 348364562Sgshapiro 348438032SpeterThe RHS should always be a "mailer:host" pair. The mailer is the 348590792Sgshapiroconfiguration name of a mailer (that is, an M line in the 348638032Spetersendmail.cf file). The "host" will be the hostname passed to 348738032Speterthat mailer. In domain-based matches (that is, those with leading 348838032Speterdots) the "%1" may be used to interpolate the wildcarded part of 348938032Speterthe host name. For example, the first line above sends everything 349038032Speteraddressed to "anything.my.domain" to that same host name, but using 349138032Speterthe (presumably experimental) xnet mailer. 349238032Speter 349338032SpeterIn some cases you may want to temporarily turn off MX records, 349438032Speterparticularly on gateways. For example, you may want to MX 349538032Spetereverything in a domain to one machine that then forwards it 349638032Speterdirectly. To do this, you might use the DNS configuration: 349738032Speter 349838032Speter *.domain. IN MX 0 relay.machine 349938032Speter 350038032Speterand on relay.machine use the mailertable: 350138032Speter 350238032Speter .domain smtp:[gateway.domain] 350338032Speter 350438032SpeterThe [square brackets] turn off MX records for this host only. 350538032SpeterIf you didn't do this, the mailertable would use the MX record 3506120256Sgshapiroagain, which would give you an MX loop. Note that the use of 3507120256Sgshapirowildcard MX records is almost always a bad idea. Please avoid 3508120256Sgshapirousing them if possible. 350938032Speter 351038032Speter 351138032Speter+--------------------------------+ 351238032Speter| USING USERDB TO MAP FULL NAMES | 351338032Speter+--------------------------------+ 351438032Speter 351538032SpeterThe user database was not originally intended for mapping full names 351638032Speterto login names (e.g., Eric.Allman => eric), but some people are using 351764562Sgshapiroit that way. (it is recommended that you set up aliases for this 351838032Speterpurpose instead -- since you can specify multiple alias files, this 351938032Speteris fairly easy.) The intent was to locate the default maildrop at 352038032Spetera site, but allow you to override this by sending to a specific host. 352138032Speter 352238032SpeterIf you decide to set up the user database in this fashion, it is 352343730Speterimperative that you not use FEATURE(`stickyhost') -- otherwise, 352438032Spetere-mail sent to Full.Name@local.host.name will be rejected. 352538032Speter 352638032SpeterTo build the internal form of the user database, use: 352738032Speter 352864562Sgshapiro makemap btree /etc/mail/userdb < /etc/mail/userdb.txt 352938032Speter 353064562SgshapiroAs a general rule, it is an extremely bad idea to using full names 353164562Sgshapiroas e-mail addresses, since they are not in any sense unique. For 353266494Sgshapiroexample, the UNIX software-development community has at least two 353364562Sgshapirowell-known Peter Deutsches, and at one time Bell Labs had two 353464562SgshapiroStephen R. Bournes with offices along the same hallway. Which one 353564562Sgshapirowill be forced to suffer the indignity of being Stephen_R_Bourne_2? 353664562SgshapiroThe less famous of the two, or the one that was hired later? 353738032Speter 353838032SpeterFinger should handle full names (and be fuzzy). Mail should use 353964562Sgshapirohandles, and not be fuzzy. 354038032Speter 354138032Speter 354238032Speter+--------------------------------+ 354338032Speter| MISCELLANEOUS SPECIAL FEATURES | 354438032Speter+--------------------------------+ 354538032Speter 354638032SpeterPlussed users 354738032Speter Sometimes it is convenient to merge configuration on a 354838032Speter centralized mail machine, for example, to forward all 354938032Speter root mail to a mail server. In this case it might be 355038032Speter useful to be able to treat the root addresses as a class 355138032Speter of addresses with subtle differences. You can do this 355238032Speter using plussed users. For example, a client might include 355338032Speter the alias: 355438032Speter 355538032Speter root: root+client1@server 355638032Speter 355738032Speter On the server, this will match an alias for "root+client1". 355838032Speter If that is not found, the alias "root+*" will be tried, 355938032Speter then "root". 356038032Speter 356138032Speter 356238032Speter+----------------+ 356338032Speter| SECURITY NOTES | 356438032Speter+----------------+ 356538032Speter 356638032SpeterA lot of sendmail security comes down to you. Sendmail 8 is much 356738032Spetermore careful about checking for security problems than previous 356838032Speterversions, but there are some things that you still need to watch 356938032Speterfor. In particular: 357038032Speter 357198121Sgshapiro* Make sure the aliases file is not writable except by trusted 357238032Speter system personnel. This includes both the text and database 357338032Speter version. 357438032Speter 357538032Speter* Make sure that other files that sendmail reads, such as the 357638032Speter mailertable, are only writable by trusted system personnel. 357738032Speter 357838032Speter* The queue directory should not be world writable PARTICULARLY 357938032Speter if your system allows "file giveaways" (that is, if a non-root 358038032Speter user can chown any file they own to any other user). 358138032Speter 358238032Speter* If your system allows file giveaways, DO NOT create a publically 358338032Speter writable directory for forward files. This will allow anyone 358438032Speter to steal anyone else's e-mail. Instead, create a script that 358538032Speter copies the .forward file from users' home directories once a 358638032Speter night (if you want the non-NFS-mounted forward directory). 358738032Speter 358838032Speter* If your system allows file giveaways, you'll find that 358938032Speter sendmail is much less trusting of :include: files -- in 359038032Speter particular, you'll have to have /SENDMAIL/ANY/SHELL/ in 359138032Speter /etc/shells before they will be trusted (that is, before 359238032Speter files and programs listed in them will be honored). 359338032Speter 359438032SpeterIn general, file giveaways are a mistake -- if you can turn them 359564562Sgshapirooff, do so. 359638032Speter 359738032Speter 359838032Speter+--------------------------------+ 359938032Speter| TWEAKING CONFIGURATION OPTIONS | 360038032Speter+--------------------------------+ 360138032Speter 360238032SpeterThere are a large number of configuration options that don't normally 3603132943Sgshapironeed to be changed. However, if you feel you need to tweak them, 3604132943Sgshapiroyou can define the following M4 variables. Note that some of these 3605132943Sgshapirovariables require formats that are defined in RFC 2821 or RFC 2822. 3606132943SgshapiroBefore changing them you need to make sure you do not violate those 3607132943Sgshapiro(and other relevant) RFCs. 360838032Speter 3609132943SgshapiroThis list is shown in four columns: the name you define, the default 3610132943Sgshapirovalue for that definition, the option or macro that is affected 3611132943Sgshapiro(either Ox for an option or Dx for a macro), and a brief description. 3612132943SgshapiroGreater detail of the semantics can be found in the Installation 3613132943Sgshapiroand Operations Guide. 3614132943Sgshapiro 361538032SpeterSome options are likely to be deprecated in future versions -- that is, 361638032Speterthe option is only included to provide back-compatibility. These are 361738032Spetermarked with "*". 361838032Speter 361938032SpeterRemember that these options are M4 variables, and hence may need to 362038032Speterbe quoted. In particular, arguments with commas will usually have to 362138032Speterbe ``double quoted, like this phrase'' to avoid having the comma 362238032Speterconfuse things. This is common for alias file definitions and for 362338032Speterthe read timeout. 362438032Speter 3625132943SgshapiroM4 Variable Name Configuration [Default] & Description 362638032Speter================ ============= ======================= 362738032SpeterconfMAILER_NAME $n macro [MAILER-DAEMON] The sender name used 362838032Speter for internally generated outgoing 362938032Speter messages. 