Lines Matching +full:resolver +full:- +full:to +full:- +full:digital

5 explains how to create a sendmail.cf file for use with sendmail.
6 It also describes how to set options for sendmail which are explained
9 To get started, you may want to look at tcpproto.mc (for TCP-only
11 mail host), or the generic-*.mc files as operating system-specific
17 A BRIEF INTRODUCTION TO M4
30 ANTI-SPAM CONFIGURATION CONTROL
37 NON-SMTP BASED CONFIGURATIONS
41 USING USERDB TO MAP FULL NAMES
51 +--------------------------+
53 +--------------------------+
56 suffix ".mc". They must be run through "m4" to produce a ".cf" file.
57 You must pre-load "cf.m4":
70 or the -I flag (ditto), then ${CFDIR} can be in an arbitrary directory.
72 use -D_CF_DIR_=/path/to/cf/dir/ -- note the trailing slash! For example:
74 m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 config.mc > config.cf
78 divert(-1)
80 # Copyright (c) 1998-2005 Proofpoint, Inc. and its suppliers.
86 # By using this file, you agree to the terms and conditions set
92 # This is a Berkeley-specific configuration file for HP-UX 9.x.
93 # It applies only to the Computer Science Division at Berkeley,
95 # distribution as a sample only. To create your own configuration
97 # `DOMAIN' macro below to reference that file, and copy the result
98 # to a name of your own choosing.
102 The divert(-1) will delete the crud in the resulting output file.
112 in SMTP greeting messages -- this is defined in m4/version.m4.
116 You must specify an OSTYPE to properly configure things such as the
119 error when you try to build the configuration. Look at the ostype
124 This example is specific to the Computer Science Division at Berkeley.
125 You can use "DOMAIN(`generic')" to get a sufficiently bland definition
147 There are a few exceptions to this rule. Local macro definitions which
154 *** Berkeley-specific assumptions built in, such as the name ***
155 *** of their UUCP-relay. You'll want to create your own ***
169 simply be removed as they turned out not to be really useful.
173 In addition to compile time options for the sendmail binary, there
181 +----------------------------+
182 | A BRIEF INTRODUCTION TO M4 |
183 +----------------------------+
185 Sendmail uses the M4 macro processor to ``compile'' the configuration
186 files. The most important thing to know is that M4 is stream-based,
190 at the ``dnl'' up to and including the next newline character. In
191 most cases sendmail uses this only to avoid lots of unnecessary
195 ``A'' to have value ``B''. Macros are expanded as they are read, so
196 one normally quotes both values to prevent expansion. For example,
201 to be comments. For example, if you have
206 expanded. This also applies to
208 # And then define the $X macro to be the return address
210 because ``define'' is an M4 keyword. If you want to use them, surround
213 Since m4 uses single quotes (opening "`" and closing "'") to quote
215 it is not possible to define a rejection message containing a single
217 messages; in the worst case it might be ok to change the value
222 -------
224 This package requires a post-V7 version of m4; if you are running the
226 BSD-Net/2's m4 both work. GNU m4 version 1.1 or later also works.
227 Unfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a
229 ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version).
230 EXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine). Use GNU
234 +----------------+
236 +----------------+
239 related files, /etc/mail. The new files available for sendmail 8.9 --
240 the class {R} /etc/mail/relay-domains and the access database
241 /etc/mail/access -- take advantage of this new directory. Beginning with
243 set by OSTYPE() files). This new directory should help to restore
244 uniformity to sendmail's file locations.
249 ------------ ------------
265 /etc/sendmail.cw /etc/mail/local-host-names
266 /etc/mail/sendmail.cw /etc/mail/local-host-names
267 /etc/sendmail/sendmail.cw /etc/mail/local-host-names
269 /etc/sendmail.ct /etc/mail/trusted-users
271 /etc/sendmail.oE /etc/mail/error-header
292 to create the pathnames. The default value of this variable is
293 `/etc/mail/'. If you set this macro to a different value, you MUST include
301 +--------+
303 +--------+
309 of these files are identical to one another.
315 Operating system definitions are usually easy to write. They may define
317 empty). Unfortunately, the list of configuration-supported systems is
318 not as broad as the list of source-supported systems, since many of
322 of the alias file(s). It can be a comma-separated
324 commas in them -- for example, use
326 to get "a" and "b" both listed as alias files;
329 containing information printed in response to
332 queue files. To use multiple queues, supply
335 directories or symbolic links to directories
346 LOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail.
349 LOCAL_MAILER_ARGS [mail -d $u] The arguments passed to deliver local
352 mail that you are willing to accept.
354 messages to deliver in a single connection. Only
356 LOCAL_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data
357 that ARRIVE from an address that resolves to the
358 local mailer and which are converted to MIME will be
360 LOCAL_MAILER_EOL [undefined] If defined, the string to use as the
363 [X-Unix] The DSN Diagnostic-Code value for the
365 LOCAL_SHELL_PATH [/bin/sh] The shell used to deliver piped email.
368 LOCAL_SHELL_ARGS [sh -c $u] The arguments passed to deliver "prog"
374 used to submit news.
376 USENET_MAILER_ARGS [-m -h -n] The command line arguments for the
384 SMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default
385 flags are `mDFMuX' for all SMTP-based mailers; the
388 RELAY_MAILER_FLAGS [undefined] Flags added to the relay mailer. Default
389 flags are `mDFMuX' for all SMTP-based mailers; the
396 messages to deliver in a single connection for the
399 recipients to deliver in a single envelope for the
401 SMTP_MAILER_ARGS [TCP $h] The arguments passed to the smtp mailer.
402 About the only reason you would want to change this
403 would be to change the default port.
404 ESMTP_MAILER_ARGS [TCP $h] The arguments passed to the esmtp mailer.
405 SMTP8_MAILER_ARGS [TCP $h] The arguments passed to the smtp8 mailer.
406 DSMTP_MAILER_ARGS [TCP $h] The arguments passed to the dsmtp mailer.
407 RELAY_MAILER_ARGS [TCP $h] The arguments passed to the relay mailer.
414 messages to deliver in a single connection for the
416 SMTP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data
417 that ARRIVE from an address that resolves to one of
418 the SMTP mailers and which are converted to MIME will
420 RELAY_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data
421 that ARRIVE from an address that resolves to the
422 relay mailers and which are converted to MIME will
427 UUCP_MAILER_PATH [/usr/bin/uux] The program used to send UUCP mail.
428 UUCP_MAILER_FLAGS [undefined] Flags added to UUCP mailer. Default
429 flags are `DFMhuU' (and `m' for uucp-new mailer,
430 minus `U' for uucp-dom mailer).
431 UUCP_MAILER_ARGS [uux - -r -z -a$g -gC $h!rmail ($u)] The arguments
432 passed to the UUCP mailer.
435 UUCP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data
436 that ARRIVE from an address that resolves to one of
437 the UUCP mailers and which are converted to MIME will
440 FAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to
442 FAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX
447 POP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq
449 POP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer.
451 PROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail
454 PROCMAIL_MAILER_FLAGS [SPhnu9] Flags added to Procmail mailer. Flags
458 PROCMAIL_MAILER_ARGS [procmail -Y -m $h $f $u] The arguments passed to
465 MAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer.
467 MAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11
470 PH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery
474 PH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer.
478 CYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver
480 CYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed
481 to deliver cyrus mail.
484 CYRUS_MAILER_USER [cyrus:mail] The user and group to become when
489 CYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed
490 to deliver cyrusbb mail.
494 messages to deliver in a single connection for the
497 recipients to deliver in a single connection for the
500 to the cyrusv2 mailer. This can be used to
502 to switch to delivery via TCP (e.g., `TCP $h lmtp')
504 CYRUSV2_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data
505 that ARRIVE from an address that resolves to one the
506 Cyrus mailer and which are converted to MIME will
512 QPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver
514 QPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed
515 to deliver qpage mail.
