README revision 73188
138032Speter 264562Sgshapiro SENDMAIL CONFIGURATION FILES 338032Speter 464562SgshapiroThis document describes the sendmail configuration files. This package 564562Sgshapirorequires a post-V7 version of m4; if you are running the 4.2bsd, SysV.2, or 664562Sgshapiro7th Edition version. SunOS's /usr/5bin/m4 or BSD-Net/2's m4 both work. 764562SgshapiroGNU m4 version 1.1 or later also works. Unfortunately, the M4 on BSDI 1.0 838032Speterdoesn't work -- you'll have to use a Net/2 or GNU version. GNU m4 is 966494Sgshapiroavailable from ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the 1071345Sgshapirolatest version). EXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x 1164562Sgshapirois fine). Use GNU m4 on this platform. 1238032Speter 1364562SgshapiroTo get started, you may want to look at tcpproto.mc (for TCP-only sites), 1464562Sgshapirouucpproto.mc (for UUCP-only sites), and clientproto.mc (for clusters of 1564562Sgshapiroclients using a single mail host). Others are versions previously used at 1664562SgshapiroBerkeley. For example, ucbvax has gone away, but ucbvax.mc demonstrates 1764562Sgshapirosome interesting techniques. 1838032Speter 1938032Speter******************************************************************* 2038032Speter*** BE SURE YOU CUSTOMIZE THESE FILES! They have some *** 2138032Speter*** Berkeley-specific assumptions built in, such as the name *** 2264562Sgshapiro*** of their UUCP-relay. You'll want to create your own *** 2364562Sgshapiro*** domain description, and use that in place of *** 2438032Speter*** domain/Berkeley.EDU.m4. *** 2538032Speter******************************************************************* 2638032Speter 2738032Speter 2838032Speter+--------------------------+ 2938032Speter| INTRODUCTION AND EXAMPLE | 3038032Speter+--------------------------+ 3138032Speter 3238032SpeterConfiguration files are contained in the subdirectory "cf", with a 3338032Spetersuffix ".mc". They must be run through "m4" to produce a ".cf" file. 3438032SpeterYou must pre-load "cf.m4": 3538032Speter 3638032Speter m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf 3738032Speter 3864562SgshapiroAlternatively, you can simply: 3964562Sgshapiro 4064562Sgshapiro cd ${CFDIR}/cf 4164562Sgshapiro ./Build config.cf 4264562Sgshapiro 4338032Speterwhere ${CFDIR} is the root of the cf directory and config.mc is the 4438032Spetername of your configuration file. If you are running a version of M4 4538032Speterthat understands the __file__ builtin (versions of GNU m4 >= 0.75 do 4638032Speterthis, but the versions distributed with 4.4BSD and derivatives do not) 4738032Speteror the -I flag (ditto), then ${CFDIR} can be in an arbitrary directory. 4838032SpeterFor "traditional" versions, ${CFDIR} ***MUST*** be "..", or you MUST 4938032Speteruse -D_CF_DIR_=/path/to/cf/dir/ -- note the trailing slash! For example: 5038032Speter 5138032Speter m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 config.mc > config.cf 5238032Speter 5338032SpeterLet's examine a typical .mc file: 5438032Speter 5538032Speter divert(-1) 5638032Speter # 5773188Sgshapiro # Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. 5864562Sgshapiro # All rights reserved. 5938032Speter # Copyright (c) 1983 Eric P. Allman. All rights reserved. 6038032Speter # Copyright (c) 1988, 1993 6138032Speter # The Regents of the University of California. All rights reserved. 6238032Speter # 6338032Speter # By using this file, you agree to the terms and conditions set 6438032Speter # forth in the LICENSE file which can be found at the top level of 6538032Speter # the sendmail distribution. 6638032Speter # 6738032Speter 6838032Speter # 6938032Speter # This is a Berkeley-specific configuration file for HP-UX 9.x. 7038032Speter # It applies only to the Computer Science Division at Berkeley, 7138032Speter # and should not be used elsewhere. It is provided on the sendmail 7238032Speter # distribution as a sample only. To create your own configuration 7338032Speter # file, create an appropriate domain file in ../domain, change the 7438032Speter # `DOMAIN' macro below to reference that file, and copy the result 7538032Speter # to a name of your own choosing. 7638032Speter # 7738032Speter divert(0) 7838032Speter 7938032SpeterThe divert(-1) will delete the crud in the resulting output file. 8038032SpeterThe copyright notice can be replaced by whatever your lawyers require; 8164562Sgshapiroour lawyers require the one that is included in these files. A copyleft 8238032Speteris a copyright by another name. The divert(0) restores regular output. 8338032Speter 8438032Speter VERSIONID(`<SCCS or RCS version id>') 8538032Speter 8638032SpeterVERSIONID is a macro that stuffs the version information into the 8764562Sgshapiroresulting file. You could use SCCS, RCS, CVS, something else, or 8838032Speteromit it completely. This is not the same as the version id included 8938032Speterin SMTP greeting messages -- this is defined in m4/version.m4. 9038032Speter 9164562Sgshapiro OSTYPE(`hpux9')dnl 9238032Speter 9338032SpeterYou must specify an OSTYPE to properly configure things such as the 9438032Speterpathname of the help and status files, the flags needed for the local 9538032Spetermailer, and other important things. If you omit it, you will get an 9638032Spetererror when you try to build the configuration. Look at the ostype 9738032Speterdirectory for the list of known operating system types. 9838032Speter 9964562Sgshapiro DOMAIN(`CS.Berkeley.EDU')dnl 10038032Speter 10138032SpeterThis example is specific to the Computer Science Division at Berkeley. 10264562SgshapiroYou can use "DOMAIN(`generic')" to get a sufficiently bland definition 10338032Speterthat may well work for you, or you can create a customized domain 10438032Speterdefinition appropriate for your environment. 10538032Speter 10664562Sgshapiro MAILER(`local') 10764562Sgshapiro MAILER(`smtp') 10838032Speter 10964562SgshapiroThese describe the mailers used at the default CS site. The 11038032Speterlocal mailer is always included automatically. Beware: MAILER 11138032Speterdeclarations should always be at the end of the configuration file, 11264562Sgshapiroand MAILER(`smtp') should always precede MAILER(`procmail'), and 11364562SgshapiroMAILER(`uucp'). The general rules are that the order should be: 11438032Speter 11538032Speter VERSIONID 11638032Speter OSTYPE 11738032Speter DOMAIN 11838032Speter FEATURE 11938032Speter local macro definitions 12038032Speter MAILER 12164562Sgshapiro LOCAL_RULE_* 12264562Sgshapiro LOCAL_RULESETS 12338032Speter 12464562SgshapiroThere are a few exceptions to this rule. Local macro definitions which 12564562Sgshapiroinfluence a FEATURE() should be done before that feature. For example, 12664562Sgshapiroa define(`PROCMAIL_MAILER_PATH', ...) should be done before 12764562SgshapiroFEATURE(`local_procmail'). 12838032Speter 12964562Sgshapiro 13038032Speter+----------------------------+ 13138032Speter| A BRIEF INTRODUCTION TO M4 | 13238032Speter+----------------------------+ 13338032Speter 13438032SpeterSendmail uses the M4 macro processor to ``compile'' the configuration 13538032Speterfiles. The most important thing to know is that M4 is stream-based, 13638032Speterthat is, it doesn't understand about lines. For this reason, in some 13738032Speterplaces you may see the word ``dnl'', which stands for ``delete 13838032Speterthrough newline''; essentially, it deletes all characters starting 13938032Speterat the ``dnl'' up to and including the next newline character. In 14038032Spetermost cases sendmail uses this only to avoid lots of unnecessary 14138032Speterblank lines in the output. 14238032Speter 14338032SpeterOther important directives are define(A, B) which defines the macro 14438032Speter``A'' to have value ``B''. Macros are expanded as they are read, so 14538032Speterone normally quotes both values to prevent expansion. For example, 14638032Speter 14738032Speter define(`SMART_HOST', `smart.foo.com') 14838032Speter 14938032SpeterOne word of warning: M4 macros are expanded even in lines that appear 15038032Speterto be comments. For example, if you have 15138032Speter 15264562Sgshapiro # See FEATURE(`foo') above 15338032Speter 15464562Sgshapiroit will not do what you expect, because the FEATURE(`foo') will be 15538032Speterexpanded. This also applies to 15638032Speter 15738032Speter # And then define the $X macro to be the return address 15838032Speter 15938032Speterbecause ``define'' is an M4 keyword. If you want to use them, surround 16038032Speterthem with directed quotes, `like this'. 16138032Speter 16238032Speter+----------------+ 16338032Speter| FILE LOCATIONS | 16438032Speter+----------------+ 16538032Speter 16638032Spetersendmail 8.9 has introduced a new configuration directory for sendmail 16738032Speterrelated files, /etc/mail. The new files available for sendmail 8.9 -- 16864562Sgshapirothe class {R} /etc/mail/relay-domains and the access database 16964562Sgshapiro/etc/mail/access -- take advantage of this new directory. Beginning with 17064562Sgshapiro8.10, all files will use this directory by default (some options may be 17164562Sgshapiroset by OSTYPE() files). This new directory should help to restore 17264562Sgshapirouniformity to sendmail's file locations. 17338032Speter 17464562SgshapiroBelow is a table of some of the common changes: 17564562Sgshapiro 17664562SgshapiroOld filename New filename 17764562Sgshapiro------------ ------------ 17864562Sgshapiro/etc/bitdomain /etc/mail/bitdomain 17964562Sgshapiro/etc/domaintable /etc/mail/domaintable 18064562Sgshapiro/etc/genericstable /etc/mail/genericstable 18164562Sgshapiro/etc/uudomain /etc/mail/uudomain 18264562Sgshapiro/etc/virtusertable /etc/mail/virtusertable 18364562Sgshapiro/etc/userdb /etc/mail/userdb 18464562Sgshapiro 18564562Sgshapiro/etc/aliases /etc/mail/aliases 18664562Sgshapiro/etc/sendmail/aliases /etc/mail/aliases 18764562Sgshapiro/etc/ucbmail/aliases /etc/mail/aliases 18864562Sgshapiro/usr/adm/sendmail/aliases /etc/mail/aliases 18964562Sgshapiro/usr/lib/aliases /etc/mail/aliases 19064562Sgshapiro/usr/lib/mail/aliases /etc/mail/aliases 19164562Sgshapiro/usr/ucblib/aliases /etc/mail/aliases 19264562Sgshapiro 19364562Sgshapiro/etc/sendmail.cw /etc/mail/local-host-names 19464562Sgshapiro/etc/mail/sendmail.cw /etc/mail/local-host-names 19564562Sgshapiro/etc/sendmail/sendmail.cw /etc/mail/local-host-names 19664562Sgshapiro 19764562Sgshapiro/etc/sendmail.ct /etc/mail/trusted-users 19864562Sgshapiro 19964562Sgshapiro/etc/sendmail.oE /etc/mail/error-header 20064562Sgshapiro 20164562Sgshapiro/etc/sendmail.hf /etc/mail/helpfile 20264562Sgshapiro/etc/mail/sendmail.hf /etc/mail/helpfile 20364562Sgshapiro/usr/ucblib/sendmail.hf /etc/mail/helpfile 20464562Sgshapiro/etc/ucbmail/sendmail.hf /etc/mail/helpfile 20564562Sgshapiro/usr/lib/sendmail.hf /etc/mail/helpfile 20664562Sgshapiro/usr/share/lib/sendmail.hf /etc/mail/helpfile 20764562Sgshapiro/usr/share/misc/sendmail.hf /etc/mail/helpfile 20864562Sgshapiro/share/misc/sendmail.hf /etc/mail/helpfile 20964562Sgshapiro 21064562Sgshapiro/etc/service.switch /etc/mail/service.switch 21164562Sgshapiro 21264562Sgshapiro/etc/sendmail.st /etc/mail/statistics 21364562Sgshapiro/etc/mail/sendmail.st /etc/mail/statistics 21464562Sgshapiro/etc/mailer/sendmail.st /etc/mail/statistics 21564562Sgshapiro/etc/sendmail/sendmail.st /etc/mail/statistics 21664562Sgshapiro/usr/lib/sendmail.st /etc/mail/statistics 21764562Sgshapiro/usr/ucblib/sendmail.st /etc/mail/statistics 21864562Sgshapiro 21964562SgshapiroNote that all of these paths actually use a new m4 macro MAIL_SETTINGS_DIR 22064562Sgshapiroto create the pathnames. The default value of this variable is 22164562Sgshapiro`/etc/mail/'. If you set this macro to a different value, you MUST include 22264562Sgshapiroa trailing slash. 22364562Sgshapiro 22438032Speter+--------+ 22538032Speter| OSTYPE | 22638032Speter+--------+ 22738032Speter 22838032SpeterYou MUST define an operating system environment, or the configuration 22938032Speterfile build will puke. There are several environments available; look 23038032Speterat the "ostype" directory for the current list. This macro changes 23138032Speterthings like the location of the alias file and queue directory. Some 23238032Speterof these files are identical to one another. 23338032Speter 23438032SpeterIt is IMPERATIVE that the OSTYPE occur before any MAILER definitions. 23538032SpeterIn general, the OSTYPE macro should go immediately after any version 23638032Speterinformation, and MAILER definitions should always go last. 23738032Speter 23838032SpeterOperating system definitions are usually easy to write. They may define 23938032Speterthe following variables (everything defaults, so an ostype file may be 24038032Speterempty). Unfortunately, the list of configuration-supported systems is 24138032Speternot as broad as the list of source-supported systems, since many of 24238032Speterthe source contributors do not include corresponding ostype files. 24338032Speter 24464562SgshapiroALIAS_FILE [/etc/mail/aliases] The location of the text version 24538032Speter of the alias file(s). It can be a comma-separated 24638032Speter list of names (but be sure you quote values with 24738032Speter commas in them -- for example, use 24838032Speter define(`ALIAS_FILE', `a,b') 24938032Speter to get "a" and "b" both listed as alias files; 25038032Speter otherwise the define() primitive only sees "a"). 25164562SgshapiroHELP_FILE [/etc/mail/helpfile] The name of the file 25238032Speter containing information printed in response to 25338032Speter the SMTP HELP command. 25438032SpeterQUEUE_DIR [/var/spool/mqueue] The directory containing 25564562Sgshapiro queue files. To use multiple queues, supply 25664562Sgshapiro a value ending with an asterisk. For 25773188Sgshapiro example, /var/spool/mqueue/qd* will use all of the 25864562Sgshapiro directories or symbolic links to directories 25973188Sgshapiro beginning with 'qd' in /var/spool/mqueue as queue 26064562Sgshapiro directories. The names 'qf', 'df', and 'xf' are 26173188Sgshapiro reserved as specific subdirectories for the 26273188Sgshapiro corresponding queue file types as explained in 26373188Sgshapiro doc/op/op.me. 26464562SgshapiroSTATUS_FILE [/etc/mail/statistics] The file containing status 26538032Speter information. 26638032SpeterLOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. 26764562SgshapiroLOCAL_MAILER_FLAGS [Prmn9] The flags used by the local mailer. The 26864562Sgshapiro flags lsDFMAw5:/|@q are always included. 26938032SpeterLOCAL_MAILER_ARGS [mail -d $u] The arguments passed to deliver local 27038032Speter mail. 27138032SpeterLOCAL_MAILER_MAX [undefined] If defined, the maximum size of local 27238032Speter mail that you are willing to accept. 27364562SgshapiroLOCAL_MAILER_MAXMSGS [undefined] If defined, the maximum number of 27464562Sgshapiro messages to deliver in a single connection. Only 27564562Sgshapiro useful for LMTP local mailers. 27638032SpeterLOCAL_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 27738032Speter that ARRIVE from an address that resolves to the 27838032Speter local mailer and which are converted to MIME will be 27938032Speter labeled with this character set. 28064562SgshapiroLOCAL_MAILER_EOL [undefined] If defined, the string to use as the 28164562Sgshapiro end of line for the local mailer. 28264562SgshapiroLOCAL_MAILER_DSN_DIAGNOSTIC_CODE 28364562Sgshapiro [X-Unix] The DSN Diagnostic-Code value for the 28464562Sgshapiro local mailer. This should be changed with care. 28538032SpeterLOCAL_SHELL_PATH [/bin/sh] The shell used to deliver piped email. 28638032SpeterLOCAL_SHELL_FLAGS [eu9] The flags used by the shell mailer. The 28738032Speter flags lsDFM are always included. 28838032SpeterLOCAL_SHELL_ARGS [sh -c $u] The arguments passed to deliver "prog" 28938032Speter mail. 29038032SpeterLOCAL_SHELL_DIR [$z:/] The directory search path in which the 29138032Speter shell should run. 29238032SpeterUSENET_MAILER_PATH [/usr/lib/news/inews] The name of the program 29338032Speter used to submit news. 29464562SgshapiroUSENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer. 29538032SpeterUSENET_MAILER_ARGS [-m -h -n] The command line arguments for the 29638032Speter usenet mailer. 29738032SpeterUSENET_MAILER_MAX [100000] The maximum size of messages that will 29838032Speter be accepted by the usenet mailer. 29938032SpeterSMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default 30064562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 30164562Sgshapiro "esmtp" mailer adds `a'; "smtp8" adds `8'; and 30264562Sgshapiro "dsmtp" adds `%'. 30364562SgshapiroRELAY_MAILER_FLAGS [undefined] Flags added to the relay mailer. Default 30464562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 30564562Sgshapiro relay mailer adds `a8'. If this is not defined, 30664562Sgshapiro then SMTP_MAILER_FLAGS is used. 30738032SpeterSMTP_MAILER_MAX [undefined] The maximum size of messages that will 30864562Sgshapiro be transported using the smtp, smtp8, esmtp, or dsmtp 30938032Speter mailers. 31064562SgshapiroSMTP_MAILER_MAXMSGS [undefined] If defined, the maximum number of 31164562Sgshapiro messages to deliver in a single connection for the 31264562Sgshapiro smtp, smtp8, esmtp, or dsmtp mailers. 31366494SgshapiroSMTP_MAILER_ARGS [TCP $h] The arguments passed to the smtp mailer. 31438032Speter About the only reason you would want to change this 31538032Speter would be to change the default port. 31666494SgshapiroESMTP_MAILER_ARGS [TCP $h] The arguments passed to the esmtp mailer. 31766494SgshapiroSMTP8_MAILER_ARGS [TCP $h] The arguments passed to the smtp8 mailer. 31866494SgshapiroDSMTP_MAILER_ARGS [TCP $h] The arguments passed to the dsmtp mailer. 31966494SgshapiroRELAY_MAILER_ARGS [TCP $h] The arguments passed to the relay mailer. 32064562SgshapiroRELAY_MAILER_MAXMSGS [undefined] If defined, the maximum number of 32164562Sgshapiro messages to deliver in a single connection for the 32264562Sgshapiro relay mailer. 32338032SpeterSMTP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 32438032Speter that ARRIVE from an address that resolves to one of 32538032Speter the SMTP mailers and which are converted to MIME will 32638032Speter be labeled with this character set. 32738032SpeterUUCP_MAILER_PATH [/usr/bin/uux] The program used to send UUCP mail. 32838032SpeterUUCP_MAILER_FLAGS [undefined] Flags added to UUCP mailer. Default 32938032Speter flags are `DFMhuU' (and `m' for uucp-new mailer, 33038032Speter minus `U' for uucp-dom mailer). 33138032SpeterUUCP_MAILER_ARGS [uux - -r -z -a$g -gC $h!rmail ($u)] The arguments 33238032Speter passed to the UUCP mailer. 33338032SpeterUUCP_MAILER_MAX [100000] The maximum size message accepted for 33438032Speter transmission by the UUCP mailers. 33538032SpeterUUCP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 33638032Speter that ARRIVE from an address that resolves to one of 33738032Speter the UUCP mailers and which are converted to MIME will 33838032Speter be labeled with this character set. 33938032SpeterFAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to 34038032Speter submit FAX messages. 34138032SpeterFAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX 34238032Speter mailer. 34338032SpeterFAX_MAILER_MAX [100000] The maximum size message accepted for 34438032Speter transmission by FAX. 34538032SpeterPOP_MAILER_PATH [/usr/lib/mh/spop] The pathname of the POP mailer. 34664562SgshapiroPOP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq 34738032Speter are always added. 34838032SpeterPOP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer. 34938032SpeterPROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail 35043730Speter program. This is also used by 35143730Speter FEATURE(`local_procmail'). 35238032SpeterPROCMAIL_MAILER_FLAGS [SPhnu9] Flags added to Procmail mailer. Flags 35364562Sgshapiro DFM are always set. This is NOT used by 35443730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_FLAGS 35538032Speter instead. 35638032SpeterPROCMAIL_MAILER_ARGS [procmail -Y -m $h $f $u] The arguments passed to 35738032Speter the Procmail mailer. This is NOT used by 35843730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_ARGS 35938032Speter instead. 36038032SpeterPROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that 36138032Speter will be accepted by the procmail mailer. 36238032SpeterMAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer. 36338032SpeterMAIL11_MAILER_FLAGS [nsFx] Flags for the mail11 mailer. 36438032SpeterMAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11 36538032Speter mailer. 36638032SpeterPH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery 36738032Speter program. 36864562SgshapiroPH_MAILER_FLAGS [ehmu] Flags for the phquery mailer. Flags nrDFM 36964562Sgshapiro are always set. 37038032SpeterPH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer. 37164562SgshapiroCYRUS_MAILER_FLAGS [Ah5@/:|] The flags used by the cyrus mailer. The 37238032Speter flags lsDFMnPq are always included. 37338032SpeterCYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver 37438032Speter cyrus mail. 37538032SpeterCYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed 37638032Speter to deliver cyrus mail. 37738032SpeterCYRUS_MAILER_MAX [undefined] If set, the maximum size message that 37838032Speter will be accepted by the cyrus mailer. 37938032SpeterCYRUS_MAILER_USER [cyrus:mail] The user and group to become when 38038032Speter running the cyrus mailer. 38164562SgshapiroCYRUS_BB_MAILER_FLAGS [u] The flags used by the cyrusbb mailer. 38264562Sgshapiro The flags lsDFMnP are always included. 38338032SpeterCYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed 38438032Speter to deliver cyrusbb mail. 38538032SpeterconfEBINDIR [/usr/libexec] The directory for executables. 38643730Speter Currently used for FEATURE(`local_lmtp') and 38743730Speter FEATURE(`smrsh'). 38864562SgshapiroQPAGE_MAILER_FLAGS [mDFMs] The flags used by the qpage mailer. 38964562SgshapiroQPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver 39064562Sgshapiro qpage mail. 39164562SgshapiroQPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed 39264562Sgshapiro to deliver qpage mail. 39364562SgshapiroQPAGE_MAILER_MAX [4096] If set, the maximum size message that 39464562Sgshapiro will be accepted by the qpage mailer. 