README revision 80785
138032Speter 264562Sgshapiro SENDMAIL CONFIGURATION FILES 338032Speter 464562SgshapiroThis document describes the sendmail configuration files. This package 564562Sgshapirorequires a post-V7 version of m4; if you are running the 4.2bsd, SysV.2, or 664562Sgshapiro7th Edition version. SunOS's /usr/5bin/m4 or BSD-Net/2's m4 both work. 764562SgshapiroGNU m4 version 1.1 or later also works. Unfortunately, the M4 on BSDI 1.0 838032Speterdoesn't work -- you'll have to use a Net/2 or GNU version. GNU m4 is 966494Sgshapiroavailable from ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the 1071345Sgshapirolatest version). EXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x 1164562Sgshapirois fine). Use GNU m4 on this platform. 1238032Speter 1364562SgshapiroTo get started, you may want to look at tcpproto.mc (for TCP-only sites), 1464562Sgshapirouucpproto.mc (for UUCP-only sites), and clientproto.mc (for clusters of 1564562Sgshapiroclients using a single mail host). Others are versions previously used at 1664562SgshapiroBerkeley. For example, ucbvax has gone away, but ucbvax.mc demonstrates 1764562Sgshapirosome interesting techniques. 1838032Speter 1938032Speter******************************************************************* 2038032Speter*** BE SURE YOU CUSTOMIZE THESE FILES! They have some *** 2138032Speter*** Berkeley-specific assumptions built in, such as the name *** 2264562Sgshapiro*** of their UUCP-relay. You'll want to create your own *** 2364562Sgshapiro*** domain description, and use that in place of *** 2438032Speter*** domain/Berkeley.EDU.m4. *** 2538032Speter******************************************************************* 2638032Speter 2738032Speter 2838032Speter+--------------------------+ 2938032Speter| INTRODUCTION AND EXAMPLE | 3038032Speter+--------------------------+ 3138032Speter 3238032SpeterConfiguration files are contained in the subdirectory "cf", with a 3338032Spetersuffix ".mc". They must be run through "m4" to produce a ".cf" file. 3438032SpeterYou must pre-load "cf.m4": 3538032Speter 3638032Speter m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf 3738032Speter 3864562SgshapiroAlternatively, you can simply: 3964562Sgshapiro 4064562Sgshapiro cd ${CFDIR}/cf 4164562Sgshapiro ./Build config.cf 4264562Sgshapiro 4338032Speterwhere ${CFDIR} is the root of the cf directory and config.mc is the 4438032Spetername of your configuration file. If you are running a version of M4 4538032Speterthat understands the __file__ builtin (versions of GNU m4 >= 0.75 do 4638032Speterthis, but the versions distributed with 4.4BSD and derivatives do not) 4738032Speteror the -I flag (ditto), then ${CFDIR} can be in an arbitrary directory. 4838032SpeterFor "traditional" versions, ${CFDIR} ***MUST*** be "..", or you MUST 4938032Speteruse -D_CF_DIR_=/path/to/cf/dir/ -- note the trailing slash! For example: 5038032Speter 5138032Speter m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 config.mc > config.cf 5238032Speter 5338032SpeterLet's examine a typical .mc file: 5438032Speter 5538032Speter divert(-1) 5638032Speter # 5773188Sgshapiro # Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. 5864562Sgshapiro # All rights reserved. 5938032Speter # Copyright (c) 1983 Eric P. Allman. All rights reserved. 6038032Speter # Copyright (c) 1988, 1993 6138032Speter # The Regents of the University of California. All rights reserved. 6238032Speter # 6338032Speter # By using this file, you agree to the terms and conditions set 6438032Speter # forth in the LICENSE file which can be found at the top level of 6538032Speter # the sendmail distribution. 6638032Speter # 6738032Speter 6838032Speter # 6938032Speter # This is a Berkeley-specific configuration file for HP-UX 9.x. 7038032Speter # It applies only to the Computer Science Division at Berkeley, 7138032Speter # and should not be used elsewhere. It is provided on the sendmail 7238032Speter # distribution as a sample only. To create your own configuration 7338032Speter # file, create an appropriate domain file in ../domain, change the 7438032Speter # `DOMAIN' macro below to reference that file, and copy the result 7538032Speter # to a name of your own choosing. 7638032Speter # 7738032Speter divert(0) 7838032Speter 7938032SpeterThe divert(-1) will delete the crud in the resulting output file. 8038032SpeterThe copyright notice can be replaced by whatever your lawyers require; 8164562Sgshapiroour lawyers require the one that is included in these files. A copyleft 8238032Speteris a copyright by another name. The divert(0) restores regular output. 8338032Speter 8438032Speter VERSIONID(`<SCCS or RCS version id>') 8538032Speter 8638032SpeterVERSIONID is a macro that stuffs the version information into the 8764562Sgshapiroresulting file. You could use SCCS, RCS, CVS, something else, or 8838032Speteromit it completely. This is not the same as the version id included 8938032Speterin SMTP greeting messages -- this is defined in m4/version.m4. 9038032Speter 9164562Sgshapiro OSTYPE(`hpux9')dnl 9238032Speter 9338032SpeterYou must specify an OSTYPE to properly configure things such as the 9438032Speterpathname of the help and status files, the flags needed for the local 9538032Spetermailer, and other important things. If you omit it, you will get an 9638032Spetererror when you try to build the configuration. Look at the ostype 9738032Speterdirectory for the list of known operating system types. 9838032Speter 9964562Sgshapiro DOMAIN(`CS.Berkeley.EDU')dnl 10038032Speter 10138032SpeterThis example is specific to the Computer Science Division at Berkeley. 10264562SgshapiroYou can use "DOMAIN(`generic')" to get a sufficiently bland definition 10338032Speterthat may well work for you, or you can create a customized domain 10438032Speterdefinition appropriate for your environment. 10538032Speter 10664562Sgshapiro MAILER(`local') 10764562Sgshapiro MAILER(`smtp') 10838032Speter 10964562SgshapiroThese describe the mailers used at the default CS site. The 11038032Speterlocal mailer is always included automatically. Beware: MAILER 11138032Speterdeclarations should always be at the end of the configuration file, 11264562Sgshapiroand MAILER(`smtp') should always precede MAILER(`procmail'), and 11364562SgshapiroMAILER(`uucp'). The general rules are that the order should be: 11438032Speter 11538032Speter VERSIONID 11638032Speter OSTYPE 11738032Speter DOMAIN 11838032Speter FEATURE 11938032Speter local macro definitions 12038032Speter MAILER 12164562Sgshapiro LOCAL_RULE_* 12264562Sgshapiro LOCAL_RULESETS 12338032Speter 12464562SgshapiroThere are a few exceptions to this rule. Local macro definitions which 12564562Sgshapiroinfluence a FEATURE() should be done before that feature. For example, 12664562Sgshapiroa define(`PROCMAIL_MAILER_PATH', ...) should be done before 12764562SgshapiroFEATURE(`local_procmail'). 12838032Speter 12964562Sgshapiro 13038032Speter+----------------------------+ 13138032Speter| A BRIEF INTRODUCTION TO M4 | 13238032Speter+----------------------------+ 13338032Speter 13438032SpeterSendmail uses the M4 macro processor to ``compile'' the configuration 13538032Speterfiles. The most important thing to know is that M4 is stream-based, 13638032Speterthat is, it doesn't understand about lines. For this reason, in some 13738032Speterplaces you may see the word ``dnl'', which stands for ``delete 13838032Speterthrough newline''; essentially, it deletes all characters starting 13938032Speterat the ``dnl'' up to and including the next newline character. In 14038032Spetermost cases sendmail uses this only to avoid lots of unnecessary 14138032Speterblank lines in the output. 14238032Speter 14338032SpeterOther important directives are define(A, B) which defines the macro 14438032Speter``A'' to have value ``B''. Macros are expanded as they are read, so 14538032Speterone normally quotes both values to prevent expansion. For example, 14638032Speter 14738032Speter define(`SMART_HOST', `smart.foo.com') 14838032Speter 14938032SpeterOne word of warning: M4 macros are expanded even in lines that appear 15038032Speterto be comments. For example, if you have 15138032Speter 15264562Sgshapiro # See FEATURE(`foo') above 15338032Speter 15464562Sgshapiroit will not do what you expect, because the FEATURE(`foo') will be 15538032Speterexpanded. This also applies to 15638032Speter 15738032Speter # And then define the $X macro to be the return address 15838032Speter 15938032Speterbecause ``define'' is an M4 keyword. If you want to use them, surround 16038032Speterthem with directed quotes, `like this'. 16138032Speter 16238032Speter+----------------+ 16338032Speter| FILE LOCATIONS | 16438032Speter+----------------+ 16538032Speter 16638032Spetersendmail 8.9 has introduced a new configuration directory for sendmail 16738032Speterrelated files, /etc/mail. The new files available for sendmail 8.9 -- 16864562Sgshapirothe class {R} /etc/mail/relay-domains and the access database 16964562Sgshapiro/etc/mail/access -- take advantage of this new directory. Beginning with 17064562Sgshapiro8.10, all files will use this directory by default (some options may be 17164562Sgshapiroset by OSTYPE() files). This new directory should help to restore 17264562Sgshapirouniformity to sendmail's file locations. 17338032Speter 17464562SgshapiroBelow is a table of some of the common changes: 17564562Sgshapiro 17664562SgshapiroOld filename New filename 17764562Sgshapiro------------ ------------ 17864562Sgshapiro/etc/bitdomain /etc/mail/bitdomain 17964562Sgshapiro/etc/domaintable /etc/mail/domaintable 18064562Sgshapiro/etc/genericstable /etc/mail/genericstable 18164562Sgshapiro/etc/uudomain /etc/mail/uudomain 18264562Sgshapiro/etc/virtusertable /etc/mail/virtusertable 18364562Sgshapiro/etc/userdb /etc/mail/userdb 18464562Sgshapiro 18564562Sgshapiro/etc/aliases /etc/mail/aliases 18664562Sgshapiro/etc/sendmail/aliases /etc/mail/aliases 18764562Sgshapiro/etc/ucbmail/aliases /etc/mail/aliases 18864562Sgshapiro/usr/adm/sendmail/aliases /etc/mail/aliases 18964562Sgshapiro/usr/lib/aliases /etc/mail/aliases 19064562Sgshapiro/usr/lib/mail/aliases /etc/mail/aliases 19164562Sgshapiro/usr/ucblib/aliases /etc/mail/aliases 19264562Sgshapiro 19364562Sgshapiro/etc/sendmail.cw /etc/mail/local-host-names 19464562Sgshapiro/etc/mail/sendmail.cw /etc/mail/local-host-names 19564562Sgshapiro/etc/sendmail/sendmail.cw /etc/mail/local-host-names 19664562Sgshapiro 19764562Sgshapiro/etc/sendmail.ct /etc/mail/trusted-users 19864562Sgshapiro 19964562Sgshapiro/etc/sendmail.oE /etc/mail/error-header 20064562Sgshapiro 20164562Sgshapiro/etc/sendmail.hf /etc/mail/helpfile 20264562Sgshapiro/etc/mail/sendmail.hf /etc/mail/helpfile 20364562Sgshapiro/usr/ucblib/sendmail.hf /etc/mail/helpfile 20464562Sgshapiro/etc/ucbmail/sendmail.hf /etc/mail/helpfile 20564562Sgshapiro/usr/lib/sendmail.hf /etc/mail/helpfile 20664562Sgshapiro/usr/share/lib/sendmail.hf /etc/mail/helpfile 20764562Sgshapiro/usr/share/misc/sendmail.hf /etc/mail/helpfile 20864562Sgshapiro/share/misc/sendmail.hf /etc/mail/helpfile 20964562Sgshapiro 21064562Sgshapiro/etc/service.switch /etc/mail/service.switch 21164562Sgshapiro 21264562Sgshapiro/etc/sendmail.st /etc/mail/statistics 21364562Sgshapiro/etc/mail/sendmail.st /etc/mail/statistics 21464562Sgshapiro/etc/mailer/sendmail.st /etc/mail/statistics 21564562Sgshapiro/etc/sendmail/sendmail.st /etc/mail/statistics 21664562Sgshapiro/usr/lib/sendmail.st /etc/mail/statistics 21764562Sgshapiro/usr/ucblib/sendmail.st /etc/mail/statistics 21864562Sgshapiro 21964562SgshapiroNote that all of these paths actually use a new m4 macro MAIL_SETTINGS_DIR 22064562Sgshapiroto create the pathnames. The default value of this variable is 22164562Sgshapiro`/etc/mail/'. If you set this macro to a different value, you MUST include 22264562Sgshapiroa trailing slash. 22364562Sgshapiro 22480785SgshapiroNotice: all filenames used in a .mc (or .cf) file should be absolute 22580785Sgshapiro(starting at the root, i.e., with '/'). Relative filenames most 22680785Sgshapirolikely cause surprises during operations (unless otherwise noted). 22780785Sgshapiro 22880785Sgshapiro 22938032Speter+--------+ 23038032Speter| OSTYPE | 23138032Speter+--------+ 23238032Speter 23338032SpeterYou MUST define an operating system environment, or the configuration 23438032Speterfile build will puke. There are several environments available; look 23538032Speterat the "ostype" directory for the current list. This macro changes 23638032Speterthings like the location of the alias file and queue directory. Some 23738032Speterof these files are identical to one another. 23838032Speter 23938032SpeterIt is IMPERATIVE that the OSTYPE occur before any MAILER definitions. 24038032SpeterIn general, the OSTYPE macro should go immediately after any version 24138032Speterinformation, and MAILER definitions should always go last. 24238032Speter 24338032SpeterOperating system definitions are usually easy to write. They may define 24438032Speterthe following variables (everything defaults, so an ostype file may be 24538032Speterempty). Unfortunately, the list of configuration-supported systems is 24638032Speternot as broad as the list of source-supported systems, since many of 24738032Speterthe source contributors do not include corresponding ostype files. 24838032Speter 24964562SgshapiroALIAS_FILE [/etc/mail/aliases] The location of the text version 25038032Speter of the alias file(s). It can be a comma-separated 25138032Speter list of names (but be sure you quote values with 25238032Speter commas in them -- for example, use 25338032Speter define(`ALIAS_FILE', `a,b') 25438032Speter to get "a" and "b" both listed as alias files; 25538032Speter otherwise the define() primitive only sees "a"). 25664562SgshapiroHELP_FILE [/etc/mail/helpfile] The name of the file 25738032Speter containing information printed in response to 25838032Speter the SMTP HELP command. 25938032SpeterQUEUE_DIR [/var/spool/mqueue] The directory containing 26064562Sgshapiro queue files. To use multiple queues, supply 26164562Sgshapiro a value ending with an asterisk. For 26273188Sgshapiro example, /var/spool/mqueue/qd* will use all of the 26364562Sgshapiro directories or symbolic links to directories 26473188Sgshapiro beginning with 'qd' in /var/spool/mqueue as queue 26564562Sgshapiro directories. The names 'qf', 'df', and 'xf' are 26673188Sgshapiro reserved as specific subdirectories for the 26773188Sgshapiro corresponding queue file types as explained in 26873188Sgshapiro doc/op/op.me. 26964562SgshapiroSTATUS_FILE [/etc/mail/statistics] The file containing status 27038032Speter information. 27138032SpeterLOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. 27264562SgshapiroLOCAL_MAILER_FLAGS [Prmn9] The flags used by the local mailer. The 27364562Sgshapiro flags lsDFMAw5:/|@q are always included. 27438032SpeterLOCAL_MAILER_ARGS [mail -d $u] The arguments passed to deliver local 27538032Speter mail. 27638032SpeterLOCAL_MAILER_MAX [undefined] If defined, the maximum size of local 27738032Speter mail that you are willing to accept. 27864562SgshapiroLOCAL_MAILER_MAXMSGS [undefined] If defined, the maximum number of 27964562Sgshapiro messages to deliver in a single connection. Only 28064562Sgshapiro useful for LMTP local mailers. 28138032SpeterLOCAL_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 28238032Speter that ARRIVE from an address that resolves to the 28338032Speter local mailer and which are converted to MIME will be 28438032Speter labeled with this character set. 28564562SgshapiroLOCAL_MAILER_EOL [undefined] If defined, the string to use as the 28664562Sgshapiro end of line for the local mailer. 28764562SgshapiroLOCAL_MAILER_DSN_DIAGNOSTIC_CODE 28864562Sgshapiro [X-Unix] The DSN Diagnostic-Code value for the 28964562Sgshapiro local mailer. This should be changed with care. 29038032SpeterLOCAL_SHELL_PATH [/bin/sh] The shell used to deliver piped email. 29138032SpeterLOCAL_SHELL_FLAGS [eu9] The flags used by the shell mailer. The 29238032Speter flags lsDFM are always included. 29338032SpeterLOCAL_SHELL_ARGS [sh -c $u] The arguments passed to deliver "prog" 29438032Speter mail. 29538032SpeterLOCAL_SHELL_DIR [$z:/] The directory search path in which the 29638032Speter shell should run. 29738032SpeterUSENET_MAILER_PATH [/usr/lib/news/inews] The name of the program 29838032Speter used to submit news. 29964562SgshapiroUSENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer. 30038032SpeterUSENET_MAILER_ARGS [-m -h -n] The command line arguments for the 30138032Speter usenet mailer. 30238032SpeterUSENET_MAILER_MAX [100000] The maximum size of messages that will 30338032Speter be accepted by the usenet mailer. 30438032SpeterSMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default 30564562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 30664562Sgshapiro "esmtp" mailer adds `a'; "smtp8" adds `8'; and 30764562Sgshapiro "dsmtp" adds `%'. 30864562SgshapiroRELAY_MAILER_FLAGS [undefined] Flags added to the relay mailer. Default 30964562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 31064562Sgshapiro relay mailer adds `a8'. If this is not defined, 31164562Sgshapiro then SMTP_MAILER_FLAGS is used. 31238032SpeterSMTP_MAILER_MAX [undefined] The maximum size of messages that will 31364562Sgshapiro be transported using the smtp, smtp8, esmtp, or dsmtp 31438032Speter mailers. 31564562SgshapiroSMTP_MAILER_MAXMSGS [undefined] If defined, the maximum number of 31664562Sgshapiro messages to deliver in a single connection for the 31764562Sgshapiro smtp, smtp8, esmtp, or dsmtp mailers. 31866494SgshapiroSMTP_MAILER_ARGS [TCP $h] The arguments passed to the smtp mailer. 31938032Speter About the only reason you would want to change this 32038032Speter would be to change the default port. 32166494SgshapiroESMTP_MAILER_ARGS [TCP $h] The arguments passed to the esmtp mailer. 32266494SgshapiroSMTP8_MAILER_ARGS [TCP $h] The arguments passed to the smtp8 mailer. 32366494SgshapiroDSMTP_MAILER_ARGS [TCP $h] The arguments passed to the dsmtp mailer. 32466494SgshapiroRELAY_MAILER_ARGS [TCP $h] The arguments passed to the relay mailer. 32564562SgshapiroRELAY_MAILER_MAXMSGS [undefined] If defined, the maximum number of 32664562Sgshapiro messages to deliver in a single connection for the 32764562Sgshapiro relay mailer. 32838032SpeterSMTP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 32938032Speter that ARRIVE from an address that resolves to one of 33038032Speter the SMTP mailers and which are converted to MIME will 33138032Speter be labeled with this character set. 33238032SpeterUUCP_MAILER_PATH [/usr/bin/uux] The program used to send UUCP mail. 33338032SpeterUUCP_MAILER_FLAGS [undefined] Flags added to UUCP mailer. Default 33438032Speter flags are `DFMhuU' (and `m' for uucp-new mailer, 33538032Speter minus `U' for uucp-dom mailer). 33638032SpeterUUCP_MAILER_ARGS [uux - -r -z -a$g -gC $h!rmail ($u)] The arguments 33738032Speter passed to the UUCP mailer. 33838032SpeterUUCP_MAILER_MAX [100000] The maximum size message accepted for 33938032Speter transmission by the UUCP mailers. 34038032SpeterUUCP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 34138032Speter that ARRIVE from an address that resolves to one of 34238032Speter the UUCP mailers and which are converted to MIME will 34338032Speter be labeled with this character set. 34438032SpeterFAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to 34538032Speter submit FAX messages. 34638032SpeterFAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX 34738032Speter mailer. 34838032SpeterFAX_MAILER_MAX [100000] The maximum size message accepted for 34938032Speter transmission by FAX. 35038032SpeterPOP_MAILER_PATH [/usr/lib/mh/spop] The pathname of the POP mailer. 35164562SgshapiroPOP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq 35238032Speter are always added. 35338032SpeterPOP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer. 35438032SpeterPROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail 35543730Speter program. This is also used by 35643730Speter FEATURE(`local_procmail'). 35738032SpeterPROCMAIL_MAILER_FLAGS [SPhnu9] Flags added to Procmail mailer. Flags 35864562Sgshapiro DFM are always set. This is NOT used by 35943730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_FLAGS 36038032Speter instead. 36138032SpeterPROCMAIL_MAILER_ARGS [procmail -Y -m $h $f $u] The arguments passed to 36238032Speter the Procmail mailer. This is NOT used by 36343730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_ARGS 36438032Speter instead. 36538032SpeterPROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that 36638032Speter will be accepted by the procmail mailer. 36738032SpeterMAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer. 36838032SpeterMAIL11_MAILER_FLAGS [nsFx] Flags for the mail11 mailer. 36938032SpeterMAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11 37038032Speter mailer. 37138032SpeterPH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery 37238032Speter program. 37364562SgshapiroPH_MAILER_FLAGS [ehmu] Flags for the phquery mailer. Flags nrDFM 37464562Sgshapiro are always set. 37538032SpeterPH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer. 37664562SgshapiroCYRUS_MAILER_FLAGS [Ah5@/:|] The flags used by the cyrus mailer. The 37738032Speter flags lsDFMnPq are always included. 37838032SpeterCYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver 37938032Speter cyrus mail. 38038032SpeterCYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed 38138032Speter to deliver cyrus mail. 38238032SpeterCYRUS_MAILER_MAX [undefined] If set, the maximum size message that 38338032Speter will be accepted by the cyrus mailer. 38438032SpeterCYRUS_MAILER_USER [cyrus:mail] The user and group to become when 38538032Speter running the cyrus mailer. 38664562SgshapiroCYRUS_BB_MAILER_FLAGS [u] The flags used by the cyrusbb mailer. 38764562Sgshapiro The flags lsDFMnP are always included. 38838032SpeterCYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed 38938032Speter to deliver cyrusbb mail. 39038032SpeterconfEBINDIR [/usr/libexec] The directory for executables. 39143730Speter Currently used for FEATURE(`local_lmtp') and 39243730Speter FEATURE(`smrsh'). 39364562SgshapiroQPAGE_MAILER_FLAGS [mDFMs] The flags used by the qpage mailer. 39464562SgshapiroQPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver 39564562Sgshapiro qpage mail. 39664562SgshapiroQPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed 39764562Sgshapiro to deliver qpage mail. 39864562SgshapiroQPAGE_MAILER_MAX [4096] If set, the maximum size message that 39964562Sgshapiro will be accepted by the qpage mailer. 