363038032SpeterconfDOMAIN_NAME $j macro If defined, sets $j. This should 363138032Speter only be done if your system cannot 363238032Speter determine your local domain name, 363338032Speter and then it should be set to 363438032Speter $w.Foo.COM, where Foo.COM is your 363538032Speter domain name. 363638032SpeterconfCF_VERSION $Z macro If defined, this is appended to the 363738032Speter configuration version name. 363890792SgshapiroconfLDAP_CLUSTER ${sendmailMTACluster} macro 363990792Sgshapiro If defined, this is the LDAP 364090792Sgshapiro cluster to use for LDAP searches 364190792Sgshapiro as described above in ``USING LDAP 364290792Sgshapiro FOR ALIASES, MAPS, AND CLASSES''. 364364562SgshapiroconfFROM_HEADER From: [$?x$x <$g>$|$g$.] The format of an 364438032Speter internally generated From: address. 364538032SpeterconfRECEIVED_HEADER Received: 364638032Speter [$?sfrom $s $.$?_($?s$|from $.$_) 364764562Sgshapiro $.$?{auth_type}(authenticated) 364838032Speter $.by $j ($v/$Z)$?r with $r$. id $i$?u 364938032Speter for $u; $|; 365038032Speter $.$b] 365138032Speter The format of the Received: header 365238032Speter in messages passed through this host. 365338032Speter It is unwise to try to change this. 3654132943SgshapiroconfMESSAGEID_HEADER Message-Id: [<$t.$i@$j>] The format of an 3655132943Sgshapiro internally generated Message-Id: 3656132943Sgshapiro header. 365764562SgshapiroconfCW_FILE Fw class [/etc/mail/local-host-names] Name 365864562Sgshapiro of file used to get the local 365964562Sgshapiro additions to class {w} (local host 366064562Sgshapiro names). 366164562SgshapiroconfCT_FILE Ft class [/etc/mail/trusted-users] Name of 366264562Sgshapiro file used to get the local additions 366364562Sgshapiro to class {t} (trusted users). 366438032SpeterconfCR_FILE FR class [/etc/mail/relay-domains] Name of 366538032Speter file used to get the local additions 366664562Sgshapiro to class {R} (hosts allowed to relay). 366738032SpeterconfTRUSTED_USERS Ct class [no default] Names of users to add to 366838032Speter the list of trusted users. This list 366938032Speter always includes root, uucp, and daemon. 367043730Speter See also FEATURE(`use_ct_file'). 367164562SgshapiroconfTRUSTED_USER TrustedUser [no default] Trusted user for file 367264562Sgshapiro ownership and starting the daemon. 367364562Sgshapiro Not to be confused with 367464562Sgshapiro confTRUSTED_USERS (see above). 367538032SpeterconfSMTP_MAILER - [esmtp] The mailer name used when 367638032Speter SMTP connectivity is required. 367764562Sgshapiro One of "smtp", "smtp8", 367864562Sgshapiro "esmtp", or "dsmtp". 367938032SpeterconfUUCP_MAILER - [uucp-old] The mailer to be used by 368038032Speter default for bang-format recipient 368138032Speter addresses. See also discussion of 368264562Sgshapiro class {U}, class {Y}, and class {Z} 368364562Sgshapiro in the MAILER(`uucp') section. 368438032SpeterconfLOCAL_MAILER - [local] The mailer name used when 368538032Speter local connectivity is required. 368638032Speter Almost always "local". 368738032SpeterconfRELAY_MAILER - [relay] The default mailer name used 368838032Speter for relaying any mail (e.g., to a 368938032Speter BITNET_RELAY, a SMART_HOST, or 369038032Speter whatever). This can reasonably be 369138032Speter "uucp-new" if you are on a 369238032Speter UUCP-connected site. 369338032SpeterconfSEVEN_BIT_INPUT SevenBitInput [False] Force input to seven bits? 369438032SpeterconfEIGHT_BIT_HANDLING EightBitMode [pass8] 8-bit data handling 369538032SpeterconfALIAS_WAIT AliasWait [10m] Time to wait for alias file 369638032Speter rebuild until you get bored and 369738032Speter decide that the apparently pending 369838032Speter rebuild failed. 369938032SpeterconfMIN_FREE_BLOCKS MinFreeBlocks [100] Minimum number of free blocks on 370038032Speter queue filesystem to accept SMTP mail. 370138032Speter (Prior to 8.7 this was minfree/maxsize, 370238032Speter where minfree was the number of free 370338032Speter blocks and maxsize was the maximum 370438032Speter message size. Use confMAX_MESSAGE_SIZE 370538032Speter for the second value now.) 370638032SpeterconfMAX_MESSAGE_SIZE MaxMessageSize [infinite] The maximum size of messages 370738032Speter that will be accepted (in bytes). 370838032SpeterconfBLANK_SUB BlankSub [.] Blank (space) substitution 370938032Speter character. 371038032SpeterconfCON_EXPENSIVE HoldExpensive [False] Avoid connecting immediately 371164562Sgshapiro to mailers marked expensive. 371238032SpeterconfCHECKPOINT_INTERVAL CheckpointInterval 371338032Speter [10] Checkpoint queue files every N 371438032Speter recipients. 371538032SpeterconfDELIVERY_MODE DeliveryMode [background] Default delivery mode. 371638032SpeterconfERROR_MODE ErrorMode [print] Error message mode. 371738032SpeterconfERROR_MESSAGE ErrorHeader [undefined] Error message header/file. 371842575SpeterconfSAVE_FROM_LINES SaveFromLine Save extra leading From_ lines. 371938032SpeterconfTEMP_FILE_MODE TempFileMode [0600] Temporary file mode. 372038032SpeterconfMATCH_GECOS MatchGECOS [False] Match GECOS field. 372138032SpeterconfMAX_HOP MaxHopCount [25] Maximum hop count. 372264562SgshapiroconfIGNORE_DOTS* IgnoreDots [False; always False in -bs or -bd 372364562Sgshapiro mode] Ignore dot as terminator for 372464562Sgshapiro incoming messages? 372538032SpeterconfBIND_OPTS ResolverOptions [undefined] Default options for DNS 372638032Speter resolver. 372738032SpeterconfMIME_FORMAT_ERRORS* SendMimeErrors [True] Send error messages as MIME- 372838032Speter encapsulated messages per RFC 1344. 372938032SpeterconfFORWARD_PATH ForwardPath [$z/.forward.$w:$z/.forward] 373038032Speter The colon-separated list of places to 373138032Speter search for .forward files. N.B.: see 373238032Speter the Security Notes section. 373338032SpeterconfMCI_CACHE_SIZE ConnectionCacheSize 373438032Speter [2] Size of open connection cache. 373538032SpeterconfMCI_CACHE_TIMEOUT ConnectionCacheTimeout 373638032Speter [5m] Open connection cache timeout. 373738032SpeterconfHOST_STATUS_DIRECTORY HostStatusDirectory 373838032Speter [undefined] If set, host status is kept 373938032Speter on disk between sendmail runs in the 374038032Speter named directory tree. This need not be 374138032Speter a full pathname, in which case it is 374238032Speter interpreted relative to the queue 374338032Speter directory. 374438032SpeterconfSINGLE_THREAD_DELIVERY SingleThreadDelivery 374538032Speter [False] If this option and the 374638032Speter HostStatusDirectory option are both 374738032Speter set, single thread deliveries to other 374838032Speter hosts. That is, don't allow any two 374938032Speter sendmails on this host to connect 375038032Speter simultaneously to any other single 375138032Speter host. This can slow down delivery in 375238032Speter some cases, in particular since a 375338032Speter cached but otherwise idle connection 375438032Speter to a host will prevent other sendmails 375538032Speter from connecting to the other host. 375664562SgshapiroconfUSE_ERRORS_TO* UseErrorsTo [False] Use the Errors-To: header to 375738032Speter deliver error messages. This should 375838032Speter not be necessary because of general 375938032Speter acceptance of the envelope/header 376038032Speter distinction. 376138032SpeterconfLOG_LEVEL LogLevel [9] Log level. 376264562SgshapiroconfME_TOO MeToo [True] Include sender in group 376364562Sgshapiro expansions. This option is 376464562Sgshapiro deprecated and will be removed from 376564562Sgshapiro a future version. 376638032SpeterconfCHECK_ALIASES CheckAliases [False] Check RHS of aliases when 376738032Speter running newaliases. Since this does 376838032Speter DNS lookups on every address, it can 376938032Speter slow down the alias rebuild process 377038032Speter considerably on large alias files. 377138032SpeterconfOLD_STYLE_HEADERS* OldStyleHeaders [True] Assume that headers without 377238032Speter special chars are old style. 377338032SpeterconfPRIVACY_FLAGS PrivacyOptions [authwarnings] Privacy flags. 377438032SpeterconfCOPY_ERRORS_TO PostmasterCopy [undefined] Address for additional 377538032Speter copies of all error messages. 