Merge sendmail 8.14.6 to HEAD

[FreeBSD/FreeBSD.git] / contrib / sendmail / doc / op / op.me

.\" Copyright (c) 1998-2005 Sendmail, Inc. and its suppliers.
.\"     All rights reserved.
.\" Copyright (c) 1983, 1995 Eric P. Allman.  All rights reserved.
.\" Copyright (c) 1983, 1993
.\"     The Regents of the University of California.  All rights reserved.
.\"
.\" By using this file, you agree to the terms and conditions set
.\" forth in the LICENSE file which can be found at the top level of
.\" the sendmail distribution.
.\"
.\"
.\"     $Id: op.me,v 8.749 2012/03/02 22:37:11 ca Exp $
.\"
.\" eqn op.me | pic | troff -me
.\"
.\" Define \(sc if not defined (for text output)
.\"
.if !c \(sc .char \(sc S
.\"
.\" Define \(dg as "*" for text output and create a new .DG macro
.\" which describes the symbol.
.\"
.if n .ds { [
.if n .ds } ]
.ie !c \(dg \{\
.char \(dg *
.de DG
an asterick
..
.\}
.el \{\
.de DG
a dagger
..
.\}
.\"
.\" Define \(dd as "#" for text output and create a new .DD macro
.\" which describes the symbol.
.\"
.ie !c \(dd \{\
.char \(dd #
.de DD
a pound sign
..
.\}
.el \{\
.de DD
a double dagger
..
.\}
.eh 'SMM:08-%''Sendmail Installation and Operation Guide'
.oh 'Sendmail Installation and Operation Guide''SMM:08-%'
.\" SD is lib if sendmail is installed in /usr/lib, sbin if in /usr/sbin
.ds SD sbin
.\" SB is bin if newaliases/mailq are installed in /usr/bin, ucb if in /usr/ucb
.ds SB bin
.nr si 3n
.de $0
.(x
.in \\$3u*3n
.ti -3n
\\$2.  \\$1
.)x
..
.de $C
.(x
.in 0
\\$1 \\$2.  \\$3
.)x
..
.+c
.(l C
.sz 16
.b SENDMAIL\u\s-6TM\s0\d
.sz 12
.sp
.b "INSTALLATION AND OPERATION GUIDE"
.(f
.b DISCLAIMER:
This documentation is under modification.
.)f
.sz 10
.sp
.r
Eric Allman
Claus Assmann
Gregory Neil Shapiro
Sendmail, Inc.
.sp
.de Ve
Version \\$2
..
.Ve $Revision: 8.749 $
.rm Ve
.sp
For Sendmail Version 8.14
.)l
.(f
Sendmail is a trademark of Sendmail, Inc.
US Patent Numbers 6865671, 6986037.
.)f
.sp 2
.pp
.i Sendmail \u\s-2TM\s0\d
implements a general purpose internetwork mail routing facility
under the UNIX\(rg
operating system.
It is not tied to any one transport protocol \*-
its function may be likened to a crossbar switch,
relaying messages from one domain into another.
In the process,
it can do a limited amount of message header editing
to put the message into a format that is appropriate
for the receiving domain.
All of this is done under the control of a configuration file.
.pp
Due to the requirements of flexibility
for
.i sendmail ,
the configuration file can seem somewhat unapproachable.
However, there are only a few basic configurations
for most sites,
for which standard configuration files have been supplied.
Most other configurations
can be built by adjusting an existing configuration file
incrementally.
.pp
.i Sendmail
is based on
RFC 821 (Simple Mail Transport Protocol),
RFC 822 (Internet Mail Headers Format),
RFC 974 (MX routing),
RFC 1123 (Internet Host Requirements),
RFC 1413 (Identification server),
RFC 1652 (SMTP 8BITMIME Extension),
RFC 1869 (SMTP Service Extensions),
RFC 1870 (SMTP SIZE Extension),
RFC 1891 (SMTP Delivery Status Notifications),
RFC 1892 (Multipart/Report),
RFC 1893 (Enhanced Mail System Status Codes),
RFC 1894 (Delivery Status Notifications),
RFC 1985 (SMTP Service Extension for Remote Message Queue Starting),
RFC 2033 (Local Message Transmission Protocol),
RFC 2034 (SMTP Service Extension for Returning Enhanced Error Codes),
RFC 2045 (MIME),
RFC 2476 (Message Submission),
RFC 2487 (SMTP Service Extension for Secure SMTP over TLS),
RFC 2554 (SMTP Service Extension for Authentication),
RFC 2821 (Simple Mail Transfer Protocol),
RFC 2822 (Internet Message Format),
RFC 2852 (Deliver By SMTP Service Extension),
and
RFC 2920 (SMTP Service Extension for Command Pipelining).
However, since
.i sendmail
is designed to work in a wider world,
in many cases it can be configured to exceed these protocols.
These cases are described herein.
.pp
Although
.i sendmail
is intended to run
without the need for monitoring,
it has a number of features
that may be used to monitor or adjust the operation
under unusual circumstances.
These features are described.
.pp
Section one describes how to do a basic
.i sendmail
installation.
Section two
explains the day-to-day information you should know
to maintain your mail system.
If you have a relatively normal site,
these two sections should contain sufficient information
for you to install
.i sendmail
and keep it happy.
Section three
has information regarding the command line arguments.
Section four
describes some parameters that may be safely tweaked.
Section five
contains the nitty-gritty information about the configuration
file.
This section is for masochists
and people who must write their own configuration file.
Section six
describes configuration that can be done at compile time.
The appendixes give a brief
but detailed explanation of a number of features
not described in the rest of the paper.
.bp 7
.sh 1 "BASIC INSTALLATION"
.pp
There are two basic steps to installing
.i sendmail .
First, you have to compile and install the binary.
If
.i sendmail
has already been ported to your operating system
that should be simple.
Second, you must build a run-time configuration file.
This is a file that
.i sendmail
reads when it starts up
that describes the mailers it knows about,
how to parse addresses,
how to rewrite the message header,
and the settings of various options.
Although the configuration file can be quite complex,
a configuration can usually be built
using an M4-based configuration language.
Assuming you have the standard
.i sendmail
distribution, see
.i cf/README
for further information.
.pp
The remainder of this section will describe the installation of
.i sendmail
assuming you can use one of the existing configurations
and that the standard installation parameters are acceptable.
All pathnames and examples
are given from the root of the
.i sendmail
subtree,
normally
.i /usr/src/usr.\*(SD/sendmail
on 4.4BSD-based systems.
.pp
Continue with the next section if you need/want to compile
.i sendmail
yourself.
If you have a running binary already on your system,
you should probably skip to section 1.2.
.sh 2 "Compiling Sendmail"
.pp
All
.i sendmail
source is in the
.i sendmail
subdirectory.
To compile sendmail,
.q cd
into the
.i sendmail
directory and type
.(b
\&./Build
.)b
This will leave the binary in an appropriately named subdirectory,
e.g.,
obj.BSD-OS.2.1.i386.
It works for multiple object versions
compiled out of the same directory.
.sh 3 "Tweaking the Build Invocation"
.pp
You can give parameters on the
.i Build
command.
In most cases these are only used when the
.i obj.*
directory is first created.
To restart from scratch, use
.i -c .
These commands include:
.nr ii 0.5i
.ip "\-L \fIlibdirs\fP"
A list of directories to search for libraries.
.ip "\-I \fIincdirs\fP"
A list of directories to search for include files.
.ip "\-E \fIenvar\fP=\fIvalue\fP"
Set an environment variable to an indicated
.i value
before compiling.
.ip "\-c"
Create a new
.i obj.*
tree before running.
.ip "\-f \fIsiteconfig\fP"
Read the indicated site configuration file.
If this parameter is not specified,
.i Build
includes
.i all
of the files
.i $BUILDTOOLS/Site/site.$oscf.m4
and
.i $BUILDTOOLS/Site/site.config.m4 ,
where $BUILDTOOLS is normally
.i \&../devtools
and $oscf is the same name as used on the
.i obj.*
directory.
See below for a description of the site configuration file.
.ip "\-S"
Skip auto-configuration.
.i Build
will avoid auto-detecting libraries if this is set.
All libraries and map definitions must be specified
in the site configuration file.
.lp
Most other parameters are passed to the
.i make
program; for details see
.i $BUILDTOOLS/README .
.sh 3 "Creating a Site Configuration File"
.\"XXX
.pp
(This section is not yet complete.
For now, see the file devtools/README for details.)
See sendmail/README for various compilation flags that can be set.
.sh 3 "Tweaking the Makefile"
.pp
.\" .b "XXX This should all be in the Site Configuration File section."
.i Sendmail
supports two different formats
for the local (on disk) version of databases,
notably the
.i aliases
database.
At least one of these should be defined if at all possible.
.nr ii 1i
.ip NDBM
The ``new DBM'' format,
available on nearly all systems around today.
This was the preferred format prior to 4.4BSD.
It allows such complex things as multiple databases
and closing a currently open database.
.ip NEWDB
The Berkeley DB package.
If you have this, use it.
It allows
long records,
multiple open databases,
real in-memory caching,
and so forth.
You can define this in conjunction with
.sm NDBM ;
if you do,
old alias databases are read,
but when a new database is created it will be in NEWDB format.
As a nasty hack,
if you have NEWDB, NDBM, and NIS defined,
and if the alias file name includes the substring
.q /yp/ ,
.i sendmail
will create both new and old versions of the alias file
during a
.i newalias
command.
This is required because the Sun NIS/YP system
reads the DBM version of the alias file.
It's ugly as sin,
but it works.
.lp
If neither of these are defined,
.i sendmail
reads the alias file into memory on every invocation.
This can be slow and should be avoided.
There are also several methods for remote database access:
.ip LDAP
Lightweight Directory Access Protocol.
.ip NIS
Sun's Network Information Services (formerly YP).
.ip NISPLUS
Sun's NIS+ services.
.ip NETINFO
NeXT's NetInfo service.
.ip HESIOD
Hesiod service (from Athena).