40038032Speter 40164562SgshapiroNote: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: 40264562SgshapiroMODIFY_MAILER_FLAGS(`Name', `change') where Name is the first part of 40364562Sgshapirothe macro Name_MAILER_FLAGS and change can be: flags that should 40464562Sgshapirobe used directly (thus overriding the default value), or if it 40564562Sgshapirostarts with `+' (`-') then those flags are added to (removed from) 40664562Sgshapirothe default value. Example: 40738032Speter 40864562Sgshapiro MODIFY_MAILER_FLAGS(`LOCAL', `+e') 40938032Speter 41064562Sgshapirowill add the flag `e' to LOCAL_MAILER_FLAGS. 41164562SgshapiroWARNING: The FEATUREs local_lmtp and local_procmail set LOCAL_MAILER_FLAGS 41264562Sgshapirounconditionally, i.e., without respecting any definitions in an 41364562SgshapiroOSTYPE setting. 41464562Sgshapiro 41564562Sgshapiro 41638032Speter+---------+ 41738032Speter| DOMAINS | 41838032Speter+---------+ 41938032Speter 42038032SpeterYou will probably want to collect domain-dependent defines into one 42164562Sgshapirofile, referenced by the DOMAIN macro. For example, the Berkeley 42238032Speterdomain file includes definitions for several internal distinguished 42338032Speterhosts: 42438032Speter 42538032SpeterUUCP_RELAY The host that will accept UUCP-addressed email. 42638032Speter If not defined, all UUCP sites must be directly 42738032Speter connected. 42838032SpeterBITNET_RELAY The host that will accept BITNET-addressed email. 42938032Speter If not defined, the .BITNET pseudo-domain won't work. 43038032SpeterDECNET_RELAY The host that will accept DECNET-addressed email. 43138032Speter If not defined, the .DECNET pseudo-domain and addresses 43238032Speter of the form node::user will not work. 43338032SpeterFAX_RELAY The host that will accept mail to the .FAX pseudo-domain. 43438032Speter The "fax" mailer overrides this value. 43571345SgshapiroLOCAL_RELAY The site that will handle unqualified names -- that 43671345Sgshapiro is, names with out an @domain extension. 43771345Sgshapiro Normally MAIL_HUB is preferred for this function. 43871345Sgshapiro LOCAL_RELAY is mostly useful in conjunction with 43971345Sgshapiro FEATURE(stickyhost) -- see the discussion of 44071345Sgshapiro stickyhost below. If not set, they are assumed to 44171345Sgshapiro belong on this machine. This allows you to have a 44271345Sgshapiro central site to store a company- or department-wide 44371345Sgshapiro alias database. This only works at small sites, 44471345Sgshapiro and only with some user agents. 44538032SpeterLUSER_RELAY The site that will handle lusers -- that is, apparently 44664562Sgshapiro local names that aren't local accounts or aliases. To 44764562Sgshapiro specify a local user instead of a site, set this to 44864562Sgshapiro ``local:username''. 44938032Speter 45038032SpeterAny of these can be either ``mailer:hostname'' (in which case the 45138032Spetermailer is the internal mailer name, such as ``uucp-new'' and the hostname 45238032Speteris the name of the host as appropriate for that mailer) or just a 45338032Speter``hostname'', in which case a default mailer type (usually ``relay'', 45438032Spetera variant on SMTP) is used. WARNING: if you have a wildcard MX 45538032Speterrecord matching your domain, you probably want to define these to 45638032Speterhave a trailing dot so that you won't get the mail diverted back 45738032Speterto yourself. 45838032Speter 45938032SpeterThe domain file can also be used to define a domain name, if needed 46038032Speter(using "DD<domain>") and set certain site-wide features. If all hosts 46138032Speterat your site masquerade behind one email name, you could also use 46238032SpeterMASQUERADE_AS here. 46338032Speter 46438032SpeterYou do not have to define a domain -- in particular, if you are a 46538032Spetersingle machine sitting off somewhere, it is probably more work than 46638032Speterit's worth. This is just a mechanism for combining "domain dependent 46738032Speterknowledge" into one place. 46838032Speter 46938032Speter+---------+ 47038032Speter| MAILERS | 47138032Speter+---------+ 47238032Speter 47338032SpeterThere are fewer mailers supported in this version than the previous 47438032Speterversion, owing mostly to a simpler world. As a general rule, put the 47564562SgshapiroMAILER definitions last in your .mc file, and always put MAILER(`smtp') 47664562Sgshapirobefore MAILER(`uucp') and MAILER(`procmail') -- several features and 47764562Sgshapirodefinitions will modify the definition of mailers, and the smtp mailer 47864562Sgshapiromodifies the UUCP mailer. Moreover, MAILER(`cyrus'), MAILER(`pop'), 47964562SgshapiroMAILER(`phquery'), and MAILER(`usenet') must be defined after 48064562SgshapiroMAILER(`local'). 48138032Speter 48238032Speterlocal The local and prog mailers. You will almost always 48338032Speter need these; the only exception is if you relay ALL 48438032Speter your mail to another site. This mailer is included 48538032Speter automatically. 48638032Speter 48738032Spetersmtp The Simple Mail Transport Protocol mailer. This does 48838032Speter not hide hosts behind a gateway or another other 48938032Speter such hack; it assumes a world where everyone is 49038032Speter running the name server. This file actually defines 49164562Sgshapiro five mailers: "smtp" for regular (old-style) SMTP to 49238032Speter other servers, "esmtp" for extended SMTP to other 49338032Speter servers, "smtp8" to do SMTP to other servers without 49438032Speter converting 8-bit data to MIME (essentially, this is 49538032Speter your statement that you know the other end is 8-bit 49664562Sgshapiro clean even if it doesn't say so), "dsmtp" to do on 49764562Sgshapiro demand delivery, and "relay" for transmission to the 49864562Sgshapiro RELAY_HOST, LUSER_RELAY, or MAIL_HUB. 49938032Speter 50066494Sgshapirouucp The UNIX-to-UNIX Copy Program mailer. Actually, this 50138032Speter defines two mailers, "uucp-old" (a.k.a. "uucp") and 50238032Speter "uucp-new" (a.k.a. "suucp"). The latter is for when you 50338032Speter know that the UUCP mailer at the other end can handle 50438032Speter multiple recipients in one transfer. If the smtp mailer 50538032Speter is also included in your configuration, two other mailers 50638032Speter ("uucp-dom" and "uucp-uudom") are also defined [warning: 50738032Speter you MUST specify MAILER(smtp) before MAILER(uucp)]. When you 50838032Speter include the uucp mailer, sendmail looks for all names in 50964562Sgshapiro class {U} and sends them to the uucp-old mailer; all 51064562Sgshapiro names in class {Y} are sent to uucp-new; and all 51164562Sgshapiro names in class {Z} are sent to uucp-uudom. Note that 51238032Speter this is a function of what version of rmail runs on 51338032Speter the receiving end, and hence may be out of your control. 51438032Speter See the section below describing UUCP mailers in more 51538032Speter detail. 51638032Speter 51738032Speterusenet Usenet (network news) delivery. If this is specified, 51838032Speter an extra rule is added to ruleset 0 that forwards all 51938032Speter local email for users named ``group.usenet'' to the 52038032Speter ``inews'' program. Note that this works for all groups, 52138032Speter and may be considered a security problem. 52238032Speter 52338032Speterfax Facsimile transmission. This is experimental and based 52438032Speter on Sam Leffler's HylaFAX software. For more information, 52571345Sgshapiro see http://www.hylafax.org/. 52638032Speter 52738032Speterpop Post Office Protocol. 52838032Speter 52938032Speterprocmail An interface to procmail (does not come with sendmail). 53038032Speter This is designed to be used in mailertables. For example, 53138032Speter a common question is "how do I forward all mail for a given 53238032Speter domain to a single person?". If you have this mailer 53338032Speter defined, you could set up a mailertable reading: 53438032Speter 53538032Speter host.com procmail:/etc/procmailrcs/host.com 53638032Speter 53738032Speter with the file /etc/procmailrcs/host.com reading: 53838032Speter 53938032Speter :0 # forward mail for host.com 54038032Speter ! -oi -f $1 person@other.host 54138032Speter 54238032Speter This would arrange for (anything)@host.com to be sent 54338032Speter to person@other.host. Within the procmail script, $1 is 54438032Speter the name of the sender and $2 is the name of the recipient. 54543730Speter If you use this with FEATURE(`local_procmail'), the FEATURE 54638032Speter should be listed first. 54738032Speter 54838032Spetermail11 The DECnet mail11 mailer, useful only if you have the mail11 54938032Speter program from gatekeeper.dec.com:/pub/DEC/gwtools (and 55038032Speter DECnet, of course). This is for Phase IV DECnet support; 55138032Speter if you have Phase V at your site you may have additional 55238032Speter problems. 55338032Speter 55438032Speterphquery The phquery program. This is somewhat counterintuitively 55538032Speter referenced as the "ph" mailer internally. It can be used 55638032Speter to do CCSO name server lookups. The phquery program, which 55738032Speter this mailer uses, is distributed with the ph client. 55838032Speter 55938032Spetercyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to 56038032Speter a local cyrus user. this mailer can make use of the 56138032Speter "user+detail@local.host" syntax; it will deliver the mail to 56238032Speter the user's "detail" mailbox if the mailbox's ACL permits. 56338032Speter The cyrusbb mailer delivers to a system-wide cyrus mailbox 56464562Sgshapiro if the mailbox's ACL permits. The cyrus mailer must be 56564562Sgshapiro defined after the local mailer. 56638032Speter 56764562Sgshapiroqpage A mailer for QuickPage, a pager interface. See 56864562Sgshapiro http://www.qpage.org/ for further information. 56938032Speter 57038032SpeterThe local mailer accepts addresses of the form "user+detail", where 57138032Speterthe "+detail" is not used for mailbox matching but is available 57243730Speterto certain local mail programs (in particular, see 57343730SpeterFEATURE(`local_procmail')). For example, "eric", "eric+sendmail", and 57443730Speter"eric+sww" all indicate the same user, but additional arguments <null>, 57543730Speter"sendmail", and "sww" may be provided for use in sorting mail. 57638032Speter 57738032Speter 57838032Speter+----------+ 57938032Speter| FEATURES | 58038032Speter+----------+ 58138032Speter 58238032SpeterSpecial features can be requested using the "FEATURE" macro. For 58338032Speterexample, the .mc line: 58438032Speter 58543730Speter FEATURE(`use_cw_file') 58638032Speter 58764562Sgshapirotells sendmail that you want to have it read an /etc/mail/local-host-names 58864562Sgshapirofile to get values for class {w}. The FEATURE may contain up to 9 58964562Sgshapirooptional parameters -- for example: 59038032Speter 59143730Speter FEATURE(`mailertable', `dbm /usr/lib/mailertable') 59238032Speter 59338032SpeterThe default database map type for the table features can be set with 59464562Sgshapiro 59538032Speter define(`DATABASE_MAP_TYPE', `dbm') 59638032Speter 59738032Speterwhich would set it to use ndbm databases. The default is the Berkeley DB 59838032Speterhash database format. Note that you must still declare a database map type 59938032Speterif you specify an argument to a FEATURE. DATABASE_MAP_TYPE is only used 60064562Sgshapiroif no argument is given for the FEATURE. It must be specified before any 60164562Sgshapirofeature that uses a map. 60238032Speter 60338032SpeterAvailable features are: 60438032Speter 60564562Sgshapirouse_cw_file Read the file /etc/mail/local-host-names file to get 60664562Sgshapiro alternate names for this host. This might be used if you 60764562Sgshapiro were on a host that MXed for a dynamic set of other hosts. 60864562Sgshapiro If the set is static, just including the line "Cw<name1> 60964562Sgshapiro <name2> ..." (where the names are fully qualified domain 61064562Sgshapiro names) is probably superior. The actual filename can be 61164562Sgshapiro overridden by redefining confCW_FILE. 61238032Speter 61364562Sgshapirouse_ct_file Read the file /etc/mail/trusted-users file to get the 61464562Sgshapiro names of users that will be ``trusted'', that is, able to 61564562Sgshapiro set their envelope from address using -f without generating 61664562Sgshapiro a warning message. The actual filename can be overridden 61764562Sgshapiro by redefining confCT_FILE. 61838032Speter 61938032Speterredirect Reject all mail addressed to "address.REDIRECT" with 62064562Sgshapiro a ``551 User has moved; please try <address>'' message. 62138032Speter If this is set, you can alias people who have left 62238032Speter to their new address with ".REDIRECT" appended. 62338032Speter 62464562Sgshapironouucp Don't route UUCP addresses. This feature takes one 62564562Sgshapiro parameter: 62664562Sgshapiro `reject': reject addresses which have "!" in the local 62764562Sgshapiro part unless it originates from a system 62864562Sgshapiro that is allowed to relay. 62964562Sgshapiro `nospecial': don't do anything special with "!". 63064562Sgshapiro Warnings: 1. See the NOTICE in the ANTI-SPAM section. 63164562Sgshapiro 2. don't remove "!" from OperatorChars if `reject' is 63264562Sgshapiro given as parameter. 63338032Speter 63464562Sgshapironocanonify Don't pass addresses to $[ ... $] for canonification 63571345Sgshapiro by default, i.e., host/domain names are considered canonical, 63671345Sgshapiro except for unqualified names, which must not be used in this 63771345Sgshapiro mode (violation of the standard). It can be changed by 63871345Sgshapiro setting the DaemonPortOptions modifiers (M=). That is, 63964562Sgshapiro FEATURE(`nocanonify') will be overridden by setting the 64064562Sgshapiro 'c' flag. Conversely, if FEATURE(`nocanonify') is not used, 64164562Sgshapiro it can be emulated by setting the 'C' flag 64264562Sgshapiro (DaemonPortOptions=Modifiers=C). This would generally only 64364562Sgshapiro be used by sites that only act as mail gateways or which have 64464562Sgshapiro user agents that do full canonification themselves. You may 64564562Sgshapiro also want to use 64664562Sgshapiro "define(`confBIND_OPTS', `-DNSRCH -DEFNAMES')" to turn off 64764562Sgshapiro the usual resolver options that do a similar thing. 64838032Speter 64964562Sgshapiro An exception list for FEATURE(`nocanonify') can be 65064562Sgshapiro specified with CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE, 65164562Sgshapiro i.e., a list of domains which are nevertheless passed to 65264562Sgshapiro $[ ... $] for canonification. This is useful to turn on 65364562Sgshapiro canonification for local domains, e.g., use 65464562Sgshapiro CANONIFY_DOMAIN(`my.domain my') to canonify addresses 65564562Sgshapiro which end in "my.domain" or "my". 65664562Sgshapiro Another way to require canonification in the local 65764562Sgshapiro domain is CANONIFY_DOMAIN(`$=m'). 65864562Sgshapiro 65964562Sgshapiro A trailing dot is added to addresses with more than 66064562Sgshapiro one component in it such that other features which 66164562Sgshapiro expect a trailing dot (e.g., virtusertable) will 66264562Sgshapiro still work. 66364562Sgshapiro 66464562Sgshapiro If `canonify_hosts' is specified as parameter, i.e., 66564562Sgshapiro FEATURE(`nocanonify', `canonify_hosts'), then 66664562Sgshapiro addresses which have only a hostname, e.g., 66764562Sgshapiro <user@host>, will be canonified (and hopefully fully 66864562Sgshapiro qualified), too. 66964562Sgshapiro 67071345Sgshapirostickyhost This feature is sometimes used with LOCAL_RELAY, 67171345Sgshapiro although it can be used for a different effect with 67271345Sgshapiro MAIL_HUB. 67338032Speter 67473188Sgshapiro When used without MAIL_HUB, email sent to 67571345Sgshapiro "user@local.host" are marked as "sticky" -- that 67671345Sgshapiro is, the local addresses aren't matched against UDB, 67771345Sgshapiro don't go through ruleset 5, and are not forwarded to 67871345Sgshapiro the LOCAL_RELAY (if defined). 67971345Sgshapiro 68071345Sgshapiro With MAIL_HUB, mail addressed to "user@local.host" 68171345Sgshapiro is forwarded to the mail hub, with the envelope 68271345Sgshapiro address still remaining "user@local.host". 68371345Sgshapiro Without stickyhost, the envelope would be changed 68471345Sgshapiro to "user@mail_hub", in order to protect against 68571345Sgshapiro mailing loops. 68671345Sgshapiro 68738032Spetermailertable Include a "mailer table" which can be used to override 68864562Sgshapiro routing for particular domains (which are not in class {w}, 68964562Sgshapiro i.e. local host names). The argument of the FEATURE may be 69064562Sgshapiro the key definition. If none is specified, the definition 69164562Sgshapiro used is: 69243730Speter 69364562Sgshapiro hash /etc/mail/mailertable 69443730Speter 69538032Speter Keys in this database are fully qualified domain names 69638032Speter or partial domains preceded by a dot -- for example, 69764562Sgshapiro "vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU". As a 69864562Sgshapiro special case of the latter, "." matches any domain not 69964562Sgshapiro covered by other keys. Values must be of the form: 70038032Speter mailer:domain 70138032Speter where "mailer" is the internal mailer name, and "domain" 70238032Speter is where to send the message. These maps are not 70338032Speter reflected into the message header. As a special case, 70438032Speter the forms: 70538032Speter local:user 70638032Speter will forward to the indicated user using the local mailer, 70738032Speter local: 70838032Speter will forward to the original user in the e-mail address 70938032Speter using the local mailer, and 71038032Speter error:code message 71164562Sgshapiro error:D.S.N:code message 71264562Sgshapiro will give an error message with the indicated SMTP reply 71364562Sgshapiro code and message, where D.S.N is an RFC 1893 compliant 71464562Sgshapiro error code. 71538032Speter 71638032Speterdomaintable Include a "domain table" which can be used to provide 71738032Speter domain name mapping. Use of this should really be 71838032Speter limited to your own domains. It may be useful if you 71938032Speter change names (e.g., your company changes names from 72038032Speter oldname.com to newname.com). The argument of the 72138032Speter FEATURE may be the key definition. If none is specified, 72238032Speter the definition used is: 72343730Speter 72464562Sgshapiro hash /etc/mail/domaintable 72543730Speter 72638032Speter The key in this table is the domain name; the value is 72738032Speter the new (fully qualified) domain. Anything in the 72838032Speter domaintable is reflected into headers; that is, this 72938032Speter is done in ruleset 3. 73038032Speter 73138032Speterbitdomain Look up bitnet hosts in a table to try to turn them into 73238032Speter internet addresses. The table can be built using the 73338032Speter bitdomain program contributed by John Gardiner Myers. 73438032Speter The argument of the FEATURE may be the key definition; if 73538032Speter none is specified, the definition used is: 73643730Speter 73764562Sgshapiro hash /etc/mail/bitdomain 73843730Speter 73938032Speter Keys are the bitnet hostname; values are the corresponding 74038032Speter internet hostname. 74138032Speter 74238032Speteruucpdomain Similar feature for UUCP hosts. The default map definition 74338032Speter is: 74443730Speter 74564562Sgshapiro hash /etc/mail/uudomain 74643730Speter 74738032Speter At the moment there is no automagic tool to build this 74838032Speter database. 74938032Speter 75038032Speteralways_add_domain 75138032Speter Include the local host domain even on locally delivered 75238032Speter mail. Normally it is not added on unqualified names. 75338032Speter However, if you use a shared message store but do not use 75438032Speter the same user name space everywhere, you may need the host 75538032Speter name on local names. 75638032Speter 75738032Speterallmasquerade If masquerading is enabled (using MASQUERADE_AS), this 75838032Speter feature will cause recipient addresses to also masquerade 75938032Speter as being from the masquerade host. Normally they get 76038032Speter the local hostname. Although this may be right for 76138032Speter ordinary users, it can break local aliases. For example, 76238032Speter if you send to "localalias", the originating sendmail will 76338032Speter find that alias and send to all members, but send the 76438032Speter message with "To: localalias@masqueradehost". Since that 76538032Speter alias likely does not exist, replies will fail. Use this 76638032Speter feature ONLY if you can guarantee that the ENTIRE 76738032Speter namespace on your masquerade host supersets all the 76838032Speter local entries. 76938032Speter 77038032Speterlimited_masquerade 77164562Sgshapiro Normally, any hosts listed in class {w} are masqueraded. If 77264562Sgshapiro this feature is given, only the hosts listed in class {M} (see 77364562Sgshapiro below: MASQUERADE_DOMAIN) are masqueraded. This is useful 77464562Sgshapiro if you have several domains with disjoint namespaces hosted 77564562Sgshapiro on the same machine. 77638032Speter 77738032Spetermasquerade_entire_domain 77864562Sgshapiro If masquerading is enabled (using MASQUERADE_AS) and 77938032Speter MASQUERADE_DOMAIN (see below) is set, this feature will 78038032Speter cause addresses to be rewritten such that the masquerading 78138032Speter domains are actually entire domains to be hidden. All 78238032Speter hosts within the masquerading domains will be rewritten 78338032Speter to the masquerade name (used in MASQUERADE_AS). For example, 78438032Speter if you have: 78538032Speter 78664562Sgshapiro MASQUERADE_AS(`masq.com') 78764562Sgshapiro MASQUERADE_DOMAIN(`foo.org') 78864562Sgshapiro MASQUERADE_DOMAIN(`bar.com') 78938032Speter 79038032Speter then *foo.org and *bar.com are converted to masq.com. Without 79138032Speter this feature, only foo.org and bar.com are masqueraded. 