521 Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS:
525 (thus overriding the default value), or if it starts with `+' (`-')
526 then those flags are added to (removed from) the default value.
531 will add the flag `e' to LOCAL_MAILER_FLAGS. Notice: there are
539 +---------+
541 +---------+
543 You will probably want to collect domain-dependent defines into one
548 UUCP_RELAY The host that will accept UUCP-addressed email.
551 BITNET_RELAY The host that will accept BITNET-addressed email.
552 If not defined, the .BITNET pseudo-domain won't work.
553 DECNET_RELAY The host that will accept DECNET-addressed email.
554 If not defined, the .DECNET pseudo-domain and addresses
556 FAX_RELAY The host that will accept mail to the .FAX pseudo-domain.
558 LOCAL_RELAY The site that will handle unqualified names -- that
562 FEATURE(`stickyhost') -- see the discussion of
563 stickyhost below. If not set, they are assumed to
564 belong on this machine. This allows you to have a
565 central site to store a company- or department-wide
568 LUSER_RELAY The site that will handle lusers -- that is, apparently
569 local names that aren't local accounts or aliases. To
570 specify a local user instead of a site, set this to
574 mailer is the internal mailer name, such as ``uucp-new'' and the hostname
578 record matching your domain, you probably want to define these to
580 to yourself.
582 The domain file can also be used to define a domain name, if needed
583 (using "DD<domain>") and set certain site-wide features. If all hosts
587 You do not have to define a domain -- in particular, if you are a
593 +---------+
595 +---------+
598 version, owing mostly to a simpler world. As a general rule, put the
603 your mail to another site. This mailer is included
610 five mailers: "smtp" for regular (old-style) SMTP to
611 other servers, "esmtp" for extended SMTP to other
612 servers, "smtp8" to do SMTP to other servers without
613 converting 8-bit data to MIME (essentially, this is
614 your statement that you know the other end is 8-bit
615 clean even if it doesn't say so), "dsmtp" to do on
616 demand delivery, and "relay" for transmission to the
619 uucp The UNIX-to-UNIX Copy Program mailer. Actually, this
620 defines two mailers, "uucp-old" (a.k.a. "uucp") and
621 "uucp-new" (a.k.a. "suucp"). The latter is for when you
625 ("uucp-dom" and "uucp-uudom") are also defined [warning: you
628 class {U} and sends them to the uucp-old mailer; all
629 names in class {Y} are sent to uucp-new; and all
630 names in class {Z} are sent to uucp-uudom. Note that
637 an extra rule is added to ruleset 0 that forwards all
638 local email for users named ``group.usenet'' to the
648 procmail An interface to procmail (does not come with sendmail).
649 This is designed to be used in mailertables. For example,
651 domain to a single person?". If you have this mailer
659 ! -oi -f $1 person@other.host
661 This would arrange for (anything)@host.com to be sent
662 to person@other.host. In a procmail script, $1 is the
667 Of course there are other ways to solve this particular
668 problem, e.g., a catch-all entry in a virtusertable.
678 to do CCSO name server lookups. The phquery program, which
681 cyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to
685 mail to the user's "detail" mailbox if the mailbox's ACL
686 permits. The cyrusbb mailer delivers to a system-wide
690 cyrusv2 The mailer for Cyrus v2.x. The cyrusv2 mailer delivers to
694 mail to the user's "detail" mailbox if the mailbox's ACL
703 to certain local mail programs (in particular, see
709 +----------+
711 +----------+
718 tells sendmail that you want to have it read an /etc/mail/local-host-names
719 file to get values for class {w}. A FEATURE may contain up to 9
720 optional parameters -- for example:
728 which would set it to use ndbm databases. The default is the Berkeley DB
730 if you specify an argument to a FEATURE. DATABASE_MAP_TYPE is only used
741 use_cw_file Read the file /etc/mail/local-host-names file to get
749 use_ct_file Read the file /etc/mail/trusted-users file to get the
750 names of users that will be ``trusted'', that is, able to
751 set their envelope from address using -f without generating
755 redirect Reject all mail addressed to "address.REDIRECT" with
758 to their new address with ".REDIRECT" appended.
764 that is allowed to relay.
766 Warnings: 1. See the notice in the anti-spam section.
774 that is allowed to relay.
776 Warnings: 1. See the notice in the anti-spam section.
780 nocanonify Don't pass addresses to $[ ... $] for canonification
791 also want to use
792 "define(`confBIND_OPTS', `-DNSRCH -DEFNAMES')" to turn off
793 the usual resolver options that do a similar thing.
797 i.e., a list of domains which are nevertheless passed to
798 $[ ... $] for canonification. This is useful to turn on
800 CANONIFY_DOMAIN(`my.domain my') to canonify addresses
802 Another way to require canonification in the local
805 A trailing dot is added to addresses with more than
820 When used without MAIL_HUB, email sent to
821 "user@local.host" are marked as "sticky" -- that
823 don't go through ruleset 5, and are not forwarded to
826 With MAIL_HUB, mail addressed to "user@local.host"
827 is forwarded to the mail hub, with the envelope
830 to "user@mail_hub", in order to protect against
833 mailertable Include a "mailer table" which can be used to override
842 or partial domains preceded by a dot -- for example,
848 is where to send the message. These maps are not
852 will forward to the indicated user using the local mailer,
854 will forward to the original user in the e-mail address
862 domaintable Include a "domain table" which can be used to provide
864 limited to your own domains. It may be useful if you
866 oldname.com to newname.com). The argument of the
877 bitdomain Look up bitnet hosts in a table to try to turn them into
893 At the moment there is no automagic tool to build this
902 another domain to be added than the local.
905 feature will cause recipient addresses to also masquerade
909 if you send to "localalias", the originating sendmail will
910 find that alias and send to all members, but send the
911 message with "To: localalias@masqueradehost". Since that
927 cause addresses to be rewritten such that the masquerading
928 domains are actually entire domains to be hidden. All
930 to the masquerade name (used in MASQUERADE_AS). For example,
937 then *foo.org and *bar.com are converted to masq.com. Without
951 addresses to also masquerade as being from the masquerade
956 to be looked up in a map and turned into another ("generic")
960 MSP (as required by the RFCs). Hence you need to add your
961 domain to class {G}. This feature is similar to the userdb
966 part in class {G}; entries can be added to this class by the
968 to MASQUERADE_DOMAIN and MASQUERADE_DOMAIN_FILE, see below).
982 mail, it is necessary to use FEATURE(`always_add_domain')
983 for the addresses to be qualified.
994 addresses to be searched in the map if their domain
997 virtusertable A domain-specific form of aliasing, allowing multiple
998 virtual domains to be hosted on one machine. For example,
1001 info@foo.com foo-info
1002 info@bar.com bar-info
1007 then mail addressed to info@foo.com will be sent to the
1008 address foo-info, mail addressed to info@bar.com will be
1009 delivered to bar-info, and mail addressed to anyone at baz.org
1010 will be sent to jane@example.net, mail to joe@bar.com will
1011 be rejected with the specified error message, and mail to
1020 meaning someone@foo.org will be sent to someone@example.com.
1031 and other forms are possible. Note: to preserve "+detail"
1033 There are two wildcards after "+": "+" matches only a non-empty
1036 to ensure that the parameters %2 and %3 are not empty.
1041 VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and
1044 {VirtHost} are added to class {R}, i.e., relaying is allowed
1045 to (and from) those domains, which by default includes also
1059 addresses to be searched in the map if their domain
1062 ldap_routing Implement LDAP-based e-mail recipient routing according to
1063 the Internet Draft draft-lachman-laser-ldap-mail-routing-01.