.lp
Other compilation flags are set in
.i conf.h
and should be predefined for you
unless you are porting to a new environment.
For more options see
.i sendmail/README .
.sh 3 "Compilation and installation"
.pp
After making the local system configuration described above,
You should be able to compile and install the system.
The script
.q Build
is the best approach on most systems:
.(b
\&./Build
.)b
This will use
.i uname (1)
to create a custom Makefile for your environment.
.pp
If you are installing in the standard places,
you should be able to install using
.(b
\&./Build install
.)b
This should install the binary in
/usr/\*(SD
and create links from
/usr/\*(SB/newaliases
and
/usr/\*(SB/mailq
to
/usr/\*(SD/sendmail.
On most systems it will also format and install man pages.
Notice: as of version 8.12
.i sendmail
will no longer be installed set-user-ID root by default.
If you really want to use the old method, you can specify it as target:
.(b
\&./Build install-set-user-id
.)b
.sh 2 "Configuration Files"
.pp
.i Sendmail
cannot operate without a configuration file.
The configuration defines the mail delivery mechanisms understood at this site,
how to access them,
how to forward email to remote mail systems,
and a number of tuning parameters.
This configuration file is detailed
in the later portion of this document.
.pp
The
.i sendmail
configuration can be daunting at first.
The world is complex,
and the mail configuration reflects that.
The distribution includes an m4-based configuration package
that hides a lot of the complexity.
See
.i cf/README
for details.
.pp
Our configuration files are processed by
.i m4
to facilitate local customization;
the directory
.i cf
of the
.i sendmail
distribution directory
contains the source files.
This directory contains several subdirectories:
.nr ii 1i
.ip cf
Both site-dependent and site-independent descriptions of hosts.
These can be literal host names
(e.g.,
.q ucbvax.mc )
when the hosts are gateways
or more general descriptions
(such as
.q "generic-solaris2.mc"
as a general description of an SMTP-connected host
running Solaris 2.x.
Files ending
.b \&.mc
(``M4 Configuration'')
are the input descriptions;
the output is in the corresponding
.b \&.cf
file.
The general structure of these files is described below.
.ip domain
Site-dependent subdomain descriptions.
These are tied to the way your organization wants to do addressing.
For example,
.b domain/CS.Berkeley.EDU.m4
is our description for hosts in the CS.Berkeley.EDU subdomain.
These are referenced using the
.sm DOMAIN
.b m4
macro in the
.b \&.mc
file.
.ip feature
Definitions of specific features that some particular host in your site
might want.
These are referenced using the
.sm FEATURE
.b m4
macro.
An example feature is
use_cw_file
(which tells
.i sendmail
to read an /etc/mail/local-host-names file on startup
to find the set of local names).
.ip hack
Local hacks, referenced using the
.sm HACK
.b m4
macro.
Try to avoid these.
The point of having them here is to make it clear that they smell.
.ip m4
Site-independent
.i m4 (1)
include files that have information common to all configuration files.
This can be thought of as a
.q #include
directory.
.ip mailer
Definitions of mailers,
referenced using the
.sm MAILER
.b m4
macro.
The mailer types that are known in this distribution are
fax,
local,
smtp,
uucp,
and usenet.
For example, to include support for the UUCP-based mailers,
use
.q MAILER(uucp) .
.ip ostype
Definitions describing various operating system environments
(such as the location of support files).
These are referenced using the
.sm OSTYPE
.b m4
macro.
.ip sh
Shell files used by the
.b m4
build process.
You shouldn't have to mess with these.
.ip siteconfig
Local UUCP connectivity information.
This directory has been supplanted by the mailertable feature;
any new configurations should use that feature to do UUCP
(and other) routing.
The use of this directory is deprecated.
.pp
If you are in a new domain
(e.g., a company),
you will probably want to create a
cf/domain
file for your domain.
This consists primarily of relay definitions
and features you want enabled site-wide:
for example, Berkeley's domain definition
defines relays for
BitNET
and UUCP.
These are specific to Berkeley,
and should be fully-qualified internet-style domain names.
Please check to make certain they are reasonable for your domain.
.pp
Subdomains at Berkeley are also represented in the
cf/domain
directory.
For example,
the domain
CS.Berkeley.EDU
is the Computer Science subdomain,
EECS.Berkeley.EDU
is the Electrical Engineering and Computer Sciences subdomain,
and
S2K.Berkeley.EDU
is the Sequoia 2000 subdomain.
You will probably have to add an entry to this directory
to be appropriate for your domain.
.pp
You will have to use or create
.b \&.mc
files in the
.i cf/cf
subdirectory for your hosts.
This is detailed in the
cf/README
file.
.sh 2 "Details of Installation Files"
.pp
This subsection describes the files that
comprise the
.i sendmail
installation.
.sh 3 "/usr/\*(SD/sendmail"
.pp
The binary for
.i sendmail
is located in /usr/\*(SD\**.
.(f
\**This is usually
/usr/sbin
on 4.4BSD and newer systems;
many systems install it in
/usr/lib.
I understand it is in /usr/ucblib
on System V Release 4.
.)f
It should be set-group-ID smmsp as described in
sendmail/SECURITY.
For security reasons,
/, /usr, and /usr/\*(SD
should be owned by root, mode 0755\**.
.(f
\**Some vendors ship them owned by bin;
this creates a security hole that is not actually related to
.i sendmail .
Other important directories that should have restrictive ownerships
and permissions are
/bin, /usr/bin, /etc, /etc/mail, /usr/etc, /lib, and /usr/lib.
.)f
.sh 3 "/etc/mail/sendmail.cf"
.pp
This is the main configuration file for
.i sendmail \**.
.(f
\**Actually, the pathname varies depending on the operating system;
/etc/mail is the preferred directory.
Some older systems install it in
.b /usr/lib/sendmail.cf ,
and I've also seen it in
.b /usr/ucblib .
If you want to move this file,
add -D_PATH_SENDMAILCF=\e"/file/name\e"
to the flags passed to the C compiler.
Moving this file is not recommended:
other programs and scripts know of this location.
.)f
This is one of the two non-library file names compiled into
.i sendmail \**,
the other is /etc/mail/submit.cf.
.(f
\**The system libraries can reference other files;
in particular, system library subroutines that
.i sendmail
calls probably reference
.i /etc/passwd
and
.i /etc/resolv.conf .
.)f
.pp
The configuration file is normally created
using the distribution files described above.
If you have a particularly unusual system configuration
you may need to create a special version.
The format of this file is detailed in later sections
of this document.
.sh 3 "/etc/mail/submit.cf"
.pp
This is the configuration file for
.i sendmail
when it is used for initial mail submission, in which case
it is also called ``Mail Submission Program'' (MSP)
in contrast to ``Mail Transfer Agent'' (MTA).
Starting with version 8.12,
.i sendmail
uses one of two different configuration files based on its operation mode
(or the new
.b \-A
option).
For initial mail submission, i.e., if one of the options
.b \-bm
(default),
.b \-bs ,
or
.b \-t
is specified, submit.cf is used (if available),
for other operations sendmail.cf is used.
Details can be found in
.i sendmail/SECURITY .
submit.cf is shipped with sendmail (in cf/cf/) and is installed by default.
If changes to the configuration need to be made, start with
cf/cf/submit.mc and follow the instruction in cf/README.
.sh 3 "/usr/\*(SB/newaliases"
.pp
The
.i newaliases
command should just be a link to
.i sendmail :
.(b
rm \-f /usr/\*(SB/newaliases
ln \-s /usr/\*(SD/sendmail /usr/\*(SB/newaliases
.)b
This can be installed in whatever search path you prefer
for your system.
.sh 3 "/usr/\*(SB/hoststat"
.pp
The
.i hoststat
command should just be a link to
.i sendmail ,
in a fashion similar to
.i newaliases .
This command lists the status of the last mail transaction
with all remote hosts.  The
.b \-v
flag will prevent the status display from being truncated.
It functions only when the
.b HostStatusDirectory
option is set.
.sh 3 "/usr/\*(SB/purgestat"
.pp
This command is also a link to
.i sendmail .
It flushes expired (Timeout.hoststatus) information that is stored in the
.b HostStatusDirectory
tree.
.sh 3 "/var/spool/mqueue"
.pp
The directory
.i /var/spool/mqueue
should be created to hold the mail queue.
This directory should be mode 0700
and owned by root.
.pp
The actual path of this directory
is defined by the
.b QueueDirectory
option of the
.i sendmail.cf
file.
To use multiple queues,
supply a value ending with an asterisk.
For example,
.i /var/spool/mqueue/qd*
will use all of the directories or symbolic links to directories
beginning with `qd' in
.i /var/spool/mqueue
as queue directories.
Do not change the queue directory structure
while sendmail is running.
.pp
If these directories have subdirectories or symbolic links to directories
named `qf', `df', and `xf', then these will be used for the different
queue file types.
That is, the data files are stored in the `df' subdirectory,
the transcript files are stored in the `xf' subdirectory, and
all others are stored in the `qf' subdirectory.
.pp
If shared memory support is compiled in,
.i sendmail
stores the available diskspace in a shared memory segment
to make the values readily available to all children without
incurring system overhead.
In this case, only the daemon updates the data;
i.e., the sendmail daemon creates the shared memory segment
and deletes it if it is terminated.
To use this,
.i sendmail
must have been compiled with support for shared memory
(-DSM_CONF_SHM)
and the option
.b SharedMemoryKey
must be set.
Notice: do not use the same key for
.i sendmail
invocations with different queue directories
or different queue group declarations.
Access to shared memory is not controlled by locks,
i.e., there is a race condition when data in the shared memory is updated.
However, since operation of
.i sendmail
does not rely on the data in the shared memory, this does not negatively
influence the behavior.
.sh 3 "/var/spool/clientmqueue"
.pp
The directory
.i /var/spool/clientmqueue
should be created to hold the mail queue.
This directory should be mode 0770
and owned by user smmsp, group smmsp.
.pp
The actual path of this directory
is defined by the
.b QueueDirectory
option of the
.i submit.cf
file.