39538032Speter 39664562SgshapiroNote: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: 39764562SgshapiroMODIFY_MAILER_FLAGS(`Name', `change') where Name is the first part of 39864562Sgshapirothe macro Name_MAILER_FLAGS and change can be: flags that should 39964562Sgshapirobe used directly (thus overriding the default value), or if it 40064562Sgshapirostarts with `+' (`-') then those flags are added to (removed from) 40164562Sgshapirothe default value. Example: 40238032Speter 40364562Sgshapiro MODIFY_MAILER_FLAGS(`LOCAL', `+e') 40438032Speter 40564562Sgshapirowill add the flag `e' to LOCAL_MAILER_FLAGS. 40664562SgshapiroWARNING: The FEATUREs local_lmtp and local_procmail set LOCAL_MAILER_FLAGS 40764562Sgshapirounconditionally, i.e., without respecting any definitions in an 40864562SgshapiroOSTYPE setting. 40964562Sgshapiro 41064562Sgshapiro 41138032Speter+---------+ 41238032Speter| DOMAINS | 41338032Speter+---------+ 41438032Speter 41538032SpeterYou will probably want to collect domain-dependent defines into one 41664562Sgshapirofile, referenced by the DOMAIN macro. For example, the Berkeley 41738032Speterdomain file includes definitions for several internal distinguished 41838032Speterhosts: 41938032Speter 42038032SpeterUUCP_RELAY The host that will accept UUCP-addressed email. 42138032Speter If not defined, all UUCP sites must be directly 42238032Speter connected. 42338032SpeterBITNET_RELAY The host that will accept BITNET-addressed email. 42438032Speter If not defined, the .BITNET pseudo-domain won't work. 42538032SpeterDECNET_RELAY The host that will accept DECNET-addressed email. 42638032Speter If not defined, the .DECNET pseudo-domain and addresses 42738032Speter of the form node::user will not work. 42838032SpeterFAX_RELAY The host that will accept mail to the .FAX pseudo-domain. 42938032Speter The "fax" mailer overrides this value. 43071345SgshapiroLOCAL_RELAY The site that will handle unqualified names -- that 43171345Sgshapiro is, names with out an @domain extension. 43271345Sgshapiro Normally MAIL_HUB is preferred for this function. 43371345Sgshapiro LOCAL_RELAY is mostly useful in conjunction with 43471345Sgshapiro FEATURE(stickyhost) -- see the discussion of 43571345Sgshapiro stickyhost below. If not set, they are assumed to 43671345Sgshapiro belong on this machine. This allows you to have a 43771345Sgshapiro central site to store a company- or department-wide 43871345Sgshapiro alias database. This only works at small sites, 43971345Sgshapiro and only with some user agents. 44038032SpeterLUSER_RELAY The site that will handle lusers -- that is, apparently 44164562Sgshapiro local names that aren't local accounts or aliases. To 44264562Sgshapiro specify a local user instead of a site, set this to 44364562Sgshapiro ``local:username''. 44438032Speter 44538032SpeterAny of these can be either ``mailer:hostname'' (in which case the 44638032Spetermailer is the internal mailer name, such as ``uucp-new'' and the hostname 44738032Speteris the name of the host as appropriate for that mailer) or just a 44838032Speter``hostname'', in which case a default mailer type (usually ``relay'', 44938032Spetera variant on SMTP) is used. WARNING: if you have a wildcard MX 45038032Speterrecord matching your domain, you probably want to define these to 45138032Speterhave a trailing dot so that you won't get the mail diverted back 45238032Speterto yourself. 45338032Speter 45438032SpeterThe domain file can also be used to define a domain name, if needed 45538032Speter(using "DD<domain>") and set certain site-wide features. If all hosts 45638032Speterat your site masquerade behind one email name, you could also use 45738032SpeterMASQUERADE_AS here. 45838032Speter 45938032SpeterYou do not have to define a domain -- in particular, if you are a 46038032Spetersingle machine sitting off somewhere, it is probably more work than 46138032Speterit's worth. This is just a mechanism for combining "domain dependent 46238032Speterknowledge" into one place. 46338032Speter 46438032Speter+---------+ 46538032Speter| MAILERS | 46638032Speter+---------+ 46738032Speter 46838032SpeterThere are fewer mailers supported in this version than the previous 46938032Speterversion, owing mostly to a simpler world. As a general rule, put the 47064562SgshapiroMAILER definitions last in your .mc file, and always put MAILER(`smtp') 47164562Sgshapirobefore MAILER(`uucp') and MAILER(`procmail') -- several features and 47264562Sgshapirodefinitions will modify the definition of mailers, and the smtp mailer 47364562Sgshapiromodifies the UUCP mailer. Moreover, MAILER(`cyrus'), MAILER(`pop'), 47464562SgshapiroMAILER(`phquery'), and MAILER(`usenet') must be defined after 47564562SgshapiroMAILER(`local'). 47638032Speter 47738032Speterlocal The local and prog mailers. You will almost always 47838032Speter need these; the only exception is if you relay ALL 47938032Speter your mail to another site. This mailer is included 48038032Speter automatically. 48138032Speter 48238032Spetersmtp The Simple Mail Transport Protocol mailer. This does 48338032Speter not hide hosts behind a gateway or another other 48438032Speter such hack; it assumes a world where everyone is 48538032Speter running the name server. This file actually defines 48664562Sgshapiro five mailers: "smtp" for regular (old-style) SMTP to 48738032Speter other servers, "esmtp" for extended SMTP to other 48838032Speter servers, "smtp8" to do SMTP to other servers without 48938032Speter converting 8-bit data to MIME (essentially, this is 49038032Speter your statement that you know the other end is 8-bit 49164562Sgshapiro clean even if it doesn't say so), "dsmtp" to do on 49264562Sgshapiro demand delivery, and "relay" for transmission to the 49364562Sgshapiro RELAY_HOST, LUSER_RELAY, or MAIL_HUB. 49438032Speter 49566494Sgshapirouucp The UNIX-to-UNIX Copy Program mailer. Actually, this 49638032Speter defines two mailers, "uucp-old" (a.k.a. "uucp") and 49738032Speter "uucp-new" (a.k.a. "suucp"). The latter is for when you 49838032Speter know that the UUCP mailer at the other end can handle 49938032Speter multiple recipients in one transfer. If the smtp mailer 50038032Speter is also included in your configuration, two other mailers 50138032Speter ("uucp-dom" and "uucp-uudom") are also defined [warning: 50238032Speter you MUST specify MAILER(smtp) before MAILER(uucp)]. When you 50338032Speter include the uucp mailer, sendmail looks for all names in 50464562Sgshapiro class {U} and sends them to the uucp-old mailer; all 50564562Sgshapiro names in class {Y} are sent to uucp-new; and all 50664562Sgshapiro names in class {Z} are sent to uucp-uudom. Note that 50738032Speter this is a function of what version of rmail runs on 50838032Speter the receiving end, and hence may be out of your control. 50938032Speter See the section below describing UUCP mailers in more 51038032Speter detail. 51138032Speter 51238032Speterusenet Usenet (network news) delivery. If this is specified, 51338032Speter an extra rule is added to ruleset 0 that forwards all 51438032Speter local email for users named ``group.usenet'' to the 51538032Speter ``inews'' program. Note that this works for all groups, 51638032Speter and may be considered a security problem. 51738032Speter 51838032Speterfax Facsimile transmission. This is experimental and based 51938032Speter on Sam Leffler's HylaFAX software. For more information, 52071345Sgshapiro see http://www.hylafax.org/. 52138032Speter 52238032Speterpop Post Office Protocol. 52338032Speter 52438032Speterprocmail An interface to procmail (does not come with sendmail). 52538032Speter This is designed to be used in mailertables. For example, 52638032Speter a common question is "how do I forward all mail for a given 52738032Speter domain to a single person?". If you have this mailer 52838032Speter defined, you could set up a mailertable reading: 52938032Speter 53038032Speter host.com procmail:/etc/procmailrcs/host.com 53138032Speter 53238032Speter with the file /etc/procmailrcs/host.com reading: 53338032Speter 53438032Speter :0 # forward mail for host.com 53538032Speter ! -oi -f $1 person@other.host 53638032Speter 53738032Speter This would arrange for (anything)@host.com to be sent 53838032Speter to person@other.host. Within the procmail script, $1 is 53938032Speter the name of the sender and $2 is the name of the recipient. 54043730Speter If you use this with FEATURE(`local_procmail'), the FEATURE 54138032Speter should be listed first. 54238032Speter 54338032Spetermail11 The DECnet mail11 mailer, useful only if you have the mail11 54438032Speter program from gatekeeper.dec.com:/pub/DEC/gwtools (and 54538032Speter DECnet, of course). This is for Phase IV DECnet support; 54638032Speter if you have Phase V at your site you may have additional 54738032Speter problems. 54838032Speter 54938032Speterphquery The phquery program. This is somewhat counterintuitively 55038032Speter referenced as the "ph" mailer internally. It can be used 55138032Speter to do CCSO name server lookups. The phquery program, which 55238032Speter this mailer uses, is distributed with the ph client. 55338032Speter 55438032Spetercyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to 55538032Speter a local cyrus user. this mailer can make use of the 55638032Speter "user+detail@local.host" syntax; it will deliver the mail to 55738032Speter the user's "detail" mailbox if the mailbox's ACL permits. 55838032Speter The cyrusbb mailer delivers to a system-wide cyrus mailbox 55964562Sgshapiro if the mailbox's ACL permits. The cyrus mailer must be 56064562Sgshapiro defined after the local mailer. 56138032Speter 56264562Sgshapiroqpage A mailer for QuickPage, a pager interface. See 56364562Sgshapiro http://www.qpage.org/ for further information. 56438032Speter 56538032SpeterThe local mailer accepts addresses of the form "user+detail", where 56638032Speterthe "+detail" is not used for mailbox matching but is available 56743730Speterto certain local mail programs (in particular, see 56843730SpeterFEATURE(`local_procmail')). For example, "eric", "eric+sendmail", and 56943730Speter"eric+sww" all indicate the same user, but additional arguments <null>, 57043730Speter"sendmail", and "sww" may be provided for use in sorting mail. 57138032Speter 57238032Speter 57338032Speter+----------+ 57438032Speter| FEATURES | 57538032Speter+----------+ 57638032Speter 57738032SpeterSpecial features can be requested using the "FEATURE" macro. For 57838032Speterexample, the .mc line: 57938032Speter 58043730Speter FEATURE(`use_cw_file') 58138032Speter 58264562Sgshapirotells sendmail that you want to have it read an /etc/mail/local-host-names 58364562Sgshapirofile to get values for class {w}. The FEATURE may contain up to 9 58464562Sgshapirooptional parameters -- for example: 58538032Speter 58643730Speter FEATURE(`mailertable', `dbm /usr/lib/mailertable') 58738032Speter 58838032SpeterThe default database map type for the table features can be set with 58964562Sgshapiro 59038032Speter define(`DATABASE_MAP_TYPE', `dbm') 59138032Speter 59238032Speterwhich would set it to use ndbm databases. The default is the Berkeley DB 59338032Speterhash database format. Note that you must still declare a database map type 59438032Speterif you specify an argument to a FEATURE. DATABASE_MAP_TYPE is only used 59564562Sgshapiroif no argument is given for the FEATURE. It must be specified before any 59664562Sgshapirofeature that uses a map. 59738032Speter 59838032SpeterAvailable features are: 59938032Speter 60064562Sgshapirouse_cw_file Read the file /etc/mail/local-host-names file to get 60164562Sgshapiro alternate names for this host. This might be used if you 60264562Sgshapiro were on a host that MXed for a dynamic set of other hosts. 60364562Sgshapiro If the set is static, just including the line "Cw<name1> 60464562Sgshapiro <name2> ..." (where the names are fully qualified domain 60564562Sgshapiro names) is probably superior. The actual filename can be 60664562Sgshapiro overridden by redefining confCW_FILE. 60738032Speter 60864562Sgshapirouse_ct_file Read the file /etc/mail/trusted-users file to get the 60964562Sgshapiro names of users that will be ``trusted'', that is, able to 61064562Sgshapiro set their envelope from address using -f without generating 61164562Sgshapiro a warning message. The actual filename can be overridden 61264562Sgshapiro by redefining confCT_FILE. 61338032Speter 61438032Speterredirect Reject all mail addressed to "address.REDIRECT" with 61564562Sgshapiro a ``551 User has moved; please try <address>'' message. 61638032Speter If this is set, you can alias people who have left 61738032Speter to their new address with ".REDIRECT" appended. 61838032Speter 61964562Sgshapironouucp Don't route UUCP addresses. This feature takes one 62064562Sgshapiro parameter: 62164562Sgshapiro `reject': reject addresses which have "!" in the local 62264562Sgshapiro part unless it originates from a system 62364562Sgshapiro that is allowed to relay. 62464562Sgshapiro `nospecial': don't do anything special with "!". 62564562Sgshapiro Warnings: 1. See the NOTICE in the ANTI-SPAM section. 62664562Sgshapiro 2. don't remove "!" from OperatorChars if `reject' is 62764562Sgshapiro given as parameter. 62838032Speter 62964562Sgshapironocanonify Don't pass addresses to $[ ... $] for canonification 63071345Sgshapiro by default, i.e., host/domain names are considered canonical, 63171345Sgshapiro except for unqualified names, which must not be used in this 63271345Sgshapiro mode (violation of the standard). It can be changed by 63371345Sgshapiro setting the DaemonPortOptions modifiers (M=). That is, 63464562Sgshapiro FEATURE(`nocanonify') will be overridden by setting the 63564562Sgshapiro 'c' flag. Conversely, if FEATURE(`nocanonify') is not used, 63664562Sgshapiro it can be emulated by setting the 'C' flag 63764562Sgshapiro (DaemonPortOptions=Modifiers=C). This would generally only 63864562Sgshapiro be used by sites that only act as mail gateways or which have 63964562Sgshapiro user agents that do full canonification themselves. You may 64064562Sgshapiro also want to use 64164562Sgshapiro "define(`confBIND_OPTS', `-DNSRCH -DEFNAMES')" to turn off 64264562Sgshapiro the usual resolver options that do a similar thing. 64338032Speter 64464562Sgshapiro An exception list for FEATURE(`nocanonify') can be 64564562Sgshapiro specified with CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE, 64664562Sgshapiro i.e., a list of domains which are nevertheless passed to 64764562Sgshapiro $[ ... $] for canonification. This is useful to turn on 64864562Sgshapiro canonification for local domains, e.g., use 64964562Sgshapiro CANONIFY_DOMAIN(`my.domain my') to canonify addresses 65064562Sgshapiro which end in "my.domain" or "my". 65164562Sgshapiro Another way to require canonification in the local 65264562Sgshapiro domain is CANONIFY_DOMAIN(`$=m'). 65364562Sgshapiro 65464562Sgshapiro A trailing dot is added to addresses with more than 65564562Sgshapiro one component in it such that other features which 65664562Sgshapiro expect a trailing dot (e.g., virtusertable) will 65764562Sgshapiro still work. 65864562Sgshapiro 65964562Sgshapiro If `canonify_hosts' is specified as parameter, i.e., 66064562Sgshapiro FEATURE(`nocanonify', `canonify_hosts'), then 66164562Sgshapiro addresses which have only a hostname, e.g., 66264562Sgshapiro <user@host>, will be canonified (and hopefully fully 66364562Sgshapiro qualified), too. 66464562Sgshapiro 66571345Sgshapirostickyhost This feature is sometimes used with LOCAL_RELAY, 66671345Sgshapiro although it can be used for a different effect with 66771345Sgshapiro MAIL_HUB. 66838032Speter 66973188Sgshapiro When used without MAIL_HUB, email sent to 67071345Sgshapiro "user@local.host" are marked as "sticky" -- that 67171345Sgshapiro is, the local addresses aren't matched against UDB, 67271345Sgshapiro don't go through ruleset 5, and are not forwarded to 67371345Sgshapiro the LOCAL_RELAY (if defined). 67471345Sgshapiro 67571345Sgshapiro With MAIL_HUB, mail addressed to "user@local.host" 67671345Sgshapiro is forwarded to the mail hub, with the envelope 67771345Sgshapiro address still remaining "user@local.host". 67871345Sgshapiro Without stickyhost, the envelope would be changed 67971345Sgshapiro to "user@mail_hub", in order to protect against 68071345Sgshapiro mailing loops. 68171345Sgshapiro 68238032Spetermailertable Include a "mailer table" which can be used to override 68364562Sgshapiro routing for particular domains (which are not in class {w}, 68464562Sgshapiro i.e. local host names). The argument of the FEATURE may be 68564562Sgshapiro the key definition. If none is specified, the definition 68664562Sgshapiro used is: 68743730Speter 68864562Sgshapiro hash /etc/mail/mailertable 68943730Speter 69038032Speter Keys in this database are fully qualified domain names 69138032Speter or partial domains preceded by a dot -- for example, 69264562Sgshapiro "vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU". As a 69364562Sgshapiro special case of the latter, "." matches any domain not 69464562Sgshapiro covered by other keys. Values must be of the form: 69538032Speter mailer:domain 69638032Speter where "mailer" is the internal mailer name, and "domain" 69738032Speter is where to send the message. These maps are not 69838032Speter reflected into the message header. As a special case, 69938032Speter the forms: 70038032Speter local:user 70138032Speter will forward to the indicated user using the local mailer, 70238032Speter local: 70338032Speter will forward to the original user in the e-mail address 70438032Speter using the local mailer, and 70538032Speter error:code message 70664562Sgshapiro error:D.S.N:code message 70764562Sgshapiro will give an error message with the indicated SMTP reply 70864562Sgshapiro code and message, where D.S.N is an RFC 1893 compliant 70964562Sgshapiro error code. 71038032Speter 71138032Speterdomaintable Include a "domain table" which can be used to provide 71238032Speter domain name mapping. Use of this should really be 71338032Speter limited to your own domains. It may be useful if you 71438032Speter change names (e.g., your company changes names from 71538032Speter oldname.com to newname.com). The argument of the 71638032Speter FEATURE may be the key definition. If none is specified, 71738032Speter the definition used is: 71843730Speter 71964562Sgshapiro hash /etc/mail/domaintable 72043730Speter 72138032Speter The key in this table is the domain name; the value is 72238032Speter the new (fully qualified) domain. Anything in the 72338032Speter domaintable is reflected into headers; that is, this 72438032Speter is done in ruleset 3. 72538032Speter 72638032Speterbitdomain Look up bitnet hosts in a table to try to turn them into 72738032Speter internet addresses. The table can be built using the 72838032Speter bitdomain program contributed by John Gardiner Myers. 72938032Speter The argument of the FEATURE may be the key definition; if 73038032Speter none is specified, the definition used is: 73143730Speter 73264562Sgshapiro hash /etc/mail/bitdomain 73343730Speter 73438032Speter Keys are the bitnet hostname; values are the corresponding 73538032Speter internet hostname. 73638032Speter 73738032Speteruucpdomain Similar feature for UUCP hosts. The default map definition 73838032Speter is: 73943730Speter 74064562Sgshapiro hash /etc/mail/uudomain 74143730Speter 74238032Speter At the moment there is no automagic tool to build this 74338032Speter database. 74438032Speter 74538032Speteralways_add_domain 74638032Speter Include the local host domain even on locally delivered 74738032Speter mail. Normally it is not added on unqualified names. 74838032Speter However, if you use a shared message store but do not use 74938032Speter the same user name space everywhere, you may need the host 75038032Speter name on local names. 75138032Speter 75238032Speterallmasquerade If masquerading is enabled (using MASQUERADE_AS), this 75338032Speter feature will cause recipient addresses to also masquerade 75438032Speter as being from the masquerade host. Normally they get 75538032Speter the local hostname. Although this may be right for 75638032Speter ordinary users, it can break local aliases. For example, 75738032Speter if you send to "localalias", the originating sendmail will 75838032Speter find that alias and send to all members, but send the 75938032Speter message with "To: localalias@masqueradehost". Since that 76038032Speter alias likely does not exist, replies will fail. Use this 76138032Speter feature ONLY if you can guarantee that the ENTIRE 76238032Speter namespace on your masquerade host supersets all the 76338032Speter local entries. 76438032Speter 76538032Speterlimited_masquerade 76664562Sgshapiro Normally, any hosts listed in class {w} are masqueraded. If 76764562Sgshapiro this feature is given, only the hosts listed in class {M} (see 76864562Sgshapiro below: MASQUERADE_DOMAIN) are masqueraded. This is useful 76964562Sgshapiro if you have several domains with disjoint namespaces hosted 77064562Sgshapiro on the same machine. 77138032Speter 77238032Spetermasquerade_entire_domain 77364562Sgshapiro If masquerading is enabled (using MASQUERADE_AS) and 77438032Speter MASQUERADE_DOMAIN (see below) is set, this feature will 77538032Speter cause addresses to be rewritten such that the masquerading 77638032Speter domains are actually entire domains to be hidden. All 77738032Speter hosts within the masquerading domains will be rewritten 77838032Speter to the masquerade name (used in MASQUERADE_AS). For example, 77938032Speter if you have: 78038032Speter 78164562Sgshapiro MASQUERADE_AS(`masq.com') 78264562Sgshapiro MASQUERADE_DOMAIN(`foo.org') 78364562Sgshapiro MASQUERADE_DOMAIN(`bar.com') 78438032Speter 78538032Speter then *foo.org and *bar.com are converted to masq.com. Without 78638032Speter this feature, only foo.org and bar.com are masqueraded. 