README revision 98121
138032Speter 264562Sgshapiro SENDMAIL CONFIGURATION FILES 338032Speter 490792SgshapiroThis document describes the sendmail configuration files. It 590792Sgshapiroexplains how to create a sendmail.cf file for use with sendmail. 690792SgshapiroIt also describes how to set options for sendmail which are explained 790792Sgshapiroin the Sendmail Installation and Operation guide (doc/op/op.me). 838032Speter 990792SgshapiroTo get started, you may want to look at tcpproto.mc (for TCP-only 1090792Sgshapirosites) and clientproto.mc (for clusters of clients using a single 1190792Sgshapiromail host), or the generic-*.mc files as operating system-specific 1290792Sgshapiroexamples. 1338032Speter 1490792SgshapiroTable of Content: 1538032Speter 1690792SgshapiroINTRODUCTION AND EXAMPLE 1790792SgshapiroA BRIEF INTRODUCTION TO M4 1890792SgshapiroFILE LOCATIONS 1990792SgshapiroOSTYPE 2090792SgshapiroDOMAINS 2190792SgshapiroMAILERS 2290792SgshapiroFEATURES 2390792SgshapiroHACKS 2490792SgshapiroSITE CONFIGURATION 2590792SgshapiroUSING UUCP MAILERS 2690792SgshapiroTWEAKING RULESETS 2790792SgshapiroMASQUERADING AND RELAYING 2890792SgshapiroUSING LDAP FOR ALIASES, MAPS, AND CLASSES 2990792SgshapiroLDAP ROUTING 3090792SgshapiroANTI-SPAM CONFIGURATION CONTROL 3190792SgshapiroSTARTTLS 3290792SgshapiroSMTP AUTHENTICATION 3390792SgshapiroADDING NEW MAILERS OR RULESETS 3490792SgshapiroADDING NEW MAIL FILTERS 3590792SgshapiroQUEUE GROUP DEFINITIONS 3690792SgshapiroNON-SMTP BASED CONFIGURATIONS 3790792SgshapiroWHO AM I? 3890792SgshapiroACCEPTING MAIL FOR MULTIPLE NAMES 3990792SgshapiroUSING MAILERTABLES 4090792SgshapiroUSING USERDB TO MAP FULL NAMES 4190792SgshapiroMISCELLANEOUS SPECIAL FEATURES 4290792SgshapiroSECURITY NOTES 4390792SgshapiroTWEAKING CONFIGURATION OPTIONS 4490792SgshapiroMESSAGE SUBMISSION PROGRAM 4590792SgshapiroFORMAT OF FILES AND MAPS 4690792SgshapiroDIRECTORY LAYOUT 4790792SgshapiroADMINISTRATIVE DETAILS 4838032Speter 4990792Sgshapiro 5038032Speter+--------------------------+ 5138032Speter| INTRODUCTION AND EXAMPLE | 5238032Speter+--------------------------+ 5338032Speter 5438032SpeterConfiguration files are contained in the subdirectory "cf", with a 5538032Spetersuffix ".mc". They must be run through "m4" to produce a ".cf" file. 5638032SpeterYou must pre-load "cf.m4": 5738032Speter 5838032Speter m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf 5938032Speter 6064562SgshapiroAlternatively, you can simply: 6164562Sgshapiro 6264562Sgshapiro cd ${CFDIR}/cf 6364562Sgshapiro ./Build config.cf 6464562Sgshapiro 6538032Speterwhere ${CFDIR} is the root of the cf directory and config.mc is the 6638032Spetername of your configuration file. If you are running a version of M4 6738032Speterthat understands the __file__ builtin (versions of GNU m4 >= 0.75 do 6838032Speterthis, but the versions distributed with 4.4BSD and derivatives do not) 6938032Speteror the -I flag (ditto), then ${CFDIR} can be in an arbitrary directory. 7038032SpeterFor "traditional" versions, ${CFDIR} ***MUST*** be "..", or you MUST 7138032Speteruse -D_CF_DIR_=/path/to/cf/dir/ -- note the trailing slash! For example: 7238032Speter 7338032Speter m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 config.mc > config.cf 7438032Speter 7538032SpeterLet's examine a typical .mc file: 7638032Speter 7738032Speter divert(-1) 7838032Speter # 7990792Sgshapiro # Copyright (c) 1998-2002 Sendmail, Inc. and its suppliers. 8064562Sgshapiro # All rights reserved. 8138032Speter # Copyright (c) 1983 Eric P. Allman. All rights reserved. 8238032Speter # Copyright (c) 1988, 1993 8338032Speter # The Regents of the University of California. All rights reserved. 8438032Speter # 8538032Speter # By using this file, you agree to the terms and conditions set 8638032Speter # forth in the LICENSE file which can be found at the top level of 8738032Speter # the sendmail distribution. 8838032Speter # 8938032Speter 9038032Speter # 9138032Speter # This is a Berkeley-specific configuration file for HP-UX 9.x. 9238032Speter # It applies only to the Computer Science Division at Berkeley, 9338032Speter # and should not be used elsewhere. It is provided on the sendmail 9438032Speter # distribution as a sample only. To create your own configuration 9538032Speter # file, create an appropriate domain file in ../domain, change the 9638032Speter # `DOMAIN' macro below to reference that file, and copy the result 9738032Speter # to a name of your own choosing. 9838032Speter # 9938032Speter divert(0) 10038032Speter 10138032SpeterThe divert(-1) will delete the crud in the resulting output file. 10238032SpeterThe copyright notice can be replaced by whatever your lawyers require; 10364562Sgshapiroour lawyers require the one that is included in these files. A copyleft 10438032Speteris a copyright by another name. The divert(0) restores regular output. 10538032Speter 10638032Speter VERSIONID(`<SCCS or RCS version id>') 10738032Speter 10838032SpeterVERSIONID is a macro that stuffs the version information into the 10964562Sgshapiroresulting file. You could use SCCS, RCS, CVS, something else, or 11038032Speteromit it completely. This is not the same as the version id included 11138032Speterin SMTP greeting messages -- this is defined in m4/version.m4. 11238032Speter 11364562Sgshapiro OSTYPE(`hpux9')dnl 11438032Speter 11538032SpeterYou must specify an OSTYPE to properly configure things such as the 11638032Speterpathname of the help and status files, the flags needed for the local 11738032Spetermailer, and other important things. If you omit it, you will get an 11838032Spetererror when you try to build the configuration. Look at the ostype 11938032Speterdirectory for the list of known operating system types. 12038032Speter 12164562Sgshapiro DOMAIN(`CS.Berkeley.EDU')dnl 12238032Speter 12338032SpeterThis example is specific to the Computer Science Division at Berkeley. 12464562SgshapiroYou can use "DOMAIN(`generic')" to get a sufficiently bland definition 12538032Speterthat may well work for you, or you can create a customized domain 12638032Speterdefinition appropriate for your environment. 12738032Speter 12864562Sgshapiro MAILER(`local') 12964562Sgshapiro MAILER(`smtp') 13038032Speter 13190792SgshapiroThese describe the mailers used at the default CS site. The local 13290792Sgshapiromailer is always included automatically. Beware: MAILER declarations 13390792Sgshapiroshould always be at the end of the configuration file. The general 13490792Sgshapirorules are that the order should be: 13538032Speter 13638032Speter VERSIONID 13738032Speter OSTYPE 13838032Speter DOMAIN 13938032Speter FEATURE 14038032Speter local macro definitions 14138032Speter MAILER 14290792Sgshapiro LOCAL_CONFIG 14364562Sgshapiro LOCAL_RULE_* 14464562Sgshapiro LOCAL_RULESETS 14538032Speter 14664562SgshapiroThere are a few exceptions to this rule. Local macro definitions which 14764562Sgshapiroinfluence a FEATURE() should be done before that feature. For example, 14864562Sgshapiroa define(`PROCMAIL_MAILER_PATH', ...) should be done before 14964562SgshapiroFEATURE(`local_procmail'). 15038032Speter 15190792Sgshapiro******************************************************************* 15290792Sgshapiro*** BE SURE YOU CUSTOMIZE THESE FILES! They have some *** 15390792Sgshapiro*** Berkeley-specific assumptions built in, such as the name *** 15490792Sgshapiro*** of their UUCP-relay. You'll want to create your own *** 15590792Sgshapiro*** domain description, and use that in place of *** 15690792Sgshapiro*** domain/Berkeley.EDU.m4. *** 15790792Sgshapiro******************************************************************* 15864562Sgshapiro 15990792Sgshapiro 16038032Speter+----------------------------+ 16138032Speter| A BRIEF INTRODUCTION TO M4 | 16238032Speter+----------------------------+ 16338032Speter 16438032SpeterSendmail uses the M4 macro processor to ``compile'' the configuration 16538032Speterfiles. The most important thing to know is that M4 is stream-based, 16638032Speterthat is, it doesn't understand about lines. For this reason, in some 16738032Speterplaces you may see the word ``dnl'', which stands for ``delete 16838032Speterthrough newline''; essentially, it deletes all characters starting 16938032Speterat the ``dnl'' up to and including the next newline character. In 17038032Spetermost cases sendmail uses this only to avoid lots of unnecessary 17138032Speterblank lines in the output. 17238032Speter 17338032SpeterOther important directives are define(A, B) which defines the macro 17438032Speter``A'' to have value ``B''. Macros are expanded as they are read, so 17538032Speterone normally quotes both values to prevent expansion. For example, 17638032Speter 17738032Speter define(`SMART_HOST', `smart.foo.com') 17838032Speter 17938032SpeterOne word of warning: M4 macros are expanded even in lines that appear 18038032Speterto be comments. For example, if you have 18138032Speter 18264562Sgshapiro # See FEATURE(`foo') above 18338032Speter 18464562Sgshapiroit will not do what you expect, because the FEATURE(`foo') will be 18538032Speterexpanded. This also applies to 18638032Speter 18738032Speter # And then define the $X macro to be the return address 18838032Speter 18938032Speterbecause ``define'' is an M4 keyword. If you want to use them, surround 19038032Speterthem with directed quotes, `like this'. 19138032Speter 19290792Sgshapiro 19390792SgshapiroNotice: 19490792Sgshapiro------- 19590792Sgshapiro 19690792SgshapiroThis package requires a post-V7 version of m4; if you are running the 19790792Sgshapiro4.2bsd, SysV.2, or 7th Edition version. SunOS's /usr/5bin/m4 or 19890792SgshapiroBSD-Net/2's m4 both work. GNU m4 version 1.1 or later also works. 19990792SgshapiroUnfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a 20090792SgshapiroNet/2 or GNU version. GNU m4 is available from 20190792Sgshapiroftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version). 20290792SgshapiroEXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine). Use GNU 20390792Sgshapirom4 on this platform. 20490792Sgshapiro 20590792Sgshapiro 20638032Speter+----------------+ 20738032Speter| FILE LOCATIONS | 20838032Speter+----------------+ 20938032Speter 21038032Spetersendmail 8.9 has introduced a new configuration directory for sendmail 21138032Speterrelated files, /etc/mail. The new files available for sendmail 8.9 -- 21264562Sgshapirothe class {R} /etc/mail/relay-domains and the access database 21364562Sgshapiro/etc/mail/access -- take advantage of this new directory. Beginning with 21464562Sgshapiro8.10, all files will use this directory by default (some options may be 21564562Sgshapiroset by OSTYPE() files). This new directory should help to restore 21664562Sgshapirouniformity to sendmail's file locations. 21738032Speter 21864562SgshapiroBelow is a table of some of the common changes: 21964562Sgshapiro 22064562SgshapiroOld filename New filename 22164562Sgshapiro------------ ------------ 22264562Sgshapiro/etc/bitdomain /etc/mail/bitdomain 22364562Sgshapiro/etc/domaintable /etc/mail/domaintable 22464562Sgshapiro/etc/genericstable /etc/mail/genericstable 22564562Sgshapiro/etc/uudomain /etc/mail/uudomain 22664562Sgshapiro/etc/virtusertable /etc/mail/virtusertable 22764562Sgshapiro/etc/userdb /etc/mail/userdb 22864562Sgshapiro 22964562Sgshapiro/etc/aliases /etc/mail/aliases 23064562Sgshapiro/etc/sendmail/aliases /etc/mail/aliases 23164562Sgshapiro/etc/ucbmail/aliases /etc/mail/aliases 23264562Sgshapiro/usr/adm/sendmail/aliases /etc/mail/aliases 23364562Sgshapiro/usr/lib/aliases /etc/mail/aliases 23464562Sgshapiro/usr/lib/mail/aliases /etc/mail/aliases 23564562Sgshapiro/usr/ucblib/aliases /etc/mail/aliases 23664562Sgshapiro 23764562Sgshapiro/etc/sendmail.cw /etc/mail/local-host-names 23864562Sgshapiro/etc/mail/sendmail.cw /etc/mail/local-host-names 23964562Sgshapiro/etc/sendmail/sendmail.cw /etc/mail/local-host-names 24064562Sgshapiro 24164562Sgshapiro/etc/sendmail.ct /etc/mail/trusted-users 24264562Sgshapiro 24364562Sgshapiro/etc/sendmail.oE /etc/mail/error-header 24464562Sgshapiro 24564562Sgshapiro/etc/sendmail.hf /etc/mail/helpfile 24664562Sgshapiro/etc/mail/sendmail.hf /etc/mail/helpfile 24764562Sgshapiro/usr/ucblib/sendmail.hf /etc/mail/helpfile 24864562Sgshapiro/etc/ucbmail/sendmail.hf /etc/mail/helpfile 24964562Sgshapiro/usr/lib/sendmail.hf /etc/mail/helpfile 25064562Sgshapiro/usr/share/lib/sendmail.hf /etc/mail/helpfile 25164562Sgshapiro/usr/share/misc/sendmail.hf /etc/mail/helpfile 25264562Sgshapiro/share/misc/sendmail.hf /etc/mail/helpfile 25364562Sgshapiro 25464562Sgshapiro/etc/service.switch /etc/mail/service.switch 25564562Sgshapiro 25664562Sgshapiro/etc/sendmail.st /etc/mail/statistics 25764562Sgshapiro/etc/mail/sendmail.st /etc/mail/statistics 25864562Sgshapiro/etc/mailer/sendmail.st /etc/mail/statistics 25964562Sgshapiro/etc/sendmail/sendmail.st /etc/mail/statistics 26064562Sgshapiro/usr/lib/sendmail.st /etc/mail/statistics 26164562Sgshapiro/usr/ucblib/sendmail.st /etc/mail/statistics 26264562Sgshapiro 26364562SgshapiroNote that all of these paths actually use a new m4 macro MAIL_SETTINGS_DIR 26464562Sgshapiroto create the pathnames. The default value of this variable is 26564562Sgshapiro`/etc/mail/'. If you set this macro to a different value, you MUST include 26664562Sgshapiroa trailing slash. 26764562Sgshapiro 26880785SgshapiroNotice: all filenames used in a .mc (or .cf) file should be absolute 26980785Sgshapiro(starting at the root, i.e., with '/'). Relative filenames most 27080785Sgshapirolikely cause surprises during operations (unless otherwise noted). 27180785Sgshapiro 27280785Sgshapiro 27338032Speter+--------+ 27438032Speter| OSTYPE | 27538032Speter+--------+ 27638032Speter 27738032SpeterYou MUST define an operating system environment, or the configuration 27838032Speterfile build will puke. There are several environments available; look 27938032Speterat the "ostype" directory for the current list. This macro changes 28038032Speterthings like the location of the alias file and queue directory. Some 28138032Speterof these files are identical to one another. 28238032Speter 28338032SpeterIt is IMPERATIVE that the OSTYPE occur before any MAILER definitions. 28438032SpeterIn general, the OSTYPE macro should go immediately after any version 28538032Speterinformation, and MAILER definitions should always go last. 28638032Speter 28738032SpeterOperating system definitions are usually easy to write. They may define 28838032Speterthe following variables (everything defaults, so an ostype file may be 28938032Speterempty). Unfortunately, the list of configuration-supported systems is 29038032Speternot as broad as the list of source-supported systems, since many of 29138032Speterthe source contributors do not include corresponding ostype files. 29238032Speter 29364562SgshapiroALIAS_FILE [/etc/mail/aliases] The location of the text version 29438032Speter of the alias file(s). It can be a comma-separated 29538032Speter list of names (but be sure you quote values with 29638032Speter commas in them -- for example, use 29738032Speter define(`ALIAS_FILE', `a,b') 29838032Speter to get "a" and "b" both listed as alias files; 29938032Speter otherwise the define() primitive only sees "a"). 30064562SgshapiroHELP_FILE [/etc/mail/helpfile] The name of the file 30138032Speter containing information printed in response to 30238032Speter the SMTP HELP command. 30338032SpeterQUEUE_DIR [/var/spool/mqueue] The directory containing 30464562Sgshapiro queue files. To use multiple queues, supply 30564562Sgshapiro a value ending with an asterisk. For 30673188Sgshapiro example, /var/spool/mqueue/qd* will use all of the 30764562Sgshapiro directories or symbolic links to directories 30873188Sgshapiro beginning with 'qd' in /var/spool/mqueue as queue 30964562Sgshapiro directories. The names 'qf', 'df', and 'xf' are 31073188Sgshapiro reserved as specific subdirectories for the 31173188Sgshapiro corresponding queue file types as explained in 31290792Sgshapiro doc/op/op.me. See also QUEUE GROUP DEFINITIONS. 31390792SgshapiroMSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing 31490792Sgshapiro queue files for the MSP (Mail Submission Program, 31590792Sgshapiro see sendmail/SECURITY). 31664562SgshapiroSTATUS_FILE [/etc/mail/statistics] The file containing status 31738032Speter information. 31838032SpeterLOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. 31964562SgshapiroLOCAL_MAILER_FLAGS [Prmn9] The flags used by the local mailer. The 32064562Sgshapiro flags lsDFMAw5:/|@q are always included. 32138032SpeterLOCAL_MAILER_ARGS [mail -d $u] The arguments passed to deliver local 32238032Speter mail. 32338032SpeterLOCAL_MAILER_MAX [undefined] If defined, the maximum size of local 32438032Speter mail that you are willing to accept. 32564562SgshapiroLOCAL_MAILER_MAXMSGS [undefined] If defined, the maximum number of 32664562Sgshapiro messages to deliver in a single connection. Only 32764562Sgshapiro useful for LMTP local mailers. 32838032SpeterLOCAL_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 32938032Speter that ARRIVE from an address that resolves to the 33038032Speter local mailer and which are converted to MIME will be 33138032Speter labeled with this character set. 33264562SgshapiroLOCAL_MAILER_EOL [undefined] If defined, the string to use as the 33364562Sgshapiro end of line for the local mailer. 33464562SgshapiroLOCAL_MAILER_DSN_DIAGNOSTIC_CODE 33564562Sgshapiro [X-Unix] The DSN Diagnostic-Code value for the 33664562Sgshapiro local mailer. This should be changed with care. 33738032SpeterLOCAL_SHELL_PATH [/bin/sh] The shell used to deliver piped email. 33838032SpeterLOCAL_SHELL_FLAGS [eu9] The flags used by the shell mailer. The 33938032Speter flags lsDFM are always included. 34038032SpeterLOCAL_SHELL_ARGS [sh -c $u] The arguments passed to deliver "prog" 34138032Speter mail. 34238032SpeterLOCAL_SHELL_DIR [$z:/] The directory search path in which the 34338032Speter shell should run. 34490792SgshapiroLOCAL_MAILER_QGRP [undefined] The queue group for the local mailer. 34538032SpeterUSENET_MAILER_PATH [/usr/lib/news/inews] The name of the program 34638032Speter used to submit news. 34764562SgshapiroUSENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer. 34838032SpeterUSENET_MAILER_ARGS [-m -h -n] The command line arguments for the 34990792Sgshapiro usenet mailer. NOTE: Some versions of inews 35090792Sgshapiro (such as those shipped with newer versions of INN) 35190792Sgshapiro use different flags. Double check the defaults 35290792Sgshapiro against the inews man page. 35338032SpeterUSENET_MAILER_MAX [100000] The maximum size of messages that will 35438032Speter be accepted by the usenet mailer. 35590792SgshapiroUSENET_MAILER_QGRP [undefined] The queue group for the usenet mailer. 35638032SpeterSMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default 35764562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 35864562Sgshapiro "esmtp" mailer adds `a'; "smtp8" adds `8'; and 35964562Sgshapiro "dsmtp" adds `%'. 36064562SgshapiroRELAY_MAILER_FLAGS [undefined] Flags added to the relay mailer. Default 36164562Sgshapiro flags are `mDFMuX' for all SMTP-based mailers; the 36264562Sgshapiro relay mailer adds `a8'. If this is not defined, 36364562Sgshapiro then SMTP_MAILER_FLAGS is used. 36438032SpeterSMTP_MAILER_MAX [undefined] The maximum size of messages that will 36564562Sgshapiro be transported using the smtp, smtp8, esmtp, or dsmtp 36638032Speter mailers. 36764562SgshapiroSMTP_MAILER_MAXMSGS [undefined] If defined, the maximum number of 36864562Sgshapiro messages to deliver in a single connection for the 36964562Sgshapiro smtp, smtp8, esmtp, or dsmtp mailers. 37094334SgshapiroSMTP_MAILER_MAXRCPTS [undefined] If defined, the maximum number of 37194334Sgshapiro recipients to deliver in a single connection for the 37294334Sgshapiro smtp, smtp8, esmtp, or dsmtp mailers. 37366494SgshapiroSMTP_MAILER_ARGS [TCP $h] The arguments passed to the smtp mailer. 37438032Speter About the only reason you would want to change this 37538032Speter would be to change the default port. 37666494SgshapiroESMTP_MAILER_ARGS [TCP $h] The arguments passed to the esmtp mailer. 37766494SgshapiroSMTP8_MAILER_ARGS [TCP $h] The arguments passed to the smtp8 mailer. 37866494SgshapiroDSMTP_MAILER_ARGS [TCP $h] The arguments passed to the dsmtp mailer. 37966494SgshapiroRELAY_MAILER_ARGS [TCP $h] The arguments passed to the relay mailer. 38090792SgshapiroSMTP_MAILER_QGRP [undefined] The queue group for the smtp mailer. 38190792SgshapiroESMTP_MAILER_QGRP [undefined] The queue group for the esmtp mailer. 38290792SgshapiroSMTP8_MAILER_QGRP [undefined] The queue group for the smtp8 mailer. 38390792SgshapiroDSMTP_MAILER_QGRP [undefined] The queue group for the dsmtp mailer. 38490792SgshapiroRELAY_MAILER_QGRP [undefined] The queue group for the relay mailer. 38564562SgshapiroRELAY_MAILER_MAXMSGS [undefined] If defined, the maximum number of 38664562Sgshapiro messages to deliver in a single connection for the 38764562Sgshapiro relay mailer. 38838032SpeterSMTP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 38938032Speter that ARRIVE from an address that resolves to one of 39038032Speter the SMTP mailers and which are converted to MIME will 39138032Speter be labeled with this character set. 39238032SpeterUUCP_MAILER_PATH [/usr/bin/uux] The program used to send UUCP mail. 39338032SpeterUUCP_MAILER_FLAGS [undefined] Flags added to UUCP mailer. Default 39438032Speter flags are `DFMhuU' (and `m' for uucp-new mailer, 39538032Speter minus `U' for uucp-dom mailer). 39638032SpeterUUCP_MAILER_ARGS [uux - -r -z -a$g -gC $h!rmail ($u)] The arguments 39738032Speter passed to the UUCP mailer. 39838032SpeterUUCP_MAILER_MAX [100000] The maximum size message accepted for 39938032Speter transmission by the UUCP mailers. 40038032SpeterUUCP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data 40138032Speter that ARRIVE from an address that resolves to one of 40238032Speter the UUCP mailers and which are converted to MIME will 40338032Speter be labeled with this character set. 40490792SgshapiroUUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers. 40538032SpeterFAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to 40638032Speter submit FAX messages. 40738032SpeterFAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX 40838032Speter mailer. 40938032SpeterFAX_MAILER_MAX [100000] The maximum size message accepted for 41038032Speter transmission by FAX. 41138032SpeterPOP_MAILER_PATH [/usr/lib/mh/spop] The pathname of the POP mailer. 41264562SgshapiroPOP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq 41338032Speter are always added. 41438032SpeterPOP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer. 41590792SgshapiroPOP_MAILER_QGRP [undefined] The queue group for the pop mailer. 41638032SpeterPROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail 41743730Speter program. This is also used by 41843730Speter FEATURE(`local_procmail'). 41938032SpeterPROCMAIL_MAILER_FLAGS [SPhnu9] Flags added to Procmail mailer. Flags 42064562Sgshapiro DFM are always set. This is NOT used by 42143730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_FLAGS 42238032Speter instead. 42338032SpeterPROCMAIL_MAILER_ARGS [procmail -Y -m $h $f $u] The arguments passed to 42438032Speter the Procmail mailer. This is NOT used by 42543730Speter FEATURE(`local_procmail'); tweak LOCAL_MAILER_ARGS 42638032Speter instead. 42738032SpeterPROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that 42838032Speter will be accepted by the procmail mailer. 42990792SgshapiroPROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer. 43038032SpeterMAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer. 43138032SpeterMAIL11_MAILER_FLAGS [nsFx] Flags for the mail11 mailer. 43238032SpeterMAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11 43338032Speter mailer. 43490792SgshapiroMAIL11_MAILER_QGRP [undefined] The queue group for the mail11 mailer. 43538032SpeterPH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery 43638032Speter program. 43764562SgshapiroPH_MAILER_FLAGS [ehmu] Flags for the phquery mailer. Flags nrDFM 43864562Sgshapiro are always set. 43938032SpeterPH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer. 44090792SgshapiroPH_MAILER_QGRP [undefined] The queue group for the ph mailer. 44164562SgshapiroCYRUS_MAILER_FLAGS [Ah5@/:|] The flags used by the cyrus mailer. The 44238032Speter flags lsDFMnPq are always included. 44338032SpeterCYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver 44438032Speter cyrus mail. 44538032SpeterCYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed 44638032Speter to deliver cyrus mail. 44738032SpeterCYRUS_MAILER_MAX [undefined] If set, the maximum size message that 44838032Speter will be accepted by the cyrus mailer. 44938032SpeterCYRUS_MAILER_USER [cyrus:mail] The user and group to become when 45038032Speter running the cyrus mailer. 45190792SgshapiroCYRUS_MAILER_QGRP [undefined] The queue group for the cyrus mailer. 45264562SgshapiroCYRUS_BB_MAILER_FLAGS [u] The flags used by the cyrusbb mailer. 45364562Sgshapiro The flags lsDFMnP are always included. 45438032SpeterCYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed 45538032Speter to deliver cyrusbb mail. 45698121SgshapiroCYRUSV2_MAILER_FLAGS [A@/:|m] The flags used by the cyrusv2 mailer. The 45798121Sgshapiro flags lsDFMnqXz are always included. 45898121SgshapiroCYRUSV2_MAILER_MAXMSGS [undefined] If defined, the maximum number of 45998121Sgshapiro messages to deliver in a single connection for the 46098121Sgshapiro cyrusv2 mailer. 46198121SgshapiroCYRUSV2_MAILER_MAXRCPTS [undefined] If defined, the maximum number of 46298121Sgshapiro recipients to deliver in a single connection for the 46398121Sgshapiro cyrusv2 mailer. 46498121SgshapiroCYRUSV2_MAILER_ARGS [FILE /var/imap/socket/lmtp] The arguments passed 46598121Sgshapiro to the cyrusv2 mailer. This can be used to 46698121Sgshapiro change the name of the Unix domain socket, or 46798121Sgshapiro to switch to delivery via TCP (e.g., `TCP $h lmtp') 46898121SgshapiroCYRUSV2_MAILER_QGRP [undefined] The queue group for the cyrusv2 mailer. 46938032SpeterconfEBINDIR [/usr/libexec] The directory for executables. 47043730Speter Currently used for FEATURE(`local_lmtp') and 47143730Speter FEATURE(`smrsh'). 47264562SgshapiroQPAGE_MAILER_FLAGS [mDFMs] The flags used by the qpage mailer. 47364562SgshapiroQPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver 47464562Sgshapiro qpage mail. 47564562SgshapiroQPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed 47664562Sgshapiro to deliver qpage mail. 47764562SgshapiroQPAGE_MAILER_MAX [4096] If set, the maximum size message that 47864562Sgshapiro will be accepted by the qpage mailer. 47990792SgshapiroQPAGE_MAILER_QGRP [undefined] The queue group for the qpage mailer. 48090792SgshapiroLOCAL_PROG_QGRP [undefined] The queue group for the prog mailer. 48138032Speter 48264562SgshapiroNote: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: 48364562SgshapiroMODIFY_MAILER_FLAGS(`Name', `change') where Name is the first part of 48464562Sgshapirothe macro Name_MAILER_FLAGS and change can be: flags that should 48564562Sgshapirobe used directly (thus overriding the default value), or if it 48664562Sgshapirostarts with `+' (`-') then those flags are added to (removed from) 48764562Sgshapirothe default value. Example: 48838032Speter 48964562Sgshapiro MODIFY_MAILER_FLAGS(`LOCAL', `+e') 49038032Speter 49190792Sgshapirowill add the flag `e' to LOCAL_MAILER_FLAGS. Notice: there are 49290792Sgshapiroseveral smtp mailers all of which are manipulated individually. 49390792SgshapiroSee the section MAILERS for the available mailer names. 49464562SgshapiroWARNING: The FEATUREs local_lmtp and local_procmail set LOCAL_MAILER_FLAGS 49564562Sgshapirounconditionally, i.e., without respecting any definitions in an 49664562SgshapiroOSTYPE setting. 49764562Sgshapiro 49864562Sgshapiro 49938032Speter+---------+ 50038032Speter| DOMAINS | 50138032Speter+---------+ 50238032Speter 50338032SpeterYou will probably want to collect domain-dependent defines into one 50464562Sgshapirofile, referenced by the DOMAIN macro. For example, the Berkeley 50538032Speterdomain file includes definitions for several internal distinguished 50638032Speterhosts: 50738032Speter 50838032SpeterUUCP_RELAY The host that will accept UUCP-addressed email. 50938032Speter If not defined, all UUCP sites must be directly 51038032Speter connected. 51138032SpeterBITNET_RELAY The host that will accept BITNET-addressed email. 51238032Speter If not defined, the .BITNET pseudo-domain won't work. 51338032SpeterDECNET_RELAY The host that will accept DECNET-addressed email. 51438032Speter If not defined, the .DECNET pseudo-domain and addresses 51538032Speter of the form node::user will not work. 51638032SpeterFAX_RELAY The host that will accept mail to the .FAX pseudo-domain. 51738032Speter The "fax" mailer overrides this value. 51871345SgshapiroLOCAL_RELAY The site that will handle unqualified names -- that 51982017Sgshapiro is, names without an @domain extension. 52071345Sgshapiro Normally MAIL_HUB is preferred for this function. 52171345Sgshapiro LOCAL_RELAY is mostly useful in conjunction with 52290792Sgshapiro FEATURE(`stickyhost') -- see the discussion of 52371345Sgshapiro stickyhost below. If not set, they are assumed to 52471345Sgshapiro belong on this machine. This allows you to have a 52571345Sgshapiro central site to store a company- or department-wide 52671345Sgshapiro alias database. This only works at small sites, 52771345Sgshapiro and only with some user agents. 52838032SpeterLUSER_RELAY The site that will handle lusers -- that is, apparently 52964562Sgshapiro local names that aren't local accounts or aliases. To 53064562Sgshapiro specify a local user instead of a site, set this to 53164562Sgshapiro ``local:username''. 