.sh 3 "/var/spool/mqueue/.hoststat"
.pp
This is a typical value for the
.b HostStatusDirectory
option,
containing one file per host
that this sendmail has chatted with recently.
It is normally a subdirectory of
.i mqueue .
.sh 3 "/etc/mail/aliases*"
.pp
The system aliases are held in
.q /etc/mail/aliases .
A sample is given in
.q sendmail/aliases
which includes some aliases which
.i must
be defined:
.(b
cp sendmail/aliases /etc/mail/aliases
.i "edit /etc/mail/aliases"
.)b
You should extend this file with any aliases that are apropos to your system.
.pp
Normally
.i sendmail
looks at a database version of the files,
stored either in
.q /etc/mail/aliases.dir
and
.q /etc/mail/aliases.pag
or
.q /etc/mail/aliases.db
depending on which database package you are using.
The actual path of this file
is defined in the
.b AliasFile
option of the
.i sendmail.cf
file.
.pp
The permissions of the alias file and the database versions
should be 0640 to prevent local denial of service attacks
as explained in the top level
.b README
in the sendmail distribution.
If the permissions 0640 are used, be sure that only trusted users belong
to the group assigned to those files.  Otherwise, files should not even
be group readable.
.sh 3 "/etc/rc or /etc/init.d/sendmail"
.pp
It will be necessary to start up the
.i sendmail
daemon when your system reboots.
This daemon performs two functions:
it listens on the SMTP socket for connections
(to receive mail from a remote system)
and it processes the queue periodically
to insure that mail gets delivered when hosts come up.
.pp
If necessary, add the following lines to
.q /etc/rc
(or
.q /etc/rc.local
as appropriate)
in the area where it is starting up the daemons
on a BSD-base system,
or on a System-V-based system
in one of the startup files, typically
.q /etc/init.d/sendmail :
.(b
if [ \-f /usr/\*(SD/sendmail \-a \-f /etc/mail/sendmail.cf ]; then
        (cd /var/spool/mqueue; rm \-f xf*)
        /usr/\*(SD/sendmail \-bd \-q30m &
        echo \-n ' sendmail' >/dev/console
fi
.)b
The
.q cd
and
.q rm
commands insure that all transcript files have been removed;
extraneous transcript files may be left around
if the system goes down in the middle of processing a message.
The line that actually invokes
.i sendmail
has two flags:
.q \-bd
causes it to listen on the SMTP port,
and
.q \-q30m
causes it to run the queue every half hour.
.pp
Some people use a more complex startup script,
removing zero length qf/hf/Qf files and df files for which there is no
qf/hf/Qf file.
Note this is not advisable.
For example, see Figure 1
for an example of a complex script which does this clean up.
.(z
.hl
#!/bin/sh
# remove zero length qf/hf/Qf files
for qffile in qf* hf* Qf*
do
        if [ \-r $qffile ]
        then
                if [ ! \-s $qffile ]
                then
                        echo \-n " <zero: $qffile>" > /dev/console
                        rm \-f $qffile
                fi
        fi
done
# rename tf files to be qf if the qf does not exist
for tffile in tf*
do
        qffile=`echo $tffile | sed 's/t/q/'`
        if [ \-r $tffile \-a ! \-f $qffile ]
        then
                echo \-n " <recovering: $tffile>" > /dev/console
                mv $tffile $qffile
        else
                if [ \-f $tffile ]
                then
                        echo \-n " <extra: $tffile>" > /dev/console
                        rm \-f $tffile
                fi
        fi
done
# remove df files with no corresponding qf/hf/Qf files
for dffile in df*
do
        qffile=`echo $dffile | sed 's/d/q/'`
        hffile=`echo $dffile | sed 's/d/h/'`
        Qffile=`echo $dffile | sed 's/d/Q/'`
        if [ \-r $dffile \-a ! \-f $qffile \-a ! \-f $hffile \-a ! \-f $Qffile ]
        then
                echo \-n " <incomplete: $dffile>" > /dev/console
                mv $dffile `echo $dffile | sed 's/d/D/'`
        fi
done
# announce files that have been saved during disaster recovery
for xffile in [A-Z]f*
do
        if [ \-f $xffile ]
        then
                echo \-n " <panic: $xffile>" > /dev/console
        fi
done
.sp
.ce
Figure 1 \(em A complex startup script
.hl
.)z
.sh 3 "/etc/mail/helpfile"
.pp
This is the help file used by the SMTP
.b HELP
command.
It should be copied from
.q sendmail/helpfile :
.(b
cp sendmail/helpfile /etc/mail/helpfile
.)b
The actual path of this file
is defined in the
.b HelpFile
option of the
.i sendmail.cf
file.
.sh 3 "/etc/mail/statistics"
.pp
If you wish to collect statistics
about your mail traffic,
you should create the file
.q /etc/mail/statistics :
.(b
cp /dev/null /etc/mail/statistics
chmod 0600 /etc/mail/statistics
.)b
This file does not grow.
It is printed with the program
.q mailstats/mailstats.c.
The actual path of this file
is defined in the
.b S
option of the
.i sendmail.cf
file.
.sh 3 "/usr/\*(SB/mailq"
.pp
If
.i sendmail
is invoked as
.q mailq,
it will simulate the
.b \-bp
flag
(i.e.,
.i sendmail
will print the contents of the mail queue;
see below).
This should be a link to /usr/\*(SD/sendmail.
.sh 3 "sendmail.pid"
.pp
.i sendmail
stores its current pid in the file specified by the
.b PidFile
option (default is _PATH_SENDMAILPID).
.i sendmail
uses
.b TempFileMode
(which defaults to 0600) as
the permissions of that file
to prevent local denial of service attacks
as explained in the top level
.b README
in the sendmail distribution.
If the file already exists, then it might be necessary to
change the permissions accordingly, e.g.,
.(b
chmod 0600 /var/run/sendmail.pid
.)b
Note that as of version 8.13, this file is unlinked when
.i sendmail
exits.
As a result of this change, a script such as the following,
which may have worked prior to 8.13, will no longer work:
.(b
# stop & start sendmail
PIDFILE=/var/run/sendmail.pid
kill `head -1 $PIDFILE`
`tail -1 $PIDFILE`
.)b
because it assumes that the pidfile will still exist even
after killing the process to which it refers.
Below is a script which will work correctly
on both newer and older versions:
.(b
# stop & start sendmail
PIDFILE=/var/run/sendmail.pid
pid=`head -1 $PIDFILE`
cmd=`tail -1 $PIDFILE`
kill $pid
$cmd
.)b
This is just an example script, it does not perform any error checks,
e.g., whether the pidfile exists at all.
.sh 3 "Map Files"
.pp
To prevent local denial of service attacks
as explained in the top level
.b README
in the sendmail distribution,
the permissions of map files created by
.i makemap
should be 0640.
The use of 0640 implies that only trusted users belong to the group
assigned to those files.
If those files already exist, then it might be necessary to
change the permissions accordingly, e.g.,
.(b
cd /etc/mail
chmod 0640 *.db *.pag *.dir
.)b
.sh 1 "NORMAL OPERATIONS"
.sh 2 "The System Log"
.pp
The system log is supported by the
.i syslogd \|(8)
program.
All messages from
.i sendmail
are logged under the
.sm LOG_MAIL
facility\**.
.(f
\**Except on Ultrix,
which does not support facilities in the syslog.
.)f
.sh 3 "Format"
.pp
Each line in the system log
consists of a timestamp,
the name of the machine that generated it
(for logging from several machines
over the local area network),
the word
.q sendmail: ,
and a message\**.
.(f
\**This format may vary slightly if your vendor has changed
the syntax.
.)f
Most messages are a sequence of
.i name \c
=\c
.i value
pairs.
.pp
The two most common lines are logged when a message is processed.
The first logs the receipt of a message;
there will be exactly one of these per message.
Some fields may be omitted if they do not contain interesting information.
Fields are:
.ip from
The envelope sender address.
.ip size
The size of the message in bytes.
.ip class
The class (i.e., numeric precedence) of the message.
.ip pri
The initial message priority (used for queue sorting).
.ip nrcpts
The number of envelope recipients for this message
(after aliasing and forwarding).
.ip msgid
The message id of the message (from the header).
.ip bodytype
The message body type (7BIT or 8BITMIME),
as determined from the envelope.
.ip proto
The protocol used to receive this message (e.g., ESMTP or UUCP)
.ip daemon
The daemon name from the
.b DaemonPortOptions
setting.
.ip relay
The machine from which it was received.
.lp
There is also one line logged per delivery attempt
(so there can be several per message if delivery is deferred
or there are multiple recipients).
Fields are:
.ip to
A comma-separated list of the recipients to this mailer.
.ip ctladdr
The ``controlling user'', that is, the name of the user
whose credentials we use for delivery.
.ip delay
The total delay between the time this message was received
and the current delivery attempt.
.ip xdelay
The amount of time needed in this delivery attempt
(normally indicative of the speed of the connection).
.ip mailer
The name of the mailer used to deliver to this recipient.
.ip relay
The name of the host that actually accepted (or rejected) this recipient.
.ip dsn
The enhanced error code (RFC 2034) if available.
.ip stat
The delivery status.
.lp
Not all fields are present in all messages;
for example, the relay is usually not listed for local deliveries.
.sh 3 "Levels"
.pp
If you have
.i syslogd \|(8)
or an equivalent installed,
you will be able to do logging.
There is a large amount of information that can be logged.
The log is arranged as a succession of levels.
At the lowest level
only extremely strange situations are logged.
At the highest level,
even the most mundane and uninteresting events
are recorded for posterity.
As a convention,
log levels under ten
are considered generally
.q useful;
log levels above 64
are reserved for debugging purposes.
Levels from 11\-64 are reserved for verbose information
that some sites might want.
.pp
A complete description of the log levels
is given in section ``Log Level''.
.sh 2 "Dumping State"
.pp
You can ask
.i sendmail
to log a dump of the open files
and the connection cache
by sending it a
.sm SIGUSR1
signal.