1064 This provides a method to re-route addresses with a
1065 domain portion in class {LDAPRoute} to either a
1067 be added to this class using LDAPROUTE_DOMAIN and
1068 LDAPROUTE_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and
1073 nullclient This is a special case -- it creates a configuration file
1074 containing nothing but support for forwarding all mail to a
1075 central hub via a local SMTP-based network. The argument
1082 local_lmtp Use an LMTP capable local mailer. The argument to this
1084 default, mail.local is used. This is expected to be the
1086 LMTP capable. The path to mail.local is set by the
1087 confEBINDIR m4 variable -- making the default
1091 passed to it (A=) as third parameter, e.g.,
1099 The argument to this feature is the pathname of the
1100 delivery agent, which defaults to PROCMAIL_MAILER_PATH.
1107 is just tossed, but by default it is passed as the -a
1108 argument to procmail.
1110 This feature can take up to three arguments:
1112 1. Path to the mailer program
1115 [default: procmail -Y -a $h -d $u]
1118 Empty arguments cause the defaults to be taken.
1120 setreuid() call, you may need to add -f $f to the procmail
1121 argument vector to pass the proper sender to procmail.
1123 For example, this allows it to use the maildrop mailer
1127 `maildrop -d $u')
1138 additional DNS traffic, but should be OK for low to
1140 domains, which will limit the feature to only apply to
1141 these domains -- this will reduce unnecessary DNS
1148 to programs. This improves the ability of the local
1149 system administrator to control what gets run via
1150 e-mail. If an argument is provided it is used as the
1151 pathname to smrsh; otherwise, the path defined by
1152 confEBINDIR is used for the smrsh binary -- by default,
1158 local host (class {w}) and sending it to another host than
1159 your local host). This option sets your site to allow
1160 mail relaying from any site to any site. In almost all
1161 cases, it is better to control relaying more carefully
1163 can be added to class {R} by the macros RELAY_DOMAIN or
1164 RELAY_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and
1169 class {m} to use your server for relaying. Notice: make
1177 For example, if you specify ``foo.com'', then mail to or
1180 the behaviour to look up individual host names only.
1183 Turns on the ability to allow relaying based on the MX
1185 is, if an MX record for host foo.com points to your site,
1186 you will accept and relay mail addressed to foo.com. See
1192 routing of these messages which you expect to be allowed,
1193 if route address syntax (or %-hack syntax) is used. If
1194 this is a problem, add entries to the access-table or use
1204 forged. Use of this feature requires the "From:" tag to
1207 anti-spam configuration control.
1213 they can send mail to your mail server that claims to be
1215 and you will go ahead and relay it out to arbitrary hosts
1223 you will need to use this feature to accept unqualified
1228 'f' can be used to enforce fully qualified addresses.
1232 refused if the host part of the argument to MAIL FROM:
1236 could cause problems. In this case you probably want to
1237 use this feature to accept all domains on input, even if
1241 you the ability to allow or refuse to accept mail from
1246 hash -T<TMPF> /etc/mail/access
1248 See the anti-spam configuration control section for further
1250 "-T<TMPF>" is meant literal, do not replace it by anything.
1253 Turns on the ability to block incoming mail for certain
1255 example, you can block incoming mail to user nobody,
1258 described in the anti-spam configuration control section
1265 See "Delay all checks" in the anti-spam configuration control
1266 section. Note: this feature is incompatible to the versions
1272 is given, then the default (to match potential headers) is:
1285 argument can be used to change the default error message,
1289 Rejected: IP-ADDRESS listed at SERVER
1291 where IP-ADDRESS and SERVER are replaced by the appropriate
1295 message. See the anti-spam configuration control section for
1297 to query different DNS based rejection lists. See also
1300 Set the DNSBL_MAP mc option to change the default map
1302 to add additional options to the map specification used.
1311 define(`DNSBL_MAP', `dns -R A')
1315 statement can be used to reduce the number of DNS retries,
1318 define(`DNSBL_MAP', `dns -R A -r2')
1323 (up to 5) can be used to specify specific return values
1333 will reject the e-mail if the lookup returns the value
1341 Set the EDNSBL_TO mc option to change the DNS retry count
1344 clients to time out (an entry stating
1350 ratecontrol Enable simple ruleset to do connection rate control
1365 10.1.2.3 can only make up to 4 connections, the
1386 10.1.2.3 can only have up to 4 open connections, the
1394 draft-stumpf-dns-mtamark-01. Optional arguments are:
1411 lookupdotdomain Look up also .domain in the access map. This allows to
1434 passed to the mailer (see mailer triple in op.me). Note
1441 address to local delivery agent. Disables alias and
1448 including +detail is passed to the user lookup function.
1450 compat_check Enable ruleset check_compat to look up pairs of addresses
1451 with the Compat: tag -- Compat:sender<@>recipient -- in the
1461 To define a MSA daemon with other parameters, use this
1466 to use it. An optional argument can be used to override
1467 the default of `[localhost]' to use as host to send all
1468 e-mails to. Note that MX records will be used if the
1471 port 587 is used to contact the server. Example:
1478 Note: Due to many problems, submit.mc uses
1483 change it to
1487 If you want to continue using '[localhost]', (the behavior
1488 up to 8.12.6), use
1492 queuegroup A simple example how to select a queue group based
1493 on the full e-mail address or the domain of the
1510 argument specifying the milliseconds to wait:
1516 hostname, domain, IP address, or subnet to determine the
1539 - authenticated sessions,
1540 - connections from IP addresses in class $={R}.
1541 Currently access_db lookups can not be used to
1547 adds the IPv6 and IPv4 localhost IP addresses to $={w} (local
1556 The basic policy is to reject message with a 5xx error if
1557 the IP address fails to resolve. However, if this is a
1559 If the look-up succeeds, but returns an apparently forged
1566 Any IP address matched using $=R (the "relay-domains" file)
1572 not control their rDNS. They should be able to send mail
1581 this FEATURE() will not be applied to authenticated senders
1590 so that the rDNS blocking does apply not to those IPs.
1595 that address to be treated as a permanent failure.
1598 resolves to a "bad" MX record. By default these are
1599 MX records which resolve to A records that match the
1614 (MTA-STS, see RFC 8461). It sets the option
1616 argument: the socket map specification to access
1617 postfix-mta-sts-resolver (see feature/sts.m4
1623 OPENSSL_MODULES to the first and second argument,
1627 +-------+
1629 +-------+
1631 Some things just can't be called features. To make this clear,
1633 macro. These will tend to be site-dependent. The release
1634 includes the Berkeley-dependent "cssubdomain" hack (that makes
1636 this is intended as a short-term aid while moving hosts into
1640 +--------------------+
1642 +--------------------+
1649 * of UUCP mailers, such as uucp-uudom. *
1656 The SITECONFIG macro allows you to indirectly reference site-dependent
1665 parameter is the name of both a macro to store the local name (in
1666 this case, {U}) and the name of the class (e.g., {U}) in which to store
1672 connected to ucbarpa.Berkeley.EDU. Class {W} will be used to
1673 store this list, and $W is defined to be ucbarpa.Berkeley.EDU, that
1674 is, the name of the relay to which the hosts listed in uucp.ucbarpa
1676 out-of-date configuration file has been left around to demonstrate
1680 special; the second parameter is assumed to be the UUCP name of the
1695 The macro LOCAL_UUCP can be used to add rules into the generated
1700 +--------------------+
1702 +--------------------+
1704 It's hard to get UUCP mailers right because of the extremely ad hoc
1706 for domain-based addressing, even for UUCP sites.
