README revision 266527
138032Speter 264562Sgshapiro SENDMAIL CONFIGURATION FILES 338032Speter 490792SgshapiroThis document describes the sendmail configuration files. It 590792Sgshapiroexplains how to create a sendmail.cf file for use with sendmail. 690792SgshapiroIt also describes how to set options for sendmail which are explained 790792Sgshapiroin the Sendmail Installation and Operation guide (doc/op/op.me). 838032Speter 990792SgshapiroTo get started, you may want to look at tcpproto.mc (for TCP-only 1090792Sgshapirosites) and clientproto.mc (for clusters of clients using a single 1190792Sgshapiromail host), or the generic-*.mc files as operating system-specific 1290792Sgshapiroexamples. 1338032Speter 1490792SgshapiroTable of Content: 1538032Speter 1690792SgshapiroINTRODUCTION AND EXAMPLE 1790792SgshapiroA BRIEF INTRODUCTION TO M4 1890792SgshapiroFILE LOCATIONS 1990792SgshapiroOSTYPE 2090792SgshapiroDOMAINS 2190792SgshapiroMAILERS 2290792SgshapiroFEATURES 2390792SgshapiroHACKS 2490792SgshapiroSITE CONFIGURATION 2590792SgshapiroUSING UUCP MAILERS 2690792SgshapiroTWEAKING RULESETS 2790792SgshapiroMASQUERADING AND RELAYING 2890792SgshapiroUSING LDAP FOR ALIASES, MAPS, AND CLASSES 2990792SgshapiroLDAP ROUTING 3090792SgshapiroANTI-SPAM CONFIGURATION CONTROL 31132943SgshapiroCONNECTION CONTROL 3290792SgshapiroSTARTTLS 3390792SgshapiroSMTP AUTHENTICATION 3490792SgshapiroADDING NEW MAILERS OR RULESETS 3590792SgshapiroADDING NEW MAIL FILTERS 3690792SgshapiroQUEUE GROUP DEFINITIONS 3790792SgshapiroNON-SMTP BASED CONFIGURATIONS 3890792SgshapiroWHO AM I? 3990792SgshapiroACCEPTING MAIL FOR MULTIPLE NAMES 4090792SgshapiroUSING MAILERTABLES 4190792SgshapiroUSING USERDB TO MAP FULL NAMES 4290792SgshapiroMISCELLANEOUS SPECIAL FEATURES 4390792SgshapiroSECURITY NOTES 4490792SgshapiroTWEAKING CONFIGURATION OPTIONS 4590792SgshapiroMESSAGE SUBMISSION PROGRAM 4690792SgshapiroFORMAT OF FILES AND MAPS 4790792SgshapiroDIRECTORY LAYOUT 4890792SgshapiroADMINISTRATIVE DETAILS 4938032Speter 5090792Sgshapiro 5138032Speter+--------------------------+ 5238032Speter| INTRODUCTION AND EXAMPLE | 5338032Speter+--------------------------+ 5438032Speter 5538032SpeterConfiguration files are contained in the subdirectory "cf", with a 5638032Spetersuffix ".mc". They must be run through "m4" to produce a ".cf" file. 5738032SpeterYou must pre-load "cf.m4": 5838032Speter 5938032Speter m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf 6038032Speter 6164562SgshapiroAlternatively, you can simply: 6264562Sgshapiro 6364562Sgshapiro cd ${CFDIR}/cf 6464562Sgshapiro ./Build config.cf 6564562Sgshapiro 6638032Speterwhere ${CFDIR} is the root of the cf directory and config.mc is the 6738032Spetername of your configuration file. If you are running a version of M4 6838032Speterthat understands the __file__ builtin (versions of GNU m4 >= 0.75 do 6938032Speterthis, but the versions distributed with 4.4BSD and derivatives do not) 7038032Speteror the -I flag (ditto), then ${CFDIR} can be in an arbitrary directory. 7138032SpeterFor "traditional" versions, ${CFDIR} ***MUST*** be "..", or you MUST 7238032Speteruse -D_CF_DIR_=/path/to/cf/dir/ -- note the trailing slash! For example: 7338032Speter 7438032Speter m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 config.mc > config.cf 7538032Speter 7638032SpeterLet's examine a typical .mc file: 7738032Speter 7838032Speter divert(-1) 7938032Speter # 80261194Sgshapiro # Copyright (c) 1998-2005 Proofpoint, Inc. and its suppliers. 8164562Sgshapiro # All rights reserved. 8238032Speter # Copyright (c) 1983 Eric P. Allman. All rights reserved. 8338032Speter # Copyright (c) 1988, 1993 8438032Speter # The Regents of the University of California. All rights reserved. 8538032Speter # 8638032Speter # By using this file, you agree to the terms and conditions set 8738032Speter # forth in the LICENSE file which can be found at the top level of 8838032Speter # the sendmail distribution. 8938032Speter # 9038032Speter 9138032Speter # 9238032Speter # This is a Berkeley-specific configuration file for HP-UX 9.x. 9338032Speter # It applies only to the Computer Science Division at Berkeley, 9438032Speter # and should not be used elsewhere. It is provided on the sendmail 9538032Speter # distribution as a sample only. To create your own configuration 9638032Speter # file, create an appropriate domain file in ../domain, change the 9738032Speter # `DOMAIN' macro below to reference that file, and copy the result 9838032Speter # to a name of your own choosing. 9938032Speter # 10038032Speter divert(0) 10138032Speter 10238032SpeterThe divert(-1) will delete the crud in the resulting output file. 10338032SpeterThe copyright notice can be replaced by whatever your lawyers require; 10464562Sgshapiroour lawyers require the one that is included in these files. A copyleft 10538032Speteris a copyright by another name. The divert(0) restores regular output. 10638032Speter 10738032Speter VERSIONID(`<SCCS or RCS version id>') 10838032Speter 10938032SpeterVERSIONID is a macro that stuffs the version information into the 11064562Sgshapiroresulting file. You could use SCCS, RCS, CVS, something else, or 11138032Speteromit it completely. This is not the same as the version id included 11238032Speterin SMTP greeting messages -- this is defined in m4/version.m4. 11338032Speter 11464562Sgshapiro OSTYPE(`hpux9')dnl 11538032Speter 11638032SpeterYou must specify an OSTYPE to properly configure things such as the 11738032Speterpathname of the help and status files, the flags needed for the local 11838032Spetermailer, and other important things. If you omit it, you will get an 11938032Spetererror when you try to build the configuration. Look at the ostype 12038032Speterdirectory for the list of known operating system types. 12138032Speter 12264562Sgshapiro DOMAIN(`CS.Berkeley.EDU')dnl 12338032Speter 12438032SpeterThis example is specific to the Computer Science Division at Berkeley. 12564562SgshapiroYou can use "DOMAIN(`generic')" to get a sufficiently bland definition 12638032Speterthat may well work for you, or you can create a customized domain 12738032Speterdefinition appropriate for your environment. 12838032Speter 12964562Sgshapiro MAILER(`local') 13064562Sgshapiro MAILER(`smtp') 13138032Speter 13290792SgshapiroThese describe the mailers used at the default CS site. The local 13390792Sgshapiromailer is always included automatically. Beware: MAILER declarations 134132943Sgshapiroshould only be followed by LOCAL_* sections. The general rules are 135132943Sgshapirothat the order should be: 13638032Speter 13738032Speter VERSIONID 13838032Speter OSTYPE 13938032Speter DOMAIN 14038032Speter FEATURE 14138032Speter local macro definitions 14238032Speter MAILER 14390792Sgshapiro LOCAL_CONFIG 14464562Sgshapiro LOCAL_RULE_* 14564562Sgshapiro LOCAL_RULESETS 14638032Speter 14764562SgshapiroThere are a few exceptions to this rule. Local macro definitions which 14864562Sgshapiroinfluence a FEATURE() should be done before that feature. For example, 14964562Sgshapiroa define(`PROCMAIL_MAILER_PATH', ...) should be done before 15064562SgshapiroFEATURE(`local_procmail'). 15138032Speter 15290792Sgshapiro******************************************************************* 15390792Sgshapiro*** BE SURE YOU CUSTOMIZE THESE FILES! They have some *** 15490792Sgshapiro*** Berkeley-specific assumptions built in, such as the name *** 15590792Sgshapiro*** of their UUCP-relay. You'll want to create your own *** 15690792Sgshapiro*** domain description, and use that in place of *** 15790792Sgshapiro*** domain/Berkeley.EDU.m4. *** 15890792Sgshapiro******************************************************************* 15964562Sgshapiro 16090792Sgshapiro 16138032Speter+----------------------------+ 16238032Speter| A BRIEF INTRODUCTION TO M4 | 16338032Speter+----------------------------+ 16438032Speter 16538032SpeterSendmail uses the M4 macro processor to ``compile'' the configuration 16638032Speterfiles. The most important thing to know is that M4 is stream-based, 16738032Speterthat is, it doesn't understand about lines. For this reason, in some 16838032Speterplaces you may see the word ``dnl'', which stands for ``delete 16938032Speterthrough newline''; essentially, it deletes all characters starting 17038032Speterat the ``dnl'' up to and including the next newline character. In 17138032Spetermost cases sendmail uses this only to avoid lots of unnecessary 17238032Speterblank lines in the output. 17338032Speter 17438032SpeterOther important directives are define(A, B) which defines the macro 17538032Speter``A'' to have value ``B''. Macros are expanded as they are read, so 17638032Speterone normally quotes both values to prevent expansion. For example, 17738032Speter 17838032Speter define(`SMART_HOST', `smart.foo.com') 17938032Speter 18038032SpeterOne word of warning: M4 macros are expanded even in lines that appear 18138032Speterto be comments. For example, if you have 18238032Speter 18364562Sgshapiro # See FEATURE(`foo') above 18438032Speter 18564562Sgshapiroit will not do what you expect, because the FEATURE(`foo') will be 18638032Speterexpanded. This also applies to 18738032Speter 18838032Speter # And then define the $X macro to be the return address 18938032Speter 19038032Speterbecause ``define'' is an M4 keyword. If you want to use them, surround 19138032Speterthem with directed quotes, `like this'. 19238032Speter 193110560SgshapiroSince m4 uses single quotes (opening "`" and closing "'") to quote 194110560Sgshapiroarguments, those quotes can't be used in arguments. For example, 195110560Sgshapiroit is not possible to define a rejection message containing a single 196110560Sgshapiroquote. Usually there are simple workarounds by changing those 197110560Sgshapiromessages; in the worst case it might be ok to change the value 198110560Sgshapirodirectly in the generated .cf file, which however is not advised. 19990792Sgshapiro 200110560Sgshapiro 20190792SgshapiroNotice: 20290792Sgshapiro------- 20390792Sgshapiro 20490792SgshapiroThis package requires a post-V7 version of m4; if you are running the 20590792Sgshapiro4.2bsd, SysV.2, or 7th Edition version. SunOS's /usr/5bin/m4 or 20690792SgshapiroBSD-Net/2's m4 both work. GNU m4 version 1.1 or later also works. 20790792SgshapiroUnfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a 20890792SgshapiroNet/2 or GNU version. GNU m4 is available from 20990792Sgshapiroftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version). 21090792SgshapiroEXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine). Use GNU 21190792Sgshapirom4 on this platform. 21290792Sgshapiro 21390792Sgshapiro 21438032Speter+----------------+ 21538032Speter| FILE LOCATIONS | 21638032Speter+----------------+ 21738032Speter 21838032Spetersendmail 8.9 has introduced a new configuration directory for sendmail 21938032Speterrelated files, /etc/mail. The new files available for sendmail 8.9 -- 22064562Sgshapirothe class {R} /etc/mail/relay-domains and the access database 22164562Sgshapiro/etc/mail/access -- take advantage of this new directory. Beginning with 22264562Sgshapiro8.10, all files will use this directory by default (some options may be 22364562Sgshapiroset by OSTYPE() files). This new directory should help to restore 22464562Sgshapirouniformity to sendmail's file locations. 22538032Speter 22664562SgshapiroBelow is a table of some of the common changes: 22764562Sgshapiro 22864562SgshapiroOld filename New filename 22964562Sgshapiro------------ ------------ 23064562Sgshapiro/etc/bitdomain /etc/mail/bitdomain 23164562Sgshapiro/etc/domaintable /etc/mail/domaintable 23264562Sgshapiro/etc/genericstable /etc/mail/genericstable 23364562Sgshapiro/etc/uudomain /etc/mail/uudomain 23464562Sgshapiro/etc/virtusertable /etc/mail/virtusertable 23564562Sgshapiro/etc/userdb /etc/mail/userdb 23664562Sgshapiro 23764562Sgshapiro/etc/aliases /etc/mail/aliases 23864562Sgshapiro/etc/sendmail/aliases /etc/mail/aliases 23964562Sgshapiro/etc/ucbmail/aliases /etc/mail/aliases 24064562Sgshapiro/usr/adm/sendmail/aliases /etc/mail/aliases 24164562Sgshapiro/usr/lib/aliases /etc/mail/aliases 24264562Sgshapiro/usr/lib/mail/aliases /etc/mail/aliases 24364562Sgshapiro/usr/ucblib/aliases /etc/mail/aliases 24464562Sgshapiro 24564562Sgshapiro/etc/sendmail.cw /etc/mail/local-host-names 24664562Sgshapiro/etc/mail/sendmail.cw /etc/mail/local-host-names 24764562Sgshapiro/etc/sendmail/sendmail.cw /etc/mail/local-host-names 24864562Sgshapiro 24964562Sgshapiro/etc/sendmail.ct /etc/mail/trusted-users 25064562Sgshapiro 25164562Sgshapiro/etc/sendmail.oE /etc/mail/error-header 25264562Sgshapiro 25364562Sgshapiro/etc/sendmail.hf /etc/mail/helpfile 25464562Sgshapiro/etc/mail/sendmail.hf /etc/mail/helpfile 25564562Sgshapiro/usr/ucblib/sendmail.hf /etc/mail/helpfile 25664562Sgshapiro/etc/ucbmail/sendmail.hf /etc/mail/helpfile 25764562Sgshapiro/usr/lib/sendmail.hf /etc/mail/helpfile 25864562Sgshapiro/usr/share/lib/sendmail.hf /etc/mail/helpfile 25964562Sgshapiro/usr/share/misc/sendmail.hf /etc/mail/helpfile 26064562Sgshapiro/share/misc/sendmail.hf /etc/mail/helpfile 26164562Sgshapiro 26264562Sgshapiro/etc/service.switch /etc/mail/service.switch 26364562Sgshapiro 26464562Sgshapiro/etc/sendmail.st /etc/mail/statistics 26564562Sgshapiro/etc/mail/sendmail.st /etc/mail/statistics 26664562Sgshapiro/etc/mailer/sendmail.st /etc/mail/statistics 26764562Sgshapiro/etc/sendmail/sendmail.st /etc/mail/statistics 26864562Sgshapiro/usr/lib/sendmail.st /etc/mail/statistics 26964562Sgshapiro/usr/ucblib/sendmail.st /etc/mail/statistics 27064562Sgshapiro 27164562SgshapiroNote that all of these paths actually use a new m4 macro MAIL_SETTINGS_DIR 27264562Sgshapiroto create the pathnames. The default value of this variable is 27364562Sgshapiro`/etc/mail/'. If you set this macro to a different value, you MUST include 27464562Sgshapiroa trailing slash. 27564562Sgshapiro 27680785SgshapiroNotice: all filenames used in a .mc (or .cf) file should be absolute 27780785Sgshapiro(starting at the root, i.e., with '/'). Relative filenames most 27880785Sgshapirolikely cause surprises during operations (unless otherwise noted). 27980785Sgshapiro 28080785Sgshapiro 28138032Speter+--------+ 28238032Speter| OSTYPE | 28338032Speter+--------+ 28438032Speter 28538032SpeterYou MUST define an operating system environment, or the configuration 28638032Speterfile build will puke. There are several environments available; look 28738032Speterat the "ostype" directory for the current list. This macro changes 28838032Speterthings like the location of the alias file and queue directory. Some 28938032Speterof these files are identical to one another. 29038032Speter 29138032SpeterIt is IMPERATIVE that the OSTYPE occur before any MAILER definitions. 29238032SpeterIn general, the OSTYPE macro should go immediately after any version 29338032Speterinformation, and MAILER definitions should always go last. 29438032Speter 29538032SpeterOperating system definitions are usually easy to write. They may define 29638032Speterthe following variables (everything defaults, so an ostype file may be 29738032Speterempty). Unfortunately, the list of configuration-supported systems is 29838032Speternot as broad as the list of source-supported systems, since many of 29938032Speterthe source contributors do not include corresponding ostype files. 30038032Speter 30164562SgshapiroALIAS_FILE [/etc/mail/aliases] The location of the text version 30238032Speter of the alias file(s). It can be a comma-separated 30338032Speter list of names (but be sure you quote values with 30438032Speter commas in them -- for example, use 30538032Speter define(`ALIAS_FILE', `a,b') 30638032Speter to get "a" and "b" both listed as alias files; 30738032Speter otherwise the define() primitive only sees "a"). 30864562SgshapiroHELP_FILE [/etc/mail/helpfile] The name of the file 30938032Speter containing information printed in response to 31038032Speter the SMTP HELP command. 31138032SpeterQUEUE_DIR [/var/spool/mqueue] The directory containing 31264562Sgshapiro queue files. To use multiple queues, supply 31364562Sgshapiro a value ending with an asterisk. For 31473188Sgshapiro example, /var/spool/mqueue/qd* will use all of the 31564562Sgshapiro directories or symbolic links to directories 31673188Sgshapiro beginning with 'qd' in /var/spool/mqueue as queue 31764562Sgshapiro directories. The names 'qf', 'df', and 'xf' are 31873188Sgshapiro reserved as specific subdirectories for the 31973188Sgshapiro corresponding queue file types as explained in 32090792Sgshapiro doc/op/op.me. See also QUEUE GROUP DEFINITIONS. 32190792SgshapiroMSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing 32290792Sgshapiro queue files for the MSP (Mail Submission Program, 32390792Sgshapiro see sendmail/SECURITY). 32464562SgshapiroSTATUS_FILE [/etc/mail/statistics] The file containing status 32538032Speter information. 32638032SpeterLOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. 32764562SgshapiroLOCAL_MAILER_FLAGS [Prmn9] The flags used by the local mailer. The 32864562Sgshapiro flags lsDFMAw5:/|@q are always included. 32938032SpeterLOCAL_MAILER_ARGS [mail -d $u] The arguments passed to deliver local 33038032Speter mail. 33138032SpeterLOCAL_MAILER_MAX [undefined] If defined, the maximum size of local 33238032Speter mail that you are willing to accept. 33364562SgshapiroLOCAL_MAILER_MAXMSGS [undefined] If defined, the maximum number of 33464562Sgshapiro messages to deliver in a single connection. Only 33564562Sgshapiro useful for LMTP local mailers. 33638032SpeterLOCAL_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 33738032Speter that ARRIVE from an address that resolves to the 33838032Speter local mailer and which are converted to MIME will be 33938032Speter labeled with this character set. 34064562SgshapiroLOCAL_MAILER_EOL [undefined] If defined, the string to use as the 34164562Sgshapiro end of line for the local mailer. 34264562SgshapiroLOCAL_MAILER_DSN_DIAGNOSTIC_CODE 34364562Sgshapiro [X-Unix] The DSN Diagnostic-Code value for the 34464562Sgshapiro local mailer. This should be changed with care. 34538032SpeterLOCAL_SHELL_PATH [/bin/sh] The shell used to deliver piped email. 34638032SpeterLOCAL_SHELL_FLAGS [eu9] The flags used by the shell mailer. The 34738032Speter flags lsDFM are always included. 34838032SpeterLOCAL_SHELL_ARGS [sh -c $u] The arguments passed to deliver "prog" 34938032Speter mail. 35038032SpeterLOCAL_SHELL_DIR [$z:/] The directory search path in which the 35138032Speter shell should run. 35290792SgshapiroLOCAL_MAILER_QGRP [undefined] The queue group for the local mailer. 35338032SpeterUSENET_MAILER_PATH [/usr/lib/news/inews] The name of the program 35438032Speter used to submit news. 35564562SgshapiroUSENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer. 35638032SpeterUSENET_MAILER_ARGS [-m -h -n] The command line arguments for the 35790792Sgshapiro usenet mailer. NOTE: Some versions of inews 35890792Sgshapiro (such as those shipped with newer versions of INN) 35990792Sgshapiro use different flags. Double check the defaults 36090792Sgshapiro against the inews man page. 361102528SgshapiroUSENET_MAILER_MAX [undefined] The maximum size of messages that will 36238032Speter be accepted by the usenet mailer. 36390792SgshapiroUSENET_MAILER_QGRP [undefined] The queue group for the usenet mailer. 36438032SpeterSMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default 36564562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 36664562Sgshapiro "esmtp" mailer adds `a'; "smtp8" adds `8'; and 36764562Sgshapiro "dsmtp" adds `%'. 36864562SgshapiroRELAY_MAILER_FLAGS [undefined] Flags added to the relay mailer. Default 36964562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 37064562Sgshapiro relay mailer adds `a8'. If this is not defined, 37164562Sgshapiro then SMTP_MAILER_FLAGS is used. 37238032SpeterSMTP_MAILER_MAX [undefined] The maximum size of messages that will 37364562Sgshapiro be transported using the smtp, smtp8, esmtp, or dsmtp 37438032Speter mailers. 37564562SgshapiroSMTP_MAILER_MAXMSGS [undefined] If defined, the maximum number of 37664562Sgshapiro messages to deliver in a single connection for the 37764562Sgshapiro smtp, smtp8, esmtp, or dsmtp mailers. 37894334SgshapiroSMTP_MAILER_MAXRCPTS [undefined] If defined, the maximum number of 37994334Sgshapiro recipients to deliver in a single connection for the 38094334Sgshapiro smtp, smtp8, esmtp, or dsmtp mailers. 38166494SgshapiroSMTP_MAILER_ARGS [TCP $h] The arguments passed to the smtp mailer. 38238032Speter About the only reason you would want to change this 38338032Speter would be to change the default port. 38466494SgshapiroESMTP_MAILER_ARGS [TCP $h] The arguments passed to the esmtp mailer. 38566494SgshapiroSMTP8_MAILER_ARGS [TCP $h] The arguments passed to the smtp8 mailer. 38666494SgshapiroDSMTP_MAILER_ARGS [TCP $h] The arguments passed to the dsmtp mailer. 38766494SgshapiroRELAY_MAILER_ARGS [TCP $h] The arguments passed to the relay mailer. 38890792SgshapiroSMTP_MAILER_QGRP [undefined] The queue group for the smtp mailer. 38990792SgshapiroESMTP_MAILER_QGRP [undefined] The queue group for the esmtp mailer. 39090792SgshapiroSMTP8_MAILER_QGRP [undefined] The queue group for the smtp8 mailer. 39190792SgshapiroDSMTP_MAILER_QGRP [undefined] The queue group for the dsmtp mailer. 39290792SgshapiroRELAY_MAILER_QGRP [undefined] The queue group for the relay mailer. 39364562SgshapiroRELAY_MAILER_MAXMSGS [undefined] If defined, the maximum number of 39464562Sgshapiro messages to deliver in a single connection for the 39564562Sgshapiro relay mailer. 39638032SpeterSMTP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 39738032Speter that ARRIVE from an address that resolves to one of 39838032Speter the SMTP mailers and which are converted to MIME will 39938032Speter be labeled with this character set. 400168515SgshapiroSMTP_MAILER_LL [990] The maximum line length for SMTP mailers 401168515Sgshapiro (except the relay mailer). 402168515SgshapiroRELAY_MAILER_LL [2040] The maximum line length for the relay mailer. 40338032SpeterUUCP_MAILER_PATH [/usr/bin/uux] The program used to send UUCP mail. 40438032SpeterUUCP_MAILER_FLAGS [undefined] Flags added to UUCP mailer. Default 40538032Speter flags are `DFMhuU' (and `m' for uucp-new mailer, 40638032Speter minus `U' for uucp-dom mailer). 40738032SpeterUUCP_MAILER_ARGS [uux - -r -z -a$g -gC $h!rmail ($u)] The arguments 40838032Speter passed to the UUCP mailer. 40938032SpeterUUCP_MAILER_MAX [100000] The maximum size message accepted for 41038032Speter transmission by the UUCP mailers. 41138032SpeterUUCP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 41238032Speter that ARRIVE from an address that resolves to one of 41338032Speter the UUCP mailers and which are converted to MIME will 41438032Speter be labeled with this character set. 41590792SgshapiroUUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers. 41638032SpeterFAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to 41738032Speter submit FAX messages. 41838032SpeterFAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX 41938032Speter mailer. 42038032SpeterFAX_MAILER_MAX [100000] The maximum size message accepted for 42138032Speter transmission by FAX. 42238032SpeterPOP_MAILER_PATH [/usr/lib/mh/spop] The pathname of the POP mailer. 42364562SgshapiroPOP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq 42438032Speter are always added. 42538032SpeterPOP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer. 42690792SgshapiroPOP_MAILER_QGRP [undefined] The queue group for the pop mailer. 42738032SpeterPROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail 42843730Speter program. This is also used by 42943730Speter FEATURE(`local_procmail'). 43038032SpeterPROCMAIL_MAILER_FLAGS [SPhnu9] Flags added to Procmail mailer. Flags 43164562Sgshapiro DFM are always set. This is NOT used by 43243730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_FLAGS 43338032Speter instead. 43438032SpeterPROCMAIL_MAILER_ARGS [procmail -Y -m $h $f $u] The arguments passed to 43538032Speter the Procmail mailer. This is NOT used by 43643730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_ARGS 43738032Speter instead. 43838032SpeterPROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that 43938032Speter will be accepted by the procmail mailer. 44090792SgshapiroPROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer. 44138032SpeterMAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer. 44238032SpeterMAIL11_MAILER_FLAGS [nsFx] Flags for the mail11 mailer. 44338032SpeterMAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11 44438032Speter mailer. 44590792SgshapiroMAIL11_MAILER_QGRP [undefined] The queue group for the mail11 mailer. 44638032SpeterPH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery 44738032Speter program. 44864562SgshapiroPH_MAILER_FLAGS [ehmu] Flags for the phquery mailer. Flags nrDFM 44964562Sgshapiro are always set. 45038032SpeterPH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer. 45190792SgshapiroPH_MAILER_QGRP [undefined] The queue group for the ph mailer. 45264562SgshapiroCYRUS_MAILER_FLAGS [Ah5@/:|] The flags used by the cyrus mailer. The 45338032Speter flags lsDFMnPq are always included. 45438032SpeterCYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver 45538032Speter cyrus mail. 45638032SpeterCYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed 45738032Speter to deliver cyrus mail. 45838032SpeterCYRUS_MAILER_MAX [undefined] If set, the maximum size message that 45938032Speter will be accepted by the cyrus mailer. 46038032SpeterCYRUS_MAILER_USER [cyrus:mail] The user and group to become when 46138032Speter running the cyrus mailer. 46290792SgshapiroCYRUS_MAILER_QGRP [undefined] The queue group for the cyrus mailer. 46364562SgshapiroCYRUS_BB_MAILER_FLAGS [u] The flags used by the cyrusbb mailer. 46464562Sgshapiro The flags lsDFMnP are always included. 46538032SpeterCYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed 46638032Speter to deliver cyrusbb mail. 46798121SgshapiroCYRUSV2_MAILER_FLAGS [A@/:|m] The flags used by the cyrusv2 mailer. The 46898121Sgshapiro flags lsDFMnqXz are always included. 46998121SgshapiroCYRUSV2_MAILER_MAXMSGS [undefined] If defined, the maximum number of 47098121Sgshapiro messages to deliver in a single connection for the 47198121Sgshapiro cyrusv2 mailer. 47298121SgshapiroCYRUSV2_MAILER_MAXRCPTS [undefined] If defined, the maximum number of 47398121Sgshapiro recipients to deliver in a single connection for the 47498121Sgshapiro cyrusv2 mailer. 47598121SgshapiroCYRUSV2_MAILER_ARGS [FILE /var/imap/socket/lmtp] The arguments passed 47698121Sgshapiro to the cyrusv2 mailer. This can be used to 47798121Sgshapiro change the name of the Unix domain socket, or 47898121Sgshapiro to switch to delivery via TCP (e.g., `TCP $h lmtp') 47998121SgshapiroCYRUSV2_MAILER_QGRP [undefined] The queue group for the cyrusv2 mailer. 480110560SgshapiroCYRUSV2_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 481110560Sgshapiro that ARRIVE from an address that resolves to one the 482110560Sgshapiro Cyrus mailer and which are converted to MIME will 483110560Sgshapiro be labeled with this character set. 48438032SpeterconfEBINDIR [/usr/libexec] The directory for executables. 48543730Speter Currently used for FEATURE(`local_lmtp') and 48643730Speter FEATURE(`smrsh'). 48764562SgshapiroQPAGE_MAILER_FLAGS [mDFMs] The flags used by the qpage mailer. 48864562SgshapiroQPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver 48964562Sgshapiro qpage mail. 49064562SgshapiroQPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed 49164562Sgshapiro to deliver qpage mail. 49264562SgshapiroQPAGE_MAILER_MAX [4096] If set, the maximum size message that 49364562Sgshapiro will be accepted by the qpage mailer. 49490792SgshapiroQPAGE_MAILER_QGRP [undefined] The queue group for the qpage mailer. 49590792SgshapiroLOCAL_PROG_QGRP [undefined] The queue group for the prog mailer. 49638032Speter 49764562SgshapiroNote: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: 498157001SgshapiroMODIFY_MAILER_FLAGS(`Name', `change') where Name is the first part 499157001Sgshapiroof the macro Name_MAILER_FLAGS (note: that means Name is entirely in 500157001Sgshapiroupper case) and change can be: flags that should be used directly 501157001Sgshapiro(thus overriding the default value), or if it starts with `+' (`-') 502157001Sgshapirothen those flags are added to (removed from) the default value. 503157001SgshapiroExample: 50438032Speter 50564562Sgshapiro MODIFY_MAILER_FLAGS(`LOCAL', `+e') 50638032Speter 50790792Sgshapirowill add the flag `e' to LOCAL_MAILER_FLAGS. Notice: there are 50890792Sgshapiroseveral smtp mailers all of which are manipulated individually. 50990792SgshapiroSee the section MAILERS for the available mailer names. 51064562SgshapiroWARNING: The FEATUREs local_lmtp and local_procmail set LOCAL_MAILER_FLAGS 51164562Sgshapirounconditionally, i.e., without respecting any definitions in an 51264562SgshapiroOSTYPE setting. 51364562Sgshapiro 51464562Sgshapiro 51538032Speter+---------+ 51638032Speter| DOMAINS | 51738032Speter+---------+ 51838032Speter 51938032SpeterYou will probably want to collect domain-dependent defines into one 52064562Sgshapirofile, referenced by the DOMAIN macro. For example, the Berkeley 52138032Speterdomain file includes definitions for several internal distinguished 52238032Speterhosts: 52338032Speter 52438032SpeterUUCP_RELAY The host that will accept UUCP-addressed email. 52538032Speter If not defined, all UUCP sites must be directly 52638032Speter connected. 52738032SpeterBITNET_RELAY The host that will accept BITNET-addressed email. 52838032Speter If not defined, the .BITNET pseudo-domain won't work. 52938032SpeterDECNET_RELAY The host that will accept DECNET-addressed email. 53038032Speter If not defined, the .DECNET pseudo-domain and addresses 53138032Speter of the form node::user will not work. 53238032SpeterFAX_RELAY The host that will accept mail to the .FAX pseudo-domain. 53338032Speter The "fax" mailer overrides this value. 53471345SgshapiroLOCAL_RELAY The site that will handle unqualified names -- that 53582017Sgshapiro is, names without an @domain extension. 53671345Sgshapiro Normally MAIL_HUB is preferred for this function. 53771345Sgshapiro LOCAL_RELAY is mostly useful in conjunction with 53890792Sgshapiro FEATURE(`stickyhost') -- see the discussion of 53971345Sgshapiro stickyhost below. If not set, they are assumed to 54071345Sgshapiro belong on this machine. This allows you to have a 54171345Sgshapiro central site to store a company- or department-wide 54271345Sgshapiro alias database. This only works at small sites, 54371345Sgshapiro and only with some user agents. 54438032SpeterLUSER_RELAY The site that will handle lusers -- that is, apparently 54564562Sgshapiro local names that aren't local accounts or aliases. To 54664562Sgshapiro specify a local user instead of a site, set this to 54764562Sgshapiro ``local:username''. 54838032Speter 54938032SpeterAny of these can be either ``mailer:hostname'' (in which case the 55038032Spetermailer is the internal mailer name, such as ``uucp-new'' and the hostname 55138032Speteris the name of the host as appropriate for that mailer) or just a 55238032Speter``hostname'', in which case a default mailer type (usually ``relay'', 55338032Spetera variant on SMTP) is used. WARNING: if you have a wildcard MX 55438032Speterrecord matching your domain, you probably want to define these to 55538032Speterhave a trailing dot so that you won't get the mail diverted back 55638032Speterto yourself. 55738032Speter 55838032SpeterThe domain file can also be used to define a domain name, if needed 55938032Speter(using "DD<domain>") and set certain site-wide features. If all hosts 56038032Speterat your site masquerade behind one email name, you could also use 56138032SpeterMASQUERADE_AS here. 56238032Speter 56338032SpeterYou do not have to define a domain -- in particular, if you are a 56438032Spetersingle machine sitting off somewhere, it is probably more work than 56538032Speterit's worth. This is just a mechanism for combining "domain dependent 56638032Speterknowledge" into one place. 56738032Speter 56890792Sgshapiro 56938032Speter+---------+ 57038032Speter| MAILERS | 57138032Speter+---------+ 57238032Speter 57338032SpeterThere are fewer mailers supported in this version than the previous 57438032Speterversion, owing mostly to a simpler world. As a general rule, put the 57590792SgshapiroMAILER definitions last in your .mc file. 57638032Speter 57738032Speterlocal The local and prog mailers. You will almost always 57838032Speter need these; the only exception is if you relay ALL 57938032Speter your mail to another site. This mailer is included 58038032Speter automatically. 