The results are logged at
.sm LOG_DEBUG
priority.
.sh 2 "The Mail Queues"
.pp
Mail messages may either be delivered immediately or be held for later
delivery.
Held messages are placed into a holding directory called a mail queue.
.pp
A mail message may be queued for these reasons:
.bu
If a mail message is temporarily undeliverable, it is queued
and delivery is attempted later.
If the message is addressed to multiple recipients, it is queued
only for those recipients to whom delivery is not immediately possible.
.bu
If the SuperSafe option is set to true,
all mail messages are queued while delivery is attempted.
.bu
If the DeliveryMode option is set to queue-only or defer,
all mail is queued, and no immediate delivery is attempted.
.bu
If the load average becomes higher than the value of the QueueLA option
and the
.b QueueFactor
(\c
.b q )
option divided by the difference in the current load average and the
.b QueueLA
option plus one
is less than the priority of the message,
messages are queued rather than immediately delivered.
.bu
One or more addresses are marked as expensive and delivery is postponed
until the next queue run or one or more address are marked as held via
mailer which uses the hold mailer flag.
.bu
The mail message has been marked as quarantined via a mail filter or
rulesets.
.bu
.sh 3 "Queue Groups and Queue Directories"
.pp
There are one or more mail queues.
Each mail queue belongs to a queue group.
There is always a default queue group that is called ``mqueue''
(which is where messages go by default unless otherwise specified).
The directory or directories which comprise the default queue group
are specified by the QueueDirectory option.
There are zero or more
additional named queue groups declared using the
.b Q
command in the configuration file.
.pp
By default, a queued message is placed in the queue group
associated with the first recipient in the recipient list.
A recipient address is mapped to a queue group as follows.
First, if there is a ruleset called ``queuegroup'',
and if this ruleset maps the address to a queue group name,
then that queue group is chosen.
That is, the argument for the ruleset is the recipient address
and the result should be
.b $#
followed by the name of a queue group.
Otherwise, if the mailer associated with the address specifies
a queue group, then that queue group is chosen.
Otherwise, the default queue group is chosen.
.pp
A message with multiple recipients will be split
if different queue groups are chosen
by the mapping of recipients to queue groups.
.pp
When a message is placed in a queue group, and the queue group has
more than one queue, a queue is selected randomly.
.pp
If a message with multiple recipients is placed into a queue group
with the 'r' option (maximum number of recipients per message)
set to a positive value
.i N ,
and if there are more than
.i N
recipients
in the message, then the message will be split into multiple messages,
each of which have at most
.i N
recipients.
.pp
Notice: if multiple queue groups are used, do
.b not
move queue files around, e.g., into a different queue directory.
This may have weird effects and can cause mail not to be delivered.
Queue files and directories should be treated as opaque
and should not be manipulated directly.
.sh 3 "Queue Runs"
.pp
.i sendmail
has two different ways to process the queue(s).
The first one is to start queue runners after certain intervals
(``normal'' queue runners),
the second one is to keep queue runner processes around
(``persistent'' queue runners).
How to select either of these types is discussed in the appendix
``COMMAND LINE FLAGS''.
Persistent queue runners have the advantage that no new processes
need to be spawned at certain intervals; they just sleep for
a specified time after they finished a queue run.
Another advantage of persistent queue runners is that only one process
belonging to a workgroup (a workgroup is a set of queue groups)
collects the data for a queue run
and then multiple queue runner may go ahead using that data.
This can significantly reduce the disk I/O necessary to read the
queue files compared to starting multiple queue runners directly.
Their disadvantage is that a new queue run is only started
after all queue runners belonging to a group finished their tasks.
In case one of the queue runners tries delivery to a slow recipient site
at the end of a queue run, the next queue run may be substantially delayed.
In general this should be smoothed out due to the distribution of
those slow jobs, however, for sites with small number of
queue entries this might introduce noticable delays.
In general, persistent queue runners are only useful for
sites with big queues.
.sh 3 "Manual Intervention"
.pp
Under normal conditions the mail queue will be processed transparently.
However, you may find that manual intervention is sometimes necessary.
For example,
if a major host is down for a period of time
the queue may become clogged.
Although
.i sendmail
ought to recover gracefully when the host comes up,
you may find performance unacceptably bad in the meantime.
In that case you want to check the content of the queue
and manipulate it as explained in the next two sections.
.sh 3 "Printing the queue"
.pp
The contents of the queue(s) can be printed
using the
.i mailq
command
(or by specifying the
.b \-bp
flag to
.i sendmail ):
.(b
mailq
.)b
This will produce a listing of the queue id's,
the size of the message,
the date the message entered the queue,
and the sender and recipients.
If shared memory support is compiled in,
the flag
.b \-bP
can be used to print the number of entries in the queue(s),
provided a process updates the data.
However, as explained earlier, the output might be slightly wrong,
since access to the shared memory is not locked.
For example,
``unknown number of entries''
might be shown.
The internal counters are updated after each queue run
to the correct value again.
.sh 3 "Forcing the queue"
.pp
.i Sendmail
should run the queue automatically at intervals.
When using multiple queues,
a separate process will by default be created to
run each of the queues
unless the queue run is initiated by a user
with the verbose flag.
The algorithm is to read and sort the queue,
and then to attempt to process all jobs in order.
When it attempts to run the job,
.i sendmail
first checks to see if the job is locked.
If so, it ignores the job.
.pp
There is no attempt to insure that only one queue processor
exists at any time,
since there is no guarantee that a job cannot take forever
to process
(however,
.i sendmail
does include heuristics to try to abort jobs
that are taking absurd amounts of time;
technically, this violates RFC 821, but is blessed by RFC 1123).
Due to the locking algorithm,
it is impossible for one job to freeze the entire queue.
However,
an uncooperative recipient host
or a program recipient
that never returns
can accumulate many processes in your system.
Unfortunately,
there is no completely general way to solve this.
.pp
In some cases,
you may find that a major host going down
for a couple of days
may create a prohibitively large queue.
This will result in
.i sendmail
spending an inordinate amount of time
sorting the queue.
This situation can be fixed by moving the queue to a temporary place
and creating a new queue.
The old queue can be run later when the offending host returns to service.
.pp
To do this,
it is acceptable to move the entire queue directory:
.(b
cd /var/spool
mv mqueue omqueue; mkdir mqueue; chmod 0700 mqueue
.)b
You should then kill the existing daemon
(since it will still be processing in the old queue directory)
and create a new daemon.
.pp
To run the old mail queue, issue the following command:
.(b
/usr/\*(SD/sendmail \-C /etc/mail/queue.cf \-q
.)b
The
.b \-C
flag specifies an alternate configuration file
.b queue.cf
which should refer to the moved queue directory
.(b
O QueueDirectory=/var/spool/omqueue
.)b
and the
.b \-q
flag says to just run every job in the queue.
You can also specify the moved queue directory on the command line
.(b
/usr/\*(SD/sendmail \-oQ/var/spool/omqueue \-q
.)b
but this requires that you do not have
queue groups in the configuration file,
because those are not subdirectories of the moved directory.
See the section about ``Queue Group Declaration'' for details;
you most likely need a different configuration file to correctly deal
with this problem.
However, a proper configuration of queue groups should avoid
filling up queue directories, so you shouldn't run into
this problem.
If you have a tendency toward voyeurism,
you can use the
.b \-v
flag to watch what is going on.
.pp
When the queue is finally emptied,
you can remove the directory:
.(b
rmdir /var/spool/omqueue
.)b
.sh 3 "Quarantined Queue Items"
.pp
It is possible to "quarantine" mail messages,
otherwise known as envelopes.
Envelopes (queue files) are stored but not considered for delivery or
display unless the "quarantine" state of the envelope is undone or
delivery or display of quarantined items is requested.
Quarantined messages are tagged by using a different name for the queue
file, 'hf' instead of 'qf', and by adding the quarantine reason to the
queue file.
.pp
Delivery or display of quarantined items can be requested using the
.b \-qQ
flag to
.i sendmail
or
.i mailq .
Additionally, messages already in the queue can be quarantined or
unquarantined using the new
.b \-Q
flag to sendmail.
For example,
.(b
sendmail -Qreason -q[!][I|R|S][matchstring]
.)b
Quarantines the normal queue items matching the criteria specified by the
.b "-q[!][I|R|S][matchstring]"
using the reason given on the
.b \-Q
flag.
Likewise,
.(b
sendmail -qQ -Q[reason] -q[!][I|R|S|Q][matchstring]
.)b
Change the quarantine reason for the quarantined items matching the
criteria specified by the
.b "-q[!][I|R|S|Q][matchstring]"
using the reason given on the
.b \-Q
flag.
If there is no reason,
 unquarantine the matching items and make them normal queue items.
Note that the
.b \-qQ
flag tells sendmail to operate on quarantined items instead of normal items.
.sh 2 "Disk Based Connection Information"
.pp
.i Sendmail
stores a large amount of information about each remote system it
has connected to in memory. It is possible to preserve some
of this information on disk as well, by using the
.b HostStatusDirectory
option, so that it may be shared between several invocations of
.i sendmail .
This allows mail to be queued immediately or skipped during a queue run if
there has been a recent failure in connecting to a remote machine.
Note: information about a remote system is stored in a file
whose pathname consists of the components of the hostname in reverse order.
For example, the information for
.b host.example.com
is stored in
.b com./example./host .
For top-level domains like
.b com
this can create a large number of subdirectories
which on some filesystems can exhaust some limits.
Moreover, the performance of lookups in directory with thousands of entries
can be fairly slow depending on the filesystem implementation.
.pp
Additionally enabling
.b SingleThreadDelivery
has the added effect of single-threading mail delivery to a destination.
This can be quite helpful
if the remote machine is running an SMTP server that is easily overloaded
or cannot accept more than a single connection at a time,
but can cause some messages to be punted to a future queue run.
It also applies to
.i all
hosts, so setting this because you have one machine on site
that runs some software that is easily overrun
can cause mail to other hosts to be slowed down.