53238032Speter 53338032SpeterAny of these can be either ``mailer:hostname'' (in which case the 53438032Spetermailer is the internal mailer name, such as ``uucp-new'' and the hostname 53538032Speteris the name of the host as appropriate for that mailer) or just a 53638032Speter``hostname'', in which case a default mailer type (usually ``relay'', 53738032Spetera variant on SMTP) is used. WARNING: if you have a wildcard MX 53838032Speterrecord matching your domain, you probably want to define these to 53938032Speterhave a trailing dot so that you won't get the mail diverted back 54038032Speterto yourself. 54138032Speter 54238032SpeterThe domain file can also be used to define a domain name, if needed 54338032Speter(using "DD<domain>") and set certain site-wide features. If all hosts 54438032Speterat your site masquerade behind one email name, you could also use 54538032SpeterMASQUERADE_AS here. 54638032Speter 54738032SpeterYou do not have to define a domain -- in particular, if you are a 54838032Spetersingle machine sitting off somewhere, it is probably more work than 54938032Speterit's worth. This is just a mechanism for combining "domain dependent 55038032Speterknowledge" into one place. 55138032Speter 55290792Sgshapiro 55338032Speter+---------+ 55438032Speter| MAILERS | 55538032Speter+---------+ 55638032Speter 55738032SpeterThere are fewer mailers supported in this version than the previous 55838032Speterversion, owing mostly to a simpler world. As a general rule, put the 55990792SgshapiroMAILER definitions last in your .mc file. 56038032Speter 56138032Speterlocal The local and prog mailers. You will almost always 56238032Speter need these; the only exception is if you relay ALL 56338032Speter your mail to another site. This mailer is included 56438032Speter automatically. 56538032Speter 56638032Spetersmtp The Simple Mail Transport Protocol mailer. This does 56738032Speter not hide hosts behind a gateway or another other 56838032Speter such hack; it assumes a world where everyone is 56938032Speter running the name server. This file actually defines 57064562Sgshapiro five mailers: "smtp" for regular (old-style) SMTP to 57138032Speter other servers, "esmtp" for extended SMTP to other 57238032Speter servers, "smtp8" to do SMTP to other servers without 57338032Speter converting 8-bit data to MIME (essentially, this is 57438032Speter your statement that you know the other end is 8-bit 57564562Sgshapiro clean even if it doesn't say so), "dsmtp" to do on 57664562Sgshapiro demand delivery, and "relay" for transmission to the 57764562Sgshapiro RELAY_HOST, LUSER_RELAY, or MAIL_HUB. 57838032Speter 57966494Sgshapirouucp The UNIX-to-UNIX Copy Program mailer. Actually, this 58038032Speter defines two mailers, "uucp-old" (a.k.a. "uucp") and 58138032Speter "uucp-new" (a.k.a. "suucp"). The latter is for when you 58238032Speter know that the UUCP mailer at the other end can handle 58338032Speter multiple recipients in one transfer. If the smtp mailer 58490792Sgshapiro is included in your configuration, two other mailers 58590792Sgshapiro ("uucp-dom" and "uucp-uudom") are also defined [warning: you 58690792Sgshapiro MUST specify MAILER(`smtp') before MAILER(`uucp')]. When you 58738032Speter include the uucp mailer, sendmail looks for all names in 58864562Sgshapiro class {U} and sends them to the uucp-old mailer; all 58964562Sgshapiro names in class {Y} are sent to uucp-new; and all 59064562Sgshapiro names in class {Z} are sent to uucp-uudom. Note that 59138032Speter this is a function of what version of rmail runs on 59238032Speter the receiving end, and hence may be out of your control. 59338032Speter See the section below describing UUCP mailers in more 59438032Speter detail. 59538032Speter 59638032Speterusenet Usenet (network news) delivery. If this is specified, 59738032Speter an extra rule is added to ruleset 0 that forwards all 59838032Speter local email for users named ``group.usenet'' to the 59938032Speter ``inews'' program. Note that this works for all groups, 60038032Speter and may be considered a security problem. 60138032Speter 60238032Speterfax Facsimile transmission. This is experimental and based 60338032Speter on Sam Leffler's HylaFAX software. For more information, 60471345Sgshapiro see http://www.hylafax.org/. 60538032Speter 60638032Speterpop Post Office Protocol. 60738032Speter 60838032Speterprocmail An interface to procmail (does not come with sendmail). 60938032Speter This is designed to be used in mailertables. For example, 61038032Speter a common question is "how do I forward all mail for a given 61138032Speter domain to a single person?". If you have this mailer 61238032Speter defined, you could set up a mailertable reading: 61338032Speter 61438032Speter host.com procmail:/etc/procmailrcs/host.com 61538032Speter 61638032Speter with the file /etc/procmailrcs/host.com reading: 61738032Speter 61838032Speter :0 # forward mail for host.com 61938032Speter ! -oi -f $1 person@other.host 62038032Speter 62138032Speter This would arrange for (anything)@host.com to be sent 62238032Speter to person@other.host. Within the procmail script, $1 is 62338032Speter the name of the sender and $2 is the name of the recipient. 62443730Speter If you use this with FEATURE(`local_procmail'), the FEATURE 62538032Speter should be listed first. 62638032Speter 62790792Sgshapiro Of course there are other ways to solve this particular 62890792Sgshapiro problem, e.g., a catch-all entry in a virtusertable. 62990792Sgshapiro 63038032Spetermail11 The DECnet mail11 mailer, useful only if you have the mail11 63138032Speter program from gatekeeper.dec.com:/pub/DEC/gwtools (and 63238032Speter DECnet, of course). This is for Phase IV DECnet support; 63338032Speter if you have Phase V at your site you may have additional 63438032Speter problems. 63538032Speter 63638032Speterphquery The phquery program. This is somewhat counterintuitively 63738032Speter referenced as the "ph" mailer internally. It can be used 63838032Speter to do CCSO name server lookups. The phquery program, which 63938032Speter this mailer uses, is distributed with the ph client. 64038032Speter 64138032Spetercyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to 64238032Speter a local cyrus user. this mailer can make use of the 64390792Sgshapiro "user+detail@local.host" syntax (see 64490792Sgshapiro FEATURE(`preserve_local_plus_detail')); it will deliver the 64590792Sgshapiro mail to the user's "detail" mailbox if the mailbox's ACL 64690792Sgshapiro permits. The cyrusbb mailer delivers to a system-wide 64790792Sgshapiro cyrus mailbox if the mailbox's ACL permits. The cyrus 64890792Sgshapiro mailer must be defined after the local mailer. 64938032Speter 65098121Sgshapirocyrusv2 The mailer for Cyrus v2.x. The cyrusv2 mailer delivers to 65198121Sgshapiro local cyrus users via LMTP. This mailer can make use of the 65298121Sgshapiro "user+detail@local.host" syntax (see 65398121Sgshapiro FEATURE(`preserve_local_plus_detail')); it will deliver the 65498121Sgshapiro mail to the user's "detail" mailbox if the mailbox's ACL 65598121Sgshapiro permits. The cyrusv2 mailer must be defined after the 65698121Sgshapiro local mailer. 65798121Sgshapiro 65864562Sgshapiroqpage A mailer for QuickPage, a pager interface. See 65964562Sgshapiro http://www.qpage.org/ for further information. 66038032Speter 66138032SpeterThe local mailer accepts addresses of the form "user+detail", where 66238032Speterthe "+detail" is not used for mailbox matching but is available 66343730Speterto certain local mail programs (in particular, see 66443730SpeterFEATURE(`local_procmail')). For example, "eric", "eric+sendmail", and 66543730Speter"eric+sww" all indicate the same user, but additional arguments <null>, 66643730Speter"sendmail", and "sww" may be provided for use in sorting mail. 66738032Speter 66838032Speter 66938032Speter+----------+ 67038032Speter| FEATURES | 67138032Speter+----------+ 67238032Speter 67338032SpeterSpecial features can be requested using the "FEATURE" macro. For 67438032Speterexample, the .mc line: 67538032Speter 67643730Speter FEATURE(`use_cw_file') 67738032Speter 67864562Sgshapirotells sendmail that you want to have it read an /etc/mail/local-host-names 67990792Sgshapirofile to get values for class {w}. A FEATURE may contain up to 9 68064562Sgshapirooptional parameters -- for example: 68138032Speter 68243730Speter FEATURE(`mailertable', `dbm /usr/lib/mailertable') 68338032Speter 68438032SpeterThe default database map type for the table features can be set with 68564562Sgshapiro 68638032Speter define(`DATABASE_MAP_TYPE', `dbm') 68738032Speter 68838032Speterwhich would set it to use ndbm databases. The default is the Berkeley DB 68938032Speterhash database format. Note that you must still declare a database map type 69038032Speterif you specify an argument to a FEATURE. DATABASE_MAP_TYPE is only used 69164562Sgshapiroif no argument is given for the FEATURE. It must be specified before any 69264562Sgshapirofeature that uses a map. 69338032Speter 69490792SgshapiroAlso, features which can take a map definition as an argument can also take 69590792Sgshapirothe special keyword `LDAP'. If that keyword is used, the map will use the 69690792SgshapiroLDAP definition described in the ``USING LDAP FOR ALIASES, MAPS, AND 69790792SgshapiroCLASSES'' section below. 69890792Sgshapiro 69938032SpeterAvailable features are: 70038032Speter 70164562Sgshapirouse_cw_file Read the file /etc/mail/local-host-names file to get 70264562Sgshapiro alternate names for this host. This might be used if you 70364562Sgshapiro were on a host that MXed for a dynamic set of other hosts. 70464562Sgshapiro If the set is static, just including the line "Cw<name1> 70564562Sgshapiro <name2> ..." (where the names are fully qualified domain 70664562Sgshapiro names) is probably superior. The actual filename can be 70764562Sgshapiro overridden by redefining confCW_FILE. 70838032Speter 70964562Sgshapirouse_ct_file Read the file /etc/mail/trusted-users file to get the 71064562Sgshapiro names of users that will be ``trusted'', that is, able to 71164562Sgshapiro set their envelope from address using -f without generating 71264562Sgshapiro a warning message. The actual filename can be overridden 71364562Sgshapiro by redefining confCT_FILE. 71438032Speter 71538032Speterredirect Reject all mail addressed to "address.REDIRECT" with 71664562Sgshapiro a ``551 User has moved; please try <address>'' message. 71738032Speter If this is set, you can alias people who have left 71838032Speter to their new address with ".REDIRECT" appended. 71938032Speter 72064562Sgshapironouucp Don't route UUCP addresses. This feature takes one 72164562Sgshapiro parameter: 72264562Sgshapiro `reject': reject addresses which have "!" in the local 72364562Sgshapiro part unless it originates from a system 72464562Sgshapiro that is allowed to relay. 72564562Sgshapiro `nospecial': don't do anything special with "!". 72690792Sgshapiro Warnings: 1. See the notice in the anti-spam section. 72764562Sgshapiro 2. don't remove "!" from OperatorChars if `reject' is 72864562Sgshapiro given as parameter. 72938032Speter 73064562Sgshapironocanonify Don't pass addresses to $[ ... $] for canonification 73171345Sgshapiro by default, i.e., host/domain names are considered canonical, 73271345Sgshapiro except for unqualified names, which must not be used in this 73371345Sgshapiro mode (violation of the standard). It can be changed by 73471345Sgshapiro setting the DaemonPortOptions modifiers (M=). That is, 73564562Sgshapiro FEATURE(`nocanonify') will be overridden by setting the 73664562Sgshapiro 'c' flag. Conversely, if FEATURE(`nocanonify') is not used, 73764562Sgshapiro it can be emulated by setting the 'C' flag 73864562Sgshapiro (DaemonPortOptions=Modifiers=C). This would generally only 73964562Sgshapiro be used by sites that only act as mail gateways or which have 74064562Sgshapiro user agents that do full canonification themselves. You may 74164562Sgshapiro also want to use 74264562Sgshapiro "define(`confBIND_OPTS', `-DNSRCH -DEFNAMES')" to turn off 74364562Sgshapiro the usual resolver options that do a similar thing. 74438032Speter 74564562Sgshapiro An exception list for FEATURE(`nocanonify') can be 74664562Sgshapiro specified with CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE, 74764562Sgshapiro i.e., a list of domains which are nevertheless passed to 74864562Sgshapiro $[ ... $] for canonification. This is useful to turn on 74964562Sgshapiro canonification for local domains, e.g., use 75064562Sgshapiro CANONIFY_DOMAIN(`my.domain my') to canonify addresses 75164562Sgshapiro which end in "my.domain" or "my". 75264562Sgshapiro Another way to require canonification in the local 75364562Sgshapiro domain is CANONIFY_DOMAIN(`$=m'). 75464562Sgshapiro 75564562Sgshapiro A trailing dot is added to addresses with more than 75664562Sgshapiro one component in it such that other features which 75764562Sgshapiro expect a trailing dot (e.g., virtusertable) will 75864562Sgshapiro still work. 75964562Sgshapiro 76064562Sgshapiro If `canonify_hosts' is specified as parameter, i.e., 76164562Sgshapiro FEATURE(`nocanonify', `canonify_hosts'), then 76264562Sgshapiro addresses which have only a hostname, e.g., 76364562Sgshapiro <user@host>, will be canonified (and hopefully fully 76464562Sgshapiro qualified), too. 76564562Sgshapiro 76671345Sgshapirostickyhost This feature is sometimes used with LOCAL_RELAY, 76771345Sgshapiro although it can be used for a different effect with 76871345Sgshapiro MAIL_HUB. 76938032Speter 77073188Sgshapiro When used without MAIL_HUB, email sent to 77171345Sgshapiro "user@local.host" are marked as "sticky" -- that 77271345Sgshapiro is, the local addresses aren't matched against UDB, 77371345Sgshapiro don't go through ruleset 5, and are not forwarded to 77471345Sgshapiro the LOCAL_RELAY (if defined). 77571345Sgshapiro 77671345Sgshapiro With MAIL_HUB, mail addressed to "user@local.host" 77771345Sgshapiro is forwarded to the mail hub, with the envelope 77871345Sgshapiro address still remaining "user@local.host". 77971345Sgshapiro Without stickyhost, the envelope would be changed 78071345Sgshapiro to "user@mail_hub", in order to protect against 78171345Sgshapiro mailing loops. 78271345Sgshapiro 78338032Spetermailertable Include a "mailer table" which can be used to override 78464562Sgshapiro routing for particular domains (which are not in class {w}, 78564562Sgshapiro i.e. local host names). The argument of the FEATURE may be 78664562Sgshapiro the key definition. If none is specified, the definition 78764562Sgshapiro used is: 78843730Speter 78964562Sgshapiro hash /etc/mail/mailertable 79043730Speter 79138032Speter Keys in this database are fully qualified domain names 79238032Speter or partial domains preceded by a dot -- for example, 79364562Sgshapiro "vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU". As a 79464562Sgshapiro special case of the latter, "." matches any domain not 79564562Sgshapiro covered by other keys. Values must be of the form: 79638032Speter mailer:domain 79738032Speter where "mailer" is the internal mailer name, and "domain" 79838032Speter is where to send the message. These maps are not 79938032Speter reflected into the message header. As a special case, 80038032Speter the forms: 80138032Speter local:user 80238032Speter will forward to the indicated user using the local mailer, 80338032Speter local: 80438032Speter will forward to the original user in the e-mail address 80538032Speter using the local mailer, and 80638032Speter error:code message 80764562Sgshapiro error:D.S.N:code message 80864562Sgshapiro will give an error message with the indicated SMTP reply 80964562Sgshapiro code and message, where D.S.N is an RFC 1893 compliant 81064562Sgshapiro error code. 81138032Speter 81238032Speterdomaintable Include a "domain table" which can be used to provide 81338032Speter domain name mapping. Use of this should really be 81438032Speter limited to your own domains. It may be useful if you 81538032Speter change names (e.g., your company changes names from 81638032Speter oldname.com to newname.com). The argument of the 81738032Speter FEATURE may be the key definition. If none is specified, 81838032Speter the definition used is: 81943730Speter 82064562Sgshapiro hash /etc/mail/domaintable 82143730Speter 82238032Speter The key in this table is the domain name; the value is 82338032Speter the new (fully qualified) domain. Anything in the 82438032Speter domaintable is reflected into headers; that is, this 82538032Speter is done in ruleset 3. 82638032Speter 82738032Speterbitdomain Look up bitnet hosts in a table to try to turn them into 82838032Speter internet addresses. The table can be built using the 82938032Speter bitdomain program contributed by John Gardiner Myers. 83038032Speter The argument of the FEATURE may be the key definition; if 83138032Speter none is specified, the definition used is: 83243730Speter 83364562Sgshapiro hash /etc/mail/bitdomain 83443730Speter 83538032Speter Keys are the bitnet hostname; values are the corresponding 83638032Speter internet hostname. 83738032Speter 83838032Speteruucpdomain Similar feature for UUCP hosts. The default map definition 83938032Speter is: 84043730Speter 84164562Sgshapiro hash /etc/mail/uudomain 84243730Speter 84338032Speter At the moment there is no automagic tool to build this 84438032Speter database. 84538032Speter 84638032Speteralways_add_domain 84738032Speter Include the local host domain even on locally delivered 84838032Speter mail. Normally it is not added on unqualified names. 84938032Speter However, if you use a shared message store but do not use 85038032Speter the same user name space everywhere, you may need the host 85190792Sgshapiro name on local names. An optional argument specifies 85290792Sgshapiro another domain to be added than the local. 85338032Speter 85438032Speterallmasquerade If masquerading is enabled (using MASQUERADE_AS), this 85538032Speter feature will cause recipient addresses to also masquerade 85638032Speter as being from the masquerade host. Normally they get 85738032Speter the local hostname. Although this may be right for 85838032Speter ordinary users, it can break local aliases. For example, 85938032Speter if you send to "localalias", the originating sendmail will 86038032Speter find that alias and send to all members, but send the 86138032Speter message with "To: localalias@masqueradehost". Since that 86238032Speter alias likely does not exist, replies will fail. Use this 86338032Speter feature ONLY if you can guarantee that the ENTIRE 86438032Speter namespace on your masquerade host supersets all the 86538032Speter local entries. 86638032Speter 86738032Speterlimited_masquerade 86864562Sgshapiro Normally, any hosts listed in class {w} are masqueraded. If 86964562Sgshapiro this feature is given, only the hosts listed in class {M} (see 87064562Sgshapiro below: MASQUERADE_DOMAIN) are masqueraded. This is useful 87164562Sgshapiro if you have several domains with disjoint namespaces hosted 87264562Sgshapiro on the same machine. 87338032Speter 87438032Spetermasquerade_entire_domain 87564562Sgshapiro If masquerading is enabled (using MASQUERADE_AS) and 87638032Speter MASQUERADE_DOMAIN (see below) is set, this feature will 87738032Speter cause addresses to be rewritten such that the masquerading 87838032Speter domains are actually entire domains to be hidden. All 87938032Speter hosts within the masquerading domains will be rewritten 88038032Speter to the masquerade name (used in MASQUERADE_AS). For example, 88138032Speter if you have: 88238032Speter 88364562Sgshapiro MASQUERADE_AS(`masq.com') 88464562Sgshapiro MASQUERADE_DOMAIN(`foo.org') 88564562Sgshapiro MASQUERADE_DOMAIN(`bar.com') 88638032Speter 88738032Speter then *foo.org and *bar.com are converted to masq.com. Without 88838032Speter this feature, only foo.org and bar.com are masqueraded. 88938032Speter 89038032Speter NOTE: only domains within your jurisdiction and 89138032Speter current hierarchy should be masqueraded using this. 89238032Speter 89390792Sgshapirolocal_no_masquerade 89490792Sgshapiro This feature prevents the local mailer from masquerading even 89590792Sgshapiro if MASQUERADE_AS is used. MASQUERADE_AS will only have effect 89690792Sgshapiro on addresses of mail going outside the local domain. 89790792Sgshapiro 89864562Sgshapirogenericstable This feature will cause unqualified addresses (i.e., without 89964562Sgshapiro a domain) and addresses with a domain listed in class {G} 90064562Sgshapiro to be looked up in a map and turned into another ("generic") 90164562Sgshapiro form, which can change both the domain name and the user name. 90290792Sgshapiro Notice: if you use an MSP (as it is default starting with 90390792Sgshapiro 8.12), the MTA will only receive qualified addresses from the 90490792Sgshapiro MSP (as required by the RFCs). Hence you need to add your 90590792Sgshapiro domain to class {G}. This feature is similar to the userdb 90690792Sgshapiro functionality. The same types of addresses as for 90790792Sgshapiro masquerading are looked up, i.e., only header sender 90890792Sgshapiro addresses unless the allmasquerade and/or masquerade_envelope 90990792Sgshapiro features are given. Qualified addresses must have the domain 91090792Sgshapiro part in class {G}; entries can be added to this class by the 91190792Sgshapiro macros GENERICS_DOMAIN or GENERICS_DOMAIN_FILE (analogously 91290792Sgshapiro to MASQUERADE_DOMAIN and MASQUERADE_DOMAIN_FILE, see below). 91338032Speter 91443730Speter The argument of FEATURE(`genericstable') may be the map 91538032Speter definition; the default map definition is: 91638032Speter 91764562Sgshapiro hash /etc/mail/genericstable 91838032Speter 91964562Sgshapiro The key for this table is either the full address, the domain 92064562Sgshapiro (with a leading @; the localpart is passed as first argument) 92164562Sgshapiro or the unqualified username (tried in the order mentioned); 92264562Sgshapiro the value is the new user address. If the new user address 92364562Sgshapiro does not include a domain, it will be qualified in the standard 92464562Sgshapiro manner, i.e., using $j or the masquerade name. Note that the 92538032Speter address being looked up must be fully qualified. For local 92643730Speter mail, it is necessary to use FEATURE(`always_add_domain') 92743730Speter for the addresses to be qualified. 92864562Sgshapiro The "+detail" of an address is passed as %1, so entries like 92938032Speter 93064562Sgshapiro old+*@foo.org new+%1@example.com 93164562Sgshapiro gen+*@foo.org %1@example.com 93264562Sgshapiro 93364562Sgshapiro and other forms are possible. 93464562Sgshapiro 93564562Sgshapirogenerics_entire_domain 93664562Sgshapiro If the genericstable is enabled and GENERICS_DOMAIN or 93764562Sgshapiro GENERICS_DOMAIN_FILE is used, this feature will cause 93864562Sgshapiro addresses to be searched in the map if their domain 93964562Sgshapiro parts are subdomains of elements in class {G}. 94064562Sgshapiro 94138032Spetervirtusertable A domain-specific form of aliasing, allowing multiple 94238032Speter virtual domains to be hosted on one machine. For example, 94338032Speter if the virtuser table contained: 94438032Speter 94538032Speter info@foo.com foo-info 94638032Speter info@bar.com bar-info 94790792Sgshapiro joe@bar.com error:nouser 550 No such user here 94890792Sgshapiro jax@bar.com error:5.7.0:550 Address invalid 94964562Sgshapiro @baz.org jane@example.net 95038032Speter 95138032Speter then mail addressed to info@foo.com will be sent to the 95238032Speter address foo-info, mail addressed to info@bar.com will be 95364562Sgshapiro delivered to bar-info, and mail addressed to anyone at baz.org 95464562Sgshapiro will be sent to jane@example.net, mail to joe@bar.com will 95564562Sgshapiro be rejected with the specified error message, and mail to 95664562Sgshapiro jax@bar.com will also have a RFC 1893 compliant error code 95790792Sgshapiro 5.7.0. 95838032Speter 95964562Sgshapiro The username from the original address is passed 96064562Sgshapiro as %1 allowing: 96138032Speter 96264562Sgshapiro @foo.org %1@example.com 96338032Speter 96464562Sgshapiro meaning someone@foo.org will be sent to someone@example.com. 96564562Sgshapiro Additionally, if the local part consists of "user+detail" 96690792Sgshapiro then "detail" is passed as %2 and "+detail" is passed as %3 96790792Sgshapiro when a match against user+* is attempted, so entries like 96864562Sgshapiro 96964562Sgshapiro old+*@foo.org new+%2@example.com 97064562Sgshapiro gen+*@foo.org %2@example.com 97190792Sgshapiro +*@foo.org %1%3@example.com 97290792Sgshapiro X++@foo.org Z%3@example.com 97390792Sgshapiro @bar.org %1%3 97464562Sgshapiro 97564562Sgshapiro and other forms are possible. Note: to preserve "+detail" 97690792Sgshapiro for a default case (@domain) %1%3 must be used as RHS. 97790792Sgshapiro There are two wildcards after "+": "+" matches only a non-empty 97890792Sgshapiro detail, "*" matches also empty details, e.g., user+@foo.org 97990792Sgshapiro matches +*@foo.org but not ++@foo.org. This can be used 98090792Sgshapiro to ensure that the parameters %2 and %3 are not empty. 98164562Sgshapiro 98238032Speter All the host names on the left hand side (foo.com, bar.com, 98390792Sgshapiro and baz.org) must be in class {w} or class {VirtHost}. The 98464562Sgshapiro latter can be defined by the macros VIRTUSER_DOMAIN or 98564562Sgshapiro VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 98664562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or 98764562Sgshapiro VIRTUSER_DOMAIN_FILE is used, then the entries of class 98864562Sgshapiro {VirtHost} are added to class {R}, i.e., relaying is allowed 98964562Sgshapiro to (and from) those domains. The default map definition is: 99038032Speter 99164562Sgshapiro hash /etc/mail/virtusertable 99238032Speter 99338032Speter A new definition can be specified as the second argument of 99438032Speter the FEATURE macro, such as 99538032Speter 99664562Sgshapiro FEATURE(`virtusertable', `dbm /etc/mail/virtusers') 99738032Speter 99864562Sgshapirovirtuser_entire_domain 99964562Sgshapiro If the virtusertable is enabled and VIRTUSER_DOMAIN or 100064562Sgshapiro VIRTUSER_DOMAIN_FILE is used, this feature will cause 100164562Sgshapiro addresses to be searched in the map if their domain 100264562Sgshapiro parts are subdomains of elements in class {VirtHost}. 100364562Sgshapiro 100464562Sgshapiroldap_routing Implement LDAP-based e-mail recipient routing according to 100564562Sgshapiro the Internet Draft draft-lachman-laser-ldap-mail-routing-01. 100664562Sgshapiro This provides a method to re-route addresses with a 100764562Sgshapiro domain portion in class {LDAPRoute} to either a 100864562Sgshapiro different mail host or a different address. Hosts can 100964562Sgshapiro be added to this class using LDAPROUTE_DOMAIN and 101064562Sgshapiro LDAPROUTE_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 101164562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 101264562Sgshapiro 101364562Sgshapiro See the LDAP ROUTING section below for more information. 101464562Sgshapiro 101564562Sgshapironodns If you aren't running DNS at your site (for example, 101664562Sgshapiro you are UUCP-only connected). It's hard to consider 101738032Speter this a "feature", but hey, it had to go somewhere. 101838032Speter Actually, as of 8.7 this is a no-op -- remove "dns" from 101938032Speter the hosts service switch entry instead. 102038032Speter 102164562Sgshapironullclient This is a special case -- it creates a configuration file 102264562Sgshapiro containing nothing but support for forwarding all mail to a 102364562Sgshapiro central hub via a local SMTP-based network. The argument 102464562Sgshapiro is the name of that hub. 102564562Sgshapiro 102638032Speter The only other feature that should be used in conjunction 102764562Sgshapiro with this one is FEATURE(`nocanonify'). No mailers 102838032Speter should be defined. No aliasing or forwarding is done. 102938032Speter 103038032Speterlocal_lmtp Use an LMTP capable local mailer. The argument to this 103138032Speter feature is the pathname of an LMTP capable mailer. By 103238032Speter default, mail.local is used. This is expected to be the 103338032Speter mail.local which came with the 8.9 distribution which is 103438032Speter LMTP capable. The path to mail.local is set by the 103538032Speter confEBINDIR m4 variable -- making the default 103638032Speter LOCAL_MAILER_PATH /usr/libexec/mail.local. 103764562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 103864562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 103938032Speter 104064562Sgshapirolocal_procmail Use procmail or another delivery agent as the local mailer. 104164562Sgshapiro The argument to this feature is the pathname of the 104264562Sgshapiro delivery agent, which defaults to PROCMAIL_MAILER_PATH. 104364562Sgshapiro Note that this does NOT use PROCMAIL_MAILER_FLAGS or 104464562Sgshapiro PROCMAIL_MAILER_ARGS for the local mailer; tweak 104564562Sgshapiro LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS instead, or 104664562Sgshapiro specify the appropriate parameters. When procmail is used, 104764562Sgshapiro the local mailer can make use of the 104864562Sgshapiro "user+indicator@local.host" syntax; normally the +indicator 104964562Sgshapiro is just tossed, but by default it is passed as the -a 105064562Sgshapiro argument to procmail. 105138032Speter 105264562Sgshapiro This feature can take up to three arguments: 105364562Sgshapiro 105464562Sgshapiro 1. Path to the mailer program 105564562Sgshapiro [default: /usr/local/bin/procmail] 105664562Sgshapiro 2. Argument vector including name of the program 105764562Sgshapiro [default: procmail -Y -a $h -d $u] 105864562Sgshapiro 3. Flags for the mailer [default: SPfhn9] 105964562Sgshapiro 106064562Sgshapiro Empty arguments cause the defaults to be taken. 