79238032Speter 79338032Speter NOTE: only domains within your jurisdiction and 79438032Speter current hierarchy should be masqueraded using this. 79538032Speter 79664562Sgshapirogenericstable This feature will cause unqualified addresses (i.e., without 79764562Sgshapiro a domain) and addresses with a domain listed in class {G} 79864562Sgshapiro to be looked up in a map and turned into another ("generic") 79964562Sgshapiro form, which can change both the domain name and the user name. 80064562Sgshapiro This is similar to the userdb functionality. The same types of 80164562Sgshapiro addresses as for masquerading are looked up, i.e., only header 80238032Speter sender addresses unless the allmasquerade and/or 80338032Speter masquerade_envelope features are given. Qualified addresses 80464562Sgshapiro must have the domain part in class {G}; entries can 80564562Sgshapiro be added to this class by the macros GENERICS_DOMAIN or 80664562Sgshapiro GENERICS_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 80764562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 80838032Speter 80943730Speter The argument of FEATURE(`genericstable') may be the map 81038032Speter definition; the default map definition is: 81138032Speter 81264562Sgshapiro hash /etc/mail/genericstable 81338032Speter 81464562Sgshapiro The key for this table is either the full address, the domain 81564562Sgshapiro (with a leading @; the localpart is passed as first argument) 81664562Sgshapiro or the unqualified username (tried in the order mentioned); 81764562Sgshapiro the value is the new user address. If the new user address 81864562Sgshapiro does not include a domain, it will be qualified in the standard 81964562Sgshapiro manner, i.e., using $j or the masquerade name. Note that the 82038032Speter address being looked up must be fully qualified. For local 82143730Speter mail, it is necessary to use FEATURE(`always_add_domain') 82243730Speter for the addresses to be qualified. 82364562Sgshapiro The "+detail" of an address is passed as %1, so entries like 82438032Speter 82564562Sgshapiro old+*@foo.org new+%1@example.com 82664562Sgshapiro gen+*@foo.org %1@example.com 82764562Sgshapiro 82864562Sgshapiro and other forms are possible. 82964562Sgshapiro 83064562Sgshapirogenerics_entire_domain 83164562Sgshapiro If the genericstable is enabled and GENERICS_DOMAIN or 83264562Sgshapiro GENERICS_DOMAIN_FILE is used, this feature will cause 83364562Sgshapiro addresses to be searched in the map if their domain 83464562Sgshapiro parts are subdomains of elements in class {G}. 83564562Sgshapiro 83638032Spetervirtusertable A domain-specific form of aliasing, allowing multiple 83738032Speter virtual domains to be hosted on one machine. For example, 83838032Speter if the virtuser table contained: 83938032Speter 84038032Speter info@foo.com foo-info 84138032Speter info@bar.com bar-info 84264562Sgshapiro joe@bar.com error:nouser No such user here 84364562Sgshapiro jax@bar.com error:D.S.N:unavailable Address invalid 84464562Sgshapiro @baz.org jane@example.net 84538032Speter 84638032Speter then mail addressed to info@foo.com will be sent to the 84738032Speter address foo-info, mail addressed to info@bar.com will be 84864562Sgshapiro delivered to bar-info, and mail addressed to anyone at baz.org 84964562Sgshapiro will be sent to jane@example.net, mail to joe@bar.com will 85064562Sgshapiro be rejected with the specified error message, and mail to 85164562Sgshapiro jax@bar.com will also have a RFC 1893 compliant error code 85264562Sgshapiro D.S.N. 85338032Speter 85464562Sgshapiro The username from the original address is passed 85564562Sgshapiro as %1 allowing: 85638032Speter 85764562Sgshapiro @foo.org %1@example.com 85838032Speter 85964562Sgshapiro meaning someone@foo.org will be sent to someone@example.com. 86064562Sgshapiro Additionally, if the local part consists of "user+detail" 86164562Sgshapiro then "detail" is passed as %2 when a match against user+* 86264562Sgshapiro is attempted, so entries like 86364562Sgshapiro 86464562Sgshapiro old+*@foo.org new+%2@example.com 86564562Sgshapiro gen+*@foo.org %2@example.com 86664562Sgshapiro +*@foo.org %1+%2@example.com 86764562Sgshapiro 86864562Sgshapiro and other forms are possible. Note: to preserve "+detail" 86964562Sgshapiro for a default case (@domain) +*@domain must be used as 87064562Sgshapiro exemplified above. 87164562Sgshapiro 87238032Speter All the host names on the left hand side (foo.com, bar.com, 87364562Sgshapiro and baz.org) must be in class {w} or class {VirtHost}, the 87464562Sgshapiro latter can be defined by the macros VIRTUSER_DOMAIN or 87564562Sgshapiro VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 87664562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or 87764562Sgshapiro VIRTUSER_DOMAIN_FILE is used, then the entries of class 87864562Sgshapiro {VirtHost} are added to class {R}, i.e., relaying is allowed 87964562Sgshapiro to (and from) those domains. The default map definition is: 88038032Speter 88164562Sgshapiro hash /etc/mail/virtusertable 88238032Speter 88338032Speter A new definition can be specified as the second argument of 88438032Speter the FEATURE macro, such as 88538032Speter 88664562Sgshapiro FEATURE(`virtusertable', `dbm /etc/mail/virtusers') 88738032Speter 88864562Sgshapirovirtuser_entire_domain 88964562Sgshapiro If the virtusertable is enabled and VIRTUSER_DOMAIN or 89064562Sgshapiro VIRTUSER_DOMAIN_FILE is used, this feature will cause 89164562Sgshapiro addresses to be searched in the map if their domain 89264562Sgshapiro parts are subdomains of elements in class {VirtHost}. 89364562Sgshapiro 89464562Sgshapiroldap_routing Implement LDAP-based e-mail recipient routing according to 89564562Sgshapiro the Internet Draft draft-lachman-laser-ldap-mail-routing-01. 89664562Sgshapiro This provides a method to re-route addresses with a 89764562Sgshapiro domain portion in class {LDAPRoute} to either a 89864562Sgshapiro different mail host or a different address. Hosts can 89964562Sgshapiro be added to this class using LDAPROUTE_DOMAIN and 90064562Sgshapiro LDAPROUTE_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 90164562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 90264562Sgshapiro 90364562Sgshapiro See the LDAP ROUTING section below for more information. 90464562Sgshapiro 90564562Sgshapironodns If you aren't running DNS at your site (for example, 90664562Sgshapiro you are UUCP-only connected). It's hard to consider 90738032Speter this a "feature", but hey, it had to go somewhere. 90838032Speter Actually, as of 8.7 this is a no-op -- remove "dns" from 90938032Speter the hosts service switch entry instead. 91038032Speter 91164562Sgshapironullclient This is a special case -- it creates a configuration file 91264562Sgshapiro containing nothing but support for forwarding all mail to a 91364562Sgshapiro central hub via a local SMTP-based network. The argument 91464562Sgshapiro is the name of that hub. 91564562Sgshapiro 91638032Speter The only other feature that should be used in conjunction 91764562Sgshapiro with this one is FEATURE(`nocanonify'). No mailers 91838032Speter should be defined. No aliasing or forwarding is done. 91938032Speter 92038032Speterlocal_lmtp Use an LMTP capable local mailer. The argument to this 92138032Speter feature is the pathname of an LMTP capable mailer. By 92238032Speter default, mail.local is used. This is expected to be the 92338032Speter mail.local which came with the 8.9 distribution which is 92438032Speter LMTP capable. The path to mail.local is set by the 92538032Speter confEBINDIR m4 variable -- making the default 92638032Speter LOCAL_MAILER_PATH /usr/libexec/mail.local. 92764562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 92864562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 92938032Speter 93064562Sgshapirolocal_procmail Use procmail or another delivery agent as the local mailer. 93164562Sgshapiro The argument to this feature is the pathname of the 93264562Sgshapiro delivery agent, which defaults to PROCMAIL_MAILER_PATH. 93364562Sgshapiro Note that this does NOT use PROCMAIL_MAILER_FLAGS or 93464562Sgshapiro PROCMAIL_MAILER_ARGS for the local mailer; tweak 93564562Sgshapiro LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS instead, or 93664562Sgshapiro specify the appropriate parameters. When procmail is used, 93764562Sgshapiro the local mailer can make use of the 93864562Sgshapiro "user+indicator@local.host" syntax; normally the +indicator 93964562Sgshapiro is just tossed, but by default it is passed as the -a 94064562Sgshapiro argument to procmail. 94138032Speter 94264562Sgshapiro This feature can take up to three arguments: 94364562Sgshapiro 94464562Sgshapiro 1. Path to the mailer program 94564562Sgshapiro [default: /usr/local/bin/procmail] 94664562Sgshapiro 2. Argument vector including name of the program 94764562Sgshapiro [default: procmail -Y -a $h -d $u] 94864562Sgshapiro 3. Flags for the mailer [default: SPfhn9] 94964562Sgshapiro 95064562Sgshapiro Empty arguments cause the defaults to be taken. 95164562Sgshapiro 95264562Sgshapiro For example, this allows it to use the maildrop 95364562Sgshapiro (http://www.flounder.net/~mrsam/maildrop/) mailer instead 95464562Sgshapiro by specifying: 95564562Sgshapiro 95664562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/maildrop', 95764562Sgshapiro `maildrop -d $u') 95864562Sgshapiro 95964562Sgshapiro or scanmails using: 96064562Sgshapiro 96164562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/scanmails') 96264562Sgshapiro 96364562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 96464562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 96564562Sgshapiro 96638032Speterbestmx_is_local Accept mail as though locally addressed for any host that 96738032Speter lists us as the best possible MX record. This generates 96838032Speter additional DNS traffic, but should be OK for low to 96938032Speter medium traffic hosts. The argument may be a set of 97038032Speter domains, which will limit the feature to only apply to 97138032Speter these domains -- this will reduce unnecessary DNS 97238032Speter traffic. THIS FEATURE IS FUNDAMENTALLY INCOMPATIBLE WITH 97338032Speter WILDCARD MX RECORDS!!! If you have a wildcard MX record 97438032Speter that matches your domain, you cannot use this feature. 97538032Speter 97638032Spetersmrsh Use the SendMail Restricted SHell (smrsh) provided 97738032Speter with the distribution instead of /bin/sh for mailing 97838032Speter to programs. This improves the ability of the local 97938032Speter system administrator to control what gets run via 98038032Speter e-mail. If an argument is provided it is used as the 98138032Speter pathname to smrsh; otherwise, the path defined by 98238032Speter confEBINDIR is used for the smrsh binary -- by default, 98338032Speter /usr/libexec/smrsh is assumed. 98438032Speter 98538032Speterpromiscuous_relay 98638032Speter By default, the sendmail configuration files do not permit 98738032Speter mail relaying (that is, accepting mail from outside your 98864562Sgshapiro local host (class {w}) and sending it to another host than 98964562Sgshapiro your local host). This option sets your site to allow 99064562Sgshapiro mail relaying from any site to any site. In almost all 99164562Sgshapiro cases, it is better to control relaying more carefully 99264562Sgshapiro with the access map, class {R}, or authentication. Domains 99364562Sgshapiro can be added to class {R} by the macros RELAY_DOMAIN or 99464562Sgshapiro RELAY_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 99564562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 99638032Speter 99738032Speterrelay_entire_domain 99838032Speter By default, only hosts listed as RELAY in the access db 99938032Speter will be allowed to relay. This option also allows any 100064562Sgshapiro host in your domain as defined by class {m}. 100138032Speter 100238032Speterrelay_hosts_only 100338032Speter By default, names that are listed as RELAY in the access 100464562Sgshapiro db and class {R} are domain names, not host names. 100538032Speter For example, if you specify ``foo.com'', then mail to or 100638032Speter from foo.com, abc.foo.com, or a.very.deep.domain.foo.com 100738032Speter will all be accepted for relaying. This feature changes 100838032Speter the behaviour to lookup individual host names only. 100938032Speter 101038032Speterrelay_based_on_MX 101138032Speter Turns on the ability to allow relaying based on the MX 101242575Speter records of the host portion of an incoming recipient; that 101342575Speter is, if an MX record for host foo.com points to your site, 101442575Speter you will accept and relay mail addressed to foo.com. See 101538032Speter description below for more information before using this 101642575Speter feature. Also, see the KNOWNBUGS entry regarding bestmx 101742575Speter map lookups. 101838032Speter 101943730Speter FEATURE(`relay_based_on_MX') does not necessarily allow 102042575Speter routing of these messages which you expect to be allowed, 102142575Speter if route address syntax (or %-hack syntax) is used. If 102242575Speter this is a problem, add entries to the access-table or use 102343730Speter FEATURE(`loose_relay_check'). 102442575Speter 102564562Sgshapirorelay_mail_from 102664562Sgshapiro Allows relaying if the mail sender is listed as RELAY in 102764562Sgshapiro the access map. If an optional argument `domain' is given, 102864562Sgshapiro the domain portion of the mail sender is checked too. 102964562Sgshapiro This should only be used if absolutely necessary as the 103064562Sgshapiro sender address can be easily forged. Use of this feature 103164562Sgshapiro requires the "From:" tag be prepended to the key in the 103264562Sgshapiro access map; see the discussion of tags and 103364562Sgshapiro FEATURE(`relay_mail_from') in the section on ANTI-SPAM 103464562Sgshapiro CONFIGURATION CONTROL. 103564562Sgshapiro 103638032Speterrelay_local_from 103738032Speter Allows relaying if the domain portion of the mail sender 103838032Speter is a local host. This should only be used if absolutely 103942575Speter necessary as it opens a window for spammers. Specifically, 104042575Speter they can send mail to your mail server that claims to be 104142575Speter from your domain (either directly or via a routed address), 104242575Speter and you will go ahead and relay it out to arbitrary hosts 104342575Speter on the Internet. 104464562Sgshapiro 104538032Speteraccept_unqualified_senders 104638032Speter Normally, MAIL FROM: commands in the SMTP session will be 104738032Speter refused if the connection is a network connection and the 104838032Speter sender address does not include a domain name. If your 104964562Sgshapiro setup sends local mail unqualified (i.e., MAIL FROM: <joe>), 105038032Speter you will need to use this feature to accept unqualified 105164562Sgshapiro sender addresses. Setting the DaemonPortOptions modifier 105264562Sgshapiro 'u' overrides the default behavior, i.e., unqualified 105364562Sgshapiro addresses are accepted even without this FEATURE. 105464562Sgshapiro If this FEATURE is not used, the DaemonPortOptions modifier 105564562Sgshapiro 'f' can be used to enforce fully qualified addresses. 105664562Sgshapiro 105738032Speteraccept_unresolvable_domains 105838032Speter Normally, MAIL FROM: commands in the SMTP session will be 105964562Sgshapiro refused if the host part of the argument to MAIL FROM: 106064562Sgshapiro cannot be located in the host name service (e.g., an A or 106164562Sgshapiro MX record in DNS). If you are inside a firewall that has 106264562Sgshapiro only a limited view of the Internet host name space, this 106364562Sgshapiro could cause problems. In this case you probably want to 106464562Sgshapiro use this feature to accept all domains on input, even if 106564562Sgshapiro they are unresolvable. 106638032Speter 106738032Speteraccess_db Turns on the access database feature. The access db gives 106838032Speter you the ability to allow or refuse to accept mail from 106938032Speter specified domains for administrative reasons. By default, 107043730Speter the access database specification is: 107138032Speter 107264562Sgshapiro hash /etc/mail/access 107343730Speter 107464562Sgshapiro The format of the database is described in the anti-spam 107564562Sgshapiro configuration control section later in this document. 107643730Speter 107738032Speterblacklist_recipients 107838032Speter Turns on the ability to block incoming mail for certain 107938032Speter recipient usernames, hostnames, or addresses. For 108038032Speter example, you can block incoming mail to user nobody, 108138032Speter host foo.mydomain.com, or guest@bar.mydomain.com. 108238032Speter These specifications are put in the access db as 108364562Sgshapiro described in the anti-spam configuration control section 108464562Sgshapiro later in this document. 108538032Speter 108671345Sgshapirodelay_checks The rulesets check_mail and check_relay will not be called 108771345Sgshapiro when a client connects or issues a MAIL command, respectively. 108871345Sgshapiro Instead, those rulesets will be called by the check_rcpt 108971345Sgshapiro ruleset; they will be skipped under certain circumstances. 109071345Sgshapiro See "Delay all checks" in "ANTI-SPAM CONFIGURATION CONTROL". 109171345Sgshapiro 109264562Sgshapirorbl This feature is deprecated! Please use dnsbl instead. 109364562Sgshapiro Turns on rejection of hosts found in the Realtime Blackhole 109464562Sgshapiro List. If an argument is provided it is used as the domain 109580785Sgshapiro in which blocked hosts are listed; otherwise, the main RBL 109680785Sgshapiro domain rbl.maps.vix.com is used (see NOTE below). For 109780785Sgshapiro details, see http://maps.vix.com/rbl/. 109838032Speter 109964562Sgshapirodnsbl Turns on rejection of hosts found in an DNS based rejection 110064562Sgshapiro list. If an argument is provided it is used as the domain 110164562Sgshapiro in which blocked hosts are listed; otherwise it defaults to 110271345Sgshapiro blackholes.mail-abuse.org. An explanation for an DNS based 110371345Sgshapiro rejection list can be found http://mail-abuse.org/rbl/. A 110471345Sgshapiro second argument can be used to change the default error 110571345Sgshapiro message of Mail from $&{client_addr} refused by blackhole site 110671345Sgshapiro SERVER where SERVER is replaced by the first argument. This 110771345Sgshapiro feature can be included several times to query different DNS 110871345Sgshapiro based rejection lists. 110964562Sgshapiro 111080785Sgshapiro NOTE: The default DNS blacklist, blackholes.mail-abuse.org, 111180785Sgshapiro is a service offered by the Mail Abuse Prevention System 111280785Sgshapiro (MAPS). As of July 31, 2001, MAPS is a subscription 111380785Sgshapiro service, so using that network address won't work if you 111480785Sgshapiro haven't subscribed. Contact MAPS to subscribe 111580785Sgshapiro (http://mail-abuse.org/). 111680785Sgshapiro 111738032Speterloose_relay_check 111864562Sgshapiro Normally, if % addressing is used for a recipient, e.g. 111964562Sgshapiro user%site@othersite, and othersite is in class {R}, the 112038032Speter check_rcpt ruleset will strip @othersite and recheck 112138032Speter user@site for relaying. This feature changes that 112238032Speter behavior. It should not be needed for most installations. 112338032Speter 112464562Sgshapirono_default_msa Don't generate the default MSA daemon, i.e., 112564562Sgshapiro DAEMON_OPTIONS(`Port=587,Name=MSA,M=E') 112664562Sgshapiro To define a MSA daemon with other parameters, use this 112764562Sgshapiro FEATURE and introduce new settings via DAEMON_OPTIONS(). 112838032Speter 112938032Speter+-------+ 113038032Speter| HACKS | 113138032Speter+-------+ 113238032Speter 113338032SpeterSome things just can't be called features. To make this clear, 113438032Speterthey go in the hack subdirectory and are referenced using the HACK 113538032Spetermacro. These will tend to be site-dependent. The release 113638032Speterincludes the Berkeley-dependent "cssubdomain" hack (that makes 113738032Spetersendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU; 113864562Sgshapirothis is intended as a short-term aid while moving hosts into 113938032Spetersubdomains. 114038032Speter 114138032Speter 114238032Speter+--------------------+ 114338032Speter| SITE CONFIGURATION | 114438032Speter+--------------------+ 114538032Speter 114638032Speter ***************************************************** 114738032Speter * This section is really obsolete, and is preserved * 114838032Speter * only for back compatibility. You should plan on * 114938032Speter * using mailertables for new installations. In * 115038032Speter * particular, it doesn't work for the newer forms * 115138032Speter * of UUCP mailers, such as uucp-uudom. * 115238032Speter ***************************************************** 115338032Speter 115438032SpeterComplex sites will need more local configuration information, such as 115538032Speterlists of UUCP hosts they speak with directly. This can get a bit more 115638032Spetertricky. For an example of a "complex" site, see cf/ucbvax.mc. 115738032Speter 115838032SpeterThe SITECONFIG macro allows you to indirectly reference site-dependent 115938032Speterconfiguration information stored in the siteconfig subdirectory. For 116038032Speterexample, the line 116138032Speter 116264562Sgshapiro SITECONFIG(`uucp.ucbvax', `ucbvax', `U') 116338032Speter 116438032Speterreads the file uucp.ucbvax for local connection information. The 116538032Spetersecond parameter is the local name (in this case just "ucbvax" since 116638032Speterit is locally connected, and hence a UUCP hostname). The third 116738032Speterparameter is the name of both a macro to store the local name (in 116864562Sgshapirothis case, {U}) and the name of the class (e.g., {U}) in which to store 116938032Speterthe host information read from the file. Another SITECONFIG line reads 117038032Speter 117164562Sgshapiro SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W') 117238032Speter 117338032SpeterThis says that the file uucp.ucbarpa contains the list of UUCP sites 117464562Sgshapiroconnected to ucbarpa.Berkeley.EDU. Class {W} will be used to 117538032Speterstore this list, and $W is defined to be ucbarpa.Berkeley.EDU, that 117638032Speteris, the name of the relay to which the hosts listed in uucp.ucbarpa 117764562Sgshapiroare connected. [The machine ucbarpa is gone now, but this 117864562Sgshapiroout-of-date configuration file has been left around to demonstrate 117964562Sgshapirohow you might do this.] 118038032Speter 118138032SpeterNote that the case of SITECONFIG with a third parameter of ``U'' is 118238032Speterspecial; the second parameter is assumed to be the UUCP name of the 118338032Speterlocal site, rather than the name of a remote site, and the UUCP name 118464562Sgshapirois entered into class {w} (the list of local hostnames) as $U.UUCP. 118538032Speter 118638032SpeterThe siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing 118738032Spetermore than a sequence of SITE macros describing connectivity. For 118838032Speterexample: 118938032Speter 119064562Sgshapiro SITE(`cnmat') 119164562Sgshapiro SITE(`sgi olympus') 119238032Speter 119338032SpeterThe second example demonstrates that you can use two names on the 119438032Spetersame line; these are usually aliases for the same host (or are at 119538032Speterleast in the same company). 