1708 There are four UUCP mailers available. The choice of which one to
1713 to change. This makes it hard to do the right thing, and discourages
1717 The major choice is whether to go for a domainized scheme or a
1718 non-domainized scheme. This depends entirely on what the other
1720 other end to go to a domain-based system -- non-domainized addresses
1725 uucp-old (obsolete name: "uucp")
1726 This is the oldest, the worst (but the closest to UUCP) way of
1728 everything and prepends $U (your UUCP name) to the sender's
1730 only send to one address at a time, so it spends a lot of
1734 uucp-new (obsolete name: "suucp")
1739 uucp-dom
1747 domain-based addresses in the message header. (The envelope
1750 uucp-uudom
1751 This is a cross between uucp-new (for the envelope addresses)
1752 and uucp-dom (for the header addresses). It bangifies the
1762 On host grasp.insa-lyon.fr (UUCP host name "grasp"), the following
1766 ------ ------ -------------------------
1767 uucp-{old,new} wolf grasp!wolf
1768 uucp-dom wolf wolf@grasp.insa-lyon.fr
1769 uucp-uudom wolf grasp.insa-lyon.fr!wolf
1771 uucp-{old,new} wolf@fr.net grasp!fr.net!wolf
1772 uucp-dom wolf@fr.net wolf@fr.net
1773 uucp-uudom wolf@fr.net fr.net!wolf
1775 uucp-{old,new} somehost!wolf grasp!somehost!wolf
1776 uucp-dom somehost!wolf somehost!wolf@grasp.insa-lyon.fr
1777 uucp-uudom somehost!wolf grasp.insa-lyon.fr!somehost!wolf
1780 to convert all UUCP addresses to domain format -- otherwise, it will
1782 if you have the address foo!bar!baz (and you are not sending to foo),
1783 the heuristics will add the @uucp.relay.name or @local.host.name to
1784 this address. However, if you map foo to foo.host.name first, it
1789 +-------------------+
1791 +-------------------+
1797 A common use is to convert old UUCP addresses to SMTP addresses using
1805 to be converted to "user@decvax.dec.com" and "user@research.att.com"
1808 This could also be used to look up hosts in a database map:
1815 Similarly, LOCAL_RULE_0 can be used to introduce new parsing rules.
1816 For example, new rules are needed to parse hostnames that you accept
1831 the LOCAL_CONFIG section. It can be used to declare local database maps or
1836 Kyplocal nis -m hosts.byname
1839 +---------------------------+
1841 +---------------------------+
1847 This causes mail being sent to be labeled as coming from the
1850 Berkeley would choose to masquerade as an MIT site). This
1867 The effect of this is that although mail to user@otherhost.domain
1869 will, when relayed, be rewritten to have the MASQUERADE_AS address.
1870 This can be a space-separated list of names.
1876 to read the list of names from the indicated file (i.e., to add
1877 elements to class {M}).
1879 To exempt hosts or subdomains from being masqueraded, you can use
1883 This can come handy if you want to masquerade a whole domain
1889 Normally only header addresses are masqueraded. If you want to
1894 There are always users that need to be "exposed" -- that is, their
1896 Root is an example (which has been "exposed" by default prior to 8.10).
1897 You can add users to this list using
1901 This adds users to class {E}; you could also use
1905 You can also arrange to relay all unqualified names (that is, names
1906 without @host) to a relay host. For example, if you have a central
1907 email server, you might relay to that host so that users don't have
1908 to have .forward files or aliases. You can do this using
1912 The ``mailer:'' can be omitted, in which case the mailer defaults to
1915 locally aliased. You can add entries to this list using
1919 This adds users to class {L}; you could also use
1923 If you want all incoming mail sent to a centralized hub, as for a
1928 Again, ``mailer:'' defaults to "relay". If you define both LOCAL_RELAY
1930 be sent to the LOCAL_RELAY and other local names will be sent to MAIL_HUB.
1940 email sent to.... eric eric@mastodon.CS.Berkeley.EDU
1942 LOCAL_RELAY set to mail.CS.Berkeley.EDU (delivered locally)
1945 MAIL_HUB set to mammoth.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU
1954 If you want all outgoing mail to go to a central relay site, define
1957 LOCAL_RELAY applies to unqualified names (e.g., "eric").
1958 MAIL_HUB applies to names qualified with the name of the
1960 SMART_HOST applies to names qualified with other hosts or
1966 really want absolutely everything to go to a single central site you will
1967 need to unset all the other relays -- or better yet, find or build a
1970 For duplicate suppression to work properly, the host name is best
1974 note the trailing dot ---^
1977 +-------------------------------------------+
1979 +-------------------------------------------+
1982 own LDAP map specification or using the built-in default LDAP map
1983 specification. The built-in default specifications all provide lookups
1985 a "cluster". The cluster allows you to share LDAP entries among a large
1986 number of machines without having to enter each of the machine names into
1987 each LDAP entry. To set the LDAP cluster name to use for a particular
1988 machine or set of machines, set the confLDAP_CLUSTER m4 variable to a
1995 to the Servers cluster.
2006 in future versions. Feedback via sendmail-YYYY@support.sendmail.org is
2009 -------
2011 -------
2013 The ALIAS_FILE (O AliasFile) option can be set to use LDAP for alias
2014 lookups. To use the default schema, simply use:
2018 By doing so, you will use the default schema which expands to a map
2021 ldap -k (&(objectClass=sendmailMTAAliasObject)
2026 -v sendmailMTAAliasValue,sendmailMTAAliasSearch:FILTER:sendmailMTAAliasObject,sendmailMTAAliasURL:…
2031 not actually macro-expanded when read from the sendmail.cf file.
2035 dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org
2041 sendmailMTAKey: sendmail-list
2046 dn: sendmailMTAKey=owner-sendmail-list, dc=sendmail, dc=org
2052 sendmailMTAKey: owner-sendmail-list
2064 Here, the aliases sendmail-list and owner-sendmail-list will be available
2088 would mean that on all of the hosts in the cluster, mail to bob would go to
2089 eric EXCEPT on etrn.sendmail.org in which case it would go to BOTH eric and
2092 If you prefer not to use the default LDAP schema for your aliases, you can
2095 define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember')
2097 ----
2099 ----
2116 --------- ------------------
2128 Kmailertable ldap -k (&(objectClass=sendmailMTAMapObject)
2133 -1 -v sendmailMTAMapValue,sendmailMTAMapSearch:FILTER:sendmailMTAMapObject,sendmailMTAMapURL:URL:s…
2170 If you prefer not to use the default LDAP schema for your maps, you can
2173 FEATURE(`access_db', `ldap:-1 -k (&(objectClass=mapDatabase)(key=%0)) -v value')
2175 -------
2177 -------
2185 be used with LDAP to read classes from LDAP. Note that the lookup is only
2186 done when sendmail is initially started. Use the special value `@LDAP' to
2193 'R' into class $={R}. In other words, it is equivalent to the LDAP map
2196 F{R}@ldap:-k (&(objectClass=sendmailMTAClass)
2200 -v sendmailMTAClassValue,sendmailMTAClassSearch:FILTER:sendmailMTAClass,sendmailMTAClassURL:URL:se…
2204 not actually macro-expanded when read from the sendmail.cf file.