106164562Sgshapiro 106264562Sgshapiro For example, this allows it to use the maildrop 106364562Sgshapiro (http://www.flounder.net/~mrsam/maildrop/) mailer instead 106464562Sgshapiro by specifying: 106564562Sgshapiro 106664562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/maildrop', 106764562Sgshapiro `maildrop -d $u') 106864562Sgshapiro 106964562Sgshapiro or scanmails using: 107064562Sgshapiro 107164562Sgshapiro FEATURE(`local_procmail', `/usr/local/bin/scanmails') 107264562Sgshapiro 107364562Sgshapiro WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally, 107464562Sgshapiro i.e., without respecting any definitions in an OSTYPE setting. 107564562Sgshapiro 107638032Speterbestmx_is_local Accept mail as though locally addressed for any host that 107738032Speter lists us as the best possible MX record. This generates 107838032Speter additional DNS traffic, but should be OK for low to 107938032Speter medium traffic hosts. The argument may be a set of 108038032Speter domains, which will limit the feature to only apply to 108138032Speter these domains -- this will reduce unnecessary DNS 108238032Speter traffic. THIS FEATURE IS FUNDAMENTALLY INCOMPATIBLE WITH 108338032Speter WILDCARD MX RECORDS!!! If you have a wildcard MX record 108438032Speter that matches your domain, you cannot use this feature. 108538032Speter 108638032Spetersmrsh Use the SendMail Restricted SHell (smrsh) provided 108738032Speter with the distribution instead of /bin/sh for mailing 108838032Speter to programs. This improves the ability of the local 108938032Speter system administrator to control what gets run via 109038032Speter e-mail. If an argument is provided it is used as the 109138032Speter pathname to smrsh; otherwise, the path defined by 109238032Speter confEBINDIR is used for the smrsh binary -- by default, 109338032Speter /usr/libexec/smrsh is assumed. 109438032Speter 109538032Speterpromiscuous_relay 109638032Speter By default, the sendmail configuration files do not permit 109738032Speter mail relaying (that is, accepting mail from outside your 109864562Sgshapiro local host (class {w}) and sending it to another host than 109964562Sgshapiro your local host). This option sets your site to allow 110064562Sgshapiro mail relaying from any site to any site. In almost all 110164562Sgshapiro cases, it is better to control relaying more carefully 110264562Sgshapiro with the access map, class {R}, or authentication. Domains 110364562Sgshapiro can be added to class {R} by the macros RELAY_DOMAIN or 110464562Sgshapiro RELAY_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and 110564562Sgshapiro MASQUERADE_DOMAIN_FILE, see below). 110638032Speter 110738032Speterrelay_entire_domain 110898121Sgshapiro This option allows any host in your domain as defined by 110998121Sgshapiro class {m} to use your server for relaying. Notice: make 111098121Sgshapiro sure that your domain is not just a top level domain, 111198121Sgshapiro e.g., com. This can happen if you give your host a name 111298121Sgshapiro like example.com instead of host.example.com. 111338032Speter 111438032Speterrelay_hosts_only 111538032Speter By default, names that are listed as RELAY in the access 111698121Sgshapiro db and class {R} are treated as domain names, not host names. 111738032Speter For example, if you specify ``foo.com'', then mail to or 111838032Speter from foo.com, abc.foo.com, or a.very.deep.domain.foo.com 111938032Speter will all be accepted for relaying. This feature changes 112038032Speter the behaviour to lookup individual host names only. 112138032Speter 112238032Speterrelay_based_on_MX 112338032Speter Turns on the ability to allow relaying based on the MX 112442575Speter records of the host portion of an incoming recipient; that 112542575Speter is, if an MX record for host foo.com points to your site, 112642575Speter you will accept and relay mail addressed to foo.com. See 112738032Speter description below for more information before using this 112842575Speter feature. Also, see the KNOWNBUGS entry regarding bestmx 112942575Speter map lookups. 113038032Speter 113143730Speter FEATURE(`relay_based_on_MX') does not necessarily allow 113242575Speter routing of these messages which you expect to be allowed, 113342575Speter if route address syntax (or %-hack syntax) is used. If 113442575Speter this is a problem, add entries to the access-table or use 113543730Speter FEATURE(`loose_relay_check'). 113642575Speter 113764562Sgshapirorelay_mail_from 113864562Sgshapiro Allows relaying if the mail sender is listed as RELAY in 113964562Sgshapiro the access map. If an optional argument `domain' is given, 114090792Sgshapiro relaying can be allowed just based on the domain portion 114190792Sgshapiro of the sender address. This feature should only be used if 114290792Sgshapiro absolutely necessary as the sender address can be easily 114398121Sgshapiro forged. Use of this feature requires the "From:" tag to 114498121Sgshapiro be used for the key in the access map; see the discussion 114590792Sgshapiro of tags and FEATURE(`relay_mail_from') in the section on 114690792Sgshapiro anti-spam configuration control. 114764562Sgshapiro 114838032Speterrelay_local_from 114938032Speter Allows relaying if the domain portion of the mail sender 115038032Speter is a local host. This should only be used if absolutely 115142575Speter necessary as it opens a window for spammers. Specifically, 115242575Speter they can send mail to your mail server that claims to be 115342575Speter from your domain (either directly or via a routed address), 115442575Speter and you will go ahead and relay it out to arbitrary hosts 115542575Speter on the Internet. 115664562Sgshapiro 115738032Speteraccept_unqualified_senders 115838032Speter Normally, MAIL FROM: commands in the SMTP session will be 115938032Speter refused if the connection is a network connection and the 116038032Speter sender address does not include a domain name. If your 116164562Sgshapiro setup sends local mail unqualified (i.e., MAIL FROM: <joe>), 116238032Speter you will need to use this feature to accept unqualified 116364562Sgshapiro sender addresses. Setting the DaemonPortOptions modifier 116464562Sgshapiro 'u' overrides the default behavior, i.e., unqualified 116564562Sgshapiro addresses are accepted even without this FEATURE. 116664562Sgshapiro If this FEATURE is not used, the DaemonPortOptions modifier 116764562Sgshapiro 'f' can be used to enforce fully qualified addresses. 116864562Sgshapiro 116938032Speteraccept_unresolvable_domains 117038032Speter Normally, MAIL FROM: commands in the SMTP session will be 117164562Sgshapiro refused if the host part of the argument to MAIL FROM: 117264562Sgshapiro cannot be located in the host name service (e.g., an A or 117364562Sgshapiro MX record in DNS). If you are inside a firewall that has 117464562Sgshapiro only a limited view of the Internet host name space, this 117564562Sgshapiro could cause problems. In this case you probably want to 117664562Sgshapiro use this feature to accept all domains on input, even if 117764562Sgshapiro they are unresolvable. 117838032Speter 117938032Speteraccess_db Turns on the access database feature. The access db gives 118038032Speter you the ability to allow or refuse to accept mail from 118190792Sgshapiro specified domains for administrative reasons. Moreover, 118290792Sgshapiro it can control the behavior of sendmail in various situations. 118390792Sgshapiro By default, the access database specification is: 118438032Speter 118590792Sgshapiro hash -T<TMPF> /etc/mail/access 118643730Speter 118790792Sgshapiro See the anti-spam configuration control section for further 118890792Sgshapiro important information about this feature. Notice: 118990792Sgshapiro "-T<TMPF>" is meant literal, do not replace it by anything. 119043730Speter 119138032Speterblacklist_recipients 119238032Speter Turns on the ability to block incoming mail for certain 119338032Speter recipient usernames, hostnames, or addresses. For 119438032Speter example, you can block incoming mail to user nobody, 119538032Speter host foo.mydomain.com, or guest@bar.mydomain.com. 119638032Speter These specifications are put in the access db as 119764562Sgshapiro described in the anti-spam configuration control section 119864562Sgshapiro later in this document. 119938032Speter 120071345Sgshapirodelay_checks The rulesets check_mail and check_relay will not be called 120171345Sgshapiro when a client connects or issues a MAIL command, respectively. 120271345Sgshapiro Instead, those rulesets will be called by the check_rcpt 120371345Sgshapiro ruleset; they will be skipped under certain circumstances. 120490792Sgshapiro See "Delay all checks" in the anti-spam configuration control 120590792Sgshapiro section. Note: this feature is incompatible to the versions 120690792Sgshapiro in 8.10 and 8.11. 120771345Sgshapiro 120864562Sgshapirodnsbl Turns on rejection of hosts found in an DNS based rejection 120964562Sgshapiro list. If an argument is provided it is used as the domain 121064562Sgshapiro in which blocked hosts are listed; otherwise it defaults to 121171345Sgshapiro blackholes.mail-abuse.org. An explanation for an DNS based 121290792Sgshapiro rejection list can be found at http://mail-abuse.org/rbl/. 121390792Sgshapiro A second argument can be used to change the default error 121490792Sgshapiro message. Without that second argument, the error message 121590792Sgshapiro will be 121690792Sgshapiro Mail from IP-ADDRESS refused by blackhole site SERVER 121790792Sgshapiro where IP-ADDRESS and SERVER are replaced by the appropriate 121890792Sgshapiro information. By default, temporary lookup failures are 121990792Sgshapiro ignored. This behavior can be changed by specifying a 122090792Sgshapiro third argument, which must be either `t' or a full error 122190792Sgshapiro message. See the anti-spam configuration control section for 122290792Sgshapiro an example. The dnsbl feature can be included several times 122390792Sgshapiro to query different DNS based rejection lists. See also 122490792Sgshapiro enhdnsbl for an enhanced version. 122564562Sgshapiro 122698121Sgshapiro Some DNS based rejection lists cause failures if asked 122798121Sgshapiro for AAAA records. If your sendmail version is compiled 122898121Sgshapiro with IPv6 support (NETINET6) and you experience this 122998121Sgshapiro problem, add 123098121Sgshapiro 123198121Sgshapiro define(`DNSBL_MAP', `dns -R A') 123298121Sgshapiro 123398121Sgshapiro before the first use of this feature. Alternatively you 123498121Sgshapiro can use enhdnsbl instead (see below). 123598121Sgshapiro 123680785Sgshapiro NOTE: The default DNS blacklist, blackholes.mail-abuse.org, 123780785Sgshapiro is a service offered by the Mail Abuse Prevention System 123880785Sgshapiro (MAPS). As of July 31, 2001, MAPS is a subscription 123980785Sgshapiro service, so using that network address won't work if you 124080785Sgshapiro haven't subscribed. Contact MAPS to subscribe 124180785Sgshapiro (http://mail-abuse.org/). 124280785Sgshapiro 124390792Sgshapiroenhdnsbl Enhanced version of dnsbl (see above). Further arguments 124490792Sgshapiro (up to 5) can be used to specify specific return values 124590792Sgshapiro from lookups. Temporary lookup failures are ignored unless 124690792Sgshapiro a third argument is given, which must be either `t' or a full 124790792Sgshapiro error message. By default, any successful lookup will 124890792Sgshapiro generate an error. Otherwise the result of the lookup is 124990792Sgshapiro compared with the supplied argument(s), and only if a match 125090792Sgshapiro occurs an error is generated. For example, 125190792Sgshapiro 125290792Sgshapiro FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2.') 125390792Sgshapiro 125490792Sgshapiro will reject the e-mail if the lookup returns the value 125590792Sgshapiro ``127.0.0.2.'', or generate a 451 response if the lookup 125690792Sgshapiro temporarily failed. The arguments can contain metasymbols 125790792Sgshapiro as they are allowed in the LHS of rules. As the example 125890792Sgshapiro shows, the default values are also used if an empty argument, 125990792Sgshapiro i.e., `', is specified. This feature requires that sendmail 126090792Sgshapiro has been compiled with the flag DNSMAP (see sendmail/README). 126190792Sgshapiro 126290792Sgshapirolookupdotdomain Look up also .domain in the access map. This allows to 126390792Sgshapiro match only subdomains. It does not work well with 126490792Sgshapiro FEATURE(`relay_hosts_only'), because most lookups for 126590792Sgshapiro subdomains are suppressed by the latter feature. 126690792Sgshapiro 126738032Speterloose_relay_check 126864562Sgshapiro Normally, if % addressing is used for a recipient, e.g. 126964562Sgshapiro user%site@othersite, and othersite is in class {R}, the 127038032Speter check_rcpt ruleset will strip @othersite and recheck 127138032Speter user@site for relaying. This feature changes that 127238032Speter behavior. It should not be needed for most installations. 127338032Speter 127490792Sgshapiroauthinfo Provide a separate map for client side authentication 127590792Sgshapiro information. See SMTP AUTHENTICATION for details. 127690792Sgshapiro By default, the authinfo database specification is: 127790792Sgshapiro 127890792Sgshapiro hash /etc/mail/authinfo 127990792Sgshapiro 128090792Sgshapiropreserve_luser_host 128190792Sgshapiro Preserve the name of the recipient host if LUSER_RELAY is 128290792Sgshapiro used. Without this option, the domain part of the 128390792Sgshapiro recipient address will be replaced by the host specified as 128490792Sgshapiro LUSER_RELAY. This feature only works if the hostname is 128590792Sgshapiro passed to the mailer (see mailer triple in op.me). Note 128690792Sgshapiro that in the default configuration the local mailer does not 128790792Sgshapiro receive the hostname, i.e., the mailer triple has an empty 128890792Sgshapiro hostname. 128990792Sgshapiro 129090792Sgshapiropreserve_local_plus_detail 129190792Sgshapiro Preserve the +detail portion of the address when passing 129290792Sgshapiro address to local delivery agent. Disables alias and 129390792Sgshapiro .forward +detail stripping (e.g., given user+detail, only 129490792Sgshapiro that address will be looked up in the alias file; user+* and 129590792Sgshapiro user will not be looked up). Only use if the local 129690792Sgshapiro delivery agent in use supports +detail addressing. 129790792Sgshapiro 129890792Sgshapirocompat_check Enable ruleset check_compat to look up pairs of addresses 129990792Sgshapiro with the Compat: tag -- Compat:sender<@>recipient -- in the 130090792Sgshapiro access map. Valid values for the RHS include 130190792Sgshapiro DISCARD silently discard recipient 130290792Sgshapiro TEMP: return a temporary error 130390792Sgshapiro ERROR: return a permanent error 130490792Sgshapiro In the last two cases, a 4xy/5xy SMTP reply code should 130590792Sgshapiro follow the colon. 130690792Sgshapiro 130764562Sgshapirono_default_msa Don't generate the default MSA daemon, i.e., 130864562Sgshapiro DAEMON_OPTIONS(`Port=587,Name=MSA,M=E') 130964562Sgshapiro To define a MSA daemon with other parameters, use this 131064562Sgshapiro FEATURE and introduce new settings via DAEMON_OPTIONS(). 131138032Speter 131290792Sgshapiromsp Defines config file for Message Submission Program. 131394334Sgshapiro See sendmail/SECURITY for details and cf/cf/submit.mc how 131494334Sgshapiro to use it. An optional argument can be used to override 131594334Sgshapiro the default of `[localhost]' to use as host to send all 131694334Sgshapiro e-mails to. Note that MX records will be used if the 131794334Sgshapiro specified hostname is not in square brackets (e.g., 131894334Sgshapiro [hostname]). If `MSA' is specified as second argument then 131994334Sgshapiro port 587 is used to contact the server. Example: 132090792Sgshapiro 132190792Sgshapiro FEATURE(`msp', `', `MSA') 132290792Sgshapiro 132390792Sgshapiro Some more hints about possible changes can be found below 132490792Sgshapiro in the section MESSAGE SUBMISSION PROGRAM. 132590792Sgshapiro 132698121Sgshapiro Note: if localhost doesn't resolve to the IP address 132798121Sgshapiro of your local system (127.0.0.1 or ::1 for IPv6), 132898121Sgshapiro then you either need to fix your hostname resolution 132998121Sgshapiro (localhost and localhost.YOUR.DOMAIN should resolve 133098121Sgshapiro to that address by convention) or you need to specify 133198121Sgshapiro the IP address as argument, e.g., 133298121Sgshapiro 133398121Sgshapiro FEATURE(`msp', `[127.0.0.1]') 133498121Sgshapiro 133590792Sgshapiroqueuegroup A simple example how to select a queue group based 133690792Sgshapiro on the full e-mail address or the domain of the 133790792Sgshapiro recipient. Selection is done via entries in the 133890792Sgshapiro access map using the tag QGRP:, for example: 133990792Sgshapiro 134090792Sgshapiro QGRP:example.com main 134190792Sgshapiro QGRP:friend@some.org others 134290792Sgshapiro QGRP:my.domain local 134390792Sgshapiro 134490792Sgshapiro where "main", "others", and "local" are names of 134590792Sgshapiro queue groups. If an argument is specified, it is used 134690792Sgshapiro as default queue group. 134790792Sgshapiro 134894334Sgshapiro Note: please read the warning in doc/op/op.me about 134994334Sgshapiro queue groups and possible queue manipulations. 135094334Sgshapiro 135138032Speter+-------+ 135238032Speter| HACKS | 135338032Speter+-------+ 135438032Speter 135538032SpeterSome things just can't be called features. To make this clear, 135638032Speterthey go in the hack subdirectory and are referenced using the HACK 135738032Spetermacro. These will tend to be site-dependent. The release 135838032Speterincludes the Berkeley-dependent "cssubdomain" hack (that makes 135938032Spetersendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU; 136064562Sgshapirothis is intended as a short-term aid while moving hosts into 136138032Spetersubdomains. 136238032Speter 136338032Speter 136438032Speter+--------------------+ 136538032Speter| SITE CONFIGURATION | 136638032Speter+--------------------+ 136738032Speter 136838032Speter ***************************************************** 136938032Speter * This section is really obsolete, and is preserved * 137038032Speter * only for back compatibility. You should plan on * 137190792Sgshapiro * using mailertables for new installations. In * 137238032Speter * particular, it doesn't work for the newer forms * 137338032Speter * of UUCP mailers, such as uucp-uudom. * 137438032Speter ***************************************************** 137538032Speter 137638032SpeterComplex sites will need more local configuration information, such as 137738032Speterlists of UUCP hosts they speak with directly. This can get a bit more 137838032Spetertricky. For an example of a "complex" site, see cf/ucbvax.mc. 137938032Speter 138038032SpeterThe SITECONFIG macro allows you to indirectly reference site-dependent 138138032Speterconfiguration information stored in the siteconfig subdirectory. For 138238032Speterexample, the line 138338032Speter 138464562Sgshapiro SITECONFIG(`uucp.ucbvax', `ucbvax', `U') 138538032Speter 138638032Speterreads the file uucp.ucbvax for local connection information. The 138738032Spetersecond parameter is the local name (in this case just "ucbvax" since 138838032Speterit is locally connected, and hence a UUCP hostname). The third 138938032Speterparameter is the name of both a macro to store the local name (in 139064562Sgshapirothis case, {U}) and the name of the class (e.g., {U}) in which to store 139138032Speterthe host information read from the file. Another SITECONFIG line reads 139238032Speter 139364562Sgshapiro SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W') 139438032Speter 139538032SpeterThis says that the file uucp.ucbarpa contains the list of UUCP sites 139664562Sgshapiroconnected to ucbarpa.Berkeley.EDU. Class {W} will be used to 139738032Speterstore this list, and $W is defined to be ucbarpa.Berkeley.EDU, that 139838032Speteris, the name of the relay to which the hosts listed in uucp.ucbarpa 139964562Sgshapiroare connected. [The machine ucbarpa is gone now, but this 140064562Sgshapiroout-of-date configuration file has been left around to demonstrate 140164562Sgshapirohow you might do this.] 140238032Speter 140338032SpeterNote that the case of SITECONFIG with a third parameter of ``U'' is 140438032Speterspecial; the second parameter is assumed to be the UUCP name of the 140538032Speterlocal site, rather than the name of a remote site, and the UUCP name 140664562Sgshapirois entered into class {w} (the list of local hostnames) as $U.UUCP. 140738032Speter 140838032SpeterThe siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing 140938032Spetermore than a sequence of SITE macros describing connectivity. For 141038032Speterexample: 141138032Speter 141264562Sgshapiro SITE(`cnmat') 141364562Sgshapiro SITE(`sgi olympus') 141438032Speter 141538032SpeterThe second example demonstrates that you can use two names on the 141638032Spetersame line; these are usually aliases for the same host (or are at 141738032Speterleast in the same company). 141838032Speter 141938032Speter 142038032Speter+--------------------+ 142138032Speter| USING UUCP MAILERS | 142238032Speter+--------------------+ 142338032Speter 142438032SpeterIt's hard to get UUCP mailers right because of the extremely ad hoc 142538032Speternature of UUCP addressing. These config files are really designed 142638032Speterfor domain-based addressing, even for UUCP sites. 142738032Speter 142838032SpeterThere are four UUCP mailers available. The choice of which one to 142938032Speteruse is partly a matter of local preferences and what is running at 143038032Speterthe other end of your UUCP connection. Unlike good protocols that 143138032Speterdefine what will go over the wire, UUCP uses the policy that you 143238032Spetershould do what is right for the other end; if they change, you have 143338032Speterto change. This makes it hard to do the right thing, and discourages 143438032Speterpeople from updating their software. In general, if you can avoid 143538032SpeterUUCP, please do. 143638032Speter 143738032SpeterThe major choice is whether to go for a domainized scheme or a 143838032Speternon-domainized scheme. This depends entirely on what the other 143938032Speterend will recognize. If at all possible, you should encourage the 144038032Speterother end to go to a domain-based system -- non-domainized addresses 144138032Speterdon't work entirely properly. 144238032Speter 144338032SpeterThe four mailers are: 144438032Speter 144538032Speter uucp-old (obsolete name: "uucp") 144638032Speter This is the oldest, the worst (but the closest to UUCP) way of 144738032Speter sending messages accros UUCP connections. It does bangify 144838032Speter everything and prepends $U (your UUCP name) to the sender's 144938032Speter address (which can already be a bang path itself). It can 145038032Speter only send to one address at a time, so it spends a lot of 145138032Speter time copying duplicates of messages. Avoid this if at all 145238032Speter possible. 145338032Speter 145438032Speter uucp-new (obsolete name: "suucp") 145538032Speter The same as above, except that it assumes that in one rmail 145638032Speter command you can specify several recipients. It still has a 145738032Speter lot of other problems. 145838032Speter 145938032Speter uucp-dom 146038032Speter This UUCP mailer keeps everything as domain addresses. 146138032Speter Basically, it uses the SMTP mailer rewriting rules. This mailer 146290792Sgshapiro is only included if MAILER(`smtp') is specified before 146390792Sgshapiro MAILER(`uucp'). 146438032Speter 146538032Speter Unfortunately, a lot of UUCP mailer transport agents require 146638032Speter bangified addresses in the envelope, although you can use 146738032Speter domain-based addresses in the message header. (The envelope 146838032Speter shows up as the From_ line on UNIX mail.) So.... 146938032Speter 147038032Speter uucp-uudom 147138032Speter This is a cross between uucp-new (for the envelope addresses) 147238032Speter and uucp-dom (for the header addresses). It bangifies the 147338032Speter envelope sender (From_ line in messages) without adding the 147438032Speter local hostname, unless there is no host name on the address 147538032Speter at all (e.g., "wolf") or the host component is a UUCP host name 147638032Speter instead of a domain name ("somehost!wolf" instead of 147764562Sgshapiro "some.dom.ain!wolf"). This is also included only if MAILER(`smtp') 147890792Sgshapiro is also specified earlier. 147938032Speter 148038032SpeterExamples: 148138032Speter 148264562SgshapiroOn host grasp.insa-lyon.fr (UUCP host name "grasp"), the following 148364562Sgshapirosummarizes the sender rewriting for various mailers. 148438032Speter 148566494SgshapiroMailer sender rewriting in the envelope 148638032Speter------ ------ ------------------------- 148738032Speteruucp-{old,new} wolf grasp!wolf 148838032Speteruucp-dom wolf wolf@grasp.insa-lyon.fr 148938032Speteruucp-uudom wolf grasp.insa-lyon.fr!wolf 149038032Speter 149138032Speteruucp-{old,new} wolf@fr.net grasp!fr.net!wolf 149238032Speteruucp-dom wolf@fr.net wolf@fr.net 149338032Speteruucp-uudom wolf@fr.net fr.net!wolf 149438032Speter 149538032Speteruucp-{old,new} somehost!wolf grasp!somehost!wolf 149638032Speteruucp-dom somehost!wolf somehost!wolf@grasp.insa-lyon.fr 149738032Speteruucp-uudom somehost!wolf grasp.insa-lyon.fr!somehost!wolf 149838032Speter 149938032SpeterIf you are using one of the domainized UUCP mailers, you really want 150038032Speterto convert all UUCP addresses to domain format -- otherwise, it will 150138032Speterdo it for you (and probably not the way you expected). For example, 150238032Speterif you have the address foo!bar!baz (and you are not sending to foo), 150338032Speterthe heuristics will add the @uucp.relay.name or @local.host.name to 150438032Speterthis address. However, if you map foo to foo.host.name first, it 150538032Speterwill not add the local hostname. You can do this using the uucpdomain 150638032Speterfeature. 150738032Speter 150838032Speter 150938032Speter+-------------------+ 151038032Speter| TWEAKING RULESETS | 151138032Speter+-------------------+ 151238032Speter 151338032SpeterFor more complex configurations, you can define special rules. 151438032SpeterThe macro LOCAL_RULE_3 introduces rules that are used in canonicalizing 151538032Speterthe names. Any modifications made here are reflected in the header. 151638032Speter 151738032SpeterA common use is to convert old UUCP addresses to SMTP addresses using 151838032Speterthe UUCPSMTP macro. For example: 151938032Speter 152038032Speter LOCAL_RULE_3 152164562Sgshapiro UUCPSMTP(`decvax', `decvax.dec.com') 152264562Sgshapiro UUCPSMTP(`research', `research.att.com') 152338032Speter 152438032Speterwill cause addresses of the form "decvax!user" and "research!user" 152538032Speterto be converted to "user@decvax.dec.com" and "user@research.att.com" 152638032Speterrespectively. 152738032Speter 152838032SpeterThis could also be used to look up hosts in a database map: 152938032Speter 153038032Speter LOCAL_RULE_3 153138032Speter R$* < @ $+ > $* $: $1 < @ $(hostmap $2 $) > $3 153238032Speter 153338032SpeterThis map would be defined in the LOCAL_CONFIG portion, as shown below. 153438032Speter 153538032SpeterSimilarly, LOCAL_RULE_0 can be used to introduce new parsing rules. 153638032SpeterFor example, new rules are needed to parse hostnames that you accept 153738032Spetervia MX records. For example, you might have: 153838032Speter 153938032Speter LOCAL_RULE_0 154038032Speter R$+ <@ host.dom.ain.> $#uucp $@ cnmat $: $1 < @ host.dom.ain.> 154138032Speter 154238032SpeterYou would use this if you had installed an MX record for cnmat.Berkeley.EDU 154338032Speterpointing at this host; this rule catches the message and forwards it on 154438032Speterusing UUCP. 154538032Speter 154638032SpeterYou can also tweak rulesets 1 and 2 using LOCAL_RULE_1 and LOCAL_RULE_2. 154738032SpeterThese rulesets are normally empty. 154838032Speter 154938032SpeterA similar macro is LOCAL_CONFIG. This introduces lines added after the 155064562Sgshapiroboilerplate option setting but before rulesets. Do not declare rulesets in 155164562Sgshapirothe LOCAL_CONFIG section. It can be used to declare local database maps or 155264562Sgshapirowhatever. For example: 155338032Speter 155438032Speter LOCAL_CONFIG 155564562Sgshapiro Khostmap hash /etc/mail/hostmap 155638032Speter Kyplocal nis -m hosts.byname 155738032Speter 155838032Speter 155938032Speter+---------------------------+ 156038032Speter| MASQUERADING AND RELAYING | 156138032Speter+---------------------------+ 156238032Speter 156338032SpeterYou can have your host masquerade as another using 156438032Speter 156564562Sgshapiro MASQUERADE_AS(`host.domain') 156638032Speter 156738032SpeterThis causes mail being sent to be labeled as coming from the 156838032Speterindicated host.domain, rather than $j. One normally masquerades as 156964562Sgshapiroone of one's own subdomains (for example, it's unlikely that 157064562SgshapiroBerkeley would choose to masquerade as an MIT site). This 157164562Sgshapirobehaviour is modified by a plethora of FEATUREs; in particular, see 157264562Sgshapiromasquerade_envelope, allmasquerade, limited_masquerade, and 157364562Sgshapiromasquerade_entire_domain. 