119638032Speter 119738032Speter 119838032Speter+--------------------+ 119938032Speter| USING UUCP MAILERS | 120038032Speter+--------------------+ 120138032Speter 120238032SpeterIt's hard to get UUCP mailers right because of the extremely ad hoc 120338032Speternature of UUCP addressing. These config files are really designed 120438032Speterfor domain-based addressing, even for UUCP sites. 120538032Speter 120638032SpeterThere are four UUCP mailers available. The choice of which one to 120738032Speteruse is partly a matter of local preferences and what is running at 120838032Speterthe other end of your UUCP connection. Unlike good protocols that 120938032Speterdefine what will go over the wire, UUCP uses the policy that you 121038032Spetershould do what is right for the other end; if they change, you have 121138032Speterto change. This makes it hard to do the right thing, and discourages 121238032Speterpeople from updating their software. In general, if you can avoid 121338032SpeterUUCP, please do. 121438032Speter 121538032SpeterThe major choice is whether to go for a domainized scheme or a 121638032Speternon-domainized scheme. This depends entirely on what the other 121738032Speterend will recognize. If at all possible, you should encourage the 121838032Speterother end to go to a domain-based system -- non-domainized addresses 121938032Speterdon't work entirely properly. 122038032Speter 122138032SpeterThe four mailers are: 122238032Speter 122338032Speter uucp-old (obsolete name: "uucp") 122438032Speter This is the oldest, the worst (but the closest to UUCP) way of 122538032Speter sending messages accros UUCP connections. It does bangify 122638032Speter everything and prepends $U (your UUCP name) to the sender's 122738032Speter address (which can already be a bang path itself). It can 122838032Speter only send to one address at a time, so it spends a lot of 122938032Speter time copying duplicates of messages. Avoid this if at all 123038032Speter possible. 123138032Speter 123238032Speter uucp-new (obsolete name: "suucp") 123338032Speter The same as above, except that it assumes that in one rmail 123438032Speter command you can specify several recipients. It still has a 123538032Speter lot of other problems. 123638032Speter 123738032Speter uucp-dom 123838032Speter This UUCP mailer keeps everything as domain addresses. 123938032Speter Basically, it uses the SMTP mailer rewriting rules. This mailer 124064562Sgshapiro is only included if MAILER(`smtp') is also specified. 124138032Speter 124238032Speter Unfortunately, a lot of UUCP mailer transport agents require 124338032Speter bangified addresses in the envelope, although you can use 124438032Speter domain-based addresses in the message header. (The envelope 124538032Speter shows up as the From_ line on UNIX mail.) So.... 124638032Speter 124738032Speter uucp-uudom 124838032Speter This is a cross between uucp-new (for the envelope addresses) 124938032Speter and uucp-dom (for the header addresses). It bangifies the 125038032Speter envelope sender (From_ line in messages) without adding the 125138032Speter local hostname, unless there is no host name on the address 125238032Speter at all (e.g., "wolf") or the host component is a UUCP host name 125338032Speter instead of a domain name ("somehost!wolf" instead of 125464562Sgshapiro "some.dom.ain!wolf"). This is also included only if MAILER(`smtp') 125538032Speter is also specified. 125638032Speter 125738032SpeterExamples: 125838032Speter 125964562SgshapiroOn host grasp.insa-lyon.fr (UUCP host name "grasp"), the following 126064562Sgshapirosummarizes the sender rewriting for various mailers. 126138032Speter 126266494SgshapiroMailer sender rewriting in the envelope 126338032Speter------ ------ ------------------------- 126438032Speteruucp-{old,new} wolf grasp!wolf 126538032Speteruucp-dom wolf wolf@grasp.insa-lyon.fr 126638032Speteruucp-uudom wolf grasp.insa-lyon.fr!wolf 126738032Speter 126838032Speteruucp-{old,new} wolf@fr.net grasp!fr.net!wolf 126938032Speteruucp-dom wolf@fr.net wolf@fr.net 127038032Speteruucp-uudom wolf@fr.net fr.net!wolf 127138032Speter 127238032Speteruucp-{old,new} somehost!wolf grasp!somehost!wolf 127338032Speteruucp-dom somehost!wolf somehost!wolf@grasp.insa-lyon.fr 127438032Speteruucp-uudom somehost!wolf grasp.insa-lyon.fr!somehost!wolf 127538032Speter 127638032SpeterIf you are using one of the domainized UUCP mailers, you really want 127738032Speterto convert all UUCP addresses to domain format -- otherwise, it will 127838032Speterdo it for you (and probably not the way you expected). For example, 127938032Speterif you have the address foo!bar!baz (and you are not sending to foo), 128038032Speterthe heuristics will add the @uucp.relay.name or @local.host.name to 128138032Speterthis address. However, if you map foo to foo.host.name first, it 128238032Speterwill not add the local hostname. You can do this using the uucpdomain 128338032Speterfeature. 128438032Speter 128538032Speter 128638032Speter+-------------------+ 128738032Speter| TWEAKING RULESETS | 128838032Speter+-------------------+ 128938032Speter 129038032SpeterFor more complex configurations, you can define special rules. 129138032SpeterThe macro LOCAL_RULE_3 introduces rules that are used in canonicalizing 129238032Speterthe names. Any modifications made here are reflected in the header. 129338032Speter 129438032SpeterA common use is to convert old UUCP addresses to SMTP addresses using 129538032Speterthe UUCPSMTP macro. For example: 129638032Speter 129738032Speter LOCAL_RULE_3 129864562Sgshapiro UUCPSMTP(`decvax', `decvax.dec.com') 129964562Sgshapiro UUCPSMTP(`research', `research.att.com') 130038032Speter 130138032Speterwill cause addresses of the form "decvax!user" and "research!user" 130238032Speterto be converted to "user@decvax.dec.com" and "user@research.att.com" 130338032Speterrespectively. 130438032Speter 130538032SpeterThis could also be used to look up hosts in a database map: 130638032Speter 130738032Speter LOCAL_RULE_3 130838032Speter R$* < @ $+ > $* $: $1 < @ $(hostmap $2 $) > $3 130938032Speter 131038032SpeterThis map would be defined in the LOCAL_CONFIG portion, as shown below. 131138032Speter 131238032SpeterSimilarly, LOCAL_RULE_0 can be used to introduce new parsing rules. 131338032SpeterFor example, new rules are needed to parse hostnames that you accept 131438032Spetervia MX records. For example, you might have: 131538032Speter 131638032Speter LOCAL_RULE_0 131738032Speter R$+ <@ host.dom.ain.> $#uucp $@ cnmat $: $1 < @ host.dom.ain.> 131838032Speter 131938032SpeterYou would use this if you had installed an MX record for cnmat.Berkeley.EDU 132038032Speterpointing at this host; this rule catches the message and forwards it on 132138032Speterusing UUCP. 132238032Speter 132338032SpeterYou can also tweak rulesets 1 and 2 using LOCAL_RULE_1 and LOCAL_RULE_2. 132438032SpeterThese rulesets are normally empty. 132538032Speter 132638032SpeterA similar macro is LOCAL_CONFIG. This introduces lines added after the 132764562Sgshapiroboilerplate option setting but before rulesets. Do not declare rulesets in 132864562Sgshapirothe LOCAL_CONFIG section. It can be used to declare local database maps or 132964562Sgshapirowhatever. For example: 133038032Speter 133138032Speter LOCAL_CONFIG 133264562Sgshapiro Khostmap hash /etc/mail/hostmap 133338032Speter Kyplocal nis -m hosts.byname 133438032Speter 133538032Speter 133638032Speter+---------------------------+ 133738032Speter| MASQUERADING AND RELAYING | 133838032Speter+---------------------------+ 133938032Speter 134038032SpeterYou can have your host masquerade as another using 134138032Speter 134264562Sgshapiro MASQUERADE_AS(`host.domain') 134338032Speter 134438032SpeterThis causes mail being sent to be labeled as coming from the 134538032Speterindicated host.domain, rather than $j. One normally masquerades as 134664562Sgshapiroone of one's own subdomains (for example, it's unlikely that 134764562SgshapiroBerkeley would choose to masquerade as an MIT site). This 134864562Sgshapirobehaviour is modified by a plethora of FEATUREs; in particular, see 134964562Sgshapiromasquerade_envelope, allmasquerade, limited_masquerade, and 135064562Sgshapiromasquerade_entire_domain. 135138032Speter 135238032SpeterThe masquerade name is not normally canonified, so it is important 135338032Speterthat it be your One True Name, that is, fully qualified and not a 135438032SpeterCNAME. However, if you use a CNAME, the receiving side may canonify 135538032Speterit for you, so don't think you can cheat CNAME mapping this way. 135638032Speter 135738032SpeterNormally the only addresses that are masqueraded are those that come 135864562Sgshapirofrom this host (that is, are either unqualified or in class {w}, the list 135964562Sgshapiroof local domain names). You can augment this list, which is realized 136064562Sgshapiroby class {M} using 136138032Speter 136264562Sgshapiro MASQUERADE_DOMAIN(`otherhost.domain') 136338032Speter 136438032SpeterThe effect of this is that although mail to user@otherhost.domain 136538032Speterwill not be delivered locally, any mail including any user@otherhost.domain 136638032Speterwill, when relayed, be rewritten to have the MASQUERADE_AS address. 136738032SpeterThis can be a space-separated list of names. 136838032Speter 136938032SpeterIf these names are in a file, you can use 137038032Speter 137164562Sgshapiro MASQUERADE_DOMAIN_FILE(`filename') 137238032Speter 137364562Sgshapiroto read the list of names from the indicated file (i.e., to add 137464562Sgshapiroelements to class {M}). 137538032Speter 137664562SgshapiroTo exempt hosts or subdomains from being masqueraded, you can use 137764562Sgshapiro 137864562Sgshapiro MASQUERADE_EXCEPTION(`host.domain') 137964562Sgshapiro 138064562SgshapiroThis can come handy if you want to masquerade a whole domain 138164562Sgshapiroexcept for one (or a few) host(s). 138264562Sgshapiro 138338032SpeterNormally only header addresses are masqueraded. If you want to 138438032Spetermasquerade the envelope as well, use 138538032Speter 138643730Speter FEATURE(`masquerade_envelope') 138738032Speter 138838032SpeterThere are always users that need to be "exposed" -- that is, their 138938032Speterinternal site name should be displayed instead of the masquerade name. 139064562SgshapiroRoot is an example (which has been "exposed" by default prior to 8.10). 139164562SgshapiroYou can add users to this list using 139238032Speter 139364562Sgshapiro EXPOSED_USER(`usernames') 139438032Speter 139564562SgshapiroThis adds users to class {E}; you could also use something like 139638032Speter 139764562Sgshapiro FE/etc/mail/exposed-users 139838032Speter 139938032SpeterYou can also arrange to relay all unqualified names (that is, names 140038032Speterwithout @host) to a relay host. For example, if you have a central 140138032Speteremail server, you might relay to that host so that users don't have 140238032Speterto have .forward files or aliases. You can do this using 140338032Speter 140443730Speter define(`LOCAL_RELAY', `mailer:hostname') 140538032Speter 140638032SpeterThe ``mailer:'' can be omitted, in which case the mailer defaults to 140738032Speter"relay". There are some user names that you don't want relayed, perhaps 140838032Speterbecause of local aliases. A common example is root, which may be 140938032Speterlocally aliased. You can add entries to this list using 141038032Speter 141164562Sgshapiro LOCAL_USER(`usernames') 141238032Speter 141364562SgshapiroThis adds users to class {L}; you could also use something like 141438032Speter 141564562Sgshapiro FL/etc/mail/local-users 141638032Speter 141738032SpeterIf you want all incoming mail sent to a centralized hub, as for a 141838032Spetershared /var/spool/mail scheme, use 141938032Speter 142043730Speter define(`MAIL_HUB', `mailer:hostname') 142138032Speter 142238032SpeterAgain, ``mailer:'' defaults to "relay". If you define both LOCAL_RELAY 142343730Speterand MAIL_HUB _AND_ you have FEATURE(`stickyhost'), unqualified names will 142438032Speterbe sent to the LOCAL_RELAY and other local names will be sent to MAIL_HUB. 142564562SgshapiroNote: there is a (long standing) bug which keeps this combination from 142664562Sgshapiroworking for addresses of the form user+detail. 142764562SgshapiroNames in class {L} will be delivered locally, so you MUST have aliases or 142838032Speter.forward files for them. 142938032Speter 143038032SpeterFor example, if you are on machine mastodon.CS.Berkeley.EDU and you have 143143730SpeterFEATURE(`stickyhost'), the following combinations of settings will have the 143238032Speterindicated effects: 143338032Speter 143438032Speteremail sent to.... eric eric@mastodon.CS.Berkeley.EDU 143538032Speter 143638032SpeterLOCAL_RELAY set to mail.CS.Berkeley.EDU (delivered locally) 143738032Spetermail.CS.Berkeley.EDU (no local aliasing) (aliasing done) 143838032Speter 143938032SpeterMAIL_HUB set to mammoth.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 144038032Spetermammoth.CS.Berkeley.EDU (aliasing done) (aliasing done) 144138032Speter 144238032SpeterBoth LOCAL_RELAY and mail.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 144338032SpeterMAIL_HUB set as above (no local aliasing) (aliasing done) 144438032Speter 144543730SpeterIf you do not have FEATURE(`stickyhost') set, then LOCAL_RELAY and 144638032SpeterMAIL_HUB act identically, with MAIL_HUB taking precedence. 144738032Speter 144838032SpeterIf you want all outgoing mail to go to a central relay site, define 144938032SpeterSMART_HOST as well. Briefly: 145038032Speter 145138032Speter LOCAL_RELAY applies to unqualified names (e.g., "eric"). 145238032Speter MAIL_HUB applies to names qualified with the name of the 145338032Speter local host (e.g., "eric@mastodon.CS.Berkeley.EDU"). 145464562Sgshapiro SMART_HOST applies to names qualified with other hosts or 145564562Sgshapiro bracketed addresses (e.g., "eric@mastodon.CS.Berkeley.EDU" 145664562Sgshapiro or "eric@[127.0.0.1]"). 145738032Speter 145838032SpeterHowever, beware that other relays (e.g., UUCP_RELAY, BITNET_RELAY, 145938032SpeterDECNET_RELAY, and FAX_RELAY) take precedence over SMART_HOST, so if you 146038032Speterreally want absolutely everything to go to a single central site you will 146138032Speterneed to unset all the other relays -- or better yet, find or build a 146238032Speterminimal config file that does this. 146338032Speter 146438032SpeterFor duplicate suppression to work properly, the host name is best 146538032Speterspecified with a terminal dot: 146638032Speter 146738032Speter define(`MAIL_HUB', `host.domain.') 146838032Speter note the trailing dot ---^ 146938032Speter 147038032Speter 147164562Sgshapiro+--------------+ 147264562Sgshapiro| LDAP ROUTING | 147364562Sgshapiro+--------------+ 147464562Sgshapiro 147564562SgshapiroFEATURE(`ldap_routing') can be used to implement the IETF Internet Draft 147664562SgshapiroLDAP Schema for Intranet Mail Routing 147764562Sgshapiro(draft-lachman-laser-ldap-mail-routing-01). This feature enables 147864562SgshapiroLDAP-based rerouting of a particular address to either a different host 147964562Sgshapiroor a different address. The LDAP lookup is first attempted on the full 148064562Sgshapiroaddress (e.g., user@example.com) and then on the domain portion 148164562Sgshapiro(e.g., @example.com). Be sure to setup your domain for LDAP routing using 148264562SgshapiroLDAPROUTE_DOMAIN(), e.g.: 148364562Sgshapiro 148464562Sgshapiro LDAPROUTE_DOMAIN(`example.com') 148564562Sgshapiro 148664562SgshapiroBy default, the feature will use the schemas as specified in the draft 148764562Sgshapiroand will not reject addresses not found by the LDAP lookup. However, 148864562Sgshapirothis behavior can be changed by giving additional arguments to the FEATURE() 148964562Sgshapirocommand: 149064562Sgshapiro 149164562Sgshapiro FEATURE(`ldap_routing', <mailHost>, <mailRoutingAddress>, <bounce>) 149264562Sgshapiro 149364562Sgshapirowhere <mailHost> is a map definition describing how to lookup an alternative 149464562Sgshapiromail host for a particular address; <mailRoutingAddress> is a map definition 149564562Sgshapirodescribing how to lookup an alternative address for a particular address; and 149664562Sgshapirothe <bounce> argument, if present and not the word "passthru", dictates 149764562Sgshapirothat mail should be bounced if neither a mailHost nor mailRoutingAddress 149864562Sgshapirois found. 149964562Sgshapiro 150064562SgshapiroThe default <mailHost> map definition is: 150164562Sgshapiro 150264562Sgshapiro ldap -1 -v mailHost -k (&(objectClass=inetLocalMailRecipient) 150364562Sgshapiro (mailLocalAddress=%0)) 150464562Sgshapiro 150564562SgshapiroThe default <mailRoutingAddress> map definition is: 150664562Sgshapiro 150764562Sgshapiro ldap -1 -v mailRoutingAddress -k (&(objectClass=inetLocalMailRecipient) 150864562Sgshapiro (mailLocalAddress=%0)) 150964562Sgshapiro 151064562SgshapiroNote that neither includes the LDAP server hostname (-h server) or base DN 151164562Sgshapiro(-b o=org,c=COUNTRY), both necessary for LDAP queries. It is presumed that 151264562Sgshapiroyour .mc file contains a setting for the confLDAP_DEFAULT_SPEC option with 151364562Sgshapirothese settings. If this is not the case, the map definitions should be 151464562Sgshapirochanged as described above. 151564562Sgshapiro 151664562SgshapiroThe following possibilities exist as a result of an LDAP lookup on an 151764562Sgshapiroaddress: 151864562Sgshapiro 151964562Sgshapiro mailHost is mailRoutingAddress is Results in 152064562Sgshapiro ----------- --------------------- ---------- 152164562Sgshapiro set to a set mail delivered to 152264562Sgshapiro "local" host mailRoutingAddress 152364562Sgshapiro 152464562Sgshapiro set to a not set delivered to 152564562Sgshapiro "local" host original address 152664562Sgshapiro 152764562Sgshapiro set to a set mailRoutingAddress 152864562Sgshapiro remote host relayed to mailHost 152964562Sgshapiro 153064562Sgshapiro set to a not set original address 153164562Sgshapiro remote host relayed to mailHost 153264562Sgshapiro 153364562Sgshapiro not set set mail delivered to 153464562Sgshapiro mailRoutingAddress 153564562Sgshapiro 153664562Sgshapiro not set not set delivered to 153764562Sgshapiro original address *OR* 153864562Sgshapiro bounced as unknown user 153964562Sgshapiro 154064562SgshapiroThe term "local" host above means the host specified is in class {w}. 154164562SgshapiroNote that the last case depends on whether the third argument is given 154264562Sgshapiroto the FEATURE() command. The default is to deliver the message to the 154364562Sgshapirooriginal address. 154464562Sgshapiro 154564562SgshapiroThe LDAP entries should be set up with an objectClass of 154664562SgshapiroinetLocalMailRecipient and the address be listed in a mailLocalAddress 154764562Sgshapiroattribute. If present, there must be only one mailHost attribute and it 154864562Sgshapiromust contain a fully qualified host name as its value. Similarly, if 154964562Sgshapiropresent, there must be only one mailRoutingAddress attribute and it must 155064562Sgshapirocontain an RFC 822 compliant address. Some example LDAP records (in ldif 155164562Sgshapiroformat): 155264562Sgshapiro 155364562Sgshapiro dn: uid=tom, o=example.com, c=US 155464562Sgshapiro objectClass: inetLocalMailRecipient 155564562Sgshapiro mailLocalAddress: tom@example.com 155664562Sgshapiro mailRoutingAddress: thomas@mailhost.example.com 155764562Sgshapiro 155864562SgshapiroThis would deliver mail for tom@example.com to thomas@mailhost.example.com. 155964562Sgshapiro 156064562Sgshapiro dn: uid=dick, o=example.com, c=US 156164562Sgshapiro objectClass: inetLocalMailRecipient 156264562Sgshapiro mailLocalAddress: dick@example.com 156364562Sgshapiro mailHost: eng.example.com 156464562Sgshapiro 156564562SgshapiroThis would relay mail for dick@example.com to the same address but redirect 156664562Sgshapirothe mail to MX records listed for the host eng.example.com. 156764562Sgshapiro 156864562Sgshapiro dn: uid=harry, o=example.com, c=US 156964562Sgshapiro objectClass: inetLocalMailRecipient 157064562Sgshapiro mailLocalAddress: harry@example.com 157164562Sgshapiro mailHost: mktmail.example.com 157264562Sgshapiro mailRoutingAddress: harry@mkt.example.com 157364562Sgshapiro 157464562SgshapiroThis would relay mail for harry@example.com to the MX records listed for 157564562Sgshapirothe host mktmail.example.com using the new address harry@mkt.example.com 157664562Sgshapirowhen talking to that host. 157764562Sgshapiro 157864562Sgshapiro dn: uid=virtual.example.com, o=example.com, c=US 157964562Sgshapiro objectClass: inetLocalMailRecipient 158064562Sgshapiro mailLocalAddress: @virtual.example.com 158164562Sgshapiro mailHost: server.example.com 158264562Sgshapiro mailRoutingAddress: virtual@example.com 158364562Sgshapiro 158464562SgshapiroThis would send all mail destined for any username @virtual.example.com to 158564562Sgshapirothe machine server.example.com's MX servers and deliver to the address 158664562Sgshapirovirtual@example.com on that relay machine. 158764562Sgshapiro 158864562Sgshapiro 158938032Speter+---------------------------------+ 159038032Speter| ANTI-SPAM CONFIGURATION CONTROL | 159138032Speter+---------------------------------+ 159238032Speter 159338032SpeterThe primary anti-spam features available in sendmail are: 159438032Speter 159538032Speter* Relaying is denied by default. 159638032Speter* Better checking on sender information. 159738032Speter* Access database. 159838032Speter* Header checks. 159938032Speter 160064562SgshapiroRelaying (transmission of messages from a site outside your host (class 160164562Sgshapiro{w}) to another site except yours) is denied by default. Note that this 160264562Sgshapirochanged in sendmail 8.9; previous versions allowed relaying by default. 160364562SgshapiroIf you really want to revert to the old behaviour, you will need to use 160464562SgshapiroFEATURE(`promiscuous_relay'). You can allow certain domains to relay 160564562Sgshapirothrough your server by adding their domain name or IP address to class 160664562Sgshapiro{R} using RELAY_DOMAIN() and RELAY_DOMAIN_FILE() or via the access database 160764562Sgshapiro(described below). The file consists (like any other file based class) 160864562Sgshapiroof entries listed on separate lines, e.g., 160938032Speter 161064562Sgshapiro sendmail.org 161164562Sgshapiro 128.32 161264562Sgshapiro 1:2:3:4:5:6:7 161364562Sgshapiro host.mydomain.com 161464562Sgshapiro 161538032SpeterIf you use 161638032Speter 161743730Speter FEATURE(`relay_entire_domain') 161838032Speter 161964562Sgshapirothen any host in any of your local domains (that is, class {m}) 162042575Speterwill be relayed (that is, you will accept mail either to or from any 162142575Speterhost in your domain). 