58138032Speter 58238032Spetersmtp The Simple Mail Transport Protocol mailer. This does 58338032Speter not hide hosts behind a gateway or another other 58438032Speter such hack; it assumes a world where everyone is 58538032Speter running the name server. This file actually defines 58664562Sgshapiro five mailers: "smtp" for regular (old-style) SMTP to 58738032Speter other servers, "esmtp" for extended SMTP to other 58838032Speter servers, "smtp8" to do SMTP to other servers without 58938032Speter converting 8-bit data to MIME (essentially, this is 59038032Speter your statement that you know the other end is 8-bit 59164562Sgshapiro clean even if it doesn't say so), "dsmtp" to do on 59264562Sgshapiro demand delivery, and "relay" for transmission to the 59364562Sgshapiro RELAY_HOST, LUSER_RELAY, or MAIL_HUB. 59438032Speter 59566494Sgshapirouucp The UNIX-to-UNIX Copy Program mailer. Actually, this 59638032Speter defines two mailers, "uucp-old" (a.k.a. "uucp") and 59738032Speter "uucp-new" (a.k.a. "suucp"). The latter is for when you 59838032Speter know that the UUCP mailer at the other end can handle 59938032Speter multiple recipients in one transfer. If the smtp mailer 60090792Sgshapiro is included in your configuration, two other mailers 60190792Sgshapiro ("uucp-dom" and "uucp-uudom") are also defined [warning: you 60290792Sgshapiro MUST specify MAILER(`smtp') before MAILER(`uucp')]. When you 60338032Speter include the uucp mailer, sendmail looks for all names in 60464562Sgshapiro class {U} and sends them to the uucp-old mailer; all 60564562Sgshapiro names in class {Y} are sent to uucp-new; and all 60664562Sgshapiro names in class {Z} are sent to uucp-uudom. Note that 60738032Speter this is a function of what version of rmail runs on 60838032Speter the receiving end, and hence may be out of your control. 60938032Speter See the section below describing UUCP mailers in more 61038032Speter detail. 61138032Speter 61238032Speterusenet Usenet (network news) delivery. If this is specified, 61338032Speter an extra rule is added to ruleset 0 that forwards all 61438032Speter local email for users named ``group.usenet'' to the 61538032Speter ``inews'' program. Note that this works for all groups, 61638032Speter and may be considered a security problem. 61738032Speter 61838032Speterfax Facsimile transmission. This is experimental and based 61938032Speter on Sam Leffler's HylaFAX software. For more information, 62071345Sgshapiro see http://www.hylafax.org/. 62138032Speter 62238032Speterpop Post Office Protocol. 62338032Speter 62438032Speterprocmail An interface to procmail (does not come with sendmail). 62538032Speter This is designed to be used in mailertables. For example, 62638032Speter a common question is "how do I forward all mail for a given 62738032Speter domain to a single person?". If you have this mailer 62838032Speter defined, you could set up a mailertable reading: 62938032Speter 63038032Speter host.com procmail:/etc/procmailrcs/host.com 63138032Speter 63238032Speter with the file /etc/procmailrcs/host.com reading: 63338032Speter 63438032Speter :0 # forward mail for host.com 63538032Speter ! -oi -f $1 person@other.host 63638032Speter 63738032Speter This would arrange for (anything)@host.com to be sent 638111823Sgshapiro to person@other.host. In a procmail script, $1 is the 639111823Sgshapiro name of the sender and $2 is the name of the recipient. 64043730Speter If you use this with FEATURE(`local_procmail'), the FEATURE 64138032Speter should be listed first. 64238032Speter 64390792Sgshapiro Of course there are other ways to solve this particular 64490792Sgshapiro problem, e.g., a catch-all entry in a virtusertable. 64590792Sgshapiro 64638032Spetermail11 The DECnet mail11 mailer, useful only if you have the mail11 64738032Speter program from gatekeeper.dec.com:/pub/DEC/gwtools (and 64838032Speter DECnet, of course). This is for Phase IV DECnet support; 64938032Speter if you have Phase V at your site you may have additional 65038032Speter problems. 65138032Speter 65238032Speterphquery The phquery program. This is somewhat counterintuitively 65338032Speter referenced as the "ph" mailer internally. It can be used 65438032Speter to do CCSO name server lookups. The phquery program, which 65538032Speter this mailer uses, is distributed with the ph client. 65638032Speter 65738032Spetercyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to 65838032Speter a local cyrus user. this mailer can make use of the 65990792Sgshapiro "user+detail@local.host" syntax (see 66090792Sgshapiro FEATURE(`preserve_local_plus_detail')); it will deliver the 66190792Sgshapiro mail to the user's "detail" mailbox if the mailbox's ACL 66290792Sgshapiro permits. The cyrusbb mailer delivers to a system-wide 66390792Sgshapiro cyrus mailbox if the mailbox's ACL permits. The cyrus 66490792Sgshapiro mailer must be defined after the local mailer. 66538032Speter 66698121Sgshapirocyrusv2 The mailer for Cyrus v2.x. The cyrusv2 mailer delivers to 66798121Sgshapiro local cyrus users via LMTP. This mailer can make use of the 66898121Sgshapiro "user+detail@local.host" syntax (see 66998121Sgshapiro FEATURE(`preserve_local_plus_detail')); it will deliver the 67098121Sgshapiro mail to the user's "detail" mailbox if the mailbox's ACL 67198121Sgshapiro permits. The cyrusv2 mailer must be defined after the 67298121Sgshapiro local mailer. 67398121Sgshapiro 67464562Sgshapiroqpage A mailer for QuickPage, a pager interface. See 67564562Sgshapiro http://www.qpage.org/ for further information. 67638032Speter 67738032SpeterThe local mailer accepts addresses of the form "user+detail", where 67838032Speterthe "+detail" is not used for mailbox matching but is available 67943730Speterto certain local mail programs (in particular, see 68043730SpeterFEATURE(`local_procmail')). For example, "eric", "eric+sendmail", and 68143730Speter"eric+sww" all indicate the same user, but additional arguments <null>, 68243730Speter"sendmail", and "sww" may be provided for use in sorting mail. 68338032Speter 68438032Speter 68538032Speter+----------+ 68638032Speter| FEATURES | 68738032Speter+----------+ 68838032Speter 68938032SpeterSpecial features can be requested using the "FEATURE" macro. For 69038032Speterexample, the .mc line: 69138032Speter 69243730Speter FEATURE(`use_cw_file') 69338032Speter 69464562Sgshapirotells sendmail that you want to have it read an /etc/mail/local-host-names 69590792Sgshapirofile to get values for class {w}. A FEATURE may contain up to 9 69664562Sgshapirooptional parameters -- for example: 69738032Speter 69843730Speter FEATURE(`mailertable', `dbm /usr/lib/mailertable') 69938032Speter 70038032SpeterThe default database map type for the table features can be set with 70164562Sgshapiro 70238032Speter define(`DATABASE_MAP_TYPE', `dbm') 70338032Speter 70438032Speterwhich would set it to use ndbm databases. The default is the Berkeley DB 70538032Speterhash database format. Note that you must still declare a database map type 70638032Speterif you specify an argument to a FEATURE. DATABASE_MAP_TYPE is only used 70764562Sgshapiroif no argument is given for the FEATURE. It must be specified before any 70864562Sgshapirofeature that uses a map. 70938032Speter 71090792SgshapiroAlso, features which can take a map definition as an argument can also take 71190792Sgshapirothe special keyword `LDAP'. If that keyword is used, the map will use the 71290792SgshapiroLDAP definition described in the ``USING LDAP FOR ALIASES, MAPS, AND 71390792SgshapiroCLASSES'' section below. 71490792Sgshapiro 71538032SpeterAvailable features are: 71638032Speter 71764562Sgshapirouse_cw_file Read the file /etc/mail/local-host-names file to get 71864562Sgshapiro alternate names for this host. This might be used if you 71964562Sgshapiro were on a host that MXed for a dynamic set of other hosts. 72064562Sgshapiro If the set is static, just including the line "Cw<name1> 72164562Sgshapiro <name2> ..." (where the names are fully qualified domain 72264562Sgshapiro names) is probably superior. The actual filename can be 72364562Sgshapiro overridden by redefining confCW_FILE. 72438032Speter 72564562Sgshapirouse_ct_file Read the file /etc/mail/trusted-users file to get the 72664562Sgshapiro names of users that will be ``trusted'', that is, able to 72764562Sgshapiro set their envelope from address using -f without generating 72864562Sgshapiro a warning message. The actual filename can be overridden 72964562Sgshapiro by redefining confCT_FILE. 73038032Speter 73138032Speterredirect Reject all mail addressed to "address.REDIRECT" with 73264562Sgshapiro a ``551 User has moved; please try <address>'' message. 73338032Speter If this is set, you can alias people who have left 73438032Speter to their new address with ".REDIRECT" appended. 73538032Speter 73664562Sgshapironouucp Don't route UUCP addresses. This feature takes one 73764562Sgshapiro parameter: 73864562Sgshapiro `reject': reject addresses which have "!" in the local 73964562Sgshapiro part unless it originates from a system 74064562Sgshapiro that is allowed to relay. 74164562Sgshapiro `nospecial': don't do anything special with "!". 74290792Sgshapiro Warnings: 1. See the notice in the anti-spam section. 74364562Sgshapiro 2. don't remove "!" from OperatorChars if `reject' is 74464562Sgshapiro given as parameter. 74538032Speter 74664562Sgshapironocanonify Don't pass addresses to $[ ... $] for canonification 74771345Sgshapiro by default, i.e., host/domain names are considered canonical, 74871345Sgshapiro except for unqualified names, which must not be used in this 74971345Sgshapiro mode (violation of the standard). It can be changed by 75071345Sgshapiro setting the DaemonPortOptions modifiers (M=). That is, 75164562Sgshapiro FEATURE(`nocanonify') will be overridden by setting the 75264562Sgshapiro 'c' flag. Conversely, if FEATURE(`nocanonify') is not used, 75364562Sgshapiro it can be emulated by setting the 'C' flag 75464562Sgshapiro (DaemonPortOptions=Modifiers=C). This would generally only 75564562Sgshapiro be used by sites that only act as mail gateways or which have 75664562Sgshapiro user agents that do full canonification themselves. You may 75764562Sgshapiro also want to use 75864562Sgshapiro "define(`confBIND_OPTS', `-DNSRCH -DEFNAMES')" to turn off 75964562Sgshapiro the usual resolver options that do a similar thing. 76038032Speter 76164562Sgshapiro An exception list for FEATURE(`nocanonify') can be 76264562Sgshapiro specified with CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE, 76364562Sgshapiro i.e., a list of domains which are nevertheless passed to 76464562Sgshapiro $[ ... $] for canonification. This is useful to turn on 76564562Sgshapiro canonification for local domains, e.g., use 76664562Sgshapiro CANONIFY_DOMAIN(`my.domain my') to canonify addresses 76764562Sgshapiro which end in "my.domain" or "my". 76864562Sgshapiro Another way to require canonification in the local 76964562Sgshapiro domain is CANONIFY_DOMAIN(`$=m'). 77064562Sgshapiro 77164562Sgshapiro A trailing dot is added to addresses with more than 77264562Sgshapiro one component in it such that other features which 77364562Sgshapiro expect a trailing dot (e.g., virtusertable) will 77464562Sgshapiro still work. 77564562Sgshapiro 77664562Sgshapiro If `canonify_hosts' is specified as parameter, i.e., 77764562Sgshapiro FEATURE(`nocanonify', `canonify_hosts'), then 77864562Sgshapiro addresses which have only a hostname, e.g., 77964562Sgshapiro <user@host>, will be canonified (and hopefully fully 78064562Sgshapiro qualified), too. 78164562Sgshapiro 78271345Sgshapirostickyhost This feature is sometimes used with LOCAL_RELAY, 78371345Sgshapiro although it can be used for a different effect with 78471345Sgshapiro MAIL_HUB. 78538032Speter 78673188Sgshapiro When used without MAIL_HUB, email sent to 78771345Sgshapiro "user@local.host" are marked as "sticky" -- that 78871345Sgshapiro is, the local addresses aren't matched against UDB, 78971345Sgshapiro don't go through ruleset 5, and are not forwarded to 79071345Sgshapiro the LOCAL_RELAY (if defined). 79171345Sgshapiro 79271345Sgshapiro With MAIL_HUB, mail addressed to "user@local.host" 79371345Sgshapiro is forwarded to the mail hub, with the envelope 79471345Sgshapiro address still remaining "user@local.host". 79571345Sgshapiro Without stickyhost, the envelope would be changed 79671345Sgshapiro to "user@mail_hub", in order to protect against 79771345Sgshapiro mailing loops. 79871345Sgshapiro 79938032Spetermailertable Include a "mailer table" which can be used to override 80064562Sgshapiro routing for particular domains (which are not in class {w}, 80164562Sgshapiro i.e. local host names). The argument of the FEATURE may be 80264562Sgshapiro the key definition. If none is specified, the definition 80364562Sgshapiro used is: 80443730Speter 80564562Sgshapiro hash /etc/mail/mailertable 80643730Speter 80738032Speter Keys in this database are fully qualified domain names 80838032Speter or partial domains preceded by a dot -- for example, 80964562Sgshapiro "vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU". As a 81064562Sgshapiro special case of the latter, "." matches any domain not 81164562Sgshapiro covered by other keys. Values must be of the form: 81238032Speter mailer:domain 81338032Speter where "mailer" is the internal mailer name, and "domain" 81438032Speter is where to send the message. These maps are not 81538032Speter reflected into the message header. As a special case, 81638032Speter the forms: 81738032Speter local:user 81838032Speter will forward to the indicated user using the local mailer, 81938032Speter local: 82038032Speter will forward to the original user in the e-mail address 82138032Speter using the local mailer, and 82238032Speter error:code message 82364562Sgshapiro error:D.S.N:code message 82464562Sgshapiro will give an error message with the indicated SMTP reply 82564562Sgshapiro code and message, where D.S.N is an RFC 1893 compliant 82664562Sgshapiro error code. 82738032Speter 82838032Speterdomaintable Include a "domain table" which can be used to provide 82938032Speter domain name mapping. Use of this should really be 83038032Speter limited to your own domains. It may be useful if you 83138032Speter change names (e.g., your company changes names from 83238032Speter oldname.com to newname.com). The argument of the 83338032Speter FEATURE may be the key definition. If none is specified, 83438032Speter the definition used is: 83543730Speter 83664562Sgshapiro hash /etc/mail/domaintable 83743730Speter 83838032Speter The key in this table is the domain name; the value is 83938032Speter the new (fully qualified) domain. Anything in the 84038032Speter domaintable is reflected into headers; that is, this 84138032Speter is done in ruleset 3. 84238032Speter 84338032Speterbitdomain Look up bitnet hosts in a table to try to turn them into 84438032Speter internet addresses. The table can be built using the 84538032Speter bitdomain program contributed by John Gardiner Myers. 84638032Speter The argument of the FEATURE may be the key definition; if 84738032Speter none is specified, the definition used is: 84843730Speter 84964562Sgshapiro hash /etc/mail/bitdomain 85043730Speter 85138032Speter Keys are the bitnet hostname; values are the corresponding 85238032Speter internet hostname. 85338032Speter 85438032Speteruucpdomain Similar feature for UUCP hosts. The default map definition 85538032Speter is: 85643730Speter 85764562Sgshapiro hash /etc/mail/uudomain 85843730Speter 85938032Speter At the moment there is no automagic tool to build this 86038032Speter database. 86138032Speter 86238032Speteralways_add_domain 86338032Speter Include the local host domain even on locally delivered 86438032Speter mail. Normally it is not added on unqualified names. 86538032Speter However, if you use a shared message store but do not use 86638032Speter the same user name space everywhere, you may need the host 86790792Sgshapiro name on local names. An optional argument specifies 86890792Sgshapiro another domain to be added than the local. 86938032Speter 87038032Speterallmasquerade If masquerading is enabled (using MASQUERADE_AS), this 87138032Speter feature will cause recipient addresses to also masquerade 87238032Speter as being from the masquerade host. Normally they get 87338032Speter the local hostname. Although this may be right for 87438032Speter ordinary users, it can break local aliases. For example, 87538032Speter if you send to "localalias", the originating sendmail will 87638032Speter find that alias and send to all members, but send the 87738032Speter message with "To: localalias@masqueradehost". Since that 87838032Speter alias likely does not exist, replies will fail. Use this 87938032Speter feature ONLY if you can guarantee that the ENTIRE 88038032Speter namespace on your masquerade host supersets all the 88138032Speter local entries. 88238032Speter 88338032Speterlimited_masquerade 88464562Sgshapiro Normally, any hosts listed in class {w} are masqueraded. If 88564562Sgshapiro this feature is given, only the hosts listed in class {M} (see 88664562Sgshapiro below: MASQUERADE_DOMAIN) are masqueraded. This is useful 88764562Sgshapiro if you have several domains with disjoint namespaces hosted 88864562Sgshapiro on the same machine. 88938032Speter 89038032Spetermasquerade_entire_domain 89164562Sgshapiro If masquerading is enabled (using MASQUERADE_AS) and 89238032Speter MASQUERADE_DOMAIN (see below) is set, this feature will 89338032Speter cause addresses to be rewritten such that the masquerading 89438032Speter domains are actually entire domains to be hidden. All 89538032Speter hosts within the masquerading domains will be rewritten 89638032Speter to the masquerade name (used in MASQUERADE_AS). For example, 89738032Speter if you have: 89838032Speter 89964562Sgshapiro MASQUERADE_AS(`masq.com') 90064562Sgshapiro MASQUERADE_DOMAIN(`foo.org') 90164562Sgshapiro MASQUERADE_DOMAIN(`bar.com') 90238032Speter 90338032Speter then *foo.org and *bar.com are converted to masq.com. Without 90438032Speter this feature, only foo.org and bar.com are masqueraded. 90538032Speter 90638032Speter NOTE: only domains within your jurisdiction and 90738032Speter current hierarchy should be masqueraded using this. 90838032Speter 90990792Sgshapirolocal_no_masquerade 91090792Sgshapiro This feature prevents the local mailer from masquerading even 91190792Sgshapiro if MASQUERADE_AS is used. MASQUERADE_AS will only have effect 91290792Sgshapiro on addresses of mail going outside the local domain. 91390792Sgshapiro 914110560Sgshapiromasquerade_envelope 915110560Sgshapiro If masquerading is enabled (using MASQUERADE_AS) or the 916110560Sgshapiro genericstable is in use, this feature will cause envelope 917110560Sgshapiro addresses to also masquerade as being from the masquerade 918110560Sgshapiro host. Normally only the header addresses are masqueraded. 919110560Sgshapiro 92064562Sgshapirogenericstable This feature will cause unqualified addresses (i.e., without 92164562Sgshapiro a domain) and addresses with a domain listed in class {G} 92264562Sgshapiro to be looked up in a map and turned into another ("generic") 92364562Sgshapiro form, which can change both the domain name and the user name. 92490792Sgshapiro Notice: if you use an MSP (as it is default starting with 92590792Sgshapiro 8.12), the MTA will only receive qualified addresses from the 92690792Sgshapiro MSP (as required by the RFCs). Hence you need to add your 92790792Sgshapiro domain to class {G}. This feature is similar to the userdb 92890792Sgshapiro functionality. The same types of addresses as for 92990792Sgshapiro masquerading are looked up, i.e., only header sender 93090792Sgshapiro addresses unless the allmasquerade and/or masquerade_envelope 93190792Sgshapiro features are given. Qualified addresses must have the domain 93290792Sgshapiro part in class {G}; entries can be added to this class by the 93390792Sgshapiro macros GENERICS_DOMAIN or GENERICS_DOMAIN_FILE (analogously 93490792Sgshapiro to MASQUERADE_DOMAIN and MASQUERADE_DOMAIN_FILE, see below). 93538032Speter 93643730Speter The argument of FEATURE(`genericstable') may be the map 93738032Speter definition; the default map definition is: 93838032Speter 93964562Sgshapiro hash /etc/mail/genericstable 94038032Speter 94164562Sgshapiro The key for this table is either the full address, the domain 94264562Sgshapiro (with a leading @; the localpart is passed as first argument) 94364562Sgshapiro or the unqualified username (tried in the order mentioned); 94464562Sgshapiro the value is the new user address. If the new user address 94564562Sgshapiro does not include a domain, it will be qualified in the standard 94664562Sgshapiro manner, i.e., using $j or the masquerade name. Note that the 94738032Speter address being looked up must be fully qualified. For local 94843730Speter mail, it is necessary to use FEATURE(`always_add_domain') 94943730Speter for the addresses to be qualified. 95064562Sgshapiro The "+detail" of an address is passed as %1, so entries like 95138032Speter 95264562Sgshapiro old+*@foo.org new+%1@example.com 95364562Sgshapiro gen+*@foo.org %1@example.com 95464562Sgshapiro 95564562Sgshapiro and other forms are possible. 95664562Sgshapiro 95764562Sgshapirogenerics_entire_domain 95864562Sgshapiro If the genericstable is enabled and GENERICS_DOMAIN or 95964562Sgshapiro GENERICS_DOMAIN_FILE is used, this feature will cause 96064562Sgshapiro addresses to be searched in the map if their domain 96164562Sgshapiro parts are subdomains of elements in class {G}. 96264562Sgshapiro 96338032Spetervirtusertable A domain-specific form of aliasing, allowing multiple 96438032Speter virtual domains to be hosted on one machine. For example, 965157001Sgshapiro if the virtuser table contains: 96638032Speter 96738032Speter info@foo.com foo-info 96838032Speter info@bar.com bar-info 96990792Sgshapiro joe@bar.com error:nouser 550 No such user here 97090792Sgshapiro jax@bar.com error:5.7.0:550 Address invalid 97164562Sgshapiro @baz.org jane@example.net 97238032Speter 97338032Speter then mail addressed to info@foo.com will be sent to the 97438032Speter address foo-info, mail addressed to info@bar.com will be 97564562Sgshapiro delivered to bar-info, and mail addressed to anyone at baz.org 97664562Sgshapiro will be sent to jane@example.net, mail to joe@bar.com will 97764562Sgshapiro be rejected with the specified error message, and mail to 97864562Sgshapiro jax@bar.com will also have a RFC 1893 compliant error code 97990792Sgshapiro 5.7.0. 98038032Speter 98164562Sgshapiro The username from the original address is passed 98264562Sgshapiro as %1 allowing: 98338032Speter 98464562Sgshapiro @foo.org %1@example.com 98538032Speter 98664562Sgshapiro meaning someone@foo.org will be sent to someone@example.com. 98764562Sgshapiro Additionally, if the local part consists of "user+detail" 98890792Sgshapiro then "detail" is passed as %2 and "+detail" is passed as %3 98990792Sgshapiro when a match against user+* is attempted, so entries like 99064562Sgshapiro 99164562Sgshapiro old+*@foo.org new+%2@example.com 99264562Sgshapiro gen+*@foo.org %2@example.com 99390792Sgshapiro +*@foo.org %1%3@example.com 99490792Sgshapiro X++@foo.org Z%3@example.com 99590792Sgshapiro @bar.org %1%3 99664562Sgshapiro 99764562Sgshapiro and other forms are possible. Note: to preserve "+detail" 99890792Sgshapiro for a default case (@domain) %1%3 must be used as RHS. 99990792Sgshapiro There are two wildcards after "+": "+" matches only a non-empty 100090792Sgshapiro detail, "*" matches also empty details, e.g., user+@foo.org 100190792Sgshapiro matches +*@foo.org but not ++@foo.org. This can be used 100290792Sgshapiro to ensure that the parameters %2 and %3 are not empty. 100364562Sgshapiro 100438032Speter All the host names on the left hand side (foo.com, bar.com, 100590792Sgshapiro and baz.org) must be in class {w} or class {VirtHost}. The 100664562Sgshapiro latter can be defined by the macros VIRTUSER_DOMAIN or 100764562Sgshapiro VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 100864562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or 100964562Sgshapiro VIRTUSER_DOMAIN_FILE is used, then the entries of class 101064562Sgshapiro {VirtHost} are added to class {R}, i.e., relaying is allowed 1011182352Sgshapiro to (and from) those domains, which by default includes also 1012182352Sgshapiro all subdomains (see relay_hosts_only). The default map 1013182352Sgshapiro definition is: 101438032Speter 101564562Sgshapiro hash /etc/mail/virtusertable 101638032Speter 101738032Speter A new definition can be specified as the second argument of 101838032Speter the FEATURE macro, such as 101938032Speter 102064562Sgshapiro FEATURE(`virtusertable', `dbm /etc/mail/virtusers') 102138032Speter 102264562Sgshapirovirtuser_entire_domain 102364562Sgshapiro If the virtusertable is enabled and VIRTUSER_DOMAIN or 102464562Sgshapiro VIRTUSER_DOMAIN_FILE is used, this feature will cause 102564562Sgshapiro addresses to be searched in the map if their domain 102664562Sgshapiro parts are subdomains of elements in class {VirtHost}. 102764562Sgshapiro 102864562Sgshapiroldap_routing Implement LDAP-based e-mail recipient routing according to 102964562Sgshapiro the Internet Draft draft-lachman-laser-ldap-mail-routing-01. 103064562Sgshapiro This provides a method to re-route addresses with a 103164562Sgshapiro domain portion in class {LDAPRoute} to either a 103264562Sgshapiro different mail host or a different address. Hosts can 103364562Sgshapiro be added to this class using LDAPROUTE_DOMAIN and 103464562Sgshapiro LDAPROUTE_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 103564562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 103664562Sgshapiro 103764562Sgshapiro See the LDAP ROUTING section below for more information. 103864562Sgshapiro 103964562Sgshapironullclient This is a special case -- it creates a configuration file 104064562Sgshapiro containing nothing but support for forwarding all mail to a 104164562Sgshapiro central hub via a local SMTP-based network. The argument 104264562Sgshapiro is the name of that hub. 104364562Sgshapiro 104438032Speter The only other feature that should be used in conjunction 104564562Sgshapiro with this one is FEATURE(`nocanonify'). No mailers 104638032Speter should be defined. No aliasing or forwarding is done. 104738032Speter 104838032Speterlocal_lmtp Use an LMTP capable local mailer. The argument to this 104938032Speter feature is the pathname of an LMTP capable mailer. By 105038032Speter default, mail.local is used. This is expected to be the 105138032Speter mail.local which came with the 8.9 distribution which is 105238032Speter LMTP capable. The path to mail.local is set by the 105338032Speter confEBINDIR m4 variable -- making the default 105438032Speter LOCAL_MAILER_PATH /usr/libexec/mail.local. 1055132943Sgshapiro If a different LMTP capable mailer is used, its pathname 1056132943Sgshapiro can be specified as second parameter and the arguments 1057132943Sgshapiro passed to it (A=) as third parameter, e.g., 1058132943Sgshapiro 1059132943Sgshapiro FEATURE(`local_lmtp', `/usr/local/bin/lmtp', `lmtp') 1060132943Sgshapiro 106164562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 106264562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 106338032Speter 106464562Sgshapirolocal_procmail Use procmail or another delivery agent as the local mailer. 106564562Sgshapiro The argument to this feature is the pathname of the 106664562Sgshapiro delivery agent, which defaults to PROCMAIL_MAILER_PATH. 106764562Sgshapiro Note that this does NOT use PROCMAIL_MAILER_FLAGS or 106864562Sgshapiro PROCMAIL_MAILER_ARGS for the local mailer; tweak 106964562Sgshapiro LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS instead, or 107064562Sgshapiro specify the appropriate parameters. When procmail is used, 107164562Sgshapiro the local mailer can make use of the 107264562Sgshapiro "user+indicator@local.host" syntax; normally the +indicator 107364562Sgshapiro is just tossed, but by default it is passed as the -a 107464562Sgshapiro argument to procmail. 107538032Speter 107664562Sgshapiro This feature can take up to three arguments: 107764562Sgshapiro 107864562Sgshapiro 1. Path to the mailer program 107964562Sgshapiro [default: /usr/local/bin/procmail] 108064562Sgshapiro 2. Argument vector including name of the program 108164562Sgshapiro [default: procmail -Y -a $h -d $u] 108264562Sgshapiro 3. Flags for the mailer [default: SPfhn9] 108364562Sgshapiro 108464562Sgshapiro Empty arguments cause the defaults to be taken. 1085110560Sgshapiro Note that if you are on a system with a broken 1086110560Sgshapiro setreuid() call, you may need to add -f $f to the procmail 1087110560Sgshapiro argument vector to pass the proper sender to procmail. 108864562Sgshapiro 108964562Sgshapiro For example, this allows it to use the maildrop 109064562Sgshapiro (http://www.flounder.net/~mrsam/maildrop/) mailer instead 109164562Sgshapiro by specifying: 109264562Sgshapiro 109364562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/maildrop', 109464562Sgshapiro `maildrop -d $u') 109564562Sgshapiro 109664562Sgshapiro or scanmails using: 109764562Sgshapiro 109864562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/scanmails') 109964562Sgshapiro 110064562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 110164562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 110264562Sgshapiro 110338032Speterbestmx_is_local Accept mail as though locally addressed for any host that 110438032Speter lists us as the best possible MX record. This generates 110538032Speter additional DNS traffic, but should be OK for low to 110638032Speter medium traffic hosts. The argument may be a set of 110738032Speter domains, which will limit the feature to only apply to 110838032Speter these domains -- this will reduce unnecessary DNS 110938032Speter traffic. THIS FEATURE IS FUNDAMENTALLY INCOMPATIBLE WITH 111038032Speter WILDCARD MX RECORDS!!! If you have a wildcard MX record 111138032Speter that matches your domain, you cannot use this feature. 111238032Speter 111338032Spetersmrsh Use the SendMail Restricted SHell (smrsh) provided 111438032Speter with the distribution instead of /bin/sh for mailing 111538032Speter to programs. This improves the ability of the local 111638032Speter system administrator to control what gets run via 111738032Speter e-mail. If an argument is provided it is used as the 111838032Speter pathname to smrsh; otherwise, the path defined by 111938032Speter confEBINDIR is used for the smrsh binary -- by default, 112038032Speter /usr/libexec/smrsh is assumed. 112138032Speter 112238032Speterpromiscuous_relay 112338032Speter By default, the sendmail configuration files do not permit 112438032Speter mail relaying (that is, accepting mail from outside your 112564562Sgshapiro local host (class {w}) and sending it to another host than 112664562Sgshapiro your local host). This option sets your site to allow 112764562Sgshapiro mail relaying from any site to any site. In almost all 112864562Sgshapiro cases, it is better to control relaying more carefully 112964562Sgshapiro with the access map, class {R}, or authentication. Domains 113064562Sgshapiro can be added to class {R} by the macros RELAY_DOMAIN or 113164562Sgshapiro RELAY_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 113264562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 113338032Speter 113438032Speterrelay_entire_domain 113598121Sgshapiro This option allows any host in your domain as defined by 113698121Sgshapiro class {m} to use your server for relaying. Notice: make 113798121Sgshapiro sure that your domain is not just a top level domain, 113898121Sgshapiro e.g., com. This can happen if you give your host a name 113998121Sgshapiro like example.com instead of host.example.com. 114038032Speter 114138032Speterrelay_hosts_only 114238032Speter By default, names that are listed as RELAY in the access 114398121Sgshapiro db and class {R} are treated as domain names, not host names. 