78738032Speter 78838032Speter NOTE: only domains within your jurisdiction and 78938032Speter current hierarchy should be masqueraded using this. 79038032Speter 79164562Sgshapirogenericstable This feature will cause unqualified addresses (i.e., without 79264562Sgshapiro a domain) and addresses with a domain listed in class {G} 79364562Sgshapiro to be looked up in a map and turned into another ("generic") 79464562Sgshapiro form, which can change both the domain name and the user name. 79564562Sgshapiro This is similar to the userdb functionality. The same types of 79664562Sgshapiro addresses as for masquerading are looked up, i.e., only header 79738032Speter sender addresses unless the allmasquerade and/or 79838032Speter masquerade_envelope features are given. Qualified addresses 79964562Sgshapiro must have the domain part in class {G}; entries can 80064562Sgshapiro be added to this class by the macros GENERICS_DOMAIN or 80164562Sgshapiro GENERICS_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 80264562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 80338032Speter 80443730Speter The argument of FEATURE(`genericstable') may be the map 80538032Speter definition; the default map definition is: 80638032Speter 80764562Sgshapiro hash /etc/mail/genericstable 80838032Speter 80964562Sgshapiro The key for this table is either the full address, the domain 81064562Sgshapiro (with a leading @; the localpart is passed as first argument) 81164562Sgshapiro or the unqualified username (tried in the order mentioned); 81264562Sgshapiro the value is the new user address. If the new user address 81364562Sgshapiro does not include a domain, it will be qualified in the standard 81464562Sgshapiro manner, i.e., using $j or the masquerade name. Note that the 81538032Speter address being looked up must be fully qualified. For local 81643730Speter mail, it is necessary to use FEATURE(`always_add_domain') 81743730Speter for the addresses to be qualified. 81864562Sgshapiro The "+detail" of an address is passed as %1, so entries like 81938032Speter 82064562Sgshapiro old+*@foo.org new+%1@example.com 82164562Sgshapiro gen+*@foo.org %1@example.com 82264562Sgshapiro 82364562Sgshapiro and other forms are possible. 82464562Sgshapiro 82564562Sgshapirogenerics_entire_domain 82664562Sgshapiro If the genericstable is enabled and GENERICS_DOMAIN or 82764562Sgshapiro GENERICS_DOMAIN_FILE is used, this feature will cause 82864562Sgshapiro addresses to be searched in the map if their domain 82964562Sgshapiro parts are subdomains of elements in class {G}. 83064562Sgshapiro 83138032Spetervirtusertable A domain-specific form of aliasing, allowing multiple 83238032Speter virtual domains to be hosted on one machine. For example, 83338032Speter if the virtuser table contained: 83438032Speter 83538032Speter info@foo.com foo-info 83638032Speter info@bar.com bar-info 83764562Sgshapiro joe@bar.com error:nouser No such user here 83864562Sgshapiro jax@bar.com error:D.S.N:unavailable Address invalid 83964562Sgshapiro @baz.org jane@example.net 84038032Speter 84138032Speter then mail addressed to info@foo.com will be sent to the 84238032Speter address foo-info, mail addressed to info@bar.com will be 84364562Sgshapiro delivered to bar-info, and mail addressed to anyone at baz.org 84464562Sgshapiro will be sent to jane@example.net, mail to joe@bar.com will 84564562Sgshapiro be rejected with the specified error message, and mail to 84664562Sgshapiro jax@bar.com will also have a RFC 1893 compliant error code 84764562Sgshapiro D.S.N. 84838032Speter 84964562Sgshapiro The username from the original address is passed 85064562Sgshapiro as %1 allowing: 85138032Speter 85264562Sgshapiro @foo.org %1@example.com 85338032Speter 85464562Sgshapiro meaning someone@foo.org will be sent to someone@example.com. 85564562Sgshapiro Additionally, if the local part consists of "user+detail" 85664562Sgshapiro then "detail" is passed as %2 when a match against user+* 85764562Sgshapiro is attempted, so entries like 85864562Sgshapiro 85964562Sgshapiro old+*@foo.org new+%2@example.com 86064562Sgshapiro gen+*@foo.org %2@example.com 86164562Sgshapiro +*@foo.org %1+%2@example.com 86264562Sgshapiro 86364562Sgshapiro and other forms are possible. Note: to preserve "+detail" 86464562Sgshapiro for a default case (@domain) +*@domain must be used as 86564562Sgshapiro exemplified above. 86664562Sgshapiro 86738032Speter All the host names on the left hand side (foo.com, bar.com, 86864562Sgshapiro and baz.org) must be in class {w} or class {VirtHost}, the 86964562Sgshapiro latter can be defined by the macros VIRTUSER_DOMAIN or 87064562Sgshapiro VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 87164562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or 87264562Sgshapiro VIRTUSER_DOMAIN_FILE is used, then the entries of class 87364562Sgshapiro {VirtHost} are added to class {R}, i.e., relaying is allowed 87464562Sgshapiro to (and from) those domains. The default map definition is: 87538032Speter 87664562Sgshapiro hash /etc/mail/virtusertable 87738032Speter 87838032Speter A new definition can be specified as the second argument of 87938032Speter the FEATURE macro, such as 88038032Speter 88164562Sgshapiro FEATURE(`virtusertable', `dbm /etc/mail/virtusers') 88238032Speter 88364562Sgshapirovirtuser_entire_domain 88464562Sgshapiro If the virtusertable is enabled and VIRTUSER_DOMAIN or 88564562Sgshapiro VIRTUSER_DOMAIN_FILE is used, this feature will cause 88664562Sgshapiro addresses to be searched in the map if their domain 88764562Sgshapiro parts are subdomains of elements in class {VirtHost}. 88864562Sgshapiro 88964562Sgshapiroldap_routing Implement LDAP-based e-mail recipient routing according to 89064562Sgshapiro the Internet Draft draft-lachman-laser-ldap-mail-routing-01. 89164562Sgshapiro This provides a method to re-route addresses with a 89264562Sgshapiro domain portion in class {LDAPRoute} to either a 89364562Sgshapiro different mail host or a different address. Hosts can 89464562Sgshapiro be added to this class using LDAPROUTE_DOMAIN and 89564562Sgshapiro LDAPROUTE_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 89664562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 89764562Sgshapiro 89864562Sgshapiro See the LDAP ROUTING section below for more information. 89964562Sgshapiro 90064562Sgshapironodns If you aren't running DNS at your site (for example, 90164562Sgshapiro you are UUCP-only connected). It's hard to consider 90238032Speter this a "feature", but hey, it had to go somewhere. 90338032Speter Actually, as of 8.7 this is a no-op -- remove "dns" from 90438032Speter the hosts service switch entry instead. 90538032Speter 90664562Sgshapironullclient This is a special case -- it creates a configuration file 90764562Sgshapiro containing nothing but support for forwarding all mail to a 90864562Sgshapiro central hub via a local SMTP-based network. The argument 90964562Sgshapiro is the name of that hub. 91064562Sgshapiro 91138032Speter The only other feature that should be used in conjunction 91264562Sgshapiro with this one is FEATURE(`nocanonify'). No mailers 91338032Speter should be defined. No aliasing or forwarding is done. 91438032Speter 91538032Speterlocal_lmtp Use an LMTP capable local mailer. The argument to this 91638032Speter feature is the pathname of an LMTP capable mailer. By 91738032Speter default, mail.local is used. This is expected to be the 91838032Speter mail.local which came with the 8.9 distribution which is 91938032Speter LMTP capable. The path to mail.local is set by the 92038032Speter confEBINDIR m4 variable -- making the default 92138032Speter LOCAL_MAILER_PATH /usr/libexec/mail.local. 92264562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 92364562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 92438032Speter 92564562Sgshapirolocal_procmail Use procmail or another delivery agent as the local mailer. 92664562Sgshapiro The argument to this feature is the pathname of the 92764562Sgshapiro delivery agent, which defaults to PROCMAIL_MAILER_PATH. 92864562Sgshapiro Note that this does NOT use PROCMAIL_MAILER_FLAGS or 92964562Sgshapiro PROCMAIL_MAILER_ARGS for the local mailer; tweak 93064562Sgshapiro LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS instead, or 93164562Sgshapiro specify the appropriate parameters. When procmail is used, 93264562Sgshapiro the local mailer can make use of the 93364562Sgshapiro "user+indicator@local.host" syntax; normally the +indicator 93464562Sgshapiro is just tossed, but by default it is passed as the -a 93564562Sgshapiro argument to procmail. 93638032Speter 93764562Sgshapiro This feature can take up to three arguments: 93864562Sgshapiro 93964562Sgshapiro 1. Path to the mailer program 94064562Sgshapiro [default: /usr/local/bin/procmail] 94164562Sgshapiro 2. Argument vector including name of the program 94264562Sgshapiro [default: procmail -Y -a $h -d $u] 94364562Sgshapiro 3. Flags for the mailer [default: SPfhn9] 94464562Sgshapiro 94564562Sgshapiro Empty arguments cause the defaults to be taken. 94664562Sgshapiro 94764562Sgshapiro For example, this allows it to use the maildrop 94864562Sgshapiro (http://www.flounder.net/~mrsam/maildrop/) mailer instead 94964562Sgshapiro by specifying: 95064562Sgshapiro 95164562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/maildrop', 95264562Sgshapiro `maildrop -d $u') 95364562Sgshapiro 95464562Sgshapiro or scanmails using: 95564562Sgshapiro 95664562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/scanmails') 95764562Sgshapiro 95864562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 95964562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 96064562Sgshapiro 96138032Speterbestmx_is_local Accept mail as though locally addressed for any host that 96238032Speter lists us as the best possible MX record. This generates 96338032Speter additional DNS traffic, but should be OK for low to 96438032Speter medium traffic hosts. The argument may be a set of 96538032Speter domains, which will limit the feature to only apply to 96638032Speter these domains -- this will reduce unnecessary DNS 96738032Speter traffic. THIS FEATURE IS FUNDAMENTALLY INCOMPATIBLE WITH 96838032Speter WILDCARD MX RECORDS!!! If you have a wildcard MX record 96938032Speter that matches your domain, you cannot use this feature. 97038032Speter 97138032Spetersmrsh Use the SendMail Restricted SHell (smrsh) provided 97238032Speter with the distribution instead of /bin/sh for mailing 97338032Speter to programs. This improves the ability of the local 97438032Speter system administrator to control what gets run via 97538032Speter e-mail. If an argument is provided it is used as the 97638032Speter pathname to smrsh; otherwise, the path defined by 97738032Speter confEBINDIR is used for the smrsh binary -- by default, 97838032Speter /usr/libexec/smrsh is assumed. 97938032Speter 98038032Speterpromiscuous_relay 98138032Speter By default, the sendmail configuration files do not permit 98238032Speter mail relaying (that is, accepting mail from outside your 98364562Sgshapiro local host (class {w}) and sending it to another host than 98464562Sgshapiro your local host). This option sets your site to allow 98564562Sgshapiro mail relaying from any site to any site. In almost all 98664562Sgshapiro cases, it is better to control relaying more carefully 98764562Sgshapiro with the access map, class {R}, or authentication. Domains 98864562Sgshapiro can be added to class {R} by the macros RELAY_DOMAIN or 98964562Sgshapiro RELAY_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 99064562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 99138032Speter 99238032Speterrelay_entire_domain 99338032Speter By default, only hosts listed as RELAY in the access db 99438032Speter will be allowed to relay. This option also allows any 99564562Sgshapiro host in your domain as defined by class {m}. 99638032Speter 99738032Speterrelay_hosts_only 99838032Speter By default, names that are listed as RELAY in the access 99964562Sgshapiro db and class {R} are domain names, not host names. 100038032Speter For example, if you specify ``foo.com'', then mail to or 100138032Speter from foo.com, abc.foo.com, or a.very.deep.domain.foo.com 100238032Speter will all be accepted for relaying. This feature changes 100338032Speter the behaviour to lookup individual host names only. 100438032Speter 100538032Speterrelay_based_on_MX 100638032Speter Turns on the ability to allow relaying based on the MX 100742575Speter records of the host portion of an incoming recipient; that 100842575Speter is, if an MX record for host foo.com points to your site, 100942575Speter you will accept and relay mail addressed to foo.com. See 101038032Speter description below for more information before using this 101142575Speter feature. Also, see the KNOWNBUGS entry regarding bestmx 101242575Speter map lookups. 101338032Speter 101443730Speter FEATURE(`relay_based_on_MX') does not necessarily allow 101542575Speter routing of these messages which you expect to be allowed, 101642575Speter if route address syntax (or %-hack syntax) is used. If 101742575Speter this is a problem, add entries to the access-table or use 101843730Speter FEATURE(`loose_relay_check'). 101942575Speter 102064562Sgshapirorelay_mail_from 102164562Sgshapiro Allows relaying if the mail sender is listed as RELAY in 102264562Sgshapiro the access map. If an optional argument `domain' is given, 102364562Sgshapiro the domain portion of the mail sender is checked too. 102464562Sgshapiro This should only be used if absolutely necessary as the 102564562Sgshapiro sender address can be easily forged. Use of this feature 102664562Sgshapiro requires the "From:" tag be prepended to the key in the 102764562Sgshapiro access map; see the discussion of tags and 102864562Sgshapiro FEATURE(`relay_mail_from') in the section on ANTI-SPAM 102964562Sgshapiro CONFIGURATION CONTROL. 103064562Sgshapiro 103138032Speterrelay_local_from 103238032Speter Allows relaying if the domain portion of the mail sender 103338032Speter is a local host. This should only be used if absolutely 103442575Speter necessary as it opens a window for spammers. Specifically, 103542575Speter they can send mail to your mail server that claims to be 103642575Speter from your domain (either directly or via a routed address), 103742575Speter and you will go ahead and relay it out to arbitrary hosts 103842575Speter on the Internet. 103964562Sgshapiro 104038032Speteraccept_unqualified_senders 104138032Speter Normally, MAIL FROM: commands in the SMTP session will be 104238032Speter refused if the connection is a network connection and the 104338032Speter sender address does not include a domain name. If your 104464562Sgshapiro setup sends local mail unqualified (i.e., MAIL FROM: <joe>), 104538032Speter you will need to use this feature to accept unqualified 104664562Sgshapiro sender addresses. Setting the DaemonPortOptions modifier 104764562Sgshapiro 'u' overrides the default behavior, i.e., unqualified 104864562Sgshapiro addresses are accepted even without this FEATURE. 104964562Sgshapiro If this FEATURE is not used, the DaemonPortOptions modifier 105064562Sgshapiro 'f' can be used to enforce fully qualified addresses. 105164562Sgshapiro 105238032Speteraccept_unresolvable_domains 105338032Speter Normally, MAIL FROM: commands in the SMTP session will be 105464562Sgshapiro refused if the host part of the argument to MAIL FROM: 105564562Sgshapiro cannot be located in the host name service (e.g., an A or 105664562Sgshapiro MX record in DNS). If you are inside a firewall that has 105764562Sgshapiro only a limited view of the Internet host name space, this 105864562Sgshapiro could cause problems. In this case you probably want to 105964562Sgshapiro use this feature to accept all domains on input, even if 106064562Sgshapiro they are unresolvable. 106138032Speter 106238032Speteraccess_db Turns on the access database feature. The access db gives 106338032Speter you the ability to allow or refuse to accept mail from 106438032Speter specified domains for administrative reasons. By default, 106543730Speter the access database specification is: 106638032Speter 106764562Sgshapiro hash /etc/mail/access 106843730Speter 106964562Sgshapiro The format of the database is described in the anti-spam 107064562Sgshapiro configuration control section later in this document. 107143730Speter 107238032Speterblacklist_recipients 107338032Speter Turns on the ability to block incoming mail for certain 107438032Speter recipient usernames, hostnames, or addresses. For 107538032Speter example, you can block incoming mail to user nobody, 107638032Speter host foo.mydomain.com, or guest@bar.mydomain.com. 107738032Speter These specifications are put in the access db as 107864562Sgshapiro described in the anti-spam configuration control section 107964562Sgshapiro later in this document. 108038032Speter 108171345Sgshapirodelay_checks The rulesets check_mail and check_relay will not be called 108271345Sgshapiro when a client connects or issues a MAIL command, respectively. 108371345Sgshapiro Instead, those rulesets will be called by the check_rcpt 108471345Sgshapiro ruleset; they will be skipped under certain circumstances. 108571345Sgshapiro See "Delay all checks" in "ANTI-SPAM CONFIGURATION CONTROL". 108671345Sgshapiro 108764562Sgshapirorbl This feature is deprecated! Please use dnsbl instead. 108864562Sgshapiro Turns on rejection of hosts found in the Realtime Blackhole 108964562Sgshapiro List. If an argument is provided it is used as the domain 109064562Sgshapiro in which blocked hosts are listed; otherwise, the main 109164562Sgshapiro RBL domain rbl.maps.vix.com is used. For details, see 109238032Speter http://maps.vix.com/rbl/. 109338032Speter 109464562Sgshapirodnsbl Turns on rejection of hosts found in an DNS based rejection 109564562Sgshapiro list. If an argument is provided it is used as the domain 109664562Sgshapiro in which blocked hosts are listed; otherwise it defaults to 109771345Sgshapiro blackholes.mail-abuse.org. An explanation for an DNS based 109871345Sgshapiro rejection list can be found http://mail-abuse.org/rbl/. A 109971345Sgshapiro second argument can be used to change the default error 110071345Sgshapiro message of Mail from $&{client_addr} refused by blackhole site 110171345Sgshapiro SERVER where SERVER is replaced by the first argument. This 110271345Sgshapiro feature can be included several times to query different DNS 110371345Sgshapiro based rejection lists. 110464562Sgshapiro 110538032Speterloose_relay_check 110664562Sgshapiro Normally, if % addressing is used for a recipient, e.g. 110764562Sgshapiro user%site@othersite, and othersite is in class {R}, the 110838032Speter check_rcpt ruleset will strip @othersite and recheck 110938032Speter user@site for relaying. This feature changes that 111038032Speter behavior. It should not be needed for most installations. 111138032Speter 111264562Sgshapirono_default_msa Don't generate the default MSA daemon, i.e., 111364562Sgshapiro DAEMON_OPTIONS(`Port=587,Name=MSA,M=E') 111464562Sgshapiro To define a MSA daemon with other parameters, use this 111564562Sgshapiro FEATURE and introduce new settings via DAEMON_OPTIONS(). 111638032Speter 111738032Speter+-------+ 111838032Speter| HACKS | 111938032Speter+-------+ 112038032Speter 112138032SpeterSome things just can't be called features. To make this clear, 112238032Speterthey go in the hack subdirectory and are referenced using the HACK 112338032Spetermacro. These will tend to be site-dependent. The release 112438032Speterincludes the Berkeley-dependent "cssubdomain" hack (that makes 112538032Spetersendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU; 112664562Sgshapirothis is intended as a short-term aid while moving hosts into 112738032Spetersubdomains. 112838032Speter 112938032Speter 113038032Speter+--------------------+ 113138032Speter| SITE CONFIGURATION | 113238032Speter+--------------------+ 113338032Speter 113438032Speter ***************************************************** 113538032Speter * This section is really obsolete, and is preserved * 113638032Speter * only for back compatibility. You should plan on * 113738032Speter * using mailertables for new installations. In * 113838032Speter * particular, it doesn't work for the newer forms * 113938032Speter * of UUCP mailers, such as uucp-uudom. * 114038032Speter ***************************************************** 114138032Speter 114238032SpeterComplex sites will need more local configuration information, such as 114338032Speterlists of UUCP hosts they speak with directly. This can get a bit more 114438032Spetertricky. For an example of a "complex" site, see cf/ucbvax.mc. 114538032Speter 114638032SpeterThe SITECONFIG macro allows you to indirectly reference site-dependent 114738032Speterconfiguration information stored in the siteconfig subdirectory. For 114838032Speterexample, the line 114938032Speter 115064562Sgshapiro SITECONFIG(`uucp.ucbvax', `ucbvax', `U') 115138032Speter 115238032Speterreads the file uucp.ucbvax for local connection information. The 115338032Spetersecond parameter is the local name (in this case just "ucbvax" since 115438032Speterit is locally connected, and hence a UUCP hostname). The third 115538032Speterparameter is the name of both a macro to store the local name (in 115664562Sgshapirothis case, {U}) and the name of the class (e.g., {U}) in which to store 115738032Speterthe host information read from the file. Another SITECONFIG line reads 115838032Speter 115964562Sgshapiro SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W') 116038032Speter 116138032SpeterThis says that the file uucp.ucbarpa contains the list of UUCP sites 116264562Sgshapiroconnected to ucbarpa.Berkeley.EDU. Class {W} will be used to 116338032Speterstore this list, and $W is defined to be ucbarpa.Berkeley.EDU, that 116438032Speteris, the name of the relay to which the hosts listed in uucp.ucbarpa 116564562Sgshapiroare connected. [The machine ucbarpa is gone now, but this 116664562Sgshapiroout-of-date configuration file has been left around to demonstrate 116764562Sgshapirohow you might do this.] 116838032Speter 116938032SpeterNote that the case of SITECONFIG with a third parameter of ``U'' is 117038032Speterspecial; the second parameter is assumed to be the UUCP name of the 117138032Speterlocal site, rather than the name of a remote site, and the UUCP name 117264562Sgshapirois entered into class {w} (the list of local hostnames) as $U.UUCP. 117338032Speter 117438032SpeterThe siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing 117538032Spetermore than a sequence of SITE macros describing connectivity. For 117638032Speterexample: 117738032Speter 117864562Sgshapiro SITE(`cnmat') 117964562Sgshapiro SITE(`sgi olympus') 118038032Speter 118138032SpeterThe second example demonstrates that you can use two names on the 118238032Spetersame line; these are usually aliases for the same host (or are at 118338032Speterleast in the same company). 