377638032SpeterconfQUEUE_FACTOR QueueFactor [600000] Slope of queue-only function. 377790792SgshapiroconfQUEUE_FILE_MODE QueueFileMode [undefined] Default permissions for 377890792Sgshapiro queue files (octal). If not set, 377990792Sgshapiro sendmail uses 0600 unless its real 378090792Sgshapiro and effective uid are different in 378190792Sgshapiro which case it uses 0644. 378238032SpeterconfDONT_PRUNE_ROUTES DontPruneRoutes [False] Don't prune down route-addr 378338032Speter syntax addresses to the minimum 378438032Speter possible. 378538032SpeterconfSAFE_QUEUE* SuperSafe [True] Commit all messages to disk 378638032Speter before forking. 378738032SpeterconfTO_INITIAL Timeout.initial [5m] The timeout waiting for a response 378838032Speter on the initial connect. 378938032SpeterconfTO_CONNECT Timeout.connect [0] The timeout waiting for an initial 379038032Speter connect() to complete. This can only 379138032Speter shorten connection timeouts; the kernel 379238032Speter silently enforces an absolute maximum 379338032Speter (which varies depending on the system). 379438032SpeterconfTO_ICONNECT Timeout.iconnect 379538032Speter [undefined] Like Timeout.connect, but 379638032Speter applies only to the very first attempt 379738032Speter to connect to a host in a message. 379838032Speter This allows a single very fast pass 379938032Speter followed by more careful delivery 380038032Speter attempts in the future. 380190792SgshapiroconfTO_ACONNECT Timeout.aconnect 380290792Sgshapiro [0] The overall timeout waiting for 380390792Sgshapiro all connection for a single delivery 380490792Sgshapiro attempt to succeed. If 0, no overall 380590792Sgshapiro limit is applied. 380638032SpeterconfTO_HELO Timeout.helo [5m] The timeout waiting for a response 380738032Speter to a HELO or EHLO command. 380838032SpeterconfTO_MAIL Timeout.mail [10m] The timeout waiting for a 380938032Speter response to the MAIL command. 381038032SpeterconfTO_RCPT Timeout.rcpt [1h] The timeout waiting for a response 381138032Speter to the RCPT command. 381238032SpeterconfTO_DATAINIT Timeout.datainit 381338032Speter [5m] The timeout waiting for a 354 381438032Speter response from the DATA command. 381538032SpeterconfTO_DATABLOCK Timeout.datablock 381638032Speter [1h] The timeout waiting for a block 381738032Speter during DATA phase. 381838032SpeterconfTO_DATAFINAL Timeout.datafinal 381938032Speter [1h] The timeout waiting for a response 382038032Speter to the final "." that terminates a 382138032Speter message. 382238032SpeterconfTO_RSET Timeout.rset [5m] The timeout waiting for a response 382338032Speter to the RSET command. 382438032SpeterconfTO_QUIT Timeout.quit [2m] The timeout waiting for a response 382538032Speter to the QUIT command. 382638032SpeterconfTO_MISC Timeout.misc [2m] The timeout waiting for a response 382738032Speter to other SMTP commands. 382864562SgshapiroconfTO_COMMAND Timeout.command [1h] In server SMTP, the timeout 382964562Sgshapiro waiting for a command to be issued. 383064562SgshapiroconfTO_IDENT Timeout.ident [5s] The timeout waiting for a 383164562Sgshapiro response to an IDENT query. 383238032SpeterconfTO_FILEOPEN Timeout.fileopen 383338032Speter [60s] The timeout waiting for a file 383438032Speter (e.g., :include: file) to be opened. 383590792SgshapiroconfTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response 383690792Sgshapiro to an LMTP LHLO command. 383790792SgshapiroconfTO_AUTH Timeout.auth [10m] The timeout waiting for a 383890792Sgshapiro response in an AUTH dialogue. 383990792SgshapiroconfTO_STARTTLS Timeout.starttls 384090792Sgshapiro [1h] The timeout waiting for a 384190792Sgshapiro response to an SMTP STARTTLS command. 384264562SgshapiroconfTO_CONTROL Timeout.control 384364562Sgshapiro [2m] The timeout for a complete 384464562Sgshapiro control socket transaction to complete. 384538032SpeterconfTO_QUEUERETURN Timeout.queuereturn 384638032Speter [5d] The timeout before a message is 384738032Speter returned as undeliverable. 384838032SpeterconfTO_QUEUERETURN_NORMAL 384938032Speter Timeout.queuereturn.normal 385038032Speter [undefined] As above, for normal 385138032Speter priority messages. 385238032SpeterconfTO_QUEUERETURN_URGENT 385338032Speter Timeout.queuereturn.urgent 385438032Speter [undefined] As above, for urgent 385538032Speter priority messages. 385638032SpeterconfTO_QUEUERETURN_NONURGENT 385738032Speter Timeout.queuereturn.non-urgent 385838032Speter [undefined] As above, for non-urgent 385938032Speter (low) priority messages. 3860132943SgshapiroconfTO_QUEUERETURN_DSN 3861132943Sgshapiro Timeout.queuereturn.dsn 3862132943Sgshapiro [undefined] As above, for delivery 3863132943Sgshapiro status notification messages. 386438032SpeterconfTO_QUEUEWARN Timeout.queuewarn 386538032Speter [4h] The timeout before a warning 386638032Speter message is sent to the sender telling 386764562Sgshapiro them that the message has been 386864562Sgshapiro deferred. 386938032SpeterconfTO_QUEUEWARN_NORMAL Timeout.queuewarn.normal 387038032Speter [undefined] As above, for normal 387138032Speter priority messages. 387238032SpeterconfTO_QUEUEWARN_URGENT Timeout.queuewarn.urgent 387338032Speter [undefined] As above, for urgent 387438032Speter priority messages. 387538032SpeterconfTO_QUEUEWARN_NONURGENT 387638032Speter Timeout.queuewarn.non-urgent 387738032Speter [undefined] As above, for non-urgent 387838032Speter (low) priority messages. 3879132943SgshapiroconfTO_QUEUEWARN_DSN 3880132943Sgshapiro Timeout.queuewarn.dsn 3881132943Sgshapiro [undefined] As above, for delivery 3882132943Sgshapiro status notification messages. 388338032SpeterconfTO_HOSTSTATUS Timeout.hoststatus 388438032Speter [30m] How long information about host 388538032Speter statuses will be maintained before it 388638032Speter is considered stale and the host should 388738032Speter be retried. This applies both within 388838032Speter a single queue run and to persistent 388938032Speter information (see below). 389064562SgshapiroconfTO_RESOLVER_RETRANS Timeout.resolver.retrans 389164562Sgshapiro [varies] Sets the resolver's 389298121Sgshapiro retransmission time interval (in 389364562Sgshapiro seconds). Sets both 389464562Sgshapiro Timeout.resolver.retrans.first and 389564562Sgshapiro Timeout.resolver.retrans.normal. 389664562SgshapiroconfTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first 389764562Sgshapiro [varies] Sets the resolver's 389898121Sgshapiro retransmission time interval (in 389964562Sgshapiro seconds) for the first attempt to 390064562Sgshapiro deliver a message. 390164562SgshapiroconfTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal 390264562Sgshapiro [varies] Sets the resolver's 390398121Sgshapiro retransmission time interval (in 390464562Sgshapiro seconds) for all resolver lookups 390564562Sgshapiro except the first delivery attempt. 390664562SgshapiroconfTO_RESOLVER_RETRY Timeout.resolver.retry 390764562Sgshapiro [varies] Sets the number of times 390864562Sgshapiro to retransmit a resolver query. 390964562Sgshapiro Sets both 391064562Sgshapiro Timeout.resolver.retry.first and 391164562Sgshapiro Timeout.resolver.retry.normal. 391264562SgshapiroconfTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first 391364562Sgshapiro [varies] Sets the number of times 391464562Sgshapiro to retransmit a resolver query for 391564562Sgshapiro the first attempt to deliver a 391664562Sgshapiro message. 391764562SgshapiroconfTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal 391864562Sgshapiro [varies] Sets the number of times 391964562Sgshapiro to retransmit a resolver query for 392064562Sgshapiro all resolver lookups except the 392164562Sgshapiro first delivery attempt. 392238032SpeterconfTIME_ZONE TimeZoneSpec [USE_SYSTEM] Time zone info -- can be 392338032Speter USE_SYSTEM to use the system's idea, 392438032Speter USE_TZ to use the user's TZ envariable, 392538032Speter or something else to force that value. 392638032SpeterconfDEF_USER_ID DefaultUser [1:1] Default user id. 392738032SpeterconfUSERDB_SPEC UserDatabaseSpec 392864562Sgshapiro [undefined] User database 392964562Sgshapiro specification. 