114438032Speter For example, if you specify ``foo.com'', then mail to or 114538032Speter from foo.com, abc.foo.com, or a.very.deep.domain.foo.com 114638032Speter will all be accepted for relaying. This feature changes 1147244833Sgshapiro the behaviour to look up individual host names only. 114838032Speter 114938032Speterrelay_based_on_MX 115038032Speter Turns on the ability to allow relaying based on the MX 115142575Speter records of the host portion of an incoming recipient; that 115242575Speter is, if an MX record for host foo.com points to your site, 115342575Speter you will accept and relay mail addressed to foo.com. See 115438032Speter description below for more information before using this 115542575Speter feature. Also, see the KNOWNBUGS entry regarding bestmx 115642575Speter map lookups. 115738032Speter 115843730Speter FEATURE(`relay_based_on_MX') does not necessarily allow 115942575Speter routing of these messages which you expect to be allowed, 116042575Speter if route address syntax (or %-hack syntax) is used. If 116142575Speter this is a problem, add entries to the access-table or use 116243730Speter FEATURE(`loose_relay_check'). 116342575Speter 116464562Sgshapirorelay_mail_from 116564562Sgshapiro Allows relaying if the mail sender is listed as RELAY in 1166110560Sgshapiro the access map. If an optional argument `domain' (this 1167110560Sgshapiro is the literal word `domain', not a placeholder) is given, 116890792Sgshapiro relaying can be allowed just based on the domain portion 116990792Sgshapiro of the sender address. This feature should only be used if 117090792Sgshapiro absolutely necessary as the sender address can be easily 117198121Sgshapiro forged. Use of this feature requires the "From:" tag to 117298121Sgshapiro be used for the key in the access map; see the discussion 117390792Sgshapiro of tags and FEATURE(`relay_mail_from') in the section on 117490792Sgshapiro anti-spam configuration control. 117564562Sgshapiro 117638032Speterrelay_local_from 117738032Speter Allows relaying if the domain portion of the mail sender 117838032Speter is a local host. This should only be used if absolutely 117942575Speter necessary as it opens a window for spammers. Specifically, 118042575Speter they can send mail to your mail server that claims to be 118142575Speter from your domain (either directly or via a routed address), 118242575Speter and you will go ahead and relay it out to arbitrary hosts 118342575Speter on the Internet. 118464562Sgshapiro 118538032Speteraccept_unqualified_senders 118638032Speter Normally, MAIL FROM: commands in the SMTP session will be 118738032Speter refused if the connection is a network connection and the 118838032Speter sender address does not include a domain name. If your 1189157001Sgshapiro setup sends local mail unqualified (i.e., MAIL FROM:<joe>), 119038032Speter you will need to use this feature to accept unqualified 119164562Sgshapiro sender addresses. Setting the DaemonPortOptions modifier 119264562Sgshapiro 'u' overrides the default behavior, i.e., unqualified 119364562Sgshapiro addresses are accepted even without this FEATURE. 119464562Sgshapiro If this FEATURE is not used, the DaemonPortOptions modifier 119564562Sgshapiro 'f' can be used to enforce fully qualified addresses. 119664562Sgshapiro 119738032Speteraccept_unresolvable_domains 119838032Speter Normally, MAIL FROM: commands in the SMTP session will be 119964562Sgshapiro refused if the host part of the argument to MAIL FROM: 120064562Sgshapiro cannot be located in the host name service (e.g., an A or 120164562Sgshapiro MX record in DNS). If you are inside a firewall that has 120264562Sgshapiro only a limited view of the Internet host name space, this 120364562Sgshapiro could cause problems. In this case you probably want to 120464562Sgshapiro use this feature to accept all domains on input, even if 120564562Sgshapiro they are unresolvable. 120638032Speter 120738032Speteraccess_db Turns on the access database feature. The access db gives 120838032Speter you the ability to allow or refuse to accept mail from 120990792Sgshapiro specified domains for administrative reasons. Moreover, 121090792Sgshapiro it can control the behavior of sendmail in various situations. 121190792Sgshapiro By default, the access database specification is: 121238032Speter 121390792Sgshapiro hash -T<TMPF> /etc/mail/access 121443730Speter 121590792Sgshapiro See the anti-spam configuration control section for further 121690792Sgshapiro important information about this feature. Notice: 121790792Sgshapiro "-T<TMPF>" is meant literal, do not replace it by anything. 121843730Speter 121938032Speterblacklist_recipients 122038032Speter Turns on the ability to block incoming mail for certain 122138032Speter recipient usernames, hostnames, or addresses. For 122238032Speter example, you can block incoming mail to user nobody, 122338032Speter host foo.mydomain.com, or guest@bar.mydomain.com. 122438032Speter These specifications are put in the access db as 122564562Sgshapiro described in the anti-spam configuration control section 122664562Sgshapiro later in this document. 122738032Speter 122871345Sgshapirodelay_checks The rulesets check_mail and check_relay will not be called 122971345Sgshapiro when a client connects or issues a MAIL command, respectively. 123071345Sgshapiro Instead, those rulesets will be called by the check_rcpt 123171345Sgshapiro ruleset; they will be skipped under certain circumstances. 123290792Sgshapiro See "Delay all checks" in the anti-spam configuration control 123390792Sgshapiro section. Note: this feature is incompatible to the versions 123490792Sgshapiro in 8.10 and 8.11. 123571345Sgshapiro 1236132943Sgshapirouse_client_ptr If this feature is enabled then check_relay will override 1237132943Sgshapiro its first argument with $&{client_ptr}. This is useful for 1238132943Sgshapiro rejections based on the unverified hostname of client, 1239132943Sgshapiro which turns on the same behavior as in earlier sendmail 1240132943Sgshapiro versions when delay_checks was not in use. See doc/op/op.* 1241132943Sgshapiro about check_relay, {client_name}, and {client_ptr}. 1242132943Sgshapiro 1243168515Sgshapirodnsbl Turns on rejection, discarding, or quarantining of hosts 1244168515Sgshapiro found in a DNS based list. The first argument is used as 1245168515Sgshapiro the domain in which blocked hosts are listed. A second 1246168515Sgshapiro argument can be used to change the default error message, 1247168515Sgshapiro or select one of the operations `discard' and `quarantine'. 1248168515Sgshapiro Without that second argument, the error message will be 1249168515Sgshapiro 125098841Sgshapiro Rejected: IP-ADDRESS listed at SERVER 1251168515Sgshapiro 125290792Sgshapiro where IP-ADDRESS and SERVER are replaced by the appropriate 125390792Sgshapiro information. By default, temporary lookup failures are 125490792Sgshapiro ignored. This behavior can be changed by specifying a 125590792Sgshapiro third argument, which must be either `t' or a full error 125690792Sgshapiro message. See the anti-spam configuration control section for 125790792Sgshapiro an example. The dnsbl feature can be included several times 125890792Sgshapiro to query different DNS based rejection lists. See also 125990792Sgshapiro enhdnsbl for an enhanced version. 126064562Sgshapiro 1261110560Sgshapiro Set the DNSBL_MAP mc option to change the default map 1262110560Sgshapiro definition from `host'. Set the DNSBL_MAP_OPT mc option 1263110560Sgshapiro to add additional options to the map specification used. 1264110560Sgshapiro 126598121Sgshapiro Some DNS based rejection lists cause failures if asked 126698121Sgshapiro for AAAA records. If your sendmail version is compiled 126798121Sgshapiro with IPv6 support (NETINET6) and you experience this 126898121Sgshapiro problem, add 126998121Sgshapiro 127098121Sgshapiro define(`DNSBL_MAP', `dns -R A') 127198121Sgshapiro 127298121Sgshapiro before the first use of this feature. Alternatively you 1273111823Sgshapiro can use enhdnsbl instead (see below). Moreover, this 1274111823Sgshapiro statement can be used to reduce the number of DNS retries, 1275111823Sgshapiro e.g., 127698121Sgshapiro 1277111823Sgshapiro define(`DNSBL_MAP', `dns -R A -r2') 1278111823Sgshapiro 1279111823Sgshapiro See below (EDNSBL_TO) for an explanation. 1280111823Sgshapiro 128190792Sgshapiroenhdnsbl Enhanced version of dnsbl (see above). Further arguments 128290792Sgshapiro (up to 5) can be used to specify specific return values 128390792Sgshapiro from lookups. Temporary lookup failures are ignored unless 128490792Sgshapiro a third argument is given, which must be either `t' or a full 128590792Sgshapiro error message. By default, any successful lookup will 128690792Sgshapiro generate an error. Otherwise the result of the lookup is 128790792Sgshapiro compared with the supplied argument(s), and only if a match 128890792Sgshapiro occurs an error is generated. For example, 128990792Sgshapiro 129090792Sgshapiro FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2.') 129190792Sgshapiro 129290792Sgshapiro will reject the e-mail if the lookup returns the value 129390792Sgshapiro ``127.0.0.2.'', or generate a 451 response if the lookup 129490792Sgshapiro temporarily failed. The arguments can contain metasymbols 129590792Sgshapiro as they are allowed in the LHS of rules. As the example 129690792Sgshapiro shows, the default values are also used if an empty argument, 129790792Sgshapiro i.e., `', is specified. This feature requires that sendmail 129890792Sgshapiro has been compiled with the flag DNSMAP (see sendmail/README). 129990792Sgshapiro 1300110560Sgshapiro Set the EDNSBL_TO mc option to change the DNS retry count 1301111823Sgshapiro from the default value of 5, this can be very useful when 1302111823Sgshapiro a DNS server is not responding, which in turn may cause 1303111823Sgshapiro clients to time out (an entry stating 1304110560Sgshapiro 1305111823Sgshapiro did not issue MAIL/EXPN/VRFY/ETRN 1306111823Sgshapiro 1307111823Sgshapiro will be logged). 1308111823Sgshapiro 1309132943Sgshapiroratecontrol Enable simple ruleset to do connection rate control 1310132943Sgshapiro checking. This requires entries in access_db of the form 1311132943Sgshapiro 1312132943Sgshapiro ClientRate:IP.ADD.RE.SS LIMIT 1313132943Sgshapiro 1314132943Sgshapiro The RHS specifies the maximum number of connections 1315132943Sgshapiro (an integer number) over the time interval defined 1316132943Sgshapiro by ConnectionRateWindowSize, where 0 means unlimited. 1317132943Sgshapiro 1318132943Sgshapiro Take the following example: 1319132943Sgshapiro 1320132943Sgshapiro ClientRate:10.1.2.3 4 1321132943Sgshapiro ClientRate:127.0.0.1 0 1322132943Sgshapiro ClientRate: 10 1323132943Sgshapiro 1324132943Sgshapiro 10.1.2.3 can only make up to 4 connections, the 1325132943Sgshapiro general limit it 10, and 127.0.0.1 can make an unlimited 1326132943Sgshapiro number of connections per ConnectionRateWindowSize. 1327132943Sgshapiro 1328132943Sgshapiro See also CONNECTION CONTROL. 1329132943Sgshapiro 1330132943Sgshapiroconncontrol Enable a simple check of the number of incoming SMTP 1331132943Sgshapiro connections. This requires entries in access_db of the 1332132943Sgshapiro form 1333132943Sgshapiro 1334132943Sgshapiro ClientConn:IP.ADD.RE.SS LIMIT 1335132943Sgshapiro 1336132943Sgshapiro The RHS specifies the maximum number of open connections 1337132943Sgshapiro (an integer number). 1338132943Sgshapiro 1339132943Sgshapiro Take the following example: 1340132943Sgshapiro 1341132943Sgshapiro ClientConn:10.1.2.3 4 1342132943Sgshapiro ClientConn:127.0.0.1 0 1343132943Sgshapiro ClientConn: 10 1344132943Sgshapiro 1345132943Sgshapiro 10.1.2.3 can only have up to 4 open connections, the 1346132943Sgshapiro general limit it 10, and 127.0.0.1 does not have any 1347132943Sgshapiro explicit limit. 1348132943Sgshapiro 1349132943Sgshapiro See also CONNECTION CONTROL. 1350132943Sgshapiro 1351132943Sgshapiromtamark Experimental support for "Marking Mail Transfer Agents in 1352132943Sgshapiro Reverse DNS with TXT RRs" (MTAMark), see 1353132943Sgshapiro draft-stumpf-dns-mtamark-01. Optional arguments are: 1354132943Sgshapiro 1355132943Sgshapiro 1. Error message, default: 1356132943Sgshapiro 1357132943Sgshapiro 550 Rejected: $&{client_addr} not listed as MTA 1358132943Sgshapiro 1359132943Sgshapiro 2. Temporary lookup failures are ignored unless a second 1360132943Sgshapiro argument is given, which must be either `t' or a full 1361132943Sgshapiro error message. 1362132943Sgshapiro 1363132943Sgshapiro 3. Lookup prefix, default: _perm._smtp._srv. This should 1364132943Sgshapiro not be changed unless the draft changes it. 1365132943Sgshapiro 1366132943Sgshapiro Example: 1367132943Sgshapiro 1368132943Sgshapiro FEATURE(`mtamark', `', `t') 1369132943Sgshapiro 137090792Sgshapirolookupdotdomain Look up also .domain in the access map. This allows to 137190792Sgshapiro match only subdomains. It does not work well with 137290792Sgshapiro FEATURE(`relay_hosts_only'), because most lookups for 137390792Sgshapiro subdomains are suppressed by the latter feature. 137490792Sgshapiro 137538032Speterloose_relay_check 137664562Sgshapiro Normally, if % addressing is used for a recipient, e.g. 137764562Sgshapiro user%site@othersite, and othersite is in class {R}, the 137838032Speter check_rcpt ruleset will strip @othersite and recheck 137938032Speter user@site for relaying. This feature changes that 138038032Speter behavior. It should not be needed for most installations. 138138032Speter 138290792Sgshapiroauthinfo Provide a separate map for client side authentication 138390792Sgshapiro information. See SMTP AUTHENTICATION for details. 138490792Sgshapiro By default, the authinfo database specification is: 138590792Sgshapiro 138690792Sgshapiro hash /etc/mail/authinfo 138790792Sgshapiro 138890792Sgshapiropreserve_luser_host 138990792Sgshapiro Preserve the name of the recipient host if LUSER_RELAY is 139090792Sgshapiro used. Without this option, the domain part of the 139190792Sgshapiro recipient address will be replaced by the host specified as 139290792Sgshapiro LUSER_RELAY. This feature only works if the hostname is 139390792Sgshapiro passed to the mailer (see mailer triple in op.me). Note 139490792Sgshapiro that in the default configuration the local mailer does not 139590792Sgshapiro receive the hostname, i.e., the mailer triple has an empty 139690792Sgshapiro hostname. 139790792Sgshapiro 139890792Sgshapiropreserve_local_plus_detail 139990792Sgshapiro Preserve the +detail portion of the address when passing 140090792Sgshapiro address to local delivery agent. Disables alias and 140190792Sgshapiro .forward +detail stripping (e.g., given user+detail, only 140290792Sgshapiro that address will be looked up in the alias file; user+* and 140390792Sgshapiro user will not be looked up). Only use if the local 140490792Sgshapiro delivery agent in use supports +detail addressing. 1405261194Sgshapiro Moreover, this will most likely not work if the 'w' flag 1406261194Sgshapiro for the local mailer is set as the entire local address 1407261194Sgshapiro including +detail is passed to the user lookup function. 140890792Sgshapiro 140990792Sgshapirocompat_check Enable ruleset check_compat to look up pairs of addresses 141090792Sgshapiro with the Compat: tag -- Compat:sender<@>recipient -- in the 141190792Sgshapiro access map. Valid values for the RHS include 141290792Sgshapiro DISCARD silently discard recipient 141390792Sgshapiro TEMP: return a temporary error 141490792Sgshapiro ERROR: return a permanent error 141590792Sgshapiro In the last two cases, a 4xy/5xy SMTP reply code should 141690792Sgshapiro follow the colon. 141790792Sgshapiro 141864562Sgshapirono_default_msa Don't generate the default MSA daemon, i.e., 141964562Sgshapiro DAEMON_OPTIONS(`Port=587,Name=MSA,M=E') 142064562Sgshapiro To define a MSA daemon with other parameters, use this 142164562Sgshapiro FEATURE and introduce new settings via DAEMON_OPTIONS(). 142238032Speter 142390792Sgshapiromsp Defines config file for Message Submission Program. 142494334Sgshapiro See sendmail/SECURITY for details and cf/cf/submit.mc how 142594334Sgshapiro to use it. An optional argument can be used to override 142694334Sgshapiro the default of `[localhost]' to use as host to send all 142794334Sgshapiro e-mails to. Note that MX records will be used if the 142894334Sgshapiro specified hostname is not in square brackets (e.g., 142994334Sgshapiro [hostname]). If `MSA' is specified as second argument then 143094334Sgshapiro port 587 is used to contact the server. Example: 143190792Sgshapiro 143290792Sgshapiro FEATURE(`msp', `', `MSA') 143390792Sgshapiro 143490792Sgshapiro Some more hints about possible changes can be found below 143590792Sgshapiro in the section MESSAGE SUBMISSION PROGRAM. 143690792Sgshapiro 1437110560Sgshapiro Note: Due to many problems, submit.mc uses 143898121Sgshapiro 143998121Sgshapiro FEATURE(`msp', `[127.0.0.1]') 144098121Sgshapiro 1441110560Sgshapiro by default. If you have a machine with IPv6 only, 1442110560Sgshapiro change it to 1443110560Sgshapiro 1444110560Sgshapiro FEATURE(`msp', `[IPv6:::1]') 1445110560Sgshapiro 1446110560Sgshapiro If you want to continue using '[localhost]', (the behavior 1447110560Sgshapiro up to 8.12.6), use 1448110560Sgshapiro 1449110560Sgshapiro FEATURE(`msp') 1450110560Sgshapiro 145190792Sgshapiroqueuegroup A simple example how to select a queue group based 145290792Sgshapiro on the full e-mail address or the domain of the 145390792Sgshapiro recipient. Selection is done via entries in the 145490792Sgshapiro access map using the tag QGRP:, for example: 145590792Sgshapiro 145690792Sgshapiro QGRP:example.com main 145790792Sgshapiro QGRP:friend@some.org others 145890792Sgshapiro QGRP:my.domain local 145990792Sgshapiro 146090792Sgshapiro where "main", "others", and "local" are names of 146190792Sgshapiro queue groups. If an argument is specified, it is used 146290792Sgshapiro as default queue group. 146390792Sgshapiro 146494334Sgshapiro Note: please read the warning in doc/op/op.me about 146594334Sgshapiro queue groups and possible queue manipulations. 146694334Sgshapiro 1467132943Sgshapirogreet_pause Adds the greet_pause ruleset which enables open proxy 1468132943Sgshapiro and SMTP slamming protection. The feature can take an 1469132943Sgshapiro argument specifying the milliseconds to wait: 1470132943Sgshapiro 1471132943Sgshapiro FEATURE(`greet_pause', `5000') dnl 5 seconds 1472132943Sgshapiro 1473132943Sgshapiro If FEATURE(`access_db') is enabled, an access database 1474132943Sgshapiro lookup with the GreetPause tag is done using client 1475132943Sgshapiro hostname, domain, IP address, or subnet to determine the 1476132943Sgshapiro pause time: 1477132943Sgshapiro 1478132943Sgshapiro GreetPause:my.domain 0 1479132943Sgshapiro GreetPause:example.com 5000 1480132943Sgshapiro GreetPause:10.1.2 2000 1481132943Sgshapiro GreetPause:127.0.0.1 0 1482132943Sgshapiro 1483132943Sgshapiro When using FEATURE(`access_db'), the optional 1484132943Sgshapiro FEATURE(`greet_pause') argument becomes the default if 1485132943Sgshapiro nothing is found in the access database. A ruleset called 1486132943Sgshapiro Local_greet_pause can be used for local modifications, e.g., 1487132943Sgshapiro 1488132943Sgshapiro LOCAL_RULESETS 1489132943Sgshapiro SLocal_greet_pause 1490132943Sgshapiro R$* $: $&{daemon_flags} 1491132943Sgshapiro R$* a $* $# 0 1492132943Sgshapiro 1493168515Sgshapiroblock_bad_helo Reject messages from SMTP clients which provide a HELO/EHLO 1494168515Sgshapiro argument which is either unqualified, or is one of our own 1495168515Sgshapiro names (i.e., the server name instead of the client name). 1496168515Sgshapiro This check is performed at RCPT stage and disabled for the 1497168515Sgshapiro following cases: 1498168515Sgshapiro - authenticated sessions, 1499168515Sgshapiro - connections from IP addresses in class $={R}. 1500168515Sgshapiro Currently access_db lookups can not be used to 1501168515Sgshapiro (selectively) disable this test, moreover, 1502168515Sgshapiro FEATURE(`delay_checks') 1503168515Sgshapiro is required. 1504168515Sgshapiro 1505168515Sgshapirorequire_rdns Reject mail from connecting SMTP clients without proper 1506168515Sgshapiro rDNS (reverse DNS), functional gethostbyaddr() resolution. 1507168515Sgshapiro Note: this feature will cause false positives, i.e., there 1508168515Sgshapiro are legitimate MTAs that do not have proper DNS entries. 1509168515Sgshapiro Rejecting mails from those MTAs is a local policy decision. 1510168515Sgshapiro 1511168515Sgshapiro The basic policy is to reject message with a 5xx error if 1512168515Sgshapiro the IP address fails to resolve. However, if this is a 1513168515Sgshapiro temporary failure, a 4xx temporary failure is returned. 1514168515Sgshapiro If the look-up succeeds, but returns an apparently forged 1515168515Sgshapiro value, this is treated as a temporary failure with a 4xx 1516168515Sgshapiro error code. 1517168515Sgshapiro 1518168515Sgshapiro EXCEPTIONS: 1519168515Sgshapiro 1520168515Sgshapiro Exceptions based on access entries are discussed below. 1521168515Sgshapiro Any IP address matched using $=R (the "relay-domains" file) 1522168515Sgshapiro is excepted from the rules. Since we have explicitly 1523168515Sgshapiro allowed relaying for this host, based on IP address, we 1524168515Sgshapiro ignore the rDNS failure. 1525168515Sgshapiro 1526168515Sgshapiro The philosophical assumption here is that most users do 1527168515Sgshapiro not control their rDNS. They should be able to send mail 1528168515Sgshapiro through their ISP, whether or not they have valid rDNS. 1529168515Sgshapiro The class $=R, roughly speaking, contains those IP addresses 1530168515Sgshapiro and address ranges for which we are the ISP, or are acting 1531168515Sgshapiro as if the ISP. 1532168515Sgshapiro 1533168515Sgshapiro If `delay_checks' is in effect (recommended), then any 1534168515Sgshapiro sender who has authenticated is also excepted from the 1535168515Sgshapiro restrictions. This happens because the rules produced by 1536168515Sgshapiro this FEATURE() will not be applied to authenticated senders 1537168515Sgshapiro (assuming `delay_checks'). 1538168515Sgshapiro 1539168515Sgshapiro ACCESS MAP ENTRIES: 1540168515Sgshapiro 1541168515Sgshapiro Entries such as 1542168515Sgshapiro Connect:1.2.3.4 OK 1543168515Sgshapiro Connect:1.2 RELAY 1544168515Sgshapiro will whitelist IP address 1.2.3.4, so that the rDNS 1545168515Sgshapiro blocking does apply to that IP address 1546168515Sgshapiro 1547168515Sgshapiro Entries such as 1548168515Sgshapiro Connect:1.2.3.4 REJECT 1549168515Sgshapiro will have the effect of forcing a temporary failure for 1550168515Sgshapiro that address to be treated as a permanent failure. 1551168515Sgshapiro 1552168515Sgshapirobadmx Reject envelope sender addresses (MAIL) whose domain part 1553168515Sgshapiro resolves to a "bad" MX record. By default these are 1554168515Sgshapiro MX records which resolve to A records that match the 1555168515Sgshapiro regular expression: 1556168515Sgshapiro 1557168515Sgshapiro ^(127\.|10\.|0\.0\.0\.0) 1558168515Sgshapiro 1559168515Sgshapiro This default regular expression can be overridden by 1560168515Sgshapiro specifying an argument, e.g., 1561168515Sgshapiro 1562168515Sgshapiro FEATURE(`badmx', `^127\.0\.0\.1') 1563168515Sgshapiro 1564168515Sgshapiro Note: this feature requires that the sendmail binary 1565168515Sgshapiro has been compiled with the options MAP_REGEX and 1566168515Sgshapiro DNSMAP. 1567168515Sgshapiro 156838032Speter+-------+ 156938032Speter| HACKS | 157038032Speter+-------+ 157138032Speter 157238032SpeterSome things just can't be called features. To make this clear, 157338032Speterthey go in the hack subdirectory and are referenced using the HACK 157438032Spetermacro. These will tend to be site-dependent. The release 157538032Speterincludes the Berkeley-dependent "cssubdomain" hack (that makes 157638032Spetersendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU; 157764562Sgshapirothis is intended as a short-term aid while moving hosts into 157838032Spetersubdomains. 157938032Speter 158038032Speter 158138032Speter+--------------------+ 158238032Speter| SITE CONFIGURATION | 158338032Speter+--------------------+ 158438032Speter 158538032Speter ***************************************************** 158638032Speter * This section is really obsolete, and is preserved * 158738032Speter * only for back compatibility. You should plan on * 158890792Sgshapiro * using mailertables for new installations. In * 158938032Speter * particular, it doesn't work for the newer forms * 159038032Speter * of UUCP mailers, such as uucp-uudom. * 159138032Speter ***************************************************** 159238032Speter 159338032SpeterComplex sites will need more local configuration information, such as 159438032Speterlists of UUCP hosts they speak with directly. This can get a bit more 159538032Spetertricky. For an example of a "complex" site, see cf/ucbvax.mc. 159638032Speter 159738032SpeterThe SITECONFIG macro allows you to indirectly reference site-dependent 159838032Speterconfiguration information stored in the siteconfig subdirectory. For 159938032Speterexample, the line 160038032Speter 160164562Sgshapiro SITECONFIG(`uucp.ucbvax', `ucbvax', `U') 160238032Speter 160338032Speterreads the file uucp.ucbvax for local connection information. The 160438032Spetersecond parameter is the local name (in this case just "ucbvax" since 160538032Speterit is locally connected, and hence a UUCP hostname). The third 160638032Speterparameter is the name of both a macro to store the local name (in 160764562Sgshapirothis case, {U}) and the name of the class (e.g., {U}) in which to store 160838032Speterthe host information read from the file. Another SITECONFIG line reads 160938032Speter 161064562Sgshapiro SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W') 161138032Speter 161238032SpeterThis says that the file uucp.ucbarpa contains the list of UUCP sites 161364562Sgshapiroconnected to ucbarpa.Berkeley.EDU. Class {W} will be used to 161438032Speterstore this list, and $W is defined to be ucbarpa.Berkeley.EDU, that 161538032Speteris, the name of the relay to which the hosts listed in uucp.ucbarpa 161664562Sgshapiroare connected. [The machine ucbarpa is gone now, but this 161764562Sgshapiroout-of-date configuration file has been left around to demonstrate 161864562Sgshapirohow you might do this.] 161938032Speter 162038032SpeterNote that the case of SITECONFIG with a third parameter of ``U'' is 162138032Speterspecial; the second parameter is assumed to be the UUCP name of the 162238032Speterlocal site, rather than the name of a remote site, and the UUCP name 162364562Sgshapirois entered into class {w} (the list of local hostnames) as $U.UUCP. 162438032Speter 162538032SpeterThe siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing 162638032Spetermore than a sequence of SITE macros describing connectivity. For 162738032Speterexample: 162838032Speter 162964562Sgshapiro SITE(`cnmat') 163064562Sgshapiro SITE(`sgi olympus') 163138032Speter 163238032SpeterThe second example demonstrates that you can use two names on the 163338032Spetersame line; these are usually aliases for the same host (or are at 163438032Speterleast in the same company). 163538032Speter 1636132943SgshapiroThe macro LOCAL_UUCP can be used to add rules into the generated 1637132943Sgshapirocf file at the place where MAILER(`uucp') inserts its rules. This 1638132943Sgshapiroshould only be used if really necessary. 163938032Speter 164038032Speter+--------------------+ 164138032Speter| USING UUCP MAILERS | 164238032Speter+--------------------+ 164338032Speter 164438032SpeterIt's hard to get UUCP mailers right because of the extremely ad hoc 164538032Speternature of UUCP addressing. These config files are really designed 164638032Speterfor domain-based addressing, even for UUCP sites. 164738032Speter 164838032SpeterThere are four UUCP mailers available. The choice of which one to 164938032Speteruse is partly a matter of local preferences and what is running at 165038032Speterthe other end of your UUCP connection. Unlike good protocols that 165138032Speterdefine what will go over the wire, UUCP uses the policy that you 165238032Spetershould do what is right for the other end; if they change, you have 165338032Speterto change. This makes it hard to do the right thing, and discourages 165438032Speterpeople from updating their software. In general, if you can avoid 165538032SpeterUUCP, please do. 165638032Speter 165738032SpeterThe major choice is whether to go for a domainized scheme or a 165838032Speternon-domainized scheme. This depends entirely on what the other 165938032Speterend will recognize. If at all possible, you should encourage the 166038032Speterother end to go to a domain-based system -- non-domainized addresses 166138032Speterdon't work entirely properly. 166238032Speter 166338032SpeterThe four mailers are: 166438032Speter 166538032Speter uucp-old (obsolete name: "uucp") 166638032Speter This is the oldest, the worst (but the closest to UUCP) way of 1667147078Sgshapiro sending messages across UUCP connections. It does bangify 166838032Speter everything and prepends $U (your UUCP name) to the sender's 166938032Speter address (which can already be a bang path itself). It can 167038032Speter only send to one address at a time, so it spends a lot of 167138032Speter time copying duplicates of messages. Avoid this if at all 167238032Speter possible. 167338032Speter 167438032Speter uucp-new (obsolete name: "suucp") 167538032Speter The same as above, except that it assumes that in one rmail 167638032Speter command you can specify several recipients. It still has a 167738032Speter lot of other problems. 167838032Speter 167938032Speter uucp-dom 168038032Speter This UUCP mailer keeps everything as domain addresses. 168138032Speter Basically, it uses the SMTP mailer rewriting rules. This mailer 168290792Sgshapiro is only included if MAILER(`smtp') is specified before 168390792Sgshapiro MAILER(`uucp'). 168438032Speter 168538032Speter Unfortunately, a lot of UUCP mailer transport agents require 168638032Speter bangified addresses in the envelope, although you can use 168738032Speter domain-based addresses in the message header. (The envelope 168838032Speter shows up as the From_ line on UNIX mail.) So.... 168938032Speter 169038032Speter uucp-uudom 169138032Speter This is a cross between uucp-new (for the envelope addresses) 169238032Speter and uucp-dom (for the header addresses). It bangifies the 169338032Speter envelope sender (From_ line in messages) without adding the 169438032Speter local hostname, unless there is no host name on the address 169538032Speter at all (e.g., "wolf") or the host component is a UUCP host name 169638032Speter instead of a domain name ("somehost!wolf" instead of 169764562Sgshapiro "some.dom.ain!wolf"). This is also included only if MAILER(`smtp') 169890792Sgshapiro is also specified earlier. 169938032Speter 170038032SpeterExamples: 170138032Speter 170264562SgshapiroOn host grasp.insa-lyon.fr (UUCP host name "grasp"), the following 170364562Sgshapirosummarizes the sender rewriting for various mailers. 170438032Speter 170566494SgshapiroMailer sender rewriting in the envelope 170638032Speter------ ------ ------------------------- 170738032Speteruucp-{old,new} wolf grasp!wolf 170838032Speteruucp-dom wolf wolf@grasp.insa-lyon.fr 170938032Speteruucp-uudom wolf grasp.insa-lyon.fr!wolf 171038032Speter 171138032Speteruucp-{old,new} wolf@fr.net grasp!fr.net!wolf 171238032Speteruucp-dom wolf@fr.net wolf@fr.net 171338032Speteruucp-uudom wolf@fr.net fr.net!wolf 171438032Speter 171538032Speteruucp-{old,new} somehost!wolf grasp!somehost!wolf 171638032Speteruucp-dom somehost!wolf somehost!wolf@grasp.insa-lyon.fr 171738032Speteruucp-uudom somehost!wolf grasp.insa-lyon.fr!somehost!wolf 171838032Speter 171938032SpeterIf you are using one of the domainized UUCP mailers, you really want 172038032Speterto convert all UUCP addresses to domain format -- otherwise, it will 172138032Speterdo it for you (and probably not the way you expected). For example, 172238032Speterif you have the address foo!bar!baz (and you are not sending to foo), 172338032Speterthe heuristics will add the @uucp.relay.name or @local.host.name to 172438032Speterthis address. However, if you map foo to foo.host.name first, it 172538032Speterwill not add the local hostname. You can do this using the uucpdomain 172638032Speterfeature. 172738032Speter 172838032Speter 172938032Speter+-------------------+ 173038032Speter| TWEAKING RULESETS | 173138032Speter+-------------------+ 173238032Speter 173338032SpeterFor more complex configurations, you can define special rules. 