2210 ------- --------------------
2249 the result will be similar to the aliases caution above. When the lookup
2254 If you prefer not to use the default LDAP schema for your classes, you can
2257 VIRTUSER_DOMAIN_FILE(`@ldap:-k (&(objectClass=virtHosts)(host=*)) -v host')
2263 +--------------+
2265 +--------------+
2267 FEATURE(`ldap_routing') can be used to implement the IETF Internet Draft
2269 (draft-lachman-laser-ldap-mail-routing-01). This feature enables
2270 LDAP-based rerouting of a particular address to either a different host
2273 (e.g., @example.com). Be sure to set up your domain for LDAP routing using
2280 hostnames are mapped to $M (the masqueraded hostname for the server) before
2281 the LDAP query. For example, if the mail is addressed to
2290 this behavior can be changed by giving additional arguments to the FEATURE()
2296 where <mailHost> is a map definition describing how to look up an alternative
2298 describing how to look up an alternative address for a particular address;
2301 is found, if set to "sendertoo", the sender will be rejected if not
2302 found in LDAP; and <detail> indicates what actions to take if the address
2303 contains +detail information -- `strip' tries the lookup with the +detail
2306 found, the +detail information is copied to the new address; the <nodomain>
2308 address is not found in LDAP; the <tempfail> argument, if set to
2309 "tempfail", instructs the rules to give an SMTP 4XX temporary
2310 error if the LDAP server gives the MTA a temporary failure, or if set to
2315 ldap -1 -T<TMPF> -v mailHost -k (&(objectClass=inetLocalMailRecipient)
2320 ldap -1 -T<TMPF> -v mailRoutingAddress
2321 -k (&(objectClass=inetLocalMailRecipient)
2324 Note that neither includes the LDAP server hostname (-h server) or base DN
2325 (-b o=org,c=COUNTRY), both necessary for LDAP queries. It is presumed that
2328 changed as described above. The "-T<TMPF>" is required in any user
2329 specified map definition to catch temporary errors.
2335 ----------- --------------------- ----------
2336 set to a set mail delivered to
2339 set to a not set delivered to
2342 set to a set mailRoutingAddress
2343 remote host relayed to mailHost
2345 set to a not set original address
2346 remote host relayed to mailHost
2348 not set set mail delivered to
2351 not set not set delivered to
2356 the result would mean sending the mail to a different host, that host is
2360 to the FEATURE() command. The default is to deliver the message to the
2376 This would deliver mail for tom@example.com to thomas@mailhost.example.com.
2383 This would relay mail for dick@example.com to the same address but redirect
2384 the mail to MX records listed for the host eng.example.com (unless the
2393 This would relay mail for harry@example.com to the MX records listed for
2395 when talking to that host.
2403 This would send all mail destined for any username @virtual.example.com to
2404 the machine server.example.com's MX servers and deliver to the address
2408 +---------------------------------+
2409 | ANTI-SPAM CONFIGURATION CONTROL |
2410 +---------------------------------+
2412 The primary anti-spam features available in sendmail are:
2420 {w}) to another site except yours) is denied by default. Note that this
2422 If you really want to revert to the old behaviour, you will need to use
2423 FEATURE(`promiscuous_relay'). You can allow certain domains to relay
2424 through your server by adding their domain name or IP address to class
2438 socket to the MTA/MSP. This might be necessary if your configuration
2448 will be relayed (that is, you will accept mail either to or from any
2458 accepted for relay to domain.com. This feature may cause problems
2460 case, mail will be temporarily rejected. It is usually better to
2463 to relay spam but it will not stop outsiders from using your server
2465 to your mail server, and you will relay mail addressed to them
2472 dangerous feature as it will allow spammers to spam using your mail
2482 the mail sender is also checked to allow relaying. This option
2484 map entries. This feature allows spammers to abuse your mail server
2486 This may be harder to figure out for spammers, but it should not
2487 be used unless necessary. Instead use SMTP AUTH or STARTTLS to
2492 RCPT TO:<user%site.com@othersite.com>), sendmail will check
2495 or the access database if FEATURE(`access_db') is used. To prevent
2500 If you think you need to use this feature, you probably do not. This
2503 can allow spammers to relay through your server if not set up properly.
2505 NOTICE: It is possible to relay mail through a system which the
2506 anti-relay rules do not prevent: the case of a system that does use
2508 (system A) and relays local messages to a mail hub (e.g., via
2512 would be relayed to <user@example.net>.
2514 therefore forwards it to the mail hub which in turn relays it
2516 allows UUCP (bang-format) / %-hack addresses, all systems from which
2522 to addresses that use domain literals, e.g., <user@[1.2.3.4]>, if the
2523 IP address can't be mapped to a host name. If you want to continue
2524 to accept such domains, e.g., because you are inside a firewall that
2526 will not be able to return mail to them unless you have some "smart
2531 Alternatively, you can allow specific addresses by adding them to
2547 want to continue to accept such senders, use
2554 to enforce fully qualified domain names.
2556 An ``access'' database can be created to accept or reject mail from
2557 selected domains. For example, you may choose to reject all mail
2558 originating from known spammers. To enable such a database, use
2562 Notice: the access database is applied to the envelope addresses
2563 and the connection information, not to the header.
2568 FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access_map')
2571 `-T<TMPF>' as shown above. The optional parameters may be
2574 `lookupdotdomain' another way to enable the feature of the
2577 To:user@example.com RELAY
2578 to allow relaying to just a specific
2579 e-mail address instead of an entire domain.
2582 file as described below, you must use makemap to create the database
2587 The table itself uses e-mail addresses, domain names, and network
2605 Entries in the access map should be tagged according to their type.
2610 To: envelope recipient
2615 with the corresponding tag in front, then (as fallback to enable
2620 To:friend.domain RELAY
2627 send mail to that address even if FEATURE(`blocklist_recipients')
2628 is enabled. Your system will allow relaying to friend.domain, but
2631 rejection lists. Relaying is enabled from from.domain but not to
2634 relaying, which is based on the recipient address, To: must be
2647 RELAY Accept mail addressed to the indicated domain
2664 "any text" is a message to return for the command.
2665 The entire string should be quoted to avoid
2675 as above, but useful to mark error messages as such.
2676 If quotes need to be used to avoid modifications
2683 and the rest as above. If quotes need to be used
2684 to avoid modifications, they should be placed
2698 To:sendmail.org RELAY
2708 It would allow relaying mail from and to any hosts in the sendmail.org
2711 which shows how SKIP is useful to exempt subnets/subdomains. The
2713 address doesn't resolve to a hostname (or is considered as "may be
2719 error code to match it. For example, if you use
2721 To:user@example.com ERROR:450 mailbox full
2726 Note, UUCP users may need to add hostname.UUCP to the access database
2735 hosts listed in class {R} to be fully qualified host names.
2737 You can also use the access database to block sender addresses based on
2742 Note that you must include the @ after the username to signify that
2750 then you can add entries to the map for local users, hosts in your
2753 To:badlocaluser@ ERROR:550 Mailbox disabled for badlocaluser
2754 To:host.my.TLD ERROR:550 That host does not accept mail
2755 To:user@other.my.TLD ERROR:550 Mailbox disabled for this recipient
2761 the sender address, and hence it is possible to distinguish between
2763 sending mails to all addresses that have an error message or REJECT
2769 Mail can't be sent to spammer@aol.com or anyone at cyberspammer.com.
2774 maintained in DNS. To use such a database, specify
2778 This will cause sendmail to reject mail from any site listed in the
2780 to check by specifying an argument to the FEATURE. The default
2783 Rejected: IP-ADDRESS listed at SERVER
2785 where IP-ADDRESS and SERVER are replaced by the appropriate
2786 information. A second argument can be used to specify a different
2795 and hence cause the connection not to be rejected by the DNS based
2805 451 Temporary lookup failure of IP-ADDRESS at SERVER
2807 where IP-ADDRESS and SERVER are replaced by the appropriate
2810 This FEATURE can be included several times to query different
2813 Notice: to avoid checking your own local domains against those
2819 to the access map, where 10.1 is your local network. You may
2820 want to use "RELAY" instead of "OK" to allow also relaying
2826 client hostname and IP address when the connection is made to your
2827 server. It does not check if a mail message is being relayed to
2828 another server. That check is done in check_rcpt. If you wish to
2831 example if you wanted to block senders with all numeric usernames
2836 Kallnumbers regex -a@MATCH ^[0-9]+$
2848 the local ruleset resolves to a mailer (such as $#error or $#discard),
2850 interpreted by sendmail and may lead to unspecified behavior. Note: do
2855 ----------------
2862 If check_mail returns an error then the RCPT TO command will be rejected
2871 in the access map, then any e-mail with a sender address of
2874 to get around DNS based blocklist by faking the sender address. To
2875 avoid this problem you have to use tagged entries:
2877 To:my.domain RELAY
2891 the default behavior is to apply the other rulesets and make a SPAM
2894 the argument is `hater', then the default behavior is to skip the rulesets
2904 in the access map, mail to abuse@localdomain will get through (where
2905 "localdomain" is any domain in class {w}). It is also possible to
2912 Note: The required tag has been changed in 8.12 from To: to Spam:.
2913 This change is incompatible with previous versions. However, you can
2914 (for now) simply add the new entries to the access map, the old
2916 the access map, specify a third parameter (`n') to this feature and
2921 -------------
2924 This is done by adding a ruleset call to the 'H' header definition command
2925 in sendmail.cf. For example, this can be used to check the validity of
2926 a Message-ID: header:
2929 HMessage-Id: $>CheckMessageId
2941 comments to the ruleset (comments in parentheses () are stripped
2951 That may cause problems with simple header checks due to the
2952 tokenization. It might be simpler to use a regex map and apply it
2953 to $&{currHeader}.
2961 any final header-related checks. The ruleset is called with the number of
2963 example usage is to reject messages which do not have a Message-Id:
2964 header. However, the Message-Id: header is *NOT* a required header and is
2970 HMessage-Id: $>CheckMessageId
2984 # Has a Message-Id: header
2986 # Allow missing Message-Id: from local mail
2994 +--------------------+
2996 +--------------------+
2998 The features ratecontrol and conncontrol allow you to establish connection
3004 FEATURE(`access_db') to be listed earlier in the mc file.
3008 connection control features less useful. To run the checks as early
3018 sendmail to terminate the session with that error if it is
3025 +----------+
3027 +----------+
3033 For STARTTLS to be offered by sendmail you need to set at least
3048 Macros related to STARTTLS are:
3056 ${cipher} the cipher used for the connection, e.g., EDH-DSS-DES-CBC3-SHA,
3057 EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA.
3077 --------
3081 failed (${verify} != OK), relaying is subject to the usual rules.
3088 To make things a bit more flexible (or complicated), the values for
3091 _CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in
3092 rulesets and map lookups, they are modified as follows: each non-printable
3106 The macros which are subject to this encoding are ${cert_subject},
3111 To allow relaying for everyone who can present a cert signed by
3121 To allow relaying only for a subset of machines that have a cert signed by
3136 Of course it is also possible to write a simple ruleset that allows
3145 --------------------
3147 The rulesets tls_server, tls_client, and tls_rcpt are used to decide whether
3165 requiring that e-mail is sent to a server only encrypted, e.g., via
3169 doesn't necessarily mean that e-mail sent to that domain is encrypted.
3175 then mail to user@secure.domain may go unencrypted to mail.other.domain.
3176 tls_rcpt can be used to address this problem.
3178 tls_rcpt is called before a RCPT TO: command is sent. The parameter is the
3184 The result of the lookups is then used to call the ruleset TLS_connection,
3194 The RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary
3200 algorithm, e.g., DIGEST-MD5.
3213 Example: e-mail sent to secure.example.com should only use an encrypted
3214 connection. E-mail received from hosts within the laptop.example.com domain
3216 receives e-mail for darth@endmail.org must present a cert that uses the
3217 CN smtp.endmail.org. E-mail sent to safe.example.com must be verified,
3230 -----------------------
3233 MTAs with STARTTLS interoperability issues. To be able to send to
3240 be used to return a (semicolon separated) list of TLS related
3243 - Options: compare {Server,Client}SSLOptions.
3244 - CipherList: same as the global option.
3245 - CertFile, KeyFile: {Server,Client}{Cert,Key}File
3246 - Flags: see doc/op/op.me for details.
3254 TLS_Clt_features:10.1.0.1 Options=SSL_OP_NO_TLSv1_2; CipherList=ALL:-EXPORT
3258 and turn off TLSv1.2 when connecting to the server with the IP
3268 to the hostname or IP address of the connecting system (the latter
3278 will turn off STARTTLS when sending to broken.server (or any host
3280 only for hosts in my.domain, and disable MTA-STS for broken.sts.
3286 ----------------
3294 +---------------------+
3296 +---------------------+
3299 used in anti-relay rulesets to allow relaying for those users that
3312 RDIGEST-MD5 $| $+@$=w $# OK
3314 to allow relaying for users that authenticated using DIGEST-MD5
3317 The ruleset trust_auth is used to determine whether a given AUTH=
3318 parameter (that is passed to this ruleset) should be trusted. This
3320 ruleset resolves to the error mailer, the AUTH= parameter is not
3322 to modify the default behavior, which only trusts the AUTH=
3323 parameter if it is identical to the authenticated user.
3329 TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5')
3336 -----------------------------------------------------
3338 If sendmail acts as a client, it needs some information on how to
3343 in the same way and finally just the tag AuthInfo: to provide
3346 is used then only up to three lookups are performed (two exact
3352 sendmail set-user-ID. Use PrivacyOptions to turn off verbose output
3356 to fail since the ruleset authinfo is in the .cf file. If you really
3357 want to use DefaultAuthInfo (it is deprecated) then you have to
3374 AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5"
3380 If "R:" is not specified, realm defaults to $j. The list of mechanisms
3381 defaults to those specified by AuthMechanisms.
3387 group/world-unreadable, this is left to the user.
3390 +--------------------------------+
3392 +--------------------------------+
3394 Sometimes you may need to add entirely new mailers or rulesets. They
3409 and LOCAL_TLS_SERVER, respectively. For example, to add a local
3410 ruleset that decides whether to try STARTTLS in a sendmail client, use:
3415 Note: you don't need to add a name for the ruleset, it is implicitly
3419 +-------------------------+
3421 +-------------------------+
3423 Sendmail supports mail filters to filter incoming SMTP messages according
3424 to the "Sendmail Mail Filter API" documentation. These filters can be
3448 are equivalent to the three commands:
3454 In general, INPUT_MAIL_FILTER() should be used unless you need to define
3455 more filters than you want to use for `confINPUT_MAIL_FILTERS'.
3462 +-------------------------+
3464 +-------------------------+
3466 In addition to the queue directory (which is the default queue group
3476 +-------------------------------+
3477 | NON-SMTP BASED CONFIGURATIONS |
3478 +-------------------------------+
3481 SMTP-based sites. They may not be well tuned for UUCP-only or
3482 UUCP-primarily nodes (the latter is defined as a small local net
3483 connected to the rest of the world via UUCP). However, there is
3484 one hook to handle some special cases.
3491 In this case, the ``mailer:'' defaults to "relay". Any messages that
3492 can't be handled using the usual UUCP rules are passed to this host.
3494 If you are on a local SMTP-based net that connects to the outside
3495 world via UUCP, you can use LOCAL_NET_CONFIG to add appropriate rules.
3498 define(`SMART_HOST', `uucp-new:uunet')
3502 This will cause all names that end in your domain name ($m) to be sent
3503 via SMTP; anything else will be sent via uucp-new (smart UUCP) to uunet.