118438032Speter 118538032Speter 118638032Speter+--------------------+ 118738032Speter| USING UUCP MAILERS | 118838032Speter+--------------------+ 118938032Speter 119038032SpeterIt's hard to get UUCP mailers right because of the extremely ad hoc 119138032Speternature of UUCP addressing. These config files are really designed 119238032Speterfor domain-based addressing, even for UUCP sites. 119338032Speter 119438032SpeterThere are four UUCP mailers available. The choice of which one to 119538032Speteruse is partly a matter of local preferences and what is running at 119638032Speterthe other end of your UUCP connection. Unlike good protocols that 119738032Speterdefine what will go over the wire, UUCP uses the policy that you 119838032Spetershould do what is right for the other end; if they change, you have 119938032Speterto change. This makes it hard to do the right thing, and discourages 120038032Speterpeople from updating their software. In general, if you can avoid 120138032SpeterUUCP, please do. 120238032Speter 120338032SpeterThe major choice is whether to go for a domainized scheme or a 120438032Speternon-domainized scheme. This depends entirely on what the other 120538032Speterend will recognize. If at all possible, you should encourage the 120638032Speterother end to go to a domain-based system -- non-domainized addresses 120738032Speterdon't work entirely properly. 120838032Speter 120938032SpeterThe four mailers are: 121038032Speter 121138032Speter uucp-old (obsolete name: "uucp") 121238032Speter This is the oldest, the worst (but the closest to UUCP) way of 121338032Speter sending messages accros UUCP connections. It does bangify 121438032Speter everything and prepends $U (your UUCP name) to the sender's 121538032Speter address (which can already be a bang path itself). It can 121638032Speter only send to one address at a time, so it spends a lot of 121738032Speter time copying duplicates of messages. Avoid this if at all 121838032Speter possible. 121938032Speter 122038032Speter uucp-new (obsolete name: "suucp") 122138032Speter The same as above, except that it assumes that in one rmail 122238032Speter command you can specify several recipients. It still has a 122338032Speter lot of other problems. 122438032Speter 122538032Speter uucp-dom 122638032Speter This UUCP mailer keeps everything as domain addresses. 122738032Speter Basically, it uses the SMTP mailer rewriting rules. This mailer 122864562Sgshapiro is only included if MAILER(`smtp') is also specified. 122938032Speter 123038032Speter Unfortunately, a lot of UUCP mailer transport agents require 123138032Speter bangified addresses in the envelope, although you can use 123238032Speter domain-based addresses in the message header. (The envelope 123338032Speter shows up as the From_ line on UNIX mail.) So.... 123438032Speter 123538032Speter uucp-uudom 123638032Speter This is a cross between uucp-new (for the envelope addresses) 123738032Speter and uucp-dom (for the header addresses). It bangifies the 123838032Speter envelope sender (From_ line in messages) without adding the 123938032Speter local hostname, unless there is no host name on the address 124038032Speter at all (e.g., "wolf") or the host component is a UUCP host name 124138032Speter instead of a domain name ("somehost!wolf" instead of 124264562Sgshapiro "some.dom.ain!wolf"). This is also included only if MAILER(`smtp') 124338032Speter is also specified. 124438032Speter 124538032SpeterExamples: 124638032Speter 124764562SgshapiroOn host grasp.insa-lyon.fr (UUCP host name "grasp"), the following 124864562Sgshapirosummarizes the sender rewriting for various mailers. 124938032Speter 125066494SgshapiroMailer sender rewriting in the envelope 125138032Speter------ ------ ------------------------- 125238032Speteruucp-{old,new} wolf grasp!wolf 125338032Speteruucp-dom wolf wolf@grasp.insa-lyon.fr 125438032Speteruucp-uudom wolf grasp.insa-lyon.fr!wolf 125538032Speter 125638032Speteruucp-{old,new} wolf@fr.net grasp!fr.net!wolf 125738032Speteruucp-dom wolf@fr.net wolf@fr.net 125838032Speteruucp-uudom wolf@fr.net fr.net!wolf 125938032Speter 126038032Speteruucp-{old,new} somehost!wolf grasp!somehost!wolf 126138032Speteruucp-dom somehost!wolf somehost!wolf@grasp.insa-lyon.fr 126238032Speteruucp-uudom somehost!wolf grasp.insa-lyon.fr!somehost!wolf 126338032Speter 126438032SpeterIf you are using one of the domainized UUCP mailers, you really want 126538032Speterto convert all UUCP addresses to domain format -- otherwise, it will 126638032Speterdo it for you (and probably not the way you expected). For example, 126738032Speterif you have the address foo!bar!baz (and you are not sending to foo), 126838032Speterthe heuristics will add the @uucp.relay.name or @local.host.name to 126938032Speterthis address. However, if you map foo to foo.host.name first, it 127038032Speterwill not add the local hostname. You can do this using the uucpdomain 127138032Speterfeature. 127238032Speter 127338032Speter 127438032Speter+-------------------+ 127538032Speter| TWEAKING RULESETS | 127638032Speter+-------------------+ 127738032Speter 127838032SpeterFor more complex configurations, you can define special rules. 127938032SpeterThe macro LOCAL_RULE_3 introduces rules that are used in canonicalizing 128038032Speterthe names. Any modifications made here are reflected in the header. 128138032Speter 128238032SpeterA common use is to convert old UUCP addresses to SMTP addresses using 128338032Speterthe UUCPSMTP macro. For example: 128438032Speter 128538032Speter LOCAL_RULE_3 128664562Sgshapiro UUCPSMTP(`decvax', `decvax.dec.com') 128764562Sgshapiro UUCPSMTP(`research', `research.att.com') 128838032Speter 128938032Speterwill cause addresses of the form "decvax!user" and "research!user" 129038032Speterto be converted to "user@decvax.dec.com" and "user@research.att.com" 129138032Speterrespectively. 129238032Speter 129338032SpeterThis could also be used to look up hosts in a database map: 129438032Speter 129538032Speter LOCAL_RULE_3 129638032Speter R$* < @ $+ > $* $: $1 < @ $(hostmap $2 $) > $3 129738032Speter 129838032SpeterThis map would be defined in the LOCAL_CONFIG portion, as shown below. 129938032Speter 130038032SpeterSimilarly, LOCAL_RULE_0 can be used to introduce new parsing rules. 130138032SpeterFor example, new rules are needed to parse hostnames that you accept 130238032Spetervia MX records. For example, you might have: 130338032Speter 130438032Speter LOCAL_RULE_0 130538032Speter R$+ <@ host.dom.ain.> $#uucp $@ cnmat $: $1 < @ host.dom.ain.> 130638032Speter 130738032SpeterYou would use this if you had installed an MX record for cnmat.Berkeley.EDU 130838032Speterpointing at this host; this rule catches the message and forwards it on 130938032Speterusing UUCP. 131038032Speter 131138032SpeterYou can also tweak rulesets 1 and 2 using LOCAL_RULE_1 and LOCAL_RULE_2. 131238032SpeterThese rulesets are normally empty. 131338032Speter 131438032SpeterA similar macro is LOCAL_CONFIG. This introduces lines added after the 131564562Sgshapiroboilerplate option setting but before rulesets. Do not declare rulesets in 131664562Sgshapirothe LOCAL_CONFIG section. It can be used to declare local database maps or 131764562Sgshapirowhatever. For example: 131838032Speter 131938032Speter LOCAL_CONFIG 132064562Sgshapiro Khostmap hash /etc/mail/hostmap 132138032Speter Kyplocal nis -m hosts.byname 132238032Speter 132338032Speter 132438032Speter+---------------------------+ 132538032Speter| MASQUERADING AND RELAYING | 132638032Speter+---------------------------+ 132738032Speter 132838032SpeterYou can have your host masquerade as another using 132938032Speter 133064562Sgshapiro MASQUERADE_AS(`host.domain') 133138032Speter 133238032SpeterThis causes mail being sent to be labeled as coming from the 133338032Speterindicated host.domain, rather than $j. One normally masquerades as 133464562Sgshapiroone of one's own subdomains (for example, it's unlikely that 133564562SgshapiroBerkeley would choose to masquerade as an MIT site). This 133664562Sgshapirobehaviour is modified by a plethora of FEATUREs; in particular, see 133764562Sgshapiromasquerade_envelope, allmasquerade, limited_masquerade, and 133864562Sgshapiromasquerade_entire_domain. 133938032Speter 134038032SpeterThe masquerade name is not normally canonified, so it is important 134138032Speterthat it be your One True Name, that is, fully qualified and not a 134238032SpeterCNAME. However, if you use a CNAME, the receiving side may canonify 134338032Speterit for you, so don't think you can cheat CNAME mapping this way. 134438032Speter 134538032SpeterNormally the only addresses that are masqueraded are those that come 134664562Sgshapirofrom this host (that is, are either unqualified or in class {w}, the list 134764562Sgshapiroof local domain names). You can augment this list, which is realized 134864562Sgshapiroby class {M} using 134938032Speter 135064562Sgshapiro MASQUERADE_DOMAIN(`otherhost.domain') 135138032Speter 135238032SpeterThe effect of this is that although mail to user@otherhost.domain 135338032Speterwill not be delivered locally, any mail including any user@otherhost.domain 135438032Speterwill, when relayed, be rewritten to have the MASQUERADE_AS address. 135538032SpeterThis can be a space-separated list of names. 135638032Speter 135738032SpeterIf these names are in a file, you can use 135838032Speter 135964562Sgshapiro MASQUERADE_DOMAIN_FILE(`filename') 136038032Speter 136164562Sgshapiroto read the list of names from the indicated file (i.e., to add 136264562Sgshapiroelements to class {M}). 136338032Speter 136464562SgshapiroTo exempt hosts or subdomains from being masqueraded, you can use 136564562Sgshapiro 136664562Sgshapiro MASQUERADE_EXCEPTION(`host.domain') 136764562Sgshapiro 136864562SgshapiroThis can come handy if you want to masquerade a whole domain 136964562Sgshapiroexcept for one (or a few) host(s). 137064562Sgshapiro 137138032SpeterNormally only header addresses are masqueraded. If you want to 137238032Spetermasquerade the envelope as well, use 137338032Speter 137443730Speter FEATURE(`masquerade_envelope') 137538032Speter 137638032SpeterThere are always users that need to be "exposed" -- that is, their 137738032Speterinternal site name should be displayed instead of the masquerade name. 137864562SgshapiroRoot is an example (which has been "exposed" by default prior to 8.10). 137964562SgshapiroYou can add users to this list using 138038032Speter 138164562Sgshapiro EXPOSED_USER(`usernames') 138238032Speter 138364562SgshapiroThis adds users to class {E}; you could also use something like 138438032Speter 138564562Sgshapiro FE/etc/mail/exposed-users 138638032Speter 138738032SpeterYou can also arrange to relay all unqualified names (that is, names 138838032Speterwithout @host) to a relay host. For example, if you have a central 138938032Speteremail server, you might relay to that host so that users don't have 139038032Speterto have .forward files or aliases. You can do this using 139138032Speter 139243730Speter define(`LOCAL_RELAY', `mailer:hostname') 139338032Speter 139438032SpeterThe ``mailer:'' can be omitted, in which case the mailer defaults to 139538032Speter"relay". There are some user names that you don't want relayed, perhaps 139638032Speterbecause of local aliases. A common example is root, which may be 139738032Speterlocally aliased. You can add entries to this list using 139838032Speter 139964562Sgshapiro LOCAL_USER(`usernames') 140038032Speter 140164562SgshapiroThis adds users to class {L}; you could also use something like 140238032Speter 140364562Sgshapiro FL/etc/mail/local-users 140438032Speter 140538032SpeterIf you want all incoming mail sent to a centralized hub, as for a 140638032Spetershared /var/spool/mail scheme, use 140738032Speter 140843730Speter define(`MAIL_HUB', `mailer:hostname') 140938032Speter 141038032SpeterAgain, ``mailer:'' defaults to "relay". If you define both LOCAL_RELAY 141143730Speterand MAIL_HUB _AND_ you have FEATURE(`stickyhost'), unqualified names will 141238032Speterbe sent to the LOCAL_RELAY and other local names will be sent to MAIL_HUB. 141364562SgshapiroNote: there is a (long standing) bug which keeps this combination from 141464562Sgshapiroworking for addresses of the form user+detail. 141564562SgshapiroNames in class {L} will be delivered locally, so you MUST have aliases or 141638032Speter.forward files for them. 141738032Speter 141838032SpeterFor example, if you are on machine mastodon.CS.Berkeley.EDU and you have 141943730SpeterFEATURE(`stickyhost'), the following combinations of settings will have the 142038032Speterindicated effects: 142138032Speter 142238032Speteremail sent to.... eric eric@mastodon.CS.Berkeley.EDU 142338032Speter 142438032SpeterLOCAL_RELAY set to mail.CS.Berkeley.EDU (delivered locally) 142538032Spetermail.CS.Berkeley.EDU (no local aliasing) (aliasing done) 142638032Speter 142738032SpeterMAIL_HUB set to mammoth.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 142838032Spetermammoth.CS.Berkeley.EDU (aliasing done) (aliasing done) 142938032Speter 143038032SpeterBoth LOCAL_RELAY and mail.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 143138032SpeterMAIL_HUB set as above (no local aliasing) (aliasing done) 143238032Speter 143343730SpeterIf you do not have FEATURE(`stickyhost') set, then LOCAL_RELAY and 143438032SpeterMAIL_HUB act identically, with MAIL_HUB taking precedence. 143538032Speter 143638032SpeterIf you want all outgoing mail to go to a central relay site, define 143738032SpeterSMART_HOST as well. Briefly: 143838032Speter 143938032Speter LOCAL_RELAY applies to unqualified names (e.g., "eric"). 144038032Speter MAIL_HUB applies to names qualified with the name of the 144138032Speter local host (e.g., "eric@mastodon.CS.Berkeley.EDU"). 144264562Sgshapiro SMART_HOST applies to names qualified with other hosts or 144364562Sgshapiro bracketed addresses (e.g., "eric@mastodon.CS.Berkeley.EDU" 144464562Sgshapiro or "eric@[127.0.0.1]"). 144538032Speter 144638032SpeterHowever, beware that other relays (e.g., UUCP_RELAY, BITNET_RELAY, 144738032SpeterDECNET_RELAY, and FAX_RELAY) take precedence over SMART_HOST, so if you 144838032Speterreally want absolutely everything to go to a single central site you will 144938032Speterneed to unset all the other relays -- or better yet, find or build a 145038032Speterminimal config file that does this. 145138032Speter 145238032SpeterFor duplicate suppression to work properly, the host name is best 145338032Speterspecified with a terminal dot: 145438032Speter 145538032Speter define(`MAIL_HUB', `host.domain.') 145638032Speter note the trailing dot ---^ 145738032Speter 145838032Speter 145964562Sgshapiro+--------------+ 146064562Sgshapiro| LDAP ROUTING | 146164562Sgshapiro+--------------+ 146264562Sgshapiro 146364562SgshapiroFEATURE(`ldap_routing') can be used to implement the IETF Internet Draft 146464562SgshapiroLDAP Schema for Intranet Mail Routing 146564562Sgshapiro(draft-lachman-laser-ldap-mail-routing-01). This feature enables 146664562SgshapiroLDAP-based rerouting of a particular address to either a different host 146764562Sgshapiroor a different address. The LDAP lookup is first attempted on the full 146864562Sgshapiroaddress (e.g., user@example.com) and then on the domain portion 146964562Sgshapiro(e.g., @example.com). Be sure to setup your domain for LDAP routing using 147064562SgshapiroLDAPROUTE_DOMAIN(), e.g.: 147164562Sgshapiro 147264562Sgshapiro LDAPROUTE_DOMAIN(`example.com') 147364562Sgshapiro 147464562SgshapiroBy default, the feature will use the schemas as specified in the draft 147564562Sgshapiroand will not reject addresses not found by the LDAP lookup. However, 147664562Sgshapirothis behavior can be changed by giving additional arguments to the FEATURE() 147764562Sgshapirocommand: 147864562Sgshapiro 147964562Sgshapiro FEATURE(`ldap_routing', <mailHost>, <mailRoutingAddress>, <bounce>) 148064562Sgshapiro 148164562Sgshapirowhere <mailHost> is a map definition describing how to lookup an alternative 148264562Sgshapiromail host for a particular address; <mailRoutingAddress> is a map definition 148364562Sgshapirodescribing how to lookup an alternative address for a particular address; and 148464562Sgshapirothe <bounce> argument, if present and not the word "passthru", dictates 148564562Sgshapirothat mail should be bounced if neither a mailHost nor mailRoutingAddress 148664562Sgshapirois found. 148764562Sgshapiro 148864562SgshapiroThe default <mailHost> map definition is: 148964562Sgshapiro 149064562Sgshapiro ldap -1 -v mailHost -k (&(objectClass=inetLocalMailRecipient) 149164562Sgshapiro (mailLocalAddress=%0)) 149264562Sgshapiro 149364562SgshapiroThe default <mailRoutingAddress> map definition is: 149464562Sgshapiro 149564562Sgshapiro ldap -1 -v mailRoutingAddress -k (&(objectClass=inetLocalMailRecipient) 149664562Sgshapiro (mailLocalAddress=%0)) 149764562Sgshapiro 149864562SgshapiroNote that neither includes the LDAP server hostname (-h server) or base DN 149964562Sgshapiro(-b o=org,c=COUNTRY), both necessary for LDAP queries. It is presumed that 150064562Sgshapiroyour .mc file contains a setting for the confLDAP_DEFAULT_SPEC option with 150164562Sgshapirothese settings. If this is not the case, the map definitions should be 150264562Sgshapirochanged as described above. 150364562Sgshapiro 150464562SgshapiroThe following possibilities exist as a result of an LDAP lookup on an 150564562Sgshapiroaddress: 150664562Sgshapiro 150764562Sgshapiro mailHost is mailRoutingAddress is Results in 150864562Sgshapiro ----------- --------------------- ---------- 150964562Sgshapiro set to a set mail delivered to 151064562Sgshapiro "local" host mailRoutingAddress 151164562Sgshapiro 151264562Sgshapiro set to a not set delivered to 151364562Sgshapiro "local" host original address 151464562Sgshapiro 151564562Sgshapiro set to a set mailRoutingAddress 151664562Sgshapiro remote host relayed to mailHost 151764562Sgshapiro 151864562Sgshapiro set to a not set original address 151964562Sgshapiro remote host relayed to mailHost 152064562Sgshapiro 152164562Sgshapiro not set set mail delivered to 152264562Sgshapiro mailRoutingAddress 152364562Sgshapiro 152464562Sgshapiro not set not set delivered to 152564562Sgshapiro original address *OR* 152664562Sgshapiro bounced as unknown user 152764562Sgshapiro 152864562SgshapiroThe term "local" host above means the host specified is in class {w}. 152964562SgshapiroNote that the last case depends on whether the third argument is given 153064562Sgshapiroto the FEATURE() command. The default is to deliver the message to the 153164562Sgshapirooriginal address. 153264562Sgshapiro 153364562SgshapiroThe LDAP entries should be set up with an objectClass of 153464562SgshapiroinetLocalMailRecipient and the address be listed in a mailLocalAddress 153564562Sgshapiroattribute. If present, there must be only one mailHost attribute and it 153664562Sgshapiromust contain a fully qualified host name as its value. Similarly, if 153764562Sgshapiropresent, there must be only one mailRoutingAddress attribute and it must 153864562Sgshapirocontain an RFC 822 compliant address. Some example LDAP records (in ldif 153964562Sgshapiroformat): 154064562Sgshapiro 154164562Sgshapiro dn: uid=tom, o=example.com, c=US 154264562Sgshapiro objectClass: inetLocalMailRecipient 154364562Sgshapiro mailLocalAddress: tom@example.com 154464562Sgshapiro mailRoutingAddress: thomas@mailhost.example.com 154564562Sgshapiro 154664562SgshapiroThis would deliver mail for tom@example.com to thomas@mailhost.example.com. 154764562Sgshapiro 154864562Sgshapiro dn: uid=dick, o=example.com, c=US 154964562Sgshapiro objectClass: inetLocalMailRecipient 155064562Sgshapiro mailLocalAddress: dick@example.com 155164562Sgshapiro mailHost: eng.example.com 155264562Sgshapiro 155364562SgshapiroThis would relay mail for dick@example.com to the same address but redirect 155464562Sgshapirothe mail to MX records listed for the host eng.example.com. 155564562Sgshapiro 155664562Sgshapiro dn: uid=harry, o=example.com, c=US 155764562Sgshapiro objectClass: inetLocalMailRecipient 155864562Sgshapiro mailLocalAddress: harry@example.com 155964562Sgshapiro mailHost: mktmail.example.com 156064562Sgshapiro mailRoutingAddress: harry@mkt.example.com 156164562Sgshapiro 156264562SgshapiroThis would relay mail for harry@example.com to the MX records listed for 156364562Sgshapirothe host mktmail.example.com using the new address harry@mkt.example.com 156464562Sgshapirowhen talking to that host. 156564562Sgshapiro 156664562Sgshapiro dn: uid=virtual.example.com, o=example.com, c=US 156764562Sgshapiro objectClass: inetLocalMailRecipient 156864562Sgshapiro mailLocalAddress: @virtual.example.com 156964562Sgshapiro mailHost: server.example.com 157064562Sgshapiro mailRoutingAddress: virtual@example.com 157164562Sgshapiro 157264562SgshapiroThis would send all mail destined for any username @virtual.example.com to 157364562Sgshapirothe machine server.example.com's MX servers and deliver to the address 157464562Sgshapirovirtual@example.com on that relay machine. 157564562Sgshapiro 157664562Sgshapiro 157738032Speter+---------------------------------+ 157838032Speter| ANTI-SPAM CONFIGURATION CONTROL | 157938032Speter+---------------------------------+ 158038032Speter 158138032SpeterThe primary anti-spam features available in sendmail are: 158238032Speter 158338032Speter* Relaying is denied by default. 158438032Speter* Better checking on sender information. 158538032Speter* Access database. 158638032Speter* Header checks. 158738032Speter 158864562SgshapiroRelaying (transmission of messages from a site outside your host (class 158964562Sgshapiro{w}) to another site except yours) is denied by default. Note that this 159064562Sgshapirochanged in sendmail 8.9; previous versions allowed relaying by default. 159164562SgshapiroIf you really want to revert to the old behaviour, you will need to use 159264562SgshapiroFEATURE(`promiscuous_relay'). You can allow certain domains to relay 159364562Sgshapirothrough your server by adding their domain name or IP address to class 159464562Sgshapiro{R} using RELAY_DOMAIN() and RELAY_DOMAIN_FILE() or via the access database 159564562Sgshapiro(described below). The file consists (like any other file based class) 159664562Sgshapiroof entries listed on separate lines, e.g., 159738032Speter 159864562Sgshapiro sendmail.org 159964562Sgshapiro 128.32 160064562Sgshapiro 1:2:3:4:5:6:7 160164562Sgshapiro host.mydomain.com 160264562Sgshapiro 160338032SpeterIf you use 160438032Speter 160543730Speter FEATURE(`relay_entire_domain') 160638032Speter 160764562Sgshapirothen any host in any of your local domains (that is, class {m}) 160842575Speterwill be relayed (that is, you will accept mail either to or from any 160942575Speterhost in your domain). 