162238032Speter 162338032SpeterYou can also allow relaying based on the MX records of the host 162438032Speterportion of an incoming recipient address by using 162538032Speter 162643730Speter FEATURE(`relay_based_on_MX') 162738032Speter 162838032SpeterFor example, if your server receives a recipient of user@domain.com 162938032Speterand domain.com lists your server in its MX records, the mail will be 163042575Speteraccepted for relay to domain.com. Note that this will stop spammers 163142575Speterfrom using your host to relay spam but it will not stop outsiders from 163242575Speterusing your server as a relay for their site (that is, they set up an 163342575SpeterMX record pointing to your mail server, and you will relay mail addressed 163442575Speterto them without any prior arrangement). Along the same lines, 163538032Speter 163643730Speter FEATURE(`relay_local_from') 163738032Speter 163838032Speterwill allow relaying if the sender specifies a return path (i.e. 163938032SpeterMAIL FROM: <user@domain>) domain which is a local domain. This a 164038032Speterdangerous feature as it will allow spammers to spam using your mail 164138032Speterserver by simply specifying a return address of user@your.domain.com. 164238032SpeterIt should not be used unless absolutely necessary. 164364562SgshapiroA slightly better solution is 164438032Speter 164564562Sgshapiro FEATURE(`relay_mail_from') 164664562Sgshapiro 164764562Sgshapirowhich allows relaying if the mail sender is listed as RELAY in the 164864562Sgshapiroaccess map. If an optional argument `domain' is given, the domain 164964562Sgshapiroportion of the mail sender is also checked to allowing relaying. 165064562SgshapiroThis option only works together with the tag From: for the LHS of 165164562Sgshapirothe access map entries (see below: Finer control...). 165264562Sgshapiro 165364562Sgshapiro 165438032SpeterIf source routing is used in the recipient address (i.e. 165538032SpeterRCPT TO: <user%site.com@othersite.com>), sendmail will check 165638032Speteruser@site.com for relaying if othersite.com is an allowed relay host 165764562Sgshapiroin either class {R}, class {m} if FEATURE(`relay_entire_domain') is used, 165843730Speteror the access database if FEATURE(`access_db') is used. To prevent 165938032Speterthe address from being stripped down, use: 166038032Speter 166143730Speter FEATURE(`loose_relay_check') 166238032Speter 166338032SpeterIf you think you need to use this feature, you probably do not. This 166438032Spetershould only be used for sites which have no control over the addresses 166538032Speterthat they provide a gateway for. Use this FEATURE with caution as it 166638032Spetercan allow spammers to relay through your server if not setup properly. 166738032Speter 166864562SgshapiroNOTICE: It is possible to relay mail through a system which the anti-relay 166964562Sgshapirorules do not prevent: the case of a system that does use FEATURE(`nouucp', 167064562Sgshapiro`nospecial') (system A) and relays local messages to a mail hub (e.g., via 167164562SgshapiroLOCAL_RELAY or LUSER_RELAY) (system B). If system B doesn't use 167264562SgshapiroFEATURE(`nouucp') at all, addresses of the form 167364562Sgshapiro<example.net!user@local.host> would be relayed to <user@example.net>. 167464562SgshapiroSystem A doesn't recognize `!' as an address separator and therefore 167564562Sgshapiroforwards it to the mail hub which in turns relays it because it came from 167664562Sgshapiroa trusted local host. So if a mailserver allows UUCP (bang-format) 167764562Sgshapiroaddresses, all systems from which it allows relaying should do the same 167864562Sgshapiroor reject those addresses. 167964562Sgshapiro 168038032SpeterAs of 8.9, sendmail will refuse mail if the MAIL FROM: parameter has 168138032Speteran unresolvable domain (i.e., one that DNS, your local name service, 168238032Speteror special case rules in ruleset 3 cannot locate). If you want to 168364562Sgshapirocontinue to accept such domains, e.g., because you are inside a 168438032Speterfirewall that has only a limited view of the Internet host name space 168538032Speter(note that you will not be able to return mail to them unless you have 168638032Spetersome "smart host" forwarder), use 168738032Speter 168843730Speter FEATURE(`accept_unresolvable_domains') 168938032Speter 169038032Spetersendmail will also refuse mail if the MAIL FROM: parameter is not 169138032Speterfully qualified (i.e., contains a domain as well as a user). If you 169238032Speterwant to continue to accept such senders, use 169338032Speter 169443730Speter FEATURE(`accept_unqualified_senders') 169538032Speter 169664562SgshapiroSetting the DaemonPortOptions modifier 'u' overrides the default behavior, 169764562Sgshapiroi.e., unqualified addresses are accepted even without this FEATURE. If 169864562Sgshapirothis FEATURE is not used, the DaemonPortOptions modifier 'f' can be used 169964562Sgshapiroto enforce fully qualified addresses. 170064562Sgshapiro 170138032SpeterAn ``access'' database can be created to accept or reject mail from 170238032Speterselected domains. For example, you may choose to reject all mail 170338032Speteroriginating from known spammers. To enable such a database, use 170438032Speter 170543730Speter FEATURE(`access_db') 170638032Speter 170738032SpeterThe FEATURE macro can accept a second parameter giving the key file 170838032Speterdefinition for the database; for example 170938032Speter 171064562Sgshapiro FEATURE(`access_db', `hash /etc/mail/access') 171138032Speter 171242575SpeterRemember, since /etc/mail/access is a database, after creating the text 171342575Speterfile as described below, you must use makemap to create the database 171442575Spetermap. For example: 171542575Speter 171643730Speter makemap hash /etc/mail/access < /etc/mail/access 171742575Speter 171838032SpeterThe table itself uses e-mail addresses, domain names, and network 171938032Speternumbers as keys. For example, 172038032Speter 172138032Speter spammer@aol.com REJECT 172238032Speter cyberspammer.com REJECT 172342575Speter 192.168.212 REJECT 172438032Speter 172538032Speterwould refuse mail from spammer@aol.com, any user from cyberspammer.com 172638032Speter(or any host within the cyberspammer.com domain), and any host on the 172742575Speter192.168.212.* network. 172838032Speter 172938032SpeterThe value part of the map can contain: 173038032Speter 173142575Speter OK Accept mail even if other rules in the 173242575Speter running ruleset would reject it, for example, 173342575Speter if the domain name is unresolvable. 173442575Speter RELAY Accept mail addressed to the indicated domain or 173542575Speter received from the indicated domain for relaying 173642575Speter through your SMTP server. RELAY also serves as 173742575Speter an implicit OK for the other checks. 173842575Speter REJECT Reject the sender or recipient with a general 173938032Speter purpose message. 174042575Speter DISCARD Discard the message completely using the 174171345Sgshapiro $#discard mailer. If it is used in check_compat, 174271345Sgshapiro it affects only the designated recipient, not 174371345Sgshapiro the whole message as it does in all other cases. 174471345Sgshapiro This should only be used if really necessary. 174566494Sgshapiro ### any text where ### is an RFC 821 compliant error code and 174666494Sgshapiro "any text" is a message to return for the command. 174766494Sgshapiro The string should be quoted to avoid surprises, 174866494Sgshapiro e.g., sendmail may remove spaces otherwise. 174964562Sgshapiro ERROR:### any text 175064562Sgshapiro as above, but useful to mark error messages as such. 175164562Sgshapiro ERROR:D.S.N:### any text 175264562Sgshapiro where D.S.N is an RFC 1893 compliant error code 175364562Sgshapiro and the rest as above. 175438032Speter 175538032SpeterFor example: 175638032Speter 175766494Sgshapiro cyberspammer.com ERROR:"550 We don't accept mail from spammers" 175838032Speter okay.cyberspammer.com OK 175964562Sgshapiro sendmail.org RELAY 176038032Speter 128.32 RELAY 176164562Sgshapiro 1:2:3:4:5:6:7 RELAY 176264562Sgshapiro [127.0.0.3] OK 176364562Sgshapiro [1:2:3:4:5:6:7:8] OK 176438032Speter 176564562Sgshapirowould accept mail from okay.cyberspammer.com, but would reject mail from 176664562Sgshapiroall other hosts at cyberspammer.com with the indicated message. It would 176764562Sgshapiroallow relaying mail from and to any hosts in the sendmail.org domain, and 176864562Sgshapiroallow relaying from the 128.32.*.* network and the IPv6 1:2:3:4:5:6:7:* 176964562Sgshapironetwork. The latter two entries are for checks against ${client_name} if 177064562Sgshapirothe IP address doesn't resolve to a hostname (or is considered as "may be 177164562Sgshapiroforged"). 177238032Speter 177364562SgshapiroWarning: if you change the RFC 821 compliant error code from the default 177464562Sgshapirovalue of 550, then you should probably also change the RFC 1893 compliant 177564562Sgshapiroerror code to match it. For example, if you use 177664562Sgshapiro 177764562Sgshapiro user@example.com 450 mailbox full 177864562Sgshapiro 177964562Sgshapirothe error returned would be "450 4.0.0 mailbox full" which is wrong. 178064562SgshapiroUse "450 4.2.2 mailbox full" or "ERROR:4.2.2:450 mailbox full" 178164562Sgshapiroinstead. 178264562Sgshapiro 178364562SgshapiroNote, UUCP users may need to add hostname.UUCP to the access database 178464562Sgshapiroor class {R}. If you also use: 178564562Sgshapiro 178643730Speter FEATURE(`relay_hosts_only') 178738032Speter 178838032Speterthen the above example will allow relaying for sendmail.org, but not 178938032Speterhosts within the sendmail.org domain. Note that this will also require 179064562Sgshapirohosts listed in class {R} to be fully qualified host names. 179138032Speter 179238032SpeterYou can also use the access database to block sender addresses based on 179338032Speterthe username portion of the address. For example: 179438032Speter 179566494Sgshapiro FREE.STEALTH.MAILER@ ERROR:550 Spam not accepted 179638032Speter 179738032SpeterNote that you must include the @ after the username to signify that 179838032Speterthis database entry is for checking only the username portion of the 179938032Spetersender address. 180038032Speter 180138032SpeterIf you use: 180238032Speter 180343730Speter FEATURE(`blacklist_recipients') 180438032Speter 180538032Speterthen you can add entries to the map for local users, hosts in your 180638032Speterdomains, or addresses in your domain which should not receive mail: 180738032Speter 180866494Sgshapiro badlocaluser@ ERROR:550 Mailbox disabled for this username 180966494Sgshapiro host.mydomain.com ERROR:550 That host does not accept mail 181066494Sgshapiro user@otherhost.mydomain.com ERROR:550 Mailbox disabled for this recipient 181138032Speter 181238032SpeterThis would prevent a recipient of badlocaluser@mydomain.com, any 181338032Speteruser at host.mydomain.com, and the single address 181464562Sgshapirouser@otherhost.mydomain.com from receiving mail. Please note: a 181564562Sgshapirolocal username must be now tagged with an @ (this is consistent 181664562Sgshapirowith the check of the sender address, and hence it is possible to 181764562Sgshapirodistinguish between hostnames and usernames). Enabling this feature 181864562Sgshapirowill keep you from sending mails to all addresses that have an 181964562Sgshapiroerror message or REJECT as value part in the access map. Taking 182064562Sgshapirothe example from above: 182138032Speter 182242575Speter spammer@aol.com REJECT 182342575Speter cyberspammer.com REJECT 182442575Speter 182542575SpeterMail can't be sent to spammer@aol.com or anyone at cyberspammer.com. 182642575Speter 182738032SpeterThere is also a ``Realtime Blackhole List'' run by the MAPS project 182838032Speterat http://maps.vix.com/. This is a database maintained in DNS of 182938032Speterspammers. To use this database, use 183038032Speter 183164562Sgshapiro FEATURE(`dnsbl') 183238032Speter 183338032SpeterThis will cause sendmail to reject mail from any site in the 183480785SgshapiroRealtime Blackhole List database. This default DNS blacklist, 183580785Sgshapiroblackholes.mail-abuse.org, is a service offered by the Mail Abuse 183680785SgshapiroPrevention System (MAPS). As of July 31, 2001, MAPS is a subscription 183780785Sgshapiroservice, so using that network address won't work if you haven't 183880785Sgshapirosubscribed. Contact MAPS to subscribe (http://mail-abuse.org/). 183938032Speter 184080785SgshapiroYou can specify an alternative RBL server to check by specifying an 184180785Sgshapiroargument to the FEATURE. The default error message is 184280785Sgshapiro 184380785SgshapiroYou can specify an alternative RBL domain to check by specifying an 184480785Sgshapiroargument to the FEATURE. The default error message is 184580785Sgshapiro 184671345Sgshapiro Mail from $&{client_addr} refused by blackhole site DOMAIN 184771345Sgshapiro 184871345Sgshapirowhere DOMAIN is the first argument of the feature. A second argument 184971345Sgshapirocan be used to specify a different text. This FEATURE can be 185071345Sgshapiroincluded several times to query different DNS based rejection lists, 185171345Sgshapiroe.g., the dial-up user list (see http://maps.vix.com/dul/). 185271345Sgshapiro 185338032SpeterThe features described above make use of the check_relay, check_mail, 185438032Speterand check_rcpt rulesets. If you wish to include your own checks, 185538032Speteryou can put your checks in the rulesets Local_check_relay, 185638032SpeterLocal_check_mail, and Local_check_rcpt. For example if you wanted to 185738032Speterblock senders with all numeric usernames (i.e. 2312343@bigisp.com), 185838032Speteryou would use Local_check_mail and the new regex map: 185938032Speter 186064562Sgshapiro LOCAL_CONFIG 186164562Sgshapiro Kallnumbers regex -a@MATCH ^[0-9]+$ 186264562Sgshapiro 186364562Sgshapiro LOCAL_RULESETS 186464562Sgshapiro SLocal_check_mail 186564562Sgshapiro # check address against various regex checks 186638032Speter R$* $: $>Parse0 $>3 $1 186764562Sgshapiro R$+ < @ bigisp.com. > $* $: $(allnumbers $1 $) 186864562Sgshapiro R@MATCH $#error $: 553 Header Error 186938032Speter 187038032SpeterThese rules are called with the original arguments of the corresponding 187138032Spetercheck_* ruleset. If the local ruleset returns $#OK, no further checking 187238032Speteris done by the features described above and the mail is accepted. If the 187338032Speterlocal ruleset resolves to a mailer (such as $#error or $#discard), the 187438032Speterappropriate action is taken. Otherwise, the results of the local 187538032Speterrewriting are ignored. 187638032Speter 187764562SgshapiroFiner control by using tags for the LHS of the access map 187838032Speter 187964562SgshapiroRead this section only if the options listed so far are not sufficient 188064562Sgshapirofor your purposes. There is now the option to tag entries in the 188164562Sgshapiroaccess map according to their type. Three tags are available: 188264562Sgshapiro 188364562Sgshapiro Connect: connection information (${client_addr}, ${client_name}) 188473188Sgshapiro From: envelope sender 188573188Sgshapiro To: envelope recipient 188664562Sgshapiro 188764562SgshapiroIf the required item is looked up in a map, it will be tried first 188864562Sgshapirowith the corresponding tag in front, then (as fallback to enable 188964562Sgshapirobackward compatibility) without any tag. For example, 189064562Sgshapiro 189164562Sgshapiro From:spammer@some.dom REJECT 189264562Sgshapiro To:friend.domain RELAY 189364562Sgshapiro Connect:friend.domain OK 189464562Sgshapiro Connect:from.domain RELAY 189564562Sgshapiro From:good@another.dom OK 189664562Sgshapiro From:another.dom REJECT 189764562Sgshapiro 189864562SgshapiroThis would deny mails from spammer@some.dom but you could still 189964562Sgshapirosend mail to that address even if FEATURE(`blacklist_recipients') 190064562Sgshapirois enabled. Your system will allow relaying to friend.domain, but 190164562Sgshapironot from it (unless enabled by other means). Connections from that 190264562Sgshapirodomain will be allowed even if it ends up in one of the DNS based 190364562Sgshapirorejection lists. Relaying is enabled from from.domain but not to 190464562Sgshapiroit (since relaying is based on the connection information for 190564562Sgshapirooutgoing relaying, the tag Connect: must be used; for incoming 190664562Sgshapirorelaying, which is based on the recipient address, To: must be 190764562Sgshapiroused). The last two entries allow mails from good@another.dom but 190864562Sgshapiroreject mail from all other addresses with another.dom as domain 190964562Sgshapiropart. 191064562Sgshapiro 191164562SgshapiroDelay all checks 191264562Sgshapiro 191364562SgshapiroBy using FEATURE(`delay_checks') the rulesets check_mail and check_relay 191464562Sgshapirowill not be called when a client connects or issues a MAIL command, 191564562Sgshapirorespectively. Instead, those rulesets will be called by the check_rcpt 191664562Sgshapiroruleset; they will be skipped if a sender has been authenticated using 191764562Sgshapiroa "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH(). 191864562SgshapiroIf check_mail returns an error then the RCPT TO command will be rejected 191964562Sgshapirowith that error. If it returns some other result starting with $# then 192064562Sgshapirocheck_relay will be skipped. If the sender address (or a part of it) is 192164562Sgshapirolisted in the access map and it has a RHS of OK or RELAY, then check_relay 192264562Sgshapirowill be skipped. This has an interesting side effect: if your domain is 192364562Sgshapiromy.domain and you have 192464562Sgshapiro 192564562Sgshapiro my.domain RELAY 192664562Sgshapiro 192764562Sgshapiroin the access map, then all e-mail with a sender address of 192864562Sgshapiro<user@my.domain> gets through, even if check_relay would reject it 192964562Sgshapiro(e.g., based on the hostname or IP address). This allows spammers 193064562Sgshapiroto get around DNS based blacklist by faking the sender address. To 193164562Sgshapiroavoid this problem you have to use tagged entries: 193264562Sgshapiro 193364562Sgshapiro To:my.domain RELAY 193464562Sgshapiro Connect:my.domain RELAY 193564562Sgshapiro 193664562Sgshapiroif you need those entries at all (class {R} may take care of them). 193773188Sgshapiro 193864562SgshapiroFEATURE(`delay_checks') can take an optional argument: 193964562Sgshapiro 194064562Sgshapiro FEATURE(`delay_checks', `friend') 194164562Sgshapiro enables spamfriend test 194264562Sgshapiro FEATURE(`delay_checks', `hater') 194364562Sgshapiro enables spamhater test 194464562Sgshapiro 194564562SgshapiroIf such an argument is given, the recipient will be looked up in the access 194664562Sgshapiromap (using the tag To:). If the argument is `friend', then the other 194764562Sgshapirorulesets will be skipped if the recipient address is found and has RHS 194864562Sgshapirospamfriend. If the argument is `hater', then the other rulesets will be 194964562Sgshapiroapplied if the recipient address is found and has RHS spamhater. 195064562Sgshapiro 195164562SgshapiroThis allows for simple exceptions from the tests, e.g., by activating 195264562Sgshapirothe spamfriend option and having 195364562Sgshapiro 195464562Sgshapiro To:abuse@ SPAMFRIEND 195564562Sgshapiro 195664562Sgshapiroin the access map, mail to abuse@localdomain will get through. It is 195764562Sgshapiroalso possible to specify a full address or an address with +detail: 195864562Sgshapiro 195964562Sgshapiro To:abuse@abuse.my.domain SPAMFRIEND 196064562Sgshapiro To:me+abuse@ SPAMFRIEND 196164562Sgshapiro 196264562Sgshapiro 196364562SgshapiroHeader Checks 196464562Sgshapiro 196538032SpeterYou can also reject mail on the basis of the contents of headers. 196638032SpeterThis is done by adding a ruleset call to the 'H' header definition command 196738032Speterin sendmail.cf. For example, this can be used to check the validity of 196838032Spetera Message-ID: header: 196938032Speter 197038032Speter LOCAL_RULESETS 197138032Speter HMessage-Id: $>CheckMessageId 197238032Speter 197338032Speter SCheckMessageId 197438032Speter R< $+ @ $+ > $@ OK 197538032Speter R$* $#error $: 553 Header Error 197638032Speter 197764562SgshapiroThe alternative format: 197838032Speter 197964562Sgshapiro HSubject: $>+CheckSubject 198042575Speter 198164562Sgshapirothat is, $>+ instead of $>, gives the full Subject: header including 198264562Sgshapirocomments to the ruleset (comments in parentheses () are stripped 198364562Sgshapiroby default). 198442575Speter 198564562SgshapiroA default ruleset for headers which don't have a specific ruleset 198664562Sgshapirodefined for them can be given by: 198742575Speter 198864562Sgshapiro H*: $>CheckHdr 198943730Speter 199073188SgshapiroNotice: All rules act on tokens as explained in doc/op/op.{me,ps,txt}. 199173188SgshapiroThat may cause problems with simple header checks due to the 199273188Sgshapirotokenization. It might be simpler to use a regex map and apply it 199373188Sgshapiroto $&{currHeader}. 199473188Sgshapiro 199564562SgshapiroAfter all of the headers are read, the check_eoh ruleset will be called for 199664562Sgshapiroany final header-related checks. The ruleset is called with the number of 199764562Sgshapiroheaders and the size of all of the headers in bytes separated by $|. One 199864562Sgshapiroexample usage is to reject messages which do not have a Message-Id: 199964562Sgshapiroheader. However, the Message-Id: header is *NOT* a required header and is 200064562Sgshapironot a guaranteed spam indicator. This ruleset is an example and should 200164562Sgshapiroprobably not be used in production. 200264562Sgshapiro 200364562Sgshapiro LOCAL_CONFIG 200464562Sgshapiro Kstorage macro 200564562Sgshapiro 200664562Sgshapiro LOCAL_RULESETS 200764562Sgshapiro HMessage-Id: $>CheckMessageId 200864562Sgshapiro 200964562Sgshapiro SCheckMessageId 201064562Sgshapiro # Record the presence of the header 201164562Sgshapiro R$* $: $(storage {MessageIdCheck} $@ OK $) $1 201264562Sgshapiro R< $+ @ $+ > $@ OK 201364562Sgshapiro R$* $#error $: 553 Header Error 201464562Sgshapiro 201564562Sgshapiro Scheck_eoh 201664562Sgshapiro # Check the macro 201764562Sgshapiro R$* $: < $&{MessageIdCheck} > 201864562Sgshapiro # Clear the macro for the next message 201964562Sgshapiro R$* $: $(storage {MessageIdCheck} $) $1 202064562Sgshapiro # Has a Message-Id: header 202164562Sgshapiro R< $+ > $@ OK 202264562Sgshapiro # Allow missing Message-Id: from local mail 202364562Sgshapiro R$* $: < $&{client_name} > 202464562Sgshapiro R< > $@ OK 202564562Sgshapiro R< $=w > $@ OK 202664562Sgshapiro # Otherwise, reject the mail 202764562Sgshapiro R$* $#error $: 553 Header Error 202864562Sgshapiro 202966494Sgshapiro+----------+ 203066494Sgshapiro| STARTTLS | 203166494Sgshapiro+----------+ 203264562Sgshapiro 203364562SgshapiroIn this text, cert will be used as an abreviation for X.509 certificate, 203464562SgshapiroDN is the distinguished name of a cert, and CA is a certification authority. 