393038032SpeterconfFALLBACK_MX FallbackMXhost [undefined] Fallback MX host. 3931132943SgshapiroconfFALLBACK_SMARTHOST FallbackSmartHost 3932132943Sgshapiro [undefined] Fallback smart host. 393364562SgshapiroconfTRY_NULL_MX_LIST TryNullMXList [False] If this host is the best MX 393464562Sgshapiro for a host and other arrangements 393564562Sgshapiro haven't been made, try connecting 393664562Sgshapiro to the host directly; normally this 393764562Sgshapiro would be a config error. 393864562SgshapiroconfQUEUE_LA QueueLA [varies] Load average at which 393964562Sgshapiro queue-only function kicks in. 394064562Sgshapiro Default values is (8 * numproc) 394164562Sgshapiro where numproc is the number of 394264562Sgshapiro processors online (if that can be 394364562Sgshapiro determined). 394464562SgshapiroconfREFUSE_LA RefuseLA [varies] Load average at which 394564562Sgshapiro incoming SMTP connections are 394664562Sgshapiro refused. Default values is (12 * 394764562Sgshapiro numproc) where numproc is the 394864562Sgshapiro number of processors online (if 394964562Sgshapiro that can be determined). 3950132943SgshapiroconfREJECT_LOG_INTERVAL RejectLogInterval [3h] Log interval when 3951132943Sgshapiro refusing connections for this long. 395290792SgshapiroconfDELAY_LA DelayLA [0] Load average at which sendmail 395390792Sgshapiro will sleep for one second on most 395490792Sgshapiro SMTP commands and before accepting 395590792Sgshapiro connections. 0 means no limit. 395664562SgshapiroconfMAX_ALIAS_RECURSION MaxAliasRecursion 395764562Sgshapiro [10] Maximum depth of alias recursion. 395838032SpeterconfMAX_DAEMON_CHILDREN MaxDaemonChildren 395938032Speter [undefined] The maximum number of 396038032Speter children the daemon will permit. After 396138032Speter this number, connections will be 396238032Speter rejected. If not set or <= 0, there is 396338032Speter no limit. 396464562SgshapiroconfMAX_HEADERS_LENGTH MaxHeadersLength 396571345Sgshapiro [32768] Maximum length of the sum 396664562Sgshapiro of all headers. 396764562SgshapiroconfMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength 396864562Sgshapiro [undefined] Maximum length of 396964562Sgshapiro certain MIME header field values. 397038032SpeterconfCONNECTION_RATE_THROTTLE ConnectionRateThrottle 397138032Speter [undefined] The maximum number of 397290792Sgshapiro connections permitted per second per 397390792Sgshapiro daemon. After this many connections 397490792Sgshapiro are accepted, further connections 397590792Sgshapiro will be delayed. If not set or <= 0, 397690792Sgshapiro there is no limit. 3977132943SgshapiroconfCONNECTION_RATE_WINDOW_SIZE ConnectionRateWindowSize 3978132943Sgshapiro [60s] Define the length of the 3979132943Sgshapiro interval for which the number of 3980132943Sgshapiro incoming connections is maintained. 398138032SpeterconfWORK_RECIPIENT_FACTOR 398238032Speter RecipientFactor [30000] Cost of each recipient. 398364562SgshapiroconfSEPARATE_PROC ForkEachJob [False] Run all deliveries in a 398464562Sgshapiro separate process. 398538032SpeterconfWORK_CLASS_FACTOR ClassFactor [1800] Priority multiplier for class. 398638032SpeterconfWORK_TIME_FACTOR RetryFactor [90000] Cost of each delivery attempt. 398738032SpeterconfQUEUE_SORT_ORDER QueueSortOrder [Priority] Queue sort algorithm: 398890792Sgshapiro Priority, Host, Filename, Random, 398990792Sgshapiro Modification, or Time. 399038032SpeterconfMIN_QUEUE_AGE MinQueueAge [0] The minimum amount of time a job 399138032Speter must sit in the queue between queue 399238032Speter runs. This allows you to set the 399338032Speter queue run interval low for better 399438032Speter responsiveness without trying all 399538032Speter jobs in each run. 399638032SpeterconfDEF_CHAR_SET DefaultCharSet [unknown-8bit] When converting 399738032Speter unlabeled 8 bit input to MIME, the 399838032Speter character set to use by default. 399938032SpeterconfSERVICE_SWITCH_FILE ServiceSwitchFile 400064562Sgshapiro [/etc/mail/service.switch] The file 400164562Sgshapiro to use for the service switch on 400264562Sgshapiro systems that do not have a 400364562Sgshapiro system-defined switch. 400438032SpeterconfHOSTS_FILE HostsFile [/etc/hosts] The file to use when doing 400538032Speter "file" type access of hosts names. 400638032SpeterconfDIAL_DELAY DialDelay [0s] If a connection fails, wait this 400738032Speter long and try again. Zero means "don't 400838032Speter retry". This is to allow "dial on 400938032Speter demand" connections to have enough time 401038032Speter to complete a connection. 401138032SpeterconfNO_RCPT_ACTION NoRecipientAction 401238032Speter [none] What to do if there are no legal 401338032Speter recipient fields (To:, Cc: or Bcc:) 401438032Speter in the message. Legal values can 401538032Speter be "none" to just leave the 401638032Speter nonconforming message as is, "add-to" 401738032Speter to add a To: header with all the 401838032Speter known recipients (which may expose 401938032Speter blind recipients), "add-apparently-to" 402038032Speter to do the same but use Apparently-To: 402190792Sgshapiro instead of To: (strongly discouraged 402290792Sgshapiro in accordance with IETF standards), 402390792Sgshapiro "add-bcc" to add an empty Bcc: 402490792Sgshapiro header, or "add-to-undisclosed" to 402590792Sgshapiro add the header 402638032Speter ``To: undisclosed-recipients:;''. 402738032SpeterconfSAFE_FILE_ENV SafeFileEnvironment 402838032Speter [undefined] If set, sendmail will do a 402938032Speter chroot() into this directory before 403038032Speter writing files. 403138032SpeterconfCOLON_OK_IN_ADDR ColonOkInAddr [True unless Configuration Level > 6] 403238032Speter If set, colons are treated as a regular 403338032Speter character in addresses. If not set, 403438032Speter they are treated as the introducer to 403538032Speter the RFC 822 "group" syntax. Colons are 403638032Speter handled properly in route-addrs. This 403738032Speter option defaults on for V5 and lower 403838032Speter configuration files. 403938032SpeterconfMAX_QUEUE_RUN_SIZE MaxQueueRunSize [0] If set, limit the maximum size of 404038032Speter any given queue run to this number of 404138032Speter entries. Essentially, this will stop 404264562Sgshapiro reading each queue directory after this 404338032Speter number of entries are reached; it does 404438032Speter _not_ pick the highest priority jobs, 404538032Speter so this should be as large as your 404638032Speter system can tolerate. If not set, there 404738032Speter is no limit. 404890792SgshapiroconfMAX_QUEUE_CHILDREN MaxQueueChildren 404990792Sgshapiro [undefined] Limits the maximum number 405090792Sgshapiro of concurrent queue runners active. 405190792Sgshapiro This is to keep system resources used 405290792Sgshapiro within a reasonable limit. Relates to 4053132943Sgshapiro Queue Groups and ForkEachJob. 405490792SgshapiroconfMAX_RUNNERS_PER_QUEUE MaxRunnersPerQueue 405590792Sgshapiro [1] Only active when MaxQueueChildren 405690792Sgshapiro defined. Controls the maximum number 405790792Sgshapiro of queue runners (aka queue children) 405890792Sgshapiro active at the same time in a work 405990792Sgshapiro group. See also MaxQueueChildren. 406038032SpeterconfDONT_EXPAND_CNAMES DontExpandCnames 406138032Speter [False] If set, $[ ... $] lookups that 406238032Speter do DNS based lookups do not expand 406338032Speter CNAME records. This currently violates 406438032Speter the published standards, but the IETF 406538032Speter seems to be moving toward legalizing 406638032Speter this. For example, if "FTP.Foo.ORG" 406738032Speter is a CNAME for "Cruft.Foo.ORG", then 406838032Speter with this option set a lookup of 406938032Speter "FTP" will return "FTP.Foo.ORG"; if 407038032Speter clear it returns "Cruft.FOO.ORG". N.B. 407138032Speter you may not see any effect until your 407238032Speter downstream neighbors stop doing CNAME 407338032Speter lookups as well. 407464562SgshapiroconfFROM_LINE UnixFromLine [From $g $d] The From_ line used 407538032Speter when sending to files or programs. 407638032SpeterconfSINGLE_LINE_FROM_HEADER SingleLineFromHeader 407738032Speter [False] From: lines that have 407838032Speter embedded newlines are unwrapped 407938032Speter onto one line. 408038032SpeterconfALLOW_BOGUS_HELO AllowBogusHELO [False] Allow HELO SMTP command that 408138032Speter does not include a host name. 408238032SpeterconfMUST_QUOTE_CHARS MustQuoteChars [.'] Characters to be quoted in a full 408338032Speter name phrase (@,;:\()[] are automatic). 