161038032Speter 161138032SpeterYou can also allow relaying based on the MX records of the host 161238032Speterportion of an incoming recipient address by using 161338032Speter 161443730Speter FEATURE(`relay_based_on_MX') 161538032Speter 161638032SpeterFor example, if your server receives a recipient of user@domain.com 161738032Speterand domain.com lists your server in its MX records, the mail will be 161842575Speteraccepted for relay to domain.com. Note that this will stop spammers 161942575Speterfrom using your host to relay spam but it will not stop outsiders from 162042575Speterusing your server as a relay for their site (that is, they set up an 162142575SpeterMX record pointing to your mail server, and you will relay mail addressed 162242575Speterto them without any prior arrangement). Along the same lines, 162338032Speter 162443730Speter FEATURE(`relay_local_from') 162538032Speter 162638032Speterwill allow relaying if the sender specifies a return path (i.e. 162738032SpeterMAIL FROM: <user@domain>) domain which is a local domain. This a 162838032Speterdangerous feature as it will allow spammers to spam using your mail 162938032Speterserver by simply specifying a return address of user@your.domain.com. 163038032SpeterIt should not be used unless absolutely necessary. 163164562SgshapiroA slightly better solution is 163238032Speter 163364562Sgshapiro FEATURE(`relay_mail_from') 163464562Sgshapiro 163564562Sgshapirowhich allows relaying if the mail sender is listed as RELAY in the 163664562Sgshapiroaccess map. If an optional argument `domain' is given, the domain 163764562Sgshapiroportion of the mail sender is also checked to allowing relaying. 163864562SgshapiroThis option only works together with the tag From: for the LHS of 163964562Sgshapirothe access map entries (see below: Finer control...). 164064562Sgshapiro 164164562Sgshapiro 164238032SpeterIf source routing is used in the recipient address (i.e. 164338032SpeterRCPT TO: <user%site.com@othersite.com>), sendmail will check 164438032Speteruser@site.com for relaying if othersite.com is an allowed relay host 164564562Sgshapiroin either class {R}, class {m} if FEATURE(`relay_entire_domain') is used, 164643730Speteror the access database if FEATURE(`access_db') is used. To prevent 164738032Speterthe address from being stripped down, use: 164838032Speter 164943730Speter FEATURE(`loose_relay_check') 165038032Speter 165138032SpeterIf you think you need to use this feature, you probably do not. This 165238032Spetershould only be used for sites which have no control over the addresses 165338032Speterthat they provide a gateway for. Use this FEATURE with caution as it 165438032Spetercan allow spammers to relay through your server if not setup properly. 165538032Speter 165664562SgshapiroNOTICE: It is possible to relay mail through a system which the anti-relay 165764562Sgshapirorules do not prevent: the case of a system that does use FEATURE(`nouucp', 165864562Sgshapiro`nospecial') (system A) and relays local messages to a mail hub (e.g., via 165964562SgshapiroLOCAL_RELAY or LUSER_RELAY) (system B). If system B doesn't use 166064562SgshapiroFEATURE(`nouucp') at all, addresses of the form 166164562Sgshapiro<example.net!user@local.host> would be relayed to <user@example.net>. 166264562SgshapiroSystem A doesn't recognize `!' as an address separator and therefore 166364562Sgshapiroforwards it to the mail hub which in turns relays it because it came from 166464562Sgshapiroa trusted local host. So if a mailserver allows UUCP (bang-format) 166564562Sgshapiroaddresses, all systems from which it allows relaying should do the same 166664562Sgshapiroor reject those addresses. 166764562Sgshapiro 166838032SpeterAs of 8.9, sendmail will refuse mail if the MAIL FROM: parameter has 166938032Speteran unresolvable domain (i.e., one that DNS, your local name service, 167038032Speteror special case rules in ruleset 3 cannot locate). If you want to 167164562Sgshapirocontinue to accept such domains, e.g., because you are inside a 167238032Speterfirewall that has only a limited view of the Internet host name space 167338032Speter(note that you will not be able to return mail to them unless you have 167438032Spetersome "smart host" forwarder), use 167538032Speter 167643730Speter FEATURE(`accept_unresolvable_domains') 167738032Speter 167838032Spetersendmail will also refuse mail if the MAIL FROM: parameter is not 167938032Speterfully qualified (i.e., contains a domain as well as a user). If you 168038032Speterwant to continue to accept such senders, use 168138032Speter 168243730Speter FEATURE(`accept_unqualified_senders') 168338032Speter 168464562SgshapiroSetting the DaemonPortOptions modifier 'u' overrides the default behavior, 168564562Sgshapiroi.e., unqualified addresses are accepted even without this FEATURE. If 168664562Sgshapirothis FEATURE is not used, the DaemonPortOptions modifier 'f' can be used 168764562Sgshapiroto enforce fully qualified addresses. 168864562Sgshapiro 168938032SpeterAn ``access'' database can be created to accept or reject mail from 169038032Speterselected domains. For example, you may choose to reject all mail 169138032Speteroriginating from known spammers. To enable such a database, use 169238032Speter 169343730Speter FEATURE(`access_db') 169438032Speter 169538032SpeterThe FEATURE macro can accept a second parameter giving the key file 169638032Speterdefinition for the database; for example 169738032Speter 169864562Sgshapiro FEATURE(`access_db', `hash /etc/mail/access') 169938032Speter 170042575SpeterRemember, since /etc/mail/access is a database, after creating the text 170142575Speterfile as described below, you must use makemap to create the database 170242575Spetermap. For example: 170342575Speter 170443730Speter makemap hash /etc/mail/access < /etc/mail/access 170542575Speter 170638032SpeterThe table itself uses e-mail addresses, domain names, and network 170738032Speternumbers as keys. For example, 170838032Speter 170938032Speter spammer@aol.com REJECT 171038032Speter cyberspammer.com REJECT 171142575Speter 192.168.212 REJECT 171238032Speter 171338032Speterwould refuse mail from spammer@aol.com, any user from cyberspammer.com 171438032Speter(or any host within the cyberspammer.com domain), and any host on the 171542575Speter192.168.212.* network. 171638032Speter 171738032SpeterThe value part of the map can contain: 171838032Speter 171942575Speter OK Accept mail even if other rules in the 172042575Speter running ruleset would reject it, for example, 172142575Speter if the domain name is unresolvable. 172242575Speter RELAY Accept mail addressed to the indicated domain or 172342575Speter received from the indicated domain for relaying 172442575Speter through your SMTP server. RELAY also serves as 172542575Speter an implicit OK for the other checks. 172642575Speter REJECT Reject the sender or recipient with a general 172738032Speter purpose message. 172842575Speter DISCARD Discard the message completely using the 172971345Sgshapiro $#discard mailer. If it is used in check_compat, 173071345Sgshapiro it affects only the designated recipient, not 173171345Sgshapiro the whole message as it does in all other cases. 173271345Sgshapiro This should only be used if really necessary. 173366494Sgshapiro ### any text where ### is an RFC 821 compliant error code and 173466494Sgshapiro "any text" is a message to return for the command. 173566494Sgshapiro The string should be quoted to avoid surprises, 173666494Sgshapiro e.g., sendmail may remove spaces otherwise. 173764562Sgshapiro ERROR:### any text 173864562Sgshapiro as above, but useful to mark error messages as such. 173964562Sgshapiro ERROR:D.S.N:### any text 174064562Sgshapiro where D.S.N is an RFC 1893 compliant error code 174164562Sgshapiro and the rest as above. 174238032Speter 174338032SpeterFor example: 174438032Speter 174566494Sgshapiro cyberspammer.com ERROR:"550 We don't accept mail from spammers" 174638032Speter okay.cyberspammer.com OK 174764562Sgshapiro sendmail.org RELAY 174838032Speter 128.32 RELAY 174964562Sgshapiro 1:2:3:4:5:6:7 RELAY 175064562Sgshapiro [127.0.0.3] OK 175164562Sgshapiro [1:2:3:4:5:6:7:8] OK 175238032Speter 175364562Sgshapirowould accept mail from okay.cyberspammer.com, but would reject mail from 175464562Sgshapiroall other hosts at cyberspammer.com with the indicated message. It would 175564562Sgshapiroallow relaying mail from and to any hosts in the sendmail.org domain, and 175664562Sgshapiroallow relaying from the 128.32.*.* network and the IPv6 1:2:3:4:5:6:7:* 175764562Sgshapironetwork. The latter two entries are for checks against ${client_name} if 175864562Sgshapirothe IP address doesn't resolve to a hostname (or is considered as "may be 175964562Sgshapiroforged"). 176038032Speter 176164562SgshapiroWarning: if you change the RFC 821 compliant error code from the default 176264562Sgshapirovalue of 550, then you should probably also change the RFC 1893 compliant 176364562Sgshapiroerror code to match it. For example, if you use 176464562Sgshapiro 176564562Sgshapiro user@example.com 450 mailbox full 176664562Sgshapiro 176764562Sgshapirothe error returned would be "450 4.0.0 mailbox full" which is wrong. 176864562SgshapiroUse "450 4.2.2 mailbox full" or "ERROR:4.2.2:450 mailbox full" 176964562Sgshapiroinstead. 177064562Sgshapiro 177164562SgshapiroNote, UUCP users may need to add hostname.UUCP to the access database 177264562Sgshapiroor class {R}. If you also use: 177364562Sgshapiro 177443730Speter FEATURE(`relay_hosts_only') 177538032Speter 177638032Speterthen the above example will allow relaying for sendmail.org, but not 177738032Speterhosts within the sendmail.org domain. Note that this will also require 177864562Sgshapirohosts listed in class {R} to be fully qualified host names. 177938032Speter 178038032SpeterYou can also use the access database to block sender addresses based on 178138032Speterthe username portion of the address. For example: 178238032Speter 178366494Sgshapiro FREE.STEALTH.MAILER@ ERROR:550 Spam not accepted 178438032Speter 178538032SpeterNote that you must include the @ after the username to signify that 178638032Speterthis database entry is for checking only the username portion of the 178738032Spetersender address. 178838032Speter 178938032SpeterIf you use: 179038032Speter 179143730Speter FEATURE(`blacklist_recipients') 179238032Speter 179338032Speterthen you can add entries to the map for local users, hosts in your 179438032Speterdomains, or addresses in your domain which should not receive mail: 179538032Speter 179666494Sgshapiro badlocaluser@ ERROR:550 Mailbox disabled for this username 179766494Sgshapiro host.mydomain.com ERROR:550 That host does not accept mail 179866494Sgshapiro user@otherhost.mydomain.com ERROR:550 Mailbox disabled for this recipient 179938032Speter 180038032SpeterThis would prevent a recipient of badlocaluser@mydomain.com, any 180138032Speteruser at host.mydomain.com, and the single address 180264562Sgshapirouser@otherhost.mydomain.com from receiving mail. Please note: a 180364562Sgshapirolocal username must be now tagged with an @ (this is consistent 180464562Sgshapirowith the check of the sender address, and hence it is possible to 180564562Sgshapirodistinguish between hostnames and usernames). Enabling this feature 180664562Sgshapirowill keep you from sending mails to all addresses that have an 180764562Sgshapiroerror message or REJECT as value part in the access map. Taking 180864562Sgshapirothe example from above: 180938032Speter 181042575Speter spammer@aol.com REJECT 181142575Speter cyberspammer.com REJECT 181242575Speter 181342575SpeterMail can't be sent to spammer@aol.com or anyone at cyberspammer.com. 181442575Speter 181538032SpeterThere is also a ``Realtime Blackhole List'' run by the MAPS project 181638032Speterat http://maps.vix.com/. This is a database maintained in DNS of 181738032Speterspammers. To use this database, use 181838032Speter 181964562Sgshapiro FEATURE(`dnsbl') 182038032Speter 182138032SpeterThis will cause sendmail to reject mail from any site in the 182238032SpeterRealtime Blackhole List database. You can specify an alternative 182364562SgshapiroRBL domain to check by specifying an argument to the FEATURE. 182471345SgshapiroThe default error message is 182538032Speter 182671345Sgshapiro Mail from $&{client_addr} refused by blackhole site DOMAIN 182771345Sgshapiro 182871345Sgshapirowhere DOMAIN is the first argument of the feature. A second argument 182971345Sgshapirocan be used to specify a different text. This FEATURE can be 183071345Sgshapiroincluded several times to query different DNS based rejection lists, 183171345Sgshapiroe.g., the dial-up user list (see http://maps.vix.com/dul/). 183271345Sgshapiro 183338032SpeterThe features described above make use of the check_relay, check_mail, 183438032Speterand check_rcpt rulesets. If you wish to include your own checks, 183538032Speteryou can put your checks in the rulesets Local_check_relay, 183638032SpeterLocal_check_mail, and Local_check_rcpt. For example if you wanted to 183738032Speterblock senders with all numeric usernames (i.e. 2312343@bigisp.com), 183838032Speteryou would use Local_check_mail and the new regex map: 183938032Speter 184064562Sgshapiro LOCAL_CONFIG 184164562Sgshapiro Kallnumbers regex -a@MATCH ^[0-9]+$ 184264562Sgshapiro 184364562Sgshapiro LOCAL_RULESETS 184464562Sgshapiro SLocal_check_mail 184564562Sgshapiro # check address against various regex checks 184638032Speter R$* $: $>Parse0 $>3 $1 184764562Sgshapiro R$+ < @ bigisp.com. > $* $: $(allnumbers $1 $) 184864562Sgshapiro R@MATCH $#error $: 553 Header Error 184938032Speter 185038032SpeterThese rules are called with the original arguments of the corresponding 185138032Spetercheck_* ruleset. If the local ruleset returns $#OK, no further checking 185238032Speteris done by the features described above and the mail is accepted. If the 185338032Speterlocal ruleset resolves to a mailer (such as $#error or $#discard), the 185438032Speterappropriate action is taken. Otherwise, the results of the local 185538032Speterrewriting are ignored. 185638032Speter 185764562SgshapiroFiner control by using tags for the LHS of the access map 185838032Speter 185964562SgshapiroRead this section only if the options listed so far are not sufficient 186064562Sgshapirofor your purposes. There is now the option to tag entries in the 186164562Sgshapiroaccess map according to their type. Three tags are available: 186264562Sgshapiro 186364562Sgshapiro Connect: connection information (${client_addr}, ${client_name}) 186473188Sgshapiro From: envelope sender 186573188Sgshapiro To: envelope recipient 186664562Sgshapiro 186764562SgshapiroIf the required item is looked up in a map, it will be tried first 186864562Sgshapirowith the corresponding tag in front, then (as fallback to enable 186964562Sgshapirobackward compatibility) without any tag. For example, 187064562Sgshapiro 187164562Sgshapiro From:spammer@some.dom REJECT 187264562Sgshapiro To:friend.domain RELAY 187364562Sgshapiro Connect:friend.domain OK 187464562Sgshapiro Connect:from.domain RELAY 187564562Sgshapiro From:good@another.dom OK 187664562Sgshapiro From:another.dom REJECT 187764562Sgshapiro 187864562SgshapiroThis would deny mails from spammer@some.dom but you could still 187964562Sgshapirosend mail to that address even if FEATURE(`blacklist_recipients') 188064562Sgshapirois enabled. Your system will allow relaying to friend.domain, but 188164562Sgshapironot from it (unless enabled by other means). Connections from that 188264562Sgshapirodomain will be allowed even if it ends up in one of the DNS based 188364562Sgshapirorejection lists. Relaying is enabled from from.domain but not to 188464562Sgshapiroit (since relaying is based on the connection information for 188564562Sgshapirooutgoing relaying, the tag Connect: must be used; for incoming 188664562Sgshapirorelaying, which is based on the recipient address, To: must be 188764562Sgshapiroused). The last two entries allow mails from good@another.dom but 188864562Sgshapiroreject mail from all other addresses with another.dom as domain 188964562Sgshapiropart. 189064562Sgshapiro 189164562SgshapiroDelay all checks 189264562Sgshapiro 189364562SgshapiroBy using FEATURE(`delay_checks') the rulesets check_mail and check_relay 189464562Sgshapirowill not be called when a client connects or issues a MAIL command, 189564562Sgshapirorespectively. Instead, those rulesets will be called by the check_rcpt 189664562Sgshapiroruleset; they will be skipped if a sender has been authenticated using 189764562Sgshapiroa "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH(). 189864562SgshapiroIf check_mail returns an error then the RCPT TO command will be rejected 189964562Sgshapirowith that error. If it returns some other result starting with $# then 190064562Sgshapirocheck_relay will be skipped. If the sender address (or a part of it) is 190164562Sgshapirolisted in the access map and it has a RHS of OK or RELAY, then check_relay 190264562Sgshapirowill be skipped. This has an interesting side effect: if your domain is 190364562Sgshapiromy.domain and you have 190464562Sgshapiro 190564562Sgshapiro my.domain RELAY 190664562Sgshapiro 190764562Sgshapiroin the access map, then all e-mail with a sender address of 190864562Sgshapiro<user@my.domain> gets through, even if check_relay would reject it 190964562Sgshapiro(e.g., based on the hostname or IP address). This allows spammers 191064562Sgshapiroto get around DNS based blacklist by faking the sender address. To 191164562Sgshapiroavoid this problem you have to use tagged entries: 191264562Sgshapiro 191364562Sgshapiro To:my.domain RELAY 191464562Sgshapiro Connect:my.domain RELAY 191564562Sgshapiro 191664562Sgshapiroif you need those entries at all (class {R} may take care of them). 191773188Sgshapiro 191864562SgshapiroFEATURE(`delay_checks') can take an optional argument: 191964562Sgshapiro 192064562Sgshapiro FEATURE(`delay_checks', `friend') 192164562Sgshapiro enables spamfriend test 192264562Sgshapiro FEATURE(`delay_checks', `hater') 192364562Sgshapiro enables spamhater test 192464562Sgshapiro 192564562SgshapiroIf such an argument is given, the recipient will be looked up in the access 192664562Sgshapiromap (using the tag To:). If the argument is `friend', then the other 192764562Sgshapirorulesets will be skipped if the recipient address is found and has RHS 192864562Sgshapirospamfriend. If the argument is `hater', then the other rulesets will be 192964562Sgshapiroapplied if the recipient address is found and has RHS spamhater. 193064562Sgshapiro 193164562SgshapiroThis allows for simple exceptions from the tests, e.g., by activating 193264562Sgshapirothe spamfriend option and having 193364562Sgshapiro 193464562Sgshapiro To:abuse@ SPAMFRIEND 193564562Sgshapiro 193664562Sgshapiroin the access map, mail to abuse@localdomain will get through. It is 193764562Sgshapiroalso possible to specify a full address or an address with +detail: 193864562Sgshapiro 193964562Sgshapiro To:abuse@abuse.my.domain SPAMFRIEND 194064562Sgshapiro To:me+abuse@ SPAMFRIEND 194164562Sgshapiro 194264562Sgshapiro 194364562SgshapiroHeader Checks 194464562Sgshapiro 194538032SpeterYou can also reject mail on the basis of the contents of headers. 194638032SpeterThis is done by adding a ruleset call to the 'H' header definition command 194738032Speterin sendmail.cf. For example, this can be used to check the validity of 194838032Spetera Message-ID: header: 194938032Speter 195038032Speter LOCAL_RULESETS 195138032Speter HMessage-Id: $>CheckMessageId 195238032Speter 195338032Speter SCheckMessageId 195438032Speter R< $+ @ $+ > $@ OK 195538032Speter R$* $#error $: 553 Header Error 195638032Speter 195764562SgshapiroThe alternative format: 195838032Speter 195964562Sgshapiro HSubject: $>+CheckSubject 196042575Speter 196164562Sgshapirothat is, $>+ instead of $>, gives the full Subject: header including 196264562Sgshapirocomments to the ruleset (comments in parentheses () are stripped 196364562Sgshapiroby default). 196442575Speter 196564562SgshapiroA default ruleset for headers which don't have a specific ruleset 196664562Sgshapirodefined for them can be given by: 196742575Speter 196864562Sgshapiro H*: $>CheckHdr 196943730Speter 197073188SgshapiroNotice: All rules act on tokens as explained in doc/op/op.{me,ps,txt}. 197173188SgshapiroThat may cause problems with simple header checks due to the 197273188Sgshapirotokenization. It might be simpler to use a regex map and apply it 197373188Sgshapiroto $&{currHeader}. 197473188Sgshapiro 197564562SgshapiroAfter all of the headers are read, the check_eoh ruleset will be called for 197664562Sgshapiroany final header-related checks. The ruleset is called with the number of 197764562Sgshapiroheaders and the size of all of the headers in bytes separated by $|. One 197864562Sgshapiroexample usage is to reject messages which do not have a Message-Id: 197964562Sgshapiroheader. However, the Message-Id: header is *NOT* a required header and is 198064562Sgshapironot a guaranteed spam indicator. This ruleset is an example and should 198164562Sgshapiroprobably not be used in production. 198264562Sgshapiro 198364562Sgshapiro LOCAL_CONFIG 198464562Sgshapiro Kstorage macro 198564562Sgshapiro 198664562Sgshapiro LOCAL_RULESETS 198764562Sgshapiro HMessage-Id: $>CheckMessageId 198864562Sgshapiro 198964562Sgshapiro SCheckMessageId 199064562Sgshapiro # Record the presence of the header 199164562Sgshapiro R$* $: $(storage {MessageIdCheck} $@ OK $) $1 199264562Sgshapiro R< $+ @ $+ > $@ OK 199364562Sgshapiro R$* $#error $: 553 Header Error 199464562Sgshapiro 199564562Sgshapiro Scheck_eoh 199664562Sgshapiro # Check the macro 199764562Sgshapiro R$* $: < $&{MessageIdCheck} > 199864562Sgshapiro # Clear the macro for the next message 199964562Sgshapiro R$* $: $(storage {MessageIdCheck} $) $1 200064562Sgshapiro # Has a Message-Id: header 200164562Sgshapiro R< $+ > $@ OK 200264562Sgshapiro # Allow missing Message-Id: from local mail 200364562Sgshapiro R$* $: < $&{client_name} > 200464562Sgshapiro R< > $@ OK 200564562Sgshapiro R< $=w > $@ OK 200664562Sgshapiro # Otherwise, reject the mail 200764562Sgshapiro R$* $#error $: 553 Header Error 200864562Sgshapiro 200966494Sgshapiro+----------+ 201066494Sgshapiro| STARTTLS | 201166494Sgshapiro+----------+ 201264562Sgshapiro 201364562SgshapiroIn this text, cert will be used as an abreviation for X.509 certificate, 201464562SgshapiroDN is the distinguished name of a cert, and CA is a certification authority. 