                SENDMAIL CONFIGURATION FILES

This document describes the sendmail configuration files. It
explains how to create a sendmail.cf file for use with sendmail.
It also describes how to set options for sendmail which are explained
in the Sendmail Installation and Operation guide, which can be found
on-line at http://www.sendmail.org/%7Eca/email/doc8.12/op.html .
Recall this URL throughout this document when references to
doc/op/op.* are made.

Table of Contents:

INTRODUCTION AND EXAMPLE
A BRIEF INTRODUCTION TO M4
FILE LOCATIONS
OSTYPE
DOMAINS
MAILERS
FEATURES
HACKS
SITE CONFIGURATION
USING UUCP MAILERS
TWEAKING RULESETS
MASQUERADING AND RELAYING
USING LDAP FOR ALIASES, MAPS, AND CLASSES
LDAP ROUTING
ANTI-SPAM CONFIGURATION CONTROL
CONNECTION CONTROL
STARTTLS
ADDING NEW MAILERS OR RULESETS
ADDING NEW MAIL FILTERS
QUEUE GROUP DEFINITIONS
NON-SMTP BASED CONFIGURATIONS
WHO AM I?
ACCEPTING MAIL FOR MULTIPLE NAMES
USING MAILERTABLES
USING USERDB TO MAP FULL NAMES
MISCELLANEOUS SPECIAL FEATURES
SECURITY NOTES
TWEAKING CONFIGURATION OPTIONS
MESSAGE SUBMISSION PROGRAM
FORMAT OF FILES AND MAPS
DIRECTORY LAYOUT
ADMINISTRATIVE DETAILS


+--------------------------+
| INTRODUCTION AND EXAMPLE |
+--------------------------+

Configuration files are contained in the subdirectory "cf", with a
suffix ".mc". They must be run through "m4" to produce a ".cf" file.
You must pre-load "cf.m4":

        m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf

Alternatively, you can simply:

        cd ${CFDIR}/cf
        /usr/ccs/bin/make config.cf

where ${CFDIR} is the root of the cf directory and config.mc is the
name of your configuration file. If you are running a version of M4
that understands the __file__ builtin (versions of GNU m4 >= 0.75 do
this, but the versions distributed with 4.4BSD and derivatives do not)
or the -I flag (ditto), then ${CFDIR} can be in an arbitrary directory.
For "traditional" versions, ${CFDIR} ***MUST*** be "..", or you MUST
use -D_CF_DIR_=/path/to/cf/dir/ -- note the trailing slash! For example:

        m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 config.mc > config.cf

Let's examine a typical .mc file:

        divert(-1)
        #
        # Copyright (c) 1998-2005 Sendmail, Inc. and its suppliers.
        #       All rights reserved.
        # Copyright (c) 1983 Eric P. Allman. All rights reserved.
        # Copyright (c) 1988, 1993
        #       The Regents of the University of California. All rights reserved.
        #
        # By using this file, you agree to the terms and conditions set
        # forth in the LICENSE file which can be found at the top level of
        # the sendmail distribution.
        #

        #
        # This is a Berkeley-specific configuration file for HP-UX 9.x.
        # It applies only to the Computer Science Division at Berkeley,
        # and should not be used elsewhere. It is provided on the sendmail
        # distribution as a sample only. To create your own configuration
        # file, create an appropriate domain file in ../domain, change the
        # `DOMAIN' macro below to reference that file, and copy the result
        # to a name of your own choosing.
        #
        divert(0)

The divert(-1) will delete the crud in the resulting output file.
The copyright notice can be replaced by whatever your lawyers require;
our lawyers require the one that is included in these files. A copyleft
is a copyright by another name. The divert(0) restores regular output.

        VERSIONID(`<SCCS or RCS version id>')

VERSIONID is a macro that stuffs the version information into the
resulting file. You could use SCCS, RCS, CVS, something else, or
omit it completely. This is not the same as the version id included
in SMTP greeting messages -- this is defined in m4/version.m4.

        OSTYPE(`hpux9')dnl

You must specify an OSTYPE to properly configure things such as the
pathname of the help and status files, the flags needed for the local
mailer, and other important things. If you omit it, you will get an
error when you try to build the configuration. Look at the ostype
directory for the list of known operating system types.

        DOMAIN(`CS.Berkeley.EDU')dnl

This example is specific to the Computer Science Division at Berkeley.
You can use "DOMAIN(`generic')" to get a sufficiently bland definition
that may well work for you, or you can create a customized domain
definition appropriate for your environment.

        MAILER(`local')
        MAILER(`smtp')

These describe the mailers used at the default CS site. The local
mailer is always included automatically. Beware: MAILER declarations
should only be followed by LOCAL_* sections. The general rules are
that the order should be:

        VERSIONID
        OSTYPE
        DOMAIN
        FEATURE
        local macro definitions
        MAILER
        LOCAL_CONFIG
        LOCAL_RULE_*
        LOCAL_RULESETS

There are a few exceptions to this rule. Local macro definitions which
influence a FEATURE() should be done before that feature. For example,
a define(`PROCMAIL_MAILER_PATH', ...) should be done before
FEATURE(`local_procmail').


+----------------------------+
| A BRIEF INTRODUCTION TO M4 |
+----------------------------+

Sendmail uses the M4 macro processor to ``compile'' the configuration
files.
The most important thing to know is that M4 is stream-based,
that is, it doesn't understand about lines. For this reason, in some
places you may see the word ``dnl'', which stands for ``delete
through newline''; essentially, it deletes all characters starting
at the ``dnl'' up to and including the next newline character. In
most cases sendmail uses this only to avoid lots of unnecessary
blank lines in the output.

Other important directives are define(A, B) which defines the macro
``A'' to have value ``B''. Macros are expanded as they are read, so
one normally quotes both values to prevent expansion. For example,

        define(`SMART_HOST', `smart.foo.com')

One word of warning: M4 macros are expanded even in lines that appear
to be comments. For example, if you have

        # See FEATURE(`foo') above

it will not do what you expect, because the FEATURE(`foo') will be
expanded. This also applies to

        # And then define the $X macro to be the return address

because ``define'' is an M4 keyword. If you want to use them, surround
them with directed quotes, `like this'.

Since m4 uses single quotes (opening "`" and closing "'") to quote
arguments, those quotes can't be used in arguments. For example,
it is not possible to define a rejection message containing a single
quote. Usually there are simple workarounds by changing those
messages; in the worst case it might be ok to change the value
directly in the generated .cf file, which however is not advised.

+----------------+
| FILE LOCATIONS |
+----------------+

sendmail 8.9 has introduced a new configuration directory for sendmail
related files, /etc/mail. The new files available for sendmail 8.9 --
the class {R} /etc/mail/relay-domains and the access database
/etc/mail/access -- take advantage of this new directory. Beginning with
8.10, all files will use this directory by default (some options may be
set by OSTYPE() files). This new directory should help to restore
uniformity to sendmail's file locations.

Below is a table of some of the common changes:

Old filename                    New filename
------------                    ------------
/etc/bitdomain                  /etc/mail/bitdomain
/etc/domaintable                /etc/mail/domaintable
/etc/genericstable              /etc/mail/genericstable
/etc/uudomain                   /etc/mail/uudomain
/etc/virtusertable              /etc/mail/virtusertable
/etc/userdb                     /etc/mail/userdb

/etc/aliases                    /etc/mail/aliases
/etc/sendmail/aliases           /etc/mail/aliases
/etc/ucbmail/aliases            /etc/mail/aliases
/usr/adm/sendmail/aliases       /etc/mail/aliases
/usr/lib/aliases                /etc/mail/aliases
/usr/lib/mail/aliases           /etc/mail/aliases
/usr/ucblib/aliases             /etc/mail/aliases

/etc/sendmail.cw                /etc/mail/local-host-names
/etc/mail/sendmail.cw           /etc/mail/local-host-names
/etc/sendmail/sendmail.cw       /etc/mail/local-host-names

/etc/sendmail.ct                /etc/mail/trusted-users

/etc/sendmail.oE                /etc/mail/error-header

/etc/sendmail.hf                /etc/mail/helpfile
/etc/mail/sendmail.hf           /etc/mail/helpfile
/usr/ucblib/sendmail.hf         /etc/mail/helpfile
/etc/ucbmail/sendmail.hf        /etc/mail/helpfile
/usr/lib/sendmail.hf            /etc/mail/helpfile
/usr/share/lib/sendmail.hf      /etc/mail/helpfile
/usr/share/misc/sendmail.hf     /etc/mail/helpfile
/share/misc/sendmail.hf         /etc/mail/helpfile

/etc/service.switch             /etc/mail/service.switch

/etc/sendmail.st                /etc/mail/statistics
/etc/mail/sendmail.st           /etc/mail/statistics
/etc/mailer/sendmail.st         /etc/mail/statistics
/etc/sendmail/sendmail.st       /etc/mail/statistics
/usr/lib/sendmail.st            /etc/mail/statistics
/usr/ucblib/sendmail.st         /etc/mail/statistics

Note that all of these paths actually use a new m4 macro MAIL_SETTINGS_DIR
to create the pathnames. The default value of this variable is
`/etc/mail/'. If you set this macro to a different value, you MUST include
a trailing slash.

Notice: all filenames used in a .mc (or .cf) file should be absolute
(starting at the root, i.e., with '/'). Relative filenames will most
likely cause surprises during operations (unless otherwise noted).


+--------+
| OSTYPE |
+--------+

You MUST define an operating system environment, or the configuration
file build will puke. There are several environments available; look
at the "ostype" directory for the current list.
This macro changes
things like the location of the alias file and queue directory. Some
of these files are identical to one another.

It is IMPERATIVE that the OSTYPE occur before any MAILER definitions.
In general, the OSTYPE macro should go immediately after any version
information, and MAILER definitions should always go last.

Operating system definitions are usually easy to write. They may define
the following variables (everything defaults, so an ostype file may be
empty). Unfortunately, the list of configuration-supported systems is
not as broad as the list of source-supported systems, since many of
the source contributors do not include corresponding ostype files.

ALIAS_FILE              [/etc/mail/aliases] The location of the text version
                        of the alias file(s). It can be a comma-separated
                        list of names (but be sure you quote values with
                        commas in them -- for example, use
                                define(`ALIAS_FILE', `a,b')
                        to get "a" and "b" both listed as alias files;
                        otherwise the define() primitive only sees "a").
HELP_FILE               [/etc/mail/helpfile] The name of the file
                        containing information printed in response to
                        the SMTP HELP command.
QUEUE_DIR               [/var/spool/mqueue] The directory containing
                        queue files.
                        To use multiple queues, supply
                        a value ending with an asterisk. For
                        example, /var/spool/mqueue/qd* will use all of the
                        directories or symbolic links to directories
                        beginning with 'qd' in /var/spool/mqueue as queue
                        directories. The names 'qf', 'df', and 'xf' are
                        reserved as specific subdirectories for the
                        corresponding queue file types as explained in
                        doc/op/op.me. See also QUEUE GROUP DEFINITIONS.
MSP_QUEUE_DIR           [/var/spool/clientmqueue] The directory containing
                        queue files for the MSP (Mail Submission Program).
STATUS_FILE             [/etc/mail/statistics] The file containing status
                        information.
LOCAL_MAILER_PATH       [/bin/mail] The program used to deliver local mail.
LOCAL_MAILER_FLAGS      [Prmn9] The flags used by the local mailer. The
                        flags lsDFMAw5:/|@q are always included.
LOCAL_MAILER_ARGS       [mail -d $u] The arguments passed to deliver local
                        mail.
LOCAL_MAILER_MAX        [undefined] If defined, the maximum size of local
                        mail that you are willing to accept.
LOCAL_MAILER_MAXMSGS    [undefined] If defined, the maximum number of
                        messages to deliver in a single connection. Only
                        useful for LMTP local mailers.
LOCAL_MAILER_CHARSET    [undefined] If defined, messages containing 8-bit data
                        that ARRIVE from an address that resolves to the
                        local mailer and which are converted to MIME will be
                        labeled with this character set.
LOCAL_MAILER_EOL        [undefined] If defined, the string to use as the
                        end of line for the local mailer.
LOCAL_MAILER_DSN_DIAGNOSTIC_CODE
                        [X-Unix] The DSN Diagnostic-Code value for the
                        local mailer. This should be changed with care.
LOCAL_SHELL_PATH        [/bin/sh] The shell used to deliver piped email.
LOCAL_SHELL_FLAGS       [eu9] The flags used by the shell mailer. The
                        flags lsDFM are always included.
LOCAL_SHELL_ARGS        [sh -c $u] The arguments passed to deliver "prog"
                        mail.
LOCAL_SHELL_DIR         [$z:/] The directory search path in which the
                        shell should run.
LOCAL_MAILER_QGRP       [undefined] The queue group for the local mailer.
SMTP_MAILER_FLAGS       [undefined] Flags added to SMTP mailer. Default
                        flags are `mDFMuX' for all SMTP-based mailers; the
                        "esmtp" mailer adds `a'; "smtp8" adds `8'; and
                        "dsmtp" adds `%'.
RELAY_MAILER_FLAGS      [undefined] Flags added to the relay mailer. Default
                        flags are `mDFMuX' for all SMTP-based mailers; the
                        relay mailer adds `a8'. If this is not defined,
                        then SMTP_MAILER_FLAGS is used.
SMTP_MAILER_MAX         [undefined] The maximum size of messages that will
                        be transported using the smtp, smtp8, esmtp, or dsmtp
                        mailers.
SMTP_MAILER_MAXMSGS     [undefined] If defined, the maximum number of
                        messages to deliver in a single connection for the
                        smtp, smtp8, esmtp, or dsmtp mailers.
SMTP_MAILER_MAXRCPTS    [undefined] If defined, the maximum number of
                        recipients to deliver in a single connection for the
                        smtp, smtp8, esmtp, or dsmtp mailers.
SMTP_MAILER_ARGS        [TCP $h] The arguments passed to the smtp mailer.
                        About the only reason you would want to change this
                        would be to change the default port.
ESMTP_MAILER_ARGS       [TCP $h] The arguments passed to the esmtp mailer.
SMTP8_MAILER_ARGS       [TCP $h] The arguments passed to the smtp8 mailer.
DSMTP_MAILER_ARGS       [TCP $h] The arguments passed to the dsmtp mailer.
RELAY_MAILER_ARGS       [TCP $h] The arguments passed to the relay mailer.
SMTP_MAILER_QGRP        [undefined] The queue group for the smtp mailer.
ESMTP_MAILER_QGRP       [undefined] The queue group for the esmtp mailer.
SMTP8_MAILER_QGRP       [undefined] The queue group for the smtp8 mailer.
DSMTP_MAILER_QGRP       [undefined] The queue group for the dsmtp mailer.
RELAY_MAILER_QGRP       [undefined] The queue group for the relay mailer.
RELAY_MAILER_MAXMSGS    [undefined] If defined, the maximum number of
                        messages to deliver in a single connection for the
                        relay mailer.
SMTP_MAILER_CHARSET     [undefined] If defined, messages containing 8-bit data
                        that ARRIVE from an address that resolves to one of
                        the SMTP mailers and which are converted to MIME will
                        be labeled with this character set.
SMTP_MAILER_LL          [990] The maximum line length for SMTP mailers
                        (except the relay mailer).
RELAY_MAILER_LL         [2040] The maximum line length for the relay mailer.
UUCP_MAILER_PATH        [/usr/bin/uux] The program used to send UUCP mail.
UUCP_MAILER_FLAGS       [undefined] Flags added to UUCP mailer. Default
                        flags are `DFMhuU' (and `m' for uucp-new mailer,
                        minus `U' for uucp-dom mailer).
UUCP_MAILER_ARGS        [uux - -r -z -a$g -gC $h!rmail ($u)] The arguments
                        passed to the UUCP mailer.
UUCP_MAILER_MAX         [100000] The maximum size message accepted for
                        transmission by the UUCP mailers.
UUCP_MAILER_CHARSET     [undefined] If defined, messages containing 8-bit data
                        that ARRIVE from an address that resolves to one of
                        the UUCP mailers and which are converted to MIME will
                        be labeled with this character set.
UUCP_MAILER_QGRP        [undefined] The queue group for the UUCP mailers.
PROCMAIL_MAILER_PATH    [/usr/local/bin/procmail] The path to the procmail
                        program.
                        This is also used by
                        FEATURE(`local_procmail').
PROCMAIL_MAILER_FLAGS   [SPhnu9] Flags added to Procmail mailer. Flags
                        DFM are always set. This is NOT used by
                        FEATURE(`local_procmail'); tweak LOCAL_MAILER_FLAGS
                        instead.
PROCMAIL_MAILER_ARGS    [procmail -Y -m $h $f $u] The arguments passed to
                        the Procmail mailer. This is NOT used by
                        FEATURE(`local_procmail'); tweak LOCAL_MAILER_ARGS
                        instead.
PROCMAIL_MAILER_MAX     [undefined] If set, the maximum size message that
                        will be accepted by the procmail mailer.
PROCMAIL_MAILER_QGRP    [undefined] The queue group for the procmail mailer.
confEBINDIR             [/usr/libexec] The directory for executables.
                        Currently used for FEATURE(`local_lmtp') and
                        FEATURE(`smrsh').
LOCAL_PROG_QGRP         [undefined] The queue group for the prog mailer.

Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS:
MODIFY_MAILER_FLAGS(`Name', `change') where Name is the first part
of the macro Name_MAILER_FLAGS (note: that means Name is entirely in
upper case) and change can be: flags that should be used directly
(thus overriding the default value), or if it starts with `+' (`-')
then those flags are added to (removed from) the default value.
Example:

        MODIFY_MAILER_FLAGS(`LOCAL', `+e')

will add the flag `e' to LOCAL_MAILER_FLAGS. Notice: there are
several smtp mailers all of which are manipulated individually.
See the section MAILERS for the available mailer names.
WARNING: The FEATUREs local_lmtp and local_procmail set LOCAL_MAILER_FLAGS
unconditionally, i.e., without respecting any definitions in an
OSTYPE setting.


+---------+
| DOMAINS |
+---------+

You will probably want to collect domain-dependent defines into one
file, referenced by the DOMAIN macro. For example, the Berkeley
domain file includes definitions for several internal distinguished
hosts:

UUCP_RELAY      The host that will accept UUCP-addressed email.
                If not defined, all UUCP sites must be directly
                connected.
BITNET_RELAY    The host that will accept BITNET-addressed email.
                If not defined, the .BITNET pseudo-domain won't work.
DECNET_RELAY    The host that will accept DECNET-addressed email.
                If not defined, the .DECNET pseudo-domain and addresses
                of the form node::user will not work.
FAX_RELAY       The host that will accept mail to the .FAX pseudo-domain.
                The "fax" mailer overrides this value.
LOCAL_RELAY     The site that will handle unqualified names -- that
                is, names without an @domain extension.
                Normally MAIL_HUB is preferred for this function.
                LOCAL_RELAY is mostly useful in conjunction with
                FEATURE(`stickyhost') -- see the discussion of
                stickyhost below. If not set, they are assumed to
                belong on this machine. This allows you to have a
                central site to store a company- or department-wide
                alias database. This only works at small sites,
                and only with some user agents.
LUSER_RELAY     The site that will handle lusers -- that is, apparently
                local names that aren't local accounts or aliases. To
                specify a local user instead of a site, set this to
                ``local:username''.

Any of these can be either ``mailer:hostname'' (in which case the
mailer is the internal mailer name, such as ``uucp-new'' and the hostname
is the name of the host as appropriate for that mailer) or just a
``hostname'', in which case a default mailer type (usually ``relay'',
a variant on SMTP) is used. WARNING: if you have a wildcard MX
record matching your domain, you probably want to define these to
have a trailing dot so that you won't get the mail diverted back
to yourself.

The domain file can also be used to define a domain name, if needed
(using "DD<domain>") and set certain site-wide features. If all hosts
at your site masquerade behind one email name, you could also use
MASQUERADE_AS here.

You do not have to define a domain -- in particular, if you are a
single machine sitting off somewhere, it is probably more work than
it's worth. This is just a mechanism for combining "domain dependent
knowledge" into one place.


+---------+
| MAILERS |
+---------+

There are fewer mailers supported in this version than the previous
version, owing mostly to a simpler world. As a general rule, put the
MAILER definitions last in your .mc file.

local           The local and prog mailers. You will almost always
                need these; the only exception is if you relay ALL
                your mail to another site. This mailer is included
                automatically.

smtp            The Simple Mail Transport Protocol mailer. This does
                not hide hosts behind a gateway or any other
                such hack; it assumes a world where everyone is
                running the name server.
                This file actually defines five mailers:
                "smtp" for regular (old-style) SMTP to
                other servers, "esmtp" for extended SMTP to other
                servers, "smtp8" to do SMTP to other servers without
                converting 8-bit data to MIME (essentially, this is
                your statement that you know the other end is 8-bit
                clean even if it doesn't say so), "dsmtp" to do on
                demand delivery, and "relay" for transmission to the
                RELAY_HOST, LUSER_RELAY, or MAIL_HUB.

uucp            The UNIX-to-UNIX Copy Program mailer. Actually, this
                defines two mailers, "uucp-old" (a.k.a. "uucp") and
                "uucp-new" (a.k.a. "suucp"). The latter is for when you
                know that the UUCP mailer at the other end can handle
                multiple recipients in one transfer. If the smtp mailer
                is included in your configuration, two other mailers
                ("uucp-dom" and "uucp-uudom") are also defined [warning: you
                MUST specify MAILER(`smtp') before MAILER(`uucp')]. When you
                include the uucp mailer, sendmail looks for all names in
                class {U} and sends them to the uucp-old mailer; all
                names in class {Y} are sent to uucp-new; and all
                names in class {Z} are sent to uucp-uudom. Note that
                this is a function of what version of rmail runs on
                the receiving end, and hence may be out of your control.
                See the section below describing UUCP mailers in more
                detail.

procmail        An interface to procmail (does not come with sendmail).
                This is designed to be used in mailertables. For example,
                a common question is "how do I forward all mail for a given
                domain to a single person?". If you have this mailer
                defined, you could set up a mailertable reading:

                        host.com        procmail:/etc/procmailrcs/host.com

                with the file /etc/procmailrcs/host.com reading:

                        :0      # forward mail for host.com
                        ! -oi -f $1 person@other.host

                This would arrange for (anything)@host.com to be sent
                to person@other.host. In a procmail script, $1 is the
                name of the sender and $2 is the name of the recipient.
                If you use this with FEATURE(`local_procmail'), the FEATURE
                should be listed first.

                Of course there are other ways to solve this particular
                problem, e.g., a catch-all entry in a virtusertable.

The local mailer accepts addresses of the form "user+detail", where
the "+detail" is not used for mailbox matching but is available
to certain local mail programs (in particular, see
FEATURE(`local_procmail')).
For example, "eric", "eric+sendmail", and
"eric+sww" all indicate the same user, but additional arguments <null>,
"sendmail", and "sww" may be provided for use in sorting mail.


+----------+
| FEATURES |
+----------+

Special features can be requested using the "FEATURE" macro. For
example, the .mc line:

        FEATURE(`use_cw_file')

tells sendmail that you want to have it read an /etc/mail/local-host-names
file to get values for class {w}. A FEATURE may contain up to 9
optional parameters -- for example:

        FEATURE(`mailertable', `dbm /usr/lib/mailertable')

The default database map type for the table features can be set with

        define(`DATABASE_MAP_TYPE', `dbm')

which would set it to use ndbm databases. The default is the Berkeley DB
hash database format. Note that you must still declare a database map type
if you specify an argument to a FEATURE. DATABASE_MAP_TYPE is only used
if no argument is given for the FEATURE. It must be specified before any
feature that uses a map.

Also, features which can take a map definition as an argument can also take
the special keyword `LDAP'.
If that keyword is used, the map will use the
LDAP definition described in the ``USING LDAP FOR ALIASES, MAPS, AND
CLASSES'' section below.

Available features are:

use_cw_file     Read the /etc/mail/local-host-names file to get
                alternate names for this host. This might be used if you
                were on a host that MXed for a dynamic set of other hosts.
                If the set is static, just including the line "Cw<name1>
                <name2> ..." (where the names are fully qualified domain
                names) is probably superior. The actual filename can be
                overridden by redefining confCW_FILE.

use_ct_file     Read the /etc/mail/trusted-users file to get the
                names of users that will be ``trusted'', that is, able to
                set their envelope from address using -f without generating
                a warning message. The actual filename can be overridden
                by redefining confCT_FILE.

redirect        Reject all mail addressed to "address.REDIRECT" with
                a ``551 User has moved; please try <address>'' message.
                If this is set, you can alias people who have left
                to their new address with ".REDIRECT" appended.

nouucp          Don't route UUCP addresses. This feature takes one
                parameter:
                `reject': reject addresses which have "!" in the local
                        part unless they originate from a system
                        that is allowed to relay.
                `nospecial': don't do anything special with "!".
                Warnings: 1. See the notice in the anti-spam section.
                2. don't remove "!" from OperatorChars if `reject' is
                given as parameter.

nocanonify      Don't pass addresses to $[ ... $] for canonification
                by default, i.e., host/domain names are considered canonical,
                except for unqualified names, which must not be used in this
                mode (violation of the standard). It can be changed by
                setting the DaemonPortOptions modifiers (M=). That is,
                FEATURE(`nocanonify') will be overridden by setting the
                'c' flag. Conversely, if FEATURE(`nocanonify') is not used,
                it can be emulated by setting the 'C' flag
                (DaemonPortOptions=Modifiers=C). This would generally only
                be used by sites that only act as mail gateways or which have
                user agents that do full canonification themselves. You may
                also want to use
                "define(`confBIND_OPTS', `-DNSRCH -DEFNAMES')" to turn off
                the usual resolver options that do a similar thing.

                An exception list for FEATURE(`nocanonify') can be
                specified with CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE,
                i.e., a list of domains which are nevertheless passed to
                $[ ... $] for canonification.
                This is useful to turn on
                canonification for local domains, e.g., use
                CANONIFY_DOMAIN(`my.domain my') to canonify addresses
                which end in "my.domain" or "my".
                Another way to require canonification in the local
                domain is CANONIFY_DOMAIN(`$=m').

                A trailing dot is added to addresses with more than
                one component such that other features which
                expect a trailing dot (e.g., virtusertable) will
                still work.

                If `canonify_hosts' is specified as parameter, i.e.,
                FEATURE(`nocanonify', `canonify_hosts'), then
                addresses which have only a hostname, e.g.,
                <user@host>, will be canonified (and hopefully fully
                qualified), too.

stickyhost      This feature is sometimes used with LOCAL_RELAY,
                although it can be used for a different effect with
                MAIL_HUB.

                When used without MAIL_HUB, email sent to
                "user@local.host" is marked as "sticky" -- that
                is, the local addresses aren't matched against UDB,
                don't go through ruleset 5, and are not forwarded to
                the LOCAL_RELAY (if defined).

                With MAIL_HUB, mail addressed to "user@local.host"
                is forwarded to the mail hub, with the envelope
                address still remaining "user@local.host".
                Without stickyhost, the envelope would be changed
                to "user@mail_hub", in order to protect against
                mailing loops.

mailertable     Include a "mailer table" which can be used to override
                routing for particular domains (which are not in class {w},
                i.e. local host names). The argument of the FEATURE may be
                the key definition. If none is specified, the definition
                used is:

                        hash /etc/mail/mailertable

                Keys in this database are fully qualified domain names
                or partial domains preceded by a dot -- for example,
                "vangogh.CS.Berkeley.EDU" or ".CS.Berkeley.EDU". As a
                special case of the latter, "." matches any domain not
                covered by other keys. Values must be of the form:
                        mailer:domain
                where "mailer" is the internal mailer name, and "domain"
                is where to send the message. These maps are not
                reflected into the message header.
                As a special case, the forms:
                        local:user
                will forward to the indicated user using the local mailer,
                        local:
                will forward to the original user in the e-mail address
                using the local mailer, and
                        error:code message
                        error:D.S.N:code message
                will give an error message with the indicated SMTP reply
                code and message, where D.S.N is an RFC 1893 compliant
                error code.

domaintable     Include a "domain table" which can be used to provide
                domain name mapping. Use of this should really be
                limited to your own domains. It may be useful if you
                change names (e.g., your company changes names from
                oldname.com to newname.com). The argument of the
                FEATURE may be the key definition. If none is specified,
                the definition used is:

                        hash /etc/mail/domaintable

                The key in this table is the domain name; the value is
                the new (fully qualified) domain. Anything in the
                domaintable is reflected into headers; that is, this
                is done in ruleset 3.

bitdomain       Look up bitnet hosts in a table to try to turn them into
                internet addresses. The table can be built using the
                bitdomain program contributed by John Gardiner Myers.
                The argument of the FEATURE may be the key definition; if
                none is specified, the definition used is:

                        hash /etc/mail/bitdomain

                Keys are the bitnet hostname; values are the corresponding
                internet hostname.

uucpdomain      Similar feature for UUCP hosts. The default map definition
                is:

                        hash /etc/mail/uudomain

                At the moment there is no automagic tool to build this
                database.

always_add_domain
                Include the local host domain even on locally delivered
                mail. Normally it is not added on unqualified names.
                However, if you use a shared message store but do not use
                the same user name space everywhere, you may need the host
                name on local names. An optional argument specifies
                a domain to be added instead of the local one.

allmasquerade   If masquerading is enabled (using MASQUERADE_AS), this
                feature will cause recipient addresses to also masquerade
                as being from the masquerade host. Normally they get
                the local hostname. Although this may be right for
                ordinary users, it can break local aliases.
                For example,
                if you send to "localalias", the originating sendmail will
                find that alias and send to all members, but send the
                message with "To: localalias@masqueradehost". Since that
                alias likely does not exist, replies will fail. Use this
                feature ONLY if you can guarantee that the ENTIRE
                namespace on your masquerade host supersets all the
                local entries.

limited_masquerade
                Normally, any hosts listed in class {w} are masqueraded. If
                this feature is given, only the hosts listed in class {M} (see
                below: MASQUERADE_DOMAIN) are masqueraded. This is useful
                if you have several domains with disjoint namespaces hosted
                on the same machine.

masquerade_entire_domain
                If masquerading is enabled (using MASQUERADE_AS) and
                MASQUERADE_DOMAIN (see below) is set, this feature will
                cause addresses to be rewritten such that the masquerading
                domains are actually entire domains to be hidden. All
                hosts within the masquerading domains will be rewritten
                to the masquerade name (used in MASQUERADE_AS).
                For example, if you have:

                        MASQUERADE_AS(`masq.com')
                        MASQUERADE_DOMAIN(`foo.org')
                        MASQUERADE_DOMAIN(`bar.com')

                then *foo.org and *bar.com are converted to masq.com. Without
                this feature, only foo.org and bar.com are masqueraded.

                NOTE: only domains within your jurisdiction and
                current hierarchy should be masqueraded using this.

local_no_masquerade
                This feature prevents the local mailer from masquerading even
                if MASQUERADE_AS is used. MASQUERADE_AS will only have effect
                on addresses of mail going outside the local domain.

masquerade_envelope
                If masquerading is enabled (using MASQUERADE_AS) or the
                genericstable is in use, this feature will cause envelope
                addresses to also masquerade as being from the masquerade
                host. Normally only the header addresses are masqueraded.

genericstable   This feature will cause unqualified addresses (i.e., without
                a domain) and addresses with a domain listed in class {G}
                to be looked up in a map and turned into another ("generic")
                form, which can change both the domain name and the user name.
                Notice: if you use an MSP (as is the default starting with
                8.12), the MTA will only receive qualified addresses from the
                MSP (as required by the RFCs). Hence you need to add your
                domain to class {G}. This feature is similar to the userdb
                functionality. The same types of addresses as for
                masquerading are looked up, i.e., only header sender
                addresses unless the allmasquerade and/or masquerade_envelope
                features are given. Qualified addresses must have the domain
                part in class {G}; entries can be added to this class by the
                macros GENERICS_DOMAIN or GENERICS_DOMAIN_FILE (analogously
                to MASQUERADE_DOMAIN and MASQUERADE_DOMAIN_FILE, see below).

                The argument of FEATURE(`genericstable') may be the map
                definition; the default map definition is:

                        hash /etc/mail/genericstable

                The key for this table is either the full address, the domain
                (with a leading @; the localpart is passed as first argument)
                or the unqualified username (tried in the order mentioned);
                the value is the new user address. If the new user address
                does not include a domain, it will be qualified in the standard
                manner, i.e., using $j or the masquerade name. Note that the
                address being looked up must be fully qualified.
                For local
                mail, it is necessary to use FEATURE(`always_add_domain')
                for the addresses to be qualified.
                The "+detail" of an address is passed as %1, so entries like

                        old+*@foo.org   new+%1@example.com
                        gen+*@foo.org   %1@example.com

                and other forms are possible.

generics_entire_domain
                If the genericstable is enabled and GENERICS_DOMAIN or
                GENERICS_DOMAIN_FILE is used, this feature will cause
                addresses to be searched in the map if their domain
                parts are subdomains of elements in class {G}.

virtusertable   A domain-specific form of aliasing, allowing multiple
                virtual domains to be hosted on one machine.
                For example,
                if the virtuser table contains:

                        info@foo.com    foo-info
                        info@bar.com    bar-info
                        joe@bar.com     error:nouser 550 No such user here
                        jax@bar.com     error:5.7.0:550 Address invalid
                        @baz.org        jane@example.net

                then mail addressed to info@foo.com will be sent to the
                address foo-info, mail addressed to info@bar.com will be
                delivered to bar-info, and mail addressed to anyone at baz.org
                will be sent to jane@example.net; mail to joe@bar.com will
                be rejected with the specified error message, and mail to
                jax@bar.com will also have an RFC 1893 compliant error code
                5.7.0.

                The username from the original address is passed
                as %1 allowing:

                        @foo.org        %1@example.com

                meaning someone@foo.org will be sent to someone@example.com.
                Additionally, if the local part consists of "user+detail"
                then "detail" is passed as %2 and "+detail" is passed as %3
                when a match against user+* is attempted, so entries like

                        old+*@foo.org   new+%2@example.com
                        gen+*@foo.org   %2@example.com
                        +*@foo.org      %1%3@example.com
                        X++@foo.org     Z%3@example.com
                        @bar.org        %1%3

                and other forms are possible. Note: to preserve "+detail"
                for a default case (@domain) %1%3 must be used as RHS.
                There are two wildcards after "+": "+" matches only a non-empty
                detail, "*" matches also empty details, e.g., user+@foo.org
                matches +*@foo.org but not ++@foo.org. This can be used
                to ensure that the parameters %2 and %3 are not empty.

                All the host names on the left hand side (foo.com, bar.com,
                and baz.org) must be in class {w} or class {VirtHost}. The
                latter can be defined by the macros VIRTUSER_DOMAIN or
                VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and
                MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or
                VIRTUSER_DOMAIN_FILE is used, then the entries of class
                {VirtHost} are added to class {R}, i.e., relaying is allowed
                to (and from) those domains.
                The default map definition is:

                        hash /etc/mail/virtusertable

                A new definition can be specified as the second argument of
                the FEATURE macro, such as

                        FEATURE(`virtusertable', `dbm /etc/mail/virtusers')

virtuser_entire_domain
                If the virtusertable is enabled and VIRTUSER_DOMAIN or
                VIRTUSER_DOMAIN_FILE is used, this feature will cause
                addresses to be searched in the map if their domain
                parts are subdomains of elements in class {VirtHost}.

ldap_routing    Implement LDAP-based e-mail recipient routing according to
                the Internet Draft draft-lachman-laser-ldap-mail-routing-01.
                This provides a method to re-route addresses with a
                domain portion in class {LDAPRoute} to either a
                different mail host or a different address. Hosts can
                be added to this class using LDAPROUTE_DOMAIN and
                LDAPROUTE_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and
                MASQUERADE_DOMAIN_FILE, see below).

                See the LDAP ROUTING section below for more information.

nullclient      This is a special case -- it creates a configuration file
                containing nothing but support for forwarding all mail to a
                central hub via a local SMTP-based network.
                The argument
                is the name of that hub.

                The only other feature that should be used in conjunction
                with this one is FEATURE(`nocanonify'). No mailers
                should be defined. No aliasing or forwarding is done.

local_lmtp      Use an LMTP capable local mailer. The argument to this
                feature is the pathname of an LMTP capable mailer. By
                default, mail.local is used. This is expected to be the
                mail.local which came with the 8.9 distribution which is
                LMTP capable. The path to mail.local is set by the
                confEBINDIR m4 variable -- making the default
                LOCAL_MAILER_PATH /usr/libexec/mail.local.
                If a different LMTP capable mailer is used, its pathname
                can be specified as second parameter and the arguments
                passed to it (A=) as third parameter, e.g.,

                        FEATURE(`local_lmtp', `/usr/local/bin/lmtp', `lmtp')

                WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally,
                i.e., without respecting any definitions in an OSTYPE setting.

local_procmail  Use procmail or another delivery agent as the local mailer.
                The argument to this feature is the pathname of the
                delivery agent, which defaults to PROCMAIL_MAILER_PATH.
                Note that this does NOT use PROCMAIL_MAILER_FLAGS or
                PROCMAIL_MAILER_ARGS for the local mailer; tweak
                LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS instead, or
                specify the appropriate parameters. When procmail is used,
                the local mailer can make use of the
                "user+indicator@local.host" syntax; normally the +indicator
                is just tossed, but by default it is passed as the -a
                argument to procmail.

                This feature can take up to three arguments:

                1. Path to the mailer program
                   [default: /usr/local/bin/procmail]
                2. Argument vector including name of the program
                   [default: procmail -Y -a $h -d $u]
                3. Flags for the mailer [default: SPfhn9]

                Empty arguments cause the defaults to be taken.
                Note that if you are on a system with a broken
                setreuid() call, you may need to add -f $f to the procmail
                argument vector to pass the proper sender to procmail.

                For example, this allows it to use the maildrop
                (http://www.flounder.net/~mrsam/maildrop/) mailer instead
                by specifying:

                FEATURE(`local_procmail', `/usr/local/bin/maildrop',
                 `maildrop -d $u')

                or scanmails using:

                FEATURE(`local_procmail', `/usr/local/bin/scanmails')

                WARNING: This feature sets LOCAL_MAILER_FLAGS unconditionally,
                i.e., without respecting any definitions in an OSTYPE setting.

bestmx_is_local Accept mail as though locally addressed for any host that
                lists us as the best possible MX record. This generates
                additional DNS traffic, but should be OK for low to
                medium traffic hosts. The argument may be a set of
                domains, which will limit the feature to only apply to
                these domains -- this will reduce unnecessary DNS
                traffic. THIS FEATURE IS FUNDAMENTALLY INCOMPATIBLE WITH
                WILDCARD MX RECORDS!!! If you have a wildcard MX record
                that matches your domain, you cannot use this feature.

smrsh           Use the SendMail Restricted SHell (smrsh) provided
                with the distribution instead of /bin/sh for mailing
                to programs.
                This improves the ability of the local
                system administrator to control what gets run via
                e-mail. If an argument is provided it is used as the
                pathname to smrsh; otherwise, the path defined by
                confEBINDIR is used for the smrsh binary -- by default,
                /usr/libexec/smrsh is assumed.

promiscuous_relay
                By default, the sendmail configuration files do not permit
                mail relaying (that is, accepting mail from outside your
                local host (class {w}) and sending it to another host than
                your local host). This option sets your site to allow
                mail relaying from any site to any site. In almost all
                cases, it is better to control relaying more carefully
                with the access map, class {R}, or authentication. Domains
                can be added to class {R} by the macros RELAY_DOMAIN or
                RELAY_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and
                MASQUERADE_DOMAIN_FILE, see below).

relay_entire_domain
                This option allows any host in your domain as defined by
                class {m} to use your server for relaying. Notice: make
                sure that your domain is not just a top level domain,
                e.g., com. This can happen if you give your host a name
                like example.com instead of host.example.com.

relay_hosts_only
                By default, names that are listed as RELAY in the access
                db and class {R} are treated as domain names, not host names.
                For example, if you specify ``foo.com'', then mail to or
                from foo.com, abc.foo.com, or a.very.deep.domain.foo.com
                will all be accepted for relaying. This feature changes
                the behaviour to lookup individual host names only.

relay_based_on_MX
                Turns on the ability to allow relaying based on the MX
                records of the host portion of an incoming recipient; that
                is, if an MX record for host foo.com points to your site,
                you will accept and relay mail addressed to foo.com. See
                description below for more information before using this
                feature. Also, see the KNOWNBUGS entry regarding bestmx
                map lookups.

                FEATURE(`relay_based_on_MX') does not necessarily allow
                routing of these messages which you expect to be allowed,
                if route address syntax (or %-hack syntax) is used. If
                this is a problem, add entries to the access-table or use
                FEATURE(`loose_relay_check').

relay_mail_from
                Allows relaying if the mail sender is listed as RELAY in
                the access map.
                If an optional argument `domain' (this
                is the literal word `domain', not a placeholder) is given,
                relaying can be allowed just based on the domain portion
                of the sender address. This feature should only be used if
                absolutely necessary as the sender address can be easily
                forged. Use of this feature requires the "From:" tag to
                be used for the key in the access map; see the discussion
                of tags and FEATURE(`relay_mail_from') in the section on
                anti-spam configuration control.

relay_local_from
                Allows relaying if the domain portion of the mail sender
                is a local host. This should only be used if absolutely
                necessary as it opens a window for spammers. Specifically,
                they can send mail to your mail server that claims to be
                from your domain (either directly or via a routed address),
                and you will go ahead and relay it out to arbitrary hosts
                on the Internet.

accept_unqualified_senders
                Normally, MAIL FROM: commands in the SMTP session will be
                refused if the connection is a network connection and the
                sender address does not include a domain name. If your
                setup sends local mail unqualified (i.e., MAIL FROM:<joe>),
                you will need to use this feature to accept unqualified
                sender addresses.
                Setting the DaemonPortOptions modifier
                'u' overrides the default behavior, i.e., unqualified
                addresses are accepted even without this FEATURE.
                If this FEATURE is not used, the DaemonPortOptions modifier
                'f' can be used to enforce fully qualified addresses.

accept_unresolvable_domains
                Normally, MAIL FROM: commands in the SMTP session will be
                refused if the host part of the argument to MAIL FROM:
                cannot be located in the host name service (e.g., an A or
                MX record in DNS). If you are inside a firewall that has
                only a limited view of the Internet host name space, this
                could cause problems. In this case you probably want to
                use this feature to accept all domains on input, even if
                they are unresolvable.

access_db       Turns on the access database feature. The access db gives
                you the ability to allow or refuse to accept mail from
                specified domains for administrative reasons. Moreover,
                it can control the behavior of sendmail in various situations.
                By default, the access database specification is:

                        hash -T<TMPF> /etc/mail/access

                See the anti-spam configuration control section for further
                important information about this feature.
                Notice: "-T<TMPF>" is meant literally; do not replace it
                by anything.

blacklist_recipients
                Turns on the ability to block incoming mail for certain
                recipient usernames, hostnames, or addresses. For
                example, you can block incoming mail to user nobody,
                host foo.mydomain.com, or guest@bar.mydomain.com.
                These specifications are put in the access db as
                described in the anti-spam configuration control section
                later in this document.

delay_checks    The rulesets check_mail and check_relay will not be called
                when a client connects or issues a MAIL command, respectively.
                Instead, those rulesets will be called by the check_rcpt
                ruleset; they will be skipped under certain circumstances.
                See "Delay all checks" in the anti-spam configuration control
                section. Note: this feature is incompatible with the versions
                in 8.10 and 8.11.

use_client_ptr  If this feature is enabled then check_relay will override
                its first argument with $&{client_ptr}. This is useful for
                rejections based on the unverified hostname of client,
                which turns on the same behavior as in earlier sendmail
                versions when delay_checks was not in use. See doc/op/op.*
                about check_relay, {client_name}, and {client_ptr}.

dnsbl           Turns on rejection, discarding, or quarantining of hosts
                found in a DNS based list. The first argument is used as
                the domain in which blocked hosts are listed. A second
                argument can be used to change the default error message,
                or select one of the operations `discard' and `quarantine'.
                Without that second argument, the error message will be

                        Rejected: IP-ADDRESS listed at SERVER

                where IP-ADDRESS and SERVER are replaced by the appropriate
                information. By default, temporary lookup failures are
                ignored. This behavior can be changed by specifying a
                third argument, which must be either `t' or a full error
                message. See the anti-spam configuration control section for
                an example. The dnsbl feature can be included several times
                to query different DNS based rejection lists. See also
                enhdnsbl for an enhanced version.

                Set the DNSBL_MAP mc option to change the default map
                definition from `host'. Set the DNSBL_MAP_OPT mc option
                to add additional options to the map specification used.

                Some DNS based rejection lists cause failures if asked
                for AAAA records.
                If your sendmail version is compiled
                with IPv6 support (NETINET6) and you experience this
                problem, add

                        define(`DNSBL_MAP', `dns -R A')

                before the first use of this feature. Alternatively you
                can use enhdnsbl instead (see below). Moreover, this
                statement can be used to reduce the number of DNS retries,
                e.g.,

                        define(`DNSBL_MAP', `dns -R A -r2')

                See below (EDNSBL_TO) for an explanation.

enhdnsbl        Enhanced version of dnsbl (see above). Further arguments
                (up to 5) can be used to specify specific return values
                from lookups. Temporary lookup failures are ignored unless
                a third argument is given, which must be either `t' or a full
                error message. By default, any successful lookup will
                generate an error. Otherwise the result of the lookup is
                compared with the supplied argument(s), and only if a match
                occurs an error is generated. For example,

                FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2.')

                will reject the e-mail if the lookup returns the value
                ``127.0.0.2.'', or generate a 451 response if the lookup
                temporarily failed.
                The arguments can contain metasymbols
                as they are allowed in the LHS of rules. As the example
                shows, the default values are also used if an empty argument,
                i.e., `', is specified. This feature requires that sendmail
                has been compiled with the flag DNSMAP (see sendmail/README).

                Set the EDNSBL_TO mc option to change the DNS retry count
                from the default value of 5; this can be very useful when
                a DNS server is not responding, which in turn may cause
                clients to time out (an entry stating

                        did not issue MAIL/EXPN/VRFY/ETRN

                will be logged).

ratecontrol     Enable simple ruleset to do connection rate control
                checking. This requires entries in access_db of the form

                        ClientRate:IP.ADD.RE.SS         LIMIT

                The RHS specifies the maximum number of connections
                (an integer number) over the time interval defined
                by ConnectionRateWindowSize, where 0 means unlimited.

                Take the following example:

                        ClientRate:10.1.2.3             4
                        ClientRate:127.0.0.1            0
                        ClientRate:                     10

                10.1.2.3 can only make up to 4 connections, the
                general limit is 10, and 127.0.0.1 can make an unlimited
                number of connections per ConnectionRateWindowSize.

                See also CONNECTION CONTROL.

conncontrol     Enable a simple check of the number of incoming SMTP
                connections. This requires entries in access_db of the
                form

                        ClientConn:IP.ADD.RE.SS         LIMIT

                The RHS specifies the maximum number of open connections
                (an integer number).

                Take the following example:

                        ClientConn:10.1.2.3             4
                        ClientConn:127.0.0.1            0
                        ClientConn:                     10

                10.1.2.3 can only have up to 4 open connections, the
                general limit is 10, and 127.0.0.1 does not have any
                explicit limit.

                See also CONNECTION CONTROL.
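
For the dnsbl and enhdnsbl features described earlier in this list, the following Python model is an added example (not part of the sendmail distribution) of the decision they describe: any listing rejects, enhdnsbl return values narrow that, and `t' turns a temporary failure into a 451. The reversed-octet query name is the usual IPv4 DNSBL convention; the resolver, zone data and function names are constructed for illustration, and metasymbol matching and the `discard'/`quarantine' operations are not modelled.

```python
import ipaddress


class TempFail(Exception):
    """Stands in for a temporary DNS failure (timeout, SERVFAIL)."""


def dnsbl_query_name(client_ip, list_domain):
    """Name queried for an IPv4 client: octets reversed, list domain appended."""
    addr = ipaddress.IPv4Address(client_ip)  # ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{list_domain.strip('.')}."


def make_resolver(zone, failing=()):
    """Offline stand-in for DNS: zone maps query names to A-record values."""
    def resolve(name):
        if name in failing:
            raise TempFail(name)
        return zone.get(name, [])
    return resolve


def check_client(client_ip, list_domain, resolve, match_values=(), tempfail=False):
    """
    Return (action, detail) for a connecting client.

    match_values empty : any answer rejects (dnsbl, and enhdnsbl by default)
    match_values given : only those return values reject (enhdnsbl arguments)
    tempfail=True      : models the third argument `t' (451 on lookup failure)
    """
    name = dnsbl_query_name(client_ip, list_domain)
    try:
        answers = resolve(name)
    except TempFail:
        if tempfail:
            return ("TEMPFAIL", "451")
        return ("ACCEPT", "temporary lookup failure ignored")

    # The page's example value carries a trailing dot ("127.0.0.2."), so
    # compare with trailing dots removed on both sides.
    wanted = {value.rstrip(".") for value in match_values}
    for answer in answers:
        if not wanted or answer.rstrip(".") in wanted:
            return ("REJECT", f"Rejected: {client_ip} listed at {list_domain}")
    if answers:
        return ("ACCEPT", "listed, but return value not selected")
    return ("ACCEPT", "not listed")


# Constructed sample zone for the list domain used in the page's example.
SAMPLE_ZONE = {
    "3.2.1.10.dnsbl.example.com.": ["127.0.0.2"],
    "9.2.1.10.dnsbl.example.com.": ["127.0.0.4"],
}

if __name__ == "__main__":
    resolver = make_resolver(SAMPLE_ZONE, failing={"7.2.1.10.dnsbl.example.com."})
    for ip in ("10.1.2.3", "10.1.2.9", "10.1.2.7", "192.0.2.1"):
        plain = check_client(ip, "dnsbl.example.com", resolver)
        enhanced = check_client(ip, "dnsbl.example.com", resolver,
                                match_values=("127.0.0.2.",), tempfail=True)
        print(ip, plain, enhanced)
```

With the default (temporary failures ignored), an unreachable list silently stops filtering, which is why the `t' argument and the retry settings above matter when a list is part of the policy.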

mtamark         Experimental support for "Marking Mail Transfer Agents in
                Reverse DNS with TXT RRs" (MTAMark), see
                draft-stumpf-dns-mtamark-01. Optional arguments are:

                1. Error message, default:

                        550 Rejected: $&{client_addr} not listed as MTA

                2. Temporary lookup failures are ignored unless a second
                argument is given, which must be either `t' or a full
                error message.

                3. Lookup prefix, default: _perm._smtp._srv. This should
                not be changed unless the draft changes it.

                Example:

                        FEATURE(`mtamark', `', `t')

lookupdotdomain Look up also .domain in the access map. This allows
                matching only subdomains. It does not work well with
                FEATURE(`relay_hosts_only'), because most lookups for
                subdomains are suppressed by the latter feature.

loose_relay_check
                Normally, if % addressing is used for a recipient, e.g.
                user%site@othersite, and othersite is in class {R}, the
                check_rcpt ruleset will strip @othersite and recheck
                user@site for relaying. This feature changes that
                behavior. It should not be needed for most installations.
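
The access-map matching described above for relay_hosts_only, ratecontrol/conncontrol and lookupdotdomain can be modelled as an ordered list of keys tried against the map. This Python sketch is an added example, not sendmail code; it assumes lookups shorten IP addresses and host names one component at a time and that the bare tag (e.g. "ClientRate:") is the default entry. All function names and the entries marked as constructed are illustrative.

```python
def parse_access(text):
    """Parse 'Tag:key  value' lines into {(tag, key): value}; key may be empty."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0].startswith("#"):
            continue
        tag, _, key = fields[0].partition(":")
        table[(tag, key.lower())] = fields[1].strip()
    return table


def ip_keys(ip):
    """10.1.2.3 -> 10.1.2.3, 10.1.2, 10.1, 10 (most specific first)."""
    parts = ip.split(".")
    return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]


def host_keys(host, hosts_only=False, dot_domain=False):
    """
    Keys tried for a host name.
    hosts_only : model of relay_hosts_only (exact name only)
    dot_domain : model of lookupdotdomain (also try .parent before parent)
    """
    labels = host.lower().rstrip(".").split(".")
    keys = [".".join(labels)]
    if hosts_only:
        return keys
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if dot_domain:
            keys.append("." + parent)
        keys.append(parent)
    return keys


def lookup(table, tag, keys):
    """Return the value of the first key present under tag, else None."""
    for key in keys:
        if (tag, key) in table:
            return table[(tag, key)]
    return None


def client_limit(table, tag, ip):
    """Limit for ip under ClientRate/ClientConn; None means no limit applies."""
    value = lookup(table, tag, ip_keys(ip) + [""])  # "" is the bare-tag default
    if value is None or int(value) == 0:            # 0 means unlimited
        return None
    return int(value)


def relay_listed(table, host, hosts_only=False, dot_domain=False):
    """True if the client host name matches a Connect: entry marked RELAY."""
    return lookup(table, "Connect", host_keys(host, hosts_only, dot_domain)) == "RELAY"


# First three entries are the page's ratecontrol example; the rest are constructed.
SAMPLE_ACCESS = """\
ClientRate:10.1.2.3     4
ClientRate:127.0.0.1    0
ClientRate:             10
ClientRate:10.9         2
Connect:foo.com         RELAY
Connect:.bar.example    RELAY
"""

if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for ip in ("10.1.2.3", "127.0.0.1", "10.9.8.7", "192.0.2.7"):
        print(ip, client_limit(table, "ClientRate", ip))
    for host in ("foo.com", "a.very.deep.domain.foo.com", "mx.bar.example", "bar.example"):
        print(host,
              relay_listed(table, host),
              relay_listed(table, host, hosts_only=True),
              relay_listed(table, host, dot_domain=True))
```

The output makes the scope of each entry visible: a plain foo.com entry covers every subdomain unless relay_hosts_only is set, while a .bar.example entry covers subdomains but not bar.example itself.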

preserve_luser_host
                Preserve the name of the recipient host if LUSER_RELAY is
                used. Without this option, the domain part of the
                recipient address will be replaced by the host specified as
                LUSER_RELAY. This feature only works if the hostname is
                passed to the mailer (see mailer triple in op.me). Note
                that in the default configuration the local mailer does not
                receive the hostname, i.e., the mailer triple has an empty
                hostname.

preserve_local_plus_detail
                Preserve the +detail portion of the address when passing
                address to local delivery agent. Disables alias and
                .forward +detail stripping (e.g., given user+detail, only
                that address will be looked up in the alias file; user+* and
                user will not be looked up). Only use if the local
                delivery agent in use supports +detail addressing.

compat_check    Enable ruleset check_compat to look up pairs of addresses
                with the Compat: tag -- Compat:sender<@>recipient -- in the
                access map. Valid values for the RHS include
                        DISCARD silently discard recipient
                        TEMP:   return a temporary error
                        ERROR:  return a permanent error
                In the last two cases, a 4xy/5xy SMTP reply code should
                follow the colon.

no_default_msa  Don't generate the default MSA daemon, i.e.,
                DAEMON_OPTIONS(`Port=587,Name=MSA,M=E')
                To define a MSA daemon with other parameters, use this
                FEATURE and introduce new settings via DAEMON_OPTIONS().

msp             Defines config file for Message Submission Program.
                See cf/submit.mc for how to use it.
                An optional argument can be used to override
                the default of `[localhost]' to use as host to send all
                e-mails to. Note that MX records will be used if the
                specified hostname is not in square brackets (e.g.,
                [hostname]). If `MSA' is specified as second argument then
                port 587 is used to contact the server. Example:

                        FEATURE(`msp', `', `MSA')

                Some more hints about possible changes can be found below
                in the section MESSAGE SUBMISSION PROGRAM.

                Note: Due to many problems, submit.mc uses

                        FEATURE(`msp', `[127.0.0.1]')

                by default.
                If you have a machine with IPv6 only,
                change it to

                        FEATURE(`msp', `[IPv6:::1]')

                If you want to continue using '[localhost]', (the behavior
                up to 8.12.6), use

                        FEATURE(`msp')

queuegroup      A simple example how to select a queue group based
                on the full e-mail address or the domain of the
                recipient. Selection is done via entries in the
                access map using the tag QGRP:, for example:

                        QGRP:example.com        main
                        QGRP:friend@some.org    others
                        QGRP:my.domain          local

                where "main", "others", and "local" are names of
                queue groups. If an argument is specified, it is used
                as default queue group.

                Note: please read the warning in doc/op/op.me about
                queue groups and possible queue manipulations.

greet_pause     Adds the greet_pause ruleset which enables open proxy
                and SMTP slamming protection.
                The feature can take an
                argument specifying the milliseconds to wait:

                        FEATURE(`greet_pause', `5000')  dnl 5 seconds

                If FEATURE(`access_db') is enabled, an access database
                lookup with the GreetPause tag is done using client
                hostname, domain, IP address, or subnet to determine the
                pause time:

                        GreetPause:my.domain    0
                        GreetPause:example.com  5000
                        GreetPause:10.1.2       2000
                        GreetPause:127.0.0.1    0

                When using FEATURE(`access_db'), the optional
                FEATURE(`greet_pause') argument becomes the default if
                nothing is found in the access database. A ruleset called
                Local_greet_pause can be used for local modifications, e.g.,

                        LOCAL_RULESETS
                        SLocal_greet_pause
                        R$*		$: $&{daemon_flags}
                        R$* a $*	$# 0

block_bad_helo  Reject messages from SMTP clients which provide a HELO/EHLO
                argument which is either unqualified, or is one of our own
                names (i.e., the server name instead of the client name).

require_rdns    Reject mail from connecting SMTP clients without proper
                rDNS (reverse DNS), functional gethostbyaddr() resolution.

                The basic policy is to reject message with a 5xx error if
                the IP address fails to resolve. However, if this is a
                temporary failure, a 4xx temporary failure is returned.
                If the look-up succeeds, but returns an apparently forged
                value, this is treated as a temporary failure with a 4xx
                error code.

                EXCEPTIONS:

                Exceptions based on access entries are discussed below.
                Any IP address matched using $=R (the "relay-domains" file)
                is excepted from the rules. Since we have explicitly
                allowed relaying for this host, based on IP address, we
                ignore the rDNS failure.

                The philosophical assumption here is that most users do
                not control their rDNS. They should be able to send mail
                through their ISP, whether or not they have valid rDNS.
                The class $=R, roughly speaking, contains those IP addresses
                and address ranges for which we are the ISP, or are acting
                as if the ISP.

                If `delay_checks' is in effect (recommended), then any
                sender who has authenticated is also excepted from the
                restrictions. This happens because the rules produced by
                this FEATURE() will not be applied to authenticated senders
                (assuming `delay_checks').

                ACCESS MAP ENTRIES:

                Entries such as
                        Connect:1.2.3.4         OK
                        Connect:1.2             RELAY
                will whitelist IP address 1.2.3.4, so that the rDNS
                blocking does not apply to that IP address.

                Entries such as
                        Connect:1.2.3.4         REJECT
                will have the effect of forcing a temporary failure for
                that address to be treated as a permanent failure.

badmx           Reject envelope sender addresses (MAIL) whose domain part
                resolves to a "bad" MX record. By default these are
                MX records which resolve to A records that match the
                regular expression:

                        ^(127\.|10\.|0\.0\.0\.0)

                This default regular expression can be overridden by
                specifying an argument, e.g.,

                        FEATURE(`badmx', `^127\.0\.0\.1')

                Note: this feature requires that the sendmail binary
                has been compiled with the options MAP_REGEX and
                DNSMAP.

+--------------------+
| USING UUCP MAILERS |
+--------------------+

It's hard to get UUCP mailers right because of the extremely ad hoc
nature of UUCP addressing. These config files are really designed
for domain-based addressing, even for UUCP sites.

There are four UUCP mailers available.
The choice of which one to
use is partly a matter of local preferences and what is running at
the other end of your UUCP connection. Unlike good protocols that
define what will go over the wire, UUCP uses the policy that you
should do what is right for the other end; if they change, you have
to change. This makes it hard to do the right thing, and discourages
people from updating their software. In general, if you can avoid
UUCP, please do.

The major choice is whether to go for a domainized scheme or a
non-domainized scheme. This depends entirely on what the other
end will recognize. If at all possible, you should encourage the
other end to go to a domain-based system -- non-domainized addresses
don't work entirely properly.

The four mailers are:

    uucp-old (obsolete name: "uucp")
        This is the oldest, the worst (but the closest to UUCP) way of
        sending messages across UUCP connections. It does bangify
        everything and prepends $U (your UUCP name) to the sender's
        address (which can already be a bang path itself). It can
        only send to one address at a time, so it spends a lot of
        time copying duplicates of messages. Avoid this if at all
        possible.

    uucp-new (obsolete name: "suucp")
        The same as above, except that it assumes that in one rmail
        command you can specify several recipients. It still has a
        lot of other problems.

    uucp-dom
        This UUCP mailer keeps everything as domain addresses.
        Basically, it uses the SMTP mailer rewriting rules. This mailer
        is only included if MAILER(`smtp') is specified before
        MAILER(`uucp').

        Unfortunately, a lot of UUCP mailer transport agents require
        bangified addresses in the envelope, although you can use
        domain-based addresses in the message header. (The envelope
        shows up as the From_ line on UNIX mail.) So....

    uucp-uudom
        This is a cross between uucp-new (for the envelope addresses)
        and uucp-dom (for the header addresses). It bangifies the
        envelope sender (From_ line in messages) without adding the
        local hostname, unless there is no host name on the address
        at all (e.g., "wolf") or the host component is a UUCP host name
        instead of a domain name ("somehost!wolf" instead of
        "some.dom.ain!wolf"). This is also included only if MAILER(`smtp')
        is also specified earlier.

Examples:

On host grasp.insa-lyon.fr (UUCP host name "grasp"), the following
summarizes the sender rewriting for various mailers.

Mailer          sender          rewriting in the envelope
------          ------          -------------------------
uucp-{old,new}  wolf            grasp!wolf
uucp-dom        wolf            wolf@grasp.insa-lyon.fr
uucp-uudom      wolf            grasp.insa-lyon.fr!wolf

uucp-{old,new}  wolf@fr.net     grasp!fr.net!wolf
uucp-dom        wolf@fr.net     wolf@fr.net
uucp-uudom      wolf@fr.net     fr.net!wolf

uucp-{old,new}  somehost!wolf   grasp!somehost!wolf
uucp-dom        somehost!wolf   somehost!wolf@grasp.insa-lyon.fr
uucp-uudom      somehost!wolf   grasp.insa-lyon.fr!somehost!wolf

If you are using one of the domainized UUCP mailers, you really want
to convert all UUCP addresses to domain format -- otherwise, it will
do it for you (and probably not the way you expected). For example,
if you have the address foo!bar!baz (and you are not sending to foo),
the heuristics will add the @uucp.relay.name or @local.host.name to
this address. However, if you map foo to foo.host.name first, it
will not add the local hostname. You can do this using the uucpdomain
feature.


+-------------------+
| TWEAKING RULESETS |
+-------------------+

For more complex configurations, you can define special rules.
The macro LOCAL_RULE_3 introduces rules that are used in canonicalizing
the names. Any modifications made here are reflected in the header.

A common use is to convert old UUCP addresses to SMTP addresses using
the UUCPSMTP macro. For example:

        LOCAL_RULE_3
        UUCPSMTP(`decvax', `decvax.dec.com')
        UUCPSMTP(`research', `research.att.com')

will cause addresses of the form "decvax!user" and "research!user"
to be converted to "user@decvax.dec.com" and "user@research.att.com"
respectively.

This could also be used to look up hosts in a database map:

        LOCAL_RULE_3
        R$* < @ $+ > $*		$: $1 < @ $(hostmap $2 $) > $3

This map would be defined in the LOCAL_CONFIG portion, as shown below.

Similarly, LOCAL_RULE_0 can be used to introduce new parsing rules.
For example, new rules are needed to parse hostnames that you accept
via MX records.
For example, you might have:

        LOCAL_RULE_0
        R$+ <@ host.dom.ain.>	$#uucp $@ cnmat $: $1 < @ host.dom.ain.>

You would use this if you had installed an MX record for cnmat.Berkeley.EDU
pointing at this host; this rule catches the message and forwards it on
using UUCP.

You can also tweak rulesets 1 and 2 using LOCAL_RULE_1 and LOCAL_RULE_2.
These rulesets are normally empty.

A similar macro is LOCAL_CONFIG. This introduces lines added after the
boilerplate option setting but before rulesets. Do not declare rulesets in
the LOCAL_CONFIG section. It can be used to declare local database maps or
whatever. For example:

        LOCAL_CONFIG
        Khostmap hash /etc/mail/hostmap
        Kyplocal nis -m hosts.byname


+---------------------------+
| MASQUERADING AND RELAYING |
+---------------------------+

You can have your host masquerade as another using

        MASQUERADE_AS(`host.domain')

This causes mail being sent to be labeled as coming from the
indicated host.domain, rather than $j.
One normally masquerades as one of one's own subdomains (for example,
it's unlikely that
Berkeley would choose to masquerade as an MIT site). This
behaviour is modified by a plethora of FEATUREs; in particular, see
masquerade_envelope, allmasquerade, limited_masquerade, and
masquerade_entire_domain.

The masquerade name is not normally canonified, so it is important
that it be your One True Name, that is, fully qualified and not a
CNAME. However, if you use a CNAME, the receiving side may canonify
it for you, so don't think you can cheat CNAME mapping this way.

Normally the only addresses that are masqueraded are those that come
from this host (that is, are either unqualified or in class {w}, the list
of local domain names). You can augment this list, which is realized
by class {M} using

        MASQUERADE_DOMAIN(`otherhost.domain')

The effect of this is that although mail to user@otherhost.domain
will not be delivered locally, any mail including any user@otherhost.domain
will, when relayed, be rewritten to have the MASQUERADE_AS address.
This can be a space-separated list of names.

If these names are in a file, you can use

        MASQUERADE_DOMAIN_FILE(`filename')

to read the list of names from the indicated file (i.e., to add
elements to class {M}).

To exempt hosts or subdomains from being masqueraded, you can use

        MASQUERADE_EXCEPTION(`host.domain')

This can come in handy if you want to masquerade a whole domain
except for one (or a few) host(s). If these names are in a file,
you can use

        MASQUERADE_EXCEPTION_FILE(`filename')

Normally only header addresses are masqueraded. If you want to
masquerade the envelope as well, use

        FEATURE(`masquerade_envelope')

There are always users that need to be "exposed" -- that is, their
internal site name should be displayed instead of the masquerade name.
Root is an example (which has been "exposed" by default prior to 8.10).
You can add users to this list using

        EXPOSED_USER(`usernames')

This adds users to class {E}; you could also use

        EXPOSED_USER_FILE(`filename')

You can also arrange to relay all unqualified names (that is, names
without @host) to a relay host. For example, if you have a central
email server, you might relay to that host so that users don't have
to have .forward files or aliases. You can do this using

        define(`LOCAL_RELAY', `mailer:hostname')

The ``mailer:'' can be omitted, in which case the mailer defaults to
"relay". There are some user names that you don't want relayed, perhaps
because of local aliases. A common example is root, which may be
locally aliased. You can add entries to this list using

        LOCAL_USER(`usernames')

This adds users to class {L}; you could also use

        LOCAL_USER_FILE(`filename')

If you want all incoming mail sent to a centralized hub, as for a
shared /var/spool/mail scheme, use

        define(`MAIL_HUB', `mailer:hostname')

If you define both LOCAL_RELAY 16337c478bd9Sstevel@tonic-gateand MAIL_HUB _AND_ you have FEATURE(`stickyhost'), unqualified names will 16347c478bd9Sstevel@tonic-gatebe sent to the LOCAL_RELAY and other local names will be sent to MAIL_HUB. 16357c478bd9Sstevel@tonic-gateNote: there is a (long standing) bug which keeps this combination from 16367c478bd9Sstevel@tonic-gateworking for addresses of the form user+detail. 16377c478bd9Sstevel@tonic-gateNames in class {L} will be delivered locally, so you MUST have aliases or 16387c478bd9Sstevel@tonic-gate.forward files for them. 16397c478bd9Sstevel@tonic-gate 16407c478bd9Sstevel@tonic-gateFor example, if you are on machine mastodon.CS.Berkeley.EDU and you have 16417c478bd9Sstevel@tonic-gateFEATURE(`stickyhost'), the following combinations of settings will have the 16427c478bd9Sstevel@tonic-gateindicated effects: 16437c478bd9Sstevel@tonic-gate 16447c478bd9Sstevel@tonic-gateemail sent to.... eric eric@mastodon.CS.Berkeley.EDU 16457c478bd9Sstevel@tonic-gate 16467c478bd9Sstevel@tonic-gateLOCAL_RELAY set to mail.CS.Berkeley.EDU (delivered locally) 16477c478bd9Sstevel@tonic-gatemail.CS.Berkeley.EDU (no local aliasing) (aliasing done) 16487c478bd9Sstevel@tonic-gate 16497c478bd9Sstevel@tonic-gateMAIL_HUB set to mammoth.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 16507c478bd9Sstevel@tonic-gatemammoth.CS.Berkeley.EDU (aliasing done) (aliasing done) 16517c478bd9Sstevel@tonic-gate 16527c478bd9Sstevel@tonic-gateBoth LOCAL_RELAY and mail.CS.Berkeley.EDU mammoth.CS.Berkeley.EDU 16537c478bd9Sstevel@tonic-gateMAIL_HUB set as above (no local aliasing) (aliasing done) 16547c478bd9Sstevel@tonic-gate 16557c478bd9Sstevel@tonic-gateIf you do not have FEATURE(`stickyhost') set, then LOCAL_RELAY and 16567c478bd9Sstevel@tonic-gateMAIL_HUB act identically, with MAIL_HUB taking precedence. 

If you want all outgoing mail to go to a central relay site, define
SMART_HOST as well. Briefly:

        LOCAL_RELAY applies to unqualified names (e.g., "eric").
        MAIL_HUB applies to names qualified with the name of the
                local host (e.g., "eric@mastodon.CS.Berkeley.EDU").
        SMART_HOST applies to names qualified with other hosts or
                bracketed addresses (e.g., "eric@mastodon.CS.Berkeley.EDU"
                or "eric@[127.0.0.1]").

However, beware that other relays (e.g., UUCP_RELAY, BITNET_RELAY,
DECNET_RELAY, and FAX_RELAY) take precedence over SMART_HOST, so if you
really want absolutely everything to go to a single central site you will
need to unset all the other relays -- or better yet, find or build a
minimal config file that does this.

For duplicate suppression to work properly, the host name is best
specified with a terminal dot:

        define(`MAIL_HUB', `host.domain.')
              note the trailing dot ---^


+-------------------------------------------+
| USING LDAP FOR ALIASES, MAPS, AND CLASSES |
+-------------------------------------------+

LDAP can be used for aliases, maps, and classes by either specifying your
own LDAP map specification or using the built-in default LDAP map
specification. The built-in default specifications all provide lookups
which match against either the machine's fully qualified hostname (${j}) or
a "cluster". The cluster allows you to share LDAP entries among a large
number of machines without having to enter each of the machine names into
each LDAP entry. To set the LDAP cluster name to use for a particular
machine or set of machines, set the confLDAP_CLUSTER m4 variable to a
unique name. For example:

        define(`confLDAP_CLUSTER', `Servers')

Here, the word `Servers' will be the cluster name. As an example, assume
that smtp.sendmail.org, etrn.sendmail.org, and mx.sendmail.org all belong
to the Servers cluster.

Some of the LDAP LDIF examples below show use of the Servers cluster.
Every entry must have either a sendmailMTAHost or sendmailMTACluster
attribute or it will be ignored. Be careful as mixing clusters and
individual host records can have surprising results (see the CAUTION
sections below).

See the file cf/sendmail.schema for the actual LDAP schemas. Note that
this schema (and therefore the lookups and examples below) is experimental
at this point as it has had little public review. Therefore, it may change
in future versions. Feedback via sendmail-YYYY@support.sendmail.org is
encouraged (replace YYYY with the current year, e.g., 2005).

-------
Aliases
-------

The ALIAS_FILE (O AliasFile) option can be set to use LDAP for alias
lookups.
To use the default schema, simply use:

        define(`ALIAS_FILE', `ldap:')

By doing so, you will use the default schema which expands to a map
declared as follows:

        ldap -k (&(objectClass=sendmailMTAAliasObject)
                  (sendmailMTAAliasGrouping=aliases)
                  (|(sendmailMTACluster=${sendmailMTACluster})
                    (sendmailMTAHost=$j))
                  (sendmailMTAKey=%0))
             -v sendmailMTAAliasValue,sendmailMTAAliasSearch:FILTER:sendmailMTAAliasObject,sendmailMTAAliasURL:URL:sendmailMTAAliasObject


NOTE: The macros shown above ${sendmailMTACluster} and $j are not actually
used when the binary expands the `ldap:' token as the AliasFile option is
not actually macro-expanded when read from the sendmail.cf file.

Example LDAP LDIF entries might be:

        dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org
        objectClass: sendmailMTA
        objectClass: sendmailMTAAlias
        objectClass: sendmailMTAAliasObject
        sendmailMTAAliasGrouping: aliases
        sendmailMTAHost: etrn.sendmail.org
        sendmailMTAKey: sendmail-list
        sendmailMTAAliasValue: ca@example.org
        sendmailMTAAliasValue: eric
        sendmailMTAAliasValue: gshapiro@example.com

        dn: sendmailMTAKey=owner-sendmail-list, dc=sendmail, dc=org
        objectClass: sendmailMTA
        objectClass: sendmailMTAAlias
        objectClass: sendmailMTAAliasObject
        sendmailMTAAliasGrouping: aliases
        sendmailMTAHost: etrn.sendmail.org
        sendmailMTAKey: owner-sendmail-list
        sendmailMTAAliasValue: eric

        dn: sendmailMTAKey=postmaster, dc=sendmail, dc=org
        objectClass: sendmailMTA
        objectClass: sendmailMTAAlias
        objectClass: sendmailMTAAliasObject
        sendmailMTAAliasGrouping: aliases
        sendmailMTACluster: Servers
        sendmailMTAKey: postmaster
        sendmailMTAAliasValue: eric

Here, the aliases sendmail-list and
owner-sendmail-list will be available
only on etrn.sendmail.org but the postmaster alias will be available on
every machine in the Servers cluster (including etrn.sendmail.org).

CAUTION: aliases are additive so that entries like these:

        dn: sendmailMTAKey=bob, dc=sendmail, dc=org
        objectClass: sendmailMTA
        objectClass: sendmailMTAAlias
        objectClass: sendmailMTAAliasObject
        sendmailMTAAliasGrouping: aliases
        sendmailMTACluster: Servers
        sendmailMTAKey: bob
        sendmailMTAAliasValue: eric

        dn: sendmailMTAKey=bobetrn, dc=sendmail, dc=org
        objectClass: sendmailMTA
        objectClass: sendmailMTAAlias
        objectClass: sendmailMTAAliasObject
        sendmailMTAAliasGrouping: aliases
        sendmailMTAHost: etrn.sendmail.org
        sendmailMTAKey: bob
        sendmailMTAAliasValue: gshapiro

would mean that on all of the hosts in the cluster, mail to bob would go to
eric EXCEPT on etrn.sendmail.org in which case it would go to BOTH eric and
gshapiro.

If you prefer not to use the default LDAP schema for your aliases, you can
specify the map parameters when setting ALIAS_FILE.
For example:

        define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember')

----
Maps
----

FEATURE()'s which take an optional map definition argument (e.g., access,
mailertable, virtusertable, etc.) can instead take the special keyword
`LDAP', e.g.:

        FEATURE(`access_db', `LDAP')
        FEATURE(`virtusertable', `LDAP')

When this keyword is given, that map will use LDAP lookups consisting of
the objectClass sendmailMTAClassObject, the attribute sendmailMTAMapName
with the map name, a search attribute of sendmailMTAKey, and the value
attribute sendmailMTAMapValue.

The values for sendmailMTAMapName are:

        FEATURE()       sendmailMTAMapName
        ---------       ------------------
        access_db       access
        authinfo        authinfo
        bitdomain       bitdomain
        domaintable     domain
        genericstable   generics
        mailertable     mailer
        uucpdomain      uucpdomain
        virtusertable   virtuser

For example, FEATURE(`mailertable', `LDAP') would use the map definition:

        Kmailertable ldap -k (&(objectClass=sendmailMTAMapObject)
                               (sendmailMTAMapName=mailer)
                               (|(sendmailMTACluster=${sendmailMTACluster})
                                 (sendmailMTAHost=$j))
                               (sendmailMTAKey=%0))
                          -1 -v sendmailMTAMapValue,sendmailMTAMapSearch:FILTER:sendmailMTAMapObject,sendmailMTAMapURL:URL:sendmailMTAMapObject

An example LDAP LDIF entry using this map might be:

        dn: sendmailMTAMapName=mailer, dc=sendmail, dc=org
        objectClass: sendmailMTA
        objectClass: sendmailMTAMap
        sendmailMTACluster: Servers
        sendmailMTAMapName: mailer

        dn: sendmailMTAKey=example.com, sendmailMTAMapName=mailer, dc=sendmail, dc=org
        objectClass: sendmailMTA
        objectClass: sendmailMTAMap
        objectClass: sendmailMTAMapObject
        sendmailMTAMapName: mailer
        sendmailMTACluster: Servers
        sendmailMTAKey: example.com
        sendmailMTAMapValue: relay:[smtp.example.com]

CAUTION: If your LDAP database contains the record above and *ALSO* a host
specific record such as:

        dn: sendmailMTAKey=example.com@etrn, sendmailMTAMapName=mailer, dc=sendmail, dc=org
        objectClass: sendmailMTA
        objectClass: sendmailMTAMap
        objectClass: sendmailMTAMapObject
        sendmailMTAMapName: mailer
        sendmailMTAHost: etrn.sendmail.org
        sendmailMTAKey: example.com
        sendmailMTAMapValue: relay:[mx.example.com]

then these entries will give unexpected results. When the lookup is done
on etrn.sendmail.org, the effect is that there is *NO* match at all as maps
require a single match. Since the host etrn.sendmail.org is also in the
Servers cluster, LDAP would return two answers for the example.com map key
in which case sendmail would treat this as no match at all.

If you prefer not to use the default LDAP schema for your maps, you can
specify the map parameters when using the FEATURE().
For example:

        FEATURE(`access_db', `ldap:-1 -k (&(objectClass=mapDatabase)(key=%0)) -v value')

-------
Classes
-------

Normally, classes can be filled via files or programs. As of 8.12, they
can also be filled via map lookups using a new syntax:

        F{ClassName}mapkey@mapclass:mapspec

mapkey is optional and if not provided the map key will be empty. This can
be used with LDAP to read classes from LDAP. Note that the lookup is only
done when sendmail is initially started. Use the special value `@LDAP' to
use the default LDAP schema. For example:

        RELAY_DOMAIN_FILE(`@LDAP')

would put all of the attribute sendmailMTAClassValue values of LDAP records
with objectClass sendmailMTAClass and an attribute sendmailMTAClassName of
'R' into class $={R}.
In other words, it is equivalent to the LDAP map
specification:

        F{R}@ldap:-k (&(objectClass=sendmailMTAClass)
                       (sendmailMTAClassName=R)
                       (|(sendmailMTACluster=${sendmailMTACluster})
                         (sendmailMTAHost=$j)))
                  -v sendmailMTAClassValue,sendmailMTAClassSearch:FILTER:sendmailMTAClass,sendmailMTAClassURL:URL:sendmailMTAClass

NOTE: The macros shown above ${sendmailMTACluster} and $j are not actually
used when the binary expands the `@LDAP' token as class declarations are
not actually macro-expanded when read from the sendmail.cf file.

This can be used with class related commands such as RELAY_DOMAIN_FILE(),
MASQUERADE_DOMAIN_FILE(), etc:

        Command                         sendmailMTAClassName
        -------                         --------------------
        CANONIFY_DOMAIN_FILE()          Canonify
        EXPOSED_USER_FILE()             E
        GENERICS_DOMAIN_FILE()          G
        LDAPROUTE_DOMAIN_FILE()         LDAPRoute
        LDAPROUTE_EQUIVALENT_FILE()     LDAPRouteEquiv
        LOCAL_USER_FILE()               L
        MASQUERADE_DOMAIN_FILE()        M
        MASQUERADE_EXCEPTION_FILE()     N
        RELAY_DOMAIN_FILE()             R
        VIRTUSER_DOMAIN_FILE()          VirtHost

You can also add your own as any 'F'ile class of the form:

        F{ClassName}@LDAP
          ^^^^^^^^^
will use "ClassName" for the sendmailMTAClassName.

An example LDAP LDIF entry would look like:

        dn: sendmailMTAClassName=R, dc=sendmail, dc=org
        objectClass: sendmailMTA
        objectClass: sendmailMTAClass
        sendmailMTACluster: Servers
        sendmailMTAClassName: R
        sendmailMTAClassValue: sendmail.org
        sendmailMTAClassValue: example.com
        sendmailMTAClassValue: 10.56.23

CAUTION: If your LDAP database contains the record above and *ALSO* a host
specific record such as:

        dn: sendmailMTAClassName=R@etrn.sendmail.org, dc=sendmail, dc=org
        objectClass: sendmailMTA
        objectClass: sendmailMTAClass
        sendmailMTAHost: etrn.sendmail.org
        sendmailMTAClassName: R
        sendmailMTAClassValue: example.com

the result will be similar to the aliases caution above. When the lookup
is done on etrn.sendmail.org, $={R} would contain all of the entries (from
both the cluster match and the host match). In other words, the effect
is additive.

If you prefer not to use the default LDAP schema for your classes, you can
specify the map parameters when using the class command. For example:

        VIRTUSER_DOMAIN_FILE(`@ldap:-k (&(objectClass=virtHosts)(host=*)) -v host')

Remember, macros can not be used in a class declaration as the binary does
not expand them.


+--------------+
| LDAP ROUTING |
+--------------+

FEATURE(`ldap_routing') can be used to implement the IETF Internet Draft
LDAP Schema for Intranet Mail Routing
(draft-lachman-laser-ldap-mail-routing-01). This feature enables
LDAP-based rerouting of a particular address to either a different host
or a different address. The LDAP lookup is first attempted on the full
address (e.g., user@example.com) and then on the domain portion
(e.g., @example.com). Be sure to set up your domain for LDAP routing using
LDAPROUTE_DOMAIN(), e.g.:

        LDAPROUTE_DOMAIN(`example.com')

Additionally, you can specify equivalent domains for LDAP routing using
LDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE(). 'Equivalent'
hostnames are mapped to $M (the masqueraded hostname for the server) before
the LDAP query.
For example, if the mail is addressed to
user@host1.example.com, normally the LDAP lookup would only be done for
'user@host1.example.com' and '@host1.example.com'. However, if
LDAPROUTE_EQUIVALENT(`host1.example.com') is used, the lookups would also be
done on 'user@example.com' and '@example.com' after attempting the
host1.example.com lookups.

By default, the feature will use the schemas as specified in the draft
and will not reject addresses not found by the LDAP lookup. However,
this behavior can be changed by giving additional arguments to the FEATURE()
command:

        FEATURE(`ldap_routing', <mailHost>, <mailRoutingAddress>, <bounce>,
                 <detail>, <nodomain>, <tempfail>)

where <mailHost> is a map definition describing how to lookup an alternative
mail host for a particular address; <mailRoutingAddress> is a map definition
describing how to lookup an alternative address for a particular address;
the <bounce> argument, if present and not the word "passthru", dictates
that mail should be bounced if neither a mailHost nor mailRoutingAddress
is found, if set to "sendertoo", the sender will be rejected if not
found in LDAP; and <detail> indicates what actions to take if the address
contains +detail information -- `strip' tries the lookup with the +detail
and if no matches are found, strips the
+detail and tries the lookup again;
`preserve', does the same as `strip' but if a mailRoutingAddress match is
found, the +detail information is copied to the new address; the <nodomain>
argument, if present, will prevent the @domain lookup if the full
address is not found in LDAP; the <tempfail> argument, if set to
"tempfail", instructs the rules to give an SMTP 4XX temporary
error if the LDAP server gives the MTA a temporary failure, or if set to
"queue" (the default), the MTA will locally queue the mail.

The default <mailHost> map definition is:

        ldap -1 -T<TMPF> -v mailHost -k (&(objectClass=inetLocalMailRecipient)
                                 (mailLocalAddress=%0))

The default <mailRoutingAddress> map definition is:

        ldap -1 -T<TMPF> -v mailRoutingAddress
                         -k (&(objectClass=inetLocalMailRecipient)
                              (mailLocalAddress=%0))

Note that neither includes the LDAP server hostname (-h server) or base DN
(-b o=org,c=COUNTRY), both necessary for LDAP queries. It is presumed that
your .mc file contains a setting for the confLDAP_DEFAULT_SPEC option with
these settings. If this is not the case, the map definitions should be
changed as described above. The "-T<TMPF>" is required in any user
specified map definition to catch temporary errors.

The following possibilities exist as a result of an LDAP lookup on an
address:

        mailHost is     mailRoutingAddress is   Results in
        -----------     ---------------------   ----------
        set to a        set                     mail delivered to
        "local" host                            mailRoutingAddress

        set to a        not set                 delivered to
        "local" host                            original address

        set to a        set                     mailRoutingAddress
        remote host                             relayed to mailHost

        set to a        not set                 original address
        remote host                             relayed to mailHost

        not set         set                     mail delivered to
                                                mailRoutingAddress

        not set         not set                 delivered to
                                                original address *OR*
                                                bounced as unknown user

The term "local" host above means the host specified is in class {w}. If
the result would mean sending the mail to a different host, that host is
looked up in the mailertable before delivery.

Note that the last case depends on whether the third argument is given
to the FEATURE() command. The default is to deliver the message to the
original address.
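
Added example (not part of the sendmail distribution): a simplified Python
model of the lookup order and the result table above, run over a directory
modeled on this section's LDIF records. The dictionary layout, the
LOCAL_HOSTS set standing in for class {w}, and the function names are
assumptions of the example; +detail handling and the mailertable lookup are
not modeled.

```python
"""Simplified model of FEATURE(`ldap_routing') outcomes (added example)."""

# Constructed directory keyed by mailLocalAddress, modeled on the LDIF
# records in this section.  A real deployment queries LDAP instead.
DIRECTORY = {
    "tom@example.com": {"mailRoutingAddress": "thomas@mailhost.example.com"},
    "dick@example.com": {"mailHost": "eng.example.com"},
    "harry@example.com": {"mailHost": "mktmail.example.com",
                          "mailRoutingAddress": "harry@mkt.example.com"},
    "@virtual.example.com": {"mailHost": "server.example.com",
                             "mailRoutingAddress": "virtual@example.com"},
}

# Hypothetical stand-in for class {w}: names this host treats as "local".
LOCAL_HOSTS = {"example.com", "mail.example.com"}


def lookup_keys(addr, equivalents=(), masq=None, nodomain=False):
    """Return the keys tried, in order: full address, then @domain.

    If the domain is an LDAPROUTE_EQUIVALENT() name, the same two lookups
    are repeated for the masquerade name (masq models $M) afterwards.
    nodomain=True models the <nodomain> argument: no @domain lookup.
    """
    user, _, domain = addr.lower().partition("@")
    domains = [domain]
    if masq and domain in equivalents:
        domains.append(masq.lower())
    keys = []
    for dom in domains:
        keys.append(f"{user}@{dom}")
        if not nodomain:
            keys.append(f"@{dom}")
    return keys


def route(addr, directory, local_hosts, *, bounce=False, **lookup_opts):
    """Apply the result table; returns (action, envelope_address, relay_host).

    "deliver" means the address is handed to normal delivery on this host,
    "relay" means it is sent on to relay_host, and "bounce" models the
    <bounce> argument rejecting an address with no LDAP match.
    """
    record = {}
    for key in lookup_keys(addr, **lookup_opts):
        if key in directory:
            record = directory[key]
            break
    host = record.get("mailHost")
    new_addr = record.get("mailRoutingAddress")
    if host is None and new_addr is None:
        # Last row of the table: outcome depends on the <bounce> argument.
        return ("bounce", addr, None) if bounce else ("deliver", addr, None)
    target = new_addr or addr
    if host is None or host.lower() in local_hosts:
        return ("deliver", target, None)
    return ("relay", target, host)


if __name__ == "__main__":
    for rcpt in ("tom@example.com", "dick@example.com", "harry@example.com",
                 "anyone@virtual.example.com", "nobody@example.com"):
        print(rcpt, "->", route(rcpt, DIRECTORY, LOCAL_HOSTS, bounce=True))
```
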

The LDAP entries should be set up with an objectClass of
inetLocalMailRecipient and the address be listed in a mailLocalAddress
attribute. If present, there must be only one mailHost attribute and it
must contain a fully qualified host name as its value. Similarly, if
present, there must be only one mailRoutingAddress attribute and it must
contain an RFC 822 compliant address. Some example LDAP records (in LDIF
format):

        dn: uid=tom, o=example.com, c=US
        objectClass: inetLocalMailRecipient
        mailLocalAddress: tom@example.com
        mailRoutingAddress: thomas@mailhost.example.com

This would deliver mail for tom@example.com to thomas@mailhost.example.com.

        dn: uid=dick, o=example.com, c=US
        objectClass: inetLocalMailRecipient
        mailLocalAddress: dick@example.com
        mailHost: eng.example.com

This would relay mail for dick@example.com to the same address but redirect
the mail to MX records listed for the host eng.example.com (unless the
mailertable overrides).

        dn: uid=harry, o=example.com, c=US
        objectClass: inetLocalMailRecipient
        mailLocalAddress: harry@example.com
        mailHost: mktmail.example.com
        mailRoutingAddress: harry@mkt.example.com

This would relay mail for harry@example.com to the MX records listed for
the host mktmail.example.com using the new address harry@mkt.example.com
when talking to that host.

        dn: uid=virtual.example.com, o=example.com, c=US
        objectClass: inetLocalMailRecipient
        mailLocalAddress: @virtual.example.com
        mailHost: server.example.com
        mailRoutingAddress: virtual@example.com

This would send all mail destined for any username @virtual.example.com to
the machine server.example.com's MX servers and deliver to the address
virtual@example.com on that relay machine.


+---------------------------------+
| ANTI-SPAM CONFIGURATION CONTROL |
+---------------------------------+

The primary anti-spam features available in sendmail are:

* Relaying is denied by default.
* Better checking on sender information.
* Access database.
* Header checks.

Relaying (transmission of messages from a site outside your host (class
{w}) to another site except yours) is denied by default. Note that this
changed in sendmail 8.9; previous versions allowed relaying by default.
If you really want to revert to the old behaviour, you will need to use
FEATURE(`promiscuous_relay'). You can allow certain domains to relay
through your server by adding their domain name or IP address to class
{R} using RELAY_DOMAIN() and RELAY_DOMAIN_FILE() or via the access database
(described below). Note that IPv6 addresses must be prefaced with "IPv6:".
The file consists (like any other file based class) of entries listed on
separate lines, e.g.,

        sendmail.org
        128.32
        IPv6:2002:c0a8:02c7
        IPv6:2002:c0a8:51d2::23f4
        host.mydomain.com
        [UNIX:localhost]

Notice: the last entry allows relaying for connections via a UNIX
socket to the MTA/MSP. This might be necessary if your configuration
doesn't allow relaying by other means in that case, e.g., by having
localhost.$m in class {R} (make sure $m is not just a top level
domain).

If you use

        FEATURE(`relay_entire_domain')

then any host in any of your local domains (that is, class {m})
will be relayed (that is, you will accept mail either to or from any
host in your domain).

You can also allow relaying based on the MX records of the host
portion of an incoming recipient address by using

        FEATURE(`relay_based_on_MX')

For example, if your server receives a recipient of user@domain.com
and domain.com lists your server in its MX records, the mail will be
accepted for relay to domain.com. This feature may cause problems
if MX lookups for the recipient domain are slow or time out. In that
case, mail will be temporarily rejected. It is usually better to
maintain a list of hosts/domains for which the server acts as relay.
Note also that this feature will stop spammers from using your host
to relay spam but it will not stop outsiders from using your server
as a relay for their site (that is, they set up an MX record pointing
to your mail server, and you will relay mail addressed to them
without any prior arrangement).
Along the same lines,

        FEATURE(`relay_local_from')

will allow relaying if the sender specifies a return path (i.e.
MAIL FROM:<user@domain>) domain which is a local domain. This is a
dangerous feature as it will allow spammers to spam using your mail
server by simply specifying a return address of user@your.domain.com.
It should not be used unless absolutely necessary.
A slightly better solution is

        FEATURE(`relay_mail_from')

which allows relaying if the mail sender is listed as RELAY in the
access map. If an optional argument `domain' (this is the literal
word `domain', not a placeholder) is given, the domain portion of
the mail sender is also checked to allow relaying. This option
only works together with the tag From: for the LHS of the access
map entries. This feature allows spammers to abuse your mail server
by specifying a return address that you enabled in your access file.
This may be harder to figure out for spammers, but it should not
be used unless necessary. Instead use STARTTLS to
allow relaying for roaming users.


If source routing is used in the recipient address (e.g.,
RCPT TO:<user%site.com@othersite.com>), sendmail will check
user@site.com for relaying if othersite.com is an allowed relay host
in either class {R}, class {m} if FEATURE(`relay_entire_domain') is used,
or the access database if FEATURE(`access_db') is used. To prevent
the address from being stripped down, use:

        FEATURE(`loose_relay_check')

If you think you need to use this feature, you probably do not. This
should only be used for sites which have no control over the addresses
that they provide a gateway for. Use this FEATURE with caution as it
can allow spammers to relay through your server if not set up properly.

NOTICE: It is possible to relay mail through a system which the anti-relay
rules do not prevent: the case of a system that does use FEATURE(`nouucp',
`nospecial') (system A) and relays local messages to a mail hub (e.g., via
LOCAL_RELAY or LUSER_RELAY) (system B). If system B doesn't use
FEATURE(`nouucp') at all, addresses of the form
<example.net!user@local.host> would be relayed to <user@example.net>.
System A doesn't recognize `!'
as an address separator and therefore
forwards it to the mail hub which in turn relays it because it came from
a trusted local host. So if a mailserver allows UUCP (bang-format)
addresses, all systems from which it allows relaying should do the same
or reject those addresses.

As of 8.9, sendmail will refuse mail if the MAIL FROM: parameter has
an unresolvable domain (i.e., one that DNS, your local name service,
or special case rules in ruleset 3 cannot locate). This also applies
to addresses that use domain literals, e.g., <user@[1.2.3.4]>, if the
IP address can't be mapped to a host name. If you want to continue
to accept such domains, e.g., because you are inside a firewall that
has only a limited view of the Internet host name space (note that you
will not be able to return mail to them unless you have some "smart
host" forwarder), use

        FEATURE(`accept_unresolvable_domains')

Alternatively, you can allow specific addresses by adding them to
the access map, e.g.,

        From:unresolvable.domain        OK
        From:[1.2.3.4]                  OK
        From:[1.2.4]                    OK

Notice: domains which are temporarily unresolvable are (temporarily)
rejected with a 451 reply code.
If those domains should be accepted
(which is discouraged) then you can use

        LOCAL_CONFIG
        C{ResOk}TEMP

sendmail will also refuse mail if the MAIL FROM: parameter is not
fully qualified (i.e., contains a domain as well as a user). If you
want to continue to accept such senders, use

        FEATURE(`accept_unqualified_senders')

Setting the DaemonPortOptions modifier 'u' overrides the default behavior,
i.e., unqualified addresses are accepted even without this FEATURE. If
this FEATURE is not used, the DaemonPortOptions modifier 'f' can be used
to enforce fully qualified domain names.

An ``access'' database can be created to accept or reject mail from
selected domains. For example, you may choose to reject all mail
originating from known spammers. To enable such a database, use

        FEATURE(`access_db')

Notice: the access database is applied to the envelope addresses
and the connection information, not to the header.

The FEATURE macro can accept as second parameter the key file
definition for the database; for example

        FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access_map')

Notice: If a second argument is specified it must contain the option
`-T<TMPF>' as shown above. The optional parameters may be

        `skip'                  enables SKIP as value part (see below).
        `lookupdotdomain'       another way to enable the feature of the
                                same name (see above).
        `relaytofulladdress'    enable entries of the form
                                To:user@example.com     RELAY
                                to allow relaying to just a specific
                                e-mail address instead of an entire domain.

Remember, since /etc/mail/access is a database, after creating the text
file as described below, you must use makemap to create the database
map. For example:

        makemap hash /etc/mail/access < /etc/mail/access

The table itself uses e-mail addresses, domain names, and network
numbers as keys. Note that IPv6 addresses must be prefaced with "IPv6:".
For example,

        From:spammer@aol.com                    REJECT
        From:cyberspammer.com                   REJECT
        Connect:cyberspammer.com                REJECT
        Connect:TLD                             REJECT
        Connect:192.168.212                     REJECT
        Connect:IPv6:2002:c0a8:02c7             RELAY
        Connect:IPv6:2002:c0a8:51d2::23f4       REJECT

would refuse mail from spammer@aol.com, any user from cyberspammer.com
(or any host within the cyberspammer.com domain), any host in the entire
top level domain TLD, 192.168.212.* network, and the IPv6 address
2002:c0a8:51d2::23f4. It would allow relay for the IPv6 network
2002:c0a8:02c7::/48.

Entries in the access map should be tagged according to their type.
Three tags are available:

        Connect:        connection information (${client_addr}, ${client_name})
        From:           envelope sender
        To:             envelope recipient

Notice: untagged entries are deprecated.

If the required item is looked up in a map, it will be tried first
with the corresponding tag in front, then (as fallback to enable
backward compatibility) without any tag, unless the specific feature
requires a tag.
For example,

        From:spammer@some.dom   REJECT
        To:friend.domain        RELAY
        Connect:friend.domain   OK
        Connect:from.domain     RELAY
        From:good@another.dom   OK
        From:another.dom        REJECT

This would deny mails from spammer@some.dom but you could still
send mail to that address even if FEATURE(`blacklist_recipients')
is enabled. Your system will allow relaying to friend.domain, but
not from it (unless enabled by other means). Connections from that
domain will be allowed even if it ends up in one of the DNS based
rejection lists. Relaying is enabled from from.domain but not to
it (since relaying is based on the connection information for
outgoing relaying, the tag Connect: must be used; for incoming
relaying, which is based on the recipient address, To: must be
used). The last two entries allow mails from good@another.dom but
reject mail from all other addresses with another.dom as domain
part.


The value part of the map can contain:

        OK              Accept mail even if other rules in the running
                        ruleset would reject it, for example, if the domain
                        name is unresolvable. "Accept" does not mean
                        "relay", but at most acceptance for local
                        recipients. That is, OK allows less than RELAY.
        RELAY           Accept mail addressed to the indicated domain
                        (or address if `relaytofulladdress' is set) or
                        received from the indicated domain for relaying
                        through your SMTP server. RELAY also serves as
                        an implicit OK for the other checks.
        REJECT          Reject the sender or recipient with a general
                        purpose message.
        DISCARD         Discard the message completely using the
                        $#discard mailer. If it is used in check_compat,
                        it affects only the designated recipient, not
                        the whole message as it does in all other cases.
                        This should only be used if really necessary.
        SKIP            This can only be used for host/domain names
                        and IP addresses/nets. It will abort the current
                        search for this entry without accepting or rejecting
                        it but causing the default action.
        ### any text    where ### is an RFC 821 compliant error code and
                        "any text" is a message to return for the command.
                        The entire string should be quoted to avoid
                        surprises:

                                "### any text"

                        Otherwise sendmail formats the text as email
                        addresses, e.g., it may remove spaces.
                        This type is deprecated, use one of the two
                        ERROR: entries below instead.
        ERROR:### any text
                        as above, but useful to mark error messages as such.
                        If quotes need to be used to avoid modifications
                        (see above), they should be placed like this:

                                ERROR:"### any text"

        ERROR:D.S.N:### any text
                        where D.S.N is an RFC 1893 compliant error code
                        and the rest as above. If quotes need to be used
                        to avoid modifications, they should be placed
                        like this:

                                ERROR:D.S.N:"### any text"

        QUARANTINE:any text
                        Quarantine the message using the given text as the
                        quarantining reason.

For example:

        From:cyberspammer.com           ERROR:"550 We don't accept mail from spammers"
        From:okay.cyberspammer.com      OK
        Connect:sendmail.org            RELAY
        To:sendmail.org                 RELAY
        Connect:128.32                  RELAY
        Connect:128.32.2                SKIP
        Connect:IPv6:1:2:3:4:5:6:7      RELAY
        Connect:suspicious.example.com  QUARANTINE:Mail from suspicious host
        Connect:[127.0.0.3]             OK
        Connect:[IPv6:1:2:3:4:5:6:7:8]  OK

would accept mail from okay.cyberspammer.com, but would reject mail
from all other hosts at cyberspammer.com with the indicated message.
It would allow relaying mail from and to any hosts in the sendmail.org
domain, and allow relaying from the IPv6 1:2:3:4:5:6:7:* network
and from the 128.32.*.* network except for the 128.32.2.* network,
which shows how SKIP is useful to exempt subnets/subdomains.  The
last two entries are for checks against ${client_name} if the IP
address doesn't resolve to a hostname (or is considered as "may be
forged").  That is, using square brackets means these are host
names, not network numbers.

Warning: if you change the RFC 821 compliant error code from the default
value of 550, then you should probably also change the RFC 1893 compliant
error code to match it.  For example, if you use

	To:user@example.com	ERROR:450 mailbox full

the error returned would be "450 5.0.0 mailbox full" which is wrong.
Use "ERROR:4.2.2:450 mailbox full" instead.

Note, UUCP users may need to add hostname.UUCP to the access database
or class {R}.

If you also use:

	FEATURE(`relay_hosts_only')

then the above example will allow relaying for sendmail.org, but not
hosts within the sendmail.org domain.
Note that this will also require
hosts listed in class {R} to be fully qualified host names.

You can also use the access database to block sender addresses based on
the username portion of the address.  For example:

	From:FREE.STEALTH.MAILER@	ERROR:550 Spam not accepted

Note that you must include the @ after the username to signify that
this database entry is for checking only the username portion of the
sender address.

If you use:

	FEATURE(`blacklist_recipients')

then you can add entries to the map for local users, hosts in your
domains, or addresses in your domain which should not receive mail:

	To:badlocaluser@	ERROR:550 Mailbox disabled for badlocaluser
	To:host.my.TLD		ERROR:550 That host does not accept mail
	To:user@other.my.TLD	ERROR:550 Mailbox disabled for this recipient

This would prevent a recipient of badlocaluser in any of the local
domains (class {w}), any user at host.my.TLD, and the single address
user@other.my.TLD from receiving mail.
Please note: a local username
must now be tagged with an @ (this is consistent with the check of
the sender address, and hence it is possible to distinguish between
hostnames and usernames).  Enabling this feature will keep you from
sending mails to all addresses that have an error message or REJECT
as value part in the access map.  Taking the example from above:

	spammer@aol.com		REJECT
	cyberspammer.com	REJECT

Mail can't be sent to spammer@aol.com or anyone at cyberspammer.com.
That's why tagged entries should be used.

There are several DNS based blacklists which can be found by
querying a search engine.  These are databases of spammers
maintained in DNS.  To use such a database, specify

	FEATURE(`dnsbl', `dnsbl.example.com')

This will cause sendmail to reject mail from any site listed in the
DNS based blacklist.  You must select a DNS based blacklist domain
to check by specifying an argument to the FEATURE.  The default
error message is

	Rejected: IP-ADDRESS listed at SERVER

where IP-ADDRESS and SERVER are replaced by the appropriate
information.  A second argument can be used to specify a different
text or action.
For example,

	FEATURE(`dnsbl', `dnsbl.example.com', `quarantine')

would quarantine the message if the client IP address is listed
at `dnsbl.example.com'.

By default, temporary lookup failures are ignored
and hence cause the connection not to be rejected by the DNS based
rejection list.  This behavior can be changed by specifying a third
argument, which must be either `t' or a full error message.  For
example:

	FEATURE(`dnsbl', `dnsbl.example.com', `',
	`"451 Temporary lookup failure for " $&{client_addr} " in dnsbl.example.com"')

If `t' is used, the error message is:

	451 Temporary lookup failure of IP-ADDRESS at SERVER

where IP-ADDRESS and SERVER are replaced by the appropriate
information.

This FEATURE can be included several times to query different
DNS based rejection lists.

Notice: to avoid checking your own local domains against those
blacklists, use the access_db feature and add:

	Connect:10.1		OK
	Connect:127.0.0.1	RELAY

to the access map, where 10.1 is your local network.
You may want to use "RELAY" instead of "OK" to also allow relaying
instead of just disabling the DNS lookups in the blacklists.


The features described above make use of the check_relay, check_mail,
and check_rcpt rulesets.  Note that check_relay checks the SMTP
client hostname and IP address when the connection is made to your
server.  It does not check if a mail message is being relayed to
another server.  That check is done in check_rcpt.  If you wish to
include your own checks, you can put your checks in the rulesets
Local_check_relay, Local_check_mail, and Local_check_rcpt.  For
example, if you wanted to block senders with all numeric usernames
(e.g., 2312343@bigisp.com), you would use Local_check_mail and the
regex map:

	LOCAL_CONFIG
	Kallnumbers regex -a@MATCH ^[0-9]+$

	LOCAL_RULESETS
	SLocal_check_mail
	# check address against various regex checks
	R$*				$: $>Parse0 $>3 $1
	R$+ < @ bigisp.com. > $*	$: $(allnumbers $1 $)
	R@MATCH				$#error $: 553 Header Error

These rules are called with the original arguments of the corresponding
check_* ruleset.
If the local ruleset returns $#OK, no further checking
is done by the features described above and the mail is accepted.  If
the local ruleset resolves to a mailer (such as $#error or $#discard),
the appropriate action is taken.  Other results starting with $# are
interpreted by sendmail and may lead to unspecified behavior.  Note: do
NOT create a mailer with the name OK.  Return values that do not start
with $# are ignored, i.e., normal processing continues.

Delay all checks
----------------

By using FEATURE(`delay_checks') the rulesets check_mail and check_relay
will not be called when a client connects or issues a MAIL command,
respectively.  Instead, those rulesets will be called by the check_rcpt
ruleset; they will be skipped if a sender has been authenticated using
a "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH().
If check_mail returns an error then the RCPT TO command will be rejected
with that error.  If it returns some other result starting with $# then
check_relay will be skipped.  If the sender address (or a part of it) is
listed in the access map and it has a RHS of OK or RELAY, then check_relay
will be skipped.
This has an interesting side effect: if your domain is
my.domain and you have

	my.domain	RELAY

in the access map, then any e-mail with a sender address of
<user@my.domain> will not be rejected by check_relay even though
it would match the hostname or IP address.  This allows spammers
to get around DNS based blacklists by faking the sender address.  To
avoid this problem you have to use tagged entries:

	To:my.domain		RELAY
	Connect:my.domain	RELAY

if you need those entries at all (class {R} may take care of them).

FEATURE(`delay_checks') can take an optional argument:

	FEATURE(`delay_checks', `friend')
		 enables spamfriend test
	FEATURE(`delay_checks', `hater')
		 enables spamhater test

If such an argument is given, the recipient will be looked up in the
access map (using the tag Spam:).  If the argument is `friend', then
the default behavior is to apply the other rulesets and make a SPAM
friend the exception.  The rulesets check_mail and check_relay will be
skipped only if the recipient address is found and has RHS FRIEND.
If the argument is `hater', then the default behavior is to skip the
rulesets check_mail and check_relay and make a SPAM hater the exception.
The other two rulesets will be applied only if the recipient address is
found and has RHS HATER.

This allows for simple exceptions from the tests, e.g., by activating
the friend option and having

	Spam:abuse@	FRIEND

in the access map, mail to abuse@localdomain will get through (where
"localdomain" is any domain in class {w}).  It is also possible to
specify a full address or an address with +detail:

	Spam:abuse@my.domain	FRIEND
	Spam:me+abuse@		FRIEND
	Spam:spam.domain	FRIEND

Note: The required tag has been changed in 8.12 from To: to Spam:.
This change is incompatible with previous versions.  However, you can
(for now) simply add the new entries to the access map, the old
ones will be ignored.  As soon as you have removed the old entries from
the access map, specify a third parameter (`n') to this feature and
the backward compatibility rules will not be in the generated .cf
file.
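
The tagging rules in this section can be checked mechanically before an access map is built: untagged OK/RELAY entries that let a forged sender skip check_relay under delay_checks, untagged REJECT or error entries that block outgoing mail under blacklist_recipients, an ERROR: reply code changed from 550 without a matching D.S.N, the deprecated bare "### any text" form, and FRIEND/HATER under the old To: tag. The following Python sketch is an added example, not part of the sendmail distribution; its function names, finding codes and sample map are constructed for illustration, and it only recognizes the tags shown in this part of the README.

```python
import re

# Tags used in this part of the README; other tags exist, so extend this set
# for a real map (assumption: an unknown prefix means the key is untagged).
KNOWN_TAGS = {"from", "to", "connect", "spam", "certissuer", "certsubject",
              "tls_srv", "tls_clt", "tls_rcpt", "try_tls", "srv_features"}

# ERROR:[D.S.N:]["]### ...  group 1 = D.S.N class digit, group 2 = SMTP class
ERROR_RE = re.compile(r'^ERROR:(?:(\d)\.\d{1,3}\.\d{1,3}:)?"?(\d)\d\d\b', re.I)
# Deprecated bare form: ["]### any text
BARE_CODE_RE = re.compile(r'^"?\d{3}\s')


def split_entry(line):
    """Return (tag, key, value) for one access map source line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    lhs, value = parts[0], parts[1].strip()
    head, sep, rest = lhs.partition(":")
    if sep and head.lower() in KNOWN_TAGS:
        return head.lower(), rest, value
    return None, lhs, value


def lint_access_map(text):
    """Return a list of (line_number, code, message) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = split_entry(raw)
        if entry is None:
            continue
        tag, key, value = entry
        action = value.split(":", 1)[0].upper()
        bare = BARE_CODE_RE.match(value) is not None
        err = ERROR_RE.match(value)

        if tag is None:
            if action in ("OK", "RELAY"):
                why = ("also matches sender addresses, so with delay_checks a "
                       "forged sender skips check_relay; use To:/Connect:")
            elif action in ("REJECT", "ERROR") or bare:
                why = ("also matches recipients, so with blacklist_recipients "
                       "local users cannot send to it; use From:/Connect:")
            else:
                why = "applies to every check; add an explicit tag"
            findings.append((lineno, "UNTAGGED", f"{key}: {why}"))

        if tag == "to" and action in ("FRIEND", "HATER"):
            findings.append((lineno, "OLD_TAG",
                             f"{key}: {action} needs the Spam: tag since 8.12"))

        if err:
            dsn_class, smtp_class = err.group(1), err.group(2)
            if dsn_class is None and smtp_class != "5":
                findings.append((lineno, "DSN_MISMATCH",
                                 f"{key}: {smtp_class}xx reply would carry the "
                                 "default 5.0.0; use ERROR:D.S.N:### text"))
            elif dsn_class is not None and dsn_class != smtp_class:
                findings.append((lineno, "DSN_MISMATCH",
                                 f"{key}: D.S.N class {dsn_class} does not "
                                 f"match reply class {smtp_class}"))
        elif bare:
            findings.append((lineno, "DEPRECATED",
                             f'{key}: bare error text; use ERROR:"### text"'))
    return findings


# Constructed sample, assembled from entries shown in this document.
SAMPLE = """\
# access map source
my.domain                   RELAY
cyberspammer.com            REJECT
From:okay.cyberspammer.com  OK
Connect:128.32              RELAY
Connect:128.32.2            SKIP
Connect:IPv6:1:2:3:4:5:6:7  RELAY
To:user@example.com         ERROR:450 mailbox full
To:user@other.my.TLD        ERROR:4.2.2:450 mailbox full
From:FREE.STEALTH.MAILER@   ERROR:550 Spam not accepted
To:abuse@                   FRIEND
Spam:abuse@                 FRIEND
From:cyberspammer.com       "550 We don't accept mail from spammers"
"""

if __name__ == "__main__":
    for lineno, code, message in lint_access_map(SAMPLE):
        print(f"line {lineno}: {code}: {message}")
```
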

Header Checks
-------------

You can also reject mail on the basis of the contents of headers.
This is done by adding a ruleset call to the 'H' header definition command
in sendmail.cf.  For example, this can be used to check the validity of
a Message-ID: header:

	LOCAL_CONFIG
	HMessage-Id: $>CheckMessageId

	LOCAL_RULESETS
	SCheckMessageId
	R< $+ @ $+ >		$@ OK
	R$*			$#error $: 553 Header Error

The alternative format:

	HSubject: $>+CheckSubject

that is, $>+ instead of $>, gives the full Subject: header including
comments to the ruleset (comments in parentheses () are stripped
by default).

A default ruleset for headers which don't have a specific ruleset
defined for them can be given by:

	H*: $>CheckHdr

Notice:
1. All rules act on tokens as explained in doc/op/op.{me,ps,txt}.
That may cause problems with simple header checks due to the
tokenization.  It might be simpler to use a regex map and apply it
to $&{currHeader}.
2. There are no default rulesets coming with this distribution of
sendmail.  You can write your own or search the WWW for examples.
3. When using a default ruleset for headers, the name of the header
currently being checked can be found in the $&{hdr_name} macro.

After all of the headers are read, the check_eoh ruleset will be called for
any final header-related checks.  The ruleset is called with the number of
headers and the size of all of the headers in bytes separated by $|.  One
example usage is to reject messages which do not have a Message-Id:
header.  However, the Message-Id: header is *NOT* a required header and is
not a guaranteed spam indicator.  This ruleset is an example and should
probably not be used in production.

	LOCAL_CONFIG
	Kstorage macro
	HMessage-Id: $>CheckMessageId

	LOCAL_RULESETS
	SCheckMessageId
	# Record the presence of the header
	R$*			$: $(storage {MessageIdCheck} $@ OK $) $1
	R< $+ @ $+ >		$@ OK
	R$*			$#error $: 553 Header Error

	Scheck_eoh
	# Check the macro
	R$*			$: < $&{MessageIdCheck} >
	# Clear the macro for the next message
	R$*			$: $(storage {MessageIdCheck} $) $1
	# Has a Message-Id: header
	R< $+ >			$@ OK
	# Allow missing Message-Id: from local mail
	R$*			$: < $&{client_name} >
	R< >			$@ OK
	R< $=w >		$@ OK
	# Otherwise, reject the mail
	R$*			$#error $: 553 Header Error


+--------------------+
| CONNECTION CONTROL |
+--------------------+

The features ratecontrol and conncontrol allow you to establish connection
limits per client IP address or net.  These features can limit the
rate of connections (connections per time unit) or the number of
incoming SMTP connections, respectively.
If enabled, appropriate
rulesets are called at the end of check_relay, i.e., after DNS
blacklists and generic access_db operations.  The features require
FEATURE(`access_db') to be listed earlier in the mc file.

Note: FEATURE(`delay_checks') delays those connection control checks
until after a recipient address has been received, hence making these
connection control features less useful.  To run the checks as early
as possible, specify the parameter `nodelay', e.g.,

	FEATURE(`ratecontrol', `nodelay')

In that case, FEATURE(`delay_checks') has no effect on connection
control (and it must be specified earlier in the mc file).

An optional second argument `terminate' specifies whether the
rulesets should return the error code 421 which will cause
sendmail to terminate the session with that error if it is
returned from check_relay, i.e., not delayed as explained in
the previous paragraph.
Example:

	FEATURE(`ratecontrol', `nodelay', `terminate')


+----------+
| STARTTLS |
+----------+

In this text, cert will be used as an abbreviation for X.509 certificate,
DN (CN) is the distinguished (common) name of a cert, and CA is a
certification authority, which signs (issues) certs.

For STARTTLS to be offered by sendmail you need to set at least
these variables (the file names and paths are just examples):

	define(`confCACERT_PATH', `/etc/mail/certs/')
	define(`confCACERT', `/etc/mail/certs/CA.cert.pem')
	define(`confSERVER_CERT', `/etc/mail/certs/my.cert.pem')
	define(`confSERVER_KEY', `/etc/mail/certs/my.key.pem')

On systems which do not have the compile flag HASURANDOM set (see
sendmail/README) you also must set confRAND_FILE.

See doc/op/op.{me,ps,txt} for more information about these options,
especially the sections ``Certificates for STARTTLS'' and ``PRNG for
STARTTLS''.

Macros related to STARTTLS are:

${cert_issuer} holds the DN of the CA (the cert issuer).
${cert_subject} holds the DN of the cert (called the cert subject).
${cn_issuer} holds the CN of the CA (the cert issuer).
${cn_subject} holds the CN of the cert (called the cert subject).
${tls_version} the TLS/SSL version used for the connection, e.g., TLSv1,
	TLSv1/SSLv3, SSLv3, SSLv2.
${cipher} the cipher used for the connection, e.g., EDH-DSS-DES-CBC3-SHA,
	EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA.
${cipher_bits} the keylength (in bits) of the symmetric encryption algorithm
	used for the connection.
${verify} holds the result of the verification of the presented cert.
	Possible values are:
	OK	 verification succeeded.
	NO	 no cert presented.
	NOT	 no cert requested.
	FAIL	 cert presented but could not be verified,
		 e.g., the cert of the signing CA is missing.
	NONE	 STARTTLS has not been performed.
	TEMP	 temporary error occurred.
	PROTOCOL protocol error occurred (SMTP level).
	SOFTWARE STARTTLS handshake failed.
${server_name} the name of the server of the current outgoing SMTP
	connection.
${server_addr} the address of the server of the current outgoing SMTP
	connection.
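
The cert macros listed above are used in access map lookups in an encoded form: the Relaying section that follows replaces each non-printable character and each of < > ( ) " + and space by '+' and its hex value, then consults the CertIssuer: and CertSubject: tags. The following Python sketch is an added example, not sendmail's own code, that encodes a DN and walks that lookup order so access map entries can be checked before deployment. The function names and the "TIE Fighter" subject are constructed; treating every byte outside printable ASCII as non-printable is an assumption, and the _CERT_REGEX_ISSUER_/_CERT_REGEX_SUBJECT_ rewriting and map case folding are not modelled.

```python
# Characters the README lists as replaced, in addition to non-printable ones.
SPECIAL = set('<>()"+ ')


def encode_dn(value):
    """Encode a DN or CN as described for ${cert_subject}, ${cert_issuer},
    ${cn_subject} and ${cn_issuer}: '+' followed by the two-digit hex value."""
    out = []
    # Assumption: any byte outside printable ASCII counts as non-printable.
    for byte in value.encode("utf-8"):
        if byte <= 0x20 or byte >= 0x7F or chr(byte) in SPECIAL:
            out.append("+%02X" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def load_access(text):
    """Parse 'key value' source lines into a dict.  The key ends at the first
    whitespace, which is why a DN containing spaces has to be encoded."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key] = value.strip()
    return table


def relay_by_cert(verify, issuer_dn, subject_dn, access):
    """Return True if the cert alone permits relaying; False means relaying
    stays subject to the usual rules."""
    if verify != "OK":
        return False
    issuer_rhs = access.get("CertIssuer:" + encode_dn(issuer_dn))
    if issuer_rhs == "RELAY":
        return True
    if issuer_rhs == "SUBJECT":
        return access.get("CertSubject:" + encode_dn(subject_dn)) == "RELAY"
    return False


# DNs from the README's example, written unencoded as a cert would carry them.
ISSUER = ("/C=US/ST=California/O=endmail.org/OU=private"
          "/CN=Darth Mail (Cert)/Email=darth+cert@endmail.org")
DEATHSTAR = ("/C=US/ST=California/O=endmail.org/OU=private"
             "/CN=DeathStar/Email=deathstar@endmail.org")
# Constructed subject: signed by the same CA but not listed in the map.
TIE = ("/C=US/ST=California/O=endmail.org/OU=private"
       "/CN=TIE Fighter/Email=tie@endmail.org")

# The README's "subset of machines" entries, each written as one long line.
ACCESS = load_access("""\
CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN=Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org SUBJECT
CertSubject:/C=US/ST=California/O=endmail.org/OU=private/CN=DeathStar/Email=deathstar@endmail.org RELAY
""")

if __name__ == "__main__":
    print(encode_dn(ISSUER))
    for name, subject in (("DeathStar", DEATHSTAR), ("TIE Fighter", TIE)):
        print(name, "may relay:", relay_by_cert("OK", ISSUER, subject, ACCESS))
```

With OpenSSL 0.9.7 or newer the DN carries "emailAddress=" instead of "Email=", so the map keys have to use that spelling to match.
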

Relaying
--------

SMTP STARTTLS can allow relaying for remote SMTP clients which have
successfully authenticated themselves.  If the verification of the cert
failed (${verify} != OK), relaying is subject to the usual rules.
Otherwise the DN of the issuer is looked up in the access map using the
tag CERTISSUER.  If the resulting value is RELAY, relaying is allowed.
If it is SUBJECT, the DN of the cert subject is looked up next in the
access map using the tag CERTSUBJECT.  If the value is RELAY, relaying
is allowed.

To make things a bit more flexible (or complicated), the values for
${cert_issuer} and ${cert_subject} can be optionally modified by regular
expressions defined in the m4 variables _CERT_REGEX_ISSUER_ and
_CERT_REGEX_SUBJECT_, respectively.  To avoid problems with those macros in
rulesets and map lookups, they are modified as follows: each non-printable
character and the characters '<', '>', '(', ')', '"', '+', ' ' are replaced
by their HEX value with a leading '+'.
For example:

/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email=
darth+cert@endmail.org

is encoded as:

/C=US/ST=California/O=endmail.org/OU=private/CN=
Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org

(line breaks have been inserted for readability).

The macros which are subject to this encoding are ${cert_subject},
${cert_issuer}, ${cn_subject}, and ${cn_issuer}.

Examples:

To allow relaying for everyone who can present a cert signed by

/C=US/ST=California/O=endmail.org/OU=private/CN=
Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org

simply use:

CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN=
Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org	RELAY

To allow relaying only for a subset of machines that have a cert signed by

/C=US/ST=California/O=endmail.org/OU=private/CN=
Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org

use:

CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN=
Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org	SUBJECT
CertSubject:/C=US/ST=California/O=endmail.org/OU=private/CN=
DeathStar/Email=deathstar@endmail.org		RELAY

Notes:
- line breaks have been inserted after "CN=" for readability,
  each tagged entry must be one (long) line in the access map.
- if OpenSSL 0.9.7 or newer is used then the "Email=" part of a DN
  is replaced by "emailAddress=".

Of course it is also possible to write a simple ruleset that allows
relaying for everyone who can present a cert that can be verified, e.g.,

LOCAL_RULESETS
SLocal_check_rcpt
R$*	$: $&{verify}
ROK	$# OK

Allowing Connections
--------------------

The rulesets tls_server, tls_client, and tls_rcpt are used to decide whether
an SMTP connection is accepted (or should continue).

tls_server is called when sendmail acts as client after a STARTTLS command
(should) have been issued.  The parameter is the value of ${verify}.

tls_client is called when sendmail acts as server, after a STARTTLS command
has been issued, and from check_mail.
The parameter is the value of
${verify} and STARTTLS or MAIL, respectively.

Both rulesets behave the same.  If no access map is in use, the connection
will be accepted unless ${verify} is SOFTWARE, in which case the connection
is always aborted.  For tls_server/tls_client, ${client_name}/${server_name}
is looked up in the access map using the tag TLS_Srv/TLS_Clt, which is done
with the ruleset LookUpDomain.  If no entry is found, ${client_addr}
(${server_addr}) is looked up in the access map (same tag, ruleset
LookUpAddr).  If this doesn't result in an entry either, just the tag is
looked up in the access map (including the trailing colon).  Notice:
requiring that e-mail is sent to a server only encrypted, e.g., via

TLS_Srv:secure.domain	ENCR:112

doesn't necessarily mean that e-mail sent to that domain is encrypted.
If the domain has multiple MX servers, e.g.,

secure.domain.	IN MX 10	mail.secure.domain.
secure.domain.	IN MX 50	mail.other.domain.

then mail to user@secure.domain may go unencrypted to mail.other.domain.
tls_rcpt can be used to address this problem.

tls_rcpt is called before a RCPT TO: command is sent.  The parameter is the
current recipient.
This ruleset is only defined if FEATURE(`access_db')
is selected. A recipient address user@domain is looked up in the access
map in four formats: TLS_Rcpt:user@domain, TLS_Rcpt:user@, TLS_Rcpt:domain,
and TLS_Rcpt:; the first match is taken.

The result of the lookups is then used to call the ruleset TLS_connection,
which checks the requirement specified by the RHS in the access map against
the actual parameters of the current TLS connection, esp. ${verify} and
${cipher_bits}. Legal RHSs in the access map are:

VERIFY          verification must have succeeded
VERIFY:bits     verification must have succeeded and ${cipher_bits} must
                be greater than or equal to bits.
ENCR:bits       ${cipher_bits} must be greater than or equal to bits.

The RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary
or permanent error. The default is a temporary error code (403 4.7.0)
unless the macro TLS_PERM_ERR is set during generation of the .cf file.

If a certain level of encryption is required, then it might also be
possible that this level is provided by the security layer from a SASL
algorithm, e.g., DIGEST-MD5.

Furthermore, there can be a list of extensions added. Such a list
starts with '+' and the items are separated by '++'.
Allowed extensions are:

CN:name         name must match ${cn_subject}
CN              ${server_name} must match ${cn_subject}
CS:name         name must match ${cert_subject}
CI:name         name must match ${cert_issuer}

Example: e-mail sent to secure.example.com should only use an encrypted
connection. E-mail received from hosts within the laptop.example.com domain
should only be accepted if they have been authenticated. The host which
receives e-mail for darth@endmail.org must present a cert that uses the
CN smtp.endmail.org.

TLS_Srv:secure.example.com      ENCR:112
TLS_Clt:laptop.example.com      PERM+VERIFY:112
TLS_Rcpt:darth@endmail.org      ENCR:112+CN:smtp.endmail.org


Disabling STARTTLS And Setting SMTP Server Features
---------------------------------------------------

By default STARTTLS is used whenever possible. However, there are
some broken MTAs that don't properly implement STARTTLS. To be able
to send to (or receive from) those MTAs, the ruleset try_tls
(srv_features) can be used, which works together with the access map.
Entries for the access map must be tagged with Try_TLS (Srv_Features)
and refer to the hostname or IP address of the connecting system.
A default case can be specified by using just the tag. For example,
the following entries in the access map:

        Try_TLS:broken.server   NO
        Srv_Features:my.domain  v
        Srv_Features:           V

will turn off STARTTLS when sending to broken.server (or any host
in that domain), and request a client certificate during the TLS
handshake only for hosts in my.domain. The valid entries on the RHS
for Srv_Features are listed in the Sendmail Installation and
Operations Guide.


Received: Header
----------------

The Received: header reveals whether STARTTLS has been used. It contains an
extra line:

(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})


+--------------------------------+
| ADDING NEW MAILERS OR RULESETS |
+--------------------------------+

Sometimes you may need to add entirely new mailers or rulesets. They
should be introduced with the constructs MAILER_DEFINITIONS and
LOCAL_RULESETS respectively. For example:

        MAILER_DEFINITIONS
        Mmymailer, ...
        ...

        LOCAL_RULESETS
        Smyruleset
        ...

Local additions for the rulesets srv_features, try_tls, tls_rcpt,
tls_client, and tls_server can be made using LOCAL_SRV_FEATURES,
LOCAL_TRY_TLS, LOCAL_TLS_RCPT, LOCAL_TLS_CLIENT, and LOCAL_TLS_SERVER,
respectively. For example, to add a local ruleset that decides
whether to try STARTTLS in a sendmail client, use:

        LOCAL_TRY_TLS
        R...

Note: you don't need to add a name for the ruleset, it is implicitly
defined by using the appropriate macro.


+-------------------------+
| ADDING NEW MAIL FILTERS |
+-------------------------+

Sendmail supports mail filters to filter incoming SMTP messages according
to the "Sendmail Mail Filter API" documentation. These filters can be
configured in your mc file using the two commands:

        MAIL_FILTER(`name', `equates')
        INPUT_MAIL_FILTER(`name', `equates')

The first command, MAIL_FILTER(), simply defines a filter with the given
name and equates.
For example:

        MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R')

This creates the equivalent sendmail.cf entry:

        Xarchive, S=local:/var/run/archivesock, F=R

The INPUT_MAIL_FILTER() command performs the same actions as MAIL_FILTER
but also populates the m4 variable `confINPUT_MAIL_FILTERS' with the name
of the filter such that the filter will actually be called by sendmail.

For example, the two commands:

        INPUT_MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R')
        INPUT_MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T')

are equivalent to the three commands:

        MAIL_FILTER(`archive', `S=local:/var/run/archivesock, F=R')
        MAIL_FILTER(`spamcheck', `S=inet:2525@localhost, F=T')
        define(`confINPUT_MAIL_FILTERS', `archive, spamcheck')

In general, INPUT_MAIL_FILTER() should be used unless you need to define
more filters than you want to use for `confINPUT_MAIL_FILTERS'.

Note that setting `confINPUT_MAIL_FILTERS' after any INPUT_MAIL_FILTER()
commands will clear the list created by the prior INPUT_MAIL_FILTER()
commands.
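
Added example (not part of the sendmail distribution), referring back to
"Allowing Connections" in the STARTTLS section: a Python model of the
TLS_Rcpt lookup order, the access map RHS grammar (TEMP+/PERM+, VERIFY,
ENCR:bits, CN/CS/CI extensions) and the multiple-MX pitfall. The function
names, the parent-domain walk standing in for LookUpDomain, the exact-match
address lookup standing in for LookUpAddr, and exact string comparison of
certificate fields are assumptions of this sketch; the SASL security layer
case is not modelled.

```python
import re

# Constructed access map holding the three example entries from the text.
ACCESS_MAP = {
    "TLS_Srv:secure.example.com": "ENCR:112",
    "TLS_Clt:laptop.example.com": "PERM+VERIFY:112",
    "TLS_Rcpt:darth@endmail.org": "ENCR:112+CN:smtp.endmail.org",
}

# Legal RHS: [TEMP+|PERM+] (VERIFY | VERIFY:bits | ENCR:bits) [+ext{++ext}]
RHS_RE = re.compile(
    r"^(?:(TEMP|PERM)\+)?(?:(VERIFY)(?::(\d+))?|ENCR:(\d+))(?:\+(.+))?$")
# Extension name -> connection macro it is compared against.
EXT_MACRO = {"CN": "cn_subject", "CS": "cert_subject", "CI": "cert_issuer"}


def parse_requirement(rhs):
    """Split an access map RHS into severity, VERIFY flag, bits, extensions."""
    m = RHS_RE.match(rhs)
    if not m:
        raise ValueError(f"not a legal TLS requirement: {rhs!r}")
    severity, verify, vbits, ebits, ext = m.groups()
    extensions = []
    for item in (ext.split("++") if ext else []):
        name, _, value = item.partition(":")
        # Only CN may appear without a value (it then means ${server_name}).
        if name not in EXT_MACRO or (name != "CN" and not value):
            raise ValueError(f"bad extension {item!r} in {rhs!r}")
        extensions.append((name, value or None))
    return {"severity": severity or "TEMP",  # default unless TLS_PERM_ERR is set
            "verify": verify is not None,
            "bits": int(vbits or ebits or 0),
            "ext": extensions}


def evaluate(rhs, conn):
    """Check one requirement against the connection macros; (ok, reason)."""
    req = parse_requirement(rhs)

    def fail(why):
        return False, f"{req['severity']} error: {why}"

    if req["verify"] and conn["verify"] != "OK":
        return fail(f"verify={conn['verify']}, VERIFY required")
    if conn["cipher_bits"] < req["bits"]:
        return fail(f"cipher_bits={conn['cipher_bits']} < {req['bits']}")
    for name, value in req["ext"]:
        want = conn["server_name"] if value is None else value
        got = conn.get(EXT_MACRO[name], "")
        if got != want:  # assumption: exact string comparison
            return fail(f"{name} is {got!r}, expected {want!r}")
    return True, "requirement met"


def rcpt_keys(rcpt):
    """The four TLS_Rcpt lookups, in the order the text gives."""
    user, _, domain = rcpt.rpartition("@")
    return [f"TLS_Rcpt:{user}@{domain}", f"TLS_Rcpt:{user}@",
            f"TLS_Rcpt:{domain}", "TLS_Rcpt:"]


def host_keys(tag, name, addr):
    """Host name and its parent domains, then the address, then the bare tag."""
    labels = name.rstrip(".").split(".")
    keys = [f"{tag}:{'.'.join(labels[i:])}" for i in range(len(labels))]
    return keys + [f"{tag}:{addr}", f"{tag}:"]


def check(keys, conn, access_map=ACCESS_MAP):
    """First matching key decides; no entry means no requirement."""
    if conn["verify"] == "SOFTWARE":  # handshake failure: always aborted
        return False, "verify=SOFTWARE, connection aborted"
    for key in keys:
        if key in access_map:
            ok, why = evaluate(access_map[key], conn)
            return ok, f"{key} -> {why}"
    return True, "no access map entry, no requirement"


if __name__ == "__main__":
    # Constructed connection state: backup MX reached without STARTTLS.
    plain = {"verify": "NONE", "cipher_bits": 0,
             "server_name": "mail.other.domain"}
    amap = {"TLS_Srv:secure.domain": "ENCR:112"}
    # TLS_Srv is keyed on the MX host, so the backup MX is not covered ...
    print(check(host_keys("TLS_Srv", "mail.other.domain", "192.0.2.10"),
                plain, amap))
    # ... while a TLS_Rcpt entry is keyed on the recipient and is enforced.
    amap["TLS_Rcpt:secure.domain"] = "ENCR:112"
    print(check(rcpt_keys("user@secure.domain"), plain, amap))
```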


+-------------------------+
| QUEUE GROUP DEFINITIONS |
+-------------------------+

In addition to the queue directory (which is the default queue group
called "mqueue"), sendmail can deal with multiple queue groups, which
are collections of queue directories with the same behaviour. Queue
groups can be defined using the command:

        QUEUE_GROUP(`name', `equates')

For details about queue groups, please see doc/op/op.{me,ps,txt}.

+-------------------------------+
| NON-SMTP BASED CONFIGURATIONS |
+-------------------------------+

These configuration files are designed primarily for use by
SMTP-based sites. They may not be well tuned for UUCP-only or
UUCP-primarily nodes (the latter is defined as a small local net
connected to the rest of the world via UUCP). However, there is
one hook to handle some special cases.

You can define a ``smart host'' that understands a richer address syntax
using:

        define(`SMART_HOST', `mailer:hostname')

In this case, the ``mailer:'' defaults to "relay".
Any messages that
can't be handled using the usual UUCP rules are passed to this host.

If you are on a local SMTP-based net that connects to the outside
world via UUCP, you can use LOCAL_NET_CONFIG to add appropriate rules.
For example:

        define(`SMART_HOST', `uucp-new:uunet')
        LOCAL_NET_CONFIG
        R$* < @ $* .$m. > $*	$#smtp $@ $2.$m. $: $1 < @ $2.$m. > $3

This will cause all names that end in your domain name ($m) to be sent
via SMTP; anything else will be sent via uucp-new (smart UUCP) to uunet.
If you have FEATURE(`nocanonify'), you may need to omit the dots after
the $m. If you are running a local DNS inside your domain which is
not otherwise connected to the outside world, you probably want to
use:

        define(`SMART_HOST', `smtp:fire.wall.com')
        LOCAL_NET_CONFIG
        R$* < @ $* . > $*	$#smtp $@ $2. $: $1 < @ $2. > $3

That is, send directly only to things you found in your DNS lookup;
anything else goes through SMART_HOST.

You may need to turn off the anti-spam rules in order to accept
UUCP mail with FEATURE(`promiscuous_relay') and
FEATURE(`accept_unresolvable_domains').


+-----------+
| WHO AM I? |
+-----------+

Normally, the $j macro is automatically defined to be your fully
qualified domain name (FQDN). Sendmail does this by getting your
host name using gethostname and then calling gethostbyname on the
result. For example, in some environments gethostname returns
only the root of the host name (such as "foo"); gethostbyname is
supposed to return the FQDN ("foo.bar.com"). In some (fairly rare)
cases, gethostbyname may fail to return the FQDN. In this case
you MUST define confDOMAIN_NAME to be your fully qualified domain
name. This is usually done using:

        Dmbar.com
        define(`confDOMAIN_NAME', `$w.$m')dnl


+-----------------------------------+
| ACCEPTING MAIL FOR MULTIPLE NAMES |
+-----------------------------------+

If your host is known by several different names, you need to augment
class {w}. This is a list of names by which your host is known, and
anything sent to an address using a host name in this list will be
treated as local mail.
You can do this in two ways: either create the
file /etc/mail/local-host-names containing a list of your aliases (one per
line), and use ``FEATURE(`use_cw_file')'' in the .mc file, or add
``LOCAL_DOMAIN(`alias.host.name')''. Be sure you use the fully-qualified
name of the host, rather than a short name.

If you want to have different addresses in different domains, take
a look at the virtusertable feature, which is also explained at
http://www.sendmail.org/virtual-hosting.html


+--------------------+
| USING MAILERTABLES |
+--------------------+

To use FEATURE(`mailertable'), you will have to create an external
database containing the routing information for various domains.
For example, a mailertable file in text format might be:

        .my.domain              xnet:%1.my.domain
        uuhost1.my.domain       uucp-new:uuhost1
        .bitnet                 smtp:relay.bit.net

This should normally be stored in /etc/mail/mailertable. The actual
database version of the mailertable is built using:

        makemap hash /etc/mail/mailertable < /etc/mail/mailertable

The semantics are simple. Any LHS entry that does not begin with
a dot matches the full host name indicated.
LHS entries beginning
with a dot match anything ending with that domain name (including
the leading dot) -- that is, they can be thought of as having a
leading ".+" regular expression pattern for a non-empty sequence of
characters. Matching is done in order of most-to-least qualified
-- for example, even though ".my.domain" is listed first in the
above example, an entry of "uuhost1.my.domain" will match the second
entry since it is more explicit. Note: e-mail to "user@my.domain"
does not match any entry in the above table. You need to have
something like:

        my.domain               esmtp:host.my.domain

The RHS should always be a "mailer:host" pair. The mailer is the
configuration name of a mailer (that is, an M line in the
sendmail.cf file). The "host" will be the hostname passed to
that mailer. In domain-based matches (that is, those with leading
dots) the "%1" may be used to interpolate the wildcarded part of
the host name. For example, the first line above sends everything
addressed to "anything.my.domain" to that same host name, but using
the (presumably experimental) xnet mailer.

In some cases you may want to temporarily turn off MX records,
particularly on gateways.
For example, you may want to MX
everything in a domain to one machine that then forwards it
directly. To do this, you might use the DNS configuration:

        *.domain.       IN      MX      0       relay.machine

and on relay.machine use the mailertable:

        .domain         smtp:[gateway.domain]

The [square brackets] turn off MX records for this host only.
If you didn't do this, the mailertable would use the MX record
again, which would give you an MX loop. Note that the use of
wildcard MX records is almost always a bad idea. Please avoid
using them if possible.


+--------------------------------+
| USING USERDB TO MAP FULL NAMES |
+--------------------------------+

The user database was not originally intended for mapping full names
to login names (e.g., Eric.Allman => eric), but some people are using
it that way. (It is recommended that you set up aliases for this
purpose instead -- since you can specify multiple alias files, this
is fairly easy.) The intent was to locate the default maildrop at
a site, but allow you to override this by sending to a specific host.

If you decide to set up the user database in this fashion, it is
imperative that you not use FEATURE(`stickyhost') -- otherwise,
e-mail sent to Full.Name@local.host.name will be rejected.

To build the internal form of the user database, use:

        makemap btree /etc/mail/userdb < /etc/mail/userdb.txt

As a general rule, it is an extremely bad idea to use full names
as e-mail addresses, since they are not in any sense unique. For
example, the UNIX software-development community has at least two
well-known Peter Deutsches, and at one time Bell Labs had two
Stephen R. Bournes with offices along the same hallway. Which one
will be forced to suffer the indignity of being Stephen_R_Bourne_2?
The less famous of the two, or the one that was hired later?

Finger should handle full names (and be fuzzy). Mail should use
handles, and not be fuzzy.


+--------------------------------+
| MISCELLANEOUS SPECIAL FEATURES |
+--------------------------------+

Plussed users
        Sometimes it is convenient to merge configuration on a
        centralized mail machine, for example, to forward all
        root mail to a mail server.
        In this case it might be
        useful to be able to treat the root addresses as a class
        of addresses with subtle differences. You can do this
        using plussed users. For example, a client might include
        the alias:

                root:  root+client1@server

        On the server, this will match an alias for "root+client1".
        If that is not found, the alias "root+*" will be tried,
        then "root".


+----------------+
| SECURITY NOTES |
+----------------+

A lot of sendmail security comes down to you. Sendmail 8 is much
more careful about checking for security problems than previous
versions, but there are some things that you still need to watch
for. In particular:

* Make sure the aliases file is not writable except by trusted
  system personnel. This includes both the text and database
  version.

* Make sure that other files that sendmail reads, such as the
  mailertable, are only writable by trusted system personnel.

* The queue directory should not be world writable PARTICULARLY
  if your system allows "file giveaways" (that is, if a non-root
  user can chown any file they own to any other user).

* If your system allows file giveaways, DO NOT create a publicly
  writable directory for forward files. This will allow anyone
  to steal anyone else's e-mail. Instead, create a script that
  copies the .forward file from users' home directories once a
  night (if you want the non-NFS-mounted forward directory).

* If your system allows file giveaways, you'll find that
  sendmail is much less trusting of :include: files -- in
  particular, you'll have to have /SENDMAIL/ANY/SHELL/ in
  /etc/shells before they will be trusted (that is, before
  files and programs listed in them will be honored).

In general, file giveaways are a mistake -- if you can turn them
off, do so.


+--------------------------------+
| TWEAKING CONFIGURATION OPTIONS |
+--------------------------------+

There are a large number of configuration options that don't normally
need to be changed. However, if you feel you need to tweak them,
you can define the following M4 variables.
Note that some of these
variables require formats that are defined in RFC 2821 or RFC 2822.
Before changing them you need to make sure you do not violate those
(and other relevant) RFCs.

This list is shown in four columns: the name you define, the default
value for that definition, the option or macro that is affected
(either Ox for an option or Dx for a macro), and a brief description.

Some options are likely to be deprecated in future versions -- that is,
the option is only included to provide back-compatibility. These are
marked with "*".

Remember that these options are M4 variables, and hence may need to
be quoted. In particular, arguments with commas will usually have to
be ``double quoted, like this phrase'' to avoid having the comma
confuse things. This is common for alias file definitions and for
the read timeout.

M4 Variable Name        Configuration   [Default] & Description
================        =============   =======================
confMAILER_NAME         $n macro        [MAILER-DAEMON] The sender name used
                                        for internally generated outgoing
                                        messages.
confDOMAIN_NAME         $j macro        If defined, sets $j.
                                        This should only be done if your
                                        system cannot determine your local
                                        domain name, and then it should be
                                        set to $w.Foo.COM, where Foo.COM is
                                        your domain name.
confCF_VERSION          $Z macro        If defined, this is appended to the
                                        configuration version name.
confLDAP_CLUSTER        ${sendmailMTACluster} macro
                                        If defined, this is the LDAP
                                        cluster to use for LDAP searches
                                        as described above in ``USING LDAP
                                        FOR ALIASES, MAPS, AND CLASSES''.
confFROM_HEADER         From:           [$?x$x <$g>$|$g$.] The format of an
                                        internally generated From: address.
confRECEIVED_HEADER     Received:
                        [$?sfrom $s $.$?_($?s$|from $.$_)
                                $.$?{auth_type}(authenticated)
                                $.by $j ($v/$Z)$?r with $r$. id $i$?u
                                for $u; $|;
                                $.$b]
                                        The format of the Received: header
                                        in messages passed through this host.
                                        It is unwise to try to change this.
confMESSAGEID_HEADER    Message-Id:     [<$t.$i@$j>] The format of an
                                        internally generated Message-Id:
                                        header.
confCW_FILE             Fw class        [/etc/mail/local-host-names] Name
                                        of file used to get the local
                                        additions to class {w} (local host
                                        names).
confCT_FILE             Ft class        [/etc/mail/trusted-users] Name of
                                        file used to get the local additions
                                        to class {t} (trusted users).
confCR_FILE             FR class        [/etc/mail/relay-domains] Name of
                                        file used to get the local additions
                                        to class {R} (hosts allowed to relay).
confTRUSTED_USERS       Ct class        [no default] Names of users to add to
                                        the list of trusted users. This list
                                        always includes root, uucp, and daemon.
                                        See also FEATURE(`use_ct_file').
confTRUSTED_USER        TrustedUser     [no default] Trusted user for file
                                        ownership and starting the daemon.
                                        Not to be confused with
                                        confTRUSTED_USERS (see above).
confSMTP_MAILER         -               [esmtp] The mailer name used when
                                        SMTP connectivity is required.
                                        One of "smtp", "smtp8",
                                        "esmtp", or "dsmtp".
confUUCP_MAILER         -               [uucp-old] The mailer to be used by
                                        default for bang-format recipient
                                        addresses. See also discussion of
                                        class {U}, class {Y}, and class {Z}
                                        in the MAILER(`uucp') section.
confLOCAL_MAILER        -               [local] The mailer name used when
                                        local connectivity is required.
                                        Almost always "local".
confRELAY_MAILER        -               [relay] The default mailer name used
                                        for relaying any mail (e.g., to a
                                        BITNET_RELAY, a SMART_HOST, or
                                        whatever). This can reasonably be
                                        "uucp-new" if you are on a
                                        UUCP-connected site.
confSEVEN_BIT_INPUT     SevenBitInput   [False] Force input to seven bits?
confEIGHT_BIT_HANDLING  EightBitMode    [pass8] 8-bit data handling
confALIAS_WAIT          AliasWait       [10m] Time to wait for alias file
                                        rebuild until you get bored and
                                        decide that the apparently pending
                                        rebuild failed.
confMIN_FREE_BLOCKS     MinFreeBlocks   [100] Minimum number of free blocks on
                                        queue filesystem to accept SMTP mail.
                                        (Prior to 8.7 this was minfree/maxsize,
                                        where minfree was the number of free
                                        blocks and maxsize was the maximum
                                        message size. Use confMAX_MESSAGE_SIZE
                                        for the second value now.)
confMAX_MESSAGE_SIZE    MaxMessageSize  [infinite] The maximum size of messages
                                        that will be accepted (in bytes).
confBLANK_SUB           BlankSub        [.] Blank (space) substitution
                                        character.
confCON_EXPENSIVE       HoldExpensive   [False] Avoid connecting immediately
                                        to mailers marked expensive.
confCHECKPOINT_INTERVAL CheckpointInterval
                                        [10] Checkpoint queue files every N
                                        recipients.
confDELIVERY_MODE       DeliveryMode    [background] Default delivery mode.
confERROR_MODE          ErrorMode       [print] Error message mode.
confERROR_MESSAGE       ErrorHeader     [undefined] Error message header/file.
confSAVE_FROM_LINES     SaveFromLine    Save extra leading From_ lines.
confTEMP_FILE_MODE      TempFileMode    [0600] Temporary file mode.
confMATCH_GECOS         MatchGECOS      [False] Match GECOS field.
confMAX_HOP             MaxHopCount     [25] Maximum hop count.
confIGNORE_DOTS*        IgnoreDots      [False; always False in -bs or -bd
                                        mode] Ignore dot as terminator for
                                        incoming messages?
confBIND_OPTS           ResolverOptions [undefined] Default options for DNS
                                        resolver.
confMIME_FORMAT_ERRORS* SendMimeErrors  [True] Send error messages as
                                        MIME-encapsulated messages per RFC 1344.
confFORWARD_PATH        ForwardPath     [$z/.forward.$w:$z/.forward]
                                        The colon-separated list of places to
                                        search for .forward files. N.B.: see
                                        the Security Notes section.
confMCI_CACHE_SIZE      ConnectionCacheSize
                                        [2] Size of open connection cache.
confMCI_CACHE_TIMEOUT   ConnectionCacheTimeout
                                        [5m] Open connection cache timeout.
confHOST_STATUS_DIRECTORY HostStatusDirectory
                                        [undefined] If set, host status is kept
                                        on disk between sendmail runs in the
                                        named directory tree.
                                        This need not be a full pathname, in
                                        which case it is interpreted relative
                                        to the queue directory.
confSINGLE_THREAD_DELIVERY SingleThreadDelivery
                                        [False] If this option and the
                                        HostStatusDirectory option are both
                                        set, single thread deliveries to other
                                        hosts. That is, don't allow any two
                                        sendmails on this host to connect
                                        simultaneously to any other single
                                        host. This can slow down delivery in
                                        some cases, in particular since a
                                        cached but otherwise idle connection
                                        to a host will prevent other sendmails
                                        from connecting to the other host.
confUSE_ERRORS_TO*      UseErrorsTo     [False] Use the Errors-To: header to
                                        deliver error messages. This should
                                        not be necessary because of general
                                        acceptance of the envelope/header
                                        distinction.
confLOG_LEVEL           LogLevel        [9] Log level.
confME_TOO              MeToo           [True] Include sender in group
                                        expansions. This option is
                                        deprecated and will be removed from
                                        a future version.
confCHECK_ALIASES       CheckAliases    [False] Check RHS of aliases when
                                        running newaliases.
                                        Since this does DNS lookups on every
                                        address, it can slow down the alias
                                        rebuild process considerably on large
                                        alias files.
confOLD_STYLE_HEADERS*  OldStyleHeaders [True] Assume that headers without
                                        special chars are old style.
confPRIVACY_FLAGS       PrivacyOptions  [authwarnings] Privacy flags.
confCOPY_ERRORS_TO      PostmasterCopy  [undefined] Address for additional
                                        copies of all error messages.
confQUEUE_FACTOR        QueueFactor     [600000] Slope of queue-only function.
confQUEUE_FILE_MODE     QueueFileMode   [undefined] Default permissions for
                                        queue files (octal). If not set,
                                        sendmail uses 0600 unless its real
                                        and effective uid are different in
                                        which case it uses 0644.
confDONT_PRUNE_ROUTES   DontPruneRoutes [False] Don't prune down route-addr
                                        syntax addresses to the minimum
                                        possible.
confSAFE_QUEUE*         SuperSafe       [True] Commit all messages to disk
                                        before forking.
confTO_INITIAL          Timeout.initial [5m] The timeout waiting for a response
                                        on the initial connect.
confTO_CONNECT          Timeout.connect [0] The timeout waiting for an initial
                                        connect() to complete. This can only
                                        shorten connection timeouts; the kernel
                                        silently enforces an absolute maximum
                                        (which varies depending on the system).
confTO_ICONNECT         Timeout.iconnect
                                        [undefined] Like Timeout.connect, but
                                        applies only to the very first attempt
                                        to connect to a host in a message.
                                        This allows a single very fast pass
                                        followed by more careful delivery
                                        attempts in the future.
confTO_ACONNECT         Timeout.aconnect
                                        [0] The overall timeout waiting for
                                        all connections for a single delivery
                                        attempt to succeed. If 0, no overall
                                        limit is applied.
confTO_HELO             Timeout.helo    [5m] The timeout waiting for a response
                                        to a HELO or EHLO command.
confTO_MAIL             Timeout.mail    [10m] The timeout waiting for a
                                        response to the MAIL command.
confTO_RCPT             Timeout.rcpt    [1h] The timeout waiting for a response
                                        to the RCPT command.
confTO_DATAINIT         Timeout.datainit
                                        [5m] The timeout waiting for a 354
                                        response from the DATA command.
confTO_DATABLOCK        Timeout.datablock
                                        [1h] The timeout waiting for a block
                                        during DATA phase.
confTO_DATAFINAL        Timeout.datafinal
                                        [1h] The timeout waiting for a response
                                        to the final "." that terminates a
                                        message.
confTO_RSET             Timeout.rset    [5m] The timeout waiting for a response
                                        to the RSET command.
confTO_QUIT             Timeout.quit    [2m] The timeout waiting for a response
                                        to the QUIT command.
confTO_MISC             Timeout.misc    [2m] The timeout waiting for a response
                                        to other SMTP commands.
confTO_COMMAND          Timeout.command [1h] In server SMTP, the timeout
                                        waiting for a command to be issued.
confTO_IDENT            Timeout.ident   [5s] The timeout waiting for a
                                        response to an IDENT query.
confTO_FILEOPEN         Timeout.fileopen
                                        [60s] The timeout waiting for a file
                                        (e.g., :include: file) to be opened.
confTO_LHLO             Timeout.lhlo    [2m] The timeout waiting for a response
                                        to an LMTP LHLO command.
confTO_STARTTLS         Timeout.starttls
                                        [1h] The timeout waiting for a
                                        response to an SMTP STARTTLS command.
confTO_CONTROL          Timeout.control
                                        [2m] The timeout for a complete
                                        control socket transaction to complete.
confTO_QUEUERETURN      Timeout.queuereturn
                                        [5d] The timeout before a message is
                                        returned as undeliverable.
confTO_QUEUERETURN_NORMAL
                        Timeout.queuereturn.normal
                                        [undefined] As above, for normal
                                        priority messages.
confTO_QUEUERETURN_URGENT
                        Timeout.queuereturn.urgent
                                        [undefined] As above, for urgent
                                        priority messages.
confTO_QUEUERETURN_NONURGENT
                        Timeout.queuereturn.non-urgent
                                        [undefined] As above, for non-urgent
                                        (low) priority messages.
confTO_QUEUERETURN_DSN
                        Timeout.queuereturn.dsn
                                        [undefined] As above, for delivery
                                        status notification messages.
confTO_QUEUEWARN        Timeout.queuewarn
                                        [4h] The timeout before a warning
                                        message is sent to the sender telling
                                        them that the message has been
                                        deferred.
confTO_QUEUEWARN_NORMAL Timeout.queuewarn.normal
                                        [undefined] As above, for normal
                                        priority messages.
confTO_QUEUEWARN_URGENT Timeout.queuewarn.urgent
                                        [undefined] As above, for urgent
                                        priority messages.
confTO_QUEUEWARN_NONURGENT
                        Timeout.queuewarn.non-urgent
                                        [undefined] As above, for non-urgent
                                        (low) priority messages.
confTO_QUEUEWARN_DSN
                        Timeout.queuewarn.dsn
                                        [undefined] As above, for delivery
                                        status notification messages.
confTO_HOSTSTATUS       Timeout.hoststatus
                                        [30m] How long information about host
                                        statuses will be maintained before it
                                        is considered stale and the host should
                                        be retried.
                                        This applies both within a single
                                        queue run and to persistent
                                        information (see below).
confTO_RESOLVER_RETRANS Timeout.resolver.retrans
                                        [varies] Sets the resolver's
                                        retransmission time interval (in
                                        seconds). Sets both
                                        Timeout.resolver.retrans.first and
                                        Timeout.resolver.retrans.normal.
confTO_RESOLVER_RETRANS_FIRST Timeout.resolver.retrans.first
                                        [varies] Sets the resolver's
                                        retransmission time interval (in
                                        seconds) for the first attempt to
                                        deliver a message.
confTO_RESOLVER_RETRANS_NORMAL Timeout.resolver.retrans.normal
                                        [varies] Sets the resolver's
                                        retransmission time interval (in
                                        seconds) for all resolver lookups
                                        except the first delivery attempt.
confTO_RESOLVER_RETRY   Timeout.resolver.retry
                                        [varies] Sets the number of times
                                        to retransmit a resolver query.
                                        Sets both
                                        Timeout.resolver.retry.first and
                                        Timeout.resolver.retry.normal.
confTO_RESOLVER_RETRY_FIRST Timeout.resolver.retry.first
                                        [varies] Sets the number of times
                                        to retransmit a resolver query for
                                        the first attempt to deliver a
                                        message.
confTO_RESOLVER_RETRY_NORMAL Timeout.resolver.retry.normal
                                        [varies] Sets the number of times
                                        to retransmit a resolver query for
                                        all resolver lookups except the
                                        first delivery attempt.
confTIME_ZONE           TimeZoneSpec    [USE_SYSTEM] Time zone info -- can be
                                        USE_SYSTEM to use the system's idea,
                                        USE_TZ to use the user's TZ envariable,
                                        or something else to force that value.
confDEF_USER_ID         DefaultUser     [1:1] Default user id.
confUSERDB_SPEC         UserDatabaseSpec
                                        [undefined] User database
                                        specification.
confFALLBACK_MX         FallbackMXhost  [undefined] Fallback MX host.
confFALLBACK_SMARTHOST  FallbackSmartHost
                                        [undefined] Fallback smart host.
confTRY_NULL_MX_LIST    TryNullMXList   [False] If this host is the best MX
                                        for a host and other arrangements
                                        haven't been made, try connecting
                                        to the host directly; normally this
                                        would be a config error.
confQUEUE_LA            QueueLA         [varies] Load average at which
                                        queue-only function kicks in.
                                        Default value is (8 * numproc)
                                        where numproc is the number of
                                        processors online (if that can be
                                        determined).
confREFUSE_LA           RefuseLA        [varies] Load average at which
                                        incoming SMTP connections are
                                        refused. Default value is (12 *
                                        numproc) where numproc is the
                                        number of processors online (if
                                        that can be determined).
confREJECT_LOG_INTERVAL RejectLogInterval [3h] Log interval when
                                        refusing connections for this long.
confDELAY_LA            DelayLA         [0] Load average at which sendmail
                                        will sleep for one second on most
                                        SMTP commands and before accepting
                                        connections. 0 means no limit.
confMAX_ALIAS_RECURSION MaxAliasRecursion
                                        [10] Maximum depth of alias recursion.
confMAX_DAEMON_CHILDREN MaxDaemonChildren
                                        [undefined] The maximum number of
                                        children the daemon will permit. After
                                        this number, connections will be
                                        rejected. If not set or <= 0, there is
                                        no limit.
confMAX_HEADERS_LENGTH  MaxHeadersLength
                                        [32768] Maximum length of the sum
                                        of all headers.
confMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength
                                        [undefined] Maximum length of
                                        certain MIME header field values.
confCONNECTION_RATE_THROTTLE ConnectionRateThrottle
                                        [undefined] The maximum number of
                                        connections permitted per second per
                                        daemon.
                                        After this many connections are
                                        accepted, further connections will be
                                        delayed. If not set or <= 0, there is
                                        no limit.
confCONNECTION_RATE_WINDOW_SIZE ConnectionRateWindowSize
                                        [60s] Define the length of the
                                        interval for which the number of
                                        incoming connections is maintained.
confWORK_RECIPIENT_FACTOR
                        RecipientFactor [30000] Cost of each recipient.
confSEPARATE_PROC       ForkEachJob     [False] Run all deliveries in a
                                        separate process.
confWORK_CLASS_FACTOR   ClassFactor     [1800] Priority multiplier for class.
confWORK_TIME_FACTOR    RetryFactor     [90000] Cost of each delivery attempt.
confQUEUE_SORT_ORDER    QueueSortOrder  [Priority] Queue sort algorithm:
                                        Priority, Host, Filename, Random,
                                        Modification, or Time.
confMIN_QUEUE_AGE       MinQueueAge     [0] The minimum amount of time a job
                                        must sit in the queue between queue
                                        runs. This allows you to set the
                                        queue run interval low for better
                                        responsiveness without trying all
                                        jobs in each run.
confDEF_CHAR_SET        DefaultCharSet  [unknown-8bit] When converting
                                        unlabeled 8 bit input to MIME, the
                                        character set to use by default.
confSERVICE_SWITCH_FILE ServiceSwitchFile
                                        [/etc/mail/service.switch] The file
                                        to use for the service switch on
                                        systems that do not have a
                                        system-defined switch.
confHOSTS_FILE          HostsFile       [/etc/hosts] The file to use when doing
                                        "file" type access of host names.
confDIAL_DELAY          DialDelay       [0s] If a connection fails, wait this
                                        long and try again. Zero means "don't
                                        retry". This is to allow "dial on
                                        demand" connections to have enough time
                                        to complete a connection.
confNO_RCPT_ACTION      NoRecipientAction
                                        [none] What to do if there are no legal
                                        recipient fields (To:, Cc: or Bcc:)
                                        in the message. Legal values can
                                        be "none" to just leave the
                                        nonconforming message as is, "add-to"
                                        to add a To: header with all the
                                        known recipients (which may expose
                                        blind recipients), "add-apparently-to"
                                        to do the same but use Apparently-To:
                                        instead of To: (strongly discouraged
                                        in accordance with IETF standards),
                                        "add-bcc" to add an empty Bcc:
                                        header, or "add-to-undisclosed" to
                                        add the header
                                        ``To: undisclosed-recipients:;''.
confSAFE_FILE_ENV       SafeFileEnvironment
                                        [undefined] If set, sendmail will do a
                                        chroot() into this directory before
                                        writing files.
confCOLON_OK_IN_ADDR    ColonOkInAddr   [True unless Configuration Level > 6]
                                        If set, colons are treated as a regular
                                        character in addresses. If not set,
                                        they are treated as the introducer to
                                        the RFC 822 "group" syntax. Colons are
                                        handled properly in route-addrs. This
                                        option defaults on for V5 and lower
                                        configuration files.
confMAX_QUEUE_RUN_SIZE  MaxQueueRunSize [0] If set, limit the maximum size of
                                        any given queue run to this number of
                                        entries. Essentially, this will stop
                                        reading each queue directory after this
                                        number of entries are reached; it does
                                        _not_ pick the highest priority jobs,
                                        so this should be as large as your
                                        system can tolerate. If not set, there
                                        is no limit.
confMAX_QUEUE_CHILDREN  MaxQueueChildren
                                        [undefined] Limits the maximum number
                                        of concurrent queue runners active.
                                        This is to keep system resources used
                                        within a reasonable limit. Relates to
                                        Queue Groups and ForkEachJob.
confMAX_RUNNERS_PER_QUEUE MaxRunnersPerQueue
                                        [1] Only active when MaxQueueChildren
                                        defined. Controls the maximum number
                                        of queue runners (aka queue children)
                                        active at the same time in a work
                                        group. See also MaxQueueChildren.
confDONT_EXPAND_CNAMES  DontExpandCnames
                                        [False] If set, $[ ... $] lookups that
                                        do DNS based lookups do not expand
                                        CNAME records. This currently violates
                                        the published standards, but the IETF
                                        seems to be moving toward legalizing
                                        this. For example, if "FTP.Foo.ORG"
                                        is a CNAME for "Cruft.Foo.ORG", then
                                        with this option set a lookup of
                                        "FTP" will return "FTP.Foo.ORG"; if
                                        clear it returns "Cruft.FOO.ORG". N.B.
                                        you may not see any effect until your
                                        downstream neighbors stop doing CNAME
                                        lookups as well.
confFROM_LINE           UnixFromLine    [From $g $d] The From_ line used
                                        when sending to files or programs.
confSINGLE_LINE_FROM_HEADER SingleLineFromHeader
                                        [False] From: lines that have
                                        embedded newlines are unwrapped
                                        onto one line.
confALLOW_BOGUS_HELO    AllowBogusHELO  [False] Allow HELO SMTP command that
                                        does not include a host name.
confMUST_QUOTE_CHARS    MustQuoteChars  [.'] Characters to be quoted in a full
                                        name phrase (@,;:\()[] are automatic).
confOPERATORS           OperatorChars   [.:%@!^/[]+] Address operator
                                        characters.
confSMTP_LOGIN_MSG      SmtpGreetingMessage
                                        [$j Sendmail $v/$Z; $b]
                                        The initial (spontaneous) SMTP
                                        greeting message. The word "ESMTP"
                                        will be inserted between the first and
                                        second words to convince other
                                        sendmails to try to speak ESMTP.
confDONT_INIT_GROUPS    DontInitGroups  [False] If set, the initgroups(3)
                                        routine will never be invoked. You
                                        might want to do this if you are
                                        running NIS and you have a large group
                                        map, since this call does a sequential
                                        scan of the map; in a large site this
                                        can cause your ypserv to run
                                        essentially full time. If you set
                                        this, agents run on behalf of users
                                        will only have their primary
                                        (/etc/passwd) group permissions.
confUNSAFE_GROUP_WRITES UnsafeGroupWrites
                                        [True] If set, group-writable
                                        :include: and .forward files are
                                        considered "unsafe", that is, programs
                                        and files cannot be directly referenced
                                        from such files. World-writable files
                                        are always considered unsafe.
                                        Notice: this option is deprecated and
                                        will be removed in future versions;
                                        Set GroupWritableForwardFileSafe
                                        and GroupWritableIncludeFileSafe in
                                        DontBlameSendmail if required.
confCONNECT_ONLY_TO     ConnectOnlyTo   [undefined] override connection
                                        address (for testing).
confCONTROL_SOCKET_NAME ControlSocketName
                                        [undefined] Control socket for daemon
                                        management.
confDOUBLE_BOUNCE_ADDRESS DoubleBounceAddress
                                        [postmaster] If an error occurs when
                                        sending an error message, send that
                                        "double bounce" error message to this
                                        address. If it expands to an empty
                                        string, double bounces are dropped.
confDEAD_LETTER_DROP    DeadLetterDrop  [undefined] Filename to save bounce
                                        messages which could not be returned
                                        to the user or sent to postmaster.
                                        If not set, the queue file will
                                        be renamed.
confRRT_IMPLIES_DSN     RrtImpliesDsn   [False] Return-Receipt-To: header
                                        implies DSN request.
confRUN_AS_USER         RunAsUser       [undefined] If set, become this user
                                        when reading and delivering mail.
                                        Causes all file reads (e.g., .forward
                                        and :include: files) to be done as
                                        this user.
                                        Also, all programs will be run as this
                                        user, and all output files will be
                                        written as this user.
confMAX_RCPTS_PER_MESSAGE MaxRecipientsPerMessage
                                        [infinite] If set, allow no more than
                                        the specified number of recipients in
                                        an SMTP envelope. Further recipients
                                        receive a 452 error code (i.e., they
                                        are deferred for the next delivery
                                        attempt).
confBAD_RCPT_THROTTLE   BadRcptThrottle [infinite] If set and the specified
                                        number of recipients in a single SMTP
                                        transaction have been rejected, sleep
                                        for one second after each subsequent
                                        RCPT command in that transaction.
confDONT_PROBE_INTERFACES DontProbeInterfaces
                                        [False] If set, sendmail will _not_
                                        insert the names and addresses of any
                                        local interfaces into class {w}
                                        (list of known "equivalent" addresses).
                                        If you set this, you must also include
                                        some support for these addresses (e.g.,
                                        in a mailertable entry) -- otherwise,
                                        mail to addresses in this list will
                                        bounce with a configuration error.
                                        If set to "loopback" (without
                                        quotes), sendmail will skip
                                        loopback interfaces (e.g., "lo0").
confPID_FILE            PidFile         [system dependent] Location of pid
                                        file.
confPROCESS_TITLE_PREFIX ProcessTitlePrefix
                                        [undefined] Prefix string for the
                                        process title shown on 'ps' listings.
confDONT_BLAME_SENDMAIL DontBlameSendmail
                                        [safe] Override sendmail's file
                                        safety checks.  This will definitely
                                        compromise system security and should
                                        not be used unless absolutely
                                        necessary.
confREJECT_MSG          -               [550 Access denied] The message
                                        given if the access database contains
                                        REJECT in the value portion.
confRELAY_MSG           -               [550 Relaying denied] The message
                                        given if an unauthorized relaying
                                        attempt is rejected.
confDF_BUFFER_SIZE      DataFileBufferSize
                                        [4096] The maximum size of a
                                        memory-buffered data (df) file
                                        before a disk-based file is used.
confXF_BUFFER_SIZE      XScriptFileBufferSize
                                        [4096] The maximum size of a
                                        memory-buffered transcript (xf)
                                        file before a disk-based file is
                                        used.
confTLS_SRV_OPTIONS     TLSSrvOptions   If this option is 'V' no client
                                        verification is performed, i.e.,
                                        the server doesn't ask for a
                                        certificate.
confLDAP_DEFAULT_SPEC   LDAPDefaultSpec [undefined] Default map
                                        specification for LDAP maps.  The
                                        value should only contain LDAP
                                        specific settings such as "-h host
                                        -p port -d bindDN", etc.  The
                                        settings will be used for all LDAP
                                        maps unless they are specified in
                                        the individual map specification
                                        ('K' command).
confCACERT_PATH         CACertPath      [undefined] Path to directory
                                        with certs of CAs.
confCACERT              CACertFile      [undefined] File containing one CA
                                        cert.
confSERVER_CERT         ServerCertFile  [undefined] File containing the
                                        cert of the server, i.e., this cert
                                        is used when sendmail acts as
                                        server.
confSERVER_KEY          ServerKeyFile   [undefined] File containing the
                                        private key belonging to the server
                                        cert.
confCLIENT_CERT         ClientCertFile  [undefined] File containing the
                                        cert of the client, i.e., this cert
                                        is used when sendmail acts as
                                        client.
confCLIENT_KEY          ClientKeyFile   [undefined] File containing the
                                        private key belonging to the client
                                        cert.
confCRL                 CRLFile         [undefined] File containing certificate
                                        revocation status, useful for X.509v3
                                        authentication.  Note that CRL requires
                                        at least OpenSSL version 0.9.7.
confDH_PARAMETERS       DHParameters    [undefined] File containing the
                                        DH parameters.
confRAND_FILE           RandFile        [undefined] File containing random
                                        data (use prefix file:) or the
                                        name of the UNIX socket if EGD is
                                        used (use prefix egd:).  STARTTLS
                                        requires this option if the compile
                                        flag HASURANDOM is not set (see
                                        sendmail/README).
confNICE_QUEUE_RUN      NiceQueueRun    [undefined] If set, the priority of
                                        queue runners is set to the given
                                        value (nice(3)).
confDIRECT_SUBMISSION_MODIFIERS DirectSubmissionModifiers
                                        [undefined] Defines {daemon_flags}
                                        for direct submissions.
confUSE_MSP             UseMSP          [undefined] Use as mail submission
                                        program.
confDELIVER_BY_MIN      DeliverByMin    [0] Minimum time for Deliver By
                                        SMTP Service Extension (RFC 2852).
confREQUIRES_DIR_FSYNC  RequiresDirfsync
                                        [true] RequiresDirfsync can
                                        be used to turn off the compile time
                                        flag REQUIRES_DIR_FSYNC at runtime.
                                        See sendmail/README for details.
confSHARED_MEMORY_KEY   SharedMemoryKey [0] Key for shared memory.
confSHARED_MEMORY_KEY_FILE
                        SharedMemoryKeyFile
                                        [undefined] File where the
                                        automatically selected key for
                                        shared memory is stored.
confFAST_SPLIT          FastSplit       [1] If set to a value greater than
                                        zero, the initial MX lookups on
                                        addresses are suppressed when they
                                        are sorted which may result in
                                        faster envelope splitting.  If the
                                        mail is submitted directly from the
                                        command line, then the value also
                                        limits the number of processes to
                                        deliver the envelopes.
confMAILBOX_DATABASE    MailboxDatabase [pw] Type of lookup to find
                                        information about local mailboxes.
confDEQUOTE_OPTS        -               [empty] Additional options for the
                                        dequote map.
confMAX_NOOP_COMMANDS   MaxNOOPCommands [20] Maximum number of "useless"
                                        commands before the SMTP server
                                        will slow down responding.
confHELO_NAME           HeloName        If defined, use as name for EHLO/HELO
                                        command (instead of $j).
confINPUT_MAIL_FILTERS  InputMailFilters
                                        A comma separated list of filters
                                        which determines which filters are
                                        contacted for incoming SMTP messages
                                        and in which sequence they are
                                        invoked.  If none are set, no
                                        filters will be contacted.
confMILTER_LOG_LEVEL    Milter.LogLevel [9] Log level for input mail filter
                                        actions, defaults to LogLevel.
confMILTER_MACROS_CONNECT Milter.macros.connect
                                        [j, _, {daemon_name}, {if_name},
                                        {if_addr}] Macros to transmit to
                                        milters when a session connection
                                        starts.
confMILTER_MACROS_HELO  Milter.macros.helo
                                        [{tls_version}, {cipher},
                                        {cipher_bits}, {cert_subject},
                                        {cert_issuer}] Macros to transmit to
                                        milters after HELO/EHLO command.
confMILTER_MACROS_ENVFROM Milter.macros.envfrom
                                        [i, {auth_type}, {auth_authen},
                                        {auth_ssf}, {auth_author},
                                        {mail_mailer}, {mail_host},
                                        {mail_addr}] Macros to transmit to
                                        milters after MAIL FROM command.
confMILTER_MACROS_ENVRCPT Milter.macros.envrcpt
                                        [{rcpt_mailer}, {rcpt_host},
                                        {rcpt_addr}] Macros to transmit to
                                        milters after RCPT TO command.
confMILTER_MACROS_EOM   Milter.macros.eom
                                        [{msg_id}] Macros to transmit to
                                        milters after DATA command.


See also the description of OSTYPE for some parameters that can be
tweaked (generally pathnames to mailers).

ClientPortOptions and DaemonPortOptions are special cases since multiple
clients/daemons can be defined.  This can be done via

        CLIENT_OPTIONS(`field1=value1,field2=value2,...')
        DAEMON_OPTIONS(`field1=value1,field2=value2,...')

Note that multiple CLIENT_OPTIONS() commands (and therefore multiple
ClientPortOptions settings) are allowed in order to give settings for each
protocol family (e.g., one for Family=inet and one for Family=inet6).  A
restriction placed on one family only affects outgoing connections on that
particular family.

If DAEMON_OPTIONS is not used, then the default is

        DAEMON_OPTIONS(`Port=smtp, Name=MTA')
        DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')

If you use one DAEMON_OPTIONS macro, it will alter the parameters
of the first of these.  The second will still be defaulted; it
represents a "Message Submission Agent" (MSA) as defined by RFC
2476 (see below).  To turn off the default definition for the MSA,
use FEATURE(`no_default_msa') (see also FEATURES).  If you use
additional DAEMON_OPTIONS macros, they will add additional daemons.

Example 1:  To change the port for the SMTP listener, while
still using the MSA default, use
        DAEMON_OPTIONS(`Port=925, Name=MTA')

Example 2:  To change the port for the MSA daemon, while still
using the default SMTP port, use
        FEATURE(`no_default_msa')
        DAEMON_OPTIONS(`Name=MTA')
        DAEMON_OPTIONS(`Port=987, Name=MSA, M=E')

Note that if the first of those DAEMON_OPTIONS lines were omitted, then
there would be no listener on the standard SMTP port.

Example 3:  To listen on both IPv4 and IPv6 interfaces, use

        DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')
        DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6')

A "Message Submission Agent" still uses all of the same rulesets for
processing the message (and therefore still allows message rejection via
the check_* rulesets).  In accordance with the RFC, the MSA will ensure
that all domains in envelope addresses are fully qualified if the message
is relayed to another MTA.  It will also enforce the normal address syntax
rules and log error messages.  Additionally, by using the M=a modifier you
can require authentication before messages are accepted by the MSA.
Notice: Do NOT use the 'a' modifier on a publicly accessible MTA!  Finally,
the M=E modifier shown above disables ETRN as required by RFC 2476.

Mail filters can be defined using the INPUT_MAIL_FILTER() and MAIL_FILTER()
commands:

        INPUT_MAIL_FILTER(`sample', `S=local:/var/run/f1.sock')
        MAIL_FILTER(`myfilter', `S=inet:3333@localhost')

The INPUT_MAIL_FILTER() command causes the filter(s) to be called in the
same order they were specified by also setting confINPUT_MAIL_FILTERS.  A
filter can be defined without adding it to the input filter list by using
MAIL_FILTER() instead of INPUT_MAIL_FILTER() in your .mc file.
Alternatively, you can reset the list of filters and their order by setting
the confINPUT_MAIL_FILTERS option after all INPUT_MAIL_FILTER() commands in
your .mc file.


+----------------------------+
| MESSAGE SUBMISSION PROGRAM |
+----------------------------+

This section contains a list of caveats and a few hints for those
who want to tweak the default configuration for the MSP (which is
installed as submit.cf).

Notice: do not add options/features to submit.mc unless you are
absolutely sure you need them.  Options you may want to change
include:

- confTRUSTED_USERS, FEATURE(`use_ct_file'), and confCT_FILE for
  avoiding X-Authentication warnings.
- confTIME_ZONE to change it from the default `USE_TZ'.
- confDELIVERY_MODE is set to interactive in msp.m4 instead
  of the default background mode.
- FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses
  to the LOCAL_RELAY instead of the default relay.

The MSP performs hostname canonicalization by default.  Mail may end
up for various DNS related reasons in the MSP queue.  This problem
can be minimized by using

        FEATURE(`nocanonify', `canonify_hosts')
        define(`confDIRECT_SUBMISSION_MODIFIERS', `C')

See the discussion about nocanonify for possible side effects.

Some things are not intended to work with the MSP.  These include
features that influence the delivery process (e.g., mailertable,
aliases), or those that are only important for an SMTP server (e.g.,
virtusertable, DaemonPortOptions, multiple queues).  Moreover,
relaxing certain restrictions (RestrictQueueRun, permissions on
queue directory) or adding features (e.g., enabling prog/file mailer)
can cause security problems.
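
As an added illustration (not part of the sendmail distribution), the
Python sketch below scans a submit.mc for the items named above as
unsuited to the MSP or as security risks.  The function names, rule
identifiers and sample file are constructed for this example, and the
m4 handling is simplified (dnl remainders, lines starting with #, and
`...' quoting only).

```python
import re

# cf macros this linter inspects in a .mc file.
MACRO_RE = re.compile(r"\b(FEATURE|MAILER|DAEMON_OPTIONS|QUEUE_GROUP|define)\(")
# Features the section names as not intended to work with the MSP.
UNSUITED_FEATURES = {
    "mailertable": "influences the delivery process",
    "virtusertable": "is only important for an SMTP server",
}
# Constructed sample input, not a real site's submit.mc.
SAMPLE_SUBMIT_MC = """\
# constructed sample for the linter below
define(`confTIME_ZONE', `USE_TZ')dnl
FEATURE(`msp')dnl
dnl FEATURE(`mailertable') is commented out and must not be reported
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupWritableForwardFileSafe')dnl
define(`confPRIVACY_FLAGS', `goaway,noetrn')dnl
MAILER(`local')dnl
"""


def strip_comments(text):
    """Blank out '#' comment lines and 'dnl' remainders, keeping line numbers."""
    cleaned = []
    for line in text.splitlines():
        is_comment = line.lstrip().startswith("#")
        cleaned.append("" if is_comment else re.sub(r"\bdnl\b.*", "", line))
    return "\n".join(cleaned)


def parse_args(text, pos):
    """Split the m4 argument list that starts right after '(' at text[pos].

    Honours nested `...' quoting and nested parentheses.  Returns the
    arguments (outer quotes removed) and the index after the closing ')'.
    """
    args, cur, quote, paren = [], [], 0, 1
    while pos < len(text):
        ch = text[pos]
        if ch == "`":
            quote += 1
            if quote > 1:
                cur.append(ch)
        elif ch == "'" and quote:
            quote -= 1
            if quote:
                cur.append(ch)
        elif quote:
            cur.append(ch)
        elif ch == "," and paren == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            paren += (ch == "(") - (ch == ")")  # track unquoted nesting depth
            if paren == 0:
                args.append("".join(cur).strip())
                return args, pos + 1
            cur.append(ch)
        pos += 1
    raise ValueError("unterminated macro call")


def macro_calls(mc_text):
    """Yield (line, macro, args) for every inspected macro call."""
    text = strip_comments(mc_text)
    pos = 0
    while True:
        match = MACRO_RE.search(text, pos)
        if match is None:
            return
        args, pos = parse_args(text, match.end())
        yield text.count("\n", 0, match.start()) + 1, match.group(1), args


def lint_submit_mc(mc_text):
    """Return (line, rule, message) findings for an MSP .mc file."""
    findings = []
    for line, macro, args in macro_calls(mc_text):
        name = args[0] if args else ""
        value = args[1] if len(args) > 1 else ""
        hit = None
        if macro == "FEATURE" and name in UNSUITED_FEATURES:
            hit = ("feature-" + name, "FEATURE(%s) %s" % (name, UNSUITED_FEATURES[name]))
        elif macro == "DAEMON_OPTIONS":
            hit = ("daemon-options", "DaemonPortOptions is only important for an SMTP server")
        elif macro == "QUEUE_GROUP":
            hit = ("multiple-queues", "multiple queues are only important for an SMTP server")
        elif macro == "MAILER" and name == "local":
            # MAILER(local) defines the prog mailer along with the local mailer.
            hit = ("prog-mailer", "MAILER(local) enables the prog mailer in the MSP")
        elif macro == "define" and name == "confDONT_BLAME_SENDMAIL":
            if value.lower() not in ("", "safe"):
                hit = ("dont-blame-sendmail", "overrides file safety checks: " + value)
        elif macro == "define" and name == "confPRIVACY_FLAGS":
            # RestrictQueueRun is the restrictqrun flag of PrivacyOptions.
            flags = {flag.strip().lower() for flag in value.split(",")}
            if "restrictqrun" not in flags:
                hit = ("restrictqrun-dropped", "PrivacyOptions no longer restricts queue runs")
        if hit:
            findings.append((line,) + hit)
    return findings


if __name__ == "__main__":
    for finding in lint_submit_mc(SAMPLE_SUBMIT_MC):
        print("line %d: [%s] %s" % finding)
```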

Other things don't work well with the MSP and require tweaking or
workarounds.

The file and the map created by makemap should be owned by smmsp,
its group should be smmsp, and it should have mode 640.

feature/msp.m4 defines almost all settings for the MSP.  Most of
those should not be changed at all.  Some of the features and options
can be overridden if really necessary.  It is a bit tricky to do
this, because it depends on the actual way the option is defined
in feature/msp.m4.  If it is directly defined (i.e., define()) then
the modified value must be defined after

        FEATURE(`msp')

If it is conditionally defined (i.e., ifdef()) then the desired
value must be defined before the FEATURE line in the .mc file.
To see how the options are defined read feature/msp.m4.


+--------------------------+
| FORMAT OF FILES AND MAPS |
+--------------------------+

Files that define classes, i.e., F{classname}, consist of lines
each of which contains a single element of the class.  For example,
/etc/mail/local-host-names may have the following content:

my.domain
another.domain

Maps must be created using makemap(8), e.g.,

        makemap hash MAP < MAP

In general, a text file from which a map is created contains lines
of the form

key     value

where 'key' and 'value' are also called LHS and RHS, respectively.
By default, the delimiter between LHS and RHS is a non-empty sequence
of white space characters.


+------------------+
| DIRECTORY LAYOUT |
+------------------+

Within this directory are several subdirectories, to wit:

m4              General support routines.  These are typically
                very important and should not be changed without
                very careful consideration.

cf              The configuration files themselves.  They have
                ".mc" suffixes, and must be run through m4 to
                become complete.  The resulting output should
                have a ".cf" suffix.

ostype          Definitions describing a particular operating
                system type.  These should always be referenced
                using the OSTYPE macro in the .mc file.  Examples
                include "bsd4.3", "bsd4.4", "sunos3.5", and
                "sunos4.1".

domain          Definitions describing a particular domain, referenced
                using the DOMAIN macro in the .mc file.  These are
                site dependent; for example, "CS.Berkeley.EDU.m4"
                describes hosts in the CS.Berkeley.EDU subdomain.

mailer          Descriptions of mailers.  These are referenced using
                the MAILER macro in the .mc file.

sh              Shell files used when building the .cf file from the
                .mc file in the cf subdirectory.

feature         These hold special orthogonal features that you might
                want to include.  They should be referenced using
                the FEATURE macro.

hack            Local hacks.  These can be referenced using the HACK
                macro.  They shouldn't be of more than voyeuristic
                interest outside the .Berkeley.EDU domain, but who knows?

siteconfig      Site configuration -- e.g., tables of locally connected
                UUCP sites.


+------------------------+
| ADMINISTRATIVE DETAILS |
+------------------------+

The following sections detail usage of certain internal parts of the
sendmail.cf file.  Read them carefully if you are trying to modify
the current model.  If you find the above descriptions adequate, these
should be {boring, confusing, tedious, ridiculous} (pick one or more).

RULESETS (* means built in to sendmail)

   0 *  Parsing
   1 *  Sender rewriting
   2 *  Recipient rewriting
   3 *  Canonicalization
   4 *  Post cleanup
   5 *  Local address rewrite (after aliasing)
  1x    mailer rules (sender qualification)
  2x    mailer rules (recipient qualification)
  3x    mailer rules (sender header qualification)
  4x    mailer rules (recipient header qualification)
  5x    mailer subroutines (general)
  6x    mailer subroutines (general)
  7x    mailer subroutines (general)
  8x    reserved
  90    Mailertable host stripping
  96    Bottom half of Ruleset 3 (ruleset 6 in old sendmail)
  97    Hook for recursive ruleset 0 call (ruleset 7 in old sendmail)
  98    Local part of ruleset 0 (ruleset 8 in old sendmail)


MAILERS

   0    local, prog     local and program mailers
   1    [e]smtp, relay  SMTP channel
   2    uucp-*          UNIX-to-UNIX Copy Program
   3    netnews         Network News delivery
   4    fax             Sam Leffler's HylaFAX software
   5    mail11          DECnet mailer


MACROS

   A
   B    Bitnet Relay
   C    DECnet Relay
   D    The local domain -- usually not needed
   E    reserved for X.400 Relay
   F    FAX Relay
   G
   H    mail Hub (for mail clusters)
   I
   J
   K
   L    Luser Relay
   M    Masquerade (who you claim to be)
   N
   O
   P
   Q
   R    Relay (for unqualified names)
   S    Smart Host
   T
   U    my UUCP name (if you have a UUCP connection)
   V    UUCP Relay (class {V} hosts)
   W    UUCP Relay (class {W} hosts)
   X    UUCP Relay (class {X} hosts)
   Y    UUCP Relay (all other hosts)
   Z    Version number


CLASSES

   A
   B    domains that are candidates for bestmx lookup
   C
   D
   E    addresses that should not seem to come from $M
   F    hosts this system forwards for
   G    domains that should be looked up in genericstable
   H
   I
   J
   K
   L    addresses that should not be forwarded to $R
   M    domains that should be mapped to $M
   N    host/domains that should not be mapped to $M
   O    operators that indicate network operations (cannot be in local names)
   P    top level pseudo-domains: BITNET, DECNET, FAX, UUCP, etc.
   Q
   R    domains this system is willing to relay (pass anti-spam filters)
   S
   T
   U    locally connected UUCP hosts
   V    UUCP hosts connected to relay $V
   W    UUCP hosts connected to relay $W
   X    UUCP hosts connected to relay $X
   Y    locally connected smart UUCP hosts
   Z    locally connected domain-ized UUCP hosts
   .    the class containing only a dot
   [    the class containing only a left bracket


M4 DIVERSIONS

   1    Local host detection and resolution
   2    Local Ruleset 3 additions
   3    Local Ruleset 0 additions
   4    UUCP Ruleset 0 additions
   5    locally interpreted names (overrides $R)
   6    local configuration (at top of file)
   7    mailer definitions
   8    DNS based blacklists
   9    special local rulesets (1 and 2)

$Revision: 8.716 $, Last updated $Date: 2007/01/08 18:32:25 $