If this option is set,
you probably want to set the
.b MinQueueAge
option as well and run the queue fairly frequently;
this way jobs that are skipped because another
.i sendmail
is talking to the same host will be tried again quickly
rather than being delayed for a long time.
.pp
The disk based host information is stored in a subdirectory of the
.b mqueue
directory called
.b \&.hoststat \**.
.(f
\**This is the usual value of the
.b HostStatusDirectory
option;
it can, of course, go anywhere you like in your filesystem.
.)f
Removing this directory and its subdirectories has an effect similar to
the
.i purgestat
command and is completely safe.
However,
.i purgestat
only removes expired (Timeout.hoststatus) data.
The information in these directories can
be perused with the
.i hoststat
command, which will indicate the host name, the last access, and the
status of that access.
An asterisk in the left most column indicates that a
.i sendmail
process currently has the host locked for mail delivery.
.pp
The disk based connection information is treated the same way as memory based
connection information for the purpose of timeouts.
By default, information about host failures is valid for 30 minutes.
This can be adjusted with
the
.b Timeout.hoststatus
option.
.pp
The connection information stored on disk may be expired at any time
with the
.i purgestat
command or by invoking sendmail with the
.b \-bH
switch.
The connection information may be viewed with the
.i hoststat
command or by invoking sendmail with the
.b \-bh
switch.
.sh 2 "The Service Switch"
.pp
The implementation of certain system services
such as host and user name lookup
is controlled by the service switch.
If the host operating system supports such a switch,
and sendmail knows about it,
.i sendmail
will use the native version.
Ultrix, Solaris, and DEC OSF/1 are examples of such systems\**.
.(f
\**HP-UX 10 has service switch support,
but since the APIs are apparently not available in the libraries
.i sendmail
does not use the native service switch in this release.
.)f
.pp
If the underlying operating system does not support a service switch
(e.g., SunOS 4.X, HP-UX, BSD)
then
.i sendmail
will provide a stub implementation.
The
.b ServiceSwitchFile
option points to the name of a file that has the service definitions.
Each line has the name of a service
and the possible implementations of that service.
For example, the file:
.(b
hosts   dns files nis
aliases files nis
.)b
will ask
.i sendmail
to look for hosts in the Domain Name System first.
If the requested host name is not found, it tries local files,
and if that fails it tries NIS.
Similarly, when looking for aliases
it will try the local files first followed by NIS.
.pp
Notice: since
.i sendmail
must access MX records for correct operation, it will use
DNS if it is configured in the
.b ServiceSwitchFile
file.
Hence an entry like
.(b
hosts   files dns
.)b
will not avoid DNS lookups even if a host can be found
in /etc/hosts.
.pp
Service switches are not completely integrated.
For example, despite the fact that the host entry listed in the above example
specifies to look in NIS,
on SunOS this won't happen because the system implementation of
.i gethostbyname \|(3)
doesn't understand this.
.sh 2 "The Alias Database"
.pp
After recipient addresses are read from the SMTP connection
or command line
they are parsed by ruleset 0,
which must resolve to a
{\c
.i mailer ,
.i host ,
.i address }
triple.
If the flags selected by the
.i mailer
include the
.b A
(aliasable) flag,
the
.i address
part of the triple is looked up as the key
(i.e., the left hand side)
in the alias database.
If there is a match, the address is deleted from the send queue
and all addresses on the right hand side of the alias
are added in place of the alias that was found.
This is a recursive operation,
so aliases found in the right hand side of the alias
are similarly expanded.
.pp
The alias database exists in two forms.
One is a text form,
maintained in the file
.i /etc/mail/aliases.
The aliases are of the form
.(b
name: name1, name2, ...
.)b
Only local names may be aliased;
e.g.,
.(b
eric@prep.ai.MIT.EDU: eric@CS.Berkeley.EDU
.)b
will not have the desired effect
(except on prep.ai.MIT.EDU,
and they probably don't want me)\**.
.(f
\**Actually, any mailer that has the `A' mailer flag set
will permit aliasing;
this is normally limited to the local mailer.
.)f
Aliases may be continued by starting any continuation lines
with a space or a tab or by putting a backslash directly before
the newline.
Blank lines and lines beginning with a sharp sign
(\c
.q # )
are comments.
.pp
The second form is processed by the
.i ndbm \|(3)\**
.(f
\**The
.i gdbm
package does not work.
.)f
or the Berkeley DB library.
This form is in the file
.i /etc/mail/aliases.db
(if using NEWDB)
or
.i /etc/mail/aliases.dir
and
.i /etc/mail/aliases.pag
(if using NDBM).
This is the form that
.i sendmail
actually uses to resolve aliases.
This technique is used to improve performance.
.pp
The control of search order is actually set by the service switch.
Essentially, the entry
.(b
O AliasFile=switch:aliases
.)b
is always added as the first alias entry;
also, the first alias file name without a class
(e.g., without
.q nis:
on the front)
will be used as the name of the file for a ``files'' entry
in the aliases switch.
For example, if the configuration file contains
.(b
O AliasFile=/etc/mail/aliases
.)b
and the service switch contains
.(b
aliases nis files nisplus
.)b
then aliases will first be searched in the NIS database,
then in /etc/mail/aliases,
then in the NIS+ database.
.pp
You can also use
.sm NIS -based
alias files.
For example, the specification:
.(b
O AliasFile=/etc/mail/aliases
O AliasFile=nis:mail.aliases@my.nis.domain
.)b
will first search the /etc/mail/aliases file
and then the map named
.q mail.aliases
in
.q my.nis.domain .
Warning: if you build your own
.sm NIS -based
alias files,
be sure to provide the
.b \-l
flag to
.i makedbm (8)
to map upper case letters in the keys to lower case;
otherwise, aliases with upper case letters in their names
won't match incoming addresses.
.pp
Additional flags can be added after the colon
exactly like a
.b K
line \(em for example:
.(b
O AliasFile=nis:\-N mail.aliases@my.nis.domain
.)b
will search the appropriate NIS map and always include null bytes in the key.
Also:
.(b
O AliasFile=nis:\-f mail.aliases@my.nis.domain
.)b
will prevent sendmail from downcasing the key before the alias lookup.
.sh 3 "Rebuilding the alias database"
.pp
The
.i hash
or
.i dbm
version of the database
may be rebuilt explicitly by executing the command
.(b
newaliases
.)b
This is equivalent to giving
.i sendmail
the
.b \-bi
flag:
.(b
/usr/\*(SD/sendmail \-bi
.)b
.pp
If you have multiple aliases databases specified,
the
.b \-bi
flag rebuilds all the database types it understands
(for example, it can rebuild NDBM databases but not NIS databases).
.sh 3 "Potential problems"
.pp
There are a number of problems that can occur
with the alias database.
They all result from a
.i sendmail
process accessing the DBM version
while it is only partially built.
This can happen under two circumstances:
One process accesses the database
while another process is rebuilding it,
or the process rebuilding the database dies
(due to being killed or a system crash)
before completing the rebuild.
.pp
Sendmail has three techniques to try to relieve these problems.
First, it ignores interrupts while rebuilding the database;
this avoids the problem of someone aborting the process
leaving a partially rebuilt database.
Second,
it locks the database source file during the rebuild \(em
but that may not work over NFS or if the file is unwritable.
Third,
at the end of the rebuild
it adds an alias of the form
.(b
@: @
.)b
(which is not normally legal).
Before
.i sendmail
will access the database,
it checks to insure that this entry exists\**.
.(f
\**The
.b AliasWait
option is required in the configuration
for this action to occur.
This should normally be specified.
.)f
.sh 3 "List owners"
.pp
If an error occurs on sending to a certain address,
say
.q \fIx\fP ,
.i sendmail
will look for an alias
of the form
.q owner-\fIx\fP
to receive the errors.
This is typically useful
for a mailing list
where the submitter of the list
has no control over the maintenance of the list itself;
in this case the list maintainer would be the owner of the list.
For example:
.(b
unix-wizards: eric@ucbarpa, wnj@monet, nosuchuser,
        sam@matisse
owner-unix-wizards: unix-wizards-request
unix-wizards-request: eric@ucbarpa
.)b
would cause
.q eric@ucbarpa
to get the error that will occur
when someone sends to
unix-wizards
due to the inclusion of
.q nosuchuser
on the list.
.pp
List owners also cause the envelope sender address to be modified.
The contents of the owner alias are used if they point to a single user,
otherwise the name of the alias itself is used.
For this reason, and to obey Internet conventions,
the
.q owner-
address normally points at the
.q -request
address; this causes messages to go out with the typical Internet convention
of using ``\c
.i list -request''
as the return address.
.sh 2 "User Information Database"
.pp
This option is deprecated, use virtusertable and genericstable instead
as explained in
.i cf/README .
If you have a version of
.i sendmail
with the user information database
compiled in,
and you have specified one or more databases using the
.b U
option,
the databases will be searched for a
.i user :maildrop
entry.
If found, the mail will be sent to the specified address.
.sh 2 "Per-User Forwarding (.forward Files)"
.pp
As an alternative to the alias database,
any user may put a file with the name
.q .forward
in his or her home directory.
If this file exists,
.i sendmail
redirects mail for that user
to the list of addresses listed in the .forward file.
Note that aliases are fully expanded before forward files are referenced.
For example, if the home directory for user
.q mckusick
has a .forward file with contents:
.(b
mckusick@ernie
kirk@calder
.)b
then any mail arriving for
.q mckusick
will be redirected to the specified accounts.
.pp
Actually, the configuration file defines a sequence of filenames to check.
By default, this is the user's .forward file,
but can be defined to be more generally using the
.b ForwardPath
option.
If you change this,
you will have to inform your user base of the change;
\&.forward is pretty well incorporated into the collective subconscious.
.sh 2 "Special Header Lines"
.pp
Several header lines have special interpretations
defined by the configuration file.
Others have interpretations built into
.i sendmail
that cannot be changed without changing the code.
These built-ins are described here.