201564562Sgshapiro 201664562SgshapiroMacros related to STARTTLS are: 201764562Sgshapiro 201864562Sgshapiro${cert_issuer} holds the DN of the CA (the cert issuer). 201964562Sgshapiro${cert_subject} holds the DN of the cert (called the cert subject). 202064562Sgshapiro${tls_version} the TLS/SSL version used for the connection, e.g., TLSv1, 202164562Sgshapiro SSLv3, SSLv2. 202264562Sgshapiro${cipher} the cipher used for the connection, e.g., EDH-DSS-DES-CBC3-SHA, 202364562Sgshapiro EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA. 202464562Sgshapiro${cipher_bits} the keylength (in bits) of the symmetric encryption algorithm 202564562Sgshapiro used for the connection. 202664562Sgshapiro${verify} holds the result of the verification of the presented cert. Possible 202764562Sgshapiro values are: 202864562Sgshapiro OK verification succeeded. 202964562Sgshapiro NO no cert presented. 203064562Sgshapiro FAIL cert presented but could not be verified, e.g., the signing 203164562Sgshapiro CA is missing. 203264562Sgshapiro NONE STARTTLS has not been performed. 203364562Sgshapiro TEMP temporary error occurred. 203464562Sgshapiro PROTOCOL some protocol error occurred. 203564562Sgshapiro SOFTWARE STARTTLS handshake failed. 203664562Sgshapiro${server_name} the name of the server of the current outgoing SMTP 203764562Sgshapiro connection. 203864562Sgshapiro${server_addr} the address of the server of the current outgoing SMTP 203964562Sgshapiro connection. 204064562Sgshapiro 204164562SgshapiroRelaying 204264562Sgshapiro 204364562SgshapiroSMTP STARTTLS can allow relaying for senders who have successfully 204464562Sgshapiroauthenticated themselves. This is done in the ruleset RelayAuth. If the 204564562Sgshapiroverification of the cert failed (${verify} != OK), relaying is subject to 204664562Sgshapirothe usual rules. Otherwise the DN of the issuer is looked up in the access 204764562Sgshapiromap using the tag CERTISSUER. If the resulting value is RELAY, relaying is 204864562Sgshapiroallowed. If it is SUBJECT, the DN of the cert subject is looked up next in 204964562Sgshapirothe access map. using the tag CERTSUBJECT. If the value is RELAY, relaying 205064562Sgshapirois allowed. 205164562Sgshapiro 205264562SgshapiroTo make things a bit more flexible (or complicated), the values for 205364562Sgshapiro${cert_issuer} and ${cert_subject} can be optionally modified by regular 205464562Sgshapiroexpressions defined in the m4 variables _CERT_REGEX_ISSUER_ and 205564562Sgshapiro_CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in 205664562Sgshapirorulesets and map lookups, they are modified as follows: each non-printable 205764562Sgshapirocharacter and the characters '<', '>', '(', ')', '"', '+' are replaced by 205864562Sgshapirotheir HEX value with a leading '+'. For example: 205964562Sgshapiro 206064562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email= 206164562Sgshapirodarth+cert@endmail.org 206264562Sgshapiro 206364562Sgshapirois encoded as: 206464562Sgshapiro 206564562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 206664562SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 206764562Sgshapiro 206864562Sgshapiro(line breaks have been inserted for readability). 206964562Sgshapiro 207064562SgshapiroOf course it is also possible to write a simple rulesets that allows 207164562Sgshapirorelaying for everyone who can present a cert that can be verified, e.g., 207264562Sgshapiro 207364562SgshapiroLOCAL_RULESETS 207464562SgshapiroSLocal_check_rcpt 207564562SgshapiroR$* $: $&{verify} 207664562SgshapiroROK $# OK 207764562Sgshapiro 207864562SgshapiroAllowing Connections 207964562Sgshapiro 208064562SgshapiroThe rulesets tls_server and tls_client are used to decide whether an SMTP 208164562Sgshapiroconnection is accepted (or should continue). 208264562Sgshapiro 208364562Sgshapirotls_server is called when sendmail acts as client after a STARTTLS command 208464562Sgshapiro(should) have been issued. The parameter is the value of ${verify}. 208564562Sgshapiro 208664562Sgshapirotls_client is called when sendmail acts as server, after a STARTTLS command 208764562Sgshapirohas been issued, and from check_mail. The parameter is the value of 208864562Sgshapiro${verify} and STARTTLS or MAIL, respectively. 208964562Sgshapiro 209064562SgshapiroBoth rulesets behave the same. If no access map is in use, the connection 209164562Sgshapirowill be accepted unless ${verify} is SOFTWARE, in which case the connection 209264562Sgshapirois always aborted. Otherwise, ${client_name} (${server_name}) is looked 209364562Sgshapiroup in the access map using the tag TLS_Srv (or TLS_Clt), which is done 209464562Sgshapirowith the ruleset LookUpDomain. If no entry is found, ${client_addr} 209564562Sgshapiro(${server_addr}) is looked up in the access map (same tag, ruleset 209664562SgshapiroLookUpAddr). If this doesn't result in an entry either, just the tag is 209764562Sgshapirolooked up in the access map (included the trailing :). The result of the 209864562Sgshapirolookups is then used to call the ruleset tls_connection, which checks the 209964562Sgshapirorequirement specified by the RHS in the access map against the actual 210064562Sgshapiroparameters of the current TLS connection, esp. ${verify} and 210164562Sgshapiro${cipher_bits}. Legal RHSs in the access map are: 210264562Sgshapiro 210364562SgshapiroVERIFY verification must have succeeded 210464562SgshapiroVERIFY:bits verification must have succeeded and ${cipher_bits} must 210564562Sgshapiro be greater than or equal bits. 210664562SgshapiroENCR:bits ${cipher_bits} must be greater than or equal bits. 210764562Sgshapiro 210864562SgshapiroThe RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary 210964562Sgshapiroor permanent error. The default is a temporary error code (403 4.7.0) 211064562Sgshapirounless the macro TLS_PERM_ERR is set during generation of the .cf file. 211164562Sgshapiro 211264562SgshapiroIf a certain level of encryption is required, then it might also be 211364562Sgshapiropossible that this level is provided by the security layer from a SASL 211464562Sgshapiroalgorithm, e.g., DIGEST-MD5. 211564562Sgshapiro 211664562SgshapiroExample: e-mail send to secure.example.com should only use an encrypted 211764562Sgshapiroconnection. e-mail received from hosts within the laptop.example.com domain 211864562Sgshapiroshould only be accepted if they have been authenticated. 211964562SgshapiroTLS_Srv:secure.example.com ENCR:112 212064562SgshapiroTLS_Clt:laptop.example.com PERM+VERIFY:112 212164562Sgshapiro 212273188SgshapiroNotice: requiring that e-mail is sent to a server only encrypted, 212373188Sgshapiroe.g., via 212473188Sgshapiro 212573188SgshapiroTLS_Srv:secure.domain ENCR:112 212673188Sgshapiro 212773188Sgshapirodoesn't necessarily mean that e-mail sent to that domain is encrypted. 212873188SgshapiroIf the domain has multiple MX servers, e.g., 212973188Sgshapiro 213073188Sgshapirosecure.domain. IN MX 10 mail.secure.domain. 213173188Sgshapirosecure.domain. IN MX 50 mail.other.domain. 213273188Sgshapiro 213373188Sgshapirothen mail to user@secure.domain may go unencrypted to mail.other.domain. 213473188Sgshapiro 213573188Sgshapiro 213664562SgshapiroReceived: Header 213764562Sgshapiro 213864562SgshapiroThe Received: header reveals whether STARTTLS has been used. It contains an 213964562Sgshapiroextra line: 214064562Sgshapiro 214164562Sgshapiro(using ${tls_version} with cipher ${cipher} (${cipher_bits} bits) verified ${verify}) 214264562Sgshapiro 214366494Sgshapiro+---------------------+ 214466494Sgshapiro| SMTP AUTHENTICATION | 214566494Sgshapiro+---------------------+ 214664562Sgshapiro 214764562SgshapiroThe macros ${auth_authen}, ${auth_author}, and ${auth_type} can be 214864562Sgshapiroused in anti-relay rulesets to allow relaying for those users that 214964562Sgshapiroauthenticated themselves. A very simple example is: 215064562Sgshapiro 215164562SgshapiroSLocal_check_rcpt 215264562SgshapiroR$* $: $&{auth_type} 215364562SgshapiroR$+ $# OK 215464562Sgshapiro 215564562Sgshapirowhich checks whether a user has successfully authenticated using 215664562Sgshapiroany available mechanism. Depending on the setup of the CYRUS SASL 215764562Sgshapirolibrary, more sophisticated rulesets might be required, e.g., 215864562Sgshapiro 215964562SgshapiroSLocal_check_rcpt 216064562SgshapiroR$* $: $&{auth_type} $| $&{auth_authen} 216164562SgshapiroRDIGEST-MD5 $| $+@$=w $# OK 216264562Sgshapiro 216364562Sgshapiroto allow relaying for users that authenticated using DIGEST-MD5 216464562Sgshapiroand have an identity in the local domains. 216564562Sgshapiro 216664562SgshapiroThe ruleset Strust_auth is used to determine whether a given AUTH= 216764562Sgshapiroparameter (that is passed to this ruleset) should be trusted. This 216864562Sgshapiroruleset may make use of the other ${auth_*} macros. Only if the 216964562Sgshapiroruleset resolves to the error mailer, the AUTH= parameter is not 217064562Sgshapirotrusted. A user supplied ruleset Local_trust_auth can be written 217164562Sgshapiroto modify the default behavior, which only trust the AUTH= 217264562Sgshapiroparameter if it is identical to the authenticated user. 217364562Sgshapiro 217464562SgshapiroPer default, relaying is allowed for any user who authenticated 217564562Sgshapirovia a "trusted" mechanism, i.e., one that is defined via 217664562SgshapiroTRUST_AUTH_MECH(`list of mechanisms') 217771345SgshapiroFor example: 217871345SgshapiroTRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5') 217964562Sgshapiro 218064562SgshapiroIf the selected mechanism provides a security layer the number of 218164562Sgshapirobits used for the key of the symmetric cipher is stored in the 218264562Sgshapiromacro ${auth_ssf}. 218364562Sgshapiro 218464562Sgshapiro+--------------------------------+ 218538032Speter| ADDING NEW MAILERS OR RULESETS | 218638032Speter+--------------------------------+ 218738032Speter 218838032SpeterSometimes you may need to add entirely new mailers or rulesets. They 218938032Spetershould be introduced with the constructs MAILER_DEFINITIONS and 219038032SpeterLOCAL_RULESETS respectively. For example: 219138032Speter 219238032Speter MAILER_DEFINITIONS 219338032Speter Mmymailer, ... 219438032Speter ... 219538032Speter 219638032Speter LOCAL_RULESETS 219738032Speter Smyruleset 219838032Speter ... 219938032Speter 220038032Speter 220164562Sgshapiro#if _FFR_MILTER 220271345Sgshapiro+-------------------------+ 220371345Sgshapiro| ADDING NEW MAIL FILTERS | 220471345Sgshapiro+-------------------------+ 220564562Sgshapiro 220664562SgshapiroSendmail supports mail filters to filter incoming SMTP messages according 220764562Sgshapiroto the "Sendmail Mail Filter API" documentation. These filters can be 220864562Sgshapiroconfigured in your mc file using the two commands: 220964562Sgshapiro 221064562Sgshapiro MAIL_FILTER(`name', `equates') 221164562Sgshapiro INPUT_MAIL_FILTER(`name', `equates') 221264562Sgshapiro 221364562SgshapiroThe first command, MAIL_FILTER(), simply defines a filter with the given 221464562Sgshapironame and equates. For example: 221564562Sgshapiro 221664562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 221764562Sgshapiro 221864562SgshapiroThis creates the equivalent sendmail.cf entry: 221964562Sgshapiro 222064562Sgshapiro Xarchive, S=local:/var/run/archivesock, F=R 222164562Sgshapiro 222264562SgshapiroThe INPUT_MAIL_FILTER() command performs the same actions as MAIL_FILTER 222364562Sgshapirobut also populates the m4 variable `confINPUT_MAIL_FILTERS' with the name 222464562Sgshapiroof the filter such that the filter will actually be called by sendmail. 222564562Sgshapiro 222664562SgshapiroFor example, the two commands: 222764562Sgshapiro 222864562Sgshapiro INPUT_MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 222964562Sgshapiro INPUT_MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 223064562Sgshapiro 223164562Sgshapiroare equivalent to the three commands: 223264562Sgshapiro 223364562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 223464562Sgshapiro MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 223564562Sgshapiro define(`confINPUT_MAIL_FILTERS', `archive, spamcheck') 223664562Sgshapiro 223764562SgshapiroIn general, INPUT_MAIL_FILTER() should be used unless you need to define 223864562Sgshapiromore filters than you want to use for `confINPUT_MAIL_FILTERS'. 223964562Sgshapiro 224064562SgshapiroNote that setting `confINPUT_MAIL_FILTERS' after any INPUT_MAIL_FILTER() 224164562Sgshapirocommands will clear the list created by the prior INPUT_MAIL_FILTER() 224264562Sgshapirocommands. 224364562Sgshapiro#endif /* _FFR_MILTER */ 224464562Sgshapiro 224564562Sgshapiro 224638032Speter+-------------------------------+ 224738032Speter| NON-SMTP BASED CONFIGURATIONS | 224838032Speter+-------------------------------+ 224938032Speter 225064562SgshapiroThese configuration files are designed primarily for use by 225164562SgshapiroSMTP-based sites. They may not be well tuned for UUCP-only or 225238032SpeterUUCP-primarily nodes (the latter is defined as a small local net 225364562Sgshapiroconnected to the rest of the world via UUCP). However, there is 225464562Sgshapiroone hook to handle some special cases. 225538032Speter 225638032SpeterYou can define a ``smart host'' that understands a richer address syntax 225738032Speterusing: 225838032Speter 225943730Speter define(`SMART_HOST', `mailer:hostname') 226038032Speter 226138032SpeterIn this case, the ``mailer:'' defaults to "relay". Any messages that 226238032Spetercan't be handled using the usual UUCP rules are passed to this host. 226338032Speter 226438032SpeterIf you are on a local SMTP-based net that connects to the outside 226538032Speterworld via UUCP, you can use LOCAL_NET_CONFIG to add appropriate rules. 226638032SpeterFor example: 226738032Speter 226864562Sgshapiro define(`SMART_HOST', `uucp-new:uunet') 226938032Speter LOCAL_NET_CONFIG 227038032Speter R$* < @ $* .$m. > $* $#smtp $@ $2.$m. $: $1 < @ $2.$m. > $3 227138032Speter 227238032SpeterThis will cause all names that end in your domain name ($m) via 227364562SgshapiroSMTP; anything else will be sent via uucp-new (smart UUCP) to uunet. 227443730SpeterIf you have FEATURE(`nocanonify'), you may need to omit the dots after 227538032Speterthe $m. If you are running a local DNS inside your domain which is 227638032Speternot otherwise connected to the outside world, you probably want to 227738032Speteruse: 227838032Speter 227943730Speter define(`SMART_HOST', `smtp:fire.wall.com') 228038032Speter LOCAL_NET_CONFIG 228138032Speter R$* < @ $* . > $* $#smtp $@ $2. $: $1 < @ $2. > $3 228238032Speter 228338032SpeterThat is, send directly only to things you found in your DNS lookup; 228438032Speteranything else goes through SMART_HOST. 228538032Speter 228638032SpeterYou may need to turn off the anti-spam rules in order to accept 228743730SpeterUUCP mail with FEATURE(`promiscuous_relay') and 228843730SpeterFEATURE(`accept_unresolvable_domains'). 228938032Speter 229038032Speter 229138032Speter+-----------+ 229238032Speter| WHO AM I? | 229338032Speter+-----------+ 229438032Speter 229538032SpeterNormally, the $j macro is automatically defined to be your fully 229638032Speterqualified domain name (FQDN). Sendmail does this by getting your 229738032Speterhost name using gethostname and then calling gethostbyname on the 229838032Speterresult. For example, in some environments gethostname returns 229938032Speteronly the root of the host name (such as "foo"); gethostbyname is 230038032Spetersupposed to return the FQDN ("foo.bar.com"). In some (fairly rare) 230138032Spetercases, gethostbyname may fail to return the FQDN. In this case 230238032Speteryou MUST define confDOMAIN_NAME to be your fully qualified domain 230338032Spetername. This is usually done using: 230438032Speter 230538032Speter Dmbar.com 230638032Speter define(`confDOMAIN_NAME', `$w.$m')dnl 230738032Speter 230838032Speter 230964562Sgshapiro+-----------------------------------+ 231064562Sgshapiro| ACCEPTING MAIL FOR MULTIPLE NAMES | 231164562Sgshapiro+-----------------------------------+ 231264562Sgshapiro 231364562SgshapiroIf your host is known by several different names, you need to augment 231464562Sgshapiroclass {w}. This is a list of names by which your host is known, and 231564562Sgshapiroanything sent to an address using a host name in this list will be 231664562Sgshapirotreated as local mail. You can do this in two ways: either create the 231764562Sgshapirofile /etc/mail/local-host-names containing a list of your aliases (one per 231864562Sgshapiroline), and use ``FEATURE(`use_cw_file')'' in the .mc file, or add 231964562Sgshapiro``LOCAL_DOMAIN(`alias.host.name')''. Be sure you use the fully-qualified 232064562Sgshapironame of the host, rather than a short name. 232164562Sgshapiro 232264562SgshapiroIf you want to have different address in different domains, take 232364562Sgshapiroa look at the virtusertable feature, which is also explained at 232464562Sgshapirohttp://www.sendmail.org/virtual-hosting.html 232564562Sgshapiro 232664562Sgshapiro 232738032Speter+--------------------+ 232838032Speter| USING MAILERTABLES | 232938032Speter+--------------------+ 233038032Speter 233143730SpeterTo use FEATURE(`mailertable'), you will have to create an external 233238032Speterdatabase containing the routing information for various domains. 233338032SpeterFor example, a mailertable file in text format might be: 233438032Speter 233538032Speter .my.domain xnet:%1.my.domain 233664562Sgshapiro uuhost1.my.domain uucp-new:uuhost1 233738032Speter .bitnet smtp:relay.bit.net 233838032Speter 233964562SgshapiroThis should normally be stored in /etc/mail/mailertable. The actual 234038032Speterdatabase version of the mailertable is built using: 234138032Speter 234264562Sgshapiro makemap hash /etc/mail/mailertable < /etc/mail/mailertable 234338032Speter 234438032SpeterThe semantics are simple. Any LHS entry that does not begin with 234538032Spetera dot matches the full host name indicated. LHS entries beginning 234666494Sgshapirowith a dot match anything ending with that domain name (including 234766494Sgshapirothe leading dot) -- that is, they can be thought of as having a 234866494Sgshapiroleading ".+" regular expression pattern for a non-empty sequence of 234966494Sgshapirocharacters. Matching is done in order of most-to-least qualified 235066494Sgshapiro-- for example, even though ".my.domain" is listed first in the 235166494Sgshapiroabove example, an entry of "uuhost1.my.domain" will match the second 235266494Sgshapiroentry since it is more explicit. Note: e-mail to "user@my.domain" 235366494Sgshapirodoes not match any entry in the above table. You need to have 235466494Sgshapirosomething like: 235538032Speter 235664562Sgshapiro my.domain esmtp:host.my.domain 235764562Sgshapiro 235838032SpeterThe RHS should always be a "mailer:host" pair. The mailer is the 235964562Sgshapiroconfiguration name of a mailer (that is, an {M} line in the 236038032Spetersendmail.cf file). The "host" will be the hostname passed to 236138032Speterthat mailer. In domain-based matches (that is, those with leading 236238032Speterdots) the "%1" may be used to interpolate the wildcarded part of 236338032Speterthe host name. For example, the first line above sends everything 236438032Speteraddressed to "anything.my.domain" to that same host name, but using 236538032Speterthe (presumably experimental) xnet mailer. 236638032Speter 236738032SpeterIn some cases you may want to temporarily turn off MX records, 236838032Speterparticularly on gateways. For example, you may want to MX 236938032Spetereverything in a domain to one machine that then forwards it 237038032Speterdirectly. To do this, you might use the DNS configuration: 237138032Speter 237238032Speter *.domain. IN MX 0 relay.machine 237338032Speter 237438032Speterand on relay.machine use the mailertable: 237538032Speter 237638032Speter .domain smtp:[gateway.domain] 237738032Speter 237838032SpeterThe [square brackets] turn off MX records for this host only. 237938032SpeterIf you didn't do this, the mailertable would use the MX record 238038032Speteragain, which would give you an MX loop. 238138032Speter 238238032Speter 238338032Speter+--------------------------------+ 238438032Speter| USING USERDB TO MAP FULL NAMES | 238538032Speter+--------------------------------+ 238638032Speter 238738032SpeterThe user database was not originally intended for mapping full names 238838032Speterto login names (e.g., Eric.Allman => eric), but some people are using 238964562Sgshapiroit that way. (it is recommended that you set up aliases for this 239038032Speterpurpose instead -- since you can specify multiple alias files, this 239138032Speteris fairly easy.) The intent was to locate the default maildrop at 239238032Spetera site, but allow you to override this by sending to a specific host. 239338032Speter 239438032SpeterIf you decide to set up the user database in this fashion, it is 239543730Speterimperative that you not use FEATURE(`stickyhost') -- otherwise, 239638032Spetere-mail sent to Full.Name@local.host.name will be rejected. 239738032Speter 239838032SpeterTo build the internal form of the user database, use: 239938032Speter 240064562Sgshapiro makemap btree /etc/mail/userdb < /etc/mail/userdb.txt 240138032Speter 240264562SgshapiroAs a general rule, it is an extremely bad idea to using full names 240364562Sgshapiroas e-mail addresses, since they are not in any sense unique. For 240466494Sgshapiroexample, the UNIX software-development community has at least two 240564562Sgshapirowell-known Peter Deutsches, and at one time Bell Labs had two 240664562SgshapiroStephen R. Bournes with offices along the same hallway. Which one 240764562Sgshapirowill be forced to suffer the indignity of being Stephen_R_Bourne_2? 240864562SgshapiroThe less famous of the two, or the one that was hired later? 240938032Speter 241038032SpeterFinger should handle full names (and be fuzzy). Mail should use 241164562Sgshapirohandles, and not be fuzzy. 