3504 If you have FEATURE(`nocanonify'), you may need to omit the dots after
3506 not otherwise connected to the outside world, you probably want to
3513 That is, send directly only to things you found in your DNS lookup;
3516 You may need to turn off the anti-spam rules in order to accept
3521 +-----------+
3523 +-----------+
3525 Normally, the $j macro is automatically defined to be your fully
3530 supposed to return the FQDN ("foo.bar.com"). In some (fairly rare)
3531 cases, gethostbyname may fail to return the FQDN. In this case
3532 you MUST define confDOMAIN_NAME to be your fully qualified domain
3539 +-----------------------------------+
3541 +-----------------------------------+
3543 If your host is known by several different names, you need to augment
3545 anything sent to an address using a host name in this list will be
3547 file /etc/mail/local-host-names containing a list of your aliases (one per
3549 ``LOCAL_DOMAIN(`alias.host.name')''. Be sure you use the fully-qualified
3552 If you want to have different address in different domains, take
3554 http://www.sendmail.org/virtual-hosting.html
3557 +--------------------+
3559 +--------------------+
3561 To use FEATURE(`mailertable'), you will have to create an external
3566 uuhost1.my.domain uucp-new:uuhost1
3577 the leading dot) -- that is, they can be thought of as having a
3578 leading ".+" regular expression pattern for a non-empty sequence of
3579 characters. Matching is done in order of most-to-least qualified
3580 -- for example, even though ".my.domain" is listed first in the
3582 entry since it is more explicit. Note: e-mail to "user@my.domain"
3583 does not match any entry in the above table. You need to have
3590 sendmail.cf file). The "host" will be the hostname passed to
3591 that mailer. In domain-based matches (that is, those with leading
3592 dots) the "%1" may be used to interpolate the wildcarded part of
3594 addressed to "anything.my.domain" to that same host name, but using
3597 In some cases you may want to temporarily turn off MX records,
3598 particularly on gateways. For example, you may want to MX
3599 everything in a domain to one machine that then forwards it
3600 directly. To do this, you might use the DNS configuration:
3615 +--------------------------------+
3616 | USING USERDB TO MAP FULL NAMES |
3617 +--------------------------------+
3620 to login names (e.g., Eric.Allman => eric), but some people are using
3622 purpose instead -- since you can specify multiple alias files, this
3623 is fairly easy.) The intent was to locate the default maildrop at
3624 a site, but allow you to override this by sending to a specific host.
3626 If you decide to set up the user database in this fashion, it is
3627 imperative that you not use FEATURE(`stickyhost') -- otherwise,
3628 e-mail sent to Full.Name@local.host.name will be rejected.
3630 To build the internal form of the user database, use:
3634 As a general rule, it is an extremely bad idea to use full names
3635 as e-mail addresses, since they are not in any sense unique. For
3636 example, the UNIX software-development community has at least two
3637 well-known Peter Deutsches, and at one time Bell Labs had two
3639 will be forced to suffer the indignity of being Stephen_R_Bourne_2?
3646 +--------------------------------+
3648 +--------------------------------+
3651 Sometimes it is convenient to merge configuration on a
3652 centralized mail machine, for example, to forward all
3653 root mail to a mail server. In this case it might be
3654 useful to be able to treat the root addresses as a class
3666 +----------------+
3668 +----------------+
3670 A lot of sendmail security comes down to you. Sendmail 8 is much
3672 versions, but there are some things that you still need to watch
3683 if your system allows "file giveaways" (that is, if a non-root
3684 user can chown any file they own to any other user).
3688 to steal anyone else's e-mail. Instead, create a script that
3690 night (if you want the non-NFS-mounted forward directory).
3693 sendmail is much less trusting of :include: files -- in
3694 particular, you'll have to have /SENDMAIL/ANY/SHELL/ in
3698 In general, file giveaways are a mistake -- if you can turn them
3702 +--------------------------------+
3704 +--------------------------------+
3707 need to be changed. However, if you feel you need to tweak them,
3710 Before changing them you need to make sure you do not violate those
3719 Some options are likely to be deprecated in future versions -- that is,
3720 the option is only included to provide back-compatibility. These are
3723 Remember that these options are M4 variables, and hence may need to
3724 be quoted. In particular, arguments with commas will usually have to
3725 be ``double quoted, like this phrase'' to avoid having the comma
3731 confMAILER_NAME $n macro [MAILER-DAEMON] The sender name used
3737 and then it should be set to
3740 confCF_VERSION $Z macro If defined, this is appended to the
3744 cluster to use for LDAP searches
3757 It is unwise to try to change this.
3758 confMESSAGEID_HEADER Message-Id: [<$t.$i@$j>] The format of an
3759 internally generated Message-Id:
3761 confCW_FILE Fw class [/etc/mail/local-host-names] Name
3762 of file used to get the local
3763 additions to class {w} (local host
3765 confCT_FILE Ft class [/etc/mail/trusted-users] Name of
3766 file used to get the local additions
3767 to class {t} (trusted users).
3768 confCR_FILE FR class [/etc/mail/relay-domains] Name of
3769 file used to get the local additions
3770 to class {R} (hosts allowed to relay).
3771 confTRUSTED_USERS Ct class [no default] Names of users to add to
3777 Not to be confused with
3779 confSMTP_MAILER - [esmtp] The mailer name used when
3783 confUUCP_MAILER - [uucp-old] The mailer to be used by
3784 default for bang-format recipient
3788 confLOCAL_MAILER - [local] The mailer name used when
3791 confRELAY_MAILER - [relay] The default mailer name used
3792 for relaying any mail (e.g., to a
3795 "uucp-new" if you are on a
3796 UUCP-connected site.
3797 confSEVEN_BIT_INPUT SevenBitInput [False] Force input to seven bits?
3798 confEIGHT_BIT_HANDLING EightBitMode [pass8] 8-bit data handling
3799 confALIAS_WAIT AliasWait [10m] Time to wait for alias file
3804 queue filesystem to accept SMTP mail.
3805 (Prior to 8.7 this was minfree/maxsize,
3815 to mailers marked expensive.
3826 confIGNORE_DOTS* IgnoreDots [False; always False in -bs or -bd
3830 resolver.
3831 confMIME_FORMAT_ERRORS* SendMimeErrors [True] Send error messages as MIME-
3834 The colon-separated list of places to
3846 interpreted relative to the queue
3851 set, single thread deliveries to other
3853 sendmails on this host to connect
3854 simultaneously to any other single
3858 to a host will prevent other sendmails
3859 from connecting to the other host.
3866 confUSE_ERRORS_TO* UseErrorsTo [False] Use the Errors-To: header to
3886 confQUEUE_FACTOR QueueFactor [600000] Slope of queue-only function.
3892 confDONT_PRUNE_ROUTES DontPruneRoutes [False] Don't prune down route-addr
3893 syntax addresses to the minimum
3895 confSAFE_QUEUE* SuperSafe [True] Commit all messages to disk
3900 connect() to complete. This can only
3906 applies only to the very first attempt
3907 to connect to a host in a message.
3914 attempt to succeed. If 0, no overall
3917 to a HELO or EHLO command.
3919 response to the MAIL command.
3921 to the RCPT command.
3930 to the final "." that terminates a
3933 to the RSET command.
3935 to the QUIT command.
3937 to other SMTP commands.
3939 waiting for a command to be issued.
3941 response to an IDENT query.
3944 (e.g., :include: file) to be opened.
3946 to an LMTP LHLO command.
3951 response to an SMTP STARTTLS command.
3954 control socket transaction to complete.
3967 Timeout.queuereturn.non-urgent
3968 [undefined] As above, for non-urgent
3976 message is sent to the sender telling
3986 Timeout.queuewarn.non-urgent
3987 [undefined] As above, for non-urgent
3998 a single queue run and to persistent
4000 confTO_RESOLVER_RETRANS Timeout.resolver.retrans
4001 [varies] Sets the resolver's
4004 Timeout.resolver.retrans.first and
4005 Timeout.resolver.retrans.normal.
4006 confTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first
4007 [varies] Sets the resolver's
4009 seconds) for the first attempt to
4011 confTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal
4012 [varies] Sets the resolver's
4014 seconds) for all resolver lookups
4016 confTO_RESOLVER_RETRY Timeout.resolver.retry
4018 to retransmit a resolver query.