173438032SpeterThe macro LOCAL_RULE_3 introduces rules that are used in canonicalizing 173538032Speterthe names. Any modifications made here are reflected in the header. 173638032Speter 173738032SpeterA common use is to convert old UUCP addresses to SMTP addresses using 173838032Speterthe UUCPSMTP macro. For example: 173938032Speter 174038032Speter LOCAL_RULE_3 174164562Sgshapiro UUCPSMTP(`decvax', `decvax.dec.com') 174264562Sgshapiro UUCPSMTP(`research', `research.att.com') 174338032Speter 174438032Speterwill cause addresses of the form "decvax!user" and "research!user" 174538032Speterto be converted to "user@decvax.dec.com" and "user@research.att.com" 174638032Speterrespectively. 174738032Speter 174838032SpeterThis could also be used to look up hosts in a database map: 174938032Speter 175038032Speter LOCAL_RULE_3 175138032Speter R$* < @ $+ > $* $: $1 < @ $(hostmap $2 $) > $3 175238032Speter 175338032SpeterThis map would be defined in the LOCAL_CONFIG portion, as shown below. 175438032Speter 175538032SpeterSimilarly, LOCAL_RULE_0 can be used to introduce new parsing rules. 175638032SpeterFor example, new rules are needed to parse hostnames that you accept 175738032Spetervia MX records. For example, you might have: 175838032Speter 175938032Speter LOCAL_RULE_0 176038032Speter R$+ <@ host.dom.ain.> $#uucp $@ cnmat $: $1 < @ host.dom.ain.> 176138032Speter 176238032SpeterYou would use this if you had installed an MX record for cnmat.Berkeley.EDU 176338032Speterpointing at this host; this rule catches the message and forwards it on 176438032Speterusing UUCP. 176538032Speter 176638032SpeterYou can also tweak rulesets 1 and 2 using LOCAL_RULE_1 and LOCAL_RULE_2. 176738032SpeterThese rulesets are normally empty. 176838032Speter 176938032SpeterA similar macro is LOCAL_CONFIG. This introduces lines added after the 177064562Sgshapiroboilerplate option setting but before rulesets. Do not declare rulesets in 177164562Sgshapirothe LOCAL_CONFIG section. It can be used to declare local database maps or 177264562Sgshapirowhatever. For example: 177338032Speter 177438032Speter LOCAL_CONFIG 177564562Sgshapiro Khostmap hash /etc/mail/hostmap 177638032Speter Kyplocal nis -m hosts.byname 177738032Speter 177838032Speter 177938032Speter+---------------------------+ 178038032Speter| MASQUERADING AND RELAYING | 178138032Speter+---------------------------+ 178238032Speter 178338032SpeterYou can have your host masquerade as another using 178438032Speter 178564562Sgshapiro MASQUERADE_AS(`host.domain') 178638032Speter 178738032SpeterThis causes mail being sent to be labeled as coming from the 178838032Speterindicated host.domain, rather than $j. One normally masquerades as 178964562Sgshapiroone of one's own subdomains (for example, it's unlikely that 179064562SgshapiroBerkeley would choose to masquerade as an MIT site). This 179164562Sgshapirobehaviour is modified by a plethora of FEATUREs; in particular, see 179264562Sgshapiromasquerade_envelope, allmasquerade, limited_masquerade, and 179364562Sgshapiromasquerade_entire_domain. 179438032Speter 179538032SpeterThe masquerade name is not normally canonified, so it is important 179638032Speterthat it be your One True Name, that is, fully qualified and not a 179738032SpeterCNAME. However, if you use a CNAME, the receiving side may canonify 179838032Speterit for you, so don't think you can cheat CNAME mapping this way. 179938032Speter 180038032SpeterNormally the only addresses that are masqueraded are those that come 180164562Sgshapirofrom this host (that is, are either unqualified or in class {w}, the list 180264562Sgshapiroof local domain names). You can augment this list, which is realized 180364562Sgshapiroby class {M} using 180438032Speter 180564562Sgshapiro MASQUERADE_DOMAIN(`otherhost.domain') 180638032Speter 180738032SpeterThe effect of this is that although mail to user@otherhost.domain 180838032Speterwill not be delivered locally, any mail including any user@otherhost.domain 180938032Speterwill, when relayed, be rewritten to have the MASQUERADE_AS address. 181038032SpeterThis can be a space-separated list of names. 181138032Speter 181238032SpeterIf these names are in a file, you can use 181338032Speter 181464562Sgshapiro MASQUERADE_DOMAIN_FILE(`filename') 181538032Speter 181664562Sgshapiroto read the list of names from the indicated file (i.e., to add 181764562Sgshapiroelements to class {M}). 181838032Speter 181964562SgshapiroTo exempt hosts or subdomains from being masqueraded, you can use 182064562Sgshapiro 182164562Sgshapiro MASQUERADE_EXCEPTION(`host.domain') 182264562Sgshapiro 182364562SgshapiroThis can come handy if you want to masquerade a whole domain 182490792Sgshapiroexcept for one (or a few) host(s). If these names are in a file, 182590792Sgshapiroyou can use 182664562Sgshapiro 182790792Sgshapiro MASQUERADE_EXCEPTION_FILE(`filename') 182890792Sgshapiro 182938032SpeterNormally only header addresses are masqueraded. If you want to 183038032Spetermasquerade the envelope as well, use 183138032Speter 183243730Speter FEATURE(`masquerade_envelope') 183338032Speter 183438032SpeterThere are always users that need to be "exposed" -- that is, their 183538032Speterinternal site name should be displayed instead of the masquerade name. 183664562SgshapiroRoot is an example (which has been "exposed" by default prior to 8.10). 183764562SgshapiroYou can add users to this list using 183838032Speter 183964562Sgshapiro EXPOSED_USER(`usernames') 184038032Speter 184190792SgshapiroThis adds users to class {E}; you could also use 184238032Speter 184390792Sgshapiro EXPOSED_USER_FILE(`filename') 184438032Speter 184538032SpeterYou can also arrange to relay all unqualified names (that is, names 184638032Speterwithout @host) to a relay host. For example, if you have a central 184738032Speteremail server, you might relay to that host so that users don't have 184838032Speterto have .forward files or aliases. You can do this using 184938032Speter 185043730Speter define(`LOCAL_RELAY', `mailer:hostname') 185138032Speter 185238032SpeterThe ``mailer:'' can be omitted, in which case the mailer defaults to 185338032Speter"relay". There are some user names that you don't want relayed, perhaps 185438032Speterbecause of local aliases. A common example is root, which may be 185538032Speterlocally aliased. You can add entries to this list using 185638032Speter 185764562Sgshapiro LOCAL_USER(`usernames') 185838032Speter 185990792SgshapiroThis adds users to class {L}; you could also use 186038032Speter 186190792Sgshapiro LOCAL_USER_FILE(`filename') 186238032Speter 186338032SpeterIf you want all incoming mail sent to a centralized hub, as for a 186438032Spetershared /var/spool/mail scheme, use 186538032Speter 186643730Speter define(`MAIL_HUB', `mailer:hostname') 186738032Speter 186838032SpeterAgain, ``mailer:'' defaults to "relay". If you define both LOCAL_RELAY 186943730Speterand MAIL_HUB _AND_ you have FEATURE(`stickyhost'), unqualified names will 187038032Speterbe sent to the LOCAL_RELAY and other local names will be sent to MAIL_HUB. 187164562SgshapiroNote: there is a (long standing) bug which keeps this combination from 187264562Sgshapiroworking for addresses of the form user+detail. 187364562SgshapiroNames in class {L} will be delivered locally, so you MUST have aliases or 187438032Speter.forward files for them. 187538032Speter 187638032SpeterFor example, if you are on machine mastodon.CS.Berkeley.EDU and you have 187743730SpeterFEATURE(`stickyhost'), the following combinations of settings will have the 187838032Speterindicated effects: 187938032Speter 188038032Speteremail sent to.... eric eric@mastodon.CS.Berkeley.EDU 188138032Speter 188238032SpeterLOCAL_RELAY set to mail.CS.Berkeley.EDU (delivered locally) 188338032Spetermail.CS.Berkeley.EDU (no local aliasing) (aliasing done) 188438032Speter 188538032SpeterMAIL_HUB set to mammoth.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 188638032Spetermammoth.CS.Berkeley.EDU (aliasing done) (aliasing done) 188738032Speter 188838032SpeterBoth LOCAL_RELAY and mail.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 188938032SpeterMAIL_HUB set as above (no local aliasing) (aliasing done) 189038032Speter 189143730SpeterIf you do not have FEATURE(`stickyhost') set, then LOCAL_RELAY and 189238032SpeterMAIL_HUB act identically, with MAIL_HUB taking precedence. 189338032Speter 189438032SpeterIf you want all outgoing mail to go to a central relay site, define 189538032SpeterSMART_HOST as well. Briefly: 189638032Speter 189738032Speter LOCAL_RELAY applies to unqualified names (e.g., "eric"). 189838032Speter MAIL_HUB applies to names qualified with the name of the 189938032Speter local host (e.g., "eric@mastodon.CS.Berkeley.EDU"). 190064562Sgshapiro SMART_HOST applies to names qualified with other hosts or 190164562Sgshapiro bracketed addresses (e.g., "eric@mastodon.CS.Berkeley.EDU" 190264562Sgshapiro or "eric@[127.0.0.1]"). 190338032Speter 190438032SpeterHowever, beware that other relays (e.g., UUCP_RELAY, BITNET_RELAY, 190538032SpeterDECNET_RELAY, and FAX_RELAY) take precedence over SMART_HOST, so if you 190638032Speterreally want absolutely everything to go to a single central site you will 190738032Speterneed to unset all the other relays -- or better yet, find or build a 190838032Speterminimal config file that does this. 190938032Speter 191038032SpeterFor duplicate suppression to work properly, the host name is best 191138032Speterspecified with a terminal dot: 191238032Speter 191338032Speter define(`MAIL_HUB', `host.domain.') 191438032Speter note the trailing dot ---^ 191538032Speter 191638032Speter 191790792Sgshapiro+-------------------------------------------+ 191890792Sgshapiro| USING LDAP FOR ALIASES, MAPS, AND CLASSES | 191990792Sgshapiro+-------------------------------------------+ 192090792Sgshapiro 192190792SgshapiroLDAP can be used for aliases, maps, and classes by either specifying your 192290792Sgshapiroown LDAP map specification or using the built-in default LDAP map 192390792Sgshapirospecification. The built-in default specifications all provide lookups 192490792Sgshapirowhich match against either the machine's fully qualified hostname (${j}) or 192590792Sgshapiroa "cluster". The cluster allows you to share LDAP entries among a large 192690792Sgshapironumber of machines without having to enter each of the machine names into 192790792Sgshapiroeach LDAP entry. To set the LDAP cluster name to use for a particular 192890792Sgshapiromachine or set of machines, set the confLDAP_CLUSTER m4 variable to a 192990792Sgshapirounique name. For example: 193090792Sgshapiro 193190792Sgshapiro define(`confLDAP_CLUSTER', `Servers') 193290792Sgshapiro 193390792SgshapiroHere, the word `Servers' will be the cluster name. As an example, assume 193490792Sgshapirothat smtp.sendmail.org, etrn.sendmail.org, and mx.sendmail.org all belong 193590792Sgshapiroto the Servers cluster. 193690792Sgshapiro 193790792SgshapiroSome of the LDAP LDIF examples below show use of the Servers cluster. 193890792SgshapiroEvery entry must have either a sendmailMTAHost or sendmailMTACluster 193990792Sgshapiroattribute or it will be ignored. Be careful as mixing clusters and 194090792Sgshapiroindividual host records can have surprising results (see the CAUTION 194190792Sgshapirosections below). 194290792Sgshapiro 194390792SgshapiroSee the file cf/sendmail.schema for the actual LDAP schemas. Note that 194490792Sgshapirothis schema (and therefore the lookups and examples below) is experimental 194590792Sgshapiroat this point as it has had little public review. Therefore, it may change 1946157001Sgshapiroin future versions. Feedback via sendmail-YYYY@support.sendmail.org is 1947157001Sgshapiroencouraged (replace YYYY with the current year, e.g., 2005). 194890792Sgshapiro 194990792Sgshapiro------- 195090792SgshapiroAliases 195190792Sgshapiro------- 195290792Sgshapiro 195390792SgshapiroThe ALIAS_FILE (O AliasFile) option can be set to use LDAP for alias 195490792Sgshapirolookups. To use the default schema, simply use: 195590792Sgshapiro 195690792Sgshapiro define(`ALIAS_FILE', `ldap:') 195790792Sgshapiro 195890792SgshapiroBy doing so, you will use the default schema which expands to a map 195990792Sgshapirodeclared as follows: 196090792Sgshapiro 196190792Sgshapiro ldap -k (&(objectClass=sendmailMTAAliasObject) 196290792Sgshapiro (sendmailMTAAliasGrouping=aliases) 196390792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 196490792Sgshapiro (sendmailMTAHost=$j)) 196590792Sgshapiro (sendmailMTAKey=%0)) 1966132943Sgshapiro -v sendmailMTAAliasValue,sendmailMTAAliasSearch:FILTER:sendmailMTAAliasObject,sendmailMTAAliasURL:URL:sendmailMTAAliasObject 196790792Sgshapiro 1968132943Sgshapiro 196990792SgshapiroNOTE: The macros shown above ${sendmailMTACluster} and $j are not actually 197090792Sgshapiroused when the binary expands the `ldap:' token as the AliasFile option is 197190792Sgshapironot actually macro-expanded when read from the sendmail.cf file. 197290792Sgshapiro 197390792SgshapiroExample LDAP LDIF entries might be: 197490792Sgshapiro 197590792Sgshapiro dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org 197690792Sgshapiro objectClass: sendmailMTA 197790792Sgshapiro objectClass: sendmailMTAAlias 197890792Sgshapiro objectClass: sendmailMTAAliasObject 197990792Sgshapiro sendmailMTAAliasGrouping: aliases 198090792Sgshapiro sendmailMTAHost: etrn.sendmail.org 198190792Sgshapiro sendmailMTAKey: sendmail-list 198290792Sgshapiro sendmailMTAAliasValue: ca@example.org 198390792Sgshapiro sendmailMTAAliasValue: eric 198490792Sgshapiro sendmailMTAAliasValue: gshapiro@example.com 198590792Sgshapiro 198690792Sgshapiro dn: sendmailMTAKey=owner-sendmail-list, dc=sendmail, dc=org 198790792Sgshapiro objectClass: sendmailMTA 198890792Sgshapiro objectClass: sendmailMTAAlias 198990792Sgshapiro objectClass: sendmailMTAAliasObject 199090792Sgshapiro sendmailMTAAliasGrouping: aliases 199190792Sgshapiro sendmailMTAHost: etrn.sendmail.org 199290792Sgshapiro sendmailMTAKey: owner-sendmail-list 199390792Sgshapiro sendmailMTAAliasValue: eric 199490792Sgshapiro 199590792Sgshapiro dn: sendmailMTAKey=postmaster, dc=sendmail, dc=org 199690792Sgshapiro objectClass: sendmailMTA 199790792Sgshapiro objectClass: sendmailMTAAlias 199890792Sgshapiro objectClass: sendmailMTAAliasObject 199990792Sgshapiro sendmailMTAAliasGrouping: aliases 200090792Sgshapiro sendmailMTACluster: Servers 200190792Sgshapiro sendmailMTAKey: postmaster 200290792Sgshapiro sendmailMTAAliasValue: eric 200390792Sgshapiro 200490792SgshapiroHere, the aliases sendmail-list and owner-sendmail-list will be available 200590792Sgshapiroonly on etrn.sendmail.org but the postmaster alias will be available on 200690792Sgshapiroevery machine in the Servers cluster (including etrn.sendmail.org). 200790792Sgshapiro 200890792SgshapiroCAUTION: aliases are additive so that entries like these: 200990792Sgshapiro 201090792Sgshapiro dn: sendmailMTAKey=bob, dc=sendmail, dc=org 201190792Sgshapiro objectClass: sendmailMTA 201290792Sgshapiro objectClass: sendmailMTAAlias 201390792Sgshapiro objectClass: sendmailMTAAliasObject 201490792Sgshapiro sendmailMTAAliasGrouping: aliases 201590792Sgshapiro sendmailMTACluster: Servers 201690792Sgshapiro sendmailMTAKey: bob 201790792Sgshapiro sendmailMTAAliasValue: eric 201890792Sgshapiro 201994334Sgshapiro dn: sendmailMTAKey=bobetrn, dc=sendmail, dc=org 202090792Sgshapiro objectClass: sendmailMTA 202190792Sgshapiro objectClass: sendmailMTAAlias 202290792Sgshapiro objectClass: sendmailMTAAliasObject 202390792Sgshapiro sendmailMTAAliasGrouping: aliases 202490792Sgshapiro sendmailMTAHost: etrn.sendmail.org 202590792Sgshapiro sendmailMTAKey: bob 202690792Sgshapiro sendmailMTAAliasValue: gshapiro 202790792Sgshapiro 202890792Sgshapirowould mean that on all of the hosts in the cluster, mail to bob would go to 202990792Sgshapiroeric EXCEPT on etrn.sendmail.org in which case it would go to BOTH eric and 203090792Sgshapirogshapiro. 203190792Sgshapiro 203290792SgshapiroIf you prefer not to use the default LDAP schema for your aliases, you can 203390792Sgshapirospecify the map parameters when setting ALIAS_FILE. For example: 203490792Sgshapiro 203590792Sgshapiro define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember') 203690792Sgshapiro 203790792Sgshapiro---- 203890792SgshapiroMaps 203990792Sgshapiro---- 204090792Sgshapiro 204190792SgshapiroFEATURE()'s which take an optional map definition argument (e.g., access, 204290792Sgshapiromailertable, virtusertable, etc.) can instead take the special keyword 204390792Sgshapiro`LDAP', e.g.: 204490792Sgshapiro 204590792Sgshapiro FEATURE(`access_db', `LDAP') 204690792Sgshapiro FEATURE(`virtusertable', `LDAP') 204790792Sgshapiro 204890792SgshapiroWhen this keyword is given, that map will use LDAP lookups consisting of 204990792Sgshapirothe objectClass sendmailMTAClassObject, the attribute sendmailMTAMapName 205090792Sgshapirowith the map name, a search attribute of sendmailMTAKey, and the value 205190792Sgshapiroattribute sendmailMTAMapValue. 205290792Sgshapiro 205390792SgshapiroThe values for sendmailMTAMapName are: 205490792Sgshapiro 205590792Sgshapiro FEATURE() sendmailMTAMapName 205690792Sgshapiro --------- ------------------ 205790792Sgshapiro access_db access 205890792Sgshapiro authinfo authinfo 205990792Sgshapiro bitdomain bitdomain 206090792Sgshapiro domaintable domain 206190792Sgshapiro genericstable generics 206290792Sgshapiro mailertable mailer 206390792Sgshapiro uucpdomain uucpdomain 206490792Sgshapiro virtusertable virtuser 206590792Sgshapiro 206690792SgshapiroFor example, FEATURE(`mailertable', `LDAP') would use the map definition: 206790792Sgshapiro 206890792Sgshapiro Kmailertable ldap -k (&(objectClass=sendmailMTAMapObject) 206990792Sgshapiro (sendmailMTAMapName=mailer) 207090792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 207190792Sgshapiro (sendmailMTAHost=$j)) 207290792Sgshapiro (sendmailMTAKey=%0)) 2073132943Sgshapiro -1 -v sendmailMTAMapValue,sendmailMTAMapSearch:FILTER:sendmailMTAMapObject,sendmailMTAMapURL:URL:sendmailMTAMapObject 207490792Sgshapiro 207590792SgshapiroAn example LDAP LDIF entry using this map might be: 207690792Sgshapiro 207790792Sgshapiro dn: sendmailMTAMapName=mailer, dc=sendmail, dc=org 207890792Sgshapiro objectClass: sendmailMTA 207990792Sgshapiro objectClass: sendmailMTAMap 208090792Sgshapiro sendmailMTACluster: Servers 208190792Sgshapiro sendmailMTAMapName: mailer 208290792Sgshapiro 208390792Sgshapiro dn: sendmailMTAKey=example.com, sendmailMTAMapName=mailer, dc=sendmail, dc=org 208490792Sgshapiro objectClass: sendmailMTA 208590792Sgshapiro objectClass: sendmailMTAMap 208690792Sgshapiro objectClass: sendmailMTAMapObject 208790792Sgshapiro sendmailMTAMapName: mailer 208890792Sgshapiro sendmailMTACluster: Servers 208990792Sgshapiro sendmailMTAKey: example.com 209090792Sgshapiro sendmailMTAMapValue: relay:[smtp.example.com] 209190792Sgshapiro 209290792SgshapiroCAUTION: If your LDAP database contains the record above and *ALSO* a host 209390792Sgshapirospecific record such as: 209490792Sgshapiro 209590792Sgshapiro dn: sendmailMTAKey=example.com@etrn, sendmailMTAMapName=mailer, dc=sendmail, dc=org 209690792Sgshapiro objectClass: sendmailMTA 209790792Sgshapiro objectClass: sendmailMTAMap 209890792Sgshapiro objectClass: sendmailMTAMapObject 209990792Sgshapiro sendmailMTAMapName: mailer 210090792Sgshapiro sendmailMTAHost: etrn.sendmail.org 210190792Sgshapiro sendmailMTAKey: example.com 210290792Sgshapiro sendmailMTAMapValue: relay:[mx.example.com] 210390792Sgshapiro 210490792Sgshapirothen these entries will give unexpected results. When the lookup is done 210590792Sgshapiroon etrn.sendmail.org, the effect is that there is *NO* match at all as maps 210690792Sgshapirorequire a single match. Since the host etrn.sendmail.org is also in the 210790792SgshapiroServers cluster, LDAP would return two answers for the example.com map key 210890792Sgshapiroin which case sendmail would treat this as no match at all. 210990792Sgshapiro 211090792SgshapiroIf you prefer not to use the default LDAP schema for your maps, you can 211190792Sgshapirospecify the map parameters when using the FEATURE(). For example: 211290792Sgshapiro 211390792Sgshapiro FEATURE(`access_db', `ldap:-1 -k (&(objectClass=mapDatabase)(key=%0)) -v value') 211490792Sgshapiro 211590792Sgshapiro------- 211690792SgshapiroClasses 211790792Sgshapiro------- 211890792Sgshapiro 211990792SgshapiroNormally, classes can be filled via files or programs. As of 8.12, they 212090792Sgshapirocan also be filled via map lookups using a new syntax: 212190792Sgshapiro 212290792Sgshapiro F{ClassName}mapkey@mapclass:mapspec 212390792Sgshapiro 212490792Sgshapiromapkey is optional and if not provided the map key will be empty. This can 212590792Sgshapirobe used with LDAP to read classes from LDAP. Note that the lookup is only 212690792Sgshapirodone when sendmail is initially started. Use the special value `@LDAP' to 212790792Sgshapirouse the default LDAP schema. For example: 212890792Sgshapiro 212990792Sgshapiro RELAY_DOMAIN_FILE(`@LDAP') 213090792Sgshapiro 213190792Sgshapirowould put all of the attribute sendmailMTAClassValue values of LDAP records 213290792Sgshapirowith objectClass sendmailMTAClass and an attribute sendmailMTAClassName of 213390792Sgshapiro'R' into class $={R}. In other words, it is equivalent to the LDAP map 213490792Sgshapirospecification: 213590792Sgshapiro 213690792Sgshapiro F{R}@ldap:-k (&(objectClass=sendmailMTAClass) 213790792Sgshapiro (sendmailMTAClassName=R) 213890792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 213990792Sgshapiro (sendmailMTAHost=$j))) 2140132943Sgshapiro -v sendmailMTAClassValue,sendmailMTAClassSearch:FILTER:sendmailMTAClass,sendmailMTAClassURL:URL:sendmailMTAClass 214190792Sgshapiro 214290792SgshapiroNOTE: The macros shown above ${sendmailMTACluster} and $j are not actually 214390792Sgshapiroused when the binary expands the `@LDAP' token as class declarations are 214490792Sgshapironot actually macro-expanded when read from the sendmail.cf file. 214590792Sgshapiro 214690792SgshapiroThis can be used with class related commands such as RELAY_DOMAIN_FILE(), 214790792SgshapiroMASQUERADE_DOMAIN_FILE(), etc: 214890792Sgshapiro 214990792Sgshapiro Command sendmailMTAClassName 215090792Sgshapiro ------- -------------------- 215190792Sgshapiro CANONIFY_DOMAIN_FILE() Canonify 215290792Sgshapiro EXPOSED_USER_FILE() E 215390792Sgshapiro GENERICS_DOMAIN_FILE() G 215490792Sgshapiro LDAPROUTE_DOMAIN_FILE() LDAPRoute 215590792Sgshapiro LDAPROUTE_EQUIVALENT_FILE() LDAPRouteEquiv 215690792Sgshapiro LOCAL_USER_FILE() L 215790792Sgshapiro MASQUERADE_DOMAIN_FILE() M 215890792Sgshapiro MASQUERADE_EXCEPTION_FILE() N 215990792Sgshapiro RELAY_DOMAIN_FILE() R 216090792Sgshapiro VIRTUSER_DOMAIN_FILE() VirtHost 216190792Sgshapiro 216290792SgshapiroYou can also add your own as any 'F'ile class of the form: 216390792Sgshapiro 216490792Sgshapiro F{ClassName}@LDAP 216590792Sgshapiro ^^^^^^^^^ 216690792Sgshapirowill use "ClassName" for the sendmailMTAClassName. 216790792Sgshapiro 216890792SgshapiroAn example LDAP LDIF entry would look like: 216990792Sgshapiro 217090792Sgshapiro dn: sendmailMTAClassName=R, dc=sendmail, dc=org 217190792Sgshapiro objectClass: sendmailMTA 217290792Sgshapiro objectClass: sendmailMTAClass 217390792Sgshapiro sendmailMTACluster: Servers 217490792Sgshapiro sendmailMTAClassName: R 217590792Sgshapiro sendmailMTAClassValue: sendmail.org 217690792Sgshapiro sendmailMTAClassValue: example.com 217790792Sgshapiro sendmailMTAClassValue: 10.56.23 217890792Sgshapiro 217990792SgshapiroCAUTION: If your LDAP database contains the record above and *ALSO* a host 218090792Sgshapirospecific record such as: 218190792Sgshapiro 218290792Sgshapiro dn: sendmailMTAClassName=R@etrn.sendmail.org, dc=sendmail, dc=org 218390792Sgshapiro objectClass: sendmailMTA 218490792Sgshapiro objectClass: sendmailMTAClass 218590792Sgshapiro sendmailMTAHost: etrn.sendmail.org 218690792Sgshapiro sendmailMTAClassName: R 218790792Sgshapiro sendmailMTAClassValue: example.com 218890792Sgshapiro 218990792Sgshapirothe result will be similar to the aliases caution above. When the lookup 219090792Sgshapirois done on etrn.sendmail.org, $={R} would contain all of the entries (from 219190792Sgshapiroboth the cluster match and the host match). In other words, the effective 219290792Sgshapirois additive. 219390792Sgshapiro 219490792SgshapiroIf you prefer not to use the default LDAP schema for your classes, you can 219590792Sgshapirospecify the map parameters when using the class command. For example: 219690792Sgshapiro 219790792Sgshapiro VIRTUSER_DOMAIN_FILE(`@ldap:-k (&(objectClass=virtHosts)(host=*)) -v host') 219890792Sgshapiro 219990792SgshapiroRemember, macros can not be used in a class declaration as the binary does 220090792Sgshapironot expand them. 220190792Sgshapiro 220290792Sgshapiro 220364562Sgshapiro+--------------+ 220464562Sgshapiro| LDAP ROUTING | 220564562Sgshapiro+--------------+ 220664562Sgshapiro 220764562SgshapiroFEATURE(`ldap_routing') can be used to implement the IETF Internet Draft 220864562SgshapiroLDAP Schema for Intranet Mail Routing 220964562Sgshapiro(draft-lachman-laser-ldap-mail-routing-01). This feature enables 221064562SgshapiroLDAP-based rerouting of a particular address to either a different host 221164562Sgshapiroor a different address. The LDAP lookup is first attempted on the full 221264562Sgshapiroaddress (e.g., user@example.com) and then on the domain portion 221364562Sgshapiro(e.g., @example.com). Be sure to setup your domain for LDAP routing using 221464562SgshapiroLDAPROUTE_DOMAIN(), e.g.: 221564562Sgshapiro 221664562Sgshapiro LDAPROUTE_DOMAIN(`example.com') 221764562Sgshapiro 221890792SgshapiroAdditionally, you can specify equivalent domains for LDAP routing using 221990792SgshapiroLDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE(). 'Equivalent' 222090792Sgshapirohostnames are mapped to $M (the masqueraded hostname for the server) before 222190792Sgshapirothe LDAP query. For example, if the mail is addressed to 222290792Sgshapirouser@host1.example.com, normally the LDAP lookup would only be done for 222390792Sgshapiro'user@host1.example.com' and '@host1.example.com'. However, if 222490792SgshapiroLDAPROUTE_EQUIVALENT(`host1.example.com') is used, the lookups would also be 222590792Sgshapirodone on 'user@example.com' and '@example.com' after attempting the 222690792Sgshapirohost1.example.com lookups. 222790792Sgshapiro 222864562SgshapiroBy default, the feature will use the schemas as specified in the draft 222964562Sgshapiroand will not reject addresses not found by the LDAP lookup. However, 223064562Sgshapirothis behavior can be changed by giving additional arguments to the FEATURE() 223164562Sgshapirocommand: 223264562Sgshapiro 2233132943Sgshapiro FEATURE(`ldap_routing', <mailHost>, <mailRoutingAddress>, <bounce>, 2234132943Sgshapiro <detail>, <nodomain>, <tempfail>) 223564562Sgshapiro 2236244833Sgshapirowhere <mailHost> is a map definition describing how to look up an alternative 223764562Sgshapiromail host for a particular address; <mailRoutingAddress> is a map definition 2238244833Sgshapirodescribing how to look up an alternative address for a particular address; 223964562Sgshapirothe <bounce> argument, if present and not the word "passthru", dictates 224064562Sgshapirothat mail should be bounced if neither a mailHost nor mailRoutingAddress 2241132943Sgshapirois found, if set to "sendertoo", the sender will be rejected if not 2242132943Sgshapirofound in LDAP; and <detail> indicates what actions to take if the address 224390792Sgshapirocontains +detail information -- `strip' tries the lookup with the +detail 224490792Sgshapiroand if no matches are found, strips the +detail and tries the lookup again; 224590792Sgshapiro`preserve', does the same as `strip' but if a mailRoutingAddress match is 2246132943Sgshapirofound, the +detail information is copied to the new address; the <nodomain> 2247132943Sgshapiroargument, if present, will prevent the @domain lookup if the full 2248132943Sgshapiroaddress is not found in LDAP; the <tempfail> argument, if set to 2249132943Sgshapiro"tempfail", instructs the rules to give an SMTP 4XX temporary 2250132943Sgshapiroerror if the LDAP server gives the MTA a temporary failure, or if set to 2251132943Sgshapiro"queue" (the default), the MTA will locally queue the mail. 225264562Sgshapiro 225364562SgshapiroThe default <mailHost> map definition is: 225464562Sgshapiro 225594334Sgshapiro ldap -1 -T<TMPF> -v mailHost -k (&(objectClass=inetLocalMailRecipient) 225664562Sgshapiro (mailLocalAddress=%0)) 225764562Sgshapiro 225864562SgshapiroThe default <mailRoutingAddress> map definition is: 225964562Sgshapiro 226094334Sgshapiro ldap -1 -T<TMPF> -v mailRoutingAddress 226194334Sgshapiro -k (&(objectClass=inetLocalMailRecipient) 226294334Sgshapiro (mailLocalAddress=%0)) 226364562Sgshapiro 226464562SgshapiroNote that neither includes the LDAP server hostname (-h server) or base DN 226564562Sgshapiro(-b o=org,c=COUNTRY), both necessary for LDAP queries. It is presumed that 226664562Sgshapiroyour .mc file contains a setting for the confLDAP_DEFAULT_SPEC option with 226764562Sgshapirothese settings. If this is not the case, the map definitions should be 226894334Sgshapirochanged as described above. The "-T<TMPF>" is required in any user 226994334Sgshapirospecified map definition to catch temporary errors. 227064562Sgshapiro 227164562SgshapiroThe following possibilities exist as a result of an LDAP lookup on an 227264562Sgshapiroaddress: 227364562Sgshapiro 227464562Sgshapiro mailHost is mailRoutingAddress is Results in 227564562Sgshapiro ----------- --------------------- ---------- 227664562Sgshapiro set to a set mail delivered to 227764562Sgshapiro "local" host mailRoutingAddress 227864562Sgshapiro 227964562Sgshapiro set to a not set delivered to 228064562Sgshapiro "local" host original address 228164562Sgshapiro 228264562Sgshapiro set to a set mailRoutingAddress 228364562Sgshapiro remote host relayed to mailHost 228464562Sgshapiro 228564562Sgshapiro set to a not set original address 228664562Sgshapiro remote host relayed to mailHost 228764562Sgshapiro 228864562Sgshapiro not set set mail delivered to 228964562Sgshapiro mailRoutingAddress 229064562Sgshapiro 229164562Sgshapiro not set not set delivered to 229264562Sgshapiro original address *OR* 229364562Sgshapiro bounced as unknown user 229464562Sgshapiro 229590792SgshapiroThe term "local" host above means the host specified is in class {w}. If 229690792Sgshapirothe result would mean sending the mail to a different host, that host is 229790792Sgshapirolooked up in the mailertable before delivery. 229890792Sgshapiro 229964562SgshapiroNote that the last case depends on whether the third argument is given 230064562Sgshapiroto the FEATURE() command. The default is to deliver the message to the 230164562Sgshapirooriginal address. 230264562Sgshapiro 230364562SgshapiroThe LDAP entries should be set up with an objectClass of 230464562SgshapiroinetLocalMailRecipient and the address be listed in a mailLocalAddress 230564562Sgshapiroattribute. If present, there must be only one mailHost attribute and it 230664562Sgshapiromust contain a fully qualified host name as its value. Similarly, if 230764562Sgshapiropresent, there must be only one mailRoutingAddress attribute and it must 230890792Sgshapirocontain an RFC 822 compliant address. Some example LDAP records (in LDIF 230964562Sgshapiroformat): 231064562Sgshapiro 231164562Sgshapiro dn: uid=tom, o=example.com, c=US 231264562Sgshapiro objectClass: inetLocalMailRecipient 231364562Sgshapiro mailLocalAddress: tom@example.com 231464562Sgshapiro mailRoutingAddress: thomas@mailhost.example.com 231564562Sgshapiro 231664562SgshapiroThis would deliver mail for tom@example.com to thomas@mailhost.example.com. 231764562Sgshapiro 231864562Sgshapiro dn: uid=dick, o=example.com, c=US 231964562Sgshapiro objectClass: inetLocalMailRecipient 232064562Sgshapiro mailLocalAddress: dick@example.com 232164562Sgshapiro mailHost: eng.example.com 232264562Sgshapiro 232364562SgshapiroThis would relay mail for dick@example.com to the same address but redirect 232490792Sgshapirothe mail to MX records listed for the host eng.example.com (unless the 232590792Sgshapiromailertable overrides). 