241238032Speter 241338032Speter 241438032Speter+--------------------------------+ 241538032Speter| MISCELLANEOUS SPECIAL FEATURES | 241638032Speter+--------------------------------+ 241738032Speter 241838032SpeterPlussed users 241938032Speter Sometimes it is convenient to merge configuration on a 242038032Speter centralized mail machine, for example, to forward all 242138032Speter root mail to a mail server. In this case it might be 242238032Speter useful to be able to treat the root addresses as a class 242338032Speter of addresses with subtle differences. You can do this 242438032Speter using plussed users. For example, a client might include 242538032Speter the alias: 242638032Speter 242738032Speter root: root+client1@server 242838032Speter 242938032Speter On the server, this will match an alias for "root+client1". 243038032Speter If that is not found, the alias "root+*" will be tried, 243138032Speter then "root". 243238032Speter 243338032Speter 243438032Speter+----------------+ 243538032Speter| SECURITY NOTES | 243638032Speter+----------------+ 243738032Speter 243838032SpeterA lot of sendmail security comes down to you. Sendmail 8 is much 243938032Spetermore careful about checking for security problems than previous 244038032Speterversions, but there are some things that you still need to watch 244138032Speterfor. In particular: 244238032Speter 244338032Speter* Make sure the aliases file isn't writable except by trusted 244438032Speter system personnel. This includes both the text and database 244538032Speter version. 244638032Speter 244738032Speter* Make sure that other files that sendmail reads, such as the 244838032Speter mailertable, are only writable by trusted system personnel. 244938032Speter 245038032Speter* The queue directory should not be world writable PARTICULARLY 245138032Speter if your system allows "file giveaways" (that is, if a non-root 245238032Speter user can chown any file they own to any other user). 245338032Speter 245438032Speter* If your system allows file giveaways, DO NOT create a publically 245538032Speter writable directory for forward files. This will allow anyone 245638032Speter to steal anyone else's e-mail. Instead, create a script that 245738032Speter copies the .forward file from users' home directories once a 245838032Speter night (if you want the non-NFS-mounted forward directory). 245938032Speter 246038032Speter* If your system allows file giveaways, you'll find that 246138032Speter sendmail is much less trusting of :include: files -- in 246238032Speter particular, you'll have to have /SENDMAIL/ANY/SHELL/ in 246338032Speter /etc/shells before they will be trusted (that is, before 246438032Speter files and programs listed in them will be honored). 246538032Speter 246638032SpeterIn general, file giveaways are a mistake -- if you can turn them 246764562Sgshapirooff, do so. 246838032Speter 246938032Speter 247038032Speter+--------------------------------+ 247138032Speter| TWEAKING CONFIGURATION OPTIONS | 247238032Speter+--------------------------------+ 247338032Speter 247438032SpeterThere are a large number of configuration options that don't normally 247538032Speterneed to be changed. However, if you feel you need to tweak them, you 247638032Spetercan define the following M4 variables. This list is shown in four 247738032Spetercolumns: the name you define, the default value for that definition, 247838032Speterthe option or macro that is affected (either Ox for an option or Dx 247938032Speterfor a macro), and a brief description. Greater detail of the semantics 248038032Spetercan be found in the Installation and Operations Guide. 248138032Speter 248238032SpeterSome options are likely to be deprecated in future versions -- that is, 248338032Speterthe option is only included to provide back-compatibility. These are 248438032Spetermarked with "*". 248538032Speter 248638032SpeterRemember that these options are M4 variables, and hence may need to 248738032Speterbe quoted. In particular, arguments with commas will usually have to 248838032Speterbe ``double quoted, like this phrase'' to avoid having the comma 248938032Speterconfuse things. This is common for alias file definitions and for 249038032Speterthe read timeout. 249138032Speter 249238032SpeterM4 Variable Name Configuration Description & [Default] 249338032Speter================ ============= ======================= 249438032SpeterconfMAILER_NAME $n macro [MAILER-DAEMON] The sender name used 249538032Speter for internally generated outgoing 249638032Speter messages. 249738032SpeterconfDOMAIN_NAME $j macro If defined, sets $j. This should 249838032Speter only be done if your system cannot 249938032Speter determine your local domain name, 250038032Speter and then it should be set to 250138032Speter $w.Foo.COM, where Foo.COM is your 250238032Speter domain name. 250338032SpeterconfCF_VERSION $Z macro If defined, this is appended to the 250438032Speter configuration version name. 250564562SgshapiroconfFROM_HEADER From: [$?x$x <$g>$|$g$.] The format of an 250638032Speter internally generated From: address. 250738032SpeterconfRECEIVED_HEADER Received: 250838032Speter [$?sfrom $s $.$?_($?s$|from $.$_) 250964562Sgshapiro $.$?{auth_type}(authenticated) 251038032Speter $.by $j ($v/$Z)$?r with $r$. id $i$?u 251138032Speter for $u; $|; 251238032Speter $.$b] 251338032Speter The format of the Received: header 251438032Speter in messages passed through this host. 251538032Speter It is unwise to try to change this. 251664562SgshapiroconfCW_FILE Fw class [/etc/mail/local-host-names] Name 251764562Sgshapiro of file used to get the local 251864562Sgshapiro additions to class {w} (local host 251964562Sgshapiro names). 252064562SgshapiroconfCT_FILE Ft class [/etc/mail/trusted-users] Name of 252164562Sgshapiro file used to get the local additions 252264562Sgshapiro to class {t} (trusted users). 252338032SpeterconfCR_FILE FR class [/etc/mail/relay-domains] Name of 252438032Speter file used to get the local additions 252564562Sgshapiro to class {R} (hosts allowed to relay). 252638032SpeterconfTRUSTED_USERS Ct class [no default] Names of users to add to 252738032Speter the list of trusted users. This list 252838032Speter always includes root, uucp, and daemon. 252943730Speter See also FEATURE(`use_ct_file'). 253064562SgshapiroconfTRUSTED_USER TrustedUser [no default] Trusted user for file 253164562Sgshapiro ownership and starting the daemon. 253264562Sgshapiro Not to be confused with 253364562Sgshapiro confTRUSTED_USERS (see above). 253438032SpeterconfSMTP_MAILER - [esmtp] The mailer name used when 253538032Speter SMTP connectivity is required. 253664562Sgshapiro One of "smtp", "smtp8", 253764562Sgshapiro "esmtp", or "dsmtp". 253838032SpeterconfUUCP_MAILER - [uucp-old] The mailer to be used by 253938032Speter default for bang-format recipient 254038032Speter addresses. See also discussion of 254164562Sgshapiro class {U}, class {Y}, and class {Z} 254264562Sgshapiro in the MAILER(`uucp') section. 254338032SpeterconfLOCAL_MAILER - [local] The mailer name used when 254438032Speter local connectivity is required. 254538032Speter Almost always "local". 254638032SpeterconfRELAY_MAILER - [relay] The default mailer name used 254738032Speter for relaying any mail (e.g., to a 254838032Speter BITNET_RELAY, a SMART_HOST, or 254938032Speter whatever). This can reasonably be 255038032Speter "uucp-new" if you are on a 255138032Speter UUCP-connected site. 255238032SpeterconfSEVEN_BIT_INPUT SevenBitInput [False] Force input to seven bits? 255338032SpeterconfEIGHT_BIT_HANDLING EightBitMode [pass8] 8-bit data handling 255438032SpeterconfALIAS_WAIT AliasWait [10m] Time to wait for alias file 255538032Speter rebuild until you get bored and 255638032Speter decide that the apparently pending 255738032Speter rebuild failed. 255838032SpeterconfMIN_FREE_BLOCKS MinFreeBlocks [100] Minimum number of free blocks on 255938032Speter queue filesystem to accept SMTP mail. 256038032Speter (Prior to 8.7 this was minfree/maxsize, 256138032Speter where minfree was the number of free 256238032Speter blocks and maxsize was the maximum 256338032Speter message size. Use confMAX_MESSAGE_SIZE 256438032Speter for the second value now.) 256538032SpeterconfMAX_MESSAGE_SIZE MaxMessageSize [infinite] The maximum size of messages 256638032Speter that will be accepted (in bytes). 256738032SpeterconfBLANK_SUB BlankSub [.] Blank (space) substitution 256838032Speter character. 256938032SpeterconfCON_EXPENSIVE HoldExpensive [False] Avoid connecting immediately 257064562Sgshapiro to mailers marked expensive. 257138032SpeterconfCHECKPOINT_INTERVAL CheckpointInterval 257238032Speter [10] Checkpoint queue files every N 257338032Speter recipients. 257438032SpeterconfDELIVERY_MODE DeliveryMode [background] Default delivery mode. 257538032SpeterconfAUTO_REBUILD AutoRebuildAliases 257638032Speter [False] Automatically rebuild alias 257738032Speter file if needed. 257864562Sgshapiro There is a potential for a denial 257964562Sgshapiro of service attack if this is set. 258064562Sgshapiro This option is deprecated and will 258164562Sgshapiro be removed from a future version. 258238032SpeterconfERROR_MODE ErrorMode [print] Error message mode. 258338032SpeterconfERROR_MESSAGE ErrorHeader [undefined] Error message header/file. 258442575SpeterconfSAVE_FROM_LINES SaveFromLine Save extra leading From_ lines. 258538032SpeterconfTEMP_FILE_MODE TempFileMode [0600] Temporary file mode. 258638032SpeterconfMATCH_GECOS MatchGECOS [False] Match GECOS field. 258738032SpeterconfMAX_HOP MaxHopCount [25] Maximum hop count. 258864562SgshapiroconfIGNORE_DOTS* IgnoreDots [False; always False in -bs or -bd 258964562Sgshapiro mode] Ignore dot as terminator for 259064562Sgshapiro incoming messages? 259138032SpeterconfBIND_OPTS ResolverOptions [undefined] Default options for DNS 259238032Speter resolver. 259338032SpeterconfMIME_FORMAT_ERRORS* SendMimeErrors [True] Send error messages as MIME- 259438032Speter encapsulated messages per RFC 1344. 259538032SpeterconfFORWARD_PATH ForwardPath [$z/.forward.$w:$z/.forward] 259638032Speter The colon-separated list of places to 259738032Speter search for .forward files. N.B.: see 259838032Speter the Security Notes section. 259938032SpeterconfMCI_CACHE_SIZE ConnectionCacheSize 260038032Speter [2] Size of open connection cache. 260138032SpeterconfMCI_CACHE_TIMEOUT ConnectionCacheTimeout 260238032Speter [5m] Open connection cache timeout. 260338032SpeterconfHOST_STATUS_DIRECTORY HostStatusDirectory 260438032Speter [undefined] If set, host status is kept 260538032Speter on disk between sendmail runs in the 260638032Speter named directory tree. This need not be 260738032Speter a full pathname, in which case it is 260838032Speter interpreted relative to the queue 260938032Speter directory. 261038032SpeterconfSINGLE_THREAD_DELIVERY SingleThreadDelivery 261138032Speter [False] If this option and the 261238032Speter HostStatusDirectory option are both 261338032Speter set, single thread deliveries to other 261438032Speter hosts. That is, don't allow any two 261538032Speter sendmails on this host to connect 261638032Speter simultaneously to any other single 261738032Speter host. This can slow down delivery in 261838032Speter some cases, in particular since a 261938032Speter cached but otherwise idle connection 262038032Speter to a host will prevent other sendmails 262138032Speter from connecting to the other host. 262264562SgshapiroconfUSE_ERRORS_TO* UseErrorsTo [False] Use the Errors-To: header to 262338032Speter deliver error messages. This should 262438032Speter not be necessary because of general 262538032Speter acceptance of the envelope/header 262638032Speter distinction. 262738032SpeterconfLOG_LEVEL LogLevel [9] Log level. 262864562SgshapiroconfME_TOO MeToo [True] Include sender in group 262964562Sgshapiro expansions. This option is 263064562Sgshapiro deprecated and will be removed from 263164562Sgshapiro a future version. 263238032SpeterconfCHECK_ALIASES CheckAliases [False] Check RHS of aliases when 263338032Speter running newaliases. Since this does 263438032Speter DNS lookups on every address, it can 263538032Speter slow down the alias rebuild process 263638032Speter considerably on large alias files. 263738032SpeterconfOLD_STYLE_HEADERS* OldStyleHeaders [True] Assume that headers without 263838032Speter special chars are old style. 263964562SgshapiroconfCLIENT_OPTIONS ClientPortOptions 264064562Sgshapiro [none] Options for outgoing SMTP client 264164562Sgshapiro connections. 264238032SpeterconfPRIVACY_FLAGS PrivacyOptions [authwarnings] Privacy flags. 264338032SpeterconfCOPY_ERRORS_TO PostmasterCopy [undefined] Address for additional 264438032Speter copies of all error messages. 264538032SpeterconfQUEUE_FACTOR QueueFactor [600000] Slope of queue-only function. 264638032SpeterconfDONT_PRUNE_ROUTES DontPruneRoutes [False] Don't prune down route-addr 264738032Speter syntax addresses to the minimum 264838032Speter possible. 264938032SpeterconfSAFE_QUEUE* SuperSafe [True] Commit all messages to disk 265038032Speter before forking. 265138032SpeterconfTO_INITIAL Timeout.initial [5m] The timeout waiting for a response 265238032Speter on the initial connect. 265338032SpeterconfTO_CONNECT Timeout.connect [0] The timeout waiting for an initial 265438032Speter connect() to complete. This can only 265538032Speter shorten connection timeouts; the kernel 265638032Speter silently enforces an absolute maximum 265738032Speter (which varies depending on the system). 265838032SpeterconfTO_ICONNECT Timeout.iconnect 265938032Speter [undefined] Like Timeout.connect, but 266038032Speter applies only to the very first attempt 266138032Speter to connect to a host in a message. 266238032Speter This allows a single very fast pass 266338032Speter followed by more careful delivery 266438032Speter attempts in the future. 266538032SpeterconfTO_HELO Timeout.helo [5m] The timeout waiting for a response 266638032Speter to a HELO or EHLO command. 266738032SpeterconfTO_MAIL Timeout.mail [10m] The timeout waiting for a 266838032Speter response to the MAIL command. 266938032SpeterconfTO_RCPT Timeout.rcpt [1h] The timeout waiting for a response 267038032Speter to the RCPT command. 267138032SpeterconfTO_DATAINIT Timeout.datainit 267238032Speter [5m] The timeout waiting for a 354 267338032Speter response from the DATA command. 267438032SpeterconfTO_DATABLOCK Timeout.datablock 267538032Speter [1h] The timeout waiting for a block 267638032Speter during DATA phase. 267738032SpeterconfTO_DATAFINAL Timeout.datafinal 267838032Speter [1h] The timeout waiting for a response 267938032Speter to the final "." that terminates a 268038032Speter message. 268138032SpeterconfTO_RSET Timeout.rset [5m] The timeout waiting for a response 268238032Speter to the RSET command. 268338032SpeterconfTO_QUIT Timeout.quit [2m] The timeout waiting for a response 268438032Speter to the QUIT command. 268538032SpeterconfTO_MISC Timeout.misc [2m] The timeout waiting for a response 268638032Speter to other SMTP commands. 268764562SgshapiroconfTO_COMMAND Timeout.command [1h] In server SMTP, the timeout 268864562Sgshapiro waiting for a command to be issued. 268964562SgshapiroconfTO_IDENT Timeout.ident [5s] The timeout waiting for a 269064562Sgshapiro response to an IDENT query. 269138032SpeterconfTO_FILEOPEN Timeout.fileopen 269238032Speter [60s] The timeout waiting for a file 269338032Speter (e.g., :include: file) to be opened. 269464562SgshapiroconfTO_CONTROL Timeout.control 269564562Sgshapiro [2m] The timeout for a complete 269664562Sgshapiro control socket transaction to complete. 269738032SpeterconfTO_QUEUERETURN Timeout.queuereturn 269838032Speter [5d] The timeout before a message is 269938032Speter returned as undeliverable. 270038032SpeterconfTO_QUEUERETURN_NORMAL 270138032Speter Timeout.queuereturn.normal 270238032Speter [undefined] As above, for normal 270338032Speter priority messages. 270438032SpeterconfTO_QUEUERETURN_URGENT 270538032Speter Timeout.queuereturn.urgent 270638032Speter [undefined] As above, for urgent 270738032Speter priority messages. 270838032SpeterconfTO_QUEUERETURN_NONURGENT 270938032Speter Timeout.queuereturn.non-urgent 271038032Speter [undefined] As above, for non-urgent 271138032Speter (low) priority messages. 271238032SpeterconfTO_QUEUEWARN Timeout.queuewarn 271338032Speter [4h] The timeout before a warning 271438032Speter message is sent to the sender telling 271564562Sgshapiro them that the message has been 271664562Sgshapiro deferred. 271738032SpeterconfTO_QUEUEWARN_NORMAL Timeout.queuewarn.normal 271838032Speter [undefined] As above, for normal 271938032Speter priority messages. 272038032SpeterconfTO_QUEUEWARN_URGENT Timeout.queuewarn.urgent 272138032Speter [undefined] As above, for urgent 272238032Speter priority messages. 272338032SpeterconfTO_QUEUEWARN_NONURGENT 272438032Speter Timeout.queuewarn.non-urgent 272538032Speter [undefined] As above, for non-urgent 272638032Speter (low) priority messages. 272738032SpeterconfTO_HOSTSTATUS Timeout.hoststatus 272838032Speter [30m] How long information about host 272938032Speter statuses will be maintained before it 273038032Speter is considered stale and the host should 273138032Speter be retried. This applies both within 273238032Speter a single queue run and to persistent 273338032Speter information (see below). 273464562SgshapiroconfTO_RESOLVER_RETRANS Timeout.resolver.retrans 273564562Sgshapiro [varies] Sets the resolver's 273664562Sgshapiro retransmition time interval (in 273764562Sgshapiro seconds). Sets both 273864562Sgshapiro Timeout.resolver.retrans.first and 273964562Sgshapiro Timeout.resolver.retrans.normal. 274064562SgshapiroconfTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first 274164562Sgshapiro [varies] Sets the resolver's 274264562Sgshapiro retransmition time interval (in 274364562Sgshapiro seconds) for the first attempt to 274464562Sgshapiro deliver a message. 274564562SgshapiroconfTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal 274664562Sgshapiro [varies] Sets the resolver's 274764562Sgshapiro retransmition time interval (in 274864562Sgshapiro seconds) for all resolver lookups 274964562Sgshapiro except the first delivery attempt. 275064562SgshapiroconfTO_RESOLVER_RETRY Timeout.resolver.retry 275164562Sgshapiro [varies] Sets the number of times 275264562Sgshapiro to retransmit a resolver query. 275364562Sgshapiro Sets both 275464562Sgshapiro Timeout.resolver.retry.first and 275564562Sgshapiro Timeout.resolver.retry.normal. 275664562SgshapiroconfTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first 275764562Sgshapiro [varies] Sets the number of times 275864562Sgshapiro to retransmit a resolver query for 275964562Sgshapiro the first attempt to deliver a 276064562Sgshapiro message. 276164562SgshapiroconfTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal 276264562Sgshapiro [varies] Sets the number of times 276364562Sgshapiro to retransmit a resolver query for 276464562Sgshapiro all resolver lookups except the 276564562Sgshapiro first delivery attempt. 276638032SpeterconfTIME_ZONE TimeZoneSpec [USE_SYSTEM] Time zone info -- can be 276738032Speter USE_SYSTEM to use the system's idea, 276838032Speter USE_TZ to use the user's TZ envariable, 276938032Speter or something else to force that value. 277038032SpeterconfDEF_USER_ID DefaultUser [1:1] Default user id. 277138032SpeterconfUSERDB_SPEC UserDatabaseSpec 277264562Sgshapiro [undefined] User database 277364562Sgshapiro specification. 277438032SpeterconfFALLBACK_MX FallbackMXhost [undefined] Fallback MX host. 277564562SgshapiroconfTRY_NULL_MX_LIST TryNullMXList [False] If this host is the best MX 277664562Sgshapiro for a host and other arrangements 277764562Sgshapiro haven't been made, try connecting 277864562Sgshapiro to the host directly; normally this 277964562Sgshapiro would be a config error. 278064562SgshapiroconfQUEUE_LA QueueLA [varies] Load average at which 278164562Sgshapiro queue-only function kicks in. 278264562Sgshapiro Default values is (8 * numproc) 278364562Sgshapiro where numproc is the number of 278464562Sgshapiro processors online (if that can be 278564562Sgshapiro determined). 278664562SgshapiroconfREFUSE_LA RefuseLA [varies] Load average at which 278764562Sgshapiro incoming SMTP connections are 278864562Sgshapiro refused. Default values is (12 * 278964562Sgshapiro numproc) where numproc is the 279064562Sgshapiro number of processors online (if 279164562Sgshapiro that can be determined). 279264562SgshapiroconfMAX_ALIAS_RECURSION MaxAliasRecursion 279364562Sgshapiro [10] Maximum depth of alias recursion. 279438032SpeterconfMAX_DAEMON_CHILDREN MaxDaemonChildren 279538032Speter [undefined] The maximum number of 279638032Speter children the daemon will permit. After 279738032Speter this number, connections will be 279838032Speter rejected. If not set or <= 0, there is 279938032Speter no limit. 280064562SgshapiroconfMAX_HEADERS_LENGTH MaxHeadersLength 280171345Sgshapiro [32768] Maximum length of the sum 280264562Sgshapiro of all headers. 280364562SgshapiroconfMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength 280464562Sgshapiro [undefined] Maximum length of 280564562Sgshapiro certain MIME header field values. 280638032SpeterconfCONNECTION_RATE_THROTTLE ConnectionRateThrottle 280738032Speter [undefined] The maximum number of 280838032Speter connections permitted per second. 280938032Speter After this many connections are 281038032Speter accepted, further connections will be 281138032Speter delayed. If not set or <= 0, there is 281238032Speter no limit. 281338032SpeterconfWORK_RECIPIENT_FACTOR 281438032Speter RecipientFactor [30000] Cost of each recipient. 281564562SgshapiroconfSEPARATE_PROC ForkEachJob [False] Run all deliveries in a 281664562Sgshapiro separate process. 281738032SpeterconfWORK_CLASS_FACTOR ClassFactor [1800] Priority multiplier for class. 281838032SpeterconfWORK_TIME_FACTOR RetryFactor [90000] Cost of each delivery attempt. 281938032SpeterconfQUEUE_SORT_ORDER QueueSortOrder [Priority] Queue sort algorithm: 282064562Sgshapiro Priority, Host, Filename, or Time. 282138032SpeterconfMIN_QUEUE_AGE MinQueueAge [0] The minimum amount of time a job 282238032Speter must sit in the queue between queue 282338032Speter runs. This allows you to set the 282438032Speter queue run interval low for better 282538032Speter responsiveness without trying all 282638032Speter jobs in each run. 282738032SpeterconfDEF_CHAR_SET DefaultCharSet [unknown-8bit] When converting 282838032Speter unlabeled 8 bit input to MIME, the 282938032Speter character set to use by default. 