.sh 3 "Errors-To:"
.pp
If errors occur anywhere during processing,
this header will cause error messages to go to
the listed addresses.
This is intended for mailing lists.
.pp
The Errors-To: header was created in the bad old days
when UUCP didn't understand the distinction between an envelope and a header;
this was a hack to provide what should now be passed
as the envelope sender address.
It should go away.
It is only used if the
.b UseErrorsTo
option is set.
.pp
The Errors-To: header is officially deprecated
and will go away in a future release.
.sh 3 "Apparently-To:"
.pp
RFC 822 requires at least one recipient field
(To:, Cc:, or Bcc: line)
in every message.
If a message comes in with no recipients listed in the message
then
.i sendmail
will adjust the header based on the
.q NoRecipientAction
option.
One of the possible actions is to add an
.q "Apparently-To:"
header line for any recipients it is aware of.
.pp
The Apparently-To: header is non-standard
and is both deprecated and strongly discouraged.
.sh 3 "Precedence"
.pp
The Precedence: header can be used as a crude control of message priority.
It tweaks the sort order in the queue
and can be configured to change the message timeout values.
The precedence of a message also controls how
delivery status notifications (DSNs)
are processed for that message.
.sh 2 "IDENT Protocol Support"
.pp
.i Sendmail
supports the IDENT protocol as defined in RFC 1413.
Note that the RFC states
a client should wait at least 30 seconds for a response.
The default Timeout.ident is 5 seconds
as many sites have adopted the practice of dropping IDENT queries.
This has lead to delays processing mail.
Although this enhances identification
of the author of an email message
by doing a ``call back'' to the originating system to include
the owner of a particular TCP connection
in the audit trail
it is in no sense perfect;
a determined forger can easily spoof the IDENT protocol.
The following description is excerpted from RFC 1413:
.ba +5
.lp
6.  Security Considerations
.lp
The information returned by this protocol is at most as trustworthy
as the host providing it OR the organization operating the host.  For
example, a PC in an open lab has few if any controls on it to prevent
a user from having this protocol return any identifier the user
wants.  Likewise, if the host has been compromised the information
returned may be completely erroneous and misleading.
.lp
The Identification Protocol is not intended as an authorization or
access control protocol.  At best, it provides some additional
auditing information with respect to TCP connections.  At worst, it
can provide misleading, incorrect, or maliciously incorrect
information.
.lp
The use of the information returned by this protocol for other than
auditing is strongly discouraged.  Specifically, using Identification
Protocol information to make access control decisions - either as the
primary method (i.e., no other checks) or as an adjunct to other
methods may result in a weakening of normal host security.
.lp
An Identification server may reveal information about users,
entities, objects or processes which might normally be considered
private.  An Identification server provides service which is a rough
analog of the CallerID services provided by some phone companies and
many of the same privacy considerations and arguments that apply to
the CallerID service apply to Identification.  If you wouldn't run a
"finger" server due to privacy considerations you may not want to run
this protocol.
.ba
.lp
In some cases your system may not work properly with IDENT support
due to a bug in the TCP/IP implementation.
The symptoms will be that for some hosts
the SMTP connection will be closed
almost immediately.
If this is true or if you do not want to use IDENT,
you should set the IDENT timeout to zero;
this will disable the IDENT protocol.
.sh 1 "ARGUMENTS"
.pp
The complete list of arguments to
.i sendmail
is described in detail in Appendix A.
Some important arguments are described here.
.sh 2 "Queue Interval"
.pp
The amount of time between forking a process
to run through the queue is defined by the
.b \-q
flag.
If you run with delivery mode set to
.b i
or
.b b
this can be relatively large, since it will only be relevant
when a host that was down comes back up.
If you run in
.b q
mode it should be relatively short,
since it defines the maximum amount of time that a message
may sit in the queue.
(See also the MinQueueAge option.)
.pp
RFC 1123 section 5.3.1.1 says that this value should be at least 30 minutes
(although that probably doesn't make sense if you use ``queue-only'' mode).
.pp
Notice: the meaning of the interval time depends on whether normal
queue runners or persistent queue runners are used.
For the former, it is the time between subsequent starts of a queue run.
For the latter, it is the time sendmail waits after a persistent queue
runner has finished its work to start the next one.
Hence for persistent queue runners this interval should be very low,
typically no more than two minutes.
.sh 2 "Daemon Mode"
.pp
If you allow incoming mail over an IPC connection,
you should have a daemon running.
This should be set by your
.i /etc/rc
file using the
.b \-bd
flag.
The
.b \-bd
flag and the
.b \-q
flag may be combined in one call:
.(b
/usr/\*(SD/sendmail \-bd \-q30m
.)b
.pp
An alternative approach is to invoke sendmail from
.i inetd (8)
(use the
.b \-bs \ \-Am
flags to ask sendmail to speak SMTP on its standard input and output
and to run as MTA).
This works and allows you to wrap
.i sendmail
in a TCP wrapper program,
but may be a bit slower since the configuration file
has to be re-read on every message that comes in.
If you do this, you still need to have a
.i sendmail
running to flush the queue:
.(b
/usr/\*(SD/sendmail \-q30m
.)b
.sh 2 "Forcing the Queue"
.pp
In some cases you may find that the queue has gotten clogged for some reason.
You can force a queue run
using the
.b \-q
flag (with no value).
It is entertaining to use the
.b \-v
flag (verbose)
when this is done to watch what happens:
.(b
/usr/\*(SD/sendmail \-q \-v
.)b
.pp
You can also limit the jobs to those with a particular queue identifier,
recipient, sender, quarantine reason, or queue group
using one of the queue modifiers.
For example,
.q \-qRberkeley
restricts the queue run to jobs that have the string
.q berkeley
somewhere in one of the recipient addresses.
Similarly,
.q \-qSstring
limits the run to particular senders,
.q \-qIstring
limits it to particular queue identifiers, and
.q \-qQstring
limits it to particular quarantined reasons and only operated on
quarantined queue items, and
.q \-qGstring
limits it to a particular queue group.
The named queue group will be run even if it is set to have 0 runners.
You may also place an
.b !
before the
.b I
or
.b R
or
.b S
or
.b Q
to indicate that jobs are limited to not including a particular queue
identifier, recipient or sender.
For example,
.q \-q!Rseattle
limits the queue run to jobs that do not have the string
.q seattle
somewhere in one of the recipient addresses.
Should you need to terminate the queue jobs currently active then a SIGTERM
to the parent of the process (or processes) will cleanly stop the jobs.
.sh 2 "Debugging"
.pp
There are a fairly large number of debug flags
built into
.i sendmail .
Each debug flag has a category and a level.
Higher levels increase the level of debugging activity;
in most cases, this means to print out more information.
The convention is that levels greater than nine are
.q absurd,
i.e.,
they print out so much information that you wouldn't normally
want to see them except for debugging that particular piece of code.
.pp
You should
.b never
run a production sendmail server in debug mode.
Many of the debug flags will result in debug output being sent over the
SMTP channel unless the option
.b \-D
is used.
This will confuse many mail programs.
However, for testing purposes, it can be useful
when sending mail manually via
telnet to the port you are using while debugging.
.pp
A debug category is either an integer, like 42,
or a name, like ANSI.
You can specify a range of numeric debug categories
using the syntax 17-42.
You can specify a set of named debug categories using
a glob pattern like
.q sm_trace_* .
At present, only
.q *
and
.q ?
are supported in these glob patterns.
.pp
Debug flags are set using the
.b \-d
option;
the syntax is:
.(b
.ta \w'debug-categories:M 'u
debug-flag:     \fB\-d\fP debug-list
debug-list:     debug-option [ , debug-option ]*
debug-option:   debug-categories [ . debug-level ]
debug-categories:       integer | integer \- integer | category-pattern
category-pattern:       [a-zA-Z_*?][a-zA-Z0-9_*?]*
debug-level:    integer
.)b
where spaces are for reading ease only.
For example,
.(b
\-d12   Set category 12 to level 1
\-d12.3 Set category 12 to level 3
\-d3\-17        Set categories 3 through 17 to level 1
\-d3\-17.4      Set categories 3 through 17 to level 4
\-dANSI Set category ANSI to level 1
\-dsm_trace_*.3 Set all named categories matching sm_trace_* to level 3
.)b
For a complete list of the available debug flags
you will have to look at the code
and the
.i TRACEFLAGS
file in the sendmail distribution
(they are too dynamic to keep this document up to date).
For a list of named debug categories in the sendmail binary, use
.(b
ident /usr/sbin/sendmail | grep Debug
.)b
.sh 2 "Changing the Values of Options"
.pp
Options can be overridden using the
.b \-o
or
.b \-O
command line flags.
For example,
.(b
/usr/\*(SD/sendmail \-oT2m
.)b
sets the
.b T
(timeout) option to two minutes
for this run only;
the equivalent line using the long option name is
.(b
/usr/\*(SD/sendmail -OTimeout.queuereturn=2m
.)b
.pp
Some options have security implications.
Sendmail allows you to set these,
but relinquishes its set-user-ID or set-group-ID permissions thereafter\**.
.(f
\**That is, it sets its effective uid to the real uid;
thus, if you are executing as root,
as from root's crontab file or during system startup
the root permissions will still be honored.
.)f
.sh 2 "Trying a Different Configuration File"
.pp
An alternative configuration file
can be specified using the
.b \-C
flag; for example,
.(b
/usr/\*(SD/sendmail \-Ctest.cf \-oQ/tmp/mqueue
.)b
uses the configuration file
.i test.cf
instead of the default
.i /etc/mail/sendmail.cf.
If the
.b \-C
flag has no value
it defaults to
.i sendmail.cf
in the current directory.
.pp
.i Sendmail
gives up set-user-ID root permissions
(if it has been installed set-user-ID root)
when you use this flag, so it is common to use a publicly writable directory
(such as /tmp)
as the queue directory (QueueDirectory or Q option) while testing.
.sh 2 "Logging Traffic"
.pp
Many SMTP implementations do not fully implement the protocol.