408438032SpeterconfOPERATORS OperatorChars [.:%@!^/[]+] Address operator 408538032Speter characters. 408638032SpeterconfSMTP_LOGIN_MSG SmtpGreetingMessage 408738032Speter [$j Sendmail $v/$Z; $b] 408838032Speter The initial (spontaneous) SMTP 408938032Speter greeting message. The word "ESMTP" 409038032Speter will be inserted between the first and 409138032Speter second words to convince other 409238032Speter sendmails to try to speak ESMTP. 409338032SpeterconfDONT_INIT_GROUPS DontInitGroups [False] If set, the initgroups(3) 409438032Speter routine will never be invoked. You 409538032Speter might want to do this if you are 409638032Speter running NIS and you have a large group 409738032Speter map, since this call does a sequential 409838032Speter scan of the map; in a large site this 409938032Speter can cause your ypserv to run 410038032Speter essentially full time. If you set 410138032Speter this, agents run on behalf of users 410238032Speter will only have their primary 410338032Speter (/etc/passwd) group permissions. 410438032SpeterconfUNSAFE_GROUP_WRITES UnsafeGroupWrites 4105157001Sgshapiro [True] If set, group-writable 410638032Speter :include: and .forward files are 410738032Speter considered "unsafe", that is, programs 410838032Speter and files cannot be directly referenced 410938032Speter from such files. World-writable files 411038032Speter are always considered unsafe. 4111157001Sgshapiro Notice: this option is deprecated and 4112157001Sgshapiro will be removed in future versions; 4113157001Sgshapiro Set GroupWritableForwardFileSafe 4114157001Sgshapiro and GroupWritableIncludeFileSafe in 4115157001Sgshapiro DontBlameSendmail if required. 411664562SgshapiroconfCONNECT_ONLY_TO ConnectOnlyTo [undefined] override connection 411764562Sgshapiro address (for testing). 411864562SgshapiroconfCONTROL_SOCKET_NAME ControlSocketName 411964562Sgshapiro [undefined] Control socket for daemon 412064562Sgshapiro management. 412138032SpeterconfDOUBLE_BOUNCE_ADDRESS DoubleBounceAddress 412238032Speter [postmaster] If an error occurs when 412338032Speter sending an error message, send that 412438032Speter "double bounce" error message to this 412590792Sgshapiro address. If it expands to an empty 412690792Sgshapiro string, double bounces are dropped. 4127168515SgshapiroconfSOFT_BOUNCE SoftBounce [False] If set, issue temporary errors 4128168515Sgshapiro (4xy) instead of permanent errors 4129168515Sgshapiro (5xy). This can be useful during 4130168515Sgshapiro testing of a new configuration to 4131168515Sgshapiro avoid erroneous bouncing of mails. 413264562SgshapiroconfDEAD_LETTER_DROP DeadLetterDrop [undefined] Filename to save bounce 413364562Sgshapiro messages which could not be returned 413464562Sgshapiro to the user or sent to postmaster. 413564562Sgshapiro If not set, the queue file will 413664562Sgshapiro be renamed. 413764562SgshapiroconfRRT_IMPLIES_DSN RrtImpliesDsn [False] Return-Receipt-To: header 413864562Sgshapiro implies DSN request. 413938032SpeterconfRUN_AS_USER RunAsUser [undefined] If set, become this user 414038032Speter when reading and delivering mail. 414138032Speter Causes all file reads (e.g., .forward 414238032Speter and :include: files) to be done as 414338032Speter this user. Also, all programs will 414438032Speter be run as this user, and all output 414538032Speter files will be written as this user. 414638032SpeterconfMAX_RCPTS_PER_MESSAGE MaxRecipientsPerMessage 414738032Speter [infinite] If set, allow no more than 414838032Speter the specified number of recipients in 414938032Speter an SMTP envelope. Further recipients 415038032Speter receive a 452 error code (i.e., they 415138032Speter are deferred for the next delivery 415238032Speter attempt). 4153125820SgshapiroconfBAD_RCPT_THROTTLE BadRcptThrottle [infinite] If set and the specified 4154125820Sgshapiro number of recipients in a single SMTP 4155125820Sgshapiro transaction have been rejected, sleep 4156125820Sgshapiro for one second after each subsequent 4157125820Sgshapiro RCPT command in that transaction. 415838032SpeterconfDONT_PROBE_INTERFACES DontProbeInterfaces 415938032Speter [False] If set, sendmail will _not_ 416038032Speter insert the names and addresses of any 416164562Sgshapiro local interfaces into class {w} 416238032Speter (list of known "equivalent" addresses). 416338032Speter If you set this, you must also include 416438032Speter some support for these addresses (e.g., 416538032Speter in a mailertable entry) -- otherwise, 416638032Speter mail to addresses in this list will 416738032Speter bounce with a configuration error. 416890792Sgshapiro If set to "loopback" (without 416990792Sgshapiro quotes), sendmail will skip 417090792Sgshapiro loopback interfaces (e.g., "lo0"). 417164562SgshapiroconfPID_FILE PidFile [system dependent] Location of pid 417264562Sgshapiro file. 417364562SgshapiroconfPROCESS_TITLE_PREFIX ProcessTitlePrefix 417464562Sgshapiro [undefined] Prefix string for the 417564562Sgshapiro process title shown on 'ps' listings. 417638032SpeterconfDONT_BLAME_SENDMAIL DontBlameSendmail 417738032Speter [safe] Override sendmail's file 417838032Speter safety checks. This will definitely 417938032Speter compromise system security and should 418038032Speter not be used unless absolutely 418138032Speter necessary. 418238032SpeterconfREJECT_MSG - [550 Access denied] The message 418338032Speter given if the access database contains 418438032Speter REJECT in the value portion. 418590792SgshapiroconfRELAY_MSG - [550 Relaying denied] The message 418690792Sgshapiro given if an unauthorized relaying 418790792Sgshapiro attempt is rejected. 418864562SgshapiroconfDF_BUFFER_SIZE DataFileBufferSize 418964562Sgshapiro [4096] The maximum size of a 419064562Sgshapiro memory-buffered data (df) file 419164562Sgshapiro before a disk-based file is used. 419264562SgshapiroconfXF_BUFFER_SIZE XScriptFileBufferSize 419364562Sgshapiro [4096] The maximum size of a 419464562Sgshapiro memory-buffered transcript (xf) 419564562Sgshapiro file before a disk-based file is 419664562Sgshapiro used. 419764562SgshapiroconfAUTH_MECHANISMS AuthMechanisms [GSSAPI KERBEROS_V4 DIGEST-MD5 419864562Sgshapiro CRAM-MD5] List of authentication 419964562Sgshapiro mechanisms for AUTH (separated by 420064562Sgshapiro spaces). The advertised list of 420164562Sgshapiro authentication mechanisms will be the 420264562Sgshapiro intersection of this list and the list 420364562Sgshapiro of available mechanisms as determined 4204132943Sgshapiro by the Cyrus SASL library. 4205132943SgshapiroconfAUTH_REALM AuthRealm [undefined] The authentication realm 4206132943Sgshapiro that is passed to the Cyrus SASL 4207132943Sgshapiro library. If no realm is specified, 4208132943Sgshapiro $j is used. 420973188SgshapiroconfDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains 421064562Sgshapiro authentication information for 421190792Sgshapiro outgoing connections. This file must 421290792Sgshapiro contain the user id, the authorization 421390792Sgshapiro id, the password (plain text), the 421490792Sgshapiro realm to use, and the list of 421590792Sgshapiro mechanisms to try, each on a separate 421690792Sgshapiro line and must be readable by root (or 421790792Sgshapiro the trusted user) only. If no realm 421890792Sgshapiro is specified, $j is used. If no 421990792Sgshapiro mechanisms are given in the file, 422090792Sgshapiro AuthMechanisms is used. Notice: this 422190792Sgshapiro option is deprecated and will be 422290792Sgshapiro removed in future versions; it doesn't 422390792Sgshapiro work for the MSP since it can't read 422490792Sgshapiro the file. Use the authinfo ruleset 422590792Sgshapiro instead. See also the section SMTP 422690792Sgshapiro AUTHENTICATION. 422790792SgshapiroconfAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' 422864562Sgshapiro then the AUTH= parameter for the 422964562Sgshapiro MAIL FROM command is only issued 423064562Sgshapiro when authentication succeeded. 