203564562Sgshapiro 203680785SgshapiroFor STARTTLS to be offered by sendmail you need to set at least 203780785Sgshapirothis variables (the file names and paths are just examples): 203880785Sgshapiro 203980785Sgshapiro define(`confCACERT_PATH', `/etc/mail/certs/') 204080785Sgshapiro define(`confCACERT', `/etc/mail/certs/CA.cert.pem') 204180785Sgshapiro define(`confSERVER_CERT', `/etc/mail/certs/my.cert.pem') 204280785Sgshapiro define(`confSERVER_KEY', `/etc/mail/certs/my.key.pem') 204380785Sgshapiro 204480785SgshapiroOn systems which do not have the compile flag HASURANDOM set (see 204580785Sgshapirosendmail/README) you also must set confRAND_FILE. 204680785Sgshapiro 204780785SgshapiroSee doc/op/op.{me,ps} for more information about these options, 204880785Sgshapiroesp. the sections ``Certificates for STARTTLS'' and ``PRNG for 204980785SgshapiroSTARTTLS''. 205080785Sgshapiro 205164562SgshapiroMacros related to STARTTLS are: 205264562Sgshapiro 205364562Sgshapiro${cert_issuer} holds the DN of the CA (the cert issuer). 205464562Sgshapiro${cert_subject} holds the DN of the cert (called the cert subject). 205564562Sgshapiro${tls_version} the TLS/SSL version used for the connection, e.g., TLSv1, 205664562Sgshapiro SSLv3, SSLv2. 205764562Sgshapiro${cipher} the cipher used for the connection, e.g., EDH-DSS-DES-CBC3-SHA, 205864562Sgshapiro EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA. 205964562Sgshapiro${cipher_bits} the keylength (in bits) of the symmetric encryption algorithm 206064562Sgshapiro used for the connection. 206164562Sgshapiro${verify} holds the result of the verification of the presented cert. Possible 206264562Sgshapiro values are: 206364562Sgshapiro OK verification succeeded. 206464562Sgshapiro NO no cert presented. 206564562Sgshapiro FAIL cert presented but could not be verified, e.g., the signing 206664562Sgshapiro CA is missing. 206764562Sgshapiro NONE STARTTLS has not been performed. 206864562Sgshapiro TEMP temporary error occurred. 206964562Sgshapiro PROTOCOL some protocol error occurred. 207064562Sgshapiro SOFTWARE STARTTLS handshake failed. 207164562Sgshapiro${server_name} the name of the server of the current outgoing SMTP 207264562Sgshapiro connection. 207364562Sgshapiro${server_addr} the address of the server of the current outgoing SMTP 207464562Sgshapiro connection. 207564562Sgshapiro 207664562SgshapiroRelaying 207764562Sgshapiro 207864562SgshapiroSMTP STARTTLS can allow relaying for senders who have successfully 207964562Sgshapiroauthenticated themselves. This is done in the ruleset RelayAuth. If the 208064562Sgshapiroverification of the cert failed (${verify} != OK), relaying is subject to 208164562Sgshapirothe usual rules. Otherwise the DN of the issuer is looked up in the access 208264562Sgshapiromap using the tag CERTISSUER. If the resulting value is RELAY, relaying is 208364562Sgshapiroallowed. If it is SUBJECT, the DN of the cert subject is looked up next in 208464562Sgshapirothe access map. using the tag CERTSUBJECT. If the value is RELAY, relaying 208564562Sgshapirois allowed. 208664562Sgshapiro 208764562SgshapiroTo make things a bit more flexible (or complicated), the values for 208864562Sgshapiro${cert_issuer} and ${cert_subject} can be optionally modified by regular 208964562Sgshapiroexpressions defined in the m4 variables _CERT_REGEX_ISSUER_ and 209064562Sgshapiro_CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in 209164562Sgshapirorulesets and map lookups, they are modified as follows: each non-printable 209264562Sgshapirocharacter and the characters '<', '>', '(', ')', '"', '+' are replaced by 209364562Sgshapirotheir HEX value with a leading '+'. For example: 209464562Sgshapiro 209564562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email= 209664562Sgshapirodarth+cert@endmail.org 209764562Sgshapiro 209864562Sgshapirois encoded as: 209964562Sgshapiro 210064562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 210164562SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 210264562Sgshapiro 210364562Sgshapiro(line breaks have been inserted for readability). 210464562Sgshapiro 210564562SgshapiroOf course it is also possible to write a simple rulesets that allows 210664562Sgshapirorelaying for everyone who can present a cert that can be verified, e.g., 210764562Sgshapiro 210864562SgshapiroLOCAL_RULESETS 210964562SgshapiroSLocal_check_rcpt 211064562SgshapiroR$* $: $&{verify} 211164562SgshapiroROK $# OK 211264562Sgshapiro 211364562SgshapiroAllowing Connections 211464562Sgshapiro 211564562SgshapiroThe rulesets tls_server and tls_client are used to decide whether an SMTP 211664562Sgshapiroconnection is accepted (or should continue). 211764562Sgshapiro 211864562Sgshapirotls_server is called when sendmail acts as client after a STARTTLS command 211964562Sgshapiro(should) have been issued. The parameter is the value of ${verify}. 212064562Sgshapiro 212164562Sgshapirotls_client is called when sendmail acts as server, after a STARTTLS command 212264562Sgshapirohas been issued, and from check_mail. The parameter is the value of 212364562Sgshapiro${verify} and STARTTLS or MAIL, respectively. 212464562Sgshapiro 212564562SgshapiroBoth rulesets behave the same. If no access map is in use, the connection 212664562Sgshapirowill be accepted unless ${verify} is SOFTWARE, in which case the connection 212764562Sgshapirois always aborted. Otherwise, ${client_name} (${server_name}) is looked 212864562Sgshapiroup in the access map using the tag TLS_Srv (or TLS_Clt), which is done 212964562Sgshapirowith the ruleset LookUpDomain. If no entry is found, ${client_addr} 213064562Sgshapiro(${server_addr}) is looked up in the access map (same tag, ruleset 213164562SgshapiroLookUpAddr). If this doesn't result in an entry either, just the tag is 213264562Sgshapirolooked up in the access map (included the trailing :). The result of the 213364562Sgshapirolookups is then used to call the ruleset tls_connection, which checks the 213464562Sgshapirorequirement specified by the RHS in the access map against the actual 213564562Sgshapiroparameters of the current TLS connection, esp. ${verify} and 213664562Sgshapiro${cipher_bits}. Legal RHSs in the access map are: 213764562Sgshapiro 213864562SgshapiroVERIFY verification must have succeeded 213964562SgshapiroVERIFY:bits verification must have succeeded and ${cipher_bits} must 214064562Sgshapiro be greater than or equal bits. 214164562SgshapiroENCR:bits ${cipher_bits} must be greater than or equal bits. 214264562Sgshapiro 214364562SgshapiroThe RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary 214464562Sgshapiroor permanent error. The default is a temporary error code (403 4.7.0) 214564562Sgshapirounless the macro TLS_PERM_ERR is set during generation of the .cf file. 214664562Sgshapiro 214764562SgshapiroIf a certain level of encryption is required, then it might also be 214864562Sgshapiropossible that this level is provided by the security layer from a SASL 214964562Sgshapiroalgorithm, e.g., DIGEST-MD5. 215064562Sgshapiro 215164562SgshapiroExample: e-mail send to secure.example.com should only use an encrypted 215264562Sgshapiroconnection. e-mail received from hosts within the laptop.example.com domain 215364562Sgshapiroshould only be accepted if they have been authenticated. 215464562SgshapiroTLS_Srv:secure.example.com ENCR:112 215564562SgshapiroTLS_Clt:laptop.example.com PERM+VERIFY:112 215664562Sgshapiro 215773188SgshapiroNotice: requiring that e-mail is sent to a server only encrypted, 215873188Sgshapiroe.g., via 215973188Sgshapiro 216073188SgshapiroTLS_Srv:secure.domain ENCR:112 216173188Sgshapiro 216273188Sgshapirodoesn't necessarily mean that e-mail sent to that domain is encrypted. 216373188SgshapiroIf the domain has multiple MX servers, e.g., 216473188Sgshapiro 216573188Sgshapirosecure.domain. IN MX 10 mail.secure.domain. 216673188Sgshapirosecure.domain. IN MX 50 mail.other.domain. 216773188Sgshapiro 216873188Sgshapirothen mail to user@secure.domain may go unencrypted to mail.other.domain. 216973188Sgshapiro 217073188Sgshapiro 217164562SgshapiroReceived: Header 217264562Sgshapiro 217364562SgshapiroThe Received: header reveals whether STARTTLS has been used. It contains an 217464562Sgshapiroextra line: 217564562Sgshapiro 217664562Sgshapiro(using ${tls_version} with cipher ${cipher} (${cipher_bits} bits) verified ${verify}) 217764562Sgshapiro 217866494Sgshapiro+---------------------+ 217966494Sgshapiro| SMTP AUTHENTICATION | 218066494Sgshapiro+---------------------+ 218164562Sgshapiro 218264562SgshapiroThe macros ${auth_authen}, ${auth_author}, and ${auth_type} can be 218364562Sgshapiroused in anti-relay rulesets to allow relaying for those users that 218464562Sgshapiroauthenticated themselves. A very simple example is: 218564562Sgshapiro 218664562SgshapiroSLocal_check_rcpt 218764562SgshapiroR$* $: $&{auth_type} 218864562SgshapiroR$+ $# OK 218964562Sgshapiro 219064562Sgshapirowhich checks whether a user has successfully authenticated using 219164562Sgshapiroany available mechanism. Depending on the setup of the CYRUS SASL 219264562Sgshapirolibrary, more sophisticated rulesets might be required, e.g., 219364562Sgshapiro 219464562SgshapiroSLocal_check_rcpt 219564562SgshapiroR$* $: $&{auth_type} $| $&{auth_authen} 219664562SgshapiroRDIGEST-MD5 $| $+@$=w $# OK 219764562Sgshapiro 219864562Sgshapiroto allow relaying for users that authenticated using DIGEST-MD5 219964562Sgshapiroand have an identity in the local domains. 220064562Sgshapiro 220164562SgshapiroThe ruleset Strust_auth is used to determine whether a given AUTH= 220264562Sgshapiroparameter (that is passed to this ruleset) should be trusted. This 220364562Sgshapiroruleset may make use of the other ${auth_*} macros. Only if the 220464562Sgshapiroruleset resolves to the error mailer, the AUTH= parameter is not 220564562Sgshapirotrusted. A user supplied ruleset Local_trust_auth can be written 220664562Sgshapiroto modify the default behavior, which only trust the AUTH= 220764562Sgshapiroparameter if it is identical to the authenticated user. 220864562Sgshapiro 220964562SgshapiroPer default, relaying is allowed for any user who authenticated 221064562Sgshapirovia a "trusted" mechanism, i.e., one that is defined via 221164562SgshapiroTRUST_AUTH_MECH(`list of mechanisms') 221271345SgshapiroFor example: 221371345SgshapiroTRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5') 221464562Sgshapiro 221564562SgshapiroIf the selected mechanism provides a security layer the number of 221664562Sgshapirobits used for the key of the symmetric cipher is stored in the 221764562Sgshapiromacro ${auth_ssf}. 221864562Sgshapiro 221964562Sgshapiro+--------------------------------+ 222038032Speter| ADDING NEW MAILERS OR RULESETS | 222138032Speter+--------------------------------+ 222238032Speter 222338032SpeterSometimes you may need to add entirely new mailers or rulesets. They 222438032Spetershould be introduced with the constructs MAILER_DEFINITIONS and 222538032SpeterLOCAL_RULESETS respectively. For example: 222638032Speter 222738032Speter MAILER_DEFINITIONS 222838032Speter Mmymailer, ... 222938032Speter ... 223038032Speter 223138032Speter LOCAL_RULESETS 223238032Speter Smyruleset 223338032Speter ... 223438032Speter 223538032Speter 223664562Sgshapiro#if _FFR_MILTER 223771345Sgshapiro+-------------------------+ 223871345Sgshapiro| ADDING NEW MAIL FILTERS | 223971345Sgshapiro+-------------------------+ 224064562Sgshapiro 224164562SgshapiroSendmail supports mail filters to filter incoming SMTP messages according 224264562Sgshapiroto the "Sendmail Mail Filter API" documentation. These filters can be 224364562Sgshapiroconfigured in your mc file using the two commands: 224464562Sgshapiro 224564562Sgshapiro MAIL_FILTER(`name', `equates') 224664562Sgshapiro INPUT_MAIL_FILTER(`name', `equates') 224764562Sgshapiro 224864562SgshapiroThe first command, MAIL_FILTER(), simply defines a filter with the given 224964562Sgshapironame and equates. For example: 225064562Sgshapiro 225164562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 225264562Sgshapiro 225364562SgshapiroThis creates the equivalent sendmail.cf entry: 225464562Sgshapiro 225564562Sgshapiro Xarchive, S=local:/var/run/archivesock, F=R 225664562Sgshapiro 225764562SgshapiroThe INPUT_MAIL_FILTER() command performs the same actions as MAIL_FILTER 225864562Sgshapirobut also populates the m4 variable `confINPUT_MAIL_FILTERS' with the name 225964562Sgshapiroof the filter such that the filter will actually be called by sendmail. 226064562Sgshapiro 226164562SgshapiroFor example, the two commands: 226264562Sgshapiro 226364562Sgshapiro INPUT_MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 226464562Sgshapiro INPUT_MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 226564562Sgshapiro 226664562Sgshapiroare equivalent to the three commands: 226764562Sgshapiro 226864562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 226964562Sgshapiro MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 227064562Sgshapiro define(`confINPUT_MAIL_FILTERS', `archive, spamcheck') 227164562Sgshapiro 227264562SgshapiroIn general, INPUT_MAIL_FILTER() should be used unless you need to define 227364562Sgshapiromore filters than you want to use for `confINPUT_MAIL_FILTERS'. 227464562Sgshapiro 227564562SgshapiroNote that setting `confINPUT_MAIL_FILTERS' after any INPUT_MAIL_FILTER() 227664562Sgshapirocommands will clear the list created by the prior INPUT_MAIL_FILTER() 227764562Sgshapirocommands. 227864562Sgshapiro#endif /* _FFR_MILTER */ 227964562Sgshapiro 228064562Sgshapiro 228138032Speter+-------------------------------+ 228238032Speter| NON-SMTP BASED CONFIGURATIONS | 228338032Speter+-------------------------------+ 228438032Speter 228564562SgshapiroThese configuration files are designed primarily for use by 228664562SgshapiroSMTP-based sites. They may not be well tuned for UUCP-only or 228738032SpeterUUCP-primarily nodes (the latter is defined as a small local net 228864562Sgshapiroconnected to the rest of the world via UUCP). However, there is 228964562Sgshapiroone hook to handle some special cases. 229038032Speter 229138032SpeterYou can define a ``smart host'' that understands a richer address syntax 229238032Speterusing: 229338032Speter 229443730Speter define(`SMART_HOST', `mailer:hostname') 229538032Speter 229638032SpeterIn this case, the ``mailer:'' defaults to "relay". Any messages that 229738032Spetercan't be handled using the usual UUCP rules are passed to this host. 229838032Speter 229938032SpeterIf you are on a local SMTP-based net that connects to the outside 230038032Speterworld via UUCP, you can use LOCAL_NET_CONFIG to add appropriate rules. 230138032SpeterFor example: 230238032Speter 230364562Sgshapiro define(`SMART_HOST', `uucp-new:uunet') 230438032Speter LOCAL_NET_CONFIG 230538032Speter R$* < @ $* .$m. > $* $#smtp $@ $2.$m. $: $1 < @ $2.$m. > $3 230638032Speter 230738032SpeterThis will cause all names that end in your domain name ($m) via 230864562SgshapiroSMTP; anything else will be sent via uucp-new (smart UUCP) to uunet. 230943730SpeterIf you have FEATURE(`nocanonify'), you may need to omit the dots after 231038032Speterthe $m. If you are running a local DNS inside your domain which is 231138032Speternot otherwise connected to the outside world, you probably want to 231238032Speteruse: 231338032Speter 231443730Speter define(`SMART_HOST', `smtp:fire.wall.com') 231538032Speter LOCAL_NET_CONFIG 231638032Speter R$* < @ $* . > $* $#smtp $@ $2. $: $1 < @ $2. > $3 231738032Speter 231838032SpeterThat is, send directly only to things you found in your DNS lookup; 231938032Speteranything else goes through SMART_HOST. 232038032Speter 232138032SpeterYou may need to turn off the anti-spam rules in order to accept 232243730SpeterUUCP mail with FEATURE(`promiscuous_relay') and 232343730SpeterFEATURE(`accept_unresolvable_domains'). 232438032Speter 232538032Speter 232638032Speter+-----------+ 232738032Speter| WHO AM I? | 232838032Speter+-----------+ 232938032Speter 233038032SpeterNormally, the $j macro is automatically defined to be your fully 233138032Speterqualified domain name (FQDN). Sendmail does this by getting your 233238032Speterhost name using gethostname and then calling gethostbyname on the 233338032Speterresult. For example, in some environments gethostname returns 233438032Speteronly the root of the host name (such as "foo"); gethostbyname is 233538032Spetersupposed to return the FQDN ("foo.bar.com"). In some (fairly rare) 233638032Spetercases, gethostbyname may fail to return the FQDN. In this case 233738032Speteryou MUST define confDOMAIN_NAME to be your fully qualified domain 233838032Spetername. This is usually done using: 233938032Speter 234038032Speter Dmbar.com 234138032Speter define(`confDOMAIN_NAME', `$w.$m')dnl 234238032Speter 234338032Speter 234464562Sgshapiro+-----------------------------------+ 234564562Sgshapiro| ACCEPTING MAIL FOR MULTIPLE NAMES | 234664562Sgshapiro+-----------------------------------+ 234764562Sgshapiro 234864562SgshapiroIf your host is known by several different names, you need to augment 234964562Sgshapiroclass {w}. This is a list of names by which your host is known, and 235064562Sgshapiroanything sent to an address using a host name in this list will be 235164562Sgshapirotreated as local mail. You can do this in two ways: either create the 235264562Sgshapirofile /etc/mail/local-host-names containing a list of your aliases (one per 235364562Sgshapiroline), and use ``FEATURE(`use_cw_file')'' in the .mc file, or add 235464562Sgshapiro``LOCAL_DOMAIN(`alias.host.name')''. Be sure you use the fully-qualified 235564562Sgshapironame of the host, rather than a short name. 235664562Sgshapiro 235764562SgshapiroIf you want to have different address in different domains, take 235864562Sgshapiroa look at the virtusertable feature, which is also explained at 235964562Sgshapirohttp://www.sendmail.org/virtual-hosting.html 236064562Sgshapiro 236164562Sgshapiro 236238032Speter+--------------------+ 236338032Speter| USING MAILERTABLES | 236438032Speter+--------------------+ 236538032Speter 236643730SpeterTo use FEATURE(`mailertable'), you will have to create an external 236738032Speterdatabase containing the routing information for various domains. 236838032SpeterFor example, a mailertable file in text format might be: 236938032Speter 237038032Speter .my.domain xnet:%1.my.domain 237164562Sgshapiro uuhost1.my.domain uucp-new:uuhost1 237238032Speter .bitnet smtp:relay.bit.net 237338032Speter 237464562SgshapiroThis should normally be stored in /etc/mail/mailertable. The actual 237538032Speterdatabase version of the mailertable is built using: 237638032Speter 237764562Sgshapiro makemap hash /etc/mail/mailertable < /etc/mail/mailertable 237838032Speter 237938032SpeterThe semantics are simple. Any LHS entry that does not begin with 238038032Spetera dot matches the full host name indicated. LHS entries beginning 238166494Sgshapirowith a dot match anything ending with that domain name (including 238266494Sgshapirothe leading dot) -- that is, they can be thought of as having a 238366494Sgshapiroleading ".+" regular expression pattern for a non-empty sequence of 238466494Sgshapirocharacters. Matching is done in order of most-to-least qualified 238566494Sgshapiro-- for example, even though ".my.domain" is listed first in the 238666494Sgshapiroabove example, an entry of "uuhost1.my.domain" will match the second 238766494Sgshapiroentry since it is more explicit. Note: e-mail to "user@my.domain" 238866494Sgshapirodoes not match any entry in the above table. You need to have 238966494Sgshapirosomething like: 239038032Speter 239164562Sgshapiro my.domain esmtp:host.my.domain 239264562Sgshapiro 239338032SpeterThe RHS should always be a "mailer:host" pair. The mailer is the 239464562Sgshapiroconfiguration name of a mailer (that is, an {M} line in the 239538032Spetersendmail.cf file). The "host" will be the hostname passed to 239638032Speterthat mailer. In domain-based matches (that is, those with leading 239738032Speterdots) the "%1" may be used to interpolate the wildcarded part of 239838032Speterthe host name. For example, the first line above sends everything 239938032Speteraddressed to "anything.my.domain" to that same host name, but using 240038032Speterthe (presumably experimental) xnet mailer. 240138032Speter 240238032SpeterIn some cases you may want to temporarily turn off MX records, 240338032Speterparticularly on gateways. For example, you may want to MX 240438032Spetereverything in a domain to one machine that then forwards it 240538032Speterdirectly. To do this, you might use the DNS configuration: 240638032Speter 240738032Speter *.domain. IN MX 0 relay.machine 240838032Speter 240938032Speterand on relay.machine use the mailertable: 241038032Speter 241138032Speter .domain smtp:[gateway.domain] 241238032Speter 241338032SpeterThe [square brackets] turn off MX records for this host only. 241438032SpeterIf you didn't do this, the mailertable would use the MX record 241538032Speteragain, which would give you an MX loop. 241638032Speter 241738032Speter 241838032Speter+--------------------------------+ 241938032Speter| USING USERDB TO MAP FULL NAMES | 242038032Speter+--------------------------------+ 242138032Speter 242238032SpeterThe user database was not originally intended for mapping full names 242338032Speterto login names (e.g., Eric.Allman => eric), but some people are using 242464562Sgshapiroit that way. (it is recommended that you set up aliases for this 242538032Speterpurpose instead -- since you can specify multiple alias files, this 242638032Speteris fairly easy.) The intent was to locate the default maildrop at 242738032Spetera site, but allow you to override this by sending to a specific host. 242838032Speter 242938032SpeterIf you decide to set up the user database in this fashion, it is 243043730Speterimperative that you not use FEATURE(`stickyhost') -- otherwise, 243138032Spetere-mail sent to Full.Name@local.host.name will be rejected. 243238032Speter 243338032SpeterTo build the internal form of the user database, use: 243438032Speter 243564562Sgshapiro makemap btree /etc/mail/userdb < /etc/mail/userdb.txt 243638032Speter 243764562SgshapiroAs a general rule, it is an extremely bad idea to using full names 243864562Sgshapiroas e-mail addresses, since they are not in any sense unique. For 243966494Sgshapiroexample, the UNIX software-development community has at least two 244064562Sgshapirowell-known Peter Deutsches, and at one time Bell Labs had two 244164562SgshapiroStephen R. Bournes with offices along the same hallway. Which one 244264562Sgshapirowill be forced to suffer the indignity of being Stephen_R_Bourne_2? 