For example, some personal computer based SMTPs
do not understand continuation lines in reply codes.
These can be very hard to trace.
If you suspect such a problem, you can set traffic logging using the
.b \-X
flag.
For example,
.(b
/usr/\*(SD/sendmail \-X /tmp/traffic \-bd
.)b
will log all traffic in the file
.i /tmp/traffic .
.pp
This logs a lot of data very quickly and should
.b NEVER
be used
during normal operations.
After starting up such a daemon,
force the errant implementation to send a message to your host.
All message traffic in and out of
.i sendmail ,
including the incoming SMTP traffic,
will be logged in this file.
.sh 2 "Testing Configuration Files"
.pp
When you build a configuration table,
you can do a certain amount of testing
using the
.q "test mode"
of
.i sendmail .
For example,
you could invoke
.i sendmail
as:
.(b
sendmail \-bt \-Ctest.cf
.)b
which would read the configuration file
.q test.cf
and enter test mode.
In this mode,
you enter lines of the form:
.(b
rwset address
.)b
where
.i rwset
is the rewriting set you want to use
and
.i address
is an address to apply the set to.
Test mode shows you the steps it takes
as it proceeds,
finally showing you the address it ends up with.
You may use a comma separated list of rwsets
for sequential application of rules to an input.
For example:
.(b
3,1,21,4 monet:bollard
.)b
first applies ruleset three to the input
.q monet:bollard.
Ruleset one is then applied to the output of ruleset three,
followed similarly by rulesets twenty-one and four.
.pp
If you need more detail,
you can also use the
.q \-d21
flag to turn on more debugging.
For example,
.(b
sendmail \-bt \-d21.99
.)b
turns on an incredible amount of information;
a single word address
is probably going to print out several pages worth of information.
.pp
You should be warned that internally,
.i sendmail
applies ruleset 3 to all addresses.
In test mode
you will have to do that manually.
For example, older versions allowed you to use
.(b
0 bruce@broadcast.sony.com
.)b
This version requires that you use:
.(b
3,0 bruce@broadcast.sony.com
.)b
.pp
As of version 8.7,
some other syntaxes are available in test mode:
.nr ii 1i
.ip \&.D\|x\|value
defines macro
.i x
to have the indicated
.i value .
This is useful when debugging rules that use the
.b $& \c
.i x
syntax.
.ip \&.C\|c\|value
adds the indicated
.i value
to class
.i c .
.ip \&=S\|ruleset
dumps the contents of the indicated ruleset.
.ip \-d\|debug-spec
is equivalent to the command-line flag.
.lp
Version 8.9 introduced more features:
.nr ii 1i
.ip ?
shows a help message.
.ip =M
display the known mailers.
.ip $m
print the value of macro m.
.ip $=c
print the contents of class c.
.ip /mx\ host
returns the MX records for `host'.
.ip /parse\ address
parse address, returning the value of
.i crackaddr ,
and the parsed address.
.ip /try\ mailer\ addr
rewrite address into the form it will have when
presented to the indicated mailer.
.ip /tryflags\ flags
set flags used by parsing.  The flags can be `H' for
Header or `E' for Envelope, and `S' for Sender or `R'
for Recipient.  These can be combined, `HR' sets
flags for header recipients.
.ip /canon\ hostname
try to canonify hostname.
.ip /map\ mapname\ key
look up `key' in the indicated `mapname'.
.ip /quit
quit address test mode.
.lp
.sh 2 "Persistent Host Status Information"
.pp
When
.b HostStatusDirectory
is enabled,
information about the status of hosts is maintained on disk
and can thus be shared between different instantiations of
.i sendmail .
The status of the last connection with each remote host
may be viewed with the command:
.(b
sendmail \-bh
.)b
This information may be flushed with the command:
.(b
sendmail \-bH
.)b
Flushing the information prevents new
.i sendmail
processes from loading it,
but does not prevent existing processes from using the status information
that they already have.
.sh 1 "TUNING"
.pp
There are a number of configuration parameters
you may want to change,
depending on the requirements of your site.
Most of these are set
using an option in the configuration file.
For example,
the line
.q "O Timeout.queuereturn=5d"
sets option
.q Timeout.queuereturn
to the value
.q 5d
(five days).
.pp
Most of these options have appropriate defaults for most sites.
However,
sites having very high mail loads may find they need to tune them
as appropriate for their mail load.
In particular,
sites experiencing a large number of small messages,
many of which are delivered to many recipients,
may find that they need to adjust the parameters
dealing with queue priorities.
.pp
All versions of
.i sendmail
prior to 8.7
had single character option names.
As of 8.7,
options have long (multi-character names).
Although old short names are still accepted,
most new options do not have short equivalents.
.pp
This section only describes the options you are most likely
to want to tweak;
read section
.\"XREF
5
for more details.
.sh 2 "Timeouts"
.pp
All time intervals are set
using a scaled syntax.
For example,
.q 10m
represents ten minutes, whereas
.q 2h30m
represents two and a half hours.
The full set of scales is:
.(b
.ta 4n
s       seconds
m       minutes
h       hours
d       days
w       weeks
.)b
.sh 3 "Queue interval"
.pp
The argument to the
.b \-q
flag specifies how often a sub-daemon will run the queue.
This is typically set to between fifteen minutes and one hour.
If not set, or set to zero,
the queue will not be run automatically.
RFC 1123 section 5.3.1.1 recommends that this be at least 30 minutes.
Should you need to terminate the queue jobs currently active then a SIGTERM
to the parent of the process (or processes) will cleanly stop the jobs.
.sh 3 "Read timeouts"
.pp
Timeouts all have option names
.q Timeout.\fIsuboption\fP .
Most of these control SMTP operations.
The recognized
.i suboption s,
their default values, and the minimum values
allowed by RFC 2821 section 4.5.3.2 (or RFC 1123 section 5.3.2) are:
.nr ii 1i
.ip connect
The time to wait for an SMTP connection to open
(the
.i connect (2)
system call)
[0, unspecified].
If zero, uses the kernel default.
In no case can this option extend the timeout
longer than the kernel provides, but it can shorten it.
This is to get around kernels that provide an absurdly long connection timeout
(90 minutes in one case).
.ip iconnect
The same as
.i connect,
except it applies only to the initial attempt to connect to a host
for a given message
[0, unspecified].
The concept is that this should be very short (a few seconds);
hosts that are well connected and responsive will thus be serviced immediately.
Hosts that are slow will not hold up other deliveries in the initial
delivery attempt.
.ip aconnect
[0, unspecified]
The overall timeout waiting for all connection for a single delivery
attempt to succeed.
If 0, no overall limit is applied.
This can be used to restrict the total amount of time trying to connect to
a long list of host that could accept an e-mail for the recipient.
This timeout does not apply to
.b FallbackMXhost ,
i.e., if the time is exhausted, the
.b FallbackMXhost
is tried next.
.ip initial
The wait for the initial 220 greeting message
[5m, 5m].
.ip helo
The wait for a reply from a HELO or EHLO command
[5m, unspecified].
This may require a host name lookup, so
five minutes is probably a reasonable minimum.
.ip mail\(dg
The wait for a reply from a MAIL command
[10m, 5m].
.ip rcpt\(dg
The wait for a reply from a RCPT command
[1h, 5m].
This should be long
because it could be pointing at a list
that takes a long time to expand
(see below).
.ip datainit\(dg
The wait for a reply from a DATA command
[5m, 2m].
.ip datablock\(dg\(dd
The wait for reading a data block
(that is, the body of the message).
[1h, 3m].
This should be long because it also applies to programs
piping input to
.i sendmail
which have no guarantee of promptness.
.ip datafinal\(dg
The wait for a reply from the dot terminating a message.
[1h, 10m].
If this is shorter than the time actually needed
for the receiver to deliver the message,
duplicates will be generated.
This is discussed in RFC 1047.
.ip rset
The wait for a reply from a RSET command
[5m, unspecified].
.ip quit
The wait for a reply from a QUIT command
[2m, unspecified].
.ip misc
The wait for a reply from miscellaneous (but short) commands
such as NOOP (no-operation) and VERB (go into verbose mode).
[2m, unspecified].
.ip command\(dg\(dd
In server SMTP,
the time to wait for another command.
[1h, 5m].
.ip ident\(dd
The timeout waiting for a reply to an IDENT query
[5s\**, unspecified].
.(f
\**On some systems the default is zero to turn the protocol off entirely.
.)f
.ip lhlo
The wait for a reply to an LMTP LHLO command
[2m, unspecified].
.ip auth
The timeout for a reply in an SMTP AUTH dialogue
[10m, unspecified].
.ip starttls
The timeout for a reply to an SMTP STARTTLS command and the TLS handshake
[1h, unspecified].
.ip fileopen\(dd
The timeout for opening .forward and :include: files [60s, none].
.ip control\(dd
The timeout for a complete control socket transaction to complete [2m, none].
.ip hoststatus\(dd
How long status information about a host
(e.g., host down)
will be cached before it is considered stale
[30m, unspecified].
.ip resolver.retrans\(dd
The resolver's
retransmission time interval
(in seconds)
[varies].
Sets both
.i Timeout.resolver.retrans.first
and
.i Timeout.resolver.retrans.normal .
.ip resolver.retrans.first\(dd
The resolver's
retransmission time interval
(in seconds)
for the first attempt to
deliver a message
[varies].
.ip resolver.retrans.normal\(dd
The resolver's
retransmission time interval
(in seconds)
for all resolver lookups
except the first delivery attempt
[varies].
.ip resolver.retry\(dd
The number of times
to retransmit a resolver query.
Sets both
.i Timeout.resolver.retry.first
and
.i Timeout.resolver.retry.normal
[varies].
.ip resolver.retry.first\(dd
The number of times
to retransmit a resolver query
for the first attempt
to deliver a message
[varies].
.ip resolver.retry.normal\(dd
The number of times
to retransmit a resolver query
for all resolver lookups
 except the first delivery attempt
[varies].