232664562Sgshapiro 232764562Sgshapiro dn: uid=harry, o=example.com, c=US 232864562Sgshapiro objectClass: inetLocalMailRecipient 232964562Sgshapiro mailLocalAddress: harry@example.com 233064562Sgshapiro mailHost: mktmail.example.com 233164562Sgshapiro mailRoutingAddress: harry@mkt.example.com 233264562Sgshapiro 233364562SgshapiroThis would relay mail for harry@example.com to the MX records listed for 233464562Sgshapirothe host mktmail.example.com using the new address harry@mkt.example.com 233564562Sgshapirowhen talking to that host. 233664562Sgshapiro 233764562Sgshapiro dn: uid=virtual.example.com, o=example.com, c=US 233864562Sgshapiro objectClass: inetLocalMailRecipient 233964562Sgshapiro mailLocalAddress: @virtual.example.com 234064562Sgshapiro mailHost: server.example.com 234164562Sgshapiro mailRoutingAddress: virtual@example.com 234264562Sgshapiro 234364562SgshapiroThis would send all mail destined for any username @virtual.example.com to 234464562Sgshapirothe machine server.example.com's MX servers and deliver to the address 234564562Sgshapirovirtual@example.com on that relay machine. 234664562Sgshapiro 234764562Sgshapiro 234838032Speter+---------------------------------+ 234938032Speter| ANTI-SPAM CONFIGURATION CONTROL | 235038032Speter+---------------------------------+ 235138032Speter 235238032SpeterThe primary anti-spam features available in sendmail are: 235338032Speter 235438032Speter* Relaying is denied by default. 235538032Speter* Better checking on sender information. 235638032Speter* Access database. 235738032Speter* Header checks. 235838032Speter 235964562SgshapiroRelaying (transmission of messages from a site outside your host (class 236064562Sgshapiro{w}) to another site except yours) is denied by default. Note that this 236164562Sgshapirochanged in sendmail 8.9; previous versions allowed relaying by default. 236264562SgshapiroIf you really want to revert to the old behaviour, you will need to use 236364562SgshapiroFEATURE(`promiscuous_relay'). You can allow certain domains to relay 236464562Sgshapirothrough your server by adding their domain name or IP address to class 236564562Sgshapiro{R} using RELAY_DOMAIN() and RELAY_DOMAIN_FILE() or via the access database 236690792Sgshapiro(described below). Note that IPv6 addresses must be prefaced with "IPv6:". 236790792SgshapiroThe file consists (like any other file based class) of entries listed on 236890792Sgshapiroseparate lines, e.g., 236938032Speter 237064562Sgshapiro sendmail.org 237164562Sgshapiro 128.32 237290792Sgshapiro IPv6:2002:c0a8:02c7 237390792Sgshapiro IPv6:2002:c0a8:51d2::23f4 237464562Sgshapiro host.mydomain.com 237590792Sgshapiro [UNIX:localhost] 237664562Sgshapiro 237790792SgshapiroNotice: the last entry allows relaying for connections via a UNIX 237890792Sgshapirosocket to the MTA/MSP. This might be necessary if your configuration 237990792Sgshapirodoesn't allow relaying by other means in that case, e.g., by having 238090792Sgshapirolocalhost.$m in class {R} (make sure $m is not just a top level 238190792Sgshapirodomain). 238290792Sgshapiro 238338032SpeterIf you use 238438032Speter 238543730Speter FEATURE(`relay_entire_domain') 238638032Speter 238764562Sgshapirothen any host in any of your local domains (that is, class {m}) 238842575Speterwill be relayed (that is, you will accept mail either to or from any 238942575Speterhost in your domain). 239038032Speter 239138032SpeterYou can also allow relaying based on the MX records of the host 239238032Speterportion of an incoming recipient address by using 239338032Speter 239443730Speter FEATURE(`relay_based_on_MX') 239538032Speter 239638032SpeterFor example, if your server receives a recipient of user@domain.com 239738032Speterand domain.com lists your server in its MX records, the mail will be 239890792Sgshapiroaccepted for relay to domain.com. This feature may cause problems 239990792Sgshapiroif MX lookups for the recipient domain are slow or time out. In that 240090792Sgshapirocase, mail will be temporarily rejected. It is usually better to 240190792Sgshapiromaintain a list of hosts/domains for which the server acts as relay. 240290792SgshapiroNote also that this feature will stop spammers from using your host 240390792Sgshapiroto relay spam but it will not stop outsiders from using your server 240490792Sgshapiroas a relay for their site (that is, they set up an MX record pointing 240590792Sgshapiroto your mail server, and you will relay mail addressed to them 240690792Sgshapirowithout any prior arrangement). Along the same lines, 240738032Speter 240843730Speter FEATURE(`relay_local_from') 240938032Speter 241038032Speterwill allow relaying if the sender specifies a return path (i.e. 2411157001SgshapiroMAIL FROM:<user@domain>) domain which is a local domain. This is a 241238032Speterdangerous feature as it will allow spammers to spam using your mail 241338032Speterserver by simply specifying a return address of user@your.domain.com. 241438032SpeterIt should not be used unless absolutely necessary. 241564562SgshapiroA slightly better solution is 241638032Speter 241764562Sgshapiro FEATURE(`relay_mail_from') 241864562Sgshapiro 241964562Sgshapirowhich allows relaying if the mail sender is listed as RELAY in the 2420110560Sgshapiroaccess map. If an optional argument `domain' (this is the literal 2421110560Sgshapiroword `domain', not a placeholder) is given, the domain portion of 2422110560Sgshapirothe mail sender is also checked to allowing relaying. This option 2423110560Sgshapiroonly works together with the tag From: for the LHS of the access 2424132943Sgshapiromap entries. This feature allows spammers to abuse your mail server 2425132943Sgshapiroby specifying a return address that you enabled in your access file. 2426132943SgshapiroThis may be harder to figure out for spammers, but it should not 2427132943Sgshapirobe used unless necessary. Instead use SMTP AUTH or STARTTLS to 2428132943Sgshapiroallow relaying for roaming users. 242964562Sgshapiro 243064562Sgshapiro 243190792SgshapiroIf source routing is used in the recipient address (e.g., 2432157001SgshapiroRCPT TO:<user%site.com@othersite.com>), sendmail will check 243338032Speteruser@site.com for relaying if othersite.com is an allowed relay host 243464562Sgshapiroin either class {R}, class {m} if FEATURE(`relay_entire_domain') is used, 243543730Speteror the access database if FEATURE(`access_db') is used. To prevent 243638032Speterthe address from being stripped down, use: 243738032Speter 243843730Speter FEATURE(`loose_relay_check') 243938032Speter 244038032SpeterIf you think you need to use this feature, you probably do not. This 244138032Spetershould only be used for sites which have no control over the addresses 244238032Speterthat they provide a gateway for. Use this FEATURE with caution as it 244338032Spetercan allow spammers to relay through your server if not setup properly. 244438032Speter 244564562SgshapiroNOTICE: It is possible to relay mail through a system which the anti-relay 244664562Sgshapirorules do not prevent: the case of a system that does use FEATURE(`nouucp', 244764562Sgshapiro`nospecial') (system A) and relays local messages to a mail hub (e.g., via 244864562SgshapiroLOCAL_RELAY or LUSER_RELAY) (system B). If system B doesn't use 244964562SgshapiroFEATURE(`nouucp') at all, addresses of the form 245064562Sgshapiro<example.net!user@local.host> would be relayed to <user@example.net>. 245164562SgshapiroSystem A doesn't recognize `!' as an address separator and therefore 245264562Sgshapiroforwards it to the mail hub which in turns relays it because it came from 245364562Sgshapiroa trusted local host. So if a mailserver allows UUCP (bang-format) 245464562Sgshapiroaddresses, all systems from which it allows relaying should do the same 245564562Sgshapiroor reject those addresses. 245664562Sgshapiro 245738032SpeterAs of 8.9, sendmail will refuse mail if the MAIL FROM: parameter has 245838032Speteran unresolvable domain (i.e., one that DNS, your local name service, 245990792Sgshapiroor special case rules in ruleset 3 cannot locate). This also applies 246090792Sgshapiroto addresses that use domain literals, e.g., <user@[1.2.3.4]>, if the 246190792SgshapiroIP address can't be mapped to a host name. If you want to continue 246290792Sgshapiroto accept such domains, e.g., because you are inside a firewall that 246390792Sgshapirohas only a limited view of the Internet host name space (note that you 246490792Sgshapirowill not be able to return mail to them unless you have some "smart 246590792Sgshapirohost" forwarder), use 246638032Speter 246743730Speter FEATURE(`accept_unresolvable_domains') 246838032Speter 246990792SgshapiroAlternatively, you can allow specific addresses by adding them to 247090792Sgshapirothe access map, e.g., 247190792Sgshapiro 247290792Sgshapiro From:unresolvable.domain OK 247390792Sgshapiro From:[1.2.3.4] OK 247490792Sgshapiro From:[1.2.4] OK 247590792Sgshapiro 247690792SgshapiroNotice: domains which are temporarily unresolvable are (temporarily) 247790792Sgshapirorejected with a 451 reply code. If those domains should be accepted 247890792Sgshapiro(which is discouraged) then you can use 247990792Sgshapiro 248090792Sgshapiro LOCAL_CONFIG 248190792Sgshapiro C{ResOk}TEMP 248290792Sgshapiro 248338032Spetersendmail will also refuse mail if the MAIL FROM: parameter is not 248438032Speterfully qualified (i.e., contains a domain as well as a user). If you 248538032Speterwant to continue to accept such senders, use 248638032Speter 248743730Speter FEATURE(`accept_unqualified_senders') 248838032Speter 248964562SgshapiroSetting the DaemonPortOptions modifier 'u' overrides the default behavior, 249064562Sgshapiroi.e., unqualified addresses are accepted even without this FEATURE. If 249164562Sgshapirothis FEATURE is not used, the DaemonPortOptions modifier 'f' can be used 249290792Sgshapiroto enforce fully qualified domain names. 249364562Sgshapiro 249438032SpeterAn ``access'' database can be created to accept or reject mail from 249538032Speterselected domains. For example, you may choose to reject all mail 249638032Speteroriginating from known spammers. To enable such a database, use 249738032Speter 249843730Speter FEATURE(`access_db') 249938032Speter 250090792SgshapiroNotice: the access database is applied to the envelope addresses 250190792Sgshapiroand the connection information, not to the header. 250290792Sgshapiro 250390792SgshapiroThe FEATURE macro can accept as second parameter the key file 250438032Speterdefinition for the database; for example 250538032Speter 250690792Sgshapiro FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access_map') 250738032Speter 250890792SgshapiroNotice: If a second argument is specified it must contain the option 2509168515Sgshapiro`-T<TMPF>' as shown above. The optional parameters may be 251090792Sgshapiro 2511168515Sgshapiro `skip' enables SKIP as value part (see below). 2512168515Sgshapiro `lookupdotdomain' another way to enable the feature of the 2513168515Sgshapiro same name (see above). 2514168515Sgshapiro `relaytofulladdress' enable entries of the form 2515168515Sgshapiro To:user@example.com RELAY 2516168515Sgshapiro to allow relaying to just a specific 2517168515Sgshapiro e-mail address instead of an entire domain. 2518168515Sgshapiro 251942575SpeterRemember, since /etc/mail/access is a database, after creating the text 252042575Speterfile as described below, you must use makemap to create the database 252142575Spetermap. For example: 252242575Speter 252343730Speter makemap hash /etc/mail/access < /etc/mail/access 252442575Speter 252538032SpeterThe table itself uses e-mail addresses, domain names, and network 252690792Sgshapironumbers as keys. Note that IPv6 addresses must be prefaced with "IPv6:". 252790792SgshapiroFor example, 252838032Speter 2529132943Sgshapiro From:spammer@aol.com REJECT 2530132943Sgshapiro From:cyberspammer.com REJECT 2531132943Sgshapiro Connect:cyberspammer.com REJECT 2532132943Sgshapiro Connect:TLD REJECT 2533132943Sgshapiro Connect:192.168.212 REJECT 2534132943Sgshapiro Connect:IPv6:2002:c0a8:02c7 RELAY 2535132943Sgshapiro Connect:IPv6:2002:c0a8:51d2::23f4 REJECT 253638032Speter 253738032Speterwould refuse mail from spammer@aol.com, any user from cyberspammer.com 253894334Sgshapiro(or any host within the cyberspammer.com domain), any host in the entire 253994334Sgshapirotop level domain TLD, 192.168.212.* network, and the IPv6 address 254094334Sgshapiro2002:c0a8:51d2::23f4. It would allow relay for the IPv6 network 254194334Sgshapiro2002:c0a8:02c7::/48. 254238032Speter 2543132943SgshapiroEntries in the access map should be tagged according to their type. 2544132943SgshapiroThree tags are available: 2545132943Sgshapiro 2546132943Sgshapiro Connect: connection information (${client_addr}, ${client_name}) 2547132943Sgshapiro From: envelope sender 2548132943Sgshapiro To: envelope recipient 2549132943Sgshapiro 2550132943SgshapiroNotice: untagged entries are deprecated. 2551132943Sgshapiro 2552132943SgshapiroIf the required item is looked up in a map, it will be tried first 2553132943Sgshapirowith the corresponding tag in front, then (as fallback to enable 2554132943Sgshapirobackward compatibility) without any tag, unless the specific feature 2555132943Sgshapirorequires a tag. For example, 2556132943Sgshapiro 2557132943Sgshapiro From:spammer@some.dom REJECT 2558132943Sgshapiro To:friend.domain RELAY 2559132943Sgshapiro Connect:friend.domain OK 2560132943Sgshapiro Connect:from.domain RELAY 2561132943Sgshapiro From:good@another.dom OK 2562132943Sgshapiro From:another.dom REJECT 2563132943Sgshapiro 2564132943SgshapiroThis would deny mails from spammer@some.dom but you could still 2565132943Sgshapirosend mail to that address even if FEATURE(`blacklist_recipients') 2566132943Sgshapirois enabled. Your system will allow relaying to friend.domain, but 2567132943Sgshapironot from it (unless enabled by other means). Connections from that 2568132943Sgshapirodomain will be allowed even if it ends up in one of the DNS based 2569132943Sgshapirorejection lists. Relaying is enabled from from.domain but not to 2570132943Sgshapiroit (since relaying is based on the connection information for 2571132943Sgshapirooutgoing relaying, the tag Connect: must be used; for incoming 2572132943Sgshapirorelaying, which is based on the recipient address, To: must be 2573132943Sgshapiroused). The last two entries allow mails from good@another.dom but 2574132943Sgshapiroreject mail from all other addresses with another.dom as domain 2575132943Sgshapiropart. 2576132943Sgshapiro 2577132943Sgshapiro 257838032SpeterThe value part of the map can contain: 257938032Speter 258090792Sgshapiro OK Accept mail even if other rules in the running 258190792Sgshapiro ruleset would reject it, for example, if the domain 258290792Sgshapiro name is unresolvable. "Accept" does not mean 258390792Sgshapiro "relay", but at most acceptance for local 258490792Sgshapiro recipients. That is, OK allows less than RELAY. 2585168515Sgshapiro RELAY Accept mail addressed to the indicated domain 2586168515Sgshapiro (or address if `relaytofulladdress' is set) or 258742575Speter received from the indicated domain for relaying 258842575Speter through your SMTP server. RELAY also serves as 258942575Speter an implicit OK for the other checks. 259042575Speter REJECT Reject the sender or recipient with a general 259138032Speter purpose message. 259242575Speter DISCARD Discard the message completely using the 259371345Sgshapiro $#discard mailer. If it is used in check_compat, 259471345Sgshapiro it affects only the designated recipient, not 259571345Sgshapiro the whole message as it does in all other cases. 259671345Sgshapiro This should only be used if really necessary. 259790792Sgshapiro SKIP This can only be used for host/domain names 259890792Sgshapiro and IP addresses/nets. It will abort the current 259990792Sgshapiro search for this entry without accepting or rejecting 260090792Sgshapiro it but causing the default action. 260166494Sgshapiro ### any text where ### is an RFC 821 compliant error code and 260266494Sgshapiro "any text" is a message to return for the command. 2603157001Sgshapiro The entire string should be quoted to avoid 2604157001Sgshapiro surprises: 2605157001Sgshapiro 2606157001Sgshapiro "### any text" 2607157001Sgshapiro 2608157001Sgshapiro Otherwise sendmail formats the text as email 2609157001Sgshapiro addresses, e.g., it may remove spaces. 2610132943Sgshapiro This type is deprecated, use one of the two 261190792Sgshapiro ERROR: entries below instead. 261264562Sgshapiro ERROR:### any text 261364562Sgshapiro as above, but useful to mark error messages as such. 2614157001Sgshapiro If quotes need to be used to avoid modifications 2615157001Sgshapiro (see above), they should be placed like this: 2616157001Sgshapiro 2617157001Sgshapiro ERROR:"### any text" 2618157001Sgshapiro 261964562Sgshapiro ERROR:D.S.N:### any text 262064562Sgshapiro where D.S.N is an RFC 1893 compliant error code 2621157001Sgshapiro and the rest as above. If quotes need to be used 2622157001Sgshapiro to avoid modifications, they should be placed 2623157001Sgshapiro like this: 2624157001Sgshapiro 2625157001Sgshapiro ERROR:D.S.N:"### any text" 2626157001Sgshapiro 2627132943Sgshapiro QUARANTINE:any text 2628132943Sgshapiro Quarantine the message using the given text as the 2629132943Sgshapiro quarantining reason. 263038032Speter 263138032SpeterFor example: 263238032Speter 2633132943Sgshapiro From:cyberspammer.com ERROR:"550 We don't accept mail from spammers" 2634132943Sgshapiro From:okay.cyberspammer.com OK 2635132943Sgshapiro Connect:sendmail.org RELAY 2636132943Sgshapiro To:sendmail.org RELAY 2637132943Sgshapiro Connect:128.32 RELAY 2638132943Sgshapiro Connect:128.32.2 SKIP 2639132943Sgshapiro Connect:IPv6:1:2:3:4:5:6:7 RELAY 2640132943Sgshapiro Connect:suspicious.example.com QUARANTINE:Mail from suspicious host 2641132943Sgshapiro Connect:[127.0.0.3] OK 2642132943Sgshapiro Connect:[IPv6:1:2:3:4:5:6:7:8] OK 264338032Speter 2644132943Sgshapirowould accept mail from okay.cyberspammer.com, but would reject mail 2645132943Sgshapirofrom all other hosts at cyberspammer.com with the indicated message. 2646132943SgshapiroIt would allow relaying mail from and to any hosts in the sendmail.org 2647132943Sgshapirodomain, and allow relaying from the IPv6 1:2:3:4:5:6:7:* network 2648132943Sgshapiroand from the 128.32.*.* network except for the 128.32.2.* network, 2649132943Sgshapirowhich shows how SKIP is useful to exempt subnets/subdomains. The 2650132943Sgshapirolast two entries are for checks against ${client_name} if the IP 2651132943Sgshapiroaddress doesn't resolve to a hostname (or is considered as "may be 2652132943Sgshapiroforged"). That is, using square brackets means these are host 2653132943Sgshapironames, not network numbers. 265438032Speter 265564562SgshapiroWarning: if you change the RFC 821 compliant error code from the default 265664562Sgshapirovalue of 550, then you should probably also change the RFC 1893 compliant 265764562Sgshapiroerror code to match it. For example, if you use 265864562Sgshapiro 2659132943Sgshapiro To:user@example.com ERROR:450 mailbox full 266064562Sgshapiro 266190792Sgshapirothe error returned would be "450 5.0.0 mailbox full" which is wrong. 266290792SgshapiroUse "ERROR:4.2.2:450 mailbox full" instead. 266364562Sgshapiro 266464562SgshapiroNote, UUCP users may need to add hostname.UUCP to the access database 266590792Sgshapiroor class {R}. 266664562Sgshapiro 266790792SgshapiroIf you also use: 266890792Sgshapiro 266943730Speter FEATURE(`relay_hosts_only') 267038032Speter 267138032Speterthen the above example will allow relaying for sendmail.org, but not 267238032Speterhosts within the sendmail.org domain. Note that this will also require 267364562Sgshapirohosts listed in class {R} to be fully qualified host names. 267438032Speter 267538032SpeterYou can also use the access database to block sender addresses based on 267638032Speterthe username portion of the address. For example: 267738032Speter 2678132943Sgshapiro From:FREE.STEALTH.MAILER@ ERROR:550 Spam not accepted 267938032Speter 268038032SpeterNote that you must include the @ after the username to signify that 268138032Speterthis database entry is for checking only the username portion of the 268238032Spetersender address. 268338032Speter 268438032SpeterIf you use: 268538032Speter 268643730Speter FEATURE(`blacklist_recipients') 268738032Speter 268838032Speterthen you can add entries to the map for local users, hosts in your 268938032Speterdomains, or addresses in your domain which should not receive mail: 269038032Speter 2691132943Sgshapiro To:badlocaluser@ ERROR:550 Mailbox disabled for badlocaluser 2692132943Sgshapiro To:host.my.TLD ERROR:550 That host does not accept mail 2693132943Sgshapiro To:user@other.my.TLD ERROR:550 Mailbox disabled for this recipient 269438032Speter 2695132943SgshapiroThis would prevent a recipient of badlocaluser in any of the local 2696132943Sgshapirodomains (class {w}), any user at host.my.TLD, and the single address 2697132943Sgshapirouser@other.my.TLD from receiving mail. Please note: a local username 2698132943Sgshapiromust be now tagged with an @ (this is consistent with the check of 2699132943Sgshapirothe sender address, and hence it is possible to distinguish between 2700132943Sgshapirohostnames and usernames). Enabling this feature will keep you from 2701132943Sgshapirosending mails to all addresses that have an error message or REJECT 2702132943Sgshapiroas value part in the access map. Taking the example from above: 270338032Speter 270442575Speter spammer@aol.com REJECT 270542575Speter cyberspammer.com REJECT 270642575Speter 270742575SpeterMail can't be sent to spammer@aol.com or anyone at cyberspammer.com. 2708132943SgshapiroThat's why tagged entries should be used. 270942575Speter 2710159609SgshapiroThere are several DNS based blacklists which can be found by 2711159609Sgshapiroquerying a search engine. These are databases of spammers 271290792Sgshapiromaintained in DNS. To use such a database, specify 271338032Speter 2714159609Sgshapiro FEATURE(`dnsbl', `dnsbl.example.com') 271538032Speter 2716159609SgshapiroThis will cause sendmail to reject mail from any site listed in the 2717168515SgshapiroDNS based blacklist. You must select a DNS based blacklist domain 2718159609Sgshapiroto check by specifying an argument to the FEATURE. The default 2719159609Sgshapiroerror message is 272038032Speter 272198841Sgshapiro Rejected: IP-ADDRESS listed at SERVER 272280785Sgshapiro 272390792Sgshapirowhere IP-ADDRESS and SERVER are replaced by the appropriate 272490792Sgshapiroinformation. A second argument can be used to specify a different 2725168515Sgshapirotext or action. For example, 272671345Sgshapiro 2727168515Sgshapiro FEATURE(`dnsbl', `dnsbl.example.com', `quarantine') 2728168515Sgshapiro 2729168515Sgshapirowould quarantine the message if the client IP address is listed 2730168515Sgshapiroat `dnsbl.example.com'. 2731168515Sgshapiro 2732168515SgshapiroBy default, temporary lookup failures are ignored 2733168515Sgshapiroand hence cause the connection not to be rejected by the DNS based 2734168515Sgshapirorejection list. This behavior can be changed by specifying a third 2735168515Sgshapiroargument, which must be either `t' or a full error message. For 2736168515Sgshapiroexample: 2737168515Sgshapiro 273890792Sgshapiro FEATURE(`dnsbl', `dnsbl.example.com', `', 273990792Sgshapiro `"451 Temporary lookup failure for " $&{client_addr} " in dnsbl.example.com"') 274071345Sgshapiro 274190792SgshapiroIf `t' is used, the error message is: 274290792Sgshapiro 274390792Sgshapiro 451 Temporary lookup failure of IP-ADDRESS at SERVER 274490792Sgshapiro 274590792Sgshapirowhere IP-ADDRESS and SERVER are replaced by the appropriate 274690792Sgshapiroinformation. 274790792Sgshapiro 274890792SgshapiroThis FEATURE can be included several times to query different 2749159609SgshapiroDNS based rejection lists. 275090792Sgshapiro 275190792SgshapiroNotice: to avoid checking your own local domains against those 275290792Sgshapiroblacklists, use the access_db feature and add: 275390792Sgshapiro 275490792Sgshapiro Connect:10.1 OK 275590792Sgshapiro Connect:127.0.0.1 RELAY 275690792Sgshapiro 275790792Sgshapiroto the access map, where 10.1 is your local network. You may 275890792Sgshapirowant to use "RELAY" instead of "OK" to allow also relaying 2759147078Sgshapiroinstead of just disabling the DNS lookups in the blacklists. 276090792Sgshapiro 276190792Sgshapiro 276238032SpeterThe features described above make use of the check_relay, check_mail, 2763110560Sgshapiroand check_rcpt rulesets. Note that check_relay checks the SMTP 2764110560Sgshapiroclient hostname and IP address when the connection is made to your 2765110560Sgshapiroserver. It does not check if a mail message is being relayed to 2766110560Sgshapiroanother server. That check is done in check_rcpt. If you wish to 2767110560Sgshapiroinclude your own checks, you can put your checks in the rulesets 2768110560SgshapiroLocal_check_relay, Local_check_mail, and Local_check_rcpt. For 2769110560Sgshapiroexample if you wanted to block senders with all numeric usernames 2770110560Sgshapiro(i.e. 2312343@bigisp.com), you would use Local_check_mail and the 2771110560Sgshapiroregex map: 277238032Speter 277364562Sgshapiro LOCAL_CONFIG 277464562Sgshapiro Kallnumbers regex -a@MATCH ^[0-9]+$ 277564562Sgshapiro 277664562Sgshapiro LOCAL_RULESETS 277764562Sgshapiro SLocal_check_mail 277864562Sgshapiro # check address against various regex checks 277938032Speter R$* $: $>Parse0 $>3 $1 278064562Sgshapiro R$+ < @ bigisp.com. > $* $: $(allnumbers $1 $) 278164562Sgshapiro R@MATCH $#error $: 553 Header Error 278238032Speter 278338032SpeterThese rules are called with the original arguments of the corresponding 278438032Spetercheck_* ruleset. If the local ruleset returns $#OK, no further checking 2785132943Sgshapirois done by the features described above and the mail is accepted. If 2786132943Sgshapirothe local ruleset resolves to a mailer (such as $#error or $#discard), 2787132943Sgshapirothe appropriate action is taken. Other results starting with $# are 2788132943Sgshapirointerpreted by sendmail and may lead to unspecified behavior. Note: do 2789132943SgshapiroNOT create a mailer with the name OK. Return values that do not start 2790132943Sgshapirowith $# are ignored, i.e., normal processing continues. 279138032Speter 279264562SgshapiroDelay all checks 279390792Sgshapiro---------------- 279464562Sgshapiro 279564562SgshapiroBy using FEATURE(`delay_checks') the rulesets check_mail and check_relay 279664562Sgshapirowill not be called when a client connects or issues a MAIL command, 279764562Sgshapirorespectively. Instead, those rulesets will be called by the check_rcpt 279864562Sgshapiroruleset; they will be skipped if a sender has been authenticated using 279964562Sgshapiroa "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH(). 280064562SgshapiroIf check_mail returns an error then the RCPT TO command will be rejected 280164562Sgshapirowith that error. If it returns some other result starting with $# then 280264562Sgshapirocheck_relay will be skipped. If the sender address (or a part of it) is 280364562Sgshapirolisted in the access map and it has a RHS of OK or RELAY, then check_relay 280464562Sgshapirowill be skipped. This has an interesting side effect: if your domain is 280564562Sgshapiromy.domain and you have 280664562Sgshapiro 280764562Sgshapiro my.domain RELAY 280864562Sgshapiro 2809125820Sgshapiroin the access map, then any e-mail with a sender address of 2810125820Sgshapiro<user@my.domain> will not be rejected by check_relay even though 2811125820Sgshapiroit would match the hostname or IP address. This allows spammers 281264562Sgshapiroto get around DNS based blacklist by faking the sender address. To 281364562Sgshapiroavoid this problem you have to use tagged entries: 281464562Sgshapiro 281564562Sgshapiro To:my.domain RELAY 281664562Sgshapiro Connect:my.domain RELAY 281764562Sgshapiro 281864562Sgshapiroif you need those entries at all (class {R} may take care of them). 281973188Sgshapiro 282064562SgshapiroFEATURE(`delay_checks') can take an optional argument: 282164562Sgshapiro 282264562Sgshapiro FEATURE(`delay_checks', `friend') 282364562Sgshapiro enables spamfriend test 282464562Sgshapiro FEATURE(`delay_checks', `hater') 282564562Sgshapiro enables spamhater test 282664562Sgshapiro 282794334SgshapiroIf such an argument is given, the recipient will be looked up in the 282894334Sgshapiroaccess map (using the tag Spam:). If the argument is `friend', then 282994334Sgshapirothe default behavior is to apply the other rulesets and make a SPAM 283094334Sgshapirofriend the exception. The rulesets check_mail and check_relay will be 283194334Sgshapiroskipped only if the recipient address is found and has RHS FRIEND. If 283294334Sgshapirothe argument is `hater', then the default behavior is to skip the rulesets 283394334Sgshapirocheck_mail and check_relay and make a SPAM hater the exception. The 283494334Sgshapiroother two rulesets will be applied only if the recipient address is 283594334Sgshapirofound and has RHS HATER. 283664562Sgshapiro 283764562SgshapiroThis allows for simple exceptions from the tests, e.g., by activating 283890792Sgshapirothe friend option and having 283964562Sgshapiro 284090792Sgshapiro Spam:abuse@ FRIEND 284164562Sgshapiro 2842110560Sgshapiroin the access map, mail to abuse@localdomain will get through (where 2843110560Sgshapiro"localdomain" is any domain in class {w}). It is also possible to 2844110560Sgshapirospecify a full address or an address with +detail: 284564562Sgshapiro 284690792Sgshapiro Spam:abuse@my.domain FRIEND 284790792Sgshapiro Spam:me+abuse@ FRIEND 284890792Sgshapiro Spam:spam.domain FRIEND 284964562Sgshapiro 285090792SgshapiroNote: The required tag has been changed in 8.12 from To: to Spam:. 285190792SgshapiroThis change is incompatible to previous versions. However, you can 285290792Sgshapiro(for now) simply add the new entries to the access map, the old 285390792Sgshapiroones will be ignored. As soon as you removed the old entries from 285490792Sgshapirothe access map, specify a third parameter (`n') to this feature and 285590792Sgshapirothe backward compatibility rules will not be in the generated .cf 285690792Sgshapirofile. 285764562Sgshapiro 285864562SgshapiroHeader Checks 285990792Sgshapiro------------- 286064562Sgshapiro 286138032SpeterYou can also reject mail on the basis of the contents of headers. 286238032SpeterThis is done by adding a ruleset call to the 'H' header definition command 286338032Speterin sendmail.cf. For example, this can be used to check the validity of 286438032Spetera Message-ID: header: 286538032Speter 2866110560Sgshapiro LOCAL_CONFIG 286738032Speter HMessage-Id: $>CheckMessageId 286838032Speter 2869110560Sgshapiro LOCAL_RULESETS 287038032Speter SCheckMessageId 287138032Speter R< $+ @ $+ > $@ OK 287238032Speter R$* $#error $: 553 Header Error 287338032Speter 287464562SgshapiroThe alternative format: 287538032Speter 287664562Sgshapiro HSubject: $>+CheckSubject 287742575Speter 287864562Sgshapirothat is, $>+ instead of $>, gives the full Subject: header including 287964562Sgshapirocomments to the ruleset (comments in parentheses () are stripped 288064562Sgshapiroby default). 288142575Speter 288264562SgshapiroA default ruleset for headers which don't have a specific ruleset 288364562Sgshapirodefined for them can be given by: 288442575Speter 288564562Sgshapiro H*: $>CheckHdr 288643730Speter 288790792SgshapiroNotice: 288890792Sgshapiro1. All rules act on tokens as explained in doc/op/op.{me,ps,txt}. 288973188SgshapiroThat may cause problems with simple header checks due to the 289090792Sgshapirotokenization. It might be simpler to use a regex map and apply it 289173188Sgshapiroto $&{currHeader}. 289290792Sgshapiro2. There are no default rulesets coming with this distribution of 2893157001Sgshapirosendmail. You can write your own, can search the WWW for examples, 2894157001Sgshapiroor take a look at cf/cf/knecht.mc. 2895157001Sgshapiro3. When using a default ruleset for headers, the name of the header 2896132943Sgshapirocurrently being checked can be found in the $&{hdr_name} macro. 289773188Sgshapiro 289864562SgshapiroAfter all of the headers are read, the check_eoh ruleset will be called for 289964562Sgshapiroany final header-related checks. The ruleset is called with the number of 290064562Sgshapiroheaders and the size of all of the headers in bytes separated by $|. One 290164562Sgshapiroexample usage is to reject messages which do not have a Message-Id: 290264562Sgshapiroheader. However, the Message-Id: header is *NOT* a required header and is 290364562Sgshapironot a guaranteed spam indicator. This ruleset is an example and should 290464562Sgshapiroprobably not be used in production. 