244364562SgshapiroThe less famous of the two, or the one that was hired later? 244438032Speter 244538032SpeterFinger should handle full names (and be fuzzy). Mail should use 244664562Sgshapirohandles, and not be fuzzy. 244738032Speter 244838032Speter 244938032Speter+--------------------------------+ 245038032Speter| MISCELLANEOUS SPECIAL FEATURES | 245138032Speter+--------------------------------+ 245238032Speter 245338032SpeterPlussed users 245438032Speter Sometimes it is convenient to merge configuration on a 245538032Speter centralized mail machine, for example, to forward all 245638032Speter root mail to a mail server. In this case it might be 245738032Speter useful to be able to treat the root addresses as a class 245838032Speter of addresses with subtle differences. You can do this 245938032Speter using plussed users. For example, a client might include 246038032Speter the alias: 246138032Speter 246238032Speter root: root+client1@server 246338032Speter 246438032Speter On the server, this will match an alias for "root+client1". 246538032Speter If that is not found, the alias "root+*" will be tried, 246638032Speter then "root". 246738032Speter 246838032Speter 246938032Speter+----------------+ 247038032Speter| SECURITY NOTES | 247138032Speter+----------------+ 247238032Speter 247338032SpeterA lot of sendmail security comes down to you. Sendmail 8 is much 247438032Spetermore careful about checking for security problems than previous 247538032Speterversions, but there are some things that you still need to watch 247638032Speterfor. In particular: 247738032Speter 247838032Speter* Make sure the aliases file isn't writable except by trusted 247938032Speter system personnel. This includes both the text and database 248038032Speter version. 248138032Speter 248238032Speter* Make sure that other files that sendmail reads, such as the 248338032Speter mailertable, are only writable by trusted system personnel. 248438032Speter 248538032Speter* The queue directory should not be world writable PARTICULARLY 248638032Speter if your system allows "file giveaways" (that is, if a non-root 248738032Speter user can chown any file they own to any other user). 248838032Speter 248938032Speter* If your system allows file giveaways, DO NOT create a publically 249038032Speter writable directory for forward files. This will allow anyone 249138032Speter to steal anyone else's e-mail. Instead, create a script that 249238032Speter copies the .forward file from users' home directories once a 249338032Speter night (if you want the non-NFS-mounted forward directory). 249438032Speter 249538032Speter* If your system allows file giveaways, you'll find that 249638032Speter sendmail is much less trusting of :include: files -- in 249738032Speter particular, you'll have to have /SENDMAIL/ANY/SHELL/ in 249838032Speter /etc/shells before they will be trusted (that is, before 249938032Speter files and programs listed in them will be honored). 250038032Speter 250138032SpeterIn general, file giveaways are a mistake -- if you can turn them 250264562Sgshapirooff, do so. 250338032Speter 250438032Speter 250538032Speter+--------------------------------+ 250638032Speter| TWEAKING CONFIGURATION OPTIONS | 250738032Speter+--------------------------------+ 250838032Speter 250938032SpeterThere are a large number of configuration options that don't normally 251038032Speterneed to be changed. However, if you feel you need to tweak them, you 251138032Spetercan define the following M4 variables. This list is shown in four 251238032Spetercolumns: the name you define, the default value for that definition, 251338032Speterthe option or macro that is affected (either Ox for an option or Dx 251438032Speterfor a macro), and a brief description. Greater detail of the semantics 251538032Spetercan be found in the Installation and Operations Guide. 251638032Speter 251738032SpeterSome options are likely to be deprecated in future versions -- that is, 251838032Speterthe option is only included to provide back-compatibility. These are 251938032Spetermarked with "*". 252038032Speter 252138032SpeterRemember that these options are M4 variables, and hence may need to 252238032Speterbe quoted. In particular, arguments with commas will usually have to 252338032Speterbe ``double quoted, like this phrase'' to avoid having the comma 252438032Speterconfuse things. This is common for alias file definitions and for 252538032Speterthe read timeout. 252638032Speter 252738032SpeterM4 Variable Name Configuration Description & [Default] 252838032Speter================ ============= ======================= 252938032SpeterconfMAILER_NAME $n macro [MAILER-DAEMON] The sender name used 253038032Speter for internally generated outgoing 253138032Speter messages. 253238032SpeterconfDOMAIN_NAME $j macro If defined, sets $j. This should 253338032Speter only be done if your system cannot 253438032Speter determine your local domain name, 253538032Speter and then it should be set to 253638032Speter $w.Foo.COM, where Foo.COM is your 253738032Speter domain name. 253838032SpeterconfCF_VERSION $Z macro If defined, this is appended to the 253938032Speter configuration version name. 254064562SgshapiroconfFROM_HEADER From: [$?x$x <$g>$|$g$.] The format of an 254138032Speter internally generated From: address. 254238032SpeterconfRECEIVED_HEADER Received: 254338032Speter [$?sfrom $s $.$?_($?s$|from $.$_) 254464562Sgshapiro $.$?{auth_type}(authenticated) 254538032Speter $.by $j ($v/$Z)$?r with $r$. id $i$?u 254638032Speter for $u; $|; 254738032Speter $.$b] 254838032Speter The format of the Received: header 254938032Speter in messages passed through this host. 255038032Speter It is unwise to try to change this. 255164562SgshapiroconfCW_FILE Fw class [/etc/mail/local-host-names] Name 255264562Sgshapiro of file used to get the local 255364562Sgshapiro additions to class {w} (local host 255464562Sgshapiro names). 255564562SgshapiroconfCT_FILE Ft class [/etc/mail/trusted-users] Name of 255664562Sgshapiro file used to get the local additions 255764562Sgshapiro to class {t} (trusted users). 255838032SpeterconfCR_FILE FR class [/etc/mail/relay-domains] Name of 255938032Speter file used to get the local additions 256064562Sgshapiro to class {R} (hosts allowed to relay). 256138032SpeterconfTRUSTED_USERS Ct class [no default] Names of users to add to 256238032Speter the list of trusted users. This list 256338032Speter always includes root, uucp, and daemon. 256443730Speter See also FEATURE(`use_ct_file'). 256564562SgshapiroconfTRUSTED_USER TrustedUser [no default] Trusted user for file 256664562Sgshapiro ownership and starting the daemon. 256764562Sgshapiro Not to be confused with 256864562Sgshapiro confTRUSTED_USERS (see above). 256938032SpeterconfSMTP_MAILER - [esmtp] The mailer name used when 257038032Speter SMTP connectivity is required. 257164562Sgshapiro One of "smtp", "smtp8", 257264562Sgshapiro "esmtp", or "dsmtp". 257338032SpeterconfUUCP_MAILER - [uucp-old] The mailer to be used by 257438032Speter default for bang-format recipient 257538032Speter addresses. See also discussion of 257664562Sgshapiro class {U}, class {Y}, and class {Z} 257764562Sgshapiro in the MAILER(`uucp') section. 257838032SpeterconfLOCAL_MAILER - [local] The mailer name used when 257938032Speter local connectivity is required. 258038032Speter Almost always "local". 258138032SpeterconfRELAY_MAILER - [relay] The default mailer name used 258238032Speter for relaying any mail (e.g., to a 258338032Speter BITNET_RELAY, a SMART_HOST, or 258438032Speter whatever). This can reasonably be 258538032Speter "uucp-new" if you are on a 258638032Speter UUCP-connected site. 258738032SpeterconfSEVEN_BIT_INPUT SevenBitInput [False] Force input to seven bits? 258838032SpeterconfEIGHT_BIT_HANDLING EightBitMode [pass8] 8-bit data handling 258938032SpeterconfALIAS_WAIT AliasWait [10m] Time to wait for alias file 259038032Speter rebuild until you get bored and 259138032Speter decide that the apparently pending 259238032Speter rebuild failed. 259338032SpeterconfMIN_FREE_BLOCKS MinFreeBlocks [100] Minimum number of free blocks on 259438032Speter queue filesystem to accept SMTP mail. 259538032Speter (Prior to 8.7 this was minfree/maxsize, 259638032Speter where minfree was the number of free 259738032Speter blocks and maxsize was the maximum 259838032Speter message size. Use confMAX_MESSAGE_SIZE 259938032Speter for the second value now.) 260038032SpeterconfMAX_MESSAGE_SIZE MaxMessageSize [infinite] The maximum size of messages 260138032Speter that will be accepted (in bytes). 260238032SpeterconfBLANK_SUB BlankSub [.] Blank (space) substitution 260338032Speter character. 260438032SpeterconfCON_EXPENSIVE HoldExpensive [False] Avoid connecting immediately 260564562Sgshapiro to mailers marked expensive. 260638032SpeterconfCHECKPOINT_INTERVAL CheckpointInterval 260738032Speter [10] Checkpoint queue files every N 260838032Speter recipients. 260938032SpeterconfDELIVERY_MODE DeliveryMode [background] Default delivery mode. 261038032SpeterconfAUTO_REBUILD AutoRebuildAliases 261138032Speter [False] Automatically rebuild alias 261238032Speter file if needed. 261364562Sgshapiro There is a potential for a denial 261464562Sgshapiro of service attack if this is set. 261564562Sgshapiro This option is deprecated and will 261664562Sgshapiro be removed from a future version. 261738032SpeterconfERROR_MODE ErrorMode [print] Error message mode. 261838032SpeterconfERROR_MESSAGE ErrorHeader [undefined] Error message header/file. 261942575SpeterconfSAVE_FROM_LINES SaveFromLine Save extra leading From_ lines. 262038032SpeterconfTEMP_FILE_MODE TempFileMode [0600] Temporary file mode. 262138032SpeterconfMATCH_GECOS MatchGECOS [False] Match GECOS field. 262238032SpeterconfMAX_HOP MaxHopCount [25] Maximum hop count. 262364562SgshapiroconfIGNORE_DOTS* IgnoreDots [False; always False in -bs or -bd 262464562Sgshapiro mode] Ignore dot as terminator for 262564562Sgshapiro incoming messages? 262638032SpeterconfBIND_OPTS ResolverOptions [undefined] Default options for DNS 262738032Speter resolver. 262838032SpeterconfMIME_FORMAT_ERRORS* SendMimeErrors [True] Send error messages as MIME- 262938032Speter encapsulated messages per RFC 1344. 263038032SpeterconfFORWARD_PATH ForwardPath [$z/.forward.$w:$z/.forward] 263138032Speter The colon-separated list of places to 263238032Speter search for .forward files. N.B.: see 263338032Speter the Security Notes section. 263438032SpeterconfMCI_CACHE_SIZE ConnectionCacheSize 263538032Speter [2] Size of open connection cache. 263638032SpeterconfMCI_CACHE_TIMEOUT ConnectionCacheTimeout 263738032Speter [5m] Open connection cache timeout. 263838032SpeterconfHOST_STATUS_DIRECTORY HostStatusDirectory 263938032Speter [undefined] If set, host status is kept 264038032Speter on disk between sendmail runs in the 264138032Speter named directory tree. This need not be 264238032Speter a full pathname, in which case it is 264338032Speter interpreted relative to the queue 264438032Speter directory. 264538032SpeterconfSINGLE_THREAD_DELIVERY SingleThreadDelivery 264638032Speter [False] If this option and the 264738032Speter HostStatusDirectory option are both 264838032Speter set, single thread deliveries to other 264938032Speter hosts. That is, don't allow any two 265038032Speter sendmails on this host to connect 265138032Speter simultaneously to any other single 265238032Speter host. This can slow down delivery in 265338032Speter some cases, in particular since a 265438032Speter cached but otherwise idle connection 265538032Speter to a host will prevent other sendmails 265638032Speter from connecting to the other host. 265764562SgshapiroconfUSE_ERRORS_TO* UseErrorsTo [False] Use the Errors-To: header to 265838032Speter deliver error messages. This should 265938032Speter not be necessary because of general 266038032Speter acceptance of the envelope/header 266138032Speter distinction. 266238032SpeterconfLOG_LEVEL LogLevel [9] Log level. 266364562SgshapiroconfME_TOO MeToo [True] Include sender in group 266464562Sgshapiro expansions. This option is 266564562Sgshapiro deprecated and will be removed from 266664562Sgshapiro a future version. 266738032SpeterconfCHECK_ALIASES CheckAliases [False] Check RHS of aliases when 266838032Speter running newaliases. Since this does 266938032Speter DNS lookups on every address, it can 267038032Speter slow down the alias rebuild process 267138032Speter considerably on large alias files. 267238032SpeterconfOLD_STYLE_HEADERS* OldStyleHeaders [True] Assume that headers without 267338032Speter special chars are old style. 267464562SgshapiroconfCLIENT_OPTIONS ClientPortOptions 267564562Sgshapiro [none] Options for outgoing SMTP client 267664562Sgshapiro connections. 267738032SpeterconfPRIVACY_FLAGS PrivacyOptions [authwarnings] Privacy flags. 267838032SpeterconfCOPY_ERRORS_TO PostmasterCopy [undefined] Address for additional 267938032Speter copies of all error messages. 268038032SpeterconfQUEUE_FACTOR QueueFactor [600000] Slope of queue-only function. 268138032SpeterconfDONT_PRUNE_ROUTES DontPruneRoutes [False] Don't prune down route-addr 268238032Speter syntax addresses to the minimum 268338032Speter possible. 268438032SpeterconfSAFE_QUEUE* SuperSafe [True] Commit all messages to disk 268538032Speter before forking. 268638032SpeterconfTO_INITIAL Timeout.initial [5m] The timeout waiting for a response 268738032Speter on the initial connect. 268838032SpeterconfTO_CONNECT Timeout.connect [0] The timeout waiting for an initial 268938032Speter connect() to complete. This can only 269038032Speter shorten connection timeouts; the kernel 269138032Speter silently enforces an absolute maximum 269238032Speter (which varies depending on the system). 269338032SpeterconfTO_ICONNECT Timeout.iconnect 269438032Speter [undefined] Like Timeout.connect, but 269538032Speter applies only to the very first attempt 269638032Speter to connect to a host in a message. 269738032Speter This allows a single very fast pass 269838032Speter followed by more careful delivery 269938032Speter attempts in the future. 270038032SpeterconfTO_HELO Timeout.helo [5m] The timeout waiting for a response 270138032Speter to a HELO or EHLO command. 270238032SpeterconfTO_MAIL Timeout.mail [10m] The timeout waiting for a 270338032Speter response to the MAIL command. 270438032SpeterconfTO_RCPT Timeout.rcpt [1h] The timeout waiting for a response 270538032Speter to the RCPT command. 270638032SpeterconfTO_DATAINIT Timeout.datainit 270738032Speter [5m] The timeout waiting for a 354 270838032Speter response from the DATA command. 270938032SpeterconfTO_DATABLOCK Timeout.datablock 271038032Speter [1h] The timeout waiting for a block 271138032Speter during DATA phase. 271238032SpeterconfTO_DATAFINAL Timeout.datafinal 271338032Speter [1h] The timeout waiting for a response 271438032Speter to the final "." that terminates a 271538032Speter message. 271638032SpeterconfTO_RSET Timeout.rset [5m] The timeout waiting for a response 271738032Speter to the RSET command. 271838032SpeterconfTO_QUIT Timeout.quit [2m] The timeout waiting for a response 271938032Speter to the QUIT command. 272038032SpeterconfTO_MISC Timeout.misc [2m] The timeout waiting for a response 272138032Speter to other SMTP commands. 272264562SgshapiroconfTO_COMMAND Timeout.command [1h] In server SMTP, the timeout 272364562Sgshapiro waiting for a command to be issued. 272464562SgshapiroconfTO_IDENT Timeout.ident [5s] The timeout waiting for a 272564562Sgshapiro response to an IDENT query. 272638032SpeterconfTO_FILEOPEN Timeout.fileopen 272738032Speter [60s] The timeout waiting for a file 272838032Speter (e.g., :include: file) to be opened. 272964562SgshapiroconfTO_CONTROL Timeout.control 273064562Sgshapiro [2m] The timeout for a complete 273164562Sgshapiro control socket transaction to complete. 273238032SpeterconfTO_QUEUERETURN Timeout.queuereturn 273338032Speter [5d] The timeout before a message is 273438032Speter returned as undeliverable. 273538032SpeterconfTO_QUEUERETURN_NORMAL 273638032Speter Timeout.queuereturn.normal 273738032Speter [undefined] As above, for normal 273838032Speter priority messages. 273938032SpeterconfTO_QUEUERETURN_URGENT 274038032Speter Timeout.queuereturn.urgent 274138032Speter [undefined] As above, for urgent 274238032Speter priority messages. 274338032SpeterconfTO_QUEUERETURN_NONURGENT 274438032Speter Timeout.queuereturn.non-urgent 274538032Speter [undefined] As above, for non-urgent 274638032Speter (low) priority messages. 274738032SpeterconfTO_QUEUEWARN Timeout.queuewarn 274838032Speter [4h] The timeout before a warning 274938032Speter message is sent to the sender telling 275064562Sgshapiro them that the message has been 275164562Sgshapiro deferred. 275238032SpeterconfTO_QUEUEWARN_NORMAL Timeout.queuewarn.normal 275338032Speter [undefined] As above, for normal 275438032Speter priority messages. 275538032SpeterconfTO_QUEUEWARN_URGENT Timeout.queuewarn.urgent 275638032Speter [undefined] As above, for urgent 275738032Speter priority messages. 275838032SpeterconfTO_QUEUEWARN_NONURGENT 275938032Speter Timeout.queuewarn.non-urgent 276038032Speter [undefined] As above, for non-urgent 276138032Speter (low) priority messages. 276238032SpeterconfTO_HOSTSTATUS Timeout.hoststatus 276338032Speter [30m] How long information about host 276438032Speter statuses will be maintained before it 276538032Speter is considered stale and the host should 276638032Speter be retried. This applies both within 276738032Speter a single queue run and to persistent 276838032Speter information (see below). 276964562SgshapiroconfTO_RESOLVER_RETRANS Timeout.resolver.retrans 277064562Sgshapiro [varies] Sets the resolver's 277164562Sgshapiro retransmition time interval (in 277264562Sgshapiro seconds). Sets both 277364562Sgshapiro Timeout.resolver.retrans.first and 277464562Sgshapiro Timeout.resolver.retrans.normal. 277564562SgshapiroconfTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first 277664562Sgshapiro [varies] Sets the resolver's 277764562Sgshapiro retransmition time interval (in 277864562Sgshapiro seconds) for the first attempt to 277964562Sgshapiro deliver a message. 278064562SgshapiroconfTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal 278164562Sgshapiro [varies] Sets the resolver's 278264562Sgshapiro retransmition time interval (in 278364562Sgshapiro seconds) for all resolver lookups 278464562Sgshapiro except the first delivery attempt. 278564562SgshapiroconfTO_RESOLVER_RETRY Timeout.resolver.retry 278664562Sgshapiro [varies] Sets the number of times 278764562Sgshapiro to retransmit a resolver query. 278864562Sgshapiro Sets both 278964562Sgshapiro Timeout.resolver.retry.first and 279064562Sgshapiro Timeout.resolver.retry.normal. 279164562SgshapiroconfTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first 279264562Sgshapiro [varies] Sets the number of times 279364562Sgshapiro to retransmit a resolver query for 279464562Sgshapiro the first attempt to deliver a 279564562Sgshapiro message. 279664562SgshapiroconfTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal 279764562Sgshapiro [varies] Sets the number of times 279864562Sgshapiro to retransmit a resolver query for 279964562Sgshapiro all resolver lookups except the 280064562Sgshapiro first delivery attempt. 280138032SpeterconfTIME_ZONE TimeZoneSpec [USE_SYSTEM] Time zone info -- can be 280238032Speter USE_SYSTEM to use the system's idea, 280338032Speter USE_TZ to use the user's TZ envariable, 280438032Speter or something else to force that value. 280538032SpeterconfDEF_USER_ID DefaultUser [1:1] Default user id. 280638032SpeterconfUSERDB_SPEC UserDatabaseSpec 280764562Sgshapiro [undefined] User database 280864562Sgshapiro specification. 280938032SpeterconfFALLBACK_MX FallbackMXhost [undefined] Fallback MX host. 281064562SgshapiroconfTRY_NULL_MX_LIST TryNullMXList [False] If this host is the best MX 281164562Sgshapiro for a host and other arrangements 281264562Sgshapiro haven't been made, try connecting 281364562Sgshapiro to the host directly; normally this 281464562Sgshapiro would be a config error. 281564562SgshapiroconfQUEUE_LA QueueLA [varies] Load average at which 281664562Sgshapiro queue-only function kicks in. 281764562Sgshapiro Default values is (8 * numproc) 281864562Sgshapiro where numproc is the number of 281964562Sgshapiro processors online (if that can be 282064562Sgshapiro determined). 282164562SgshapiroconfREFUSE_LA RefuseLA [varies] Load average at which 282264562Sgshapiro incoming SMTP connections are 282364562Sgshapiro refused. Default values is (12 * 282464562Sgshapiro numproc) where numproc is the 282564562Sgshapiro number of processors online (if 282664562Sgshapiro that can be determined). 282764562SgshapiroconfMAX_ALIAS_RECURSION MaxAliasRecursion 282864562Sgshapiro [10] Maximum depth of alias recursion. 282938032SpeterconfMAX_DAEMON_CHILDREN MaxDaemonChildren 283038032Speter [undefined] The maximum number of 283138032Speter children the daemon will permit. After 283238032Speter this number, connections will be 283338032Speter rejected. If not set or <= 0, there is 283438032Speter no limit. 283564562SgshapiroconfMAX_HEADERS_LENGTH MaxHeadersLength 283671345Sgshapiro [32768] Maximum length of the sum 283764562Sgshapiro of all headers. 283864562SgshapiroconfMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength 283964562Sgshapiro [undefined] Maximum length of 284064562Sgshapiro certain MIME header field values. 284138032SpeterconfCONNECTION_RATE_THROTTLE ConnectionRateThrottle 284238032Speter [undefined] The maximum number of 284338032Speter connections permitted per second. 284438032Speter After this many connections are 284538032Speter accepted, further connections will be 284638032Speter delayed. If not set or <= 0, there is 284738032Speter no limit. 284838032SpeterconfWORK_RECIPIENT_FACTOR 284938032Speter RecipientFactor [30000] Cost of each recipient. 285064562SgshapiroconfSEPARATE_PROC ForkEachJob [False] Run all deliveries in a 285164562Sgshapiro separate process. 285238032SpeterconfWORK_CLASS_FACTOR ClassFactor [1800] Priority multiplier for class. 285338032SpeterconfWORK_TIME_FACTOR RetryFactor [90000] Cost of each delivery attempt. 285438032SpeterconfQUEUE_SORT_ORDER QueueSortOrder [Priority] Queue sort algorithm: 285564562Sgshapiro Priority, Host, Filename, or Time. 285638032SpeterconfMIN_QUEUE_AGE MinQueueAge [0] The minimum amount of time a job 285738032Speter must sit in the queue between queue 285838032Speter runs. This allows you to set the 285938032Speter queue run interval low for better 286038032Speter responsiveness without trying all 286138032Speter jobs in each run. 286238032SpeterconfDEF_CHAR_SET DefaultCharSet [unknown-8bit] When converting 286338032Speter unlabeled 8 bit input to MIME, the 286438032Speter character set to use by default. 