157438032Speter 157538032SpeterThe masquerade name is not normally canonified, so it is important 157638032Speterthat it be your One True Name, that is, fully qualified and not a 157738032SpeterCNAME. However, if you use a CNAME, the receiving side may canonify 157838032Speterit for you, so don't think you can cheat CNAME mapping this way. 157938032Speter 158038032SpeterNormally the only addresses that are masqueraded are those that come 158164562Sgshapirofrom this host (that is, are either unqualified or in class {w}, the list 158264562Sgshapiroof local domain names). You can augment this list, which is realized 158364562Sgshapiroby class {M} using 158438032Speter 158564562Sgshapiro MASQUERADE_DOMAIN(`otherhost.domain') 158638032Speter 158738032SpeterThe effect of this is that although mail to user@otherhost.domain 158838032Speterwill not be delivered locally, any mail including any user@otherhost.domain 158938032Speterwill, when relayed, be rewritten to have the MASQUERADE_AS address. 159038032SpeterThis can be a space-separated list of names. 159138032Speter 159238032SpeterIf these names are in a file, you can use 159338032Speter 159464562Sgshapiro MASQUERADE_DOMAIN_FILE(`filename') 159538032Speter 159664562Sgshapiroto read the list of names from the indicated file (i.e., to add 159764562Sgshapiroelements to class {M}). 159838032Speter 159964562SgshapiroTo exempt hosts or subdomains from being masqueraded, you can use 160064562Sgshapiro 160164562Sgshapiro MASQUERADE_EXCEPTION(`host.domain') 160264562Sgshapiro 160364562SgshapiroThis can come handy if you want to masquerade a whole domain 160490792Sgshapiroexcept for one (or a few) host(s). If these names are in a file, 160590792Sgshapiroyou can use 160664562Sgshapiro 160790792Sgshapiro MASQUERADE_EXCEPTION_FILE(`filename') 160890792Sgshapiro 160938032SpeterNormally only header addresses are masqueraded. If you want to 161038032Spetermasquerade the envelope as well, use 161138032Speter 161243730Speter FEATURE(`masquerade_envelope') 161338032Speter 161438032SpeterThere are always users that need to be "exposed" -- that is, their 161538032Speterinternal site name should be displayed instead of the masquerade name. 161664562SgshapiroRoot is an example (which has been "exposed" by default prior to 8.10). 161764562SgshapiroYou can add users to this list using 161838032Speter 161964562Sgshapiro EXPOSED_USER(`usernames') 162038032Speter 162190792SgshapiroThis adds users to class {E}; you could also use 162238032Speter 162390792Sgshapiro EXPOSED_USER_FILE(`filename') 162438032Speter 162538032SpeterYou can also arrange to relay all unqualified names (that is, names 162638032Speterwithout @host) to a relay host. For example, if you have a central 162738032Speteremail server, you might relay to that host so that users don't have 162838032Speterto have .forward files or aliases. You can do this using 162938032Speter 163043730Speter define(`LOCAL_RELAY', `mailer:hostname') 163138032Speter 163238032SpeterThe ``mailer:'' can be omitted, in which case the mailer defaults to 163338032Speter"relay". There are some user names that you don't want relayed, perhaps 163438032Speterbecause of local aliases. A common example is root, which may be 163538032Speterlocally aliased. You can add entries to this list using 163638032Speter 163764562Sgshapiro LOCAL_USER(`usernames') 163838032Speter 163990792SgshapiroThis adds users to class {L}; you could also use 164038032Speter 164190792Sgshapiro LOCAL_USER_FILE(`filename') 164238032Speter 164338032SpeterIf you want all incoming mail sent to a centralized hub, as for a 164438032Spetershared /var/spool/mail scheme, use 164538032Speter 164643730Speter define(`MAIL_HUB', `mailer:hostname') 164738032Speter 164838032SpeterAgain, ``mailer:'' defaults to "relay". If you define both LOCAL_RELAY 164943730Speterand MAIL_HUB _AND_ you have FEATURE(`stickyhost'), unqualified names will 165038032Speterbe sent to the LOCAL_RELAY and other local names will be sent to MAIL_HUB. 165164562SgshapiroNote: there is a (long standing) bug which keeps this combination from 165264562Sgshapiroworking for addresses of the form user+detail. 165364562SgshapiroNames in class {L} will be delivered locally, so you MUST have aliases or 165438032Speter.forward files for them. 165538032Speter 165638032SpeterFor example, if you are on machine mastodon.CS.Berkeley.EDU and you have 165743730SpeterFEATURE(`stickyhost'), the following combinations of settings will have the 165838032Speterindicated effects: 165938032Speter 166038032Speteremail sent to.... eric eric@mastodon.CS.Berkeley.EDU 166138032Speter 166238032SpeterLOCAL_RELAY set to mail.CS.Berkeley.EDU (delivered locally) 166338032Spetermail.CS.Berkeley.EDU (no local aliasing) (aliasing done) 166438032Speter 166538032SpeterMAIL_HUB set to mammoth.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 166638032Spetermammoth.CS.Berkeley.EDU (aliasing done) (aliasing done) 166738032Speter 166838032SpeterBoth LOCAL_RELAY and mail.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 166938032SpeterMAIL_HUB set as above (no local aliasing) (aliasing done) 167038032Speter 167143730SpeterIf you do not have FEATURE(`stickyhost') set, then LOCAL_RELAY and 167238032SpeterMAIL_HUB act identically, with MAIL_HUB taking precedence. 167338032Speter 167438032SpeterIf you want all outgoing mail to go to a central relay site, define 167538032SpeterSMART_HOST as well. Briefly: 167638032Speter 167738032Speter LOCAL_RELAY applies to unqualified names (e.g., "eric"). 167838032Speter MAIL_HUB applies to names qualified with the name of the 167938032Speter local host (e.g., "eric@mastodon.CS.Berkeley.EDU"). 168064562Sgshapiro SMART_HOST applies to names qualified with other hosts or 168164562Sgshapiro bracketed addresses (e.g., "eric@mastodon.CS.Berkeley.EDU" 168264562Sgshapiro or "eric@[127.0.0.1]"). 168338032Speter 168438032SpeterHowever, beware that other relays (e.g., UUCP_RELAY, BITNET_RELAY, 168538032SpeterDECNET_RELAY, and FAX_RELAY) take precedence over SMART_HOST, so if you 168638032Speterreally want absolutely everything to go to a single central site you will 168738032Speterneed to unset all the other relays -- or better yet, find or build a 168838032Speterminimal config file that does this. 168938032Speter 169038032SpeterFor duplicate suppression to work properly, the host name is best 169138032Speterspecified with a terminal dot: 169238032Speter 169338032Speter define(`MAIL_HUB', `host.domain.') 169438032Speter note the trailing dot ---^ 169538032Speter 169638032Speter 169790792Sgshapiro+-------------------------------------------+ 169890792Sgshapiro| USING LDAP FOR ALIASES, MAPS, AND CLASSES | 169990792Sgshapiro+-------------------------------------------+ 170090792Sgshapiro 170190792SgshapiroLDAP can be used for aliases, maps, and classes by either specifying your 170290792Sgshapiroown LDAP map specification or using the built-in default LDAP map 170390792Sgshapirospecification. The built-in default specifications all provide lookups 170490792Sgshapirowhich match against either the machine's fully qualified hostname (${j}) or 170590792Sgshapiroa "cluster". The cluster allows you to share LDAP entries among a large 170690792Sgshapironumber of machines without having to enter each of the machine names into 170790792Sgshapiroeach LDAP entry. To set the LDAP cluster name to use for a particular 170890792Sgshapiromachine or set of machines, set the confLDAP_CLUSTER m4 variable to a 170990792Sgshapirounique name. For example: 171090792Sgshapiro 171190792Sgshapiro define(`confLDAP_CLUSTER', `Servers') 171290792Sgshapiro 171390792SgshapiroHere, the word `Servers' will be the cluster name. As an example, assume 171490792Sgshapirothat smtp.sendmail.org, etrn.sendmail.org, and mx.sendmail.org all belong 171590792Sgshapiroto the Servers cluster. 171690792Sgshapiro 171790792SgshapiroSome of the LDAP LDIF examples below show use of the Servers cluster. 171890792SgshapiroEvery entry must have either a sendmailMTAHost or sendmailMTACluster 171990792Sgshapiroattribute or it will be ignored. Be careful as mixing clusters and 172090792Sgshapiroindividual host records can have surprising results (see the CAUTION 172190792Sgshapirosections below). 172290792Sgshapiro 172390792SgshapiroSee the file cf/sendmail.schema for the actual LDAP schemas. Note that 172490792Sgshapirothis schema (and therefore the lookups and examples below) is experimental 172590792Sgshapiroat this point as it has had little public review. Therefore, it may change 172690792Sgshapiroin future versions. Feedback via sendmail@sendmail.org is encouraged. 172790792Sgshapiro 172890792Sgshapiro------- 172990792SgshapiroAliases 173090792Sgshapiro------- 173190792Sgshapiro 173290792SgshapiroThe ALIAS_FILE (O AliasFile) option can be set to use LDAP for alias 173390792Sgshapirolookups. To use the default schema, simply use: 173490792Sgshapiro 173590792Sgshapiro define(`ALIAS_FILE', `ldap:') 173690792Sgshapiro 173790792SgshapiroBy doing so, you will use the default schema which expands to a map 173890792Sgshapirodeclared as follows: 173990792Sgshapiro 174090792Sgshapiro ldap -k (&(objectClass=sendmailMTAAliasObject) 174190792Sgshapiro (sendmailMTAAliasGrouping=aliases) 174290792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 174390792Sgshapiro (sendmailMTAHost=$j)) 174490792Sgshapiro (sendmailMTAKey=%0)) 174590792Sgshapiro -v sendmailMTAAliasValue 174690792Sgshapiro 174790792SgshapiroNOTE: The macros shown above ${sendmailMTACluster} and $j are not actually 174890792Sgshapiroused when the binary expands the `ldap:' token as the AliasFile option is 174990792Sgshapironot actually macro-expanded when read from the sendmail.cf file. 175090792Sgshapiro 175190792SgshapiroExample LDAP LDIF entries might be: 175290792Sgshapiro 175390792Sgshapiro dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org 175490792Sgshapiro objectClass: sendmailMTA 175590792Sgshapiro objectClass: sendmailMTAAlias 175690792Sgshapiro objectClass: sendmailMTAAliasObject 175790792Sgshapiro sendmailMTAAliasGrouping: aliases 175890792Sgshapiro sendmailMTAHost: etrn.sendmail.org 175990792Sgshapiro sendmailMTAKey: sendmail-list 176090792Sgshapiro sendmailMTAAliasValue: ca@example.org 176190792Sgshapiro sendmailMTAAliasValue: eric 176290792Sgshapiro sendmailMTAAliasValue: gshapiro@example.com 176390792Sgshapiro 176490792Sgshapiro dn: sendmailMTAKey=owner-sendmail-list, dc=sendmail, dc=org 176590792Sgshapiro objectClass: sendmailMTA 176690792Sgshapiro objectClass: sendmailMTAAlias 176790792Sgshapiro objectClass: sendmailMTAAliasObject 176890792Sgshapiro sendmailMTAAliasGrouping: aliases 176990792Sgshapiro sendmailMTAHost: etrn.sendmail.org 177090792Sgshapiro sendmailMTAKey: owner-sendmail-list 177190792Sgshapiro sendmailMTAAliasValue: eric 177290792Sgshapiro 177390792Sgshapiro dn: sendmailMTAKey=postmaster, dc=sendmail, dc=org 177490792Sgshapiro objectClass: sendmailMTA 177590792Sgshapiro objectClass: sendmailMTAAlias 177690792Sgshapiro objectClass: sendmailMTAAliasObject 177790792Sgshapiro sendmailMTAAliasGrouping: aliases 177890792Sgshapiro sendmailMTACluster: Servers 177990792Sgshapiro sendmailMTAKey: postmaster 178090792Sgshapiro sendmailMTAAliasValue: eric 178190792Sgshapiro 178290792SgshapiroHere, the aliases sendmail-list and owner-sendmail-list will be available 178390792Sgshapiroonly on etrn.sendmail.org but the postmaster alias will be available on 178490792Sgshapiroevery machine in the Servers cluster (including etrn.sendmail.org). 178590792Sgshapiro 178690792SgshapiroCAUTION: aliases are additive so that entries like these: 178790792Sgshapiro 178890792Sgshapiro dn: sendmailMTAKey=bob, dc=sendmail, dc=org 178990792Sgshapiro objectClass: sendmailMTA 179090792Sgshapiro objectClass: sendmailMTAAlias 179190792Sgshapiro objectClass: sendmailMTAAliasObject 179290792Sgshapiro sendmailMTAAliasGrouping: aliases 179390792Sgshapiro sendmailMTACluster: Servers 179490792Sgshapiro sendmailMTAKey: bob 179590792Sgshapiro sendmailMTAAliasValue: eric 179690792Sgshapiro 179794334Sgshapiro dn: sendmailMTAKey=bobetrn, dc=sendmail, dc=org 179890792Sgshapiro objectClass: sendmailMTA 179990792Sgshapiro objectClass: sendmailMTAAlias 180090792Sgshapiro objectClass: sendmailMTAAliasObject 180190792Sgshapiro sendmailMTAAliasGrouping: aliases 180290792Sgshapiro sendmailMTAHost: etrn.sendmail.org 180390792Sgshapiro sendmailMTAKey: bob 180490792Sgshapiro sendmailMTAAliasValue: gshapiro 180590792Sgshapiro 180690792Sgshapirowould mean that on all of the hosts in the cluster, mail to bob would go to 180790792Sgshapiroeric EXCEPT on etrn.sendmail.org in which case it would go to BOTH eric and 180890792Sgshapirogshapiro. 180990792Sgshapiro 181090792SgshapiroIf you prefer not to use the default LDAP schema for your aliases, you can 181190792Sgshapirospecify the map parameters when setting ALIAS_FILE. For example: 181290792Sgshapiro 181390792Sgshapiro define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember') 181490792Sgshapiro 181590792Sgshapiro---- 181690792SgshapiroMaps 181790792Sgshapiro---- 181890792Sgshapiro 181990792SgshapiroFEATURE()'s which take an optional map definition argument (e.g., access, 182090792Sgshapiromailertable, virtusertable, etc.) can instead take the special keyword 182190792Sgshapiro`LDAP', e.g.: 182290792Sgshapiro 182390792Sgshapiro FEATURE(`access_db', `LDAP') 182490792Sgshapiro FEATURE(`virtusertable', `LDAP') 182590792Sgshapiro 182690792SgshapiroWhen this keyword is given, that map will use LDAP lookups consisting of 182790792Sgshapirothe objectClass sendmailMTAClassObject, the attribute sendmailMTAMapName 182890792Sgshapirowith the map name, a search attribute of sendmailMTAKey, and the value 182990792Sgshapiroattribute sendmailMTAMapValue. 183090792Sgshapiro 183190792SgshapiroThe values for sendmailMTAMapName are: 183290792Sgshapiro 183390792Sgshapiro FEATURE() sendmailMTAMapName 183490792Sgshapiro --------- ------------------ 183590792Sgshapiro access_db access 183690792Sgshapiro authinfo authinfo 183790792Sgshapiro bitdomain bitdomain 183890792Sgshapiro domaintable domain 183990792Sgshapiro genericstable generics 184090792Sgshapiro mailertable mailer 184190792Sgshapiro uucpdomain uucpdomain 184290792Sgshapiro virtusertable virtuser 184390792Sgshapiro 184490792SgshapiroFor example, FEATURE(`mailertable', `LDAP') would use the map definition: 184590792Sgshapiro 184690792Sgshapiro Kmailertable ldap -k (&(objectClass=sendmailMTAMapObject) 184790792Sgshapiro (sendmailMTAMapName=mailer) 184890792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 184990792Sgshapiro (sendmailMTAHost=$j)) 185090792Sgshapiro (sendmailMTAKey=%0)) 185190792Sgshapiro -1 -v sendmailMTAMapValue 185290792Sgshapiro 185390792SgshapiroAn example LDAP LDIF entry using this map might be: 185490792Sgshapiro 185590792Sgshapiro dn: sendmailMTAMapName=mailer, dc=sendmail, dc=org 185690792Sgshapiro objectClass: sendmailMTA 185790792Sgshapiro objectClass: sendmailMTAMap 185890792Sgshapiro sendmailMTACluster: Servers 185990792Sgshapiro sendmailMTAMapName: mailer 186090792Sgshapiro 186190792Sgshapiro dn: sendmailMTAKey=example.com, sendmailMTAMapName=mailer, dc=sendmail, dc=org 186290792Sgshapiro objectClass: sendmailMTA 186390792Sgshapiro objectClass: sendmailMTAMap 186490792Sgshapiro objectClass: sendmailMTAMapObject 186590792Sgshapiro sendmailMTAMapName: mailer 186690792Sgshapiro sendmailMTACluster: Servers 186790792Sgshapiro sendmailMTAKey: example.com 186890792Sgshapiro sendmailMTAMapValue: relay:[smtp.example.com] 186990792Sgshapiro 187090792SgshapiroCAUTION: If your LDAP database contains the record above and *ALSO* a host 187190792Sgshapirospecific record such as: 187290792Sgshapiro 187390792Sgshapiro dn: sendmailMTAKey=example.com@etrn, sendmailMTAMapName=mailer, dc=sendmail, dc=org 187490792Sgshapiro objectClass: sendmailMTA 187590792Sgshapiro objectClass: sendmailMTAMap 187690792Sgshapiro objectClass: sendmailMTAMapObject 187790792Sgshapiro sendmailMTAMapName: mailer 187890792Sgshapiro sendmailMTAHost: etrn.sendmail.org 187990792Sgshapiro sendmailMTAKey: example.com 188090792Sgshapiro sendmailMTAMapValue: relay:[mx.example.com] 188190792Sgshapiro 188290792Sgshapirothen these entries will give unexpected results. When the lookup is done 188390792Sgshapiroon etrn.sendmail.org, the effect is that there is *NO* match at all as maps 188490792Sgshapirorequire a single match. Since the host etrn.sendmail.org is also in the 188590792SgshapiroServers cluster, LDAP would return two answers for the example.com map key 188690792Sgshapiroin which case sendmail would treat this as no match at all. 188790792Sgshapiro 188890792SgshapiroIf you prefer not to use the default LDAP schema for your maps, you can 188990792Sgshapirospecify the map parameters when using the FEATURE(). For example: 189090792Sgshapiro 189190792Sgshapiro FEATURE(`access_db', `ldap:-1 -k (&(objectClass=mapDatabase)(key=%0)) -v value') 189290792Sgshapiro 189390792Sgshapiro------- 189490792SgshapiroClasses 189590792Sgshapiro------- 189690792Sgshapiro 189790792SgshapiroNormally, classes can be filled via files or programs. As of 8.12, they 189890792Sgshapirocan also be filled via map lookups using a new syntax: 189990792Sgshapiro 190090792Sgshapiro F{ClassName}mapkey@mapclass:mapspec 190190792Sgshapiro 190290792Sgshapiromapkey is optional and if not provided the map key will be empty. This can 190390792Sgshapirobe used with LDAP to read classes from LDAP. Note that the lookup is only 190490792Sgshapirodone when sendmail is initially started. Use the special value `@LDAP' to 190590792Sgshapirouse the default LDAP schema. For example: 190690792Sgshapiro 190790792Sgshapiro RELAY_DOMAIN_FILE(`@LDAP') 190890792Sgshapiro 190990792Sgshapirowould put all of the attribute sendmailMTAClassValue values of LDAP records 191090792Sgshapirowith objectClass sendmailMTAClass and an attribute sendmailMTAClassName of 191190792Sgshapiro'R' into class $={R}. In other words, it is equivalent to the LDAP map 191290792Sgshapirospecification: 191390792Sgshapiro 191490792Sgshapiro F{R}@ldap:-k (&(objectClass=sendmailMTAClass) 191590792Sgshapiro (sendmailMTAClassName=R) 191690792Sgshapiro (|(sendmailMTACluster=${sendmailMTACluster}) 191790792Sgshapiro (sendmailMTAHost=$j))) 191890792Sgshapiro -v sendmailMTAClassValue 191990792Sgshapiro 192090792SgshapiroNOTE: The macros shown above ${sendmailMTACluster} and $j are not actually 192190792Sgshapiroused when the binary expands the `@LDAP' token as class declarations are 192290792Sgshapironot actually macro-expanded when read from the sendmail.cf file. 192390792Sgshapiro 192490792SgshapiroThis can be used with class related commands such as RELAY_DOMAIN_FILE(), 192590792SgshapiroMASQUERADE_DOMAIN_FILE(), etc: 192690792Sgshapiro 192790792Sgshapiro Command sendmailMTAClassName 192890792Sgshapiro ------- -------------------- 192990792Sgshapiro CANONIFY_DOMAIN_FILE() Canonify 193090792Sgshapiro EXPOSED_USER_FILE() E 193190792Sgshapiro GENERICS_DOMAIN_FILE() G 193290792Sgshapiro LDAPROUTE_DOMAIN_FILE() LDAPRoute 193390792Sgshapiro LDAPROUTE_EQUIVALENT_FILE() LDAPRouteEquiv 193490792Sgshapiro LOCAL_USER_FILE() L 193590792Sgshapiro MASQUERADE_DOMAIN_FILE() M 193690792Sgshapiro MASQUERADE_EXCEPTION_FILE() N 193790792Sgshapiro RELAY_DOMAIN_FILE() R 193890792Sgshapiro VIRTUSER_DOMAIN_FILE() VirtHost 193990792Sgshapiro 194090792SgshapiroYou can also add your own as any 'F'ile class of the form: 194190792Sgshapiro 194290792Sgshapiro F{ClassName}@LDAP 194390792Sgshapiro ^^^^^^^^^ 194490792Sgshapirowill use "ClassName" for the sendmailMTAClassName. 194590792Sgshapiro 194690792SgshapiroAn example LDAP LDIF entry would look like: 194790792Sgshapiro 194890792Sgshapiro dn: sendmailMTAClassName=R, dc=sendmail, dc=org 194990792Sgshapiro objectClass: sendmailMTA 195090792Sgshapiro objectClass: sendmailMTAClass 195190792Sgshapiro sendmailMTACluster: Servers 195290792Sgshapiro sendmailMTAClassName: R 195390792Sgshapiro sendmailMTAClassValue: sendmail.org 195490792Sgshapiro sendmailMTAClassValue: example.com 195590792Sgshapiro sendmailMTAClassValue: 10.56.23 195690792Sgshapiro 195790792SgshapiroCAUTION: If your LDAP database contains the record above and *ALSO* a host 195890792Sgshapirospecific record such as: 195990792Sgshapiro 196090792Sgshapiro dn: sendmailMTAClassName=R@etrn.sendmail.org, dc=sendmail, dc=org 196190792Sgshapiro objectClass: sendmailMTA 196290792Sgshapiro objectClass: sendmailMTAClass 196390792Sgshapiro sendmailMTAHost: etrn.sendmail.org 196490792Sgshapiro sendmailMTAClassName: R 196590792Sgshapiro sendmailMTAClassValue: example.com 196690792Sgshapiro 196790792Sgshapirothe result will be similar to the aliases caution above. When the lookup 196890792Sgshapirois done on etrn.sendmail.org, $={R} would contain all of the entries (from 196990792Sgshapiroboth the cluster match and the host match). In other words, the effective 197090792Sgshapirois additive. 197190792Sgshapiro 197290792SgshapiroIf you prefer not to use the default LDAP schema for your classes, you can 197390792Sgshapirospecify the map parameters when using the class command. For example: 197490792Sgshapiro 197590792Sgshapiro VIRTUSER_DOMAIN_FILE(`@ldap:-k (&(objectClass=virtHosts)(host=*)) -v host') 197690792Sgshapiro 197790792SgshapiroRemember, macros can not be used in a class declaration as the binary does 197890792Sgshapironot expand them. 197990792Sgshapiro 198090792Sgshapiro 198164562Sgshapiro+--------------+ 198264562Sgshapiro| LDAP ROUTING | 198364562Sgshapiro+--------------+ 198464562Sgshapiro 198564562SgshapiroFEATURE(`ldap_routing') can be used to implement the IETF Internet Draft 198664562SgshapiroLDAP Schema for Intranet Mail Routing 198764562Sgshapiro(draft-lachman-laser-ldap-mail-routing-01). This feature enables 198864562SgshapiroLDAP-based rerouting of a particular address to either a different host 198964562Sgshapiroor a different address. The LDAP lookup is first attempted on the full 199064562Sgshapiroaddress (e.g., user@example.com) and then on the domain portion 199164562Sgshapiro(e.g., @example.com). Be sure to setup your domain for LDAP routing using 199264562SgshapiroLDAPROUTE_DOMAIN(), e.g.: 199364562Sgshapiro 199464562Sgshapiro LDAPROUTE_DOMAIN(`example.com') 199564562Sgshapiro 199690792SgshapiroAdditionally, you can specify equivalent domains for LDAP routing using 199790792SgshapiroLDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE(). 'Equivalent' 199890792Sgshapirohostnames are mapped to $M (the masqueraded hostname for the server) before 199990792Sgshapirothe LDAP query. For example, if the mail is addressed to 200090792Sgshapirouser@host1.example.com, normally the LDAP lookup would only be done for 200190792Sgshapiro'user@host1.example.com' and '@host1.example.com'. However, if 200290792SgshapiroLDAPROUTE_EQUIVALENT(`host1.example.com') is used, the lookups would also be 200390792Sgshapirodone on 'user@example.com' and '@example.com' after attempting the 200490792Sgshapirohost1.example.com lookups. 200590792Sgshapiro 200664562SgshapiroBy default, the feature will use the schemas as specified in the draft 200764562Sgshapiroand will not reject addresses not found by the LDAP lookup. However, 200864562Sgshapirothis behavior can be changed by giving additional arguments to the FEATURE() 200964562Sgshapirocommand: 201064562Sgshapiro 201190792Sgshapiro FEATURE(`ldap_routing', <mailHost>, <mailRoutingAddress>, <bounce>, <detail>) 201264562Sgshapiro 201364562Sgshapirowhere <mailHost> is a map definition describing how to lookup an alternative 201464562Sgshapiromail host for a particular address; <mailRoutingAddress> is a map definition 201590792Sgshapirodescribing how to lookup an alternative address for a particular address; 201664562Sgshapirothe <bounce> argument, if present and not the word "passthru", dictates 201764562Sgshapirothat mail should be bounced if neither a mailHost nor mailRoutingAddress 201890792Sgshapirois found; and <detail> indicates what actions to take if the address 201990792Sgshapirocontains +detail information -- `strip' tries the lookup with the +detail 202090792Sgshapiroand if no matches are found, strips the +detail and tries the lookup again; 202190792Sgshapiro`preserve', does the same as `strip' but if a mailRoutingAddress match is 202290792Sgshapirofound, the +detail information is copied to the new address. 202364562Sgshapiro 202464562SgshapiroThe default <mailHost> map definition is: 202564562Sgshapiro 202694334Sgshapiro ldap -1 -T<TMPF> -v mailHost -k (&(objectClass=inetLocalMailRecipient) 202764562Sgshapiro (mailLocalAddress=%0)) 202864562Sgshapiro 202964562SgshapiroThe default <mailRoutingAddress> map definition is: 203064562Sgshapiro 203194334Sgshapiro ldap -1 -T<TMPF> -v mailRoutingAddress 203294334Sgshapiro -k (&(objectClass=inetLocalMailRecipient) 203394334Sgshapiro (mailLocalAddress=%0)) 203464562Sgshapiro 203564562SgshapiroNote that neither includes the LDAP server hostname (-h server) or base DN 203664562Sgshapiro(-b o=org,c=COUNTRY), both necessary for LDAP queries. It is presumed that 203764562Sgshapiroyour .mc file contains a setting for the confLDAP_DEFAULT_SPEC option with 203864562Sgshapirothese settings. If this is not the case, the map definitions should be 203994334Sgshapirochanged as described above. The "-T<TMPF>" is required in any user 204094334Sgshapirospecified map definition to catch temporary errors. 204164562Sgshapiro 204264562SgshapiroThe following possibilities exist as a result of an LDAP lookup on an 204364562Sgshapiroaddress: 204464562Sgshapiro 204564562Sgshapiro mailHost is mailRoutingAddress is Results in 204664562Sgshapiro ----------- --------------------- ---------- 204764562Sgshapiro set to a set mail delivered to 204864562Sgshapiro "local" host mailRoutingAddress 204964562Sgshapiro 205064562Sgshapiro set to a not set delivered to 205164562Sgshapiro "local" host original address 205264562Sgshapiro 205364562Sgshapiro set to a set mailRoutingAddress 205464562Sgshapiro remote host relayed to mailHost 205564562Sgshapiro 205664562Sgshapiro set to a not set original address 205764562Sgshapiro remote host relayed to mailHost 205864562Sgshapiro 205964562Sgshapiro not set set mail delivered to 206064562Sgshapiro mailRoutingAddress 206164562Sgshapiro 206264562Sgshapiro not set not set delivered to 206364562Sgshapiro original address *OR* 206464562Sgshapiro bounced as unknown user 206564562Sgshapiro 206690792SgshapiroThe term "local" host above means the host specified is in class {w}. If 206790792Sgshapirothe result would mean sending the mail to a different host, that host is 206890792Sgshapirolooked up in the mailertable before delivery. 206990792Sgshapiro 207064562SgshapiroNote that the last case depends on whether the third argument is given 207164562Sgshapiroto the FEATURE() command. The default is to deliver the message to the 207264562Sgshapirooriginal address. 207364562Sgshapiro 207464562SgshapiroThe LDAP entries should be set up with an objectClass of 207564562SgshapiroinetLocalMailRecipient and the address be listed in a mailLocalAddress 207664562Sgshapiroattribute. If present, there must be only one mailHost attribute and it 207764562Sgshapiromust contain a fully qualified host name as its value. Similarly, if 207864562Sgshapiropresent, there must be only one mailRoutingAddress attribute and it must 207990792Sgshapirocontain an RFC 822 compliant address. Some example LDAP records (in LDIF 208064562Sgshapiroformat): 208164562Sgshapiro 208264562Sgshapiro dn: uid=tom, o=example.com, c=US 208364562Sgshapiro objectClass: inetLocalMailRecipient 208464562Sgshapiro mailLocalAddress: tom@example.com 208564562Sgshapiro mailRoutingAddress: thomas@mailhost.example.com 208664562Sgshapiro 208764562SgshapiroThis would deliver mail for tom@example.com to thomas@mailhost.example.com. 208864562Sgshapiro 208964562Sgshapiro dn: uid=dick, o=example.com, c=US 209064562Sgshapiro objectClass: inetLocalMailRecipient 209164562Sgshapiro mailLocalAddress: dick@example.com 209264562Sgshapiro mailHost: eng.example.com 209364562Sgshapiro 209464562SgshapiroThis would relay mail for dick@example.com to the same address but redirect 209590792Sgshapirothe mail to MX records listed for the host eng.example.com (unless the 209690792Sgshapiromailertable overrides). 209764562Sgshapiro 209864562Sgshapiro dn: uid=harry, o=example.com, c=US 209964562Sgshapiro objectClass: inetLocalMailRecipient 210064562Sgshapiro mailLocalAddress: harry@example.com 210164562Sgshapiro mailHost: mktmail.example.com 210264562Sgshapiro mailRoutingAddress: harry@mkt.example.com 210364562Sgshapiro 210464562SgshapiroThis would relay mail for harry@example.com to the MX records listed for 210564562Sgshapirothe host mktmail.example.com using the new address harry@mkt.example.com 210664562Sgshapirowhen talking to that host. 210764562Sgshapiro 210864562Sgshapiro dn: uid=virtual.example.com, o=example.com, c=US 210964562Sgshapiro objectClass: inetLocalMailRecipient 211064562Sgshapiro mailLocalAddress: @virtual.example.com 211164562Sgshapiro mailHost: server.example.com 211264562Sgshapiro mailRoutingAddress: virtual@example.com 211364562Sgshapiro 211464562SgshapiroThis would send all mail destined for any username @virtual.example.com to 211564562Sgshapirothe machine server.example.com's MX servers and deliver to the address 211664562Sgshapirovirtual@example.com on that relay machine. 211764562Sgshapiro 211864562Sgshapiro 211938032Speter+---------------------------------+ 212038032Speter| ANTI-SPAM CONFIGURATION CONTROL | 212138032Speter+---------------------------------+ 212238032Speter 212338032SpeterThe primary anti-spam features available in sendmail are: 212438032Speter 212538032Speter* Relaying is denied by default. 212638032Speter* Better checking on sender information. 212738032Speter* Access database. 212838032Speter* Header checks. 212938032Speter 213064562SgshapiroRelaying (transmission of messages from a site outside your host (class 213164562Sgshapiro{w}) to another site except yours) is denied by default. Note that this 213264562Sgshapirochanged in sendmail 8.9; previous versions allowed relaying by default. 