4231147078Sgshapiro See doc/op/op.me for more options 4232147078Sgshapiro and details. 423390792SgshapiroconfAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption 423490792Sgshapiro strength for the security layer in 423590792Sgshapiro SMTP AUTH (SASL). Default is 423690792Sgshapiro essentially unlimited. 423790792SgshapiroconfTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client 423890792Sgshapiro verification is performed, i.e., 423990792Sgshapiro the server doesn't ask for a 424090792Sgshapiro certificate. 424164562SgshapiroconfLDAP_DEFAULT_SPEC LDAPDefaultSpec [undefined] Default map 424264562Sgshapiro specification for LDAP maps. The 424364562Sgshapiro value should only contain LDAP 424464562Sgshapiro specific settings such as "-h host 424564562Sgshapiro -p port -d bindDN", etc. The 424664562Sgshapiro settings will be used for all LDAP 424764562Sgshapiro maps unless they are specified in 424864562Sgshapiro the individual map specification 424964562Sgshapiro ('K' command). 4250110560SgshapiroconfCACERT_PATH CACertPath [undefined] Path to directory 425164562Sgshapiro with certs of CAs. 4252110560SgshapiroconfCACERT CACertFile [undefined] File containing one CA 425364562Sgshapiro cert. 425464562SgshapiroconfSERVER_CERT ServerCertFile [undefined] File containing the 425564562Sgshapiro cert of the server, i.e., this cert 425664562Sgshapiro is used when sendmail acts as 425764562Sgshapiro server. 425864562SgshapiroconfSERVER_KEY ServerKeyFile [undefined] File containing the 425964562Sgshapiro private key belonging to the server 426064562Sgshapiro cert. 426164562SgshapiroconfCLIENT_CERT ClientCertFile [undefined] File containing the 426264562Sgshapiro cert of the client, i.e., this cert 426364562Sgshapiro is used when sendmail acts as 426464562Sgshapiro client. 426564562SgshapiroconfCLIENT_KEY ClientKeyFile [undefined] File containing the 426664562Sgshapiro private key belonging to the client 426764562Sgshapiro cert. 4268132943SgshapiroconfCRL CRLFile [undefined] File containing certificate 4269132943Sgshapiro revocation status, useful for X.509v3 4270132943Sgshapiro authentication. Note that CRL requires 4271132943Sgshapiro at least OpenSSL version 0.9.7. 427264562SgshapiroconfDH_PARAMETERS DHParameters [undefined] File containing the 427364562Sgshapiro DH parameters. 427464562SgshapiroconfRAND_FILE RandFile [undefined] File containing random 427566494Sgshapiro data (use prefix file:) or the 427666494Sgshapiro name of the UNIX socket if EGD is 427766494Sgshapiro used (use prefix egd:). STARTTLS 427866494Sgshapiro requires this option if the compile 427966494Sgshapiro flag HASURANDOM is not set (see 428064562Sgshapiro sendmail/README). 428190792SgshapiroconfNICE_QUEUE_RUN NiceQueueRun [undefined] If set, the priority of 428290792Sgshapiro queue runners is set the given value 428390792Sgshapiro (nice(3)). 428490792SgshapiroconfDIRECT_SUBMISSION_MODIFIERS DirectSubmissionModifiers 428590792Sgshapiro [undefined] Defines {daemon_flags} 428690792Sgshapiro for direct submissions. 4287157001SgshapiroconfUSE_MSP UseMSP [undefined] Use as mail submission 428890792Sgshapiro program, see sendmail/SECURITY. 428990792SgshapiroconfDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By 429090792Sgshapiro SMTP Service Extension (RFC 2852). 4291132943SgshapiroconfREQUIRES_DIR_FSYNC RequiresDirfsync [true] RequiresDirfsync can 4292132943Sgshapiro be used to turn off the compile time 4293132943Sgshapiro flag REQUIRES_DIR_FSYNC at runtime. 4294132943Sgshapiro See sendmail/README for details. 429590792SgshapiroconfSHARED_MEMORY_KEY SharedMemoryKey [0] Key for shared memory. 4296168515SgshapiroconfSHARED_MEMORY_KEY_FILE 4297168515Sgshapiro SharedMemoryKeyFile 4298168515Sgshapiro [undefined] File where the 4299168515Sgshapiro automatically selected key for 4300168515Sgshapiro shared memory is stored. 430190792SgshapiroconfFAST_SPLIT FastSplit [1] If set to a value greater than 430290792Sgshapiro zero, the initial MX lookups on 430390792Sgshapiro addresses is suppressed when they 430490792Sgshapiro are sorted which may result in 430590792Sgshapiro faster envelope splitting. If the 430690792Sgshapiro mail is submitted directly from the 430790792Sgshapiro command line, then the value also 430890792Sgshapiro limits the number of processes to 430990792Sgshapiro deliver the envelopes. 431090792SgshapiroconfMAILBOX_DATABASE MailboxDatabase [pw] Type of lookup to find 431190792Sgshapiro information about local mailboxes. 431290792SgshapiroconfDEQUOTE_OPTS - [empty] Additional options for the 431390792Sgshapiro dequote map. 4314168515SgshapiroconfMAX_NOOP_COMMANDS MaxNOOPCommands [20] Maximum number of "useless" 4315168515Sgshapiro commands before the SMTP server 4316168515Sgshapiro will slow down responding. 4317168515SgshapiroconfHELO_NAME HeloName If defined, use as name for EHLO/HELO 4318168515Sgshapiro command (instead of $j). 431990792SgshapiroconfINPUT_MAIL_FILTERS InputMailFilters 432090792Sgshapiro A comma separated list of filters 432190792Sgshapiro which determines which filters and 432290792Sgshapiro the invocation sequence are 432390792Sgshapiro contacted for incoming SMTP 432490792Sgshapiro messages. If none are set, no 432590792Sgshapiro filters will be contacted. 432690792SgshapiroconfMILTER_LOG_LEVEL Milter.LogLevel [9] Log level for input mail filter 432790792Sgshapiro actions, defaults to LogLevel. 432890792SgshapiroconfMILTER_MACROS_CONNECT Milter.macros.connect 4329110560Sgshapiro [j, _, {daemon_name}, {if_name}, 4330110560Sgshapiro {if_addr}] Macros to transmit to 4331110560Sgshapiro milters when a session connection 4332110560Sgshapiro starts. 433390792SgshapiroconfMILTER_MACROS_HELO Milter.macros.helo 4334110560Sgshapiro [{tls_version}, {cipher}, 4335110560Sgshapiro {cipher_bits}, {cert_subject}, 4336110560Sgshapiro {cert_issuer}] Macros to transmit to 4337110560Sgshapiro milters after HELO/EHLO command. 433890792SgshapiroconfMILTER_MACROS_ENVFROM Milter.macros.envfrom 4339110560Sgshapiro [i, {auth_type}, {auth_authen}, 4340110560Sgshapiro {auth_ssf}, {auth_author}, 4341110560Sgshapiro {mail_mailer}, {mail_host}, 4342110560Sgshapiro {mail_addr}] Macros to transmit to 4343110560Sgshapiro milters after MAIL FROM command. 434490792SgshapiroconfMILTER_MACROS_ENVRCPT Milter.macros.envrcpt 4345110560Sgshapiro [{rcpt_mailer}, {rcpt_host}, 4346110560Sgshapiro {rcpt_addr}] Macros to transmit to 4347110560Sgshapiro milters after RCPT TO command. 4348132943SgshapiroconfMILTER_MACROS_EOM Milter.macros.eom 4349132943Sgshapiro [{msg_id}] Macros to transmit to 4350168515Sgshapiro milters after the terminating 4351168515Sgshapiro DATA '.' is received. 4352168515SgshapiroconfMILTER_MACROS_EOH Milter.macros.eoh 4353168515Sgshapiro Macros to transmit to milters 4354168515Sgshapiro after the end of headers. 4355168515SgshapiroconfMILTER_MACROS_DATA Milter.macros.data 4356168515Sgshapiro Macros to transmit to milters 4357168515Sgshapiro after DATA command is received. 435864562Sgshapiro 435990792Sgshapiro 436038032SpeterSee also the description of OSTYPE for some parameters that can be 436138032Spetertweaked (generally pathnames to mailers). 436238032Speter 436390792SgshapiroClientPortOptions and DaemonPortOptions are special cases since multiple 436490792Sgshapiroclients/daemons can be defined. This can be done via 436538032Speter 436690792Sgshapiro CLIENT_OPTIONS(`field1=value1,field2=value2,...') 436764562Sgshapiro DAEMON_OPTIONS(`field1=value1,field2=value2,...') 436864562Sgshapiro 436990792SgshapiroNote that multiple CLIENT_OPTIONS() commands (and therefore multiple 437090792SgshapiroClientPortOptions settings) are allowed in order to give settings for each 437190792Sgshapiroprotocol family (e.g., one for Family=inet and one for Family=inet6). A 437290792Sgshapirorestriction placed on one family only affects outgoing connections on that 437390792Sgshapiroparticular family. 