283038032SpeterconfSERVICE_SWITCH_FILE ServiceSwitchFile 283164562Sgshapiro [/etc/mail/service.switch] The file 283264562Sgshapiro to use for the service switch on 283364562Sgshapiro systems that do not have a 283464562Sgshapiro system-defined switch. 283538032SpeterconfHOSTS_FILE HostsFile [/etc/hosts] The file to use when doing 283638032Speter "file" type access of hosts names. 283738032SpeterconfDIAL_DELAY DialDelay [0s] If a connection fails, wait this 283838032Speter long and try again. Zero means "don't 283938032Speter retry". This is to allow "dial on 284038032Speter demand" connections to have enough time 284138032Speter to complete a connection. 284238032SpeterconfNO_RCPT_ACTION NoRecipientAction 284338032Speter [none] What to do if there are no legal 284438032Speter recipient fields (To:, Cc: or Bcc:) 284538032Speter in the message. Legal values can 284638032Speter be "none" to just leave the 284738032Speter nonconforming message as is, "add-to" 284838032Speter to add a To: header with all the 284938032Speter known recipients (which may expose 285038032Speter blind recipients), "add-apparently-to" 285138032Speter to do the same but use Apparently-To: 285238032Speter instead of To:, "add-bcc" to add an 285338032Speter empty Bcc: header, or 285438032Speter "add-to-undisclosed" to add the header 285538032Speter ``To: undisclosed-recipients:;''. 285638032SpeterconfSAFE_FILE_ENV SafeFileEnvironment 285738032Speter [undefined] If set, sendmail will do a 285838032Speter chroot() into this directory before 285938032Speter writing files. 286038032SpeterconfCOLON_OK_IN_ADDR ColonOkInAddr [True unless Configuration Level > 6] 286138032Speter If set, colons are treated as a regular 286238032Speter character in addresses. If not set, 286338032Speter they are treated as the introducer to 286438032Speter the RFC 822 "group" syntax. Colons are 286538032Speter handled properly in route-addrs. This 286638032Speter option defaults on for V5 and lower 286738032Speter configuration files. 286838032SpeterconfMAX_QUEUE_RUN_SIZE MaxQueueRunSize [0] If set, limit the maximum size of 286938032Speter any given queue run to this number of 287038032Speter entries. Essentially, this will stop 287164562Sgshapiro reading each queue directory after this 287238032Speter number of entries are reached; it does 287338032Speter _not_ pick the highest priority jobs, 287438032Speter so this should be as large as your 287538032Speter system can tolerate. If not set, there 287638032Speter is no limit. 287738032SpeterconfDONT_EXPAND_CNAMES DontExpandCnames 287838032Speter [False] If set, $[ ... $] lookups that 287938032Speter do DNS based lookups do not expand 288038032Speter CNAME records. This currently violates 288138032Speter the published standards, but the IETF 288238032Speter seems to be moving toward legalizing 288338032Speter this. For example, if "FTP.Foo.ORG" 288438032Speter is a CNAME for "Cruft.Foo.ORG", then 288538032Speter with this option set a lookup of 288638032Speter "FTP" will return "FTP.Foo.ORG"; if 288738032Speter clear it returns "Cruft.FOO.ORG". N.B. 288838032Speter you may not see any effect until your 288938032Speter downstream neighbors stop doing CNAME 289038032Speter lookups as well. 289164562SgshapiroconfFROM_LINE UnixFromLine [From $g $d] The From_ line used 289238032Speter when sending to files or programs. 289338032SpeterconfSINGLE_LINE_FROM_HEADER SingleLineFromHeader 289438032Speter [False] From: lines that have 289538032Speter embedded newlines are unwrapped 289638032Speter onto one line. 289738032SpeterconfALLOW_BOGUS_HELO AllowBogusHELO [False] Allow HELO SMTP command that 289838032Speter does not include a host name. 289938032SpeterconfMUST_QUOTE_CHARS MustQuoteChars [.'] Characters to be quoted in a full 290038032Speter name phrase (@,;:\()[] are automatic). 290138032SpeterconfOPERATORS OperatorChars [.:%@!^/[]+] Address operator 290238032Speter characters. 290338032SpeterconfSMTP_LOGIN_MSG SmtpGreetingMessage 290438032Speter [$j Sendmail $v/$Z; $b] 290538032Speter The initial (spontaneous) SMTP 290638032Speter greeting message. The word "ESMTP" 290738032Speter will be inserted between the first and 290838032Speter second words to convince other 290938032Speter sendmails to try to speak ESMTP. 291038032SpeterconfDONT_INIT_GROUPS DontInitGroups [False] If set, the initgroups(3) 291138032Speter routine will never be invoked. You 291238032Speter might want to do this if you are 291338032Speter running NIS and you have a large group 291438032Speter map, since this call does a sequential 291538032Speter scan of the map; in a large site this 291638032Speter can cause your ypserv to run 291738032Speter essentially full time. If you set 291838032Speter this, agents run on behalf of users 291938032Speter will only have their primary 292038032Speter (/etc/passwd) group permissions. 292138032SpeterconfUNSAFE_GROUP_WRITES UnsafeGroupWrites 292238032Speter [False] If set, group-writable 292338032Speter :include: and .forward files are 292438032Speter considered "unsafe", that is, programs 292538032Speter and files cannot be directly referenced 292638032Speter from such files. World-writable files 292738032Speter are always considered unsafe. 292864562SgshapiroconfCONNECT_ONLY_TO ConnectOnlyTo [undefined] override connection 292964562Sgshapiro address (for testing). 293064562SgshapiroconfCONTROL_SOCKET_NAME ControlSocketName 293164562Sgshapiro [undefined] Control socket for daemon 293264562Sgshapiro management. 293338032SpeterconfDOUBLE_BOUNCE_ADDRESS DoubleBounceAddress 293438032Speter [postmaster] If an error occurs when 293538032Speter sending an error message, send that 293638032Speter "double bounce" error message to this 293738032Speter address. 293864562SgshapiroconfDEAD_LETTER_DROP DeadLetterDrop [undefined] Filename to save bounce 293964562Sgshapiro messages which could not be returned 294064562Sgshapiro to the user or sent to postmaster. 294164562Sgshapiro If not set, the queue file will 294264562Sgshapiro be renamed. 294364562SgshapiroconfRRT_IMPLIES_DSN RrtImpliesDsn [False] Return-Receipt-To: header 294464562Sgshapiro implies DSN request. 294538032SpeterconfRUN_AS_USER RunAsUser [undefined] If set, become this user 294638032Speter when reading and delivering mail. 294738032Speter Causes all file reads (e.g., .forward 294838032Speter and :include: files) to be done as 294938032Speter this user. Also, all programs will 295038032Speter be run as this user, and all output 295138032Speter files will be written as this user. 295238032Speter Intended for use only on firewalls 295338032Speter where users do not have accounts. 295438032SpeterconfMAX_RCPTS_PER_MESSAGE MaxRecipientsPerMessage 295538032Speter [infinite] If set, allow no more than 295638032Speter the specified number of recipients in 295738032Speter an SMTP envelope. Further recipients 295838032Speter receive a 452 error code (i.e., they 295938032Speter are deferred for the next delivery 296038032Speter attempt). 296138032SpeterconfDONT_PROBE_INTERFACES DontProbeInterfaces 296238032Speter [False] If set, sendmail will _not_ 296338032Speter insert the names and addresses of any 296464562Sgshapiro local interfaces into class {w} 296538032Speter (list of known "equivalent" addresses). 296638032Speter If you set this, you must also include 296738032Speter some support for these addresses (e.g., 296838032Speter in a mailertable entry) -- otherwise, 296938032Speter mail to addresses in this list will 297038032Speter bounce with a configuration error. 297164562SgshapiroconfPID_FILE PidFile [system dependent] Location of pid 297264562Sgshapiro file. 297364562SgshapiroconfPROCESS_TITLE_PREFIX ProcessTitlePrefix 297464562Sgshapiro [undefined] Prefix string for the 297564562Sgshapiro process title shown on 'ps' listings. 297638032SpeterconfDONT_BLAME_SENDMAIL DontBlameSendmail 297738032Speter [safe] Override sendmail's file 297838032Speter safety checks. This will definitely 297938032Speter compromise system security and should 298038032Speter not be used unless absolutely 298138032Speter necessary. 298238032SpeterconfREJECT_MSG - [550 Access denied] The message 298338032Speter given if the access database contains 298438032Speter REJECT in the value portion. 298564562SgshapiroconfDF_BUFFER_SIZE DataFileBufferSize 298664562Sgshapiro [4096] The maximum size of a 298764562Sgshapiro memory-buffered data (df) file 298864562Sgshapiro before a disk-based file is used. 298964562SgshapiroconfXF_BUFFER_SIZE XScriptFileBufferSize 299064562Sgshapiro [4096] The maximum size of a 299164562Sgshapiro memory-buffered transcript (xf) 299264562Sgshapiro file before a disk-based file is 299364562Sgshapiro used. 299464562SgshapiroconfAUTH_MECHANISMS AuthMechanisms [GSSAPI KERBEROS_V4 DIGEST-MD5 299564562Sgshapiro CRAM-MD5] List of authentication 299664562Sgshapiro mechanisms for AUTH (separated by 299764562Sgshapiro spaces). The advertised list of 299864562Sgshapiro authentication mechanisms will be the 299964562Sgshapiro intersection of this list and the list 300064562Sgshapiro of available mechanisms as determined 300164562Sgshapiro by the CYRUS SASL library. 300273188SgshapiroconfDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains 300364562Sgshapiro authentication information for 300464562Sgshapiro outgoing connections. This file 300564562Sgshapiro must contain the user id, the 300664562Sgshapiro authorization id, the password 300764562Sgshapiro (plain text), and the realm to use, 300864562Sgshapiro each on a separate line and must be 300964562Sgshapiro readable by root (or the trusted 301064562Sgshapiro user) only. If no realm is 301164562Sgshapiro specified, $j is used. 301238032Speter 301364562Sgshapiro NOTE: Currently, AuthMechanisms is 301464562Sgshapiro used to determine the list of 301564562Sgshapiro mechanisms to use on an outgoing 301664562Sgshapiro connection. Sites which require a 301764562Sgshapiro different list of mechanisms for 301864562Sgshapiro incoming connections and outgoing 301964562Sgshapiro connections will have the ability 302064562Sgshapiro to do this in 8.11 by specifying a 302164562Sgshapiro list of mechanisms as the fifth 302264562Sgshapiro line of the DefaultAuthInfo file. 302364562Sgshapiro If no mechanisms are given in the 302464562Sgshapiro file, AuthMechanisms is used. The 302564562Sgshapiro code for doing so is included as 302664562Sgshapiro in the sendmail source code but 302764562Sgshapiro disabled. It can be enabled by 302864562Sgshapiro recompiling sendmail with: 302964562Sgshapiro -D_FFR_DEFAUTHINFO_MECHS 303064562SgshapiroconfAUTH_OPTIONS AuthOptions [undefined] If this options is 'A' 303164562Sgshapiro then the AUTH= parameter for the 303264562Sgshapiro MAIL FROM command is only issued 303364562Sgshapiro when authentication succeeded. 303464562SgshapiroconfLDAP_DEFAULT_SPEC LDAPDefaultSpec [undefined] Default map 303564562Sgshapiro specification for LDAP maps. The 303664562Sgshapiro value should only contain LDAP 303764562Sgshapiro specific settings such as "-h host 303864562Sgshapiro -p port -d bindDN", etc. The 303964562Sgshapiro settings will be used for all LDAP 304064562Sgshapiro maps unless they are specified in 304164562Sgshapiro the individual map specification 304264562Sgshapiro ('K' command). 304364562SgshapiroconfCACERT_PATH CACERTPath [undefined] Path to directory 304464562Sgshapiro with certs of CAs. 304564562SgshapiroconfCACERT CACERTFile [undefined] File containing one CA 304664562Sgshapiro cert. 304764562SgshapiroconfSERVER_CERT ServerCertFile [undefined] File containing the 304864562Sgshapiro cert of the server, i.e., this cert 304964562Sgshapiro is used when sendmail acts as 305064562Sgshapiro server. 305164562SgshapiroconfSERVER_KEY ServerKeyFile [undefined] File containing the 305264562Sgshapiro private key belonging to the server 305364562Sgshapiro cert. 305464562SgshapiroconfCLIENT_CERT ClientCertFile [undefined] File containing the 305564562Sgshapiro cert of the client, i.e., this cert 305664562Sgshapiro is used when sendmail acts as 305764562Sgshapiro client. 305864562SgshapiroconfCLIENT_KEY ClientKeyFile [undefined] File containing the 305964562Sgshapiro private key belonging to the client 306064562Sgshapiro cert. 306164562SgshapiroconfDH_PARAMETERS DHParameters [undefined] File containing the 306264562Sgshapiro DH parameters. 306364562SgshapiroconfRAND_FILE RandFile [undefined] File containing random 306466494Sgshapiro data (use prefix file:) or the 306566494Sgshapiro name of the UNIX socket if EGD is 306666494Sgshapiro used (use prefix egd:). STARTTLS 306766494Sgshapiro requires this option if the compile 306866494Sgshapiro flag HASURANDOM is not set (see 306964562Sgshapiro sendmail/README). 307064562Sgshapiro 307138032SpeterSee also the description of OSTYPE for some parameters that can be 307238032Spetertweaked (generally pathnames to mailers). 307338032Speter 307464562SgshapiroDaemonPortOptions are a special case since multiple daemons can be 307564562Sgshapirodefined. This can be done via 307638032Speter 307764562Sgshapiro DAEMON_OPTIONS(`field1=value1,field2=value2,...') 307864562Sgshapiro 307964562SgshapiroIf DAEMON_OPTIONS is not used, then the default is 308064562Sgshapiro 308164562Sgshapiro DAEMON_OPTIONS(`Port=smtp, Name=MTA') 308264562Sgshapiro DAEMON_OPTIONS(`Port=587, Name=MSA, M=E') 308364562Sgshapiro 308464562SgshapiroIf you use one DAEMON_OPTIONS macro, it will alter the parameters 308564562Sgshapiroof the first of these. The second will still be defaulted; it 308664562Sgshapirorepresents a "Message Submission Agent" (MSA) as defined by RFC 308764562Sgshapiro2476 (see below). To turn off the default definition for the MSA, 308864562Sgshapirouse FEATURE(`no_default_msa') (see also FEATURES). If you use 308964562Sgshapiroadditional DAEMON_OPTIONS macros, they will add additional daemons. 309064562Sgshapiro 309164562SgshapiroExample 1: To change the port for the SMTP listener, while 309264562Sgshapirostill using the MSA default, use 309364562Sgshapiro DAEMON_OPTIONS(`Port=925, Name=MTA') 309464562Sgshapiro 309564562SgshapiroExample 2: To change the port for the MSA daemon, while still 309664562Sgshapirousing the default SMTP port, use 309764562Sgshapiro FEATURE(`no_default_msa') 309864562Sgshapiro DAEMON_OPTIONS(`Name=MTA') 309964562Sgshapiro DAEMON_OPTIONS(`Port=987, Name=MSA, M=E') 310064562Sgshapiro 310164562SgshapiroNote that if the first of those DAEMON_OPTIONS lines were omitted, then 310264562Sgshapirothere would be no listener on the standard SMTP port. 310364562Sgshapiro 310464562SgshapiroExample 3: To listen on both IPv4 and IPv6 interfaces, use 310564562Sgshapiro 310664562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v4, Family=inet') 310764562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6') 310864562Sgshapiro 310964562SgshapiroA "Message Submission Agent" still uses all of the same rulesets for 311064562Sgshapiroprocessing the message (and therefore still allows message rejection via 311164562Sgshapirothe check_* rulesets). In accordance with the RFC, the MSA will ensure 311264562Sgshapirothat all domains in the envelope are fully qualified if the message is 311364562Sgshapirorelayed to another MTA. It will also enforce the normal address syntax 311464562Sgshapirorules and log error messages. Additionally, by using the M=a modifier 311564562Sgshapiroyou can require authentication before messages are accepted by the MSA. 311664562SgshapiroFinally, the M=E modifier shown above disables ETRN as required by RFC 311764562Sgshapiro2476. 311864562Sgshapiro 311964562Sgshapiro 312038032Speter+-----------+ 312138032Speter| HIERARCHY | 312238032Speter+-----------+ 312338032Speter 312438032SpeterWithin this directory are several subdirectories, to wit: 312538032Speter 312638032Speterm4 General support routines. These are typically 312738032Speter very important and should not be changed without 312838032Speter very careful consideration. 312938032Speter 313038032Spetercf The configuration files themselves. They have 313138032Speter ".mc" suffixes, and must be run through m4 to 313238032Speter become complete. The resulting output should 313338032Speter have a ".cf" suffix. 313438032Speter 313538032Speterostype Definitions describing a particular operating 313638032Speter system type. These should always be referenced 313738032Speter using the OSTYPE macro in the .mc file. Examples 313838032Speter include "bsd4.3", "bsd4.4", "sunos3.5", and 313938032Speter "sunos4.1". 314038032Speter 314138032Speterdomain Definitions describing a particular domain, referenced 314238032Speter using the DOMAIN macro in the .mc file. These are 314338032Speter site dependent; for example, "CS.Berkeley.EDU.m4" 314438032Speter describes hosts in the CS.Berkeley.EDU subdomain. 314538032Speter 314666494Sgshapiromailer Descriptions of mailers. These are referenced using 314738032Speter the MAILER macro in the .mc file. 314838032Speter 314938032Spetersh Shell files used when building the .cf file from the 315038032Speter .mc file in the cf subdirectory. 315138032Speter 315238032Speterfeature These hold special orthogonal features that you might 315338032Speter want to include. They should be referenced using 315438032Speter the FEATURE macro. 315538032Speter 315638032Speterhack Local hacks. These can be referenced using the HACK 315738032Speter macro. They shouldn't be of more than voyeuristic 315838032Speter interest outside the .Berkeley.EDU domain, but who knows? 315938032Speter 316038032Spetersiteconfig Site configuration -- e.g., tables of locally connected 316138032Speter UUCP sites. 316238032Speter 316338032Speter 316438032Speter+------------------------+ 316538032Speter| ADMINISTRATIVE DETAILS | 316638032Speter+------------------------+ 316738032Speter 316838032SpeterThe following sections detail usage of certain internal parts of the 316938032Spetersendmail.cf file. Read them carefully if you are trying to modify 317038032Speterthe current model. If you find the above descriptions adequate, these 317138032Spetershould be {boring, confusing, tedious, ridiculous} (pick one or more). 317238032Speter 317338032SpeterRULESETS (* means built in to sendmail) 317438032Speter 317538032Speter 0 * Parsing 317638032Speter 1 * Sender rewriting 317738032Speter 2 * Recipient rewriting 317838032Speter 3 * Canonicalization 317938032Speter 4 * Post cleanup 318038032Speter 5 * Local address rewrite (after aliasing) 318138032Speter 1x mailer rules (sender qualification) 318238032Speter 2x mailer rules (recipient qualification) 318338032Speter 3x mailer rules (sender header qualification) 318438032Speter 4x mailer rules (recipient header qualification) 318538032Speter 5x mailer subroutines (general) 318638032Speter 6x mailer subroutines (general) 318738032Speter 7x mailer subroutines (general) 318838032Speter 8x reserved 318938032Speter 90 Mailertable host stripping 319038032Speter 96 Bottom half of Ruleset 3 (ruleset 6 in old sendmail) 319138032Speter 97 Hook for recursive ruleset 0 call (ruleset 7 in old sendmail) 319238032Speter 98 Local part of ruleset 0 (ruleset 8 in old sendmail) 319338032Speter 99 Guaranteed null (for debugging) 319438032Speter 319538032Speter 319638032SpeterMAILERS 319738032Speter 319838032Speter 0 local, prog local and program mailers 319938032Speter 1 [e]smtp, relay SMTP channel 320038032Speter 2 uucp-* UNIX-to-UNIX Copy Program 320138032Speter 3 netnews Network News delivery 320238032Speter 4 fax Sam Leffler's HylaFAX software 320338032Speter 5 mail11 DECnet mailer 320438032Speter 320538032Speter 320638032SpeterMACROS 320738032Speter 320838032Speter A 320938032Speter B Bitnet Relay 321038032Speter C DECnet Relay 321138032Speter D The local domain -- usually not needed 321238032Speter E reserved for X.400 Relay 321338032Speter F FAX Relay 321438032Speter G 321538032Speter H mail Hub (for mail clusters) 321638032Speter I 321738032Speter J 321838032Speter K 321938032Speter L Luser Relay 322064562Sgshapiro M Masquerade (who you claim to be) 322138032Speter N 322238032Speter O 322338032Speter P 322438032Speter Q 322538032Speter R Relay (for unqualified names) 322638032Speter S Smart Host 322738032Speter T 322864562Sgshapiro U my UUCP name (if you have a UUCP connection) 322964562Sgshapiro V UUCP Relay (class {V} hosts) 323064562Sgshapiro W UUCP Relay (class {W} hosts) 323164562Sgshapiro X UUCP Relay (class {X} hosts) 323238032Speter Y UUCP Relay (all other hosts) 323338032Speter Z Version number 323438032Speter 323538032Speter 323638032SpeterCLASSES 323738032Speter 323838032Speter A 323938032Speter B domains that are candidates for bestmx lookup 324038032Speter C 324138032Speter D 324238032Speter E addresses that should not seem to come from $M 324364562Sgshapiro F hosts this system forward for 324438032Speter G domains that should be looked up in genericstable 324538032Speter H 324638032Speter I 324738032Speter J 324838032Speter K 324938032Speter L addresses that should not be forwarded to $R 325038032Speter M domains that should be mapped to $M 325164562Sgshapiro N host/domains that should not be mapped to $M 325238032Speter O operators that indicate network operations (cannot be in local names) 325338032Speter P top level pseudo-domains: BITNET, DECNET, FAX, UUCP, etc. 325438032Speter Q 325564562Sgshapiro R domains this system is willing to relay (pass anti-spam filters) 325638032Speter S 325738032Speter T 325838032Speter U locally connected UUCP hosts 325938032Speter V UUCP hosts connected to relay $V 326038032Speter W UUCP hosts connected to relay $W 326138032Speter X UUCP hosts connected to relay $X 326238032Speter Y locally connected smart UUCP hosts 326338032Speter Z locally connected domain-ized UUCP hosts 326438032Speter . the class containing only a dot 326538032Speter [ the class containing only a left bracket 326638032Speter 326738032Speter 326838032SpeterM4 DIVERSIONS 326938032Speter 327038032Speter 1 Local host detection and resolution 327138032Speter 2 Local Ruleset 3 additions 327238032Speter 3 Local Ruleset 0 additions 327338032Speter 4 UUCP Ruleset 0 additions 327438032Speter 5 locally interpreted names (overrides $R) 327538032Speter 6 local configuration (at top of file) 327638032Speter 7 mailer definitions 327764562Sgshapiro 8 DNS based blacklists 327838032Speter 9 special local rulesets (1 and 2) 327964562Sgshapiro 328073188Sgshapiro$Revision: 8.383.2.1.2.42 $, Last updated $Date: 2001/02/15 23:40:10 $ 3281