213364562SgshapiroIf you really want to revert to the old behaviour, you will need to use 213464562SgshapiroFEATURE(`promiscuous_relay'). You can allow certain domains to relay 213564562Sgshapirothrough your server by adding their domain name or IP address to class 213664562Sgshapiro{R} using RELAY_DOMAIN() and RELAY_DOMAIN_FILE() or via the access database 213790792Sgshapiro(described below). Note that IPv6 addresses must be prefaced with "IPv6:". 213890792SgshapiroThe file consists (like any other file based class) of entries listed on 213990792Sgshapiroseparate lines, e.g., 214038032Speter 214164562Sgshapiro sendmail.org 214264562Sgshapiro 128.32 214390792Sgshapiro IPv6:2002:c0a8:02c7 214490792Sgshapiro IPv6:2002:c0a8:51d2::23f4 214564562Sgshapiro host.mydomain.com 214690792Sgshapiro [UNIX:localhost] 214764562Sgshapiro 214890792SgshapiroNotice: the last entry allows relaying for connections via a UNIX 214990792Sgshapirosocket to the MTA/MSP. This might be necessary if your configuration 215090792Sgshapirodoesn't allow relaying by other means in that case, e.g., by having 215190792Sgshapirolocalhost.$m in class {R} (make sure $m is not just a top level 215290792Sgshapirodomain). 215390792Sgshapiro 215438032SpeterIf you use 215538032Speter 215643730Speter FEATURE(`relay_entire_domain') 215738032Speter 215864562Sgshapirothen any host in any of your local domains (that is, class {m}) 215942575Speterwill be relayed (that is, you will accept mail either to or from any 216042575Speterhost in your domain). 216138032Speter 216238032SpeterYou can also allow relaying based on the MX records of the host 216338032Speterportion of an incoming recipient address by using 216438032Speter 216543730Speter FEATURE(`relay_based_on_MX') 216638032Speter 216738032SpeterFor example, if your server receives a recipient of user@domain.com 216838032Speterand domain.com lists your server in its MX records, the mail will be 216990792Sgshapiroaccepted for relay to domain.com. This feature may cause problems 217090792Sgshapiroif MX lookups for the recipient domain are slow or time out. In that 217190792Sgshapirocase, mail will be temporarily rejected. It is usually better to 217290792Sgshapiromaintain a list of hosts/domains for which the server acts as relay. 217390792SgshapiroNote also that this feature will stop spammers from using your host 217490792Sgshapiroto relay spam but it will not stop outsiders from using your server 217590792Sgshapiroas a relay for their site (that is, they set up an MX record pointing 217690792Sgshapiroto your mail server, and you will relay mail addressed to them 217790792Sgshapirowithout any prior arrangement). Along the same lines, 217838032Speter 217943730Speter FEATURE(`relay_local_from') 218038032Speter 218138032Speterwill allow relaying if the sender specifies a return path (i.e. 218290792SgshapiroMAIL FROM: <user@domain>) domain which is a local domain. This is a 218338032Speterdangerous feature as it will allow spammers to spam using your mail 218438032Speterserver by simply specifying a return address of user@your.domain.com. 218538032SpeterIt should not be used unless absolutely necessary. 218664562SgshapiroA slightly better solution is 218738032Speter 218864562Sgshapiro FEATURE(`relay_mail_from') 218964562Sgshapiro 219064562Sgshapirowhich allows relaying if the mail sender is listed as RELAY in the 219164562Sgshapiroaccess map. If an optional argument `domain' is given, the domain 219264562Sgshapiroportion of the mail sender is also checked to allowing relaying. 219364562SgshapiroThis option only works together with the tag From: for the LHS of 219490792Sgshapirothe access map entries (see below: Finer control...). This feature 219590792Sgshapiroallows spammers to abuse your mail server by specifying a return 219690792Sgshapiroaddress that you enabled in your access file. This may be harder 219790792Sgshapiroto figure out for spammers, but it should not be used unless 219890792Sgshapironecessary. Instead use SMTP AUTH or STARTTLS to allow relaying 219990792Sgshapirofor roaming users. 220064562Sgshapiro 220164562Sgshapiro 220290792SgshapiroIf source routing is used in the recipient address (e.g., 220338032SpeterRCPT TO: <user%site.com@othersite.com>), sendmail will check 220438032Speteruser@site.com for relaying if othersite.com is an allowed relay host 220564562Sgshapiroin either class {R}, class {m} if FEATURE(`relay_entire_domain') is used, 220643730Speteror the access database if FEATURE(`access_db') is used. To prevent 220738032Speterthe address from being stripped down, use: 220838032Speter 220943730Speter FEATURE(`loose_relay_check') 221038032Speter 221138032SpeterIf you think you need to use this feature, you probably do not. This 221238032Spetershould only be used for sites which have no control over the addresses 221338032Speterthat they provide a gateway for. Use this FEATURE with caution as it 221438032Spetercan allow spammers to relay through your server if not setup properly. 221538032Speter 221664562SgshapiroNOTICE: It is possible to relay mail through a system which the anti-relay 221764562Sgshapirorules do not prevent: the case of a system that does use FEATURE(`nouucp', 221864562Sgshapiro`nospecial') (system A) and relays local messages to a mail hub (e.g., via 221964562SgshapiroLOCAL_RELAY or LUSER_RELAY) (system B). If system B doesn't use 222064562SgshapiroFEATURE(`nouucp') at all, addresses of the form 222164562Sgshapiro<example.net!user@local.host> would be relayed to <user@example.net>. 222264562SgshapiroSystem A doesn't recognize `!' as an address separator and therefore 222364562Sgshapiroforwards it to the mail hub which in turns relays it because it came from 222464562Sgshapiroa trusted local host. So if a mailserver allows UUCP (bang-format) 222564562Sgshapiroaddresses, all systems from which it allows relaying should do the same 222664562Sgshapiroor reject those addresses. 222764562Sgshapiro 222838032SpeterAs of 8.9, sendmail will refuse mail if the MAIL FROM: parameter has 222938032Speteran unresolvable domain (i.e., one that DNS, your local name service, 223090792Sgshapiroor special case rules in ruleset 3 cannot locate). This also applies 223190792Sgshapiroto addresses that use domain literals, e.g., <user@[1.2.3.4]>, if the 223290792SgshapiroIP address can't be mapped to a host name. If you want to continue 223390792Sgshapiroto accept such domains, e.g., because you are inside a firewall that 223490792Sgshapirohas only a limited view of the Internet host name space (note that you 223590792Sgshapirowill not be able to return mail to them unless you have some "smart 223690792Sgshapirohost" forwarder), use 223738032Speter 223843730Speter FEATURE(`accept_unresolvable_domains') 223938032Speter 224090792SgshapiroAlternatively, you can allow specific addresses by adding them to 224190792Sgshapirothe access map, e.g., 224290792Sgshapiro 224390792Sgshapiro From:unresolvable.domain OK 224490792Sgshapiro From:[1.2.3.4] OK 224590792Sgshapiro From:[1.2.4] OK 224690792Sgshapiro 224790792SgshapiroNotice: domains which are temporarily unresolvable are (temporarily) 224890792Sgshapirorejected with a 451 reply code. If those domains should be accepted 224990792Sgshapiro(which is discouraged) then you can use 225090792Sgshapiro 225190792Sgshapiro LOCAL_CONFIG 225290792Sgshapiro C{ResOk}TEMP 225390792Sgshapiro 225438032Spetersendmail will also refuse mail if the MAIL FROM: parameter is not 225538032Speterfully qualified (i.e., contains a domain as well as a user). If you 225638032Speterwant to continue to accept such senders, use 225738032Speter 225843730Speter FEATURE(`accept_unqualified_senders') 225938032Speter 226064562SgshapiroSetting the DaemonPortOptions modifier 'u' overrides the default behavior, 226164562Sgshapiroi.e., unqualified addresses are accepted even without this FEATURE. If 226264562Sgshapirothis FEATURE is not used, the DaemonPortOptions modifier 'f' can be used 226390792Sgshapiroto enforce fully qualified domain names. 226464562Sgshapiro 226538032SpeterAn ``access'' database can be created to accept or reject mail from 226638032Speterselected domains. For example, you may choose to reject all mail 226738032Speteroriginating from known spammers. To enable such a database, use 226838032Speter 226943730Speter FEATURE(`access_db') 227038032Speter 227190792SgshapiroNotice: the access database is applied to the envelope addresses 227290792Sgshapiroand the connection information, not to the header. 227390792Sgshapiro 227490792SgshapiroThe FEATURE macro can accept as second parameter the key file 227538032Speterdefinition for the database; for example 227638032Speter 227790792Sgshapiro FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access_map') 227838032Speter 227990792SgshapiroNotice: If a second argument is specified it must contain the option 228090792Sgshapiro`-T<TMPF>' as shown above. The optional third and fourth parameters 228190792Sgshapiromay be `skip' or `lookupdotdomain'. The former enables SKIP as 228290792Sgshapirovalue part (see below), the latter is another way to enable the 228390792Sgshapirofeature of the same name (see above). 228490792Sgshapiro 228542575SpeterRemember, since /etc/mail/access is a database, after creating the text 228642575Speterfile as described below, you must use makemap to create the database 228742575Spetermap. For example: 228842575Speter 228943730Speter makemap hash /etc/mail/access < /etc/mail/access 229042575Speter 229138032SpeterThe table itself uses e-mail addresses, domain names, and network 229290792Sgshapironumbers as keys. Note that IPv6 addresses must be prefaced with "IPv6:". 229390792SgshapiroFor example, 229438032Speter 229590792Sgshapiro spammer@aol.com REJECT 229690792Sgshapiro cyberspammer.com REJECT 229794334Sgshapiro TLD REJECT 229890792Sgshapiro 192.168.212 REJECT 229990792Sgshapiro IPv6:2002:c0a8:02c7 RELAY 230090792Sgshapiro IPv6:2002:c0a8:51d2::23f4 REJECT 230138032Speter 230238032Speterwould refuse mail from spammer@aol.com, any user from cyberspammer.com 230394334Sgshapiro(or any host within the cyberspammer.com domain), any host in the entire 230494334Sgshapirotop level domain TLD, 192.168.212.* network, and the IPv6 address 230594334Sgshapiro2002:c0a8:51d2::23f4. It would allow relay for the IPv6 network 230694334Sgshapiro2002:c0a8:02c7::/48. 230738032Speter 230838032SpeterThe value part of the map can contain: 230938032Speter 231090792Sgshapiro OK Accept mail even if other rules in the running 231190792Sgshapiro ruleset would reject it, for example, if the domain 231290792Sgshapiro name is unresolvable. "Accept" does not mean 231390792Sgshapiro "relay", but at most acceptance for local 231490792Sgshapiro recipients. That is, OK allows less than RELAY. 231542575Speter RELAY Accept mail addressed to the indicated domain or 231642575Speter received from the indicated domain for relaying 231742575Speter through your SMTP server. RELAY also serves as 231842575Speter an implicit OK for the other checks. 231942575Speter REJECT Reject the sender or recipient with a general 232038032Speter purpose message. 232142575Speter DISCARD Discard the message completely using the 232271345Sgshapiro $#discard mailer. If it is used in check_compat, 232371345Sgshapiro it affects only the designated recipient, not 232471345Sgshapiro the whole message as it does in all other cases. 232571345Sgshapiro This should only be used if really necessary. 232690792Sgshapiro SKIP This can only be used for host/domain names 232790792Sgshapiro and IP addresses/nets. It will abort the current 232890792Sgshapiro search for this entry without accepting or rejecting 232990792Sgshapiro it but causing the default action. 233066494Sgshapiro ### any text where ### is an RFC 821 compliant error code and 233166494Sgshapiro "any text" is a message to return for the command. 233266494Sgshapiro The string should be quoted to avoid surprises, 233366494Sgshapiro e.g., sendmail may remove spaces otherwise. 233490792Sgshapiro This type is deprecated, use one the two 233590792Sgshapiro ERROR: entries below instead. 233664562Sgshapiro ERROR:### any text 233764562Sgshapiro as above, but useful to mark error messages as such. 233864562Sgshapiro ERROR:D.S.N:### any text 233964562Sgshapiro where D.S.N is an RFC 1893 compliant error code 234064562Sgshapiro and the rest as above. 234138032Speter 234238032SpeterFor example: 234338032Speter 234490792Sgshapiro cyberspammer.com ERROR:550 "We don't accept mail from spammers" 234538032Speter okay.cyberspammer.com OK 234664562Sgshapiro sendmail.org RELAY 234738032Speter 128.32 RELAY 234890792Sgshapiro IPv6:1:2:3:4:5:6:7 RELAY 234964562Sgshapiro [127.0.0.3] OK 235090792Sgshapiro [IPv6:1:2:3:4:5:6:7:8] OK 235138032Speter 235264562Sgshapirowould accept mail from okay.cyberspammer.com, but would reject mail from 235364562Sgshapiroall other hosts at cyberspammer.com with the indicated message. It would 235464562Sgshapiroallow relaying mail from and to any hosts in the sendmail.org domain, and 235564562Sgshapiroallow relaying from the 128.32.*.* network and the IPv6 1:2:3:4:5:6:7:* 235664562Sgshapironetwork. The latter two entries are for checks against ${client_name} if 235764562Sgshapirothe IP address doesn't resolve to a hostname (or is considered as "may be 235890792Sgshapiroforged"). That is, using square brackets means these are host names, 235990792Sgshapironot network numbers. 236038032Speter 236164562SgshapiroWarning: if you change the RFC 821 compliant error code from the default 236264562Sgshapirovalue of 550, then you should probably also change the RFC 1893 compliant 236364562Sgshapiroerror code to match it. For example, if you use 236464562Sgshapiro 236590792Sgshapiro user@example.com ERROR:450 mailbox full 236664562Sgshapiro 236790792Sgshapirothe error returned would be "450 5.0.0 mailbox full" which is wrong. 236890792SgshapiroUse "ERROR:4.2.2:450 mailbox full" instead. 236964562Sgshapiro 237064562SgshapiroNote, UUCP users may need to add hostname.UUCP to the access database 237190792Sgshapiroor class {R}. 237264562Sgshapiro 237390792SgshapiroIf you also use: 237490792Sgshapiro 237543730Speter FEATURE(`relay_hosts_only') 237638032Speter 237738032Speterthen the above example will allow relaying for sendmail.org, but not 237838032Speterhosts within the sendmail.org domain. Note that this will also require 237964562Sgshapirohosts listed in class {R} to be fully qualified host names. 238038032Speter 238138032SpeterYou can also use the access database to block sender addresses based on 238238032Speterthe username portion of the address. For example: 238338032Speter 238466494Sgshapiro FREE.STEALTH.MAILER@ ERROR:550 Spam not accepted 238538032Speter 238638032SpeterNote that you must include the @ after the username to signify that 238738032Speterthis database entry is for checking only the username portion of the 238838032Spetersender address. 238938032Speter 239038032SpeterIf you use: 239138032Speter 239243730Speter FEATURE(`blacklist_recipients') 239338032Speter 239438032Speterthen you can add entries to the map for local users, hosts in your 239538032Speterdomains, or addresses in your domain which should not receive mail: 239638032Speter 239766494Sgshapiro badlocaluser@ ERROR:550 Mailbox disabled for this username 239866494Sgshapiro host.mydomain.com ERROR:550 That host does not accept mail 239966494Sgshapiro user@otherhost.mydomain.com ERROR:550 Mailbox disabled for this recipient 240038032Speter 240138032SpeterThis would prevent a recipient of badlocaluser@mydomain.com, any 240238032Speteruser at host.mydomain.com, and the single address 240364562Sgshapirouser@otherhost.mydomain.com from receiving mail. Please note: a 240464562Sgshapirolocal username must be now tagged with an @ (this is consistent 240564562Sgshapirowith the check of the sender address, and hence it is possible to 240664562Sgshapirodistinguish between hostnames and usernames). Enabling this feature 240764562Sgshapirowill keep you from sending mails to all addresses that have an 240864562Sgshapiroerror message or REJECT as value part in the access map. Taking 240964562Sgshapirothe example from above: 241038032Speter 241142575Speter spammer@aol.com REJECT 241242575Speter cyberspammer.com REJECT 241342575Speter 241442575SpeterMail can't be sent to spammer@aol.com or anyone at cyberspammer.com. 241542575Speter 241690792SgshapiroThere are several DNS based blacklists, the first of which was 241790792Sgshapirothe RBL (``Realtime Blackhole List'') run by the MAPS project, 241890792Sgshapirosee http://mail-abuse.org/. These are databases of spammers 241990792Sgshapiromaintained in DNS. To use such a database, specify 242038032Speter 242164562Sgshapiro FEATURE(`dnsbl') 242238032Speter 242390792SgshapiroThis will cause sendmail to reject mail from any site in the original 242480785SgshapiroRealtime Blackhole List database. This default DNS blacklist, 242580785Sgshapiroblackholes.mail-abuse.org, is a service offered by the Mail Abuse 242680785SgshapiroPrevention System (MAPS). As of July 31, 2001, MAPS is a subscription 242780785Sgshapiroservice, so using that network address won't work if you haven't 242880785Sgshapirosubscribed. Contact MAPS to subscribe (http://mail-abuse.org/). 242938032Speter 243080785SgshapiroYou can specify an alternative RBL server to check by specifying an 243180785Sgshapiroargument to the FEATURE. The default error message is 243280785Sgshapiro 243390792Sgshapiro Mail from IP-ADDRESS refused by blackhole site SERVER 243480785Sgshapiro 243590792Sgshapirowhere IP-ADDRESS and SERVER are replaced by the appropriate 243690792Sgshapiroinformation. A second argument can be used to specify a different 243790792Sgshapirotext. By default, temporary lookup failures are ignored and hence 243890792Sgshapirocause the connection not to be rejected by the DNS based rejection 243990792Sgshapirolist. This behavior can be changed by specifying a third argument, 244090792Sgshapirowhich must be either `t' or a full error message. For example: 244171345Sgshapiro 244290792Sgshapiro FEATURE(`dnsbl', `dnsbl.example.com', `', 244390792Sgshapiro `"451 Temporary lookup failure for " $&{client_addr} " in dnsbl.example.com"') 244471345Sgshapiro 244590792SgshapiroIf `t' is used, the error message is: 244690792Sgshapiro 244790792Sgshapiro 451 Temporary lookup failure of IP-ADDRESS at SERVER 244890792Sgshapiro 244990792Sgshapirowhere IP-ADDRESS and SERVER are replaced by the appropriate 245090792Sgshapiroinformation. 245190792Sgshapiro 245290792SgshapiroThis FEATURE can be included several times to query different 245390792SgshapiroDNS based rejection lists, e.g., the dial-up user list (see 245490792Sgshapirohttp://mail-abuse.org/dul/). 245590792Sgshapiro 245690792SgshapiroNotice: to avoid checking your own local domains against those 245790792Sgshapiroblacklists, use the access_db feature and add: 245890792Sgshapiro 245990792Sgshapiro Connect:10.1 OK 246090792Sgshapiro Connect:127.0.0.1 RELAY 246190792Sgshapiro 246290792Sgshapiroto the access map, where 10.1 is your local network. You may 246390792Sgshapirowant to use "RELAY" instead of "OK" to allow also relaying 246490792Sgshapiroinstead of just disabling the DNS lookups in the backlists. 246590792Sgshapiro 246690792Sgshapiro 246738032SpeterThe features described above make use of the check_relay, check_mail, 246838032Speterand check_rcpt rulesets. If you wish to include your own checks, 246938032Speteryou can put your checks in the rulesets Local_check_relay, 247038032SpeterLocal_check_mail, and Local_check_rcpt. For example if you wanted to 247138032Speterblock senders with all numeric usernames (i.e. 2312343@bigisp.com), 247290792Sgshapiroyou would use Local_check_mail and the regex map: 247338032Speter 247464562Sgshapiro LOCAL_CONFIG 247564562Sgshapiro Kallnumbers regex -a@MATCH ^[0-9]+$ 247664562Sgshapiro 247764562Sgshapiro LOCAL_RULESETS 247864562Sgshapiro SLocal_check_mail 247964562Sgshapiro # check address against various regex checks 248038032Speter R$* $: $>Parse0 $>3 $1 248164562Sgshapiro R$+ < @ bigisp.com. > $* $: $(allnumbers $1 $) 248264562Sgshapiro R@MATCH $#error $: 553 Header Error 248338032Speter 248438032SpeterThese rules are called with the original arguments of the corresponding 248538032Spetercheck_* ruleset. If the local ruleset returns $#OK, no further checking 248638032Speteris done by the features described above and the mail is accepted. If the 248738032Speterlocal ruleset resolves to a mailer (such as $#error or $#discard), the 248838032Speterappropriate action is taken. Otherwise, the results of the local 248938032Speterrewriting are ignored. 249038032Speter 249164562SgshapiroFiner control by using tags for the LHS of the access map 249290792Sgshapiro--------------------------------------------------------- 249338032Speter 249464562SgshapiroRead this section only if the options listed so far are not sufficient 249564562Sgshapirofor your purposes. There is now the option to tag entries in the 249664562Sgshapiroaccess map according to their type. Three tags are available: 249764562Sgshapiro 249864562Sgshapiro Connect: connection information (${client_addr}, ${client_name}) 249973188Sgshapiro From: envelope sender 250073188Sgshapiro To: envelope recipient 250164562Sgshapiro 250264562SgshapiroIf the required item is looked up in a map, it will be tried first 250364562Sgshapirowith the corresponding tag in front, then (as fallback to enable 250490792Sgshapirobackward compatibility) without any tag, unless the specific feature 250590792Sgshapirorequires a tag. For example, 250664562Sgshapiro 250764562Sgshapiro From:spammer@some.dom REJECT 250864562Sgshapiro To:friend.domain RELAY 250964562Sgshapiro Connect:friend.domain OK 251064562Sgshapiro Connect:from.domain RELAY 251164562Sgshapiro From:good@another.dom OK 251264562Sgshapiro From:another.dom REJECT 251364562Sgshapiro 251464562SgshapiroThis would deny mails from spammer@some.dom but you could still 251564562Sgshapirosend mail to that address even if FEATURE(`blacklist_recipients') 251664562Sgshapirois enabled. Your system will allow relaying to friend.domain, but 251764562Sgshapironot from it (unless enabled by other means). Connections from that 251864562Sgshapirodomain will be allowed even if it ends up in one of the DNS based 251964562Sgshapirorejection lists. Relaying is enabled from from.domain but not to 252064562Sgshapiroit (since relaying is based on the connection information for 252164562Sgshapirooutgoing relaying, the tag Connect: must be used; for incoming 252264562Sgshapirorelaying, which is based on the recipient address, To: must be 252364562Sgshapiroused). The last two entries allow mails from good@another.dom but 252464562Sgshapiroreject mail from all other addresses with another.dom as domain 252564562Sgshapiropart. 252664562Sgshapiro 252764562SgshapiroDelay all checks 252890792Sgshapiro---------------- 252964562Sgshapiro 253064562SgshapiroBy using FEATURE(`delay_checks') the rulesets check_mail and check_relay 253164562Sgshapirowill not be called when a client connects or issues a MAIL command, 253264562Sgshapirorespectively. Instead, those rulesets will be called by the check_rcpt 253364562Sgshapiroruleset; they will be skipped if a sender has been authenticated using 253464562Sgshapiroa "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH(). 253564562SgshapiroIf check_mail returns an error then the RCPT TO command will be rejected 253664562Sgshapirowith that error. If it returns some other result starting with $# then 253764562Sgshapirocheck_relay will be skipped. If the sender address (or a part of it) is 253864562Sgshapirolisted in the access map and it has a RHS of OK or RELAY, then check_relay 253964562Sgshapirowill be skipped. This has an interesting side effect: if your domain is 254064562Sgshapiromy.domain and you have 254164562Sgshapiro 254264562Sgshapiro my.domain RELAY 254364562Sgshapiro 254464562Sgshapiroin the access map, then all e-mail with a sender address of 254564562Sgshapiro<user@my.domain> gets through, even if check_relay would reject it 254664562Sgshapiro(e.g., based on the hostname or IP address). This allows spammers 254764562Sgshapiroto get around DNS based blacklist by faking the sender address. To 254864562Sgshapiroavoid this problem you have to use tagged entries: 254964562Sgshapiro 255064562Sgshapiro To:my.domain RELAY 255164562Sgshapiro Connect:my.domain RELAY 255264562Sgshapiro 255364562Sgshapiroif you need those entries at all (class {R} may take care of them). 255473188Sgshapiro 255564562SgshapiroFEATURE(`delay_checks') can take an optional argument: 255664562Sgshapiro 255764562Sgshapiro FEATURE(`delay_checks', `friend') 255864562Sgshapiro enables spamfriend test 255964562Sgshapiro FEATURE(`delay_checks', `hater') 256064562Sgshapiro enables spamhater test 256164562Sgshapiro 256294334SgshapiroIf such an argument is given, the recipient will be looked up in the 256394334Sgshapiroaccess map (using the tag Spam:). If the argument is `friend', then 256494334Sgshapirothe default behavior is to apply the other rulesets and make a SPAM 256594334Sgshapirofriend the exception. The rulesets check_mail and check_relay will be 256694334Sgshapiroskipped only if the recipient address is found and has RHS FRIEND. If 256794334Sgshapirothe argument is `hater', then the default behavior is to skip the rulesets 256894334Sgshapirocheck_mail and check_relay and make a SPAM hater the exception. The 256994334Sgshapiroother two rulesets will be applied only if the recipient address is 257094334Sgshapirofound and has RHS HATER. 257164562Sgshapiro 257264562SgshapiroThis allows for simple exceptions from the tests, e.g., by activating 257390792Sgshapirothe friend option and having 257464562Sgshapiro 257590792Sgshapiro Spam:abuse@ FRIEND 257664562Sgshapiro 257764562Sgshapiroin the access map, mail to abuse@localdomain will get through. It is 257864562Sgshapiroalso possible to specify a full address or an address with +detail: 257964562Sgshapiro 258090792Sgshapiro Spam:abuse@my.domain FRIEND 258190792Sgshapiro Spam:me+abuse@ FRIEND 258290792Sgshapiro Spam:spam.domain FRIEND 258364562Sgshapiro 258490792SgshapiroNote: The required tag has been changed in 8.12 from To: to Spam:. 258590792SgshapiroThis change is incompatible to previous versions. However, you can 258690792Sgshapiro(for now) simply add the new entries to the access map, the old 258790792Sgshapiroones will be ignored. As soon as you removed the old entries from 258890792Sgshapirothe access map, specify a third parameter (`n') to this feature and 258990792Sgshapirothe backward compatibility rules will not be in the generated .cf 259090792Sgshapirofile. 259164562Sgshapiro 259264562SgshapiroHeader Checks 259390792Sgshapiro------------- 259464562Sgshapiro 259538032SpeterYou can also reject mail on the basis of the contents of headers. 259638032SpeterThis is done by adding a ruleset call to the 'H' header definition command 259738032Speterin sendmail.cf. For example, this can be used to check the validity of 259838032Spetera Message-ID: header: 259938032Speter 260038032Speter LOCAL_RULESETS 260138032Speter HMessage-Id: $>CheckMessageId 260238032Speter 260338032Speter SCheckMessageId 260438032Speter R< $+ @ $+ > $@ OK 260538032Speter R$* $#error $: 553 Header Error 260638032Speter 260764562SgshapiroThe alternative format: 260838032Speter 260964562Sgshapiro HSubject: $>+CheckSubject 261042575Speter 261164562Sgshapirothat is, $>+ instead of $>, gives the full Subject: header including 261264562Sgshapirocomments to the ruleset (comments in parentheses () are stripped 261364562Sgshapiroby default). 261442575Speter 261564562SgshapiroA default ruleset for headers which don't have a specific ruleset 261664562Sgshapirodefined for them can be given by: 261742575Speter 261864562Sgshapiro H*: $>CheckHdr 261943730Speter 262090792SgshapiroNotice: 262190792Sgshapiro1. All rules act on tokens as explained in doc/op/op.{me,ps,txt}. 262273188SgshapiroThat may cause problems with simple header checks due to the 262390792Sgshapirotokenization. It might be simpler to use a regex map and apply it 262473188Sgshapiroto $&{currHeader}. 262590792Sgshapiro2. There are no default rulesets coming with this distribution of 262690792Sgshapirosendmail. You can either write your own or you can search the 262790792SgshapiroWWW for examples, e.g., http://www.digitalanswers.org/check_local/ 262873188Sgshapiro 262964562SgshapiroAfter all of the headers are read, the check_eoh ruleset will be called for 263064562Sgshapiroany final header-related checks. The ruleset is called with the number of 263164562Sgshapiroheaders and the size of all of the headers in bytes separated by $|. One 263264562Sgshapiroexample usage is to reject messages which do not have a Message-Id: 263364562Sgshapiroheader. However, the Message-Id: header is *NOT* a required header and is 263464562Sgshapironot a guaranteed spam indicator. This ruleset is an example and should 263564562Sgshapiroprobably not be used in production. 263664562Sgshapiro 263764562Sgshapiro LOCAL_CONFIG 263864562Sgshapiro Kstorage macro 263964562Sgshapiro 264064562Sgshapiro LOCAL_RULESETS 264164562Sgshapiro HMessage-Id: $>CheckMessageId 264264562Sgshapiro 264364562Sgshapiro SCheckMessageId 264464562Sgshapiro # Record the presence of the header 264564562Sgshapiro R$* $: $(storage {MessageIdCheck} $@ OK $) $1 264664562Sgshapiro R< $+ @ $+ > $@ OK 264764562Sgshapiro R$* $#error $: 553 Header Error 264864562Sgshapiro 264964562Sgshapiro Scheck_eoh 265064562Sgshapiro # Check the macro 265164562Sgshapiro R$* $: < $&{MessageIdCheck} > 265264562Sgshapiro # Clear the macro for the next message 265364562Sgshapiro R$* $: $(storage {MessageIdCheck} $) $1 265464562Sgshapiro # Has a Message-Id: header 265564562Sgshapiro R< $+ > $@ OK 265664562Sgshapiro # Allow missing Message-Id: from local mail 265764562Sgshapiro R$* $: < $&{client_name} > 265864562Sgshapiro R< > $@ OK 265964562Sgshapiro R< $=w > $@ OK 266064562Sgshapiro # Otherwise, reject the mail 266164562Sgshapiro R$* $#error $: 553 Header Error 266264562Sgshapiro 266366494Sgshapiro+----------+ 266466494Sgshapiro| STARTTLS | 266566494Sgshapiro+----------+ 266664562Sgshapiro 266764562SgshapiroIn this text, cert will be used as an abreviation for X.509 certificate, 266890792SgshapiroDN (CN) is the distinguished (common) name of a cert, and CA is a 266990792Sgshapirocertification authority, which signs (issues) certs. 