4020 Timeout.resolver.retry.first and
4021 Timeout.resolver.retry.normal.
4022 confTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first
4024 to retransmit a resolver query for
4025 the first attempt to deliver a
4027 confTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal
4029 to retransmit a resolver query for
4030 all resolver lookups except the
4032 confTIME_ZONE TimeZoneSpec [USE_SYSTEM] Time zone info -- can be
4033 USE_SYSTEM to use the system's idea,
4034 USE_TZ to use the user's TZ envariable,
4035 or something else to force that value.
4050 to the host directly; normally this
4053 queue-only function kicks in.
4104 confMAX_QUEUE_AGE MaxQueueAge [undefined] If set to a value greater
4113 runs. This allows you to set the
4117 confDEF_CHAR_SET DefaultCharSet [unknown-8bit] When converting
4118 unlabeled 8 bit input to MIME, the
4119 character set to use by default.
4122 to use for the service switch on
4124 system-defined switch.
4125 confHOSTS_FILE HostsFile [/etc/hosts] The file to use when doing
4129 retry". This is to allow "dial on
4130 demand" connections to have enough time
4131 to complete a connection.
4133 [none] What to do if there are no legal
4134 recipient fields (To:, Cc: or Bcc:)
4136 be "none" to just leave the
4137 nonconforming message as is, "add-to"
4138 to add a To: header with all the
4140 blind recipients), "add-apparently-to"
4141 to do the same but use Apparently-To:
4142 instead of To: (strongly discouraged
4144 "add-bcc" to add an empty Bcc:
4145 header, or "add-to-undisclosed" to
4147 ``To: undisclosed-recipients:;''.
4155 they are treated as the introducer to
4157 handled properly in route-addrs. This
4161 any given queue run to this number of
4172 This is to keep system resources used
4173 within a reasonable limit. Relates to
4186 seems to be moving toward legalizing
4196 when sending to files or programs.
4203 confMUST_QUOTE_CHARS MustQuoteChars [.'] Characters to be quoted in a full
4212 second words to convince other
4213 sendmails to try to speak ESMTP.
4216 might want to do this if you are
4220 can cause your ypserv to run
4226 [True] If set, group-writable
4230 from such files. World-writable files
4245 "double bounce" error message to this
4246 address. If it expands to an empty
4251 testing of a new configuration to
4253 confDEAD_LETTER_DROP DeadLetterDrop [undefined] Filename to save bounce
4255 to the user or sent to postmaster.
4258 confRRT_IMPLIES_DSN RrtImpliesDsn [False] Return-Receipt-To: header
4263 and :include: files) to be done as
4286 in a mailertable entry) -- otherwise,
4287 mail to addresses in this list will
4289 If set to "loopback" (without
4303 confREJECT_MSG - [550 Access denied] The message
4306 confRELAY_MSG - [550 Relaying denied] The message
4311 memory-buffered data (df) file
4312 before a disk-based file is used.
4315 memory-buffered transcript (xf)
4316 file before a disk-based file is
4318 confAUTH_MECHANISMS AuthMechanisms [EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5
4319 CRAM-MD5] List of authentication
4327 that is passed to the Cyrus SASL
4335 realm to use, and the list of
4336 mechanisms to try, each on a separate
4373 specific settings such as "-h host
4374 -p port -d bindDN", etc. The
4379 confCACERT_PATH CACertPath [undefined] Path to directory with
4389 private key belonging to the server
4396 private key belonging to the client
4402 hashes pointing to certificate
4416 (digest) to use for the presented
4419 confSSL_ENGINE_PATH SSLEnginePath [undefined] Path to dynamic library
4435 be used to turn off the compile time
4444 confFAST_SPLIT FastSplit [1] If set to a value greater than
4451 limits the number of processes to
4453 confMAILBOX_DATABASE MailboxDatabase [pw] Type of lookup to find
4455 confDEQUOTE_OPTS - [empty] Additional options for the
4470 actions, defaults to LogLevel.
4473 {if_addr}] Macros to transmit to
4479 {cert_issuer}] Macros to transmit to
4485 {mail_addr}] Macros to transmit to
4489 {rcpt_addr}] Macros to transmit to
4490 milters after RCPT TO command.
4492 [{msg_id}] Macros to transmit to
4496 Macros to transmit to milters
4499 Macros to transmit to milters
4504 tweaked (generally pathnames to mailers).
4513 ClientPortOptions settings) are allowed in order to give settings for each
4526 2476 (see below). To turn off the default definition for the MSA,
4530 Example 1: To change the port for the SMTP listener, while
4534 Example 2: To change the port for the MSA daemon, while still
4543 Example 3: To listen on both IPv4 and IPv6 interfaces, use
4545 DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')
4546 DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6')
4552 is relayed to another MTA. It will also enforce the normal address syntax
4564 The INPUT_MAIL_FILTER() command causes the filter(s) to be called in the
4566 filter can be defined without adding it to the input filter list by using
4573 +----------------------------+
4575 +----------------------------+
4579 a few hints for those who want to tweak the default configuration
4582 Notice: do not add options/features to submit.mc unless you are
4583 absolutely sure you need them. Options you may want to change
4586 - confTRUSTED_USERS, FEATURE(`use_ct_file'), and confCT_FILE for
4587 avoiding X-Authentication warnings.
4588 - confTIME_ZONE to change it from the default `USE_TZ'.
4589 - confDELIVERY_MODE is set to interactive in msp.m4 instead
4591 - FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses
4592 to the LOCAL_RELAY instead of the default relay.
4593 - confRAND_FILE if you use STARTTLS and sendmail is not compiled with
4606 Some things are not intended to work with the MSP. These include
4615 workarounds. For example, to allow for client authentication it
4616 is not just sufficient to provide a client certificate and the
4617 corresponding key, but it is also necessary to make the key group
4618 (smmsp) readable and tell sendmail not to complain about that, i.e.,
4625 FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo')
4627 /etc/mail/msp-authinfo should contain an entry like:
4629 AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5"
4635 part will be relayed on to the next hop. This can be achieved by
4636 adding the following to your sendmail.mc file:
4643 Note: the authentication data can leak to local users who invoke
4644 the MSP with debug options or even with -v. For that reason either
4646 AUTH dialogue (e.g., DIGEST-MD5) or a different authentication
4651 can be overridden if really necessary. It is a bit tricky to do
4660 To see how the options are defined read feature/msp.m4.
4663 +--------------------------+
4665 +--------------------------+
4669 /etc/mail/local-host-names may have the following content:
4684 By default, the delimiter between LHS and RHS is a non-empty sequence
4688 +------------------+
4690 +------------------+
4692 Within this directory are several subdirectories, to wit:
4699 ".mc" suffixes, and must be run through m4 to
4721 want to include. They should be referenced using
4728 siteconfig Site configuration -- e.g., tables of locally connected
4732 +------------------------+
4734 +------------------------+
4737 sendmail.cf file. Read them carefully if you are trying to modify
4741 RULESETS (* means built in to sendmail)
4767 2 uucp-* UNIX-to-UNIX Copy Program
4778 D The local domain -- usually not needed
4787 M Masquerade (who you claim to be)
4809 E addresses that should not seem to come from $M
4816 L addresses that should not be forwarded to $R
4817 M domains that should be mapped to $M
4818 N host/domains that should not be mapped to $M
4820 P top level pseudo-domains: BITNET, DECNET, FAX, UUCP, etc.
4822 R domains this system is willing to relay (pass anti-spam filters)
4826 V UUCP hosts connected to relay $V
4827 W UUCP hosts connected to relay $W
4828 X UUCP hosts connected to relay $X
4830 Z locally connected domain-ized UUCP hosts