437490792Sgshapiro 437564562SgshapiroIf DAEMON_OPTIONS is not used, then the default is 437664562Sgshapiro 437764562Sgshapiro DAEMON_OPTIONS(`Port=smtp, Name=MTA') 437864562Sgshapiro DAEMON_OPTIONS(`Port=587, Name=MSA, M=E') 437964562Sgshapiro 438064562SgshapiroIf you use one DAEMON_OPTIONS macro, it will alter the parameters 438164562Sgshapiroof the first of these. The second will still be defaulted; it 438264562Sgshapirorepresents a "Message Submission Agent" (MSA) as defined by RFC 438364562Sgshapiro2476 (see below). To turn off the default definition for the MSA, 438464562Sgshapirouse FEATURE(`no_default_msa') (see also FEATURES). If you use 438564562Sgshapiroadditional DAEMON_OPTIONS macros, they will add additional daemons. 438664562Sgshapiro 438764562SgshapiroExample 1: To change the port for the SMTP listener, while 438864562Sgshapirostill using the MSA default, use 438964562Sgshapiro DAEMON_OPTIONS(`Port=925, Name=MTA') 439064562Sgshapiro 439164562SgshapiroExample 2: To change the port for the MSA daemon, while still 439264562Sgshapirousing the default SMTP port, use 439364562Sgshapiro FEATURE(`no_default_msa') 439464562Sgshapiro DAEMON_OPTIONS(`Name=MTA') 439564562Sgshapiro DAEMON_OPTIONS(`Port=987, Name=MSA, M=E') 439664562Sgshapiro 439764562SgshapiroNote that if the first of those DAEMON_OPTIONS lines were omitted, then 439864562Sgshapirothere would be no listener on the standard SMTP port. 439964562Sgshapiro 440064562SgshapiroExample 3: To listen on both IPv4 and IPv6 interfaces, use 440164562Sgshapiro 440264562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v4, Family=inet') 440364562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6') 440464562Sgshapiro 440564562SgshapiroA "Message Submission Agent" still uses all of the same rulesets for 440664562Sgshapiroprocessing the message (and therefore still allows message rejection via 440764562Sgshapirothe check_* rulesets). In accordance with the RFC, the MSA will ensure 4408110560Sgshapirothat all domains in envelope addresses are fully qualified if the message 4409110560Sgshapirois relayed to another MTA. It will also enforce the normal address syntax 4410110560Sgshapirorules and log error messages. Additionally, by using the M=a modifier you 4411110560Sgshapirocan require authentication before messages are accepted by the MSA. 4412110560SgshapiroNotice: Do NOT use the 'a' modifier on a public accessible MTA! Finally, 4413110560Sgshapirothe M=E modifier shown above disables ETRN as required by RFC 2476. 441464562Sgshapiro 441590792SgshapiroMail filters can be defined using the INPUT_MAIL_FILTER() and MAIL_FILTER() 441690792Sgshapirocommands: 441764562Sgshapiro 441890792Sgshapiro INPUT_MAIL_FILTER(`sample', `S=local:/var/run/f1.sock') 441990792Sgshapiro MAIL_FILTER(`myfilter', `S=inet:3333@localhost') 442038032Speter 442190792SgshapiroThe INPUT_MAIL_FILTER() command causes the filter(s) to be called in the 442290792Sgshapirosame order they were specified by also setting confINPUT_MAIL_FILTERS. A 442390792Sgshapirofilter can be defined without adding it to the input filter list by using 442490792SgshapiroMAIL_FILTER() instead of INPUT_MAIL_FILTER() in your .mc file. 442590792SgshapiroAlternatively, you can reset the list of filters and their order by setting 442690792SgshapiroconfINPUT_MAIL_FILTERS option after all INPUT_MAIL_FILTER() commands in 442790792Sgshapiroyour .mc file. 442890792Sgshapiro 442990792Sgshapiro 443090792Sgshapiro+----------------------------+ 443190792Sgshapiro| MESSAGE SUBMISSION PROGRAM | 443290792Sgshapiro+----------------------------+ 443390792Sgshapiro 443490792SgshapiroThe purpose of the message submission program (MSP) is explained 443590792Sgshapiroin sendmail/SECURITY. This section contains a list of caveats and 443690792Sgshapiroa few hints how for those who want to tweak the default configuration 443790792Sgshapirofor it (which is installed as submit.cf). 443890792Sgshapiro 443990792SgshapiroNotice: do not add options/features to submit.mc unless you are 444090792Sgshapiroabsolutely sure you need them. Options you may want to change 444190792Sgshapiroinclude: 444290792Sgshapiro 444394334Sgshapiro- confTRUSTED_USERS, FEATURE(`use_ct_file'), and confCT_FILE for 444498121Sgshapiro avoiding X-Authentication warnings. 444594334Sgshapiro- confTIME_ZONE to change it from the default `USE_TZ'. 444690792Sgshapiro- confDELIVERY_MODE is set to interactive in msp.m4 instead 444790792Sgshapiro of the default background mode. 444898121Sgshapiro- FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses 444998121Sgshapiro to the LOCAL_RELAY instead of the default relay. 445098121Sgshapiro- confRAND_FILE if you use STARTTLS and sendmail is not compiled with 445198121Sgshapiro the flag HASURANDOM. 445290792Sgshapiro 445398121SgshapiroThe MSP performs hostname canonicalization by default. As also 445498121Sgshapiroexplained in sendmail/SECURITY, mail may end up for various DNS 445598121Sgshapirorelated reasons in the MSP queue. This problem can be minimized by 445698121Sgshapirousing 445798121Sgshapiro 445898121Sgshapiro FEATURE(`nocanonify', `canonify_hosts') 445998121Sgshapiro define(`confDIRECT_SUBMISSION_MODIFIERS', `C') 446098121Sgshapiro 446198121SgshapiroSee the discussion about nocanonify for possible side effects. 446298121Sgshapiro 446390792SgshapiroSome things are not intended to work with the MSP. These include 446490792Sgshapirofeatures that influence the delivery process (e.g., mailertable, 446590792Sgshapiroaliases), or those that are only important for a SMTP server (e.g., 446690792Sgshapirovirtusertable, DaemonPortOptions, multiple queues). Moreover, 446790792Sgshapirorelaxing certain restrictions (RestrictQueueRun, permissions on 446890792Sgshapiroqueue directory) or adding features (e.g., enabling prog/file mailer) 446990792Sgshapirocan cause security problems. 447090792Sgshapiro 447190792SgshapiroOther things don't work well with the MSP and require tweaking or 447290792Sgshapiroworkarounds. For example, to allow for client authentication it 447390792Sgshapirois not just sufficient to provide a client certificate and the 447490792Sgshapirocorresponding key, but it is also necessary to make the key group 447590792Sgshapiro(smmsp) readable and tell sendmail not to complain about that, i.e., 447690792Sgshapiro 447790792Sgshapiro define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') 447890792Sgshapiro 447990792SgshapiroIf the MSP should actually use AUTH then the necessary data 448090792Sgshapiroshould be placed in a map as explained in SMTP AUTHENTICATION: 448190792Sgshapiro 448290792SgshapiroFEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') 448390792Sgshapiro 448490792Sgshapiro/etc/mail/msp-authinfo should contain an entry like: 448590792Sgshapiro 448690792Sgshapiro AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" 448790792Sgshapiro 448890792SgshapiroThe file and the map created by makemap should be owned by smmsp, 448990792Sgshapiroits group should be smmsp, and it should have mode 640. The database 449090792Sgshapiroused by the MTA for AUTH must have a corresponding entry. 449190792SgshapiroAdditionally the MTA must trust this authentication data so the AUTH= 449290792Sgshapiropart will be relayed on to the next hop. This can be achieved by 449390792Sgshapiroadding the following to your sendmail.mc file: 449490792Sgshapiro 449590792Sgshapiro LOCAL_RULESETS 449690792Sgshapiro SLocal_trust_auth 449790792Sgshapiro R$* $: $&{auth_authen} 449890792Sgshapiro Rsmmsp $# OK 449990792Sgshapiro 4500132943SgshapiroNote: the authentication data can leak to local users who invoke 4501132943Sgshapirothe MSP with debug options or even with -v. For that reason either 4502132943Sgshapiroan authentication mechanism that does not show the password in the 4503132943SgshapiroAUTH dialogue (e.g., DIGEST-MD5) or a different authentication 4504132943Sgshapiromethod like STARTTLS should be used. 4505132943Sgshapiro 450690792Sgshapirofeature/msp.m4 defines almost all settings for the MSP. Most of 450790792Sgshapirothose should not be changed at all. Some of the features and options 450890792Sgshapirocan be overridden if really necessary. It is a bit tricky to do 450990792Sgshapirothis, because it depends on the actual way the option is defined 451090792Sgshapiroin feature/msp.m4. If it is directly defined (i.e., define()) then 451190792Sgshapirothe modified value must be defined after 451290792Sgshapiro 451390792Sgshapiro FEATURE(`msp') 451490792Sgshapiro 451590792SgshapiroIf it is conditionally defined (i.e., ifdef()) then the desired 451690792Sgshapirovalue must be defined before the FEATURE line in the .mc file. 451790792SgshapiroTo see how the options are defined read feature/msp.m4. 