267064562Sgshapiro 267180785SgshapiroFor STARTTLS to be offered by sendmail you need to set at least 267280785Sgshapirothis variables (the file names and paths are just examples): 267380785Sgshapiro 267480785Sgshapiro define(`confCACERT_PATH', `/etc/mail/certs/') 267580785Sgshapiro define(`confCACERT', `/etc/mail/certs/CA.cert.pem') 267680785Sgshapiro define(`confSERVER_CERT', `/etc/mail/certs/my.cert.pem') 267780785Sgshapiro define(`confSERVER_KEY', `/etc/mail/certs/my.key.pem') 267880785Sgshapiro 267980785SgshapiroOn systems which do not have the compile flag HASURANDOM set (see 268080785Sgshapirosendmail/README) you also must set confRAND_FILE. 268180785Sgshapiro 268290792SgshapiroSee doc/op/op.{me,ps,txt} for more information about these options, 268390792Sgshapiroespecially the sections ``Certificates for STARTTLS'' and ``PRNG for 268480785SgshapiroSTARTTLS''. 268580785Sgshapiro 268664562SgshapiroMacros related to STARTTLS are: 268764562Sgshapiro 268864562Sgshapiro${cert_issuer} holds the DN of the CA (the cert issuer). 268964562Sgshapiro${cert_subject} holds the DN of the cert (called the cert subject). 269090792Sgshapiro${cn_issuer} holds the CN of the CA (the cert issuer). 269190792Sgshapiro${cn_subject} holds the CN of the cert (called the cert subject). 269264562Sgshapiro${tls_version} the TLS/SSL version used for the connection, e.g., TLSv1, 269390792Sgshapiro TLSv1/SSLv3, SSLv3, SSLv2. 269464562Sgshapiro${cipher} the cipher used for the connection, e.g., EDH-DSS-DES-CBC3-SHA, 269564562Sgshapiro EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA. 269664562Sgshapiro${cipher_bits} the keylength (in bits) of the symmetric encryption algorithm 269764562Sgshapiro used for the connection. 269890792Sgshapiro${verify} holds the result of the verification of the presented cert. 269990792Sgshapiro Possible values are: 270090792Sgshapiro OK verification succeeded. 270190792Sgshapiro NO no cert presented. 270290792Sgshapiro NOT no cert requested. 270390792Sgshapiro FAIL cert presented but could not be verified, 270490792Sgshapiro e.g., the cert of the signing CA is missing. 270590792Sgshapiro NONE STARTTLS has not been performed. 270690792Sgshapiro TEMP temporary error occurred. 270790792Sgshapiro PROTOCOL protocol error occurred (SMTP level). 270864562Sgshapiro SOFTWARE STARTTLS handshake failed. 270990792Sgshapiro${server_name} the name of the server of the current outgoing SMTP 271064562Sgshapiro connection. 271190792Sgshapiro${server_addr} the address of the server of the current outgoing SMTP 271264562Sgshapiro connection. 271364562Sgshapiro 271464562SgshapiroRelaying 271590792Sgshapiro-------- 271664562Sgshapiro 271764562SgshapiroSMTP STARTTLS can allow relaying for senders who have successfully 271890792Sgshapiroauthenticated themselves. This is done in the ruleset RelayAuth. If the 271964562Sgshapiroverification of the cert failed (${verify} != OK), relaying is subject to 272090792Sgshapirothe usual rules. Otherwise the DN of the issuer is looked up in the access 272190792Sgshapiromap using the tag CERTISSUER. If the resulting value is RELAY, relaying is 272290792Sgshapiroallowed. If it is SUBJECT, the DN of the cert subject is looked up next in 272390792Sgshapirothe access map using the tag CERTSUBJECT. If the value is RELAY, relaying 272464562Sgshapirois allowed. 272564562Sgshapiro 272664562SgshapiroTo make things a bit more flexible (or complicated), the values for 272764562Sgshapiro${cert_issuer} and ${cert_subject} can be optionally modified by regular 272864562Sgshapiroexpressions defined in the m4 variables _CERT_REGEX_ISSUER_ and 272990792Sgshapiro_CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in 273064562Sgshapirorulesets and map lookups, they are modified as follows: each non-printable 273164562Sgshapirocharacter and the characters '<', '>', '(', ')', '"', '+' are replaced by 273290792Sgshapirotheir HEX value with a leading '+'. For example: 273364562Sgshapiro 273464562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email= 273564562Sgshapirodarth+cert@endmail.org 273664562Sgshapiro 273764562Sgshapirois encoded as: 273864562Sgshapiro 273964562Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 274064562SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 274164562Sgshapiro 274264562Sgshapiro(line breaks have been inserted for readability). 274364562Sgshapiro 274490792SgshapiroExamples: 274590792Sgshapiro 274690792SgshapiroTo allow relaying for everyone who can present a cert signed by 274790792Sgshapiro 274890792Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 274990792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 275090792Sgshapiro 275190792Sgshapirosimply use: 275290792Sgshapiro 275390792SgshapiroCERTIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= 275490792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org RELAY 275590792Sgshapiro 275690792SgshapiroTo allow relaying only for a subset of machines that have a cert signed by 275790792Sgshapiro 275890792Sgshapiro/C=US/ST=California/O=endmail.org/OU=private/CN= 275990792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org 276090792Sgshapiro 276190792Sgshapirouse: 276290792Sgshapiro 276390792SgshapiroCERTIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= 276490792SgshapiroDarth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org SUBJECT 276590792SgshapiroCERTSubject:/C=US/ST=California/O=endmail.org/OU=private/CN= 276690792SgshapiroDeathStar/Email=deathstar@endmail.org RELAY 276790792Sgshapiro 276890792SgshapiroNote: line breaks have been inserted after "CN=" for readability, 276990792Sgshapiroeach tagged entry must be one (long) line in the access map. 277090792Sgshapiro 277190792SgshapiroOf course it is also possible to write a simple ruleset that allows 277264562Sgshapirorelaying for everyone who can present a cert that can be verified, e.g., 277364562Sgshapiro 277464562SgshapiroLOCAL_RULESETS 277564562SgshapiroSLocal_check_rcpt 277664562SgshapiroR$* $: $&{verify} 277764562SgshapiroROK $# OK 277864562Sgshapiro 277964562SgshapiroAllowing Connections 278090792Sgshapiro-------------------- 278164562Sgshapiro 278290792SgshapiroThe rulesets tls_server, tls_client, and tls_rcpt are used to decide whether 278390792Sgshapiroan SMTP connection is accepted (or should continue). 278464562Sgshapiro 278564562Sgshapirotls_server is called when sendmail acts as client after a STARTTLS command 278690792Sgshapiro(should) have been issued. The parameter is the value of ${verify}. 278764562Sgshapiro 278864562Sgshapirotls_client is called when sendmail acts as server, after a STARTTLS command 278990792Sgshapirohas been issued, and from check_mail. The parameter is the value of 279064562Sgshapiro${verify} and STARTTLS or MAIL, respectively. 279164562Sgshapiro 279290792SgshapiroBoth rulesets behave the same. If no access map is in use, the connection 279364562Sgshapirowill be accepted unless ${verify} is SOFTWARE, in which case the connection 279490792Sgshapirois always aborted. For tls_server/tls_client, ${client_name}/${server_name} 279590792Sgshapirois looked up in the access map using the tag TLS_Srv/TLS_Clt, which is done 279690792Sgshapirowith the ruleset LookUpDomain. If no entry is found, ${client_addr} 279764562Sgshapiro(${server_addr}) is looked up in the access map (same tag, ruleset 279890792SgshapiroLookUpAddr). If this doesn't result in an entry either, just the tag is 279990792Sgshapirolooked up in the access map (included the trailing colon). Notice: 280090792Sgshapirorequiring that e-mail is sent to a server only encrypted, e.g., via 280164562Sgshapiro 280290792SgshapiroTLS_Srv:secure.domain ENCR:112 280390792Sgshapiro 280490792Sgshapirodoesn't necessarily mean that e-mail sent to that domain is encrypted. 280590792SgshapiroIf the domain has multiple MX servers, e.g., 280690792Sgshapiro 280790792Sgshapirosecure.domain. IN MX 10 mail.secure.domain. 280890792Sgshapirosecure.domain. IN MX 50 mail.other.domain. 280990792Sgshapiro 281090792Sgshapirothen mail to user@secure.domain may go unencrypted to mail.other.domain. 281190792Sgshapirotls_rcpt can be used to address this problem. 281290792Sgshapiro 281390792Sgshapirotls_rcpt is called before a RCPT TO: command is sent. The parameter is the 281490792Sgshapirocurrent recipient. This ruleset is only defined if FEATURE(`access_db') 281590792Sgshapirois selected. A recipient address user@domain is looked up in the access 281690792Sgshapiromap in four formats: TLS_Rcpt:user@domain, TLS_Rcpt:user@, TLS_Rcpt:domain, 281790792Sgshapiroand TLS_Rcpt:; the first match is taken. 281890792Sgshapiro 281990792SgshapiroThe result of the lookups is then used to call the ruleset TLS_connection, 282090792Sgshapirowhich checks the requirement specified by the RHS in the access map against 282190792Sgshapirothe actual parameters of the current TLS connection, esp. ${verify} and 282290792Sgshapiro${cipher_bits}. Legal RHSs in the access map are: 282390792Sgshapiro 282464562SgshapiroVERIFY verification must have succeeded 282564562SgshapiroVERIFY:bits verification must have succeeded and ${cipher_bits} must 282664562Sgshapiro be greater than or equal bits. 282764562SgshapiroENCR:bits ${cipher_bits} must be greater than or equal bits. 282864562Sgshapiro 282964562SgshapiroThe RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary 283090792Sgshapiroor permanent error. The default is a temporary error code (403 4.7.0) 283164562Sgshapirounless the macro TLS_PERM_ERR is set during generation of the .cf file. 283264562Sgshapiro 283364562SgshapiroIf a certain level of encryption is required, then it might also be 283464562Sgshapiropossible that this level is provided by the security layer from a SASL 283564562Sgshapiroalgorithm, e.g., DIGEST-MD5. 283664562Sgshapiro 283790792SgshapiroFurthermore, there can be a list of extensions added. Such a list 283890792Sgshapirostarts with '+' and the items are separated by '++'. Allowed 283990792Sgshapiroextensions are: 284090792Sgshapiro 284190792SgshapiroCN:name name must match ${cn_subject} 284290792SgshapiroCN ${server_name} must match ${cn_subject} 284390792SgshapiroCS:name name must match ${cert_subject} 284490792SgshapiroCI:name name must match ${cert_issuer} 284590792Sgshapiro 284682017SgshapiroExample: e-mail sent to secure.example.com should only use an encrypted 284790792Sgshapiroconnection. E-mail received from hosts within the laptop.example.com domain 284890792Sgshapiroshould only be accepted if they have been authenticated. The host which 284990792Sgshapiroreceives e-mail for darth@endmail.org must present a cert that uses the 285090792SgshapiroCN smtp.endmail.org. 285190792Sgshapiro 285264562SgshapiroTLS_Srv:secure.example.com ENCR:112 285364562SgshapiroTLS_Clt:laptop.example.com PERM+VERIFY:112 285490792SgshapiroTLS_Rcpt:darth@endmail.org ENCR:112+CN:smtp.endmail.org 285564562Sgshapiro 285673188Sgshapiro 285790792SgshapiroDisabling STARTTLS And Setting SMTP Server Features 285890792Sgshapiro--------------------------------------------------- 285973188Sgshapiro 286090792SgshapiroBy default STARTTLS is used whenever possible. However, there are 286190792Sgshapirosome broken MTAs that don't properly implement STARTTLS. To be able 286290792Sgshapiroto send to (or receive from) those MTAs, the ruleset try_tls 286390792Sgshapiro(srv_features) can be used that work together with the access map. 286490792SgshapiroEntries for the access map must be tagged with Try_TLS (Srv_Features) 286590792Sgshapiroand refer to the hostname or IP address of the connecting system. 286690792SgshapiroA default case can be specified by using just the tag. For example, 286790792Sgshapirothe following entries in the access map: 286873188Sgshapiro 286990792Sgshapiro Try_TLS:broken.server NO 287090792Sgshapiro Srv_Features:my.domain v 287190792Sgshapiro Srv_Features: V 287273188Sgshapiro 287390792Sgshapirowill turn off STARTTLS when sending to broken.server (or any host 287490792Sgshapiroin that domain), and request a client certificate during the TLS 287590792Sgshapirohandshake only for hosts in my.domain. The valid entries on the RHS 287690792Sgshapirofor Srv_Features are listed in the Sendmail Installation and 287790792SgshapiroOperations Guide. 287873188Sgshapiro 287973188Sgshapiro 288064562SgshapiroReceived: Header 288190792Sgshapiro---------------- 288264562Sgshapiro 288390792SgshapiroThe Received: header reveals whether STARTTLS has been used. It contains an 288464562Sgshapiroextra line: 288564562Sgshapiro 288690792Sgshapiro(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify}) 288764562Sgshapiro 288890792Sgshapiro 288966494Sgshapiro+---------------------+ 289066494Sgshapiro| SMTP AUTHENTICATION | 289166494Sgshapiro+---------------------+ 289264562Sgshapiro 289364562SgshapiroThe macros ${auth_authen}, ${auth_author}, and ${auth_type} can be 289464562Sgshapiroused in anti-relay rulesets to allow relaying for those users that 289564562Sgshapiroauthenticated themselves. A very simple example is: 289664562Sgshapiro 289764562SgshapiroSLocal_check_rcpt 289864562SgshapiroR$* $: $&{auth_type} 289964562SgshapiroR$+ $# OK 290064562Sgshapiro 290164562Sgshapirowhich checks whether a user has successfully authenticated using 290264562Sgshapiroany available mechanism. Depending on the setup of the CYRUS SASL 290364562Sgshapirolibrary, more sophisticated rulesets might be required, e.g., 290464562Sgshapiro 290564562SgshapiroSLocal_check_rcpt 290664562SgshapiroR$* $: $&{auth_type} $| $&{auth_authen} 290764562SgshapiroRDIGEST-MD5 $| $+@$=w $# OK 290864562Sgshapiro 290964562Sgshapiroto allow relaying for users that authenticated using DIGEST-MD5 291064562Sgshapiroand have an identity in the local domains. 291164562Sgshapiro 291290792SgshapiroThe ruleset trust_auth is used to determine whether a given AUTH= 291364562Sgshapiroparameter (that is passed to this ruleset) should be trusted. This 291464562Sgshapiroruleset may make use of the other ${auth_*} macros. Only if the 291564562Sgshapiroruleset resolves to the error mailer, the AUTH= parameter is not 291664562Sgshapirotrusted. A user supplied ruleset Local_trust_auth can be written 291764562Sgshapiroto modify the default behavior, which only trust the AUTH= 291864562Sgshapiroparameter if it is identical to the authenticated user. 291964562Sgshapiro 292064562SgshapiroPer default, relaying is allowed for any user who authenticated 292164562Sgshapirovia a "trusted" mechanism, i.e., one that is defined via 292264562SgshapiroTRUST_AUTH_MECH(`list of mechanisms') 292371345SgshapiroFor example: 292471345SgshapiroTRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5') 292564562Sgshapiro 292664562SgshapiroIf the selected mechanism provides a security layer the number of 292764562Sgshapirobits used for the key of the symmetric cipher is stored in the 292864562Sgshapiromacro ${auth_ssf}. 292964562Sgshapiro 293090792SgshapiroIf sendmail acts as client, it needs some information how to 293190792Sgshapiroauthenticate against another MTA. This information can be provided 293290792Sgshapiroby the ruleset authinfo or by the option DefaultAuthInfo. The 293390792Sgshapiroauthinfo ruleset looks up {server_name} using the tag AuthInfo: in 293490792Sgshapirothe access map. If no entry is found, {server_addr} is looked up 293590792Sgshapiroin the same way and finally just the tag AuthInfo: to provide 293690792Sgshapirodefault values. 293790792Sgshapiro 293890792SgshapiroNotice: the default configuration file causes the option DefaultAuthInfo 293990792Sgshapiroto fail since the ruleset authinfo is in the .cf file. If you really 294090792Sgshapirowant to use DefaultAuthInfo (it is deprecated) then you have to 294190792Sgshapiroremove the ruleset. 294290792Sgshapiro 294390792SgshapiroThe RHS for an AuthInfo: entry in the access map should consists of a 294490792Sgshapirolist of tokens, each of which has the form: "TDstring" (including 294590792Sgshapirothe quotes). T is a tag which describes the item, D is a delimiter, 294690792Sgshapiroeither ':' for simple text or '=' for a base64 encoded string. 294790792SgshapiroValid values for the tag are: 294890792Sgshapiro 294990792Sgshapiro U user (authorization) id 295090792Sgshapiro I authentication id 295190792Sgshapiro P password 295290792Sgshapiro R realm 295390792Sgshapiro M list of mechanisms delimited by spaces 295490792Sgshapiro 295590792SgshapiroExample entries are: 295690792Sgshapiro 295790792SgshapiroAuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5" 295890792SgshapiroAuthInfo:more.dom "U:user" "P=c2VjcmV0" 295990792Sgshapiro 296090792SgshapiroUser or authentication id must exist as well as the password. All 296190792Sgshapiroother entries have default values. If one of user or authentication 296290792Sgshapiroid is missing, the existing value is used for the missing item. 296390792SgshapiroIf "R:" is not specified, realm defaults to $j. The list of mechanisms 296490792Sgshapirodefaults to those specified by AuthMechanisms. 296590792Sgshapiro 296690792SgshapiroSince this map contains sensitive information, either the access 296790792Sgshapiromap must be unreadable by everyone but root (or the trusted user) 296890792Sgshapiroor FEATURE(`authinfo') must be used which provides a separate map. 296990792SgshapiroNotice: It is not checked whether the map is actually 297090792Sgshapirogroup/world-unreadable, this is left to the user. 297190792Sgshapiro 297264562Sgshapiro+--------------------------------+ 297338032Speter| ADDING NEW MAILERS OR RULESETS | 297438032Speter+--------------------------------+ 297538032Speter 297638032SpeterSometimes you may need to add entirely new mailers or rulesets. They 297738032Spetershould be introduced with the constructs MAILER_DEFINITIONS and 297838032SpeterLOCAL_RULESETS respectively. For example: 297938032Speter 298038032Speter MAILER_DEFINITIONS 298138032Speter Mmymailer, ... 298238032Speter ... 298338032Speter 298438032Speter LOCAL_RULESETS 298538032Speter Smyruleset 298638032Speter ... 298738032Speter 298890792SgshapiroLocal additions for the rulesets srv_features, try_tls, tls_rcpt, 298990792Sgshapirotls_client, and tls_server can be made using LOCAL_SRV_FEATURES, 299090792SgshapiroLOCAL_TRY_TLS, LOCAL_TLS_RCPT, LOCAL_TLS_CLIENT, and LOCAL_TLS_SERVER, 299190792Sgshapirorespectively. For example, to add a local ruleset that decides 299290792Sgshapirowhether to try STARTTLS in a sendmail client, use: 299338032Speter 299490792Sgshapiro LOCAL_TRY_TLS 299590792Sgshapiro R... 299690792Sgshapiro 299790792SgshapiroNote: you don't need to add a name for the ruleset, it is implicitly 299890792Sgshapirodefined by using the appropriate macro. 299990792Sgshapiro 300090792Sgshapiro 300171345Sgshapiro+-------------------------+ 300271345Sgshapiro| ADDING NEW MAIL FILTERS | 300371345Sgshapiro+-------------------------+ 300464562Sgshapiro 300564562SgshapiroSendmail supports mail filters to filter incoming SMTP messages according 300664562Sgshapiroto the "Sendmail Mail Filter API" documentation. These filters can be 300764562Sgshapiroconfigured in your mc file using the two commands: 300864562Sgshapiro 300964562Sgshapiro MAIL_FILTER(`name', `equates') 301064562Sgshapiro INPUT_MAIL_FILTER(`name', `equates') 301164562Sgshapiro 301264562SgshapiroThe first command, MAIL_FILTER(), simply defines a filter with the given 301364562Sgshapironame and equates. For example: 301464562Sgshapiro 301564562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 301664562Sgshapiro 301764562SgshapiroThis creates the equivalent sendmail.cf entry: 301864562Sgshapiro 301964562Sgshapiro Xarchive, S=local:/var/run/archivesock, F=R 302064562Sgshapiro 302164562SgshapiroThe INPUT_MAIL_FILTER() command performs the same actions as MAIL_FILTER 302264562Sgshapirobut also populates the m4 variable `confINPUT_MAIL_FILTERS' with the name 302364562Sgshapiroof the filter such that the filter will actually be called by sendmail. 302464562Sgshapiro 302564562SgshapiroFor example, the two commands: 302664562Sgshapiro 302764562Sgshapiro INPUT_MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 302864562Sgshapiro INPUT_MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 302964562Sgshapiro 303064562Sgshapiroare equivalent to the three commands: 303164562Sgshapiro 303264562Sgshapiro MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R') 303364562Sgshapiro MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T') 303464562Sgshapiro define(`confINPUT_MAIL_FILTERS', `archive, spamcheck') 303564562Sgshapiro 303664562SgshapiroIn general, INPUT_MAIL_FILTER() should be used unless you need to define 303764562Sgshapiromore filters than you want to use for `confINPUT_MAIL_FILTERS'. 303864562Sgshapiro 303964562SgshapiroNote that setting `confINPUT_MAIL_FILTERS' after any INPUT_MAIL_FILTER() 304064562Sgshapirocommands will clear the list created by the prior INPUT_MAIL_FILTER() 304164562Sgshapirocommands. 304264562Sgshapiro 304364562Sgshapiro 304490792Sgshapiro+-------------------------+ 304590792Sgshapiro| QUEUE GROUP DEFINITIONS | 304690792Sgshapiro+-------------------------+ 304790792Sgshapiro 304890792SgshapiroIn addition to the queue directory (which is the default queue group 304990792Sgshapirocalled "mqueue"), sendmail can deal with multiple queue groups, which 305090792Sgshapiroare collections of queue directories with the same behaviour. Queue 305190792Sgshapirogroups can be defined using the command: 305290792Sgshapiro 305390792Sgshapiro QUEUE_GROUP(`name', `equates') 305490792Sgshapiro 305590792SgshapiroFor details about queue groups, please see doc/op/op.{me,ps,txt}. 305690792Sgshapiro 305738032Speter+-------------------------------+ 305838032Speter| NON-SMTP BASED CONFIGURATIONS | 305938032Speter+-------------------------------+ 306038032Speter 306164562SgshapiroThese configuration files are designed primarily for use by 306264562SgshapiroSMTP-based sites. They may not be well tuned for UUCP-only or 306338032SpeterUUCP-primarily nodes (the latter is defined as a small local net 306464562Sgshapiroconnected to the rest of the world via UUCP). However, there is 306564562Sgshapiroone hook to handle some special cases. 306638032Speter 306738032SpeterYou can define a ``smart host'' that understands a richer address syntax 306838032Speterusing: 306938032Speter 307043730Speter define(`SMART_HOST', `mailer:hostname') 307138032Speter 307238032SpeterIn this case, the ``mailer:'' defaults to "relay". Any messages that 307338032Spetercan't be handled using the usual UUCP rules are passed to this host. 307438032Speter 307538032SpeterIf you are on a local SMTP-based net that connects to the outside 307638032Speterworld via UUCP, you can use LOCAL_NET_CONFIG to add appropriate rules. 307738032SpeterFor example: 307838032Speter 307964562Sgshapiro define(`SMART_HOST', `uucp-new:uunet') 308038032Speter LOCAL_NET_CONFIG 308138032Speter R$* < @ $* .$m. > $* $#smtp $@ $2.$m. $: $1 < @ $2.$m. > $3 308238032Speter 308394334SgshapiroThis will cause all names that end in your domain name ($m) to be sent 308494334Sgshapirovia SMTP; anything else will be sent via uucp-new (smart UUCP) to uunet. 308543730SpeterIf you have FEATURE(`nocanonify'), you may need to omit the dots after 308638032Speterthe $m. If you are running a local DNS inside your domain which is 308738032Speternot otherwise connected to the outside world, you probably want to 308838032Speteruse: 308938032Speter 309043730Speter define(`SMART_HOST', `smtp:fire.wall.com') 309138032Speter LOCAL_NET_CONFIG 309238032Speter R$* < @ $* . > $* $#smtp $@ $2. $: $1 < @ $2. > $3 309338032Speter 309438032SpeterThat is, send directly only to things you found in your DNS lookup; 309538032Speteranything else goes through SMART_HOST. 309638032Speter 309738032SpeterYou may need to turn off the anti-spam rules in order to accept 309843730SpeterUUCP mail with FEATURE(`promiscuous_relay') and 309943730SpeterFEATURE(`accept_unresolvable_domains'). 310038032Speter 310138032Speter 310238032Speter+-----------+ 310338032Speter| WHO AM I? | 310438032Speter+-----------+ 310538032Speter 310638032SpeterNormally, the $j macro is automatically defined to be your fully 310738032Speterqualified domain name (FQDN). Sendmail does this by getting your 310838032Speterhost name using gethostname and then calling gethostbyname on the 310938032Speterresult. For example, in some environments gethostname returns 311038032Speteronly the root of the host name (such as "foo"); gethostbyname is 311138032Spetersupposed to return the FQDN ("foo.bar.com"). In some (fairly rare) 311238032Spetercases, gethostbyname may fail to return the FQDN. In this case 311338032Speteryou MUST define confDOMAIN_NAME to be your fully qualified domain 311438032Spetername. This is usually done using: 311538032Speter 311638032Speter Dmbar.com 311738032Speter define(`confDOMAIN_NAME', `$w.$m')dnl 311838032Speter 311938032Speter 312064562Sgshapiro+-----------------------------------+ 312164562Sgshapiro| ACCEPTING MAIL FOR MULTIPLE NAMES | 312264562Sgshapiro+-----------------------------------+ 312364562Sgshapiro 312464562SgshapiroIf your host is known by several different names, you need to augment 312564562Sgshapiroclass {w}. This is a list of names by which your host is known, and 312664562Sgshapiroanything sent to an address using a host name in this list will be 312764562Sgshapirotreated as local mail. You can do this in two ways: either create the 312864562Sgshapirofile /etc/mail/local-host-names containing a list of your aliases (one per 312964562Sgshapiroline), and use ``FEATURE(`use_cw_file')'' in the .mc file, or add 313064562Sgshapiro``LOCAL_DOMAIN(`alias.host.name')''. Be sure you use the fully-qualified 313164562Sgshapironame of the host, rather than a short name. 313264562Sgshapiro 313364562SgshapiroIf you want to have different address in different domains, take 313464562Sgshapiroa look at the virtusertable feature, which is also explained at 313564562Sgshapirohttp://www.sendmail.org/virtual-hosting.html 313664562Sgshapiro 313764562Sgshapiro 313838032Speter+--------------------+ 313938032Speter| USING MAILERTABLES | 314038032Speter+--------------------+ 314138032Speter 314243730SpeterTo use FEATURE(`mailertable'), you will have to create an external 314338032Speterdatabase containing the routing information for various domains. 314438032SpeterFor example, a mailertable file in text format might be: 314538032Speter 314638032Speter .my.domain xnet:%1.my.domain 314764562Sgshapiro uuhost1.my.domain uucp-new:uuhost1 314838032Speter .bitnet smtp:relay.bit.net 314938032Speter 315064562SgshapiroThis should normally be stored in /etc/mail/mailertable. The actual 315138032Speterdatabase version of the mailertable is built using: 315238032Speter 315364562Sgshapiro makemap hash /etc/mail/mailertable < /etc/mail/mailertable 315438032Speter 315538032SpeterThe semantics are simple. Any LHS entry that does not begin with 315638032Spetera dot matches the full host name indicated. LHS entries beginning 315766494Sgshapirowith a dot match anything ending with that domain name (including 315866494Sgshapirothe leading dot) -- that is, they can be thought of as having a 315966494Sgshapiroleading ".+" regular expression pattern for a non-empty sequence of 316066494Sgshapirocharacters. Matching is done in order of most-to-least qualified 316166494Sgshapiro-- for example, even though ".my.domain" is listed first in the 316266494Sgshapiroabove example, an entry of "uuhost1.my.domain" will match the second 316366494Sgshapiroentry since it is more explicit. Note: e-mail to "user@my.domain" 316466494Sgshapirodoes not match any entry in the above table. You need to have 316566494Sgshapirosomething like: 316638032Speter 316764562Sgshapiro my.domain esmtp:host.my.domain 316864562Sgshapiro 316938032SpeterThe RHS should always be a "mailer:host" pair. The mailer is the 317090792Sgshapiroconfiguration name of a mailer (that is, an M line in the 317138032Spetersendmail.cf file). The "host" will be the hostname passed to 317238032Speterthat mailer. In domain-based matches (that is, those with leading 317338032Speterdots) the "%1" may be used to interpolate the wildcarded part of 317438032Speterthe host name. For example, the first line above sends everything 317538032Speteraddressed to "anything.my.domain" to that same host name, but using 317638032Speterthe (presumably experimental) xnet mailer. 