286538032SpeterconfSERVICE_SWITCH_FILE ServiceSwitchFile 286664562Sgshapiro [/etc/mail/service.switch] The file 286764562Sgshapiro to use for the service switch on 286864562Sgshapiro systems that do not have a 286964562Sgshapiro system-defined switch. 287038032SpeterconfHOSTS_FILE HostsFile [/etc/hosts] The file to use when doing 287138032Speter "file" type access of hosts names. 287238032SpeterconfDIAL_DELAY DialDelay [0s] If a connection fails, wait this 287338032Speter long and try again. Zero means "don't 287438032Speter retry". This is to allow "dial on 287538032Speter demand" connections to have enough time 287638032Speter to complete a connection. 287738032SpeterconfNO_RCPT_ACTION NoRecipientAction 287838032Speter [none] What to do if there are no legal 287938032Speter recipient fields (To:, Cc: or Bcc:) 288038032Speter in the message. Legal values can 288138032Speter be "none" to just leave the 288238032Speter nonconforming message as is, "add-to" 288338032Speter to add a To: header with all the 288438032Speter known recipients (which may expose 288538032Speter blind recipients), "add-apparently-to" 288638032Speter to do the same but use Apparently-To: 288738032Speter instead of To:, "add-bcc" to add an 288838032Speter empty Bcc: header, or 288938032Speter "add-to-undisclosed" to add the header 289038032Speter ``To: undisclosed-recipients:;''. 289138032SpeterconfSAFE_FILE_ENV SafeFileEnvironment 289238032Speter [undefined] If set, sendmail will do a 289338032Speter chroot() into this directory before 289438032Speter writing files. 289538032SpeterconfCOLON_OK_IN_ADDR ColonOkInAddr [True unless Configuration Level > 6] 289638032Speter If set, colons are treated as a regular 289738032Speter character in addresses. If not set, 289838032Speter they are treated as the introducer to 289938032Speter the RFC 822 "group" syntax. Colons are 290038032Speter handled properly in route-addrs. This 290138032Speter option defaults on for V5 and lower 290238032Speter configuration files. 290338032SpeterconfMAX_QUEUE_RUN_SIZE MaxQueueRunSize [0] If set, limit the maximum size of 290438032Speter any given queue run to this number of 290538032Speter entries. Essentially, this will stop 290664562Sgshapiro reading each queue directory after this 290738032Speter number of entries are reached; it does 290838032Speter _not_ pick the highest priority jobs, 290938032Speter so this should be as large as your 291038032Speter system can tolerate. If not set, there 291138032Speter is no limit. 291238032SpeterconfDONT_EXPAND_CNAMES DontExpandCnames 291338032Speter [False] If set, $[ ... $] lookups that 291438032Speter do DNS based lookups do not expand 291538032Speter CNAME records. This currently violates 291638032Speter the published standards, but the IETF 291738032Speter seems to be moving toward legalizing 291838032Speter this. For example, if "FTP.Foo.ORG" 291938032Speter is a CNAME for "Cruft.Foo.ORG", then 292038032Speter with this option set a lookup of 292138032Speter "FTP" will return "FTP.Foo.ORG"; if 292238032Speter clear it returns "Cruft.FOO.ORG". N.B. 292338032Speter you may not see any effect until your 292438032Speter downstream neighbors stop doing CNAME 292538032Speter lookups as well. 292664562SgshapiroconfFROM_LINE UnixFromLine [From $g $d] The From_ line used 292738032Speter when sending to files or programs. 292838032SpeterconfSINGLE_LINE_FROM_HEADER SingleLineFromHeader 292938032Speter [False] From: lines that have 293038032Speter embedded newlines are unwrapped 293138032Speter onto one line. 293238032SpeterconfALLOW_BOGUS_HELO AllowBogusHELO [False] Allow HELO SMTP command that 293338032Speter does not include a host name. 293438032SpeterconfMUST_QUOTE_CHARS MustQuoteChars [.'] Characters to be quoted in a full 293538032Speter name phrase (@,;:\()[] are automatic). 293638032SpeterconfOPERATORS OperatorChars [.:%@!^/[]+] Address operator 293738032Speter characters. 293838032SpeterconfSMTP_LOGIN_MSG SmtpGreetingMessage 293938032Speter [$j Sendmail $v/$Z; $b] 294038032Speter The initial (spontaneous) SMTP 294138032Speter greeting message. The word "ESMTP" 294238032Speter will be inserted between the first and 294338032Speter second words to convince other 294438032Speter sendmails to try to speak ESMTP. 294538032SpeterconfDONT_INIT_GROUPS DontInitGroups [False] If set, the initgroups(3) 294638032Speter routine will never be invoked. You 294738032Speter might want to do this if you are 294838032Speter running NIS and you have a large group 294938032Speter map, since this call does a sequential 295038032Speter scan of the map; in a large site this 295138032Speter can cause your ypserv to run 295238032Speter essentially full time. If you set 295338032Speter this, agents run on behalf of users 295438032Speter will only have their primary 295538032Speter (/etc/passwd) group permissions. 295638032SpeterconfUNSAFE_GROUP_WRITES UnsafeGroupWrites 295738032Speter [False] If set, group-writable 295838032Speter :include: and .forward files are 295938032Speter considered "unsafe", that is, programs 296038032Speter and files cannot be directly referenced 296138032Speter from such files. World-writable files 296238032Speter are always considered unsafe. 296364562SgshapiroconfCONNECT_ONLY_TO ConnectOnlyTo [undefined] override connection 296464562Sgshapiro address (for testing). 296564562SgshapiroconfCONTROL_SOCKET_NAME ControlSocketName 296664562Sgshapiro [undefined] Control socket for daemon 296764562Sgshapiro management. 296838032SpeterconfDOUBLE_BOUNCE_ADDRESS DoubleBounceAddress 296938032Speter [postmaster] If an error occurs when 297038032Speter sending an error message, send that 297138032Speter "double bounce" error message to this 297238032Speter address. 297364562SgshapiroconfDEAD_LETTER_DROP DeadLetterDrop [undefined] Filename to save bounce 297464562Sgshapiro messages which could not be returned 297564562Sgshapiro to the user or sent to postmaster. 297664562Sgshapiro If not set, the queue file will 297764562Sgshapiro be renamed. 297864562SgshapiroconfRRT_IMPLIES_DSN RrtImpliesDsn [False] Return-Receipt-To: header 297964562Sgshapiro implies DSN request. 298038032SpeterconfRUN_AS_USER RunAsUser [undefined] If set, become this user 298138032Speter when reading and delivering mail. 298238032Speter Causes all file reads (e.g., .forward 298338032Speter and :include: files) to be done as 298438032Speter this user. Also, all programs will 298538032Speter be run as this user, and all output 298638032Speter files will be written as this user. 298738032Speter Intended for use only on firewalls 298838032Speter where users do not have accounts. 298938032SpeterconfMAX_RCPTS_PER_MESSAGE MaxRecipientsPerMessage 299038032Speter [infinite] If set, allow no more than 299138032Speter the specified number of recipients in 299238032Speter an SMTP envelope. Further recipients 299338032Speter receive a 452 error code (i.e., they 299438032Speter are deferred for the next delivery 299538032Speter attempt). 299638032SpeterconfDONT_PROBE_INTERFACES DontProbeInterfaces 299738032Speter [False] If set, sendmail will _not_ 299838032Speter insert the names and addresses of any 299964562Sgshapiro local interfaces into class {w} 300038032Speter (list of known "equivalent" addresses). 300138032Speter If you set this, you must also include 300238032Speter some support for these addresses (e.g., 300338032Speter in a mailertable entry) -- otherwise, 300438032Speter mail to addresses in this list will 300538032Speter bounce with a configuration error. 300664562SgshapiroconfPID_FILE PidFile [system dependent] Location of pid 300764562Sgshapiro file. 300864562SgshapiroconfPROCESS_TITLE_PREFIX ProcessTitlePrefix 300964562Sgshapiro [undefined] Prefix string for the 301064562Sgshapiro process title shown on 'ps' listings. 301138032SpeterconfDONT_BLAME_SENDMAIL DontBlameSendmail 301238032Speter [safe] Override sendmail's file 301338032Speter safety checks. This will definitely 301438032Speter compromise system security and should 301538032Speter not be used unless absolutely 301638032Speter necessary. 301738032SpeterconfREJECT_MSG - [550 Access denied] The message 301838032Speter given if the access database contains 301938032Speter REJECT in the value portion. 302064562SgshapiroconfDF_BUFFER_SIZE DataFileBufferSize 302164562Sgshapiro [4096] The maximum size of a 302264562Sgshapiro memory-buffered data (df) file 302364562Sgshapiro before a disk-based file is used. 302464562SgshapiroconfXF_BUFFER_SIZE XScriptFileBufferSize 302564562Sgshapiro [4096] The maximum size of a 302664562Sgshapiro memory-buffered transcript (xf) 302764562Sgshapiro file before a disk-based file is 302864562Sgshapiro used. 302964562SgshapiroconfAUTH_MECHANISMS AuthMechanisms [GSSAPI KERBEROS_V4 DIGEST-MD5 303064562Sgshapiro CRAM-MD5] List of authentication 303164562Sgshapiro mechanisms for AUTH (separated by 303264562Sgshapiro spaces). The advertised list of 303364562Sgshapiro authentication mechanisms will be the 303464562Sgshapiro intersection of this list and the list 303564562Sgshapiro of available mechanisms as determined 303664562Sgshapiro by the CYRUS SASL library. 303773188SgshapiroconfDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains 303864562Sgshapiro authentication information for 303964562Sgshapiro outgoing connections. This file 304064562Sgshapiro must contain the user id, the 304164562Sgshapiro authorization id, the password 304264562Sgshapiro (plain text), and the realm to use, 304364562Sgshapiro each on a separate line and must be 304464562Sgshapiro readable by root (or the trusted 304564562Sgshapiro user) only. If no realm is 304664562Sgshapiro specified, $j is used. 304738032Speter 304864562Sgshapiro NOTE: Currently, AuthMechanisms is 304964562Sgshapiro used to determine the list of 305064562Sgshapiro mechanisms to use on an outgoing 305164562Sgshapiro connection. Sites which require a 305264562Sgshapiro different list of mechanisms for 305364562Sgshapiro incoming connections and outgoing 305464562Sgshapiro connections will have the ability 305564562Sgshapiro to do this in 8.11 by specifying a 305664562Sgshapiro list of mechanisms as the fifth 305764562Sgshapiro line of the DefaultAuthInfo file. 305864562Sgshapiro If no mechanisms are given in the 305964562Sgshapiro file, AuthMechanisms is used. The 306064562Sgshapiro code for doing so is included as 306164562Sgshapiro in the sendmail source code but 306264562Sgshapiro disabled. It can be enabled by 306364562Sgshapiro recompiling sendmail with: 306464562Sgshapiro -D_FFR_DEFAUTHINFO_MECHS 306564562SgshapiroconfAUTH_OPTIONS AuthOptions [undefined] If this options is 'A' 306664562Sgshapiro then the AUTH= parameter for the 306764562Sgshapiro MAIL FROM command is only issued 306864562Sgshapiro when authentication succeeded. 306964562SgshapiroconfLDAP_DEFAULT_SPEC LDAPDefaultSpec [undefined] Default map 307064562Sgshapiro specification for LDAP maps. The 307164562Sgshapiro value should only contain LDAP 307264562Sgshapiro specific settings such as "-h host 307364562Sgshapiro -p port -d bindDN", etc. The 307464562Sgshapiro settings will be used for all LDAP 307564562Sgshapiro maps unless they are specified in 307664562Sgshapiro the individual map specification 307764562Sgshapiro ('K' command). 307864562SgshapiroconfCACERT_PATH CACERTPath [undefined] Path to directory 307964562Sgshapiro with certs of CAs. 308064562SgshapiroconfCACERT CACERTFile [undefined] File containing one CA 308164562Sgshapiro cert. 308264562SgshapiroconfSERVER_CERT ServerCertFile [undefined] File containing the 308364562Sgshapiro cert of the server, i.e., this cert 308464562Sgshapiro is used when sendmail acts as 308564562Sgshapiro server. 308664562SgshapiroconfSERVER_KEY ServerKeyFile [undefined] File containing the 308764562Sgshapiro private key belonging to the server 308864562Sgshapiro cert. 308964562SgshapiroconfCLIENT_CERT ClientCertFile [undefined] File containing the 309064562Sgshapiro cert of the client, i.e., this cert 309164562Sgshapiro is used when sendmail acts as 309264562Sgshapiro client. 309364562SgshapiroconfCLIENT_KEY ClientKeyFile [undefined] File containing the 309464562Sgshapiro private key belonging to the client 309564562Sgshapiro cert. 309664562SgshapiroconfDH_PARAMETERS DHParameters [undefined] File containing the 309764562Sgshapiro DH parameters. 309864562SgshapiroconfRAND_FILE RandFile [undefined] File containing random 309966494Sgshapiro data (use prefix file:) or the 310066494Sgshapiro name of the UNIX socket if EGD is 310166494Sgshapiro used (use prefix egd:). STARTTLS 310266494Sgshapiro requires this option if the compile 310366494Sgshapiro flag HASURANDOM is not set (see 310464562Sgshapiro sendmail/README). 310564562Sgshapiro 310638032SpeterSee also the description of OSTYPE for some parameters that can be 310738032Spetertweaked (generally pathnames to mailers). 310838032Speter 310964562SgshapiroDaemonPortOptions are a special case since multiple daemons can be 311064562Sgshapirodefined. This can be done via 311138032Speter 311264562Sgshapiro DAEMON_OPTIONS(`field1=value1,field2=value2,...') 311364562Sgshapiro 311464562SgshapiroIf DAEMON_OPTIONS is not used, then the default is 311564562Sgshapiro 311664562Sgshapiro DAEMON_OPTIONS(`Port=smtp, Name=MTA') 311764562Sgshapiro DAEMON_OPTIONS(`Port=587, Name=MSA, M=E') 311864562Sgshapiro 311964562SgshapiroIf you use one DAEMON_OPTIONS macro, it will alter the parameters 312064562Sgshapiroof the first of these. The second will still be defaulted; it 312164562Sgshapirorepresents a "Message Submission Agent" (MSA) as defined by RFC 312264562Sgshapiro2476 (see below). To turn off the default definition for the MSA, 312364562Sgshapirouse FEATURE(`no_default_msa') (see also FEATURES). If you use 312464562Sgshapiroadditional DAEMON_OPTIONS macros, they will add additional daemons. 312564562Sgshapiro 312664562SgshapiroExample 1: To change the port for the SMTP listener, while 312764562Sgshapirostill using the MSA default, use 312864562Sgshapiro DAEMON_OPTIONS(`Port=925, Name=MTA') 312964562Sgshapiro 313064562SgshapiroExample 2: To change the port for the MSA daemon, while still 313164562Sgshapirousing the default SMTP port, use 313264562Sgshapiro FEATURE(`no_default_msa') 313364562Sgshapiro DAEMON_OPTIONS(`Name=MTA') 313464562Sgshapiro DAEMON_OPTIONS(`Port=987, Name=MSA, M=E') 313564562Sgshapiro 313664562SgshapiroNote that if the first of those DAEMON_OPTIONS lines were omitted, then 313764562Sgshapirothere would be no listener on the standard SMTP port. 313864562Sgshapiro 313964562SgshapiroExample 3: To listen on both IPv4 and IPv6 interfaces, use 314064562Sgshapiro 314164562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v4, Family=inet') 314264562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6') 314364562Sgshapiro 314464562SgshapiroA "Message Submission Agent" still uses all of the same rulesets for 314564562Sgshapiroprocessing the message (and therefore still allows message rejection via 314664562Sgshapirothe check_* rulesets). In accordance with the RFC, the MSA will ensure 314764562Sgshapirothat all domains in the envelope are fully qualified if the message is 314864562Sgshapirorelayed to another MTA. It will also enforce the normal address syntax 314964562Sgshapirorules and log error messages. Additionally, by using the M=a modifier 315064562Sgshapiroyou can require authentication before messages are accepted by the MSA. 315177349SgshapiroNotice: Do NOT use the 'a' modifier on a public accessible MTA! 315264562SgshapiroFinally, the M=E modifier shown above disables ETRN as required by RFC 315364562Sgshapiro2476. 315464562Sgshapiro 315564562Sgshapiro 315638032Speter+-----------+ 315738032Speter| HIERARCHY | 315838032Speter+-----------+ 315938032Speter 316038032SpeterWithin this directory are several subdirectories, to wit: 316138032Speter 316238032Speterm4 General support routines. These are typically 316338032Speter very important and should not be changed without 316438032Speter very careful consideration. 316538032Speter 316638032Spetercf The configuration files themselves. They have 316738032Speter ".mc" suffixes, and must be run through m4 to 316838032Speter become complete. The resulting output should 316938032Speter have a ".cf" suffix. 317038032Speter 317138032Speterostype Definitions describing a particular operating 317238032Speter system type. These should always be referenced 317338032Speter using the OSTYPE macro in the .mc file. Examples 317438032Speter include "bsd4.3", "bsd4.4", "sunos3.5", and 317538032Speter "sunos4.1". 317638032Speter 317738032Speterdomain Definitions describing a particular domain, referenced 317838032Speter using the DOMAIN macro in the .mc file. These are 317938032Speter site dependent; for example, "CS.Berkeley.EDU.m4" 318038032Speter describes hosts in the CS.Berkeley.EDU subdomain. 318138032Speter 318266494Sgshapiromailer Descriptions of mailers. These are referenced using 318338032Speter the MAILER macro in the .mc file. 318438032Speter 318538032Spetersh Shell files used when building the .cf file from the 318638032Speter .mc file in the cf subdirectory. 318738032Speter 318838032Speterfeature These hold special orthogonal features that you might 318938032Speter want to include. They should be referenced using 319038032Speter the FEATURE macro. 319138032Speter 319238032Speterhack Local hacks. These can be referenced using the HACK 319338032Speter macro. They shouldn't be of more than voyeuristic 319438032Speter interest outside the .Berkeley.EDU domain, but who knows? 319538032Speter 319638032Spetersiteconfig Site configuration -- e.g., tables of locally connected 319738032Speter UUCP sites. 319838032Speter 319938032Speter 320038032Speter+------------------------+ 320138032Speter| ADMINISTRATIVE DETAILS | 320238032Speter+------------------------+ 320338032Speter 320438032SpeterThe following sections detail usage of certain internal parts of the 320538032Spetersendmail.cf file. Read them carefully if you are trying to modify 320638032Speterthe current model. If you find the above descriptions adequate, these 320738032Spetershould be {boring, confusing, tedious, ridiculous} (pick one or more). 320838032Speter 320938032SpeterRULESETS (* means built in to sendmail) 321038032Speter 321138032Speter 0 * Parsing 321238032Speter 1 * Sender rewriting 321338032Speter 2 * Recipient rewriting 321438032Speter 3 * Canonicalization 321538032Speter 4 * Post cleanup 321638032Speter 5 * Local address rewrite (after aliasing) 321738032Speter 1x mailer rules (sender qualification) 321838032Speter 2x mailer rules (recipient qualification) 321938032Speter 3x mailer rules (sender header qualification) 322038032Speter 4x mailer rules (recipient header qualification) 322138032Speter 5x mailer subroutines (general) 322238032Speter 6x mailer subroutines (general) 322338032Speter 7x mailer subroutines (general) 322438032Speter 8x reserved 322538032Speter 90 Mailertable host stripping 322638032Speter 96 Bottom half of Ruleset 3 (ruleset 6 in old sendmail) 322738032Speter 97 Hook for recursive ruleset 0 call (ruleset 7 in old sendmail) 322838032Speter 98 Local part of ruleset 0 (ruleset 8 in old sendmail) 322938032Speter 99 Guaranteed null (for debugging) 323038032Speter 323138032Speter 323238032SpeterMAILERS 323338032Speter 323438032Speter 0 local, prog local and program mailers 323538032Speter 1 [e]smtp, relay SMTP channel 323638032Speter 2 uucp-* UNIX-to-UNIX Copy Program 323738032Speter 3 netnews Network News delivery 323838032Speter 4 fax Sam Leffler's HylaFAX software 323938032Speter 5 mail11 DECnet mailer 324038032Speter 324138032Speter 324238032SpeterMACROS 324338032Speter 324438032Speter A 324538032Speter B Bitnet Relay 324638032Speter C DECnet Relay 324738032Speter D The local domain -- usually not needed 324838032Speter E reserved for X.400 Relay 324938032Speter F FAX Relay 325038032Speter G 325138032Speter H mail Hub (for mail clusters) 325238032Speter I 325338032Speter J 325438032Speter K 325538032Speter L Luser Relay 325664562Sgshapiro M Masquerade (who you claim to be) 325738032Speter N 325838032Speter O 325938032Speter P 326038032Speter Q 326138032Speter R Relay (for unqualified names) 326238032Speter S Smart Host 326338032Speter T 326464562Sgshapiro U my UUCP name (if you have a UUCP connection) 326564562Sgshapiro V UUCP Relay (class {V} hosts) 326664562Sgshapiro W UUCP Relay (class {W} hosts) 326764562Sgshapiro X UUCP Relay (class {X} hosts) 326838032Speter Y UUCP Relay (all other hosts) 326938032Speter Z Version number 327038032Speter 327138032Speter 327238032SpeterCLASSES 327338032Speter 327438032Speter A 327538032Speter B domains that are candidates for bestmx lookup 327638032Speter C 327738032Speter D 327838032Speter E addresses that should not seem to come from $M 327964562Sgshapiro F hosts this system forward for 328038032Speter G domains that should be looked up in genericstable 328138032Speter H 328238032Speter I 328338032Speter J 328438032Speter K 328538032Speter L addresses that should not be forwarded to $R 328638032Speter M domains that should be mapped to $M 328764562Sgshapiro N host/domains that should not be mapped to $M 328838032Speter O operators that indicate network operations (cannot be in local names) 328938032Speter P top level pseudo-domains: BITNET, DECNET, FAX, UUCP, etc. 329038032Speter Q 329164562Sgshapiro R domains this system is willing to relay (pass anti-spam filters) 329238032Speter S 329338032Speter T 329438032Speter U locally connected UUCP hosts 329538032Speter V UUCP hosts connected to relay $V 329638032Speter W UUCP hosts connected to relay $W 329738032Speter X UUCP hosts connected to relay $X 329838032Speter Y locally connected smart UUCP hosts 329938032Speter Z locally connected domain-ized UUCP hosts 330038032Speter . the class containing only a dot 330138032Speter [ the class containing only a left bracket 330238032Speter 330338032Speter 330438032SpeterM4 DIVERSIONS 330538032Speter 330638032Speter 1 Local host detection and resolution 330738032Speter 2 Local Ruleset 3 additions 330838032Speter 3 Local Ruleset 0 additions 330938032Speter 4 UUCP Ruleset 0 additions 331038032Speter 5 locally interpreted names (overrides $R) 331138032Speter 6 local configuration (at top of file) 331238032Speter 7 mailer definitions 331364562Sgshapiro 8 DNS based blacklists 331438032Speter 9 special local rulesets (1 and 2) 331564562Sgshapiro 331680785Sgshapiro$Revision: 8.383.2.1.2.47 $, Last updated $Date: 2001/07/13 22:31:49 $ 3317