290564562Sgshapiro 290664562Sgshapiro LOCAL_CONFIG 290764562Sgshapiro Kstorage macro 2908110560Sgshapiro HMessage-Id: $>CheckMessageId 290964562Sgshapiro 291064562Sgshapiro LOCAL_RULESETS 291164562Sgshapiro SCheckMessageId 291264562Sgshapiro # Record the presence of the header 291364562Sgshapiro R$* $: $(storage {MessageIdCheck} $@ OK $) $1 291464562Sgshapiro R< $+ @ $+ > $@ OK 291564562Sgshapiro R$* $#error $: 553 Header Error 291664562Sgshapiro 291764562Sgshapiro Scheck_eoh 291864562Sgshapiro # Check the macro 291964562Sgshapiro R$* $: < $&{MessageIdCheck} > 292064562Sgshapiro # Clear the macro for the next message 292164562Sgshapiro R$* $: $(storage {MessageIdCheck} $) $1 292264562Sgshapiro # Has a Message-Id: header 292364562Sgshapiro R< $+ > $@ OK 292464562Sgshapiro # Allow missing Message-Id: from local mail 292564562Sgshapiro R$* $: < $&{client_name} > 292664562Sgshapiro R< > $@ OK 292764562Sgshapiro R< $=w > $@ OK 292864562Sgshapiro # Otherwise, reject the mail 292964562Sgshapiro R$* $#error $: 553 Header Error 293064562Sgshapiro 2931132943Sgshapiro 2932132943Sgshapiro+--------------------+ 2933132943Sgshapiro| CONNECTION CONTROL | 2934132943Sgshapiro+--------------------+ 2935132943Sgshapiro 2936132943SgshapiroThe features ratecontrol and conncontrol allow to establish connection 2937132943Sgshapirolimits per client IP address or net. These features can limit the 2938132943Sgshapirorate of connections (connections per time unit) or the number of 2939132943Sgshapiroincoming SMTP connections, respectively. If enabled, appropriate 2940132943Sgshapirorulesets are called at the end of check_relay, i.e., after DNS 2941132943Sgshapiroblacklists and generic access_db operations. The features require 2942132943SgshapiroFEATURE(`access_db') to be listed earlier in the mc file. 2943132943Sgshapiro 2944132943SgshapiroNote: FEATURE(`delay_checks') delays those connection control checks 2945132943Sgshapiroafter a recipient address has been received, hence making these 2946132943Sgshapiroconnection control features less useful. To run the checks as early 2947132943Sgshapiroas possible, specify the parameter `nodelay', e.g., 2948132943Sgshapiro 2949132943Sgshapiro FEATURE(`ratecontrol', `nodelay') 2950132943Sgshapiro 2951132943SgshapiroIn that case, FEATURE(`delay_checks') has no effect on connection 2952132943Sgshapirocontrol (and it must be specified earlier in the mc file). 2953132943Sgshapiro 2954132943SgshapiroAn optional second argument `terminate' specifies whether the 2955132943Sgshapirorulesets should return the error code 421 which will cause 2956132943Sgshapirosendmail to terminate the session with that error if it is 2957132943Sgshapiroreturned from check_relay, i.e., not delayed as explained in 2958132943Sgshapirothe previous paragraph. Example: 2959132943Sgshapiro 2960132943Sgshapiro FEATURE(`ratecontrol', `nodelay', `terminate') 2961132943Sgshapiro 2962132943Sgshapiro 296366494Sgshapiro+----------+ 296466494Sgshapiro| STARTTLS | 296566494Sgshapiro+----------+ 296664562Sgshapiro 2967147078SgshapiroIn this text, cert will be used as an abbreviation for X.509 certificate, 296890792SgshapiroDN (CN) is the distinguished (common) name of a cert, and CA is a 296990792Sgshapirocertification authority, which signs (issues) certs. 297064562Sgshapiro 297180785SgshapiroFor STARTTLS to be offered by sendmail you need to set at least 2972147078Sgshapirothese variables (the file names and paths are just examples): 297380785Sgshapiro 297480785Sgshapiro define(`confCACERT_PATH', `/etc/mail/certs/') 297580785Sgshapiro define(`confCACERT', `/etc/mail/certs/CA.cert.pem') 297680785Sgshapiro define(`confSERVER_CERT', `/etc/mail/certs/my.cert.pem') 297780785Sgshapiro define(`confSERVER_KEY', `/etc/mail/certs/my.key.pem') 297880785Sgshapiro 297980785SgshapiroOn systems which do not have the compile flag HASURANDOM set (see 298080785Sgshapirosendmail/README) you also must set confRAND_FILE. 298180785Sgshapiro 298290792SgshapiroSee doc/op/op.{me,ps,txt} for more information about these options, 298390792Sgshapiroespecially the sections ``Certificates for STARTTLS'' and ``PRNG for 298480785SgshapiroSTARTTLS''. 298580785Sgshapiro 298664562SgshapiroMacros related to STARTTLS are: 298764562Sgshapiro 298864562Sgshapiro${cert_issuer} holds the DN of the CA (the cert issuer). 298964562Sgshapiro${cert_subject} holds the DN of the cert (called the cert subject). 299090792Sgshapiro${cn_issuer} holds the CN of the CA (the cert issuer). 299190792Sgshapiro${cn_subject} holds the CN of the cert (called the cert subject). 299264562Sgshapiro${tls_version} the TLS/SSL version used for the connection, e.g., TLSv1, 299390792Sgshapiro TLSv1/SSLv3, SSLv3, SSLv2. 299464562Sgshapiro${cipher} the cipher used for the connection, e.g., EDH-DSS-DES-CBC3-SHA, 299564562Sgshapiro EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA. 299664562Sgshapiro${cipher_bits} the keylength (in bits) of the symmetric encryption algorithm 299764562Sgshapiro used for the connection. 299890792Sgshapiro${verify} holds the result of the verification of the presented cert. 299990792Sgshapiro Possible values are: 300090792Sgshapiro OK verification succeeded. 300190792Sgshapiro NO no cert presented. 300290792Sgshapiro NOT no cert requested. 300390792Sgshapiro FAIL cert presented but could not be verified, 300490792Sgshapiro e.g., the cert of the signing CA is missing. 300590792Sgshapiro NONE STARTTLS has not been performed. 300690792Sgshapiro TEMP temporary error occurred. 300790792Sgshapiro PROTOCOL protocol error occurred (SMTP level). 300864562Sgshapiro SOFTWARE STARTTLS handshake failed. 300990792Sgshapiro${server_name} the name of the server of the current outgoing SMTP 301064562Sgshapiro connection. 301190792Sgshapiro${server_addr} the address of the server of the current outgoing SMTP 301264562Sgshapiro connection. 301364562Sgshapiro 301464562SgshapiroRelaying 301590792Sgshapiro-------- 301664562Sgshapiro 3017110560SgshapiroSMTP STARTTLS can allow relaying for remote SMTP clients which have 3018120256Sgshapirosuccessfully authenticated themselves. If the verification of the cert 3019120256Sgshapirofailed (${verify} != OK), relaying is subject to the usual rules. 3020120256SgshapiroOtherwise the DN of the issuer is looked up in the access map using the 3021120256Sgshapirotag CERTISSUER. If the resulting value is RELAY, relaying is allowed. 3022120256SgshapiroIf it is SUBJECT, the DN of the cert subject is looked up next in the 3023120256Sgshapiroaccess map using the tag CERTSUBJECT. If the value is RELAY, relaying 3024120256Sgshapirois allowed. 3025110560Sgshapiro 3026132943SgshapiroTo make things a bit more flexible (or complicated), the values for 302764562Sgshapiro${cert_issuer} and ${cert_subject} can be optionally modified by regular 302864562Sgshapiroexpressions defined in the m4 variables _CERT_REGEX_ISSUER_ and 302990792Sgshapiro_CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in 303064562Sgshapirorulesets and map lookups, they are modified as follows: each non-printable 3031110560Sgshapirocharacter and the characters '<', '>', '(', ')', '"', '+', ' ' are replaced 3032110560Sgshapiroby their HEX value with a leading '+'. For example: 303364562Sgshapiro 303464562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email= 303564562Sgshapirodarth+cert@endmail.org 303664562Sgshapiro 303764562Sgshapirois encoded as: 303864562Sgshapiro 303964562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 304064562SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 304164562Sgshapiro 304264562Sgshapiro(line breaks have been inserted for readability). 304364562Sgshapiro 3044110560SgshapiroThe macros which are subject to this encoding are ${cert_subject}, 3045110560Sgshapiro${cert_issuer}, ${cn_subject}, and ${cn_issuer}. 3046110560Sgshapiro 304790792SgshapiroExamples: 304890792Sgshapiro 304990792SgshapiroTo allow relaying for everyone who can present a cert signed by 305090792Sgshapiro 305190792Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 305290792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 305390792Sgshapiro 305490792Sgshapirosimply use: 305590792Sgshapiro 3056110560SgshapiroCertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= 305790792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org RELAY 305890792Sgshapiro 305990792SgshapiroTo allow relaying only for a subset of machines that have a cert signed by 306090792Sgshapiro 306190792Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 306290792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 306390792Sgshapiro 306490792Sgshapirouse: 306590792Sgshapiro 3066110560SgshapiroCertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= 306790792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org SUBJECT 3068110560SgshapiroCertSubject:/C=US/ST=California/O=endmail.org/OU=private/CN= 306990792SgshapiroDeathStar/Email=deathstar@endmail.org RELAY 307090792Sgshapiro 3071132943SgshapiroNotes: 3072132943Sgshapiro- line breaks have been inserted after "CN=" for readability, 3073132943Sgshapiro each tagged entry must be one (long) line in the access map. 3074132943Sgshapiro- if OpenSSL 0.9.7 or newer is used then the "Email=" part of a DN 3075132943Sgshapiro is replaced by "emailAddress=". 307690792Sgshapiro 307790792SgshapiroOf course it is also possible to write a simple ruleset that allows 307864562Sgshapirorelaying for everyone who can present a cert that can be verified, e.g., 307964562Sgshapiro 308064562SgshapiroLOCAL_RULESETS 308164562SgshapiroSLocal_check_rcpt 308264562SgshapiroR$* $: $&{verify} 308364562SgshapiroROK $# OK 308464562Sgshapiro 308564562SgshapiroAllowing Connections 308690792Sgshapiro-------------------- 308764562Sgshapiro 308890792SgshapiroThe rulesets tls_server, tls_client, and tls_rcpt are used to decide whether 308990792Sgshapiroan SMTP connection is accepted (or should continue). 309064562Sgshapiro 309164562Sgshapirotls_server is called when sendmail acts as client after a STARTTLS command 309290792Sgshapiro(should) have been issued. The parameter is the value of ${verify}. 309364562Sgshapiro 309464562Sgshapirotls_client is called when sendmail acts as server, after a STARTTLS command 309590792Sgshapirohas been issued, and from check_mail. The parameter is the value of 309664562Sgshapiro${verify} and STARTTLS or MAIL, respectively. 309764562Sgshapiro 309890792SgshapiroBoth rulesets behave the same. If no access map is in use, the connection 309964562Sgshapirowill be accepted unless ${verify} is SOFTWARE, in which case the connection 310090792Sgshapirois always aborted. For tls_server/tls_client, ${client_name}/${server_name} 310190792Sgshapirois looked up in the access map using the tag TLS_Srv/TLS_Clt, which is done 310290792Sgshapirowith the ruleset LookUpDomain. If no entry is found, ${client_addr} 310364562Sgshapiro(${server_addr}) is looked up in the access map (same tag, ruleset 310490792SgshapiroLookUpAddr). If this doesn't result in an entry either, just the tag is 310590792Sgshapirolooked up in the access map (included the trailing colon). Notice: 310690792Sgshapirorequiring that e-mail is sent to a server only encrypted, e.g., via 310764562Sgshapiro 310890792SgshapiroTLS_Srv:secure.domain ENCR:112 310990792Sgshapiro 311090792Sgshapirodoesn't necessarily mean that e-mail sent to that domain is encrypted. 311190792SgshapiroIf the domain has multiple MX servers, e.g., 311290792Sgshapiro 311390792Sgshapirosecure.domain. IN MX 10 mail.secure.domain. 311490792Sgshapirosecure.domain. IN MX 50 mail.other.domain. 311590792Sgshapiro 311690792Sgshapirothen mail to user@secure.domain may go unencrypted to mail.other.domain. 311790792Sgshapirotls_rcpt can be used to address this problem. 311890792Sgshapiro 311990792Sgshapirotls_rcpt is called before a RCPT TO: command is sent. The parameter is the 312090792Sgshapirocurrent recipient. This ruleset is only defined if FEATURE(`access_db') 312190792Sgshapirois selected. A recipient address user@domain is looked up in the access 312290792Sgshapiromap in four formats: TLS_Rcpt:user@domain, TLS_Rcpt:user@, TLS_Rcpt:domain, 312390792Sgshapiroand TLS_Rcpt:; the first match is taken. 312490792Sgshapiro 312590792SgshapiroThe result of the lookups is then used to call the ruleset TLS_connection, 312690792Sgshapirowhich checks the requirement specified by the RHS in the access map against 312790792Sgshapirothe actual parameters of the current TLS connection, esp. ${verify} and 312890792Sgshapiro${cipher_bits}. Legal RHSs in the access map are: 312990792Sgshapiro 313064562SgshapiroVERIFY verification must have succeeded 313164562SgshapiroVERIFY:bits verification must have succeeded and ${cipher_bits} must 313264562Sgshapiro be greater than or equal bits. 313364562SgshapiroENCR:bits ${cipher_bits} must be greater than or equal bits. 313464562Sgshapiro 313564562SgshapiroThe RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary 313690792Sgshapiroor permanent error. The default is a temporary error code (403 4.7.0) 313764562Sgshapirounless the macro TLS_PERM_ERR is set during generation of the .cf file. 313864562Sgshapiro 313964562SgshapiroIf a certain level of encryption is required, then it might also be 314064562Sgshapiropossible that this level is provided by the security layer from a SASL 314164562Sgshapiroalgorithm, e.g., DIGEST-MD5. 314264562Sgshapiro 314390792SgshapiroFurthermore, there can be a list of extensions added. Such a list 314490792Sgshapirostarts with '+' and the items are separated by '++'. Allowed 314590792Sgshapiroextensions are: 314690792Sgshapiro 314790792SgshapiroCN:name name must match ${cn_subject} 3148203004SgshapiroCN ${client_name}/${server_name} must match ${cn_subject} 314990792SgshapiroCS:name name must match ${cert_subject} 315090792SgshapiroCI:name name must match ${cert_issuer} 315190792Sgshapiro 315282017SgshapiroExample: e-mail sent to secure.example.com should only use an encrypted 315390792Sgshapiroconnection. E-mail received from hosts within the laptop.example.com domain 315490792Sgshapiroshould only be accepted if they have been authenticated. The host which 315590792Sgshapiroreceives e-mail for darth@endmail.org must present a cert that uses the 315690792SgshapiroCN smtp.endmail.org. 315790792Sgshapiro 315864562SgshapiroTLS_Srv:secure.example.com ENCR:112 315964562SgshapiroTLS_Clt:laptop.example.com PERM+VERIFY:112 316090792SgshapiroTLS_Rcpt:darth@endmail.org ENCR:112+CN:smtp.endmail.org 316164562Sgshapiro 316273188Sgshapiro 316390792SgshapiroDisabling STARTTLS And Setting SMTP Server Features 316490792Sgshapiro--------------------------------------------------- 316573188Sgshapiro 316690792SgshapiroBy default STARTTLS is used whenever possible. However, there are 316790792Sgshapirosome broken MTAs that don't properly implement STARTTLS. To be able 316890792Sgshapiroto send to (or receive from) those MTAs, the ruleset try_tls 316990792Sgshapiro(srv_features) can be used that work together with the access map. 317090792SgshapiroEntries for the access map must be tagged with Try_TLS (Srv_Features) 317190792Sgshapiroand refer to the hostname or IP address of the connecting system. 317290792SgshapiroA default case can be specified by using just the tag. For example, 317390792Sgshapirothe following entries in the access map: 317473188Sgshapiro 317590792Sgshapiro Try_TLS:broken.server NO 317690792Sgshapiro Srv_Features:my.domain v 317790792Sgshapiro Srv_Features: V 317873188Sgshapiro 317990792Sgshapirowill turn off STARTTLS when sending to broken.server (or any host 318090792Sgshapiroin that domain), and request a client certificate during the TLS 318190792Sgshapirohandshake only for hosts in my.domain. The valid entries on the RHS 318290792Sgshapirofor Srv_Features are listed in the Sendmail Installation and 318390792SgshapiroOperations Guide. 318473188Sgshapiro 318573188Sgshapiro 318664562SgshapiroReceived: Header 318790792Sgshapiro---------------- 318864562Sgshapiro 318990792SgshapiroThe Received: header reveals whether STARTTLS has been used. It contains an 319064562Sgshapiroextra line: 319164562Sgshapiro 319290792Sgshapiro(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify}) 319364562Sgshapiro 319490792Sgshapiro 319566494Sgshapiro+---------------------+ 319666494Sgshapiro| SMTP AUTHENTICATION | 319766494Sgshapiro+---------------------+ 319864562Sgshapiro 319964562SgshapiroThe macros ${auth_authen}, ${auth_author}, and ${auth_type} can be 320064562Sgshapiroused in anti-relay rulesets to allow relaying for those users that 320164562Sgshapiroauthenticated themselves. A very simple example is: 320264562Sgshapiro 320364562SgshapiroSLocal_check_rcpt 320464562SgshapiroR$* $: $&{auth_type} 320564562SgshapiroR$+ $# OK 320664562Sgshapiro 320764562Sgshapirowhich checks whether a user has successfully authenticated using 3208132943Sgshapiroany available mechanism. Depending on the setup of the Cyrus SASL 320964562Sgshapirolibrary, more sophisticated rulesets might be required, e.g., 321064562Sgshapiro 321164562SgshapiroSLocal_check_rcpt 321264562SgshapiroR$* $: $&{auth_type} $| $&{auth_authen} 321364562SgshapiroRDIGEST-MD5 $| $+@$=w $# OK 321464562Sgshapiro 321564562Sgshapiroto allow relaying for users that authenticated using DIGEST-MD5 321664562Sgshapiroand have an identity in the local domains. 321764562Sgshapiro 321890792SgshapiroThe ruleset trust_auth is used to determine whether a given AUTH= 321964562Sgshapiroparameter (that is passed to this ruleset) should be trusted. This 322064562Sgshapiroruleset may make use of the other ${auth_*} macros. Only if the 322164562Sgshapiroruleset resolves to the error mailer, the AUTH= parameter is not 322264562Sgshapirotrusted. A user supplied ruleset Local_trust_auth can be written 322364562Sgshapiroto modify the default behavior, which only trust the AUTH= 322464562Sgshapiroparameter if it is identical to the authenticated user. 322564562Sgshapiro 322664562SgshapiroPer default, relaying is allowed for any user who authenticated 322764562Sgshapirovia a "trusted" mechanism, i.e., one that is defined via 322864562SgshapiroTRUST_AUTH_MECH(`list of mechanisms') 322971345SgshapiroFor example: 323071345SgshapiroTRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5') 323164562Sgshapiro 323264562SgshapiroIf the selected mechanism provides a security layer the number of 323364562Sgshapirobits used for the key of the symmetric cipher is stored in the 323464562Sgshapiromacro ${auth_ssf}. 323564562Sgshapiro 3236132943SgshapiroProviding SMTP AUTH Data when sendmail acts as Client 3237132943Sgshapiro----------------------------------------------------- 3238132943Sgshapiro 323990792SgshapiroIf sendmail acts as client, it needs some information how to 324090792Sgshapiroauthenticate against another MTA. This information can be provided 324190792Sgshapiroby the ruleset authinfo or by the option DefaultAuthInfo. The 324290792Sgshapiroauthinfo ruleset looks up {server_name} using the tag AuthInfo: in 324390792Sgshapirothe access map. If no entry is found, {server_addr} is looked up 324490792Sgshapiroin the same way and finally just the tag AuthInfo: to provide 3245111823Sgshapirodefault values. Note: searches for domain parts or IP nets are 3246111823Sgshapiroonly performed if the access map is used; if the authinfo feature 3247111823Sgshapirois used then only up to three lookups are performed (two exact 3248111823Sgshapiromatches, one default). 324990792Sgshapiro 3250132943SgshapiroNote: If your daemon does client authentication when sending, and 3251132943Sgshapiroif it uses either PLAIN or LOGIN authentication, then you *must* 3252132943Sgshapiroprevent ordinary users from seeing verbose output. Do NOT install 3253132943Sgshapirosendmail set-user-ID. Use PrivacyOptions to turn off verbose output 3254132943Sgshapiro("goaway" works for this). 3255132943Sgshapiro 325690792SgshapiroNotice: the default configuration file causes the option DefaultAuthInfo 325790792Sgshapiroto fail since the ruleset authinfo is in the .cf file. If you really 325890792Sgshapirowant to use DefaultAuthInfo (it is deprecated) then you have to 325990792Sgshapiroremove the ruleset. 326090792Sgshapiro 326190792SgshapiroThe RHS for an AuthInfo: entry in the access map should consists of a 326290792Sgshapirolist of tokens, each of which has the form: "TDstring" (including 326390792Sgshapirothe quotes). T is a tag which describes the item, D is a delimiter, 326490792Sgshapiroeither ':' for simple text or '=' for a base64 encoded string. 326590792SgshapiroValid values for the tag are: 326690792Sgshapiro 326790792Sgshapiro U user (authorization) id 326890792Sgshapiro I authentication id 326990792Sgshapiro P password 327090792Sgshapiro R realm 327190792Sgshapiro M list of mechanisms delimited by spaces 327290792Sgshapiro 327390792SgshapiroExample entries are: 327490792Sgshapiro 327590792SgshapiroAuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5" 3276111823SgshapiroAuthInfo:host.more.dom "U:user" "P=c2VjcmV0" 327790792Sgshapiro 3278111823SgshapiroUser id or authentication id must exist as well as the password. All 327990792Sgshapiroother entries have default values. If one of user or authentication 328090792Sgshapiroid is missing, the existing value is used for the missing item. 328190792SgshapiroIf "R:" is not specified, realm defaults to $j. The list of mechanisms 328290792Sgshapirodefaults to those specified by AuthMechanisms. 328390792Sgshapiro 328490792SgshapiroSince this map contains sensitive information, either the access 328590792Sgshapiromap must be unreadable by everyone but root (or the trusted user) 328690792Sgshapiroor FEATURE(`authinfo') must be used which provides a separate map. 328790792SgshapiroNotice: It is not checked whether the map is actually 328890792Sgshapirogroup/world-unreadable, this is left to the user. 328990792Sgshapiro 329064562Sgshapiro+--------------------------------+ 329138032Speter| ADDING NEW MAILERS OR RULESETS | 329238032Speter+--------------------------------+ 329338032Speter 329438032SpeterSometimes you may need to add entirely new mailers or rulesets. They 329538032Spetershould be introduced with the constructs MAILER_DEFINITIONS and 329638032SpeterLOCAL_RULESETS respectively. For example: 329738032Speter 329838032Speter MAILER_DEFINITIONS 329938032Speter Mmymailer, ... 330038032Speter ... 330138032Speter 330238032Speter LOCAL_RULESETS 330338032Speter Smyruleset 330438032Speter ... 330538032Speter 330690792SgshapiroLocal additions for the rulesets srv_features, try_tls, tls_rcpt, 330790792Sgshapirotls_client, and tls_server can be made using LOCAL_SRV_FEATURES, 330890792SgshapiroLOCAL_TRY_TLS, LOCAL_TLS_RCPT, LOCAL_TLS_CLIENT, and LOCAL_TLS_SERVER, 330990792Sgshapirorespectively. For example, to add a local ruleset that decides 331090792Sgshapirowhether to try STARTTLS in a sendmail client, use: 331138032Speter 331290792Sgshapiro LOCAL_TRY_TLS 331390792Sgshapiro R... 331490792Sgshapiro 331590792SgshapiroNote: you don't need to add a name for the ruleset, it is implicitly 331690792Sgshapirodefined by using the appropriate macro. 331790792Sgshapiro 331890792Sgshapiro 331971345Sgshapiro+-------------------------+ 332071345Sgshapiro| ADDING NEW MAIL FILTERS | 332171345Sgshapiro+-------------------------+ 332264562Sgshapiro 332364562SgshapiroSendmail supports mail filters to filter incoming SMTP messages according 332464562Sgshapiroto the "Sendmail Mail Filter API" documentation. These filters can be 332564562Sgshapiroconfigured in your mc file using the two commands: 332664562Sgshapiro 332764562Sgshapiro MAIL_FILTER(`name', `equates') 332864562Sgshapiro INPUT_MAIL_FILTER(`name', `equates') 332964562Sgshapiro 333064562SgshapiroThe first command, MAIL_FILTER(), simply defines a filter with the given 333164562Sgshapironame and equates. For example: 333264562Sgshapiro 333364562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 333464562Sgshapiro 333564562SgshapiroThis creates the equivalent sendmail.cf entry: 333664562Sgshapiro 333764562Sgshapiro Xarchive, S=local:/var/run/archivesock, F=R 333864562Sgshapiro 333964562SgshapiroThe INPUT_MAIL_FILTER() command performs the same actions as MAIL_FILTER 334064562Sgshapirobut also populates the m4 variable `confINPUT_MAIL_FILTERS' with the name 334164562Sgshapiroof the filter such that the filter will actually be called by sendmail. 334264562Sgshapiro 334364562SgshapiroFor example, the two commands: 334464562Sgshapiro 334564562Sgshapiro INPUT_MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 334664562Sgshapiro INPUT_MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 334764562Sgshapiro 334864562Sgshapiroare equivalent to the three commands: 334964562Sgshapiro 335064562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 335164562Sgshapiro MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 335264562Sgshapiro define(`confINPUT_MAIL_FILTERS', `archive, spamcheck') 335364562Sgshapiro 335464562SgshapiroIn general, INPUT_MAIL_FILTER() should be used unless you need to define 335564562Sgshapiromore filters than you want to use for `confINPUT_MAIL_FILTERS'. 335664562Sgshapiro 335764562SgshapiroNote that setting `confINPUT_MAIL_FILTERS' after any INPUT_MAIL_FILTER() 335864562Sgshapirocommands will clear the list created by the prior INPUT_MAIL_FILTER() 335964562Sgshapirocommands. 336064562Sgshapiro 336164562Sgshapiro 336290792Sgshapiro+-------------------------+ 336390792Sgshapiro| QUEUE GROUP DEFINITIONS | 336490792Sgshapiro+-------------------------+ 336590792Sgshapiro 336690792SgshapiroIn addition to the queue directory (which is the default queue group 336790792Sgshapirocalled "mqueue"), sendmail can deal with multiple queue groups, which 336890792Sgshapiroare collections of queue directories with the same behaviour. Queue 336990792Sgshapirogroups can be defined using the command: 337090792Sgshapiro 337190792Sgshapiro QUEUE_GROUP(`name', `equates') 337290792Sgshapiro 337390792SgshapiroFor details about queue groups, please see doc/op/op.{me,ps,txt}. 337490792Sgshapiro 337538032Speter+-------------------------------+ 337638032Speter| NON-SMTP BASED CONFIGURATIONS | 337738032Speter+-------------------------------+ 337838032Speter 337964562SgshapiroThese configuration files are designed primarily for use by 338064562SgshapiroSMTP-based sites. They may not be well tuned for UUCP-only or 338138032SpeterUUCP-primarily nodes (the latter is defined as a small local net 338264562Sgshapiroconnected to the rest of the world via UUCP). However, there is 338364562Sgshapiroone hook to handle some special cases. 338438032Speter 338538032SpeterYou can define a ``smart host'' that understands a richer address syntax 338638032Speterusing: 338738032Speter 338843730Speter define(`SMART_HOST', `mailer:hostname') 338938032Speter 339038032SpeterIn this case, the ``mailer:'' defaults to "relay". Any messages that 339138032Spetercan't be handled using the usual UUCP rules are passed to this host. 339238032Speter 339338032SpeterIf you are on a local SMTP-based net that connects to the outside 339438032Speterworld via UUCP, you can use LOCAL_NET_CONFIG to add appropriate rules. 339538032SpeterFor example: 339638032Speter 339764562Sgshapiro define(`SMART_HOST', `uucp-new:uunet') 339838032Speter LOCAL_NET_CONFIG 339938032Speter R$* < @ $* .$m. > $* $#smtp $@ $2.$m. $: $1 < @ $2.$m. > $3 340038032Speter 340194334SgshapiroThis will cause all names that end in your domain name ($m) to be sent 340294334Sgshapirovia SMTP; anything else will be sent via uucp-new (smart UUCP) to uunet. 340343730SpeterIf you have FEATURE(`nocanonify'), you may need to omit the dots after 340438032Speterthe $m. If you are running a local DNS inside your domain which is 340538032Speternot otherwise connected to the outside world, you probably want to 340638032Speteruse: 340738032Speter 340843730Speter define(`SMART_HOST', `smtp:fire.wall.com') 340938032Speter LOCAL_NET_CONFIG 341038032Speter R$* < @ $* . > $* $#smtp $@ $2. $: $1 < @ $2. > $3 341138032Speter 341238032SpeterThat is, send directly only to things you found in your DNS lookup; 341338032Speteranything else goes through SMART_HOST. 341438032Speter 341538032SpeterYou may need to turn off the anti-spam rules in order to accept 341643730SpeterUUCP mail with FEATURE(`promiscuous_relay') and 341743730SpeterFEATURE(`accept_unresolvable_domains'). 341838032Speter 341938032Speter 342038032Speter+-----------+ 342138032Speter| WHO AM I? | 342238032Speter+-----------+ 342338032Speter 342438032SpeterNormally, the $j macro is automatically defined to be your fully 342538032Speterqualified domain name (FQDN). Sendmail does this by getting your 342638032Speterhost name using gethostname and then calling gethostbyname on the 342738032Speterresult. For example, in some environments gethostname returns 342838032Speteronly the root of the host name (such as "foo"); gethostbyname is 342938032Spetersupposed to return the FQDN ("foo.bar.com"). In some (fairly rare) 343038032Spetercases, gethostbyname may fail to return the FQDN. In this case 343138032Speteryou MUST define confDOMAIN_NAME to be your fully qualified domain 343238032Spetername. This is usually done using: 343338032Speter 343438032Speter Dmbar.com 343538032Speter define(`confDOMAIN_NAME', `$w.$m')dnl 343638032Speter 343738032Speter 343864562Sgshapiro+-----------------------------------+ 343964562Sgshapiro| ACCEPTING MAIL FOR MULTIPLE NAMES | 344064562Sgshapiro+-----------------------------------+ 344164562Sgshapiro 344264562SgshapiroIf your host is known by several different names, you need to augment 344364562Sgshapiroclass {w}. This is a list of names by which your host is known, and 344464562Sgshapiroanything sent to an address using a host name in this list will be 344564562Sgshapirotreated as local mail. You can do this in two ways: either create the 344664562Sgshapirofile /etc/mail/local-host-names containing a list of your aliases (one per 344764562Sgshapiroline), and use ``FEATURE(`use_cw_file')'' in the .mc file, or add 344864562Sgshapiro``LOCAL_DOMAIN(`alias.host.name')''. Be sure you use the fully-qualified 344964562Sgshapironame of the host, rather than a short name. 345064562Sgshapiro 345164562SgshapiroIf you want to have different address in different domains, take 345264562Sgshapiroa look at the virtusertable feature, which is also explained at 345364562Sgshapirohttp://www.sendmail.org/virtual-hosting.html 345464562Sgshapiro 345564562Sgshapiro 345638032Speter+--------------------+ 345738032Speter| USING MAILERTABLES | 345838032Speter+--------------------+ 345938032Speter 346043730SpeterTo use FEATURE(`mailertable'), you will have to create an external 346138032Speterdatabase containing the routing information for various domains. 346238032SpeterFor example, a mailertable file in text format might be: 346338032Speter 346438032Speter .my.domain xnet:%1.my.domain 346564562Sgshapiro uuhost1.my.domain uucp-new:uuhost1 346638032Speter .bitnet smtp:relay.bit.net 346738032Speter 346864562SgshapiroThis should normally be stored in /etc/mail/mailertable. The actual 346938032Speterdatabase version of the mailertable is built using: 347038032Speter 347164562Sgshapiro makemap hash /etc/mail/mailertable < /etc/mail/mailertable 347238032Speter 347338032SpeterThe semantics are simple. Any LHS entry that does not begin with 347438032Spetera dot matches the full host name indicated. LHS entries beginning 347566494Sgshapirowith a dot match anything ending with that domain name (including 347666494Sgshapirothe leading dot) -- that is, they can be thought of as having a 347766494Sgshapiroleading ".+" regular expression pattern for a non-empty sequence of 347866494Sgshapirocharacters. Matching is done in order of most-to-least qualified 347966494Sgshapiro-- for example, even though ".my.domain" is listed first in the 348066494Sgshapiroabove example, an entry of "uuhost1.my.domain" will match the second 348166494Sgshapiroentry since it is more explicit. Note: e-mail to "user@my.domain" 348266494Sgshapirodoes not match any entry in the above table. You need to have 348366494Sgshapirosomething like: 348438032Speter 348564562Sgshapiro my.domain esmtp:host.my.domain 348664562Sgshapiro 348738032SpeterThe RHS should always be a "mailer:host" pair. The mailer is the 348890792Sgshapiroconfiguration name of a mailer (that is, an M line in the 348938032Spetersendmail.cf file). The "host" will be the hostname passed to 349038032Speterthat mailer. In domain-based matches (that is, those with leading 349138032Speterdots) the "%1" may be used to interpolate the wildcarded part of 349238032Speterthe host name. For example, the first line above sends everything 349338032Speteraddressed to "anything.my.domain" to that same host name, but using 349438032Speterthe (presumably experimental) xnet mailer. 