317738032Speter 317838032SpeterIn some cases you may want to temporarily turn off MX records, 317938032Speterparticularly on gateways. For example, you may want to MX 318038032Spetereverything in a domain to one machine that then forwards it 318138032Speterdirectly. To do this, you might use the DNS configuration: 318238032Speter 318338032Speter *.domain. IN MX 0 relay.machine 318438032Speter 318538032Speterand on relay.machine use the mailertable: 318638032Speter 318738032Speter .domain smtp:[gateway.domain] 318838032Speter 318938032SpeterThe [square brackets] turn off MX records for this host only. 319038032SpeterIf you didn't do this, the mailertable would use the MX record 319138032Speteragain, which would give you an MX loop. 319238032Speter 319338032Speter 319438032Speter+--------------------------------+ 319538032Speter| USING USERDB TO MAP FULL NAMES | 319638032Speter+--------------------------------+ 319738032Speter 319838032SpeterThe user database was not originally intended for mapping full names 319938032Speterto login names (e.g., Eric.Allman => eric), but some people are using 320064562Sgshapiroit that way. (it is recommended that you set up aliases for this 320138032Speterpurpose instead -- since you can specify multiple alias files, this 320238032Speteris fairly easy.) The intent was to locate the default maildrop at 320338032Spetera site, but allow you to override this by sending to a specific host. 320438032Speter 320538032SpeterIf you decide to set up the user database in this fashion, it is 320643730Speterimperative that you not use FEATURE(`stickyhost') -- otherwise, 320738032Spetere-mail sent to Full.Name@local.host.name will be rejected. 320838032Speter 320938032SpeterTo build the internal form of the user database, use: 321038032Speter 321164562Sgshapiro makemap btree /etc/mail/userdb < /etc/mail/userdb.txt 321238032Speter 321364562SgshapiroAs a general rule, it is an extremely bad idea to using full names 321464562Sgshapiroas e-mail addresses, since they are not in any sense unique. For 321566494Sgshapiroexample, the UNIX software-development community has at least two 321664562Sgshapirowell-known Peter Deutsches, and at one time Bell Labs had two 321764562SgshapiroStephen R. Bournes with offices along the same hallway. Which one 321864562Sgshapirowill be forced to suffer the indignity of being Stephen_R_Bourne_2? 321964562SgshapiroThe less famous of the two, or the one that was hired later? 322038032Speter 322138032SpeterFinger should handle full names (and be fuzzy). Mail should use 322264562Sgshapirohandles, and not be fuzzy. 322338032Speter 322438032Speter 322538032Speter+--------------------------------+ 322638032Speter| MISCELLANEOUS SPECIAL FEATURES | 322738032Speter+--------------------------------+ 322838032Speter 322938032SpeterPlussed users 323038032Speter Sometimes it is convenient to merge configuration on a 323138032Speter centralized mail machine, for example, to forward all 323238032Speter root mail to a mail server. In this case it might be 323338032Speter useful to be able to treat the root addresses as a class 323438032Speter of addresses with subtle differences. You can do this 323538032Speter using plussed users. For example, a client might include 323638032Speter the alias: 323738032Speter 323838032Speter root: root+client1@server 323938032Speter 324038032Speter On the server, this will match an alias for "root+client1". 324138032Speter If that is not found, the alias "root+*" will be tried, 324238032Speter then "root". 324338032Speter 324438032Speter 324538032Speter+----------------+ 324638032Speter| SECURITY NOTES | 324738032Speter+----------------+ 324838032Speter 324938032SpeterA lot of sendmail security comes down to you. Sendmail 8 is much 325038032Spetermore careful about checking for security problems than previous 325138032Speterversions, but there are some things that you still need to watch 325238032Speterfor. In particular: 325338032Speter 325498121Sgshapiro* Make sure the aliases file is not writable except by trusted 325538032Speter system personnel. This includes both the text and database 325638032Speter version. 325738032Speter 325838032Speter* Make sure that other files that sendmail reads, such as the 325938032Speter mailertable, are only writable by trusted system personnel. 326038032Speter 326138032Speter* The queue directory should not be world writable PARTICULARLY 326238032Speter if your system allows "file giveaways" (that is, if a non-root 326338032Speter user can chown any file they own to any other user). 326438032Speter 326538032Speter* If your system allows file giveaways, DO NOT create a publically 326638032Speter writable directory for forward files. This will allow anyone 326738032Speter to steal anyone else's e-mail. Instead, create a script that 326838032Speter copies the .forward file from users' home directories once a 326938032Speter night (if you want the non-NFS-mounted forward directory). 327038032Speter 327138032Speter* If your system allows file giveaways, you'll find that 327238032Speter sendmail is much less trusting of :include: files -- in 327338032Speter particular, you'll have to have /SENDMAIL/ANY/SHELL/ in 327438032Speter /etc/shells before they will be trusted (that is, before 327538032Speter files and programs listed in them will be honored). 327638032Speter 327738032SpeterIn general, file giveaways are a mistake -- if you can turn them 327864562Sgshapirooff, do so. 327938032Speter 328038032Speter 328138032Speter+--------------------------------+ 328238032Speter| TWEAKING CONFIGURATION OPTIONS | 328338032Speter+--------------------------------+ 328438032Speter 328538032SpeterThere are a large number of configuration options that don't normally 328638032Speterneed to be changed. However, if you feel you need to tweak them, you 328738032Spetercan define the following M4 variables. This list is shown in four 328838032Spetercolumns: the name you define, the default value for that definition, 328938032Speterthe option or macro that is affected (either Ox for an option or Dx 329038032Speterfor a macro), and a brief description. Greater detail of the semantics 329138032Spetercan be found in the Installation and Operations Guide. 329238032Speter 329338032SpeterSome options are likely to be deprecated in future versions -- that is, 329438032Speterthe option is only included to provide back-compatibility. These are 329538032Spetermarked with "*". 329638032Speter 329738032SpeterRemember that these options are M4 variables, and hence may need to 329838032Speterbe quoted. In particular, arguments with commas will usually have to 329938032Speterbe ``double quoted, like this phrase'' to avoid having the comma 330038032Speterconfuse things. This is common for alias file definitions and for 330138032Speterthe read timeout. 330238032Speter 330338032SpeterM4 Variable Name Configuration Description & [Default] 330438032Speter================ ============= ======================= 330538032SpeterconfMAILER_NAME $n macro [MAILER-DAEMON] The sender name used 330638032Speter for internally generated outgoing 330738032Speter messages. 330838032SpeterconfDOMAIN_NAME $j macro If defined, sets $j. This should 330938032Speter only be done if your system cannot 331038032Speter determine your local domain name, 331138032Speter and then it should be set to 331238032Speter $w.Foo.COM, where Foo.COM is your 331338032Speter domain name. 331438032SpeterconfCF_VERSION $Z macro If defined, this is appended to the 331538032Speter configuration version name. 331690792SgshapiroconfLDAP_CLUSTER ${sendmailMTACluster} macro 331790792Sgshapiro If defined, this is the LDAP 331890792Sgshapiro cluster to use for LDAP searches 331990792Sgshapiro as described above in ``USING LDAP 332090792Sgshapiro FOR ALIASES, MAPS, AND CLASSES''. 332164562SgshapiroconfFROM_HEADER From: [$?x$x <$g>$|$g$.] The format of an 332238032Speter internally generated From: address. 332338032SpeterconfRECEIVED_HEADER Received: 332438032Speter [$?sfrom $s $.$?_($?s$|from $.$_) 332564562Sgshapiro $.$?{auth_type}(authenticated) 332638032Speter $.by $j ($v/$Z)$?r with $r$. id $i$?u 332738032Speter for $u; $|; 332838032Speter $.$b] 332938032Speter The format of the Received: header 333038032Speter in messages passed through this host. 333138032Speter It is unwise to try to change this. 333264562SgshapiroconfCW_FILE Fw class [/etc/mail/local-host-names] Name 333364562Sgshapiro of file used to get the local 333464562Sgshapiro additions to class {w} (local host 333564562Sgshapiro names). 333664562SgshapiroconfCT_FILE Ft class [/etc/mail/trusted-users] Name of 333764562Sgshapiro file used to get the local additions 333864562Sgshapiro to class {t} (trusted users). 333938032SpeterconfCR_FILE FR class [/etc/mail/relay-domains] Name of 334038032Speter file used to get the local additions 334164562Sgshapiro to class {R} (hosts allowed to relay). 334238032SpeterconfTRUSTED_USERS Ct class [no default] Names of users to add to 334338032Speter the list of trusted users. This list 334438032Speter always includes root, uucp, and daemon. 334543730Speter See also FEATURE(`use_ct_file'). 334664562SgshapiroconfTRUSTED_USER TrustedUser [no default] Trusted user for file 334764562Sgshapiro ownership and starting the daemon. 334864562Sgshapiro Not to be confused with 334964562Sgshapiro confTRUSTED_USERS (see above). 335038032SpeterconfSMTP_MAILER - [esmtp] The mailer name used when 335138032Speter SMTP connectivity is required. 335264562Sgshapiro One of "smtp", "smtp8", 335364562Sgshapiro "esmtp", or "dsmtp". 335438032SpeterconfUUCP_MAILER - [uucp-old] The mailer to be used by 335538032Speter default for bang-format recipient 335638032Speter addresses. See also discussion of 335764562Sgshapiro class {U}, class {Y}, and class {Z} 335864562Sgshapiro in the MAILER(`uucp') section. 335938032SpeterconfLOCAL_MAILER - [local] The mailer name used when 336038032Speter local connectivity is required. 336138032Speter Almost always "local". 336238032SpeterconfRELAY_MAILER - [relay] The default mailer name used 336338032Speter for relaying any mail (e.g., to a 336438032Speter BITNET_RELAY, a SMART_HOST, or 336538032Speter whatever). This can reasonably be 336638032Speter "uucp-new" if you are on a 336738032Speter UUCP-connected site. 336838032SpeterconfSEVEN_BIT_INPUT SevenBitInput [False] Force input to seven bits? 336938032SpeterconfEIGHT_BIT_HANDLING EightBitMode [pass8] 8-bit data handling 337038032SpeterconfALIAS_WAIT AliasWait [10m] Time to wait for alias file 337138032Speter rebuild until you get bored and 337238032Speter decide that the apparently pending 337338032Speter rebuild failed. 337438032SpeterconfMIN_FREE_BLOCKS MinFreeBlocks [100] Minimum number of free blocks on 337538032Speter queue filesystem to accept SMTP mail. 337638032Speter (Prior to 8.7 this was minfree/maxsize, 337738032Speter where minfree was the number of free 337838032Speter blocks and maxsize was the maximum 337938032Speter message size. Use confMAX_MESSAGE_SIZE 338038032Speter for the second value now.) 338138032SpeterconfMAX_MESSAGE_SIZE MaxMessageSize [infinite] The maximum size of messages 338238032Speter that will be accepted (in bytes). 338338032SpeterconfBLANK_SUB BlankSub [.] Blank (space) substitution 338438032Speter character. 338538032SpeterconfCON_EXPENSIVE HoldExpensive [False] Avoid connecting immediately 338664562Sgshapiro to mailers marked expensive. 338738032SpeterconfCHECKPOINT_INTERVAL CheckpointInterval 338838032Speter [10] Checkpoint queue files every N 338938032Speter recipients. 339038032SpeterconfDELIVERY_MODE DeliveryMode [background] Default delivery mode. 339138032SpeterconfERROR_MODE ErrorMode [print] Error message mode. 339238032SpeterconfERROR_MESSAGE ErrorHeader [undefined] Error message header/file. 339342575SpeterconfSAVE_FROM_LINES SaveFromLine Save extra leading From_ lines. 339438032SpeterconfTEMP_FILE_MODE TempFileMode [0600] Temporary file mode. 339538032SpeterconfMATCH_GECOS MatchGECOS [False] Match GECOS field. 339638032SpeterconfMAX_HOP MaxHopCount [25] Maximum hop count. 339764562SgshapiroconfIGNORE_DOTS* IgnoreDots [False; always False in -bs or -bd 339864562Sgshapiro mode] Ignore dot as terminator for 339964562Sgshapiro incoming messages? 340038032SpeterconfBIND_OPTS ResolverOptions [undefined] Default options for DNS 340138032Speter resolver. 340238032SpeterconfMIME_FORMAT_ERRORS* SendMimeErrors [True] Send error messages as MIME- 340338032Speter encapsulated messages per RFC 1344. 340438032SpeterconfFORWARD_PATH ForwardPath [$z/.forward.$w:$z/.forward] 340538032Speter The colon-separated list of places to 340638032Speter search for .forward files. N.B.: see 340738032Speter the Security Notes section. 340838032SpeterconfMCI_CACHE_SIZE ConnectionCacheSize 340938032Speter [2] Size of open connection cache. 341038032SpeterconfMCI_CACHE_TIMEOUT ConnectionCacheTimeout 341138032Speter [5m] Open connection cache timeout. 341238032SpeterconfHOST_STATUS_DIRECTORY HostStatusDirectory 341338032Speter [undefined] If set, host status is kept 341438032Speter on disk between sendmail runs in the 341538032Speter named directory tree. This need not be 341638032Speter a full pathname, in which case it is 341738032Speter interpreted relative to the queue 341838032Speter directory. 341938032SpeterconfSINGLE_THREAD_DELIVERY SingleThreadDelivery 342038032Speter [False] If this option and the 342138032Speter HostStatusDirectory option are both 342238032Speter set, single thread deliveries to other 342338032Speter hosts. That is, don't allow any two 342438032Speter sendmails on this host to connect 342538032Speter simultaneously to any other single 342638032Speter host. This can slow down delivery in 342738032Speter some cases, in particular since a 342838032Speter cached but otherwise idle connection 342938032Speter to a host will prevent other sendmails 343038032Speter from connecting to the other host. 343164562SgshapiroconfUSE_ERRORS_TO* UseErrorsTo [False] Use the Errors-To: header to 343238032Speter deliver error messages. This should 343338032Speter not be necessary because of general 343438032Speter acceptance of the envelope/header 343538032Speter distinction. 343638032SpeterconfLOG_LEVEL LogLevel [9] Log level. 343764562SgshapiroconfME_TOO MeToo [True] Include sender in group 343864562Sgshapiro expansions. This option is 343964562Sgshapiro deprecated and will be removed from 344064562Sgshapiro a future version. 344138032SpeterconfCHECK_ALIASES CheckAliases [False] Check RHS of aliases when 344238032Speter running newaliases. Since this does 344338032Speter DNS lookups on every address, it can 344438032Speter slow down the alias rebuild process 344538032Speter considerably on large alias files. 344638032SpeterconfOLD_STYLE_HEADERS* OldStyleHeaders [True] Assume that headers without 344738032Speter special chars are old style. 344838032SpeterconfPRIVACY_FLAGS PrivacyOptions [authwarnings] Privacy flags. 344938032SpeterconfCOPY_ERRORS_TO PostmasterCopy [undefined] Address for additional 345038032Speter copies of all error messages. 345138032SpeterconfQUEUE_FACTOR QueueFactor [600000] Slope of queue-only function. 345290792SgshapiroconfQUEUE_FILE_MODE QueueFileMode [undefined] Default permissions for 345390792Sgshapiro queue files (octal). If not set, 345490792Sgshapiro sendmail uses 0600 unless its real 345590792Sgshapiro and effective uid are different in 345690792Sgshapiro which case it uses 0644. 345738032SpeterconfDONT_PRUNE_ROUTES DontPruneRoutes [False] Don't prune down route-addr 345838032Speter syntax addresses to the minimum 345938032Speter possible. 346038032SpeterconfSAFE_QUEUE* SuperSafe [True] Commit all messages to disk 346138032Speter before forking. 346238032SpeterconfTO_INITIAL Timeout.initial [5m] The timeout waiting for a response 346338032Speter on the initial connect. 346438032SpeterconfTO_CONNECT Timeout.connect [0] The timeout waiting for an initial 346538032Speter connect() to complete. This can only 346638032Speter shorten connection timeouts; the kernel 346738032Speter silently enforces an absolute maximum 346838032Speter (which varies depending on the system). 346938032SpeterconfTO_ICONNECT Timeout.iconnect 347038032Speter [undefined] Like Timeout.connect, but 347138032Speter applies only to the very first attempt 347238032Speter to connect to a host in a message. 347338032Speter This allows a single very fast pass 347438032Speter followed by more careful delivery 347538032Speter attempts in the future. 347690792SgshapiroconfTO_ACONNECT Timeout.aconnect 347790792Sgshapiro [0] The overall timeout waiting for 347890792Sgshapiro all connection for a single delivery 347990792Sgshapiro attempt to succeed. If 0, no overall 348090792Sgshapiro limit is applied. 348138032SpeterconfTO_HELO Timeout.helo [5m] The timeout waiting for a response 348238032Speter to a HELO or EHLO command. 348338032SpeterconfTO_MAIL Timeout.mail [10m] The timeout waiting for a 348438032Speter response to the MAIL command. 348538032SpeterconfTO_RCPT Timeout.rcpt [1h] The timeout waiting for a response 348638032Speter to the RCPT command. 348738032SpeterconfTO_DATAINIT Timeout.datainit 348838032Speter [5m] The timeout waiting for a 354 348938032Speter response from the DATA command. 349038032SpeterconfTO_DATABLOCK Timeout.datablock 349138032Speter [1h] The timeout waiting for a block 349238032Speter during DATA phase. 349338032SpeterconfTO_DATAFINAL Timeout.datafinal 349438032Speter [1h] The timeout waiting for a response 349538032Speter to the final "." that terminates a 349638032Speter message. 349738032SpeterconfTO_RSET Timeout.rset [5m] The timeout waiting for a response 349838032Speter to the RSET command. 349938032SpeterconfTO_QUIT Timeout.quit [2m] The timeout waiting for a response 350038032Speter to the QUIT command. 350138032SpeterconfTO_MISC Timeout.misc [2m] The timeout waiting for a response 350238032Speter to other SMTP commands. 350364562SgshapiroconfTO_COMMAND Timeout.command [1h] In server SMTP, the timeout 350464562Sgshapiro waiting for a command to be issued. 350564562SgshapiroconfTO_IDENT Timeout.ident [5s] The timeout waiting for a 350664562Sgshapiro response to an IDENT query. 350738032SpeterconfTO_FILEOPEN Timeout.fileopen 350838032Speter [60s] The timeout waiting for a file 350938032Speter (e.g., :include: file) to be opened. 351090792SgshapiroconfTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response 351190792Sgshapiro to an LMTP LHLO command. 351290792SgshapiroconfTO_AUTH Timeout.auth [10m] The timeout waiting for a 351390792Sgshapiro response in an AUTH dialogue. 351490792SgshapiroconfTO_STARTTLS Timeout.starttls 351590792Sgshapiro [1h] The timeout waiting for a 351690792Sgshapiro response to an SMTP STARTTLS command. 351764562SgshapiroconfTO_CONTROL Timeout.control 351864562Sgshapiro [2m] The timeout for a complete 351964562Sgshapiro control socket transaction to complete. 352038032SpeterconfTO_QUEUERETURN Timeout.queuereturn 352138032Speter [5d] The timeout before a message is 352238032Speter returned as undeliverable. 352338032SpeterconfTO_QUEUERETURN_NORMAL 352438032Speter Timeout.queuereturn.normal 352538032Speter [undefined] As above, for normal 352638032Speter priority messages. 352738032SpeterconfTO_QUEUERETURN_URGENT 352838032Speter Timeout.queuereturn.urgent 352938032Speter [undefined] As above, for urgent 353038032Speter priority messages. 353138032SpeterconfTO_QUEUERETURN_NONURGENT 353238032Speter Timeout.queuereturn.non-urgent 353338032Speter [undefined] As above, for non-urgent 353438032Speter (low) priority messages. 353538032SpeterconfTO_QUEUEWARN Timeout.queuewarn 353638032Speter [4h] The timeout before a warning 353738032Speter message is sent to the sender telling 353864562Sgshapiro them that the message has been 353964562Sgshapiro deferred. 354038032SpeterconfTO_QUEUEWARN_NORMAL Timeout.queuewarn.normal 354138032Speter [undefined] As above, for normal 354238032Speter priority messages. 354338032SpeterconfTO_QUEUEWARN_URGENT Timeout.queuewarn.urgent 354438032Speter [undefined] As above, for urgent 354538032Speter priority messages. 354638032SpeterconfTO_QUEUEWARN_NONURGENT 354738032Speter Timeout.queuewarn.non-urgent 354838032Speter [undefined] As above, for non-urgent 354938032Speter (low) priority messages. 355038032SpeterconfTO_HOSTSTATUS Timeout.hoststatus 355138032Speter [30m] How long information about host 355238032Speter statuses will be maintained before it 355338032Speter is considered stale and the host should 355438032Speter be retried. This applies both within 355538032Speter a single queue run and to persistent 355638032Speter information (see below). 355764562SgshapiroconfTO_RESOLVER_RETRANS Timeout.resolver.retrans 355864562Sgshapiro [varies] Sets the resolver's 355998121Sgshapiro retransmission time interval (in 356064562Sgshapiro seconds). Sets both 356164562Sgshapiro Timeout.resolver.retrans.first and 356264562Sgshapiro Timeout.resolver.retrans.normal. 356364562SgshapiroconfTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first 356464562Sgshapiro [varies] Sets the resolver's 356598121Sgshapiro retransmission time interval (in 356664562Sgshapiro seconds) for the first attempt to 356764562Sgshapiro deliver a message. 356864562SgshapiroconfTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal 356964562Sgshapiro [varies] Sets the resolver's 357098121Sgshapiro retransmission time interval (in 357164562Sgshapiro seconds) for all resolver lookups 357264562Sgshapiro except the first delivery attempt. 357364562SgshapiroconfTO_RESOLVER_RETRY Timeout.resolver.retry 357464562Sgshapiro [varies] Sets the number of times 357564562Sgshapiro to retransmit a resolver query. 357664562Sgshapiro Sets both 357764562Sgshapiro Timeout.resolver.retry.first and 357864562Sgshapiro Timeout.resolver.retry.normal. 357964562SgshapiroconfTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first 358064562Sgshapiro [varies] Sets the number of times 358164562Sgshapiro to retransmit a resolver query for 358264562Sgshapiro the first attempt to deliver a 358364562Sgshapiro message. 358464562SgshapiroconfTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal 358564562Sgshapiro [varies] Sets the number of times 358664562Sgshapiro to retransmit a resolver query for 358764562Sgshapiro all resolver lookups except the 358864562Sgshapiro first delivery attempt. 358938032SpeterconfTIME_ZONE TimeZoneSpec [USE_SYSTEM] Time zone info -- can be 359038032Speter USE_SYSTEM to use the system's idea, 359138032Speter USE_TZ to use the user's TZ envariable, 359238032Speter or something else to force that value. 359338032SpeterconfDEF_USER_ID DefaultUser [1:1] Default user id. 359438032SpeterconfUSERDB_SPEC UserDatabaseSpec 359564562Sgshapiro [undefined] User database 359664562Sgshapiro specification. 359738032SpeterconfFALLBACK_MX FallbackMXhost [undefined] Fallback MX host. 359864562SgshapiroconfTRY_NULL_MX_LIST TryNullMXList [False] If this host is the best MX 359964562Sgshapiro for a host and other arrangements 360064562Sgshapiro haven't been made, try connecting 360164562Sgshapiro to the host directly; normally this 360264562Sgshapiro would be a config error. 360364562SgshapiroconfQUEUE_LA QueueLA [varies] Load average at which 360464562Sgshapiro queue-only function kicks in. 360564562Sgshapiro Default values is (8 * numproc) 360664562Sgshapiro where numproc is the number of 360764562Sgshapiro processors online (if that can be 360864562Sgshapiro determined). 360964562SgshapiroconfREFUSE_LA RefuseLA [varies] Load average at which 361064562Sgshapiro incoming SMTP connections are 361164562Sgshapiro refused. Default values is (12 * 361264562Sgshapiro numproc) where numproc is the 361364562Sgshapiro number of processors online (if 361464562Sgshapiro that can be determined). 361590792SgshapiroconfDELAY_LA DelayLA [0] Load average at which sendmail 361690792Sgshapiro will sleep for one second on most 361790792Sgshapiro SMTP commands and before accepting 361890792Sgshapiro connections. 0 means no limit. 361964562SgshapiroconfMAX_ALIAS_RECURSION MaxAliasRecursion 362064562Sgshapiro [10] Maximum depth of alias recursion. 362138032SpeterconfMAX_DAEMON_CHILDREN MaxDaemonChildren 362238032Speter [undefined] The maximum number of 362338032Speter children the daemon will permit. After 362438032Speter this number, connections will be 362538032Speter rejected. If not set or <= 0, there is 362638032Speter no limit. 362764562SgshapiroconfMAX_HEADERS_LENGTH MaxHeadersLength 362871345Sgshapiro [32768] Maximum length of the sum 362964562Sgshapiro of all headers. 363064562SgshapiroconfMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength 363164562Sgshapiro [undefined] Maximum length of 363264562Sgshapiro certain MIME header field values. 363338032SpeterconfCONNECTION_RATE_THROTTLE ConnectionRateThrottle 363438032Speter [undefined] The maximum number of 363590792Sgshapiro connections permitted per second per 363690792Sgshapiro daemon. After this many connections 363790792Sgshapiro are accepted, further connections 363890792Sgshapiro will be delayed. If not set or <= 0, 363990792Sgshapiro there is no limit. 364038032SpeterconfWORK_RECIPIENT_FACTOR 364138032Speter RecipientFactor [30000] Cost of each recipient. 364264562SgshapiroconfSEPARATE_PROC ForkEachJob [False] Run all deliveries in a 364364562Sgshapiro separate process. 364438032SpeterconfWORK_CLASS_FACTOR ClassFactor [1800] Priority multiplier for class. 364538032SpeterconfWORK_TIME_FACTOR RetryFactor [90000] Cost of each delivery attempt. 364638032SpeterconfQUEUE_SORT_ORDER QueueSortOrder [Priority] Queue sort algorithm: 364790792Sgshapiro Priority, Host, Filename, Random, 364890792Sgshapiro Modification, or Time. 364938032SpeterconfMIN_QUEUE_AGE MinQueueAge [0] The minimum amount of time a job 365038032Speter must sit in the queue between queue 365138032Speter runs. This allows you to set the 365238032Speter queue run interval low for better 365338032Speter responsiveness without trying all 365438032Speter jobs in each run. 365538032SpeterconfDEF_CHAR_SET DefaultCharSet [unknown-8bit] When converting 365638032Speter unlabeled 8 bit input to MIME, the 365738032Speter character set to use by default. 365838032SpeterconfSERVICE_SWITCH_FILE ServiceSwitchFile 365964562Sgshapiro [/etc/mail/service.switch] The file 366064562Sgshapiro to use for the service switch on 366164562Sgshapiro systems that do not have a 366264562Sgshapiro system-defined switch. 366338032SpeterconfHOSTS_FILE HostsFile [/etc/hosts] The file to use when doing 366438032Speter "file" type access of hosts names. 366538032SpeterconfDIAL_DELAY DialDelay [0s] If a connection fails, wait this 366638032Speter long and try again. Zero means "don't 366738032Speter retry". This is to allow "dial on 366838032Speter demand" connections to have enough time 366938032Speter to complete a connection. 367038032SpeterconfNO_RCPT_ACTION NoRecipientAction 367138032Speter [none] What to do if there are no legal 367238032Speter recipient fields (To:, Cc: or Bcc:) 367338032Speter in the message. Legal values can 367438032Speter be "none" to just leave the 367538032Speter nonconforming message as is, "add-to" 367638032Speter to add a To: header with all the 367738032Speter known recipients (which may expose 367838032Speter blind recipients), "add-apparently-to" 367938032Speter to do the same but use Apparently-To: 368090792Sgshapiro instead of To: (strongly discouraged 368190792Sgshapiro in accordance with IETF standards), 368290792Sgshapiro "add-bcc" to add an empty Bcc: 368390792Sgshapiro header, or "add-to-undisclosed" to 368490792Sgshapiro add the header 368538032Speter ``To: undisclosed-recipients:;''. 368638032SpeterconfSAFE_FILE_ENV SafeFileEnvironment 368738032Speter [undefined] If set, sendmail will do a 368838032Speter chroot() into this directory before 368938032Speter writing files. 369038032SpeterconfCOLON_OK_IN_ADDR ColonOkInAddr [True unless Configuration Level > 6] 369138032Speter If set, colons are treated as a regular 369238032Speter character in addresses. If not set, 369338032Speter they are treated as the introducer to 369438032Speter the RFC 822 "group" syntax. Colons are 369538032Speter handled properly in route-addrs. This 369638032Speter option defaults on for V5 and lower 369738032Speter configuration files. 369838032SpeterconfMAX_QUEUE_RUN_SIZE MaxQueueRunSize [0] If set, limit the maximum size of 369938032Speter any given queue run to this number of 370038032Speter entries. Essentially, this will stop 370164562Sgshapiro reading each queue directory after this 370238032Speter number of entries are reached; it does 370338032Speter _not_ pick the highest priority jobs, 370438032Speter so this should be as large as your 370538032Speter system can tolerate. If not set, there 370638032Speter is no limit. 370790792SgshapiroconfMAX_QUEUE_CHILDREN MaxQueueChildren 370890792Sgshapiro [undefined] Limits the maximum number 370990792Sgshapiro of concurrent queue runners active. 371090792Sgshapiro This is to keep system resources used 371190792Sgshapiro within a reasonable limit. Relates to 371290792Sgshapiro Queue Groups and ForkAllJobs. 371390792SgshapiroconfMAX_RUNNERS_PER_QUEUE MaxRunnersPerQueue 371490792Sgshapiro [1] Only active when MaxQueueChildren 371590792Sgshapiro defined. Controls the maximum number 371690792Sgshapiro of queue runners (aka queue children) 371790792Sgshapiro active at the same time in a work 371890792Sgshapiro group. See also MaxQueueChildren. 371938032SpeterconfDONT_EXPAND_CNAMES DontExpandCnames 372038032Speter [False] If set, $[ ... $] lookups that 372138032Speter do DNS based lookups do not expand 372238032Speter CNAME records. This currently violates 372338032Speter the published standards, but the IETF 372438032Speter seems to be moving toward legalizing 372538032Speter this. For example, if "FTP.Foo.ORG" 372638032Speter is a CNAME for "Cruft.Foo.ORG", then 372738032Speter with this option set a lookup of 372838032Speter "FTP" will return "FTP.Foo.ORG"; if 372938032Speter clear it returns "Cruft.FOO.ORG". N.B. 373038032Speter you may not see any effect until your 373138032Speter downstream neighbors stop doing CNAME 373238032Speter lookups as well. 373364562SgshapiroconfFROM_LINE UnixFromLine [From $g $d] The From_ line used 373438032Speter when sending to files or programs. 373538032SpeterconfSINGLE_LINE_FROM_HEADER SingleLineFromHeader 373638032Speter [False] From: lines that have 373738032Speter embedded newlines are unwrapped 373838032Speter onto one line. 373938032SpeterconfALLOW_BOGUS_HELO AllowBogusHELO [False] Allow HELO SMTP command that 374038032Speter does not include a host name. 374138032SpeterconfMUST_QUOTE_CHARS MustQuoteChars [.'] Characters to be quoted in a full 374238032Speter name phrase (@,;:\()[] are automatic). 