451890792Sgshapiro 451990792Sgshapiro 452090792Sgshapiro+--------------------------+ 452190792Sgshapiro| FORMAT OF FILES AND MAPS | 452290792Sgshapiro+--------------------------+ 452390792Sgshapiro 452490792SgshapiroFiles that define classes, i.e., F{classname}, consist of lines 452590792Sgshapiroeach of which contains a single element of the class. For example, 452690792Sgshapiro/etc/mail/local-host-names may have the following content: 452790792Sgshapiro 452890792Sgshapiromy.domain 452990792Sgshapiroanother.domain 453090792Sgshapiro 453190792SgshapiroMaps must be created using makemap(8) , e.g., 453290792Sgshapiro 453390792Sgshapiro makemap hash MAP < MAP 453490792Sgshapiro 453590792SgshapiroIn general, a text file from which a map is created contains lines 453690792Sgshapiroof the form 453790792Sgshapiro 453890792Sgshapirokey value 453990792Sgshapiro 454090792Sgshapirowhere 'key' and 'value' are also called LHS and RHS, respectively. 454190792SgshapiroBy default, the delimiter between LHS and RHS is a non-empty sequence 454290792Sgshapiroof white space characters. 454390792Sgshapiro 454490792Sgshapiro 454590792Sgshapiro+------------------+ 454690792Sgshapiro| DIRECTORY LAYOUT | 454790792Sgshapiro+------------------+ 454890792Sgshapiro 454938032SpeterWithin this directory are several subdirectories, to wit: 455038032Speter 455138032Speterm4 General support routines. These are typically 455238032Speter very important and should not be changed without 455338032Speter very careful consideration. 455438032Speter 455538032Spetercf The configuration files themselves. They have 455638032Speter ".mc" suffixes, and must be run through m4 to 455738032Speter become complete. The resulting output should 455838032Speter have a ".cf" suffix. 455938032Speter 456038032Speterostype Definitions describing a particular operating 456138032Speter system type. These should always be referenced 456238032Speter using the OSTYPE macro in the .mc file. Examples 456338032Speter include "bsd4.3", "bsd4.4", "sunos3.5", and 456438032Speter "sunos4.1". 456538032Speter 456638032Speterdomain Definitions describing a particular domain, referenced 456738032Speter using the DOMAIN macro in the .mc file. These are 456838032Speter site dependent; for example, "CS.Berkeley.EDU.m4" 456938032Speter describes hosts in the CS.Berkeley.EDU subdomain. 457038032Speter 457166494Sgshapiromailer Descriptions of mailers. These are referenced using 457238032Speter the MAILER macro in the .mc file. 457338032Speter 457438032Spetersh Shell files used when building the .cf file from the 457538032Speter .mc file in the cf subdirectory. 457638032Speter 457738032Speterfeature These hold special orthogonal features that you might 457838032Speter want to include. They should be referenced using 457938032Speter the FEATURE macro. 458038032Speter 458138032Speterhack Local hacks. These can be referenced using the HACK 458238032Speter macro. They shouldn't be of more than voyeuristic 458338032Speter interest outside the .Berkeley.EDU domain, but who knows? 458438032Speter 458538032Spetersiteconfig Site configuration -- e.g., tables of locally connected 458638032Speter UUCP sites. 458738032Speter 458838032Speter 458938032Speter+------------------------+ 459038032Speter| ADMINISTRATIVE DETAILS | 459138032Speter+------------------------+ 459238032Speter 459338032SpeterThe following sections detail usage of certain internal parts of the 459438032Spetersendmail.cf file. Read them carefully if you are trying to modify 459538032Speterthe current model. If you find the above descriptions adequate, these 459638032Spetershould be {boring, confusing, tedious, ridiculous} (pick one or more). 459738032Speter 459838032SpeterRULESETS (* means built in to sendmail) 459938032Speter 460038032Speter 0 * Parsing 460138032Speter 1 * Sender rewriting 460238032Speter 2 * Recipient rewriting 460338032Speter 3 * Canonicalization 460438032Speter 4 * Post cleanup 460538032Speter 5 * Local address rewrite (after aliasing) 460638032Speter 1x mailer rules (sender qualification) 460738032Speter 2x mailer rules (recipient qualification) 460838032Speter 3x mailer rules (sender header qualification) 460938032Speter 4x mailer rules (recipient header qualification) 461038032Speter 5x mailer subroutines (general) 461138032Speter 6x mailer subroutines (general) 461238032Speter 7x mailer subroutines (general) 461338032Speter 8x reserved 461438032Speter 90 Mailertable host stripping 461538032Speter 96 Bottom half of Ruleset 3 (ruleset 6 in old sendmail) 461638032Speter 97 Hook for recursive ruleset 0 call (ruleset 7 in old sendmail) 461738032Speter 98 Local part of ruleset 0 (ruleset 8 in old sendmail) 461838032Speter 461938032Speter 462038032SpeterMAILERS 462138032Speter 462238032Speter 0 local, prog local and program mailers 462338032Speter 1 [e]smtp, relay SMTP channel 462438032Speter 2 uucp-* UNIX-to-UNIX Copy Program 462538032Speter 3 netnews Network News delivery 462638032Speter 4 fax Sam Leffler's HylaFAX software 462738032Speter 5 mail11 DECnet mailer 462838032Speter 462938032Speter 463038032SpeterMACROS 463138032Speter 463238032Speter A 463338032Speter B Bitnet Relay 463438032Speter C DECnet Relay 463538032Speter D The local domain -- usually not needed 463638032Speter E reserved for X.400 Relay 463738032Speter F FAX Relay 463838032Speter G 463938032Speter H mail Hub (for mail clusters) 464038032Speter I 464138032Speter J 464238032Speter K 464338032Speter L Luser Relay 464464562Sgshapiro M Masquerade (who you claim to be) 464538032Speter N 464638032Speter O 464738032Speter P 464838032Speter Q 464938032Speter R Relay (for unqualified names) 465038032Speter S Smart Host 465138032Speter T 465264562Sgshapiro U my UUCP name (if you have a UUCP connection) 465364562Sgshapiro V UUCP Relay (class {V} hosts) 465464562Sgshapiro W UUCP Relay (class {W} hosts) 465564562Sgshapiro X UUCP Relay (class {X} hosts) 465638032Speter Y UUCP Relay (all other hosts) 465738032Speter Z Version number 465838032Speter 465938032Speter 466038032SpeterCLASSES 466138032Speter 466238032Speter A 466338032Speter B domains that are candidates for bestmx lookup 466438032Speter C 466538032Speter D 466638032Speter E addresses that should not seem to come from $M 466764562Sgshapiro F hosts this system forward for 466838032Speter G domains that should be looked up in genericstable 466938032Speter H 467038032Speter I 467138032Speter J 467238032Speter K 467338032Speter L addresses that should not be forwarded to $R 467438032Speter M domains that should be mapped to $M 467564562Sgshapiro N host/domains that should not be mapped to $M 467638032Speter O operators that indicate network operations (cannot be in local names) 467738032Speter P top level pseudo-domains: BITNET, DECNET, FAX, UUCP, etc. 467838032Speter Q 467964562Sgshapiro R domains this system is willing to relay (pass anti-spam filters) 468038032Speter S 468138032Speter T 468238032Speter U locally connected UUCP hosts 468338032Speter V UUCP hosts connected to relay $V 468438032Speter W UUCP hosts connected to relay $W 468538032Speter X UUCP hosts connected to relay $X 468638032Speter Y locally connected smart UUCP hosts 468738032Speter Z locally connected domain-ized UUCP hosts 468838032Speter . the class containing only a dot 468938032Speter [ the class containing only a left bracket 469038032Speter 469138032Speter 469238032SpeterM4 DIVERSIONS 469338032Speter 469438032Speter 1 Local host detection and resolution 469538032Speter 2 Local Ruleset 3 additions 469638032Speter 3 Local Ruleset 0 additions 469738032Speter 4 UUCP Ruleset 0 additions 469838032Speter 5 locally interpreted names (overrides $R) 469938032Speter 6 local configuration (at top of file) 470038032Speter 7 mailer definitions 470164562Sgshapiro 8 DNS based blacklists 470238032Speter 9 special local rulesets (1 and 2) 470364562Sgshapiro 4704182352Sgshapiro$Revision: 8.724 $, Last updated $Date: 2008/02/15 23:05:32 $ 4705