349538032Speter 349638032SpeterIn some cases you may want to temporarily turn off MX records, 349738032Speterparticularly on gateways. For example, you may want to MX 349838032Spetereverything in a domain to one machine that then forwards it 349938032Speterdirectly. To do this, you might use the DNS configuration: 350038032Speter 350138032Speter *.domain. IN MX 0 relay.machine 350238032Speter 350338032Speterand on relay.machine use the mailertable: 350438032Speter 350538032Speter .domain smtp:[gateway.domain] 350638032Speter 350738032SpeterThe [square brackets] turn off MX records for this host only. 350838032SpeterIf you didn't do this, the mailertable would use the MX record 3509120256Sgshapiroagain, which would give you an MX loop. Note that the use of 3510120256Sgshapirowildcard MX records is almost always a bad idea. Please avoid 3511120256Sgshapirousing them if possible. 351238032Speter 351338032Speter 351438032Speter+--------------------------------+ 351538032Speter| USING USERDB TO MAP FULL NAMES | 351638032Speter+--------------------------------+ 351738032Speter 351838032SpeterThe user database was not originally intended for mapping full names 351938032Speterto login names (e.g., Eric.Allman => eric), but some people are using 352064562Sgshapiroit that way. (it is recommended that you set up aliases for this 352138032Speterpurpose instead -- since you can specify multiple alias files, this 352238032Speteris fairly easy.) The intent was to locate the default maildrop at 352338032Spetera site, but allow you to override this by sending to a specific host. 352438032Speter 352538032SpeterIf you decide to set up the user database in this fashion, it is 352643730Speterimperative that you not use FEATURE(`stickyhost') -- otherwise, 352738032Spetere-mail sent to Full.Name@local.host.name will be rejected. 352838032Speter 352938032SpeterTo build the internal form of the user database, use: 353038032Speter 353164562Sgshapiro makemap btree /etc/mail/userdb < /etc/mail/userdb.txt 353238032Speter 353364562SgshapiroAs a general rule, it is an extremely bad idea to using full names 353464562Sgshapiroas e-mail addresses, since they are not in any sense unique. For 353566494Sgshapiroexample, the UNIX software-development community has at least two 353664562Sgshapirowell-known Peter Deutsches, and at one time Bell Labs had two 353764562SgshapiroStephen R. Bournes with offices along the same hallway. Which one 353864562Sgshapirowill be forced to suffer the indignity of being Stephen_R_Bourne_2? 353964562SgshapiroThe less famous of the two, or the one that was hired later? 354038032Speter 354138032SpeterFinger should handle full names (and be fuzzy). Mail should use 354264562Sgshapirohandles, and not be fuzzy. 354338032Speter 354438032Speter 354538032Speter+--------------------------------+ 354638032Speter| MISCELLANEOUS SPECIAL FEATURES | 354738032Speter+--------------------------------+ 354838032Speter 354938032SpeterPlussed users 355038032Speter Sometimes it is convenient to merge configuration on a 355138032Speter centralized mail machine, for example, to forward all 355238032Speter root mail to a mail server. In this case it might be 355338032Speter useful to be able to treat the root addresses as a class 355438032Speter of addresses with subtle differences. You can do this 355538032Speter using plussed users. For example, a client might include 355638032Speter the alias: 355738032Speter 355838032Speter root: root+client1@server 355938032Speter 356038032Speter On the server, this will match an alias for "root+client1". 356138032Speter If that is not found, the alias "root+*" will be tried, 356238032Speter then "root". 356338032Speter 356438032Speter 356538032Speter+----------------+ 356638032Speter| SECURITY NOTES | 356738032Speter+----------------+ 356838032Speter 356938032SpeterA lot of sendmail security comes down to you. Sendmail 8 is much 357038032Spetermore careful about checking for security problems than previous 357138032Speterversions, but there are some things that you still need to watch 357238032Speterfor. In particular: 357338032Speter 357498121Sgshapiro* Make sure the aliases file is not writable except by trusted 357538032Speter system personnel. This includes both the text and database 357638032Speter version. 357738032Speter 357838032Speter* Make sure that other files that sendmail reads, such as the 357938032Speter mailertable, are only writable by trusted system personnel. 358038032Speter 358138032Speter* The queue directory should not be world writable PARTICULARLY 358238032Speter if your system allows "file giveaways" (that is, if a non-root 358338032Speter user can chown any file they own to any other user). 358438032Speter 358538032Speter* If your system allows file giveaways, DO NOT create a publically 358638032Speter writable directory for forward files. This will allow anyone 358738032Speter to steal anyone else's e-mail. Instead, create a script that 358838032Speter copies the .forward file from users' home directories once a 358938032Speter night (if you want the non-NFS-mounted forward directory). 359038032Speter 359138032Speter* If your system allows file giveaways, you'll find that 359238032Speter sendmail is much less trusting of :include: files -- in 359338032Speter particular, you'll have to have /SENDMAIL/ANY/SHELL/ in 359438032Speter /etc/shells before they will be trusted (that is, before 359538032Speter files and programs listed in them will be honored). 359638032Speter 359738032SpeterIn general, file giveaways are a mistake -- if you can turn them 359864562Sgshapirooff, do so. 359938032Speter 360038032Speter 360138032Speter+--------------------------------+ 360238032Speter| TWEAKING CONFIGURATION OPTIONS | 360338032Speter+--------------------------------+ 360438032Speter 360538032SpeterThere are a large number of configuration options that don't normally 3606132943Sgshapironeed to be changed. However, if you feel you need to tweak them, 3607132943Sgshapiroyou can define the following M4 variables. Note that some of these 3608132943Sgshapirovariables require formats that are defined in RFC 2821 or RFC 2822. 3609132943SgshapiroBefore changing them you need to make sure you do not violate those 3610132943Sgshapiro(and other relevant) RFCs. 361138032Speter 3612132943SgshapiroThis list is shown in four columns: the name you define, the default 3613132943Sgshapirovalue for that definition, the option or macro that is affected 3614132943Sgshapiro(either Ox for an option or Dx for a macro), and a brief description. 3615132943SgshapiroGreater detail of the semantics can be found in the Installation 3616132943Sgshapiroand Operations Guide. 3617132943Sgshapiro 361838032SpeterSome options are likely to be deprecated in future versions -- that is, 361938032Speterthe option is only included to provide back-compatibility. These are 362038032Spetermarked with "*". 362138032Speter 362238032SpeterRemember that these options are M4 variables, and hence may need to 362338032Speterbe quoted. In particular, arguments with commas will usually have to 362438032Speterbe ``double quoted, like this phrase'' to avoid having the comma 362538032Speterconfuse things. This is common for alias file definitions and for 362638032Speterthe read timeout. 362738032Speter 3628132943SgshapiroM4 Variable Name Configuration [Default] & Description 362938032Speter================ ============= ======================= 363038032SpeterconfMAILER_NAME $n macro [MAILER-DAEMON] The sender name used 363138032Speter for internally generated outgoing 363238032Speter messages. 363338032SpeterconfDOMAIN_NAME $j macro If defined, sets $j. This should 363438032Speter only be done if your system cannot 363538032Speter determine your local domain name, 363638032Speter and then it should be set to 363738032Speter $w.Foo.COM, where Foo.COM is your 363838032Speter domain name. 363938032SpeterconfCF_VERSION $Z macro If defined, this is appended to the 364038032Speter configuration version name. 364190792SgshapiroconfLDAP_CLUSTER ${sendmailMTACluster} macro 364290792Sgshapiro If defined, this is the LDAP 364390792Sgshapiro cluster to use for LDAP searches 364490792Sgshapiro as described above in ``USING LDAP 364590792Sgshapiro FOR ALIASES, MAPS, AND CLASSES''. 364664562SgshapiroconfFROM_HEADER From: [$?x$x <$g>$|$g$.] The format of an 364738032Speter internally generated From: address. 364838032SpeterconfRECEIVED_HEADER Received: 364938032Speter [$?sfrom $s $.$?_($?s$|from $.$_) 365064562Sgshapiro $.$?{auth_type}(authenticated) 365138032Speter $.by $j ($v/$Z)$?r with $r$. id $i$?u 365238032Speter for $u; $|; 365338032Speter $.$b] 365438032Speter The format of the Received: header 365538032Speter in messages passed through this host. 365638032Speter It is unwise to try to change this. 3657132943SgshapiroconfMESSAGEID_HEADER Message-Id: [<$t.$i@$j>] The format of an 3658132943Sgshapiro internally generated Message-Id: 3659132943Sgshapiro header. 366064562SgshapiroconfCW_FILE Fw class [/etc/mail/local-host-names] Name 366164562Sgshapiro of file used to get the local 366264562Sgshapiro additions to class {w} (local host 366364562Sgshapiro names). 366464562SgshapiroconfCT_FILE Ft class [/etc/mail/trusted-users] Name of 366564562Sgshapiro file used to get the local additions 366664562Sgshapiro to class {t} (trusted users). 366738032SpeterconfCR_FILE FR class [/etc/mail/relay-domains] Name of 366838032Speter file used to get the local additions 366964562Sgshapiro to class {R} (hosts allowed to relay). 367038032SpeterconfTRUSTED_USERS Ct class [no default] Names of users to add to 367138032Speter the list of trusted users. This list 367238032Speter always includes root, uucp, and daemon. 367343730Speter See also FEATURE(`use_ct_file'). 367464562SgshapiroconfTRUSTED_USER TrustedUser [no default] Trusted user for file 367564562Sgshapiro ownership and starting the daemon. 367664562Sgshapiro Not to be confused with 367764562Sgshapiro confTRUSTED_USERS (see above). 367838032SpeterconfSMTP_MAILER - [esmtp] The mailer name used when 367938032Speter SMTP connectivity is required. 368064562Sgshapiro One of "smtp", "smtp8", 368164562Sgshapiro "esmtp", or "dsmtp". 368238032SpeterconfUUCP_MAILER - [uucp-old] The mailer to be used by 368338032Speter default for bang-format recipient 368438032Speter addresses. See also discussion of 368564562Sgshapiro class {U}, class {Y}, and class {Z} 368664562Sgshapiro in the MAILER(`uucp') section. 368738032SpeterconfLOCAL_MAILER - [local] The mailer name used when 368838032Speter local connectivity is required. 368938032Speter Almost always "local". 369038032SpeterconfRELAY_MAILER - [relay] The default mailer name used 369138032Speter for relaying any mail (e.g., to a 369238032Speter BITNET_RELAY, a SMART_HOST, or 369338032Speter whatever). This can reasonably be 369438032Speter "uucp-new" if you are on a 369538032Speter UUCP-connected site. 369638032SpeterconfSEVEN_BIT_INPUT SevenBitInput [False] Force input to seven bits? 369738032SpeterconfEIGHT_BIT_HANDLING EightBitMode [pass8] 8-bit data handling 369838032SpeterconfALIAS_WAIT AliasWait [10m] Time to wait for alias file 369938032Speter rebuild until you get bored and 370038032Speter decide that the apparently pending 370138032Speter rebuild failed. 370238032SpeterconfMIN_FREE_BLOCKS MinFreeBlocks [100] Minimum number of free blocks on 370338032Speter queue filesystem to accept SMTP mail. 370438032Speter (Prior to 8.7 this was minfree/maxsize, 370538032Speter where minfree was the number of free 370638032Speter blocks and maxsize was the maximum 370738032Speter message size. Use confMAX_MESSAGE_SIZE 370838032Speter for the second value now.) 370938032SpeterconfMAX_MESSAGE_SIZE MaxMessageSize [infinite] The maximum size of messages 371038032Speter that will be accepted (in bytes). 371138032SpeterconfBLANK_SUB BlankSub [.] Blank (space) substitution 371238032Speter character. 371338032SpeterconfCON_EXPENSIVE HoldExpensive [False] Avoid connecting immediately 371464562Sgshapiro to mailers marked expensive. 371538032SpeterconfCHECKPOINT_INTERVAL CheckpointInterval 371638032Speter [10] Checkpoint queue files every N 371738032Speter recipients. 371838032SpeterconfDELIVERY_MODE DeliveryMode [background] Default delivery mode. 371938032SpeterconfERROR_MODE ErrorMode [print] Error message mode. 372038032SpeterconfERROR_MESSAGE ErrorHeader [undefined] Error message header/file. 372142575SpeterconfSAVE_FROM_LINES SaveFromLine Save extra leading From_ lines. 372238032SpeterconfTEMP_FILE_MODE TempFileMode [0600] Temporary file mode. 372338032SpeterconfMATCH_GECOS MatchGECOS [False] Match GECOS field. 372438032SpeterconfMAX_HOP MaxHopCount [25] Maximum hop count. 372564562SgshapiroconfIGNORE_DOTS* IgnoreDots [False; always False in -bs or -bd 372664562Sgshapiro mode] Ignore dot as terminator for 372764562Sgshapiro incoming messages? 372838032SpeterconfBIND_OPTS ResolverOptions [undefined] Default options for DNS 372938032Speter resolver. 373038032SpeterconfMIME_FORMAT_ERRORS* SendMimeErrors [True] Send error messages as MIME- 373138032Speter encapsulated messages per RFC 1344. 373238032SpeterconfFORWARD_PATH ForwardPath [$z/.forward.$w:$z/.forward] 373338032Speter The colon-separated list of places to 373438032Speter search for .forward files. N.B.: see 373538032Speter the Security Notes section. 373638032SpeterconfMCI_CACHE_SIZE ConnectionCacheSize 373738032Speter [2] Size of open connection cache. 373838032SpeterconfMCI_CACHE_TIMEOUT ConnectionCacheTimeout 373938032Speter [5m] Open connection cache timeout. 374038032SpeterconfHOST_STATUS_DIRECTORY HostStatusDirectory 374138032Speter [undefined] If set, host status is kept 374238032Speter on disk between sendmail runs in the 374338032Speter named directory tree. This need not be 374438032Speter a full pathname, in which case it is 374538032Speter interpreted relative to the queue 374638032Speter directory. 374738032SpeterconfSINGLE_THREAD_DELIVERY SingleThreadDelivery 374838032Speter [False] If this option and the 374938032Speter HostStatusDirectory option are both 375038032Speter set, single thread deliveries to other 375138032Speter hosts. That is, don't allow any two 375238032Speter sendmails on this host to connect 375338032Speter simultaneously to any other single 375438032Speter host. This can slow down delivery in 375538032Speter some cases, in particular since a 375638032Speter cached but otherwise idle connection 375738032Speter to a host will prevent other sendmails 375838032Speter from connecting to the other host. 375964562SgshapiroconfUSE_ERRORS_TO* UseErrorsTo [False] Use the Errors-To: header to 376038032Speter deliver error messages. This should 376138032Speter not be necessary because of general 376238032Speter acceptance of the envelope/header 376338032Speter distinction. 376438032SpeterconfLOG_LEVEL LogLevel [9] Log level. 376564562SgshapiroconfME_TOO MeToo [True] Include sender in group 376664562Sgshapiro expansions. This option is 376764562Sgshapiro deprecated and will be removed from 376864562Sgshapiro a future version. 376938032SpeterconfCHECK_ALIASES CheckAliases [False] Check RHS of aliases when 377038032Speter running newaliases. Since this does 377138032Speter DNS lookups on every address, it can 377238032Speter slow down the alias rebuild process 377338032Speter considerably on large alias files. 377438032SpeterconfOLD_STYLE_HEADERS* OldStyleHeaders [True] Assume that headers without 377538032Speter special chars are old style. 377638032SpeterconfPRIVACY_FLAGS PrivacyOptions [authwarnings] Privacy flags. 377738032SpeterconfCOPY_ERRORS_TO PostmasterCopy [undefined] Address for additional 377838032Speter copies of all error messages. 377938032SpeterconfQUEUE_FACTOR QueueFactor [600000] Slope of queue-only function. 378090792SgshapiroconfQUEUE_FILE_MODE QueueFileMode [undefined] Default permissions for 378190792Sgshapiro queue files (octal). If not set, 378290792Sgshapiro sendmail uses 0600 unless its real 378390792Sgshapiro and effective uid are different in 378490792Sgshapiro which case it uses 0644. 378538032SpeterconfDONT_PRUNE_ROUTES DontPruneRoutes [False] Don't prune down route-addr 378638032Speter syntax addresses to the minimum 378738032Speter possible. 378838032SpeterconfSAFE_QUEUE* SuperSafe [True] Commit all messages to disk 378938032Speter before forking. 379038032SpeterconfTO_INITIAL Timeout.initial [5m] The timeout waiting for a response 379138032Speter on the initial connect. 379238032SpeterconfTO_CONNECT Timeout.connect [0] The timeout waiting for an initial 379338032Speter connect() to complete. This can only 379438032Speter shorten connection timeouts; the kernel 379538032Speter silently enforces an absolute maximum 379638032Speter (which varies depending on the system). 379738032SpeterconfTO_ICONNECT Timeout.iconnect 379838032Speter [undefined] Like Timeout.connect, but 379938032Speter applies only to the very first attempt 380038032Speter to connect to a host in a message. 380138032Speter This allows a single very fast pass 380238032Speter followed by more careful delivery 380338032Speter attempts in the future. 380490792SgshapiroconfTO_ACONNECT Timeout.aconnect 380590792Sgshapiro [0] The overall timeout waiting for 380690792Sgshapiro all connection for a single delivery 380790792Sgshapiro attempt to succeed. If 0, no overall 380890792Sgshapiro limit is applied. 380938032SpeterconfTO_HELO Timeout.helo [5m] The timeout waiting for a response 381038032Speter to a HELO or EHLO command. 381138032SpeterconfTO_MAIL Timeout.mail [10m] The timeout waiting for a 381238032Speter response to the MAIL command. 381338032SpeterconfTO_RCPT Timeout.rcpt [1h] The timeout waiting for a response 381438032Speter to the RCPT command. 381538032SpeterconfTO_DATAINIT Timeout.datainit 381638032Speter [5m] The timeout waiting for a 354 381738032Speter response from the DATA command. 381838032SpeterconfTO_DATABLOCK Timeout.datablock 381938032Speter [1h] The timeout waiting for a block 382038032Speter during DATA phase. 382138032SpeterconfTO_DATAFINAL Timeout.datafinal 382238032Speter [1h] The timeout waiting for a response 382338032Speter to the final "." that terminates a 382438032Speter message. 382538032SpeterconfTO_RSET Timeout.rset [5m] The timeout waiting for a response 382638032Speter to the RSET command. 382738032SpeterconfTO_QUIT Timeout.quit [2m] The timeout waiting for a response 382838032Speter to the QUIT command. 382938032SpeterconfTO_MISC Timeout.misc [2m] The timeout waiting for a response 383038032Speter to other SMTP commands. 383164562SgshapiroconfTO_COMMAND Timeout.command [1h] In server SMTP, the timeout 383264562Sgshapiro waiting for a command to be issued. 383364562SgshapiroconfTO_IDENT Timeout.ident [5s] The timeout waiting for a 383464562Sgshapiro response to an IDENT query. 383538032SpeterconfTO_FILEOPEN Timeout.fileopen 383638032Speter [60s] The timeout waiting for a file 383738032Speter (e.g., :include: file) to be opened. 383890792SgshapiroconfTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response 383990792Sgshapiro to an LMTP LHLO command. 384090792SgshapiroconfTO_AUTH Timeout.auth [10m] The timeout waiting for a 384190792Sgshapiro response in an AUTH dialogue. 384290792SgshapiroconfTO_STARTTLS Timeout.starttls 384390792Sgshapiro [1h] The timeout waiting for a 384490792Sgshapiro response to an SMTP STARTTLS command. 384564562SgshapiroconfTO_CONTROL Timeout.control 384664562Sgshapiro [2m] The timeout for a complete 384764562Sgshapiro control socket transaction to complete. 384838032SpeterconfTO_QUEUERETURN Timeout.queuereturn 384938032Speter [5d] The timeout before a message is 385038032Speter returned as undeliverable. 385138032SpeterconfTO_QUEUERETURN_NORMAL 385238032Speter Timeout.queuereturn.normal 385338032Speter [undefined] As above, for normal 385438032Speter priority messages. 385538032SpeterconfTO_QUEUERETURN_URGENT 385638032Speter Timeout.queuereturn.urgent 385738032Speter [undefined] As above, for urgent 385838032Speter priority messages. 385938032SpeterconfTO_QUEUERETURN_NONURGENT 386038032Speter Timeout.queuereturn.non-urgent 386138032Speter [undefined] As above, for non-urgent 386238032Speter (low) priority messages. 3863132943SgshapiroconfTO_QUEUERETURN_DSN 3864132943Sgshapiro Timeout.queuereturn.dsn 3865132943Sgshapiro [undefined] As above, for delivery 3866132943Sgshapiro status notification messages. 386738032SpeterconfTO_QUEUEWARN Timeout.queuewarn 386838032Speter [4h] The timeout before a warning 386938032Speter message is sent to the sender telling 387064562Sgshapiro them that the message has been 387164562Sgshapiro deferred. 387238032SpeterconfTO_QUEUEWARN_NORMAL Timeout.queuewarn.normal 387338032Speter [undefined] As above, for normal 387438032Speter priority messages. 387538032SpeterconfTO_QUEUEWARN_URGENT Timeout.queuewarn.urgent 387638032Speter [undefined] As above, for urgent 387738032Speter priority messages. 387838032SpeterconfTO_QUEUEWARN_NONURGENT 387938032Speter Timeout.queuewarn.non-urgent 388038032Speter [undefined] As above, for non-urgent 388138032Speter (low) priority messages. 3882132943SgshapiroconfTO_QUEUEWARN_DSN 3883132943Sgshapiro Timeout.queuewarn.dsn 3884132943Sgshapiro [undefined] As above, for delivery 3885132943Sgshapiro status notification messages. 388638032SpeterconfTO_HOSTSTATUS Timeout.hoststatus 388738032Speter [30m] How long information about host 388838032Speter statuses will be maintained before it 388938032Speter is considered stale and the host should 389038032Speter be retried. This applies both within 389138032Speter a single queue run and to persistent 389238032Speter information (see below). 389364562SgshapiroconfTO_RESOLVER_RETRANS Timeout.resolver.retrans 389464562Sgshapiro [varies] Sets the resolver's 389598121Sgshapiro retransmission time interval (in 389664562Sgshapiro seconds). Sets both 389764562Sgshapiro Timeout.resolver.retrans.first and 389864562Sgshapiro Timeout.resolver.retrans.normal. 389964562SgshapiroconfTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first 390064562Sgshapiro [varies] Sets the resolver's 390198121Sgshapiro retransmission time interval (in 390264562Sgshapiro seconds) for the first attempt to 390364562Sgshapiro deliver a message. 390464562SgshapiroconfTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal 390564562Sgshapiro [varies] Sets the resolver's 390698121Sgshapiro retransmission time interval (in 390764562Sgshapiro seconds) for all resolver lookups 390864562Sgshapiro except the first delivery attempt. 390964562SgshapiroconfTO_RESOLVER_RETRY Timeout.resolver.retry 391064562Sgshapiro [varies] Sets the number of times 391164562Sgshapiro to retransmit a resolver query. 391264562Sgshapiro Sets both 391364562Sgshapiro Timeout.resolver.retry.first and 391464562Sgshapiro Timeout.resolver.retry.normal. 391564562SgshapiroconfTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first 391664562Sgshapiro [varies] Sets the number of times 391764562Sgshapiro to retransmit a resolver query for 391864562Sgshapiro the first attempt to deliver a 391964562Sgshapiro message. 392064562SgshapiroconfTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal 392164562Sgshapiro [varies] Sets the number of times 392264562Sgshapiro to retransmit a resolver query for 392364562Sgshapiro all resolver lookups except the 392464562Sgshapiro first delivery attempt. 392538032SpeterconfTIME_ZONE TimeZoneSpec [USE_SYSTEM] Time zone info -- can be 392638032Speter USE_SYSTEM to use the system's idea, 392738032Speter USE_TZ to use the user's TZ envariable, 392838032Speter or something else to force that value. 392938032SpeterconfDEF_USER_ID DefaultUser [1:1] Default user id. 393038032SpeterconfUSERDB_SPEC UserDatabaseSpec 393164562Sgshapiro [undefined] User database 393264562Sgshapiro specification. 393338032SpeterconfFALLBACK_MX FallbackMXhost [undefined] Fallback MX host. 3934132943SgshapiroconfFALLBACK_SMARTHOST FallbackSmartHost 3935132943Sgshapiro [undefined] Fallback smart host. 393664562SgshapiroconfTRY_NULL_MX_LIST TryNullMXList [False] If this host is the best MX 393764562Sgshapiro for a host and other arrangements 393864562Sgshapiro haven't been made, try connecting 393964562Sgshapiro to the host directly; normally this 394064562Sgshapiro would be a config error. 394164562SgshapiroconfQUEUE_LA QueueLA [varies] Load average at which 394264562Sgshapiro queue-only function kicks in. 394364562Sgshapiro Default values is (8 * numproc) 394464562Sgshapiro where numproc is the number of 394564562Sgshapiro processors online (if that can be 394664562Sgshapiro determined). 394764562SgshapiroconfREFUSE_LA RefuseLA [varies] Load average at which 394864562Sgshapiro incoming SMTP connections are 394964562Sgshapiro refused. Default values is (12 * 395064562Sgshapiro numproc) where numproc is the 395164562Sgshapiro number of processors online (if 395264562Sgshapiro that can be determined). 3953132943SgshapiroconfREJECT_LOG_INTERVAL RejectLogInterval [3h] Log interval when 3954132943Sgshapiro refusing connections for this long. 395590792SgshapiroconfDELAY_LA DelayLA [0] Load average at which sendmail 395690792Sgshapiro will sleep for one second on most 395790792Sgshapiro SMTP commands and before accepting 395890792Sgshapiro connections. 0 means no limit. 395964562SgshapiroconfMAX_ALIAS_RECURSION MaxAliasRecursion 396064562Sgshapiro [10] Maximum depth of alias recursion. 396138032SpeterconfMAX_DAEMON_CHILDREN MaxDaemonChildren 396238032Speter [undefined] The maximum number of 396338032Speter children the daemon will permit. After 396438032Speter this number, connections will be 396538032Speter rejected. If not set or <= 0, there is 396638032Speter no limit. 396764562SgshapiroconfMAX_HEADERS_LENGTH MaxHeadersLength 396871345Sgshapiro [32768] Maximum length of the sum 396964562Sgshapiro of all headers. 397064562SgshapiroconfMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength 397164562Sgshapiro [undefined] Maximum length of 397264562Sgshapiro certain MIME header field values. 397338032SpeterconfCONNECTION_RATE_THROTTLE ConnectionRateThrottle 397438032Speter [undefined] The maximum number of 397590792Sgshapiro connections permitted per second per 397690792Sgshapiro daemon. After this many connections 397790792Sgshapiro are accepted, further connections 397890792Sgshapiro will be delayed. If not set or <= 0, 397990792Sgshapiro there is no limit. 3980132943SgshapiroconfCONNECTION_RATE_WINDOW_SIZE ConnectionRateWindowSize 3981132943Sgshapiro [60s] Define the length of the 3982132943Sgshapiro interval for which the number of 3983132943Sgshapiro incoming connections is maintained. 398438032SpeterconfWORK_RECIPIENT_FACTOR 398538032Speter RecipientFactor [30000] Cost of each recipient. 398664562SgshapiroconfSEPARATE_PROC ForkEachJob [False] Run all deliveries in a 398764562Sgshapiro separate process. 398838032SpeterconfWORK_CLASS_FACTOR ClassFactor [1800] Priority multiplier for class. 398938032SpeterconfWORK_TIME_FACTOR RetryFactor [90000] Cost of each delivery attempt. 399038032SpeterconfQUEUE_SORT_ORDER QueueSortOrder [Priority] Queue sort algorithm: 399190792Sgshapiro Priority, Host, Filename, Random, 399290792Sgshapiro Modification, or Time. 399338032SpeterconfMIN_QUEUE_AGE MinQueueAge [0] The minimum amount of time a job 399438032Speter must sit in the queue between queue 399538032Speter runs. This allows you to set the 399638032Speter queue run interval low for better 399738032Speter responsiveness without trying all 399838032Speter jobs in each run. 399938032SpeterconfDEF_CHAR_SET DefaultCharSet [unknown-8bit] When converting 400038032Speter unlabeled 8 bit input to MIME, the 400138032Speter character set to use by default. 400238032SpeterconfSERVICE_SWITCH_FILE ServiceSwitchFile 400364562Sgshapiro [/etc/mail/service.switch] The file 400464562Sgshapiro to use for the service switch on 400564562Sgshapiro systems that do not have a 400664562Sgshapiro system-defined switch. 400738032SpeterconfHOSTS_FILE HostsFile [/etc/hosts] The file to use when doing 400838032Speter "file" type access of hosts names. 400938032SpeterconfDIAL_DELAY DialDelay [0s] If a connection fails, wait this 401038032Speter long and try again. Zero means "don't 401138032Speter retry". This is to allow "dial on 401238032Speter demand" connections to have enough time 401338032Speter to complete a connection. 401438032SpeterconfNO_RCPT_ACTION NoRecipientAction 401538032Speter [none] What to do if there are no legal 401638032Speter recipient fields (To:, Cc: or Bcc:) 401738032Speter in the message. Legal values can 401838032Speter be "none" to just leave the 401938032Speter nonconforming message as is, "add-to" 402038032Speter to add a To: header with all the 402138032Speter known recipients (which may expose 402238032Speter blind recipients), "add-apparently-to" 402338032Speter to do the same but use Apparently-To: 402490792Sgshapiro instead of To: (strongly discouraged 402590792Sgshapiro in accordance with IETF standards), 402690792Sgshapiro "add-bcc" to add an empty Bcc: 402790792Sgshapiro header, or "add-to-undisclosed" to 402890792Sgshapiro add the header 402938032Speter ``To: undisclosed-recipients:;''. 403038032SpeterconfSAFE_FILE_ENV SafeFileEnvironment 403138032Speter [undefined] If set, sendmail will do a 403238032Speter chroot() into this directory before 403338032Speter writing files. 403438032SpeterconfCOLON_OK_IN_ADDR ColonOkInAddr [True unless Configuration Level > 6] 403538032Speter If set, colons are treated as a regular 403638032Speter character in addresses. If not set, 403738032Speter they are treated as the introducer to 403838032Speter the RFC 822 "group" syntax. Colons are 403938032Speter handled properly in route-addrs. This 404038032Speter option defaults on for V5 and lower 404138032Speter configuration files. 404238032SpeterconfMAX_QUEUE_RUN_SIZE MaxQueueRunSize [0] If set, limit the maximum size of 404338032Speter any given queue run to this number of 404438032Speter entries. Essentially, this will stop 404564562Sgshapiro reading each queue directory after this 404638032Speter number of entries are reached; it does 404738032Speter _not_ pick the highest priority jobs, 404838032Speter so this should be as large as your 404938032Speter system can tolerate. If not set, there 405038032Speter is no limit. 405190792SgshapiroconfMAX_QUEUE_CHILDREN MaxQueueChildren 405290792Sgshapiro [undefined] Limits the maximum number 405390792Sgshapiro of concurrent queue runners active. 405490792Sgshapiro This is to keep system resources used 405590792Sgshapiro within a reasonable limit. Relates to 4056132943Sgshapiro Queue Groups and ForkEachJob. 405790792SgshapiroconfMAX_RUNNERS_PER_QUEUE MaxRunnersPerQueue 405890792Sgshapiro [1] Only active when MaxQueueChildren 405990792Sgshapiro defined. Controls the maximum number 406090792Sgshapiro of queue runners (aka queue children) 406190792Sgshapiro active at the same time in a work 406290792Sgshapiro group. See also MaxQueueChildren. 406338032SpeterconfDONT_EXPAND_CNAMES DontExpandCnames 406438032Speter [False] If set, $[ ... $] lookups that 406538032Speter do DNS based lookups do not expand 406638032Speter CNAME records. This currently violates 406738032Speter the published standards, but the IETF 406838032Speter seems to be moving toward legalizing 406938032Speter this. For example, if "FTP.Foo.ORG" 407038032Speter is a CNAME for "Cruft.Foo.ORG", then 407138032Speter with this option set a lookup of 407238032Speter "FTP" will return "FTP.Foo.ORG"; if 407338032Speter clear it returns "Cruft.FOO.ORG". N.B. 407438032Speter you may not see any effect until your 407538032Speter downstream neighbors stop doing CNAME 407638032Speter lookups as well. 407764562SgshapiroconfFROM_LINE UnixFromLine [From $g $d] The From_ line used 407838032Speter when sending to files or programs. 407938032SpeterconfSINGLE_LINE_FROM_HEADER SingleLineFromHeader 408038032Speter [False] From: lines that have 408138032Speter embedded newlines are unwrapped 408238032Speter onto one line. 408338032SpeterconfALLOW_BOGUS_HELO AllowBogusHELO [False] Allow HELO SMTP command that 408438032Speter does not include a host name. 408538032SpeterconfMUST_QUOTE_CHARS MustQuoteChars [.'] Characters to be quoted in a full 408638032Speter name phrase (@,;:\()[] are automatic). 