374338032SpeterconfOPERATORS OperatorChars [.:%@!^/[]+] Address operator 374438032Speter characters. 374538032SpeterconfSMTP_LOGIN_MSG SmtpGreetingMessage 374638032Speter [$j Sendmail $v/$Z; $b] 374738032Speter The initial (spontaneous) SMTP 374838032Speter greeting message. The word "ESMTP" 374938032Speter will be inserted between the first and 375038032Speter second words to convince other 375138032Speter sendmails to try to speak ESMTP. 375238032SpeterconfDONT_INIT_GROUPS DontInitGroups [False] If set, the initgroups(3) 375338032Speter routine will never be invoked. You 375438032Speter might want to do this if you are 375538032Speter running NIS and you have a large group 375638032Speter map, since this call does a sequential 375738032Speter scan of the map; in a large site this 375838032Speter can cause your ypserv to run 375938032Speter essentially full time. If you set 376038032Speter this, agents run on behalf of users 376138032Speter will only have their primary 376238032Speter (/etc/passwd) group permissions. 376338032SpeterconfUNSAFE_GROUP_WRITES UnsafeGroupWrites 376438032Speter [False] If set, group-writable 376538032Speter :include: and .forward files are 376638032Speter considered "unsafe", that is, programs 376738032Speter and files cannot be directly referenced 376838032Speter from such files. World-writable files 376938032Speter are always considered unsafe. 377064562SgshapiroconfCONNECT_ONLY_TO ConnectOnlyTo [undefined] override connection 377164562Sgshapiro address (for testing). 377264562SgshapiroconfCONTROL_SOCKET_NAME ControlSocketName 377364562Sgshapiro [undefined] Control socket for daemon 377464562Sgshapiro management. 377538032SpeterconfDOUBLE_BOUNCE_ADDRESS DoubleBounceAddress 377638032Speter [postmaster] If an error occurs when 377738032Speter sending an error message, send that 377838032Speter "double bounce" error message to this 377990792Sgshapiro address. If it expands to an empty 378090792Sgshapiro string, double bounces are dropped. 378164562SgshapiroconfDEAD_LETTER_DROP DeadLetterDrop [undefined] Filename to save bounce 378264562Sgshapiro messages which could not be returned 378364562Sgshapiro to the user or sent to postmaster. 378464562Sgshapiro If not set, the queue file will 378564562Sgshapiro be renamed. 378664562SgshapiroconfRRT_IMPLIES_DSN RrtImpliesDsn [False] Return-Receipt-To: header 378764562Sgshapiro implies DSN request. 378838032SpeterconfRUN_AS_USER RunAsUser [undefined] If set, become this user 378938032Speter when reading and delivering mail. 379038032Speter Causes all file reads (e.g., .forward 379138032Speter and :include: files) to be done as 379238032Speter this user. Also, all programs will 379338032Speter be run as this user, and all output 379438032Speter files will be written as this user. 379538032Speter Intended for use only on firewalls 379638032Speter where users do not have accounts. 379738032SpeterconfMAX_RCPTS_PER_MESSAGE MaxRecipientsPerMessage 379838032Speter [infinite] If set, allow no more than 379938032Speter the specified number of recipients in 380038032Speter an SMTP envelope. Further recipients 380138032Speter receive a 452 error code (i.e., they 380238032Speter are deferred for the next delivery 380338032Speter attempt). 380490792SgshapiroconfBAD_RCPT_THROTTLE BadRcptThrottle [infinite] If set and more than the 380590792Sgshapiro specified number of recipients in an 380690792Sgshapiro envelope are rejected, sleep for one 380790792Sgshapiro second after each rejected RCPT 380890792Sgshapiro command. 380938032SpeterconfDONT_PROBE_INTERFACES DontProbeInterfaces 381038032Speter [False] If set, sendmail will _not_ 381138032Speter insert the names and addresses of any 381264562Sgshapiro local interfaces into class {w} 381338032Speter (list of known "equivalent" addresses). 381438032Speter If you set this, you must also include 381538032Speter some support for these addresses (e.g., 381638032Speter in a mailertable entry) -- otherwise, 381738032Speter mail to addresses in this list will 381838032Speter bounce with a configuration error. 381990792Sgshapiro If set to "loopback" (without 382090792Sgshapiro quotes), sendmail will skip 382190792Sgshapiro loopback interfaces (e.g., "lo0"). 382264562SgshapiroconfPID_FILE PidFile [system dependent] Location of pid 382364562Sgshapiro file. 382464562SgshapiroconfPROCESS_TITLE_PREFIX ProcessTitlePrefix 382564562Sgshapiro [undefined] Prefix string for the 382664562Sgshapiro process title shown on 'ps' listings. 382738032SpeterconfDONT_BLAME_SENDMAIL DontBlameSendmail 382838032Speter [safe] Override sendmail's file 382938032Speter safety checks. This will definitely 383038032Speter compromise system security and should 383138032Speter not be used unless absolutely 383238032Speter necessary. 383338032SpeterconfREJECT_MSG - [550 Access denied] The message 383438032Speter given if the access database contains 383538032Speter REJECT in the value portion. 383690792SgshapiroconfRELAY_MSG - [550 Relaying denied] The message 383790792Sgshapiro given if an unauthorized relaying 383890792Sgshapiro attempt is rejected. 383964562SgshapiroconfDF_BUFFER_SIZE DataFileBufferSize 384064562Sgshapiro [4096] The maximum size of a 384164562Sgshapiro memory-buffered data (df) file 384264562Sgshapiro before a disk-based file is used. 384364562SgshapiroconfXF_BUFFER_SIZE XScriptFileBufferSize 384464562Sgshapiro [4096] The maximum size of a 384564562Sgshapiro memory-buffered transcript (xf) 384664562Sgshapiro file before a disk-based file is 384764562Sgshapiro used. 384864562SgshapiroconfAUTH_MECHANISMS AuthMechanisms [GSSAPI KERBEROS_V4 DIGEST-MD5 384964562Sgshapiro CRAM-MD5] List of authentication 385064562Sgshapiro mechanisms for AUTH (separated by 385164562Sgshapiro spaces). The advertised list of 385264562Sgshapiro authentication mechanisms will be the 385364562Sgshapiro intersection of this list and the list 385464562Sgshapiro of available mechanisms as determined 385564562Sgshapiro by the CYRUS SASL library. 385673188SgshapiroconfDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains 385764562Sgshapiro authentication information for 385890792Sgshapiro outgoing connections. This file must 385990792Sgshapiro contain the user id, the authorization 386090792Sgshapiro id, the password (plain text), the 386190792Sgshapiro realm to use, and the list of 386290792Sgshapiro mechanisms to try, each on a separate 386390792Sgshapiro line and must be readable by root (or 386490792Sgshapiro the trusted user) only. If no realm 386590792Sgshapiro is specified, $j is used. If no 386690792Sgshapiro mechanisms are given in the file, 386790792Sgshapiro AuthMechanisms is used. Notice: this 386890792Sgshapiro option is deprecated and will be 386990792Sgshapiro removed in future versions; it doesn't 387090792Sgshapiro work for the MSP since it can't read 387190792Sgshapiro the file. Use the authinfo ruleset 387290792Sgshapiro instead. See also the section SMTP 387390792Sgshapiro AUTHENTICATION. 387490792SgshapiroconfAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' 387564562Sgshapiro then the AUTH= parameter for the 387664562Sgshapiro MAIL FROM command is only issued 387764562Sgshapiro when authentication succeeded. 387890792Sgshapiro Other values (which should be listed 387990792Sgshapiro one after the other without any 388090792Sgshapiro intervening characters except for 388190792Sgshapiro space or comma) are a, c, d, f, p, 388290792Sgshapiro and y. See doc/op/op.me for 388390792Sgshapiro details. 388490792SgshapiroconfAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption 388590792Sgshapiro strength for the security layer in 388690792Sgshapiro SMTP AUTH (SASL). Default is 388790792Sgshapiro essentially unlimited. 388890792SgshapiroconfTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client 388990792Sgshapiro verification is performed, i.e., 389090792Sgshapiro the server doesn't ask for a 389190792Sgshapiro certificate. 389264562SgshapiroconfLDAP_DEFAULT_SPEC LDAPDefaultSpec [undefined] Default map 389364562Sgshapiro specification for LDAP maps. The 389464562Sgshapiro value should only contain LDAP 389564562Sgshapiro specific settings such as "-h host 389664562Sgshapiro -p port -d bindDN", etc. The 389764562Sgshapiro settings will be used for all LDAP 389864562Sgshapiro maps unless they are specified in 389964562Sgshapiro the individual map specification 390064562Sgshapiro ('K' command). 390164562SgshapiroconfCACERT_PATH CACERTPath [undefined] Path to directory 390264562Sgshapiro with certs of CAs. 390364562SgshapiroconfCACERT CACERTFile [undefined] File containing one CA 390464562Sgshapiro cert. 390564562SgshapiroconfSERVER_CERT ServerCertFile [undefined] File containing the 390664562Sgshapiro cert of the server, i.e., this cert 390764562Sgshapiro is used when sendmail acts as 390864562Sgshapiro server. 390964562SgshapiroconfSERVER_KEY ServerKeyFile [undefined] File containing the 391064562Sgshapiro private key belonging to the server 391164562Sgshapiro cert. 391264562SgshapiroconfCLIENT_CERT ClientCertFile [undefined] File containing the 391364562Sgshapiro cert of the client, i.e., this cert 391464562Sgshapiro is used when sendmail acts as 391564562Sgshapiro client. 391664562SgshapiroconfCLIENT_KEY ClientKeyFile [undefined] File containing the 391764562Sgshapiro private key belonging to the client 391864562Sgshapiro cert. 391964562SgshapiroconfDH_PARAMETERS DHParameters [undefined] File containing the 392064562Sgshapiro DH parameters. 392164562SgshapiroconfRAND_FILE RandFile [undefined] File containing random 392266494Sgshapiro data (use prefix file:) or the 392366494Sgshapiro name of the UNIX socket if EGD is 392466494Sgshapiro used (use prefix egd:). STARTTLS 392566494Sgshapiro requires this option if the compile 392666494Sgshapiro flag HASURANDOM is not set (see 392764562Sgshapiro sendmail/README). 392890792SgshapiroconfNICE_QUEUE_RUN NiceQueueRun [undefined] If set, the priority of 392990792Sgshapiro queue runners is set the given value 393090792Sgshapiro (nice(3)). 393190792SgshapiroconfDIRECT_SUBMISSION_MODIFIERS DirectSubmissionModifiers 393290792Sgshapiro [undefined] Defines {daemon_flags} 393390792Sgshapiro for direct submissions. 393490792SgshapiroconfUSE_MSP UseMSP [false] Use as mail submission 393590792Sgshapiro program, see sendmail/SECURITY. 393690792SgshapiroconfDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By 393790792Sgshapiro SMTP Service Extension (RFC 2852). 393890792SgshapiroconfSHARED_MEMORY_KEY SharedMemoryKey [0] Key for shared memory. 393990792SgshapiroconfFAST_SPLIT FastSplit [1] If set to a value greater than 394090792Sgshapiro zero, the initial MX lookups on 394190792Sgshapiro addresses is suppressed when they 394290792Sgshapiro are sorted which may result in 394390792Sgshapiro faster envelope splitting. If the 394490792Sgshapiro mail is submitted directly from the 394590792Sgshapiro command line, then the value also 394690792Sgshapiro limits the number of processes to 394790792Sgshapiro deliver the envelopes. 394890792SgshapiroconfMAILBOX_DATABASE MailboxDatabase [pw] Type of lookup to find 394990792Sgshapiro information about local mailboxes. 395090792SgshapiroconfDEQUOTE_OPTS - [empty] Additional options for the 395190792Sgshapiro dequote map. 395290792SgshapiroconfINPUT_MAIL_FILTERS InputMailFilters 395390792Sgshapiro A comma separated list of filters 395490792Sgshapiro which determines which filters and 395590792Sgshapiro the invocation sequence are 395690792Sgshapiro contacted for incoming SMTP 395790792Sgshapiro messages. If none are set, no 395890792Sgshapiro filters will be contacted. 395990792SgshapiroconfMILTER_LOG_LEVEL Milter.LogLevel [9] Log level for input mail filter 396090792Sgshapiro actions, defaults to LogLevel. 396190792SgshapiroconfMILTER_MACROS_CONNECT Milter.macros.connect 396290792Sgshapiro [empty] Macros to transmit to milters 396390792Sgshapiro when a session connection starts. 396490792SgshapiroconfMILTER_MACROS_HELO Milter.macros.helo 396590792Sgshapiro [empty] Macros to transmit to milters 396690792Sgshapiro after HELO command. 396790792SgshapiroconfMILTER_MACROS_ENVFROM Milter.macros.envfrom 396890792Sgshapiro [empty] Macros to transmit to milters 396990792Sgshapiro after MAIL FROM command. 397090792SgshapiroconfMILTER_MACROS_ENVRCPT Milter.macros.envrcpt 397190792Sgshapiro [empty] Macros to transmit to milters 397290792Sgshapiro after RCPT TO command. 397364562Sgshapiro 397490792Sgshapiro 397538032SpeterSee also the description of OSTYPE for some parameters that can be 397638032Spetertweaked (generally pathnames to mailers). 397738032Speter 397890792SgshapiroClientPortOptions and DaemonPortOptions are special cases since multiple 397990792Sgshapiroclients/daemons can be defined. This can be done via 398038032Speter 398190792Sgshapiro CLIENT_OPTIONS(`field1=value1,field2=value2,...') 398264562Sgshapiro DAEMON_OPTIONS(`field1=value1,field2=value2,...') 398364562Sgshapiro 398490792SgshapiroNote that multiple CLIENT_OPTIONS() commands (and therefore multiple 398590792SgshapiroClientPortOptions settings) are allowed in order to give settings for each 398690792Sgshapiroprotocol family (e.g., one for Family=inet and one for Family=inet6). A 398790792Sgshapirorestriction placed on one family only affects outgoing connections on that 398890792Sgshapiroparticular family. 398990792Sgshapiro 399064562SgshapiroIf DAEMON_OPTIONS is not used, then the default is 399164562Sgshapiro 399264562Sgshapiro DAEMON_OPTIONS(`Port=smtp, Name=MTA') 399364562Sgshapiro DAEMON_OPTIONS(`Port=587, Name=MSA, M=E') 399464562Sgshapiro 399564562SgshapiroIf you use one DAEMON_OPTIONS macro, it will alter the parameters 399664562Sgshapiroof the first of these. The second will still be defaulted; it 399764562Sgshapirorepresents a "Message Submission Agent" (MSA) as defined by RFC 399864562Sgshapiro2476 (see below). To turn off the default definition for the MSA, 399964562Sgshapirouse FEATURE(`no_default_msa') (see also FEATURES). If you use 400064562Sgshapiroadditional DAEMON_OPTIONS macros, they will add additional daemons. 400164562Sgshapiro 400264562SgshapiroExample 1: To change the port for the SMTP listener, while 400364562Sgshapirostill using the MSA default, use 400464562Sgshapiro DAEMON_OPTIONS(`Port=925, Name=MTA') 400564562Sgshapiro 400664562SgshapiroExample 2: To change the port for the MSA daemon, while still 400764562Sgshapirousing the default SMTP port, use 400864562Sgshapiro FEATURE(`no_default_msa') 400964562Sgshapiro DAEMON_OPTIONS(`Name=MTA') 401064562Sgshapiro DAEMON_OPTIONS(`Port=987, Name=MSA, M=E') 401164562Sgshapiro 401264562SgshapiroNote that if the first of those DAEMON_OPTIONS lines were omitted, then 401364562Sgshapirothere would be no listener on the standard SMTP port. 401464562Sgshapiro 401564562SgshapiroExample 3: To listen on both IPv4 and IPv6 interfaces, use 401664562Sgshapiro 401764562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v4, Family=inet') 401864562Sgshapiro DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6') 401964562Sgshapiro 402064562SgshapiroA "Message Submission Agent" still uses all of the same rulesets for 402164562Sgshapiroprocessing the message (and therefore still allows message rejection via 402264562Sgshapirothe check_* rulesets). In accordance with the RFC, the MSA will ensure 402364562Sgshapirothat all domains in the envelope are fully qualified if the message is 402464562Sgshapirorelayed to another MTA. It will also enforce the normal address syntax 402564562Sgshapirorules and log error messages. Additionally, by using the M=a modifier 402664562Sgshapiroyou can require authentication before messages are accepted by the MSA. 402777349SgshapiroNotice: Do NOT use the 'a' modifier on a public accessible MTA! 402864562SgshapiroFinally, the M=E modifier shown above disables ETRN as required by RFC 402964562Sgshapiro2476. 403064562Sgshapiro 403190792SgshapiroMail filters can be defined using the INPUT_MAIL_FILTER() and MAIL_FILTER() 403290792Sgshapirocommands: 403364562Sgshapiro 403490792Sgshapiro INPUT_MAIL_FILTER(`sample', `S=local:/var/run/f1.sock') 403590792Sgshapiro MAIL_FILTER(`myfilter', `S=inet:3333@localhost') 403638032Speter 403790792SgshapiroThe INPUT_MAIL_FILTER() command causes the filter(s) to be called in the 403890792Sgshapirosame order they were specified by also setting confINPUT_MAIL_FILTERS. A 403990792Sgshapirofilter can be defined without adding it to the input filter list by using 404090792SgshapiroMAIL_FILTER() instead of INPUT_MAIL_FILTER() in your .mc file. 404190792SgshapiroAlternatively, you can reset the list of filters and their order by setting 404290792SgshapiroconfINPUT_MAIL_FILTERS option after all INPUT_MAIL_FILTER() commands in 404390792Sgshapiroyour .mc file. 404490792Sgshapiro 404590792Sgshapiro 404690792Sgshapiro+----------------------------+ 404790792Sgshapiro| MESSAGE SUBMISSION PROGRAM | 404890792Sgshapiro+----------------------------+ 404990792Sgshapiro 405090792SgshapiroThe purpose of the message submission program (MSP) is explained 405190792Sgshapiroin sendmail/SECURITY. This section contains a list of caveats and 405290792Sgshapiroa few hints how for those who want to tweak the default configuration 405390792Sgshapirofor it (which is installed as submit.cf). 405490792Sgshapiro 405590792SgshapiroNotice: do not add options/features to submit.mc unless you are 405690792Sgshapiroabsolutely sure you need them. Options you may want to change 405790792Sgshapiroinclude: 405890792Sgshapiro 405994334Sgshapiro- confTRUSTED_USERS, FEATURE(`use_ct_file'), and confCT_FILE for 406098121Sgshapiro avoiding X-Authentication warnings. 406194334Sgshapiro- confTIME_ZONE to change it from the default `USE_TZ'. 406290792Sgshapiro- confDELIVERY_MODE is set to interactive in msp.m4 instead 406390792Sgshapiro of the default background mode. 406498121Sgshapiro- FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses 406598121Sgshapiro to the LOCAL_RELAY instead of the default relay. 406698121Sgshapiro- confRAND_FILE if you use STARTTLS and sendmail is not compiled with 406798121Sgshapiro the flag HASURANDOM. 406890792Sgshapiro 406998121SgshapiroThe MSP performs hostname canonicalization by default. As also 407098121Sgshapiroexplained in sendmail/SECURITY, mail may end up for various DNS 407198121Sgshapirorelated reasons in the MSP queue. This problem can be minimized by 407298121Sgshapirousing 407398121Sgshapiro 407498121Sgshapiro FEATURE(`nocanonify', `canonify_hosts') 407598121Sgshapiro define(`confDIRECT_SUBMISSION_MODIFIERS', `C') 407698121Sgshapiro 407798121SgshapiroSee the discussion about nocanonify for possible side effects. 407898121Sgshapiro 407990792SgshapiroSome things are not intended to work with the MSP. These include 408090792Sgshapirofeatures that influence the delivery process (e.g., mailertable, 408190792Sgshapiroaliases), or those that are only important for a SMTP server (e.g., 408290792Sgshapirovirtusertable, DaemonPortOptions, multiple queues). Moreover, 408390792Sgshapirorelaxing certain restrictions (RestrictQueueRun, permissions on 408490792Sgshapiroqueue directory) or adding features (e.g., enabling prog/file mailer) 408590792Sgshapirocan cause security problems. 408690792Sgshapiro 408790792SgshapiroOther things don't work well with the MSP and require tweaking or 408890792Sgshapiroworkarounds. For example, to allow for client authentication it 408990792Sgshapirois not just sufficient to provide a client certificate and the 409090792Sgshapirocorresponding key, but it is also necessary to make the key group 409190792Sgshapiro(smmsp) readable and tell sendmail not to complain about that, i.e., 409290792Sgshapiro 409390792Sgshapiro define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') 409490792Sgshapiro 409590792SgshapiroIf the MSP should actually use AUTH then the necessary data 409690792Sgshapiroshould be placed in a map as explained in SMTP AUTHENTICATION: 409790792Sgshapiro 409890792SgshapiroFEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') 409990792Sgshapiro 410090792Sgshapiro/etc/mail/msp-authinfo should contain an entry like: 410190792Sgshapiro 410290792Sgshapiro AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" 410390792Sgshapiro 410490792SgshapiroThe file and the map created by makemap should be owned by smmsp, 410590792Sgshapiroits group should be smmsp, and it should have mode 640. The database 410690792Sgshapiroused by the MTA for AUTH must have a corresponding entry. 410790792SgshapiroAdditionally the MTA must trust this authentication data so the AUTH= 410890792Sgshapiropart will be relayed on to the next hop. This can be achieved by 410990792Sgshapiroadding the following to your sendmail.mc file: 411090792Sgshapiro 411190792Sgshapiro LOCAL_RULESETS 411290792Sgshapiro SLocal_trust_auth 411390792Sgshapiro R$* $: $&{auth_authen} 411490792Sgshapiro Rsmmsp $# OK 411590792Sgshapiro 411690792Sgshapirofeature/msp.m4 defines almost all settings for the MSP. Most of 411790792Sgshapirothose should not be changed at all. Some of the features and options 411890792Sgshapirocan be overridden if really necessary. It is a bit tricky to do 411990792Sgshapirothis, because it depends on the actual way the option is defined 412090792Sgshapiroin feature/msp.m4. If it is directly defined (i.e., define()) then 412190792Sgshapirothe modified value must be defined after 412290792Sgshapiro 412390792Sgshapiro FEATURE(`msp') 412490792Sgshapiro 412590792SgshapiroIf it is conditionally defined (i.e., ifdef()) then the desired 412690792Sgshapirovalue must be defined before the FEATURE line in the .mc file. 412790792SgshapiroTo see how the options are defined read feature/msp.m4. 412890792Sgshapiro 412990792Sgshapiro 413090792Sgshapiro+--------------------------+ 413190792Sgshapiro| FORMAT OF FILES AND MAPS | 413290792Sgshapiro+--------------------------+ 413390792Sgshapiro 413490792SgshapiroFiles that define classes, i.e., F{classname}, consist of lines 413590792Sgshapiroeach of which contains a single element of the class. For example, 413690792Sgshapiro/etc/mail/local-host-names may have the following content: 413790792Sgshapiro 413890792Sgshapiromy.domain 413990792Sgshapiroanother.domain 414090792Sgshapiro 414190792SgshapiroMaps must be created using makemap(8) , e.g., 414290792Sgshapiro 414390792Sgshapiro makemap hash MAP < MAP 414490792Sgshapiro 414590792SgshapiroIn general, a text file from which a map is created contains lines 414690792Sgshapiroof the form 414790792Sgshapiro 414890792Sgshapirokey value 414990792Sgshapiro 415090792Sgshapirowhere 'key' and 'value' are also called LHS and RHS, respectively. 415190792SgshapiroBy default, the delimiter between LHS and RHS is a non-empty sequence 415290792Sgshapiroof white space characters. 415390792Sgshapiro 415490792Sgshapiro 415590792Sgshapiro+------------------+ 415690792Sgshapiro| DIRECTORY LAYOUT | 415790792Sgshapiro+------------------+ 415890792Sgshapiro 415938032SpeterWithin this directory are several subdirectories, to wit: 416038032Speter 416138032Speterm4 General support routines. These are typically 416238032Speter very important and should not be changed without 416338032Speter very careful consideration. 416438032Speter 416538032Spetercf The configuration files themselves. They have 416638032Speter ".mc" suffixes, and must be run through m4 to 416738032Speter become complete. The resulting output should 416838032Speter have a ".cf" suffix. 416938032Speter 417038032Speterostype Definitions describing a particular operating 417138032Speter system type. These should always be referenced 417238032Speter using the OSTYPE macro in the .mc file. Examples 417338032Speter include "bsd4.3", "bsd4.4", "sunos3.5", and 417438032Speter "sunos4.1". 417538032Speter 417638032Speterdomain Definitions describing a particular domain, referenced 417738032Speter using the DOMAIN macro in the .mc file. These are 417838032Speter site dependent; for example, "CS.Berkeley.EDU.m4" 417938032Speter describes hosts in the CS.Berkeley.EDU subdomain. 418038032Speter 418166494Sgshapiromailer Descriptions of mailers. These are referenced using 418238032Speter the MAILER macro in the .mc file. 418338032Speter 418438032Spetersh Shell files used when building the .cf file from the 418538032Speter .mc file in the cf subdirectory. 418638032Speter 418738032Speterfeature These hold special orthogonal features that you might 418838032Speter want to include. They should be referenced using 418938032Speter the FEATURE macro. 419038032Speter 419138032Speterhack Local hacks. These can be referenced using the HACK 419238032Speter macro. They shouldn't be of more than voyeuristic 419338032Speter interest outside the .Berkeley.EDU domain, but who knows? 419438032Speter 419538032Spetersiteconfig Site configuration -- e.g., tables of locally connected 419638032Speter UUCP sites. 419738032Speter 419838032Speter 419938032Speter+------------------------+ 420038032Speter| ADMINISTRATIVE DETAILS | 420138032Speter+------------------------+ 420238032Speter 420338032SpeterThe following sections detail usage of certain internal parts of the 420438032Spetersendmail.cf file. Read them carefully if you are trying to modify 420538032Speterthe current model. If you find the above descriptions adequate, these 420638032Spetershould be {boring, confusing, tedious, ridiculous} (pick one or more). 420738032Speter 420838032SpeterRULESETS (* means built in to sendmail) 420938032Speter 421038032Speter 0 * Parsing 421138032Speter 1 * Sender rewriting 421238032Speter 2 * Recipient rewriting 421338032Speter 3 * Canonicalization 421438032Speter 4 * Post cleanup 421538032Speter 5 * Local address rewrite (after aliasing) 421638032Speter 1x mailer rules (sender qualification) 421738032Speter 2x mailer rules (recipient qualification) 421838032Speter 3x mailer rules (sender header qualification) 421938032Speter 4x mailer rules (recipient header qualification) 422038032Speter 5x mailer subroutines (general) 422138032Speter 6x mailer subroutines (general) 422238032Speter 7x mailer subroutines (general) 422338032Speter 8x reserved 422438032Speter 90 Mailertable host stripping 422538032Speter 96 Bottom half of Ruleset 3 (ruleset 6 in old sendmail) 422638032Speter 97 Hook for recursive ruleset 0 call (ruleset 7 in old sendmail) 422738032Speter 98 Local part of ruleset 0 (ruleset 8 in old sendmail) 422838032Speter 422938032Speter 423038032SpeterMAILERS 423138032Speter 423238032Speter 0 local, prog local and program mailers 423338032Speter 1 [e]smtp, relay SMTP channel 423438032Speter 2 uucp-* UNIX-to-UNIX Copy Program 423538032Speter 3 netnews Network News delivery 423638032Speter 4 fax Sam Leffler's HylaFAX software 423738032Speter 5 mail11 DECnet mailer 423838032Speter 423938032Speter 424038032SpeterMACROS 424138032Speter 424238032Speter A 424338032Speter B Bitnet Relay 424438032Speter C DECnet Relay 424538032Speter D The local domain -- usually not needed 424638032Speter E reserved for X.400 Relay 424738032Speter F FAX Relay 424838032Speter G 424938032Speter H mail Hub (for mail clusters) 425038032Speter I 425138032Speter J 425238032Speter K 425338032Speter L Luser Relay 425464562Sgshapiro M Masquerade (who you claim to be) 425538032Speter N 425638032Speter O 425738032Speter P 425838032Speter Q 425938032Speter R Relay (for unqualified names) 426038032Speter S Smart Host 426138032Speter T 426264562Sgshapiro U my UUCP name (if you have a UUCP connection) 426364562Sgshapiro V UUCP Relay (class {V} hosts) 426464562Sgshapiro W UUCP Relay (class {W} hosts) 426564562Sgshapiro X UUCP Relay (class {X} hosts) 426638032Speter Y UUCP Relay (all other hosts) 426738032Speter Z Version number 426838032Speter 426938032Speter 427038032SpeterCLASSES 427138032Speter 427238032Speter A 427338032Speter B domains that are candidates for bestmx lookup 427438032Speter C 427538032Speter D 427638032Speter E addresses that should not seem to come from $M 427764562Sgshapiro F hosts this system forward for 427838032Speter G domains that should be looked up in genericstable 427938032Speter H 428038032Speter I 428138032Speter J 428238032Speter K 428338032Speter L addresses that should not be forwarded to $R 428438032Speter M domains that should be mapped to $M 428564562Sgshapiro N host/domains that should not be mapped to $M 428638032Speter O operators that indicate network operations (cannot be in local names) 428738032Speter P top level pseudo-domains: BITNET, DECNET, FAX, UUCP, etc. 428838032Speter Q 428964562Sgshapiro R domains this system is willing to relay (pass anti-spam filters) 429038032Speter S 429138032Speter T 429238032Speter U locally connected UUCP hosts 429338032Speter V UUCP hosts connected to relay $V 429438032Speter W UUCP hosts connected to relay $W 429538032Speter X UUCP hosts connected to relay $X 429638032Speter Y locally connected smart UUCP hosts 429738032Speter Z locally connected domain-ized UUCP hosts 429838032Speter . the class containing only a dot 429938032Speter [ the class containing only a left bracket 430038032Speter 430138032Speter 430238032SpeterM4 DIVERSIONS 430338032Speter 430438032Speter 1 Local host detection and resolution 430538032Speter 2 Local Ruleset 3 additions 430638032Speter 3 Local Ruleset 0 additions 430738032Speter 4 UUCP Ruleset 0 additions 430838032Speter 5 locally interpreted names (overrides $R) 430938032Speter 6 local configuration (at top of file) 431038032Speter 7 mailer definitions 431164562Sgshapiro 8 DNS based blacklists 431238032Speter 9 special local rulesets (1 and 2) 431364562Sgshapiro 431498121Sgshapiro$Revision: 8.622 $, Last updated $Date: 2002/06/03 13:15:16 $ 4315