408738032SpeterconfOPERATORS OperatorChars [.:%@!^/[]+] Address operator 408838032Speter characters. 408938032SpeterconfSMTP_LOGIN_MSG SmtpGreetingMessage 409038032Speter [$j Sendmail $v/$Z; $b] 409138032Speter The initial (spontaneous) SMTP 409238032Speter greeting message. The word "ESMTP" 409338032Speter will be inserted between the first and 409438032Speter second words to convince other 409538032Speter sendmails to try to speak ESMTP. 409638032SpeterconfDONT_INIT_GROUPS DontInitGroups [False] If set, the initgroups(3) 409738032Speter routine will never be invoked. You 409838032Speter might want to do this if you are 409938032Speter running NIS and you have a large group 410038032Speter map, since this call does a sequential 410138032Speter scan of the map; in a large site this 410238032Speter can cause your ypserv to run 410338032Speter essentially full time. If you set 410438032Speter this, agents run on behalf of users 410538032Speter will only have their primary 410638032Speter (/etc/passwd) group permissions. 410738032SpeterconfUNSAFE_GROUP_WRITES UnsafeGroupWrites 4108157001Sgshapiro [True] If set, group-writable 410938032Speter :include: and .forward files are 411038032Speter considered "unsafe", that is, programs 411138032Speter and files cannot be directly referenced 411238032Speter from such files. World-writable files 411338032Speter are always considered unsafe. 4114157001Sgshapiro Notice: this option is deprecated and 4115157001Sgshapiro will be removed in future versions; 4116157001Sgshapiro Set GroupWritableForwardFileSafe 4117157001Sgshapiro and GroupWritableIncludeFileSafe in 4118157001Sgshapiro DontBlameSendmail if required. 411964562SgshapiroconfCONNECT_ONLY_TO ConnectOnlyTo [undefined] override connection 412064562Sgshapiro address (for testing). 412164562SgshapiroconfCONTROL_SOCKET_NAME ControlSocketName 412264562Sgshapiro [undefined] Control socket for daemon 412364562Sgshapiro management. 412438032SpeterconfDOUBLE_BOUNCE_ADDRESS DoubleBounceAddress 412538032Speter [postmaster] If an error occurs when 412638032Speter sending an error message, send that 412738032Speter "double bounce" error message to this 412890792Sgshapiro address. If it expands to an empty 412990792Sgshapiro string, double bounces are dropped. 4130168515SgshapiroconfSOFT_BOUNCE SoftBounce [False] If set, issue temporary errors 4131168515Sgshapiro (4xy) instead of permanent errors 4132168515Sgshapiro (5xy). This can be useful during 4133168515Sgshapiro testing of a new configuration to 4134168515Sgshapiro avoid erroneous bouncing of mails. 413564562SgshapiroconfDEAD_LETTER_DROP DeadLetterDrop [undefined] Filename to save bounce 413664562Sgshapiro messages which could not be returned 413764562Sgshapiro to the user or sent to postmaster. 413864562Sgshapiro If not set, the queue file will 413964562Sgshapiro be renamed. 414064562SgshapiroconfRRT_IMPLIES_DSN RrtImpliesDsn [False] Return-Receipt-To: header 414164562Sgshapiro implies DSN request. 414238032SpeterconfRUN_AS_USER RunAsUser [undefined] If set, become this user 414338032Speter when reading and delivering mail. 414438032Speter Causes all file reads (e.g., .forward 414538032Speter and :include: files) to be done as 414638032Speter this user. Also, all programs will 414738032Speter be run as this user, and all output 414838032Speter files will be written as this user. 414938032SpeterconfMAX_RCPTS_PER_MESSAGE MaxRecipientsPerMessage 415038032Speter [infinite] If set, allow no more than 415138032Speter the specified number of recipients in 415238032Speter an SMTP envelope. Further recipients 415338032Speter receive a 452 error code (i.e., they 415438032Speter are deferred for the next delivery 415538032Speter attempt). 4156125820SgshapiroconfBAD_RCPT_THROTTLE BadRcptThrottle [infinite] If set and the specified 4157125820Sgshapiro number of recipients in a single SMTP 4158125820Sgshapiro transaction have been rejected, sleep 4159125820Sgshapiro for one second after each subsequent 4160125820Sgshapiro RCPT command in that transaction. 416138032SpeterconfDONT_PROBE_INTERFACES DontProbeInterfaces 416238032Speter [False] If set, sendmail will _not_ 416338032Speter insert the names and addresses of any 416464562Sgshapiro local interfaces into class {w} 416538032Speter (list of known "equivalent" addresses). 416638032Speter If you set this, you must also include 416738032Speter some support for these addresses (e.g., 416838032Speter in a mailertable entry) -- otherwise, 416938032Speter mail to addresses in this list will 417038032Speter bounce with a configuration error. 417190792Sgshapiro If set to "loopback" (without 417290792Sgshapiro quotes), sendmail will skip 417390792Sgshapiro loopback interfaces (e.g., "lo0"). 417464562SgshapiroconfPID_FILE PidFile [system dependent] Location of pid 417564562Sgshapiro file. 417664562SgshapiroconfPROCESS_TITLE_PREFIX ProcessTitlePrefix 417764562Sgshapiro [undefined] Prefix string for the 417864562Sgshapiro process title shown on 'ps' listings. 417938032SpeterconfDONT_BLAME_SENDMAIL DontBlameSendmail 418038032Speter [safe] Override sendmail's file 418138032Speter safety checks. This will definitely 418238032Speter compromise system security and should 418338032Speter not be used unless absolutely 418438032Speter necessary. 418538032SpeterconfREJECT_MSG - [550 Access denied] The message 418638032Speter given if the access database contains 418738032Speter REJECT in the value portion. 418890792SgshapiroconfRELAY_MSG - [550 Relaying denied] The message 418990792Sgshapiro given if an unauthorized relaying 419090792Sgshapiro attempt is rejected. 419164562SgshapiroconfDF_BUFFER_SIZE DataFileBufferSize 419264562Sgshapiro [4096] The maximum size of a 419364562Sgshapiro memory-buffered data (df) file 419464562Sgshapiro before a disk-based file is used. 419564562SgshapiroconfXF_BUFFER_SIZE XScriptFileBufferSize 419664562Sgshapiro [4096] The maximum size of a 419764562Sgshapiro memory-buffered transcript (xf) 419864562Sgshapiro file before a disk-based file is 419964562Sgshapiro used. 420064562SgshapiroconfAUTH_MECHANISMS AuthMechanisms [GSSAPI KERBEROS_V4 DIGEST-MD5 420164562Sgshapiro CRAM-MD5] List of authentication 420264562Sgshapiro mechanisms for AUTH (separated by 420364562Sgshapiro spaces). The advertised list of 420464562Sgshapiro authentication mechanisms will be the 420564562Sgshapiro intersection of this list and the list 420664562Sgshapiro of available mechanisms as determined 4207132943Sgshapiro by the Cyrus SASL library. 4208132943SgshapiroconfAUTH_REALM AuthRealm [undefined] The authentication realm 4209132943Sgshapiro that is passed to the Cyrus SASL 4210132943Sgshapiro library. If no realm is specified, 4211132943Sgshapiro $j is used. 421273188SgshapiroconfDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains 421364562Sgshapiro authentication information for 421490792Sgshapiro outgoing connections. This file must 421590792Sgshapiro contain the user id, the authorization 421690792Sgshapiro id, the password (plain text), the 421790792Sgshapiro realm to use, and the list of 421890792Sgshapiro mechanisms to try, each on a separate 421990792Sgshapiro line and must be readable by root (or 422090792Sgshapiro the trusted user) only. If no realm 422190792Sgshapiro is specified, $j is used. If no 422290792Sgshapiro mechanisms are given in the file, 422390792Sgshapiro AuthMechanisms is used. Notice: this 422490792Sgshapiro option is deprecated and will be 422590792Sgshapiro removed in future versions; it doesn't 422690792Sgshapiro work for the MSP since it can't read 422790792Sgshapiro the file. Use the authinfo ruleset 422890792Sgshapiro instead. See also the section SMTP 422990792Sgshapiro AUTHENTICATION. 423090792SgshapiroconfAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' 423164562Sgshapiro then the AUTH= parameter for the 423264562Sgshapiro MAIL FROM command is only issued 423364562Sgshapiro when authentication succeeded. 4234147078Sgshapiro See doc/op/op.me for more options 4235147078Sgshapiro and details. 423690792SgshapiroconfAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption 423790792Sgshapiro strength for the security layer in 423890792Sgshapiro SMTP AUTH (SASL). Default is 423990792Sgshapiro essentially unlimited. 424090792SgshapiroconfTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client 424190792Sgshapiro verification is performed, i.e., 424290792Sgshapiro the server doesn't ask for a 424390792Sgshapiro certificate. 424464562SgshapiroconfLDAP_DEFAULT_SPEC LDAPDefaultSpec [undefined] Default map 424564562Sgshapiro specification for LDAP maps. The 424664562Sgshapiro value should only contain LDAP 424764562Sgshapiro specific settings such as "-h host 424864562Sgshapiro -p port -d bindDN", etc. The 424964562Sgshapiro settings will be used for all LDAP 425064562Sgshapiro maps unless they are specified in 425164562Sgshapiro the individual map specification 425264562Sgshapiro ('K' command). 4253110560SgshapiroconfCACERT_PATH CACertPath [undefined] Path to directory 425464562Sgshapiro with certs of CAs. 4255110560SgshapiroconfCACERT CACertFile [undefined] File containing one CA 425664562Sgshapiro cert. 425764562SgshapiroconfSERVER_CERT ServerCertFile [undefined] File containing the 425864562Sgshapiro cert of the server, i.e., this cert 425964562Sgshapiro is used when sendmail acts as 426064562Sgshapiro server. 426164562SgshapiroconfSERVER_KEY ServerKeyFile [undefined] File containing the 426264562Sgshapiro private key belonging to the server 426364562Sgshapiro cert. 426464562SgshapiroconfCLIENT_CERT ClientCertFile [undefined] File containing the 426564562Sgshapiro cert of the client, i.e., this cert 426664562Sgshapiro is used when sendmail acts as 426764562Sgshapiro client. 426864562SgshapiroconfCLIENT_KEY ClientKeyFile [undefined] File containing the 426964562Sgshapiro private key belonging to the client 427064562Sgshapiro cert. 4271132943SgshapiroconfCRL CRLFile [undefined] File containing certificate 4272132943Sgshapiro revocation status, useful for X.509v3 4273132943Sgshapiro authentication. Note that CRL requires 4274132943Sgshapiro at least OpenSSL version 0.9.7. 427564562SgshapiroconfDH_PARAMETERS DHParameters [undefined] File containing the 427664562Sgshapiro DH parameters. 427764562SgshapiroconfRAND_FILE RandFile [undefined] File containing random 427866494Sgshapiro data (use prefix file:) or the 427966494Sgshapiro name of the UNIX socket if EGD is 428066494Sgshapiro used (use prefix egd:). STARTTLS 428166494Sgshapiro requires this option if the compile 428266494Sgshapiro flag HASURANDOM is not set (see 428364562Sgshapiro sendmail/README). 428490792SgshapiroconfNICE_QUEUE_RUN NiceQueueRun [undefined] If set, the priority of 428590792Sgshapiro queue runners is set the given value 428690792Sgshapiro (nice(3)). 428790792SgshapiroconfDIRECT_SUBMISSION_MODIFIERS DirectSubmissionModifiers 428890792Sgshapiro [undefined] Defines {daemon_flags} 428990792Sgshapiro for direct submissions. 4290157001SgshapiroconfUSE_MSP UseMSP [undefined] Use as mail submission 429190792Sgshapiro program, see sendmail/SECURITY. 429290792SgshapiroconfDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By 429390792Sgshapiro SMTP Service Extension (RFC 2852). 4294132943SgshapiroconfREQUIRES_DIR_FSYNC RequiresDirfsync [true] RequiresDirfsync can 4295132943Sgshapiro be used to turn off the compile time 4296132943Sgshapiro flag REQUIRES_DIR_FSYNC at runtime. 4297132943Sgshapiro See sendmail/README for details. 429890792SgshapiroconfSHARED_MEMORY_KEY SharedMemoryKey [0] Key for shared memory. 4299168515SgshapiroconfSHARED_MEMORY_KEY_FILE 4300168515Sgshapiro SharedMemoryKeyFile 4301168515Sgshapiro [undefined] File where the 4302168515Sgshapiro automatically selected key for 4303168515Sgshapiro shared memory is stored. 430490792SgshapiroconfFAST_SPLIT FastSplit [1] If set to a value greater than 430590792Sgshapiro zero, the initial MX lookups on 430690792Sgshapiro addresses is suppressed when they 430790792Sgshapiro are sorted which may result in 430890792Sgshapiro faster envelope splitting. If the 430990792Sgshapiro mail is submitted directly from the 431090792Sgshapiro command line, then the value also 431190792Sgshapiro limits the number of processes to 431290792Sgshapiro deliver the envelopes. 431390792SgshapiroconfMAILBOX_DATABASE MailboxDatabase [pw] Type of lookup to find 431490792Sgshapiro information about local mailboxes. 431590792SgshapiroconfDEQUOTE_OPTS - [empty] Additional options for the 431690792Sgshapiro dequote map. 4317168515SgshapiroconfMAX_NOOP_COMMANDS MaxNOOPCommands [20] Maximum number of "useless" 4318168515Sgshapiro commands before the SMTP server 4319168515Sgshapiro will slow down responding. 4320168515SgshapiroconfHELO_NAME HeloName If defined, use as name for EHLO/HELO 4321168515Sgshapiro command (instead of $j). 432290792SgshapiroconfINPUT_MAIL_FILTERS InputMailFilters 432390792Sgshapiro A comma separated list of filters 432490792Sgshapiro which determines which filters and 432590792Sgshapiro the invocation sequence are 432690792Sgshapiro contacted for incoming SMTP 432790792Sgshapiro messages. If none are set, no 432890792Sgshapiro filters will be contacted. 432990792SgshapiroconfMILTER_LOG_LEVEL Milter.LogLevel [9] Log level for input mail filter 433090792Sgshapiro actions, defaults to LogLevel. 433190792SgshapiroconfMILTER_MACROS_CONNECT Milter.macros.connect 4332110560Sgshapiro [j, _, {daemon_name}, {if_name}, 4333110560Sgshapiro {if_addr}] Macros to transmit to 4334110560Sgshapiro milters when a session connection 4335110560Sgshapiro starts. 433690792SgshapiroconfMILTER_MACROS_HELO Milter.macros.helo 4337110560Sgshapiro [{tls_version}, {cipher}, 4338110560Sgshapiro {cipher_bits}, {cert_subject}, 4339110560Sgshapiro {cert_issuer}] Macros to transmit to 4340110560Sgshapiro milters after HELO/EHLO command. 434190792SgshapiroconfMILTER_MACROS_ENVFROM Milter.macros.envfrom 4342110560Sgshapiro [i, {auth_type}, {auth_authen}, 4343110560Sgshapiro {auth_ssf}, {auth_author}, 4344110560Sgshapiro {mail_mailer}, {mail_host}, 4345110560Sgshapiro {mail_addr}] Macros to transmit to 4346110560Sgshapiro milters after MAIL FROM command. 434790792SgshapiroconfMILTER_MACROS_ENVRCPT Milter.macros.envrcpt 4348110560Sgshapiro [{rcpt_mailer}, {rcpt_host}, 4349110560Sgshapiro {rcpt_addr}] Macros to transmit to 4350110560Sgshapiro milters after RCPT TO command. 4351132943SgshapiroconfMILTER_MACROS_EOM Milter.macros.eom 4352132943Sgshapiro [{msg_id}] Macros to transmit to 4353168515Sgshapiro milters after the terminating 4354168515Sgshapiro DATA '.' is received. 4355168515SgshapiroconfMILTER_MACROS_EOH Milter.macros.eoh 4356168515Sgshapiro Macros to transmit to milters 4357168515Sgshapiro after the end of headers. 4358168515SgshapiroconfMILTER_MACROS_DATA Milter.macros.data 4359168515Sgshapiro Macros to transmit to milters 4360168515Sgshapiro after DATA command is received. 436164562Sgshapiro 436290792Sgshapiro 436338032SpeterSee also the description of OSTYPE for some parameters that can be 436438032Spetertweaked (generally pathnames to mailers). 436538032Speter 436690792SgshapiroClientPortOptions and DaemonPortOptions are special cases since multiple 436790792Sgshapiroclients/daemons can be defined. This can be done via 436838032Speter 436990792Sgshapiro CLIENT_OPTIONS(`field1=value1,field2=value2,...') 437064562Sgshapiro DAEMON_OPTIONS(`field1=value1,field2=value2,...') 437164562Sgshapiro 437290792SgshapiroNote that multiple CLIENT_OPTIONS() commands (and therefore multiple 437390792SgshapiroClientPortOptions settings) are allowed in order to give settings for each 437490792Sgshapiroprotocol family (e.g., one for Family=inet and one for Family=inet6). A 437590792Sgshapirorestriction placed on one family only affects outgoing connections on that 437690792Sgshapiroparticular family. 437790792Sgshapiro 437864562SgshapiroIf DAEMON_OPTIONS is not used, then the default is 437964562Sgshapiro 438064562Sgshapiro DAEMON_OPTIONS(`Port=smtp, Name=MTA') 438164562Sgshapiro DAEMON_OPTIONS(`Port=587, Name=MSA, M=E') 438264562Sgshapiro 438364562SgshapiroIf you use one DAEMON_OPTIONS macro, it will alter the parameters 438464562Sgshapiroof the first of these. The second will still be defaulted; it 438564562Sgshapirorepresents a "Message Submission Agent" (MSA) as defined by RFC 438664562Sgshapiro2476 (see below). To turn off the default definition for the MSA, 438764562Sgshapirouse FEATURE(`no_default_msa') (see also FEATURES). If you use 438864562Sgshapiroadditional DAEMON_OPTIONS macros, they will add additional daemons. 438964562Sgshapiro 439064562SgshapiroExample 1: To change the port for the SMTP listener, while 439164562Sgshapirostill using the MSA default, use 439264562Sgshapiro DAEMON_OPTIONS(`Port=925, Name=MTA') 439364562Sgshapiro 439464562SgshapiroExample 2: To change the port for the MSA daemon, while still 439564562Sgshapirousing the default SMTP port, use 439664562Sgshapiro FEATURE(`no_default_msa') 439764562Sgshapiro DAEMON_OPTIONS(`Name=MTA') 439864562Sgshapiro DAEMON_OPTIONS(`Port=987, Name=MSA, M=E') 439964562Sgshapiro 440064562SgshapiroNote that if the first of those DAEMON_OPTIONS lines were omitted, then 440164562Sgshapirothere would be no listener on the standard SMTP port. 440264562Sgshapiro 440364562SgshapiroExample 3: To listen on both IPv4 and IPv6 interfaces, use 440464562Sgshapiro 440564562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v4, Family=inet') 440664562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6') 440764562Sgshapiro 440864562SgshapiroA "Message Submission Agent" still uses all of the same rulesets for 440964562Sgshapiroprocessing the message (and therefore still allows message rejection via 441064562Sgshapirothe check_* rulesets). In accordance with the RFC, the MSA will ensure 4411110560Sgshapirothat all domains in envelope addresses are fully qualified if the message 4412110560Sgshapirois relayed to another MTA. It will also enforce the normal address syntax 4413110560Sgshapirorules and log error messages. Additionally, by using the M=a modifier you 4414110560Sgshapirocan require authentication before messages are accepted by the MSA. 4415110560SgshapiroNotice: Do NOT use the 'a' modifier on a public accessible MTA! Finally, 4416110560Sgshapirothe M=E modifier shown above disables ETRN as required by RFC 2476. 441764562Sgshapiro 441890792SgshapiroMail filters can be defined using the INPUT_MAIL_FILTER() and MAIL_FILTER() 441990792Sgshapirocommands: 442064562Sgshapiro 442190792Sgshapiro INPUT_MAIL_FILTER(`sample', `S=local:/var/run/f1.sock') 442290792Sgshapiro MAIL_FILTER(`myfilter', `S=inet:3333@localhost') 442338032Speter 442490792SgshapiroThe INPUT_MAIL_FILTER() command causes the filter(s) to be called in the 442590792Sgshapirosame order they were specified by also setting confINPUT_MAIL_FILTERS. A 442690792Sgshapirofilter can be defined without adding it to the input filter list by using 442790792SgshapiroMAIL_FILTER() instead of INPUT_MAIL_FILTER() in your .mc file. 442890792SgshapiroAlternatively, you can reset the list of filters and their order by setting 442990792SgshapiroconfINPUT_MAIL_FILTERS option after all INPUT_MAIL_FILTER() commands in 443090792Sgshapiroyour .mc file. 443190792Sgshapiro 443290792Sgshapiro 443390792Sgshapiro+----------------------------+ 443490792Sgshapiro| MESSAGE SUBMISSION PROGRAM | 443590792Sgshapiro+----------------------------+ 443690792Sgshapiro 443790792SgshapiroThe purpose of the message submission program (MSP) is explained 443890792Sgshapiroin sendmail/SECURITY. This section contains a list of caveats and 443990792Sgshapiroa few hints how for those who want to tweak the default configuration 444090792Sgshapirofor it (which is installed as submit.cf). 444190792Sgshapiro 444290792SgshapiroNotice: do not add options/features to submit.mc unless you are 444390792Sgshapiroabsolutely sure you need them. Options you may want to change 444490792Sgshapiroinclude: 444590792Sgshapiro 444694334Sgshapiro- confTRUSTED_USERS, FEATURE(`use_ct_file'), and confCT_FILE for 444798121Sgshapiro avoiding X-Authentication warnings. 444894334Sgshapiro- confTIME_ZONE to change it from the default `USE_TZ'. 444990792Sgshapiro- confDELIVERY_MODE is set to interactive in msp.m4 instead 445090792Sgshapiro of the default background mode. 445198121Sgshapiro- FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses 445298121Sgshapiro to the LOCAL_RELAY instead of the default relay. 445398121Sgshapiro- confRAND_FILE if you use STARTTLS and sendmail is not compiled with 445498121Sgshapiro the flag HASURANDOM. 445590792Sgshapiro 445698121SgshapiroThe MSP performs hostname canonicalization by default. As also 445798121Sgshapiroexplained in sendmail/SECURITY, mail may end up for various DNS 445898121Sgshapirorelated reasons in the MSP queue. This problem can be minimized by 445998121Sgshapirousing 446098121Sgshapiro 446198121Sgshapiro FEATURE(`nocanonify', `canonify_hosts') 446298121Sgshapiro define(`confDIRECT_SUBMISSION_MODIFIERS', `C') 446398121Sgshapiro 446498121SgshapiroSee the discussion about nocanonify for possible side effects. 446598121Sgshapiro 446690792SgshapiroSome things are not intended to work with the MSP. These include 446790792Sgshapirofeatures that influence the delivery process (e.g., mailertable, 446890792Sgshapiroaliases), or those that are only important for a SMTP server (e.g., 446990792Sgshapirovirtusertable, DaemonPortOptions, multiple queues). Moreover, 447090792Sgshapirorelaxing certain restrictions (RestrictQueueRun, permissions on 447190792Sgshapiroqueue directory) or adding features (e.g., enabling prog/file mailer) 447290792Sgshapirocan cause security problems. 447390792Sgshapiro 447490792SgshapiroOther things don't work well with the MSP and require tweaking or 447590792Sgshapiroworkarounds. For example, to allow for client authentication it 447690792Sgshapirois not just sufficient to provide a client certificate and the 447790792Sgshapirocorresponding key, but it is also necessary to make the key group 447890792Sgshapiro(smmsp) readable and tell sendmail not to complain about that, i.e., 447990792Sgshapiro 448090792Sgshapiro define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') 448190792Sgshapiro 448290792SgshapiroIf the MSP should actually use AUTH then the necessary data 448390792Sgshapiroshould be placed in a map as explained in SMTP AUTHENTICATION: 448490792Sgshapiro 448590792SgshapiroFEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') 448690792Sgshapiro 448790792Sgshapiro/etc/mail/msp-authinfo should contain an entry like: 448890792Sgshapiro 448990792Sgshapiro AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" 449090792Sgshapiro 449190792SgshapiroThe file and the map created by makemap should be owned by smmsp, 449290792Sgshapiroits group should be smmsp, and it should have mode 640. The database 449390792Sgshapiroused by the MTA for AUTH must have a corresponding entry. 449490792SgshapiroAdditionally the MTA must trust this authentication data so the AUTH= 449590792Sgshapiropart will be relayed on to the next hop. This can be achieved by 449690792Sgshapiroadding the following to your sendmail.mc file: 449790792Sgshapiro 449890792Sgshapiro LOCAL_RULESETS 449990792Sgshapiro SLocal_trust_auth 450090792Sgshapiro R$* $: $&{auth_authen} 450190792Sgshapiro Rsmmsp $# OK 450290792Sgshapiro 4503132943SgshapiroNote: the authentication data can leak to local users who invoke 4504132943Sgshapirothe MSP with debug options or even with -v. For that reason either 4505132943Sgshapiroan authentication mechanism that does not show the password in the 4506132943SgshapiroAUTH dialogue (e.g., DIGEST-MD5) or a different authentication 4507132943Sgshapiromethod like STARTTLS should be used. 4508132943Sgshapiro 450990792Sgshapirofeature/msp.m4 defines almost all settings for the MSP. Most of 451090792Sgshapirothose should not be changed at all. Some of the features and options 451190792Sgshapirocan be overridden if really necessary. It is a bit tricky to do 451290792Sgshapirothis, because it depends on the actual way the option is defined 451390792Sgshapiroin feature/msp.m4. If it is directly defined (i.e., define()) then 451490792Sgshapirothe modified value must be defined after 451590792Sgshapiro 451690792Sgshapiro FEATURE(`msp') 451790792Sgshapiro 451890792SgshapiroIf it is conditionally defined (i.e., ifdef()) then the desired 451990792Sgshapirovalue must be defined before the FEATURE line in the .mc file. 452090792SgshapiroTo see how the options are defined read feature/msp.m4. 452190792Sgshapiro 452290792Sgshapiro 452390792Sgshapiro+--------------------------+ 452490792Sgshapiro| FORMAT OF FILES AND MAPS | 452590792Sgshapiro+--------------------------+ 452690792Sgshapiro 452790792SgshapiroFiles that define classes, i.e., F{classname}, consist of lines 452890792Sgshapiroeach of which contains a single element of the class. For example, 452990792Sgshapiro/etc/mail/local-host-names may have the following content: 453090792Sgshapiro 453190792Sgshapiromy.domain 453290792Sgshapiroanother.domain 453390792Sgshapiro 453490792SgshapiroMaps must be created using makemap(8) , e.g., 453590792Sgshapiro 453690792Sgshapiro makemap hash MAP < MAP 453790792Sgshapiro 453890792SgshapiroIn general, a text file from which a map is created contains lines 453990792Sgshapiroof the form 454090792Sgshapiro 454190792Sgshapirokey value 454290792Sgshapiro 454390792Sgshapirowhere 'key' and 'value' are also called LHS and RHS, respectively. 454490792SgshapiroBy default, the delimiter between LHS and RHS is a non-empty sequence 454590792Sgshapiroof white space characters. 454690792Sgshapiro 454790792Sgshapiro 454890792Sgshapiro+------------------+ 454990792Sgshapiro| DIRECTORY LAYOUT | 455090792Sgshapiro+------------------+ 455190792Sgshapiro 455238032SpeterWithin this directory are several subdirectories, to wit: 455338032Speter 455438032Speterm4 General support routines. These are typically 455538032Speter very important and should not be changed without 455638032Speter very careful consideration. 455738032Speter 455838032Spetercf The configuration files themselves. They have 455938032Speter ".mc" suffixes, and must be run through m4 to 456038032Speter become complete. The resulting output should 456138032Speter have a ".cf" suffix. 456238032Speter 456338032Speterostype Definitions describing a particular operating 456438032Speter system type. These should always be referenced 456538032Speter using the OSTYPE macro in the .mc file. Examples 456638032Speter include "bsd4.3", "bsd4.4", "sunos3.5", and 456738032Speter "sunos4.1". 456838032Speter 456938032Speterdomain Definitions describing a particular domain, referenced 457038032Speter using the DOMAIN macro in the .mc file. These are 457138032Speter site dependent; for example, "CS.Berkeley.EDU.m4" 457238032Speter describes hosts in the CS.Berkeley.EDU subdomain. 457338032Speter 457466494Sgshapiromailer Descriptions of mailers. These are referenced using 457538032Speter the MAILER macro in the .mc file. 457638032Speter 457738032Spetersh Shell files used when building the .cf file from the 457838032Speter .mc file in the cf subdirectory. 457938032Speter 458038032Speterfeature These hold special orthogonal features that you might 458138032Speter want to include. They should be referenced using 458238032Speter the FEATURE macro. 458338032Speter 458438032Speterhack Local hacks. These can be referenced using the HACK 458538032Speter macro. They shouldn't be of more than voyeuristic 458638032Speter interest outside the .Berkeley.EDU domain, but who knows? 458738032Speter 458838032Spetersiteconfig Site configuration -- e.g., tables of locally connected 458938032Speter UUCP sites. 459038032Speter 459138032Speter 459238032Speter+------------------------+ 459338032Speter| ADMINISTRATIVE DETAILS | 459438032Speter+------------------------+ 459538032Speter 459638032SpeterThe following sections detail usage of certain internal parts of the 459738032Spetersendmail.cf file. Read them carefully if you are trying to modify 459838032Speterthe current model. If you find the above descriptions adequate, these 459938032Spetershould be {boring, confusing, tedious, ridiculous} (pick one or more). 460038032Speter 460138032SpeterRULESETS (* means built in to sendmail) 460238032Speter 460338032Speter 0 * Parsing 460438032Speter 1 * Sender rewriting 460538032Speter 2 * Recipient rewriting 460638032Speter 3 * Canonicalization 460738032Speter 4 * Post cleanup 460838032Speter 5 * Local address rewrite (after aliasing) 460938032Speter 1x mailer rules (sender qualification) 461038032Speter 2x mailer rules (recipient qualification) 461138032Speter 3x mailer rules (sender header qualification) 461238032Speter 4x mailer rules (recipient header qualification) 461338032Speter 5x mailer subroutines (general) 461438032Speter 6x mailer subroutines (general) 461538032Speter 7x mailer subroutines (general) 461638032Speter 8x reserved 461738032Speter 90 Mailertable host stripping 461838032Speter 96 Bottom half of Ruleset 3 (ruleset 6 in old sendmail) 461938032Speter 97 Hook for recursive ruleset 0 call (ruleset 7 in old sendmail) 462038032Speter 98 Local part of ruleset 0 (ruleset 8 in old sendmail) 462138032Speter 462238032Speter 462338032SpeterMAILERS 462438032Speter 462538032Speter 0 local, prog local and program mailers 462638032Speter 1 [e]smtp, relay SMTP channel 462738032Speter 2 uucp-* UNIX-to-UNIX Copy Program 462838032Speter 3 netnews Network News delivery 462938032Speter 4 fax Sam Leffler's HylaFAX software 463038032Speter 5 mail11 DECnet mailer 463138032Speter 463238032Speter 463338032SpeterMACROS 463438032Speter 463538032Speter A 463638032Speter B Bitnet Relay 463738032Speter C DECnet Relay 463838032Speter D The local domain -- usually not needed 463938032Speter E reserved for X.400 Relay 464038032Speter F FAX Relay 464138032Speter G 464238032Speter H mail Hub (for mail clusters) 464338032Speter I 464438032Speter J 464538032Speter K 464638032Speter L Luser Relay 464764562Sgshapiro M Masquerade (who you claim to be) 464838032Speter N 464938032Speter O 465038032Speter P 465138032Speter Q 465238032Speter R Relay (for unqualified names) 465338032Speter S Smart Host 465438032Speter T 465564562Sgshapiro U my UUCP name (if you have a UUCP connection) 465664562Sgshapiro V UUCP Relay (class {V} hosts) 465764562Sgshapiro W UUCP Relay (class {W} hosts) 465864562Sgshapiro X UUCP Relay (class {X} hosts) 465938032Speter Y UUCP Relay (all other hosts) 466038032Speter Z Version number 466138032Speter 466238032Speter 466338032SpeterCLASSES 466438032Speter 466538032Speter A 466638032Speter B domains that are candidates for bestmx lookup 466738032Speter C 466838032Speter D 466938032Speter E addresses that should not seem to come from $M 467064562Sgshapiro F hosts this system forward for 467138032Speter G domains that should be looked up in genericstable 467238032Speter H 467338032Speter I 467438032Speter J 467538032Speter K 467638032Speter L addresses that should not be forwarded to $R 467738032Speter M domains that should be mapped to $M 467864562Sgshapiro N host/domains that should not be mapped to $M 467938032Speter O operators that indicate network operations (cannot be in local names) 468038032Speter P top level pseudo-domains: BITNET, DECNET, FAX, UUCP, etc. 468138032Speter Q 468264562Sgshapiro R domains this system is willing to relay (pass anti-spam filters) 468338032Speter S 468438032Speter T 468538032Speter U locally connected UUCP hosts 468638032Speter V UUCP hosts connected to relay $V 468738032Speter W UUCP hosts connected to relay $W 468838032Speter X UUCP hosts connected to relay $X 468938032Speter Y locally connected smart UUCP hosts 469038032Speter Z locally connected domain-ized UUCP hosts 469138032Speter . the class containing only a dot 469238032Speter [ the class containing only a left bracket 469338032Speter 469438032Speter 469538032SpeterM4 DIVERSIONS 469638032Speter 469738032Speter 1 Local host detection and resolution 469838032Speter 2 Local Ruleset 3 additions 469938032Speter 3 Local Ruleset 0 additions 470038032Speter 4 UUCP Ruleset 0 additions 470138032Speter 5 locally interpreted names (overrides $R) 470238032Speter 6 local configuration (at top of file) 470338032Speter 7 mailer definitions 470464562Sgshapiro 8 DNS based blacklists 470538032Speter 9 special local rulesets (1 and 2) 470664562Sgshapiro 4707266527Sgshapiro$Revision: 8.730 $, Last updated $Date: 2014-01-16 15:55:51 $ 4708