.lp
For compatibility with old configuration files,
if no
.i suboption
is specified,
all the timeouts marked with
.DG
(\(dg) are set to the indicated value.
All but those marked with
.DD
(\(dd) apply to client SMTP.
.pp
For example, the lines:
.(b
O Timeout.command=25m
O Timeout.datablock=3h
.)b
sets the server SMTP command timeout to 25 minutes
and the input data block timeout to three hours.
.sh 3 "Message timeouts"
.pp
After sitting in the queue for a few days,
an undeliverable message will time out.
This is to insure that at least the sender is aware
of the inability to send a message.
The timeout is typically set to five days.
It is sometimes considered convenient to also send a warning message
if the message is in the queue longer than a few hours
(assuming you normally have good connectivity;
if your messages normally took several hours to send
you wouldn't want to do this because it wouldn't be an unusual event).
These timeouts are set using the
.b Timeout.queuereturn
and
.b Timeout.queuewarn
options in the configuration file
(previously both were set using the
.b T
option).
.pp
If the message is submitted using the
.sm NOTIFY
.sm SMTP
extension,
warning messages will only be sent if
.sm NOTIFY=DELAY
is specified.
The queuereturn and queuewarn timeouts
can be further qualified with a tag based on the Precedence: field
in the message;
they must be one of
.q urgent
(indicating a positive non-zero precedence),
.q normal
(indicating a zero precedence), or
.q non-urgent
(indicating negative precedences).
For example, setting
.q Timeout.queuewarn.urgent=1h
sets the warning timeout for urgent messages only
to one hour.
The default if no precedence is indicated
is to set the timeout for all precedences.
If the message has a normal (default) precedence
and it is a delivery status notification (DSN),
.b Timeout.queuereturn.dsn
and
.b Timeout.queuewarn.dsn
can be used to give an alternative warn and return time
for DSNs.
The value "now" can be used for
-O Timeout.queuereturn
to return entries immediately during a queue run,
e.g., to bounce messages independent of their time in the queue.
.pp
Since these options are global,
and since you cannot know
.i "a priori"
how long another host outside your domain will be down,
a five day timeout is recommended.
This allows a recipient to fix the problem even if it occurs
at the beginning of a long weekend.
RFC 1123 section 5.3.1.1 says that this parameter
should be ``at least 4\-5 days''.
.pp
The
.b Timeout.queuewarn
value can be piggybacked on the
.b T
option by indicating a time after which
a warning message should be sent;
the two timeouts are separated by a slash.
For example, the line
.(b
OT5d/4h
.)b
causes email to fail after five days,
but a warning message will be sent after four hours.
This should be large enough that the message will have been tried
several times.
.sh 2 "Forking During Queue Runs"
.pp
By setting the
.b ForkEachJob
(\c
.b Y )
option,
.i sendmail
will fork before each individual message
while running the queue.
This option was used with earlier releases to prevent
.i sendmail
from consuming large amounts of memory.
It should no longer be necessary with
.i sendmail
8.12.
If the
.b ForkEachJob
option is not set,
.i sendmail
will keep track of hosts that are down during a queue run,
which can improve performance dramatically.
.pp
If the
.b ForkEachJob
option is set,
.i sendmail
cannot use connection caching.
.sh 2 "Queue Priorities"
.pp
Every message is assigned a priority when it is first instantiated,
consisting of the message size (in bytes)
offset by the message class
(which is determined from the Precedence: header)
times the
.q "work class factor"
and the number of recipients times the
.q "work recipient factor."
The priority is used to order the queue.
Higher numbers for the priority mean that the message will be processed later
when running the queue.
.pp
The message size is included so that large messages are penalized
relative to small messages.
The message class allows users to send
.q "high priority"
messages by including a
.q Precedence:
field in their message;
the value of this field is looked up in the
.b P
lines of the configuration file.
Since the number of recipients affects the amount of load a message presents
to the system,
this is also included into the priority.
.pp
The recipient and class factors
can be set in the configuration file using the
.b RecipientFactor
(\c
.b y )
and
.b ClassFactor
(\c
.b z )
options respectively.
They default to 30000 (for the recipient factor)
and 1800
(for the class factor).
The initial priority is:
.EQ
pri = msgsize - (class times bold ClassFactor) + (nrcpt times bold RecipientFactor)
.EN
(Remember, higher values for this parameter actually mean
that the job will be treated with lower priority.)
.pp
The priority of a job can also be adjusted each time it is processed
(that is, each time an attempt is made to deliver it)
using the
.q "work time factor,"
set by the
.b RetryFactor
(\c
.b Z )
option.
This is added to the priority,
so it normally decreases the precedence of the job,
on the grounds that jobs that have failed many times
will tend to fail again in the future.
The
.b RetryFactor
option defaults to 90000.
.sh 2 "Load Limiting"
.pp
.i Sendmail
can be asked to queue (but not deliver) mail
if the system load average gets too high using the
.b QueueLA
(\c
.b x )
option.
When the load average exceeds the value of the
.b QueueLA
option, the delivery mode is set to
.b q
(queue only) if the
.b QueueFactor
(\c
.b q )
option divided by the difference in the current load average and the
.b QueueLA
option plus one
is less than the priority of the message \(em
that is, the message is queued iff:
.EQ
pri > { bold QueueFactor } over { LA - { bold QueueLA } + 1 }
.EN
The
.b QueueFactor
option defaults to 600000,
so each point of load average is worth 600000 priority points
(as described above).
.pp
For drastic cases, the
.b RefuseLA
(\c
.b X )
option defines a load average at which
.i sendmail
will refuse to accept network connections.
Locally generated mail, i.e., mail which is not submitted via SMTP
(including incoming UUCP mail),
is still accepted.
Notice that the MSP submits mail to the MTA via SMTP, and hence
mail will be queued in the client queue in such a case.
Therefore it is necessary to run the client mail queue periodically.
.sh 2 "Resource Limits"
.pp
.i Sendmail
has several parameters to control resource usage.
Besides those mentionted in the previous section, there are at least
.b MaxDaemonChildren ,
.b ConnectionRateThrottle ,
.b MaxQueueChildren ,
and
.b MaxRunnersPerQueue .
The latter two limit the number of
.i sendmail
processes that operate on the queue.
These are discussed in the section
``Queue Group Declaration''.
The former two can be used to limit the number of incoming connections.
Their appropriate values depend on the host operating system and
the hardware, e.g., amount of memory.
In many situations it might be useful to set limits to prevent
to have too many
.i sendmail
processes, however, these limits can be abused to mount a
denial of service attack.
For example, if
.b MaxDaemonChildren=10
then an attacker needs to open only 10 SMTP sessions to the server,
leave them idle for most of the time,
and no more connections will be accepted.
If this option is set then the timeouts used in a SMTP session
should be lowered from their default values to
their minimum values as specified in RFC 2821 and listed in
section
.\"XREF
4.1.2.
.sh 2 "Measures against Denial of Service Attacks"
.pp
.i Sendmail
has some built-in measures against simple denial of service (DoS) attacks.
The SMTP server by default slows down if too many bad commands are
issued or if some commands are repeated too often within a session.
Details can be found in the source file
.b sendmail/srvrsmtp.c
by looking for the macro definitions of
.b MAXBADCOMMANDS ,
.b MAXNOOPCOMMANDS ,
.b MAXHELOCOMMANDS ,
.b MAXVRFYCOMMANDS ,
and
.b MAXETRNCOMMANDS .
If an SMTP command is issued more often than the corresponding
.b MAXcmdCOMMANDS 
value, then the response is delayed exponentially,
starting with a sleep time of one second,
up to a maximum of four minutes (as defined by
.b MAXTIMEOUT ).
If the option
.b MaxDaemonChildren
is set to a value greater than zero,
then this could make a DoS attack even worse since it
keeps a connection open longer than necessary.
Therefore a connection is terminated with a 421 SMTP reply code
if the number of commands exceeds the limit by a factor of two and
.b MAXBADCOMMANDS 
is set to a value greater than zero (the default is 25).
.sh 2 "Delivery Mode"
.pp
There are a number of delivery modes that
.i sendmail
can operate in,
set by the
.b DeliveryMode
(\c
.b d )
configuration option.
These modes
specify how quickly mail will be delivered.
Legal modes are:
.(b
.ta 4n
i       deliver interactively (synchronously)
b       deliver in background (asynchronously)
q       queue only (don't deliver)
d       defer delivery attempts (don't deliver)
.)b
There are tradeoffs.
Mode
.q i
gives the sender the quickest feedback,
but may slow down some mailers and
is hardly ever necessary.
Mode
.q b
delivers promptly but
can cause large numbers of processes
if you have a mailer that takes a long time to deliver a message.
Mode
.q q
minimizes the load on your machine,
but means that delivery may be delayed for up to the queue interval.
Mode
.q d
is identical to mode
.q q
except that it also prevents lookups in maps including the
.b -D
flag from working during the initial queue phase;
it is intended for ``dial on demand'' sites where DNS lookups
might cost real money.
Some simple error messages
(e.g., host unknown during the SMTP protocol)
will be delayed using this mode.
Mode
.q b
is the usual default.
.pp
If you run in mode
.q q
(queue only),
.q d
(defer),
or
.q b
(deliver in background)
.i sendmail
will not expand aliases and follow .forward files
upon initial receipt of the mail.
This speeds up the response to RCPT commands.
Mode
.q i
should not be used by the SMTP server.
.sh 2 "Log Level"
.pp
The level of logging can be set for
.i sendmail .
The default using a standard configuration table is level 9.
The levels are as follows:
.nr ii 0.5i
.ip 0
Minimal logging.
.ip 1
Serious system failures and potential security problems.
.ip 2
Lost communications (network problems) and protocol failures.
.ip 3
Other serious failures, malformed addresses, transient forward/include
errors, connection timeouts.
.ip 4
Minor failures, out of date alias databases, connection rejections
via check_ rulesets.
.ip 5
Message collection statistics.
.ip 6
Creation of error messages,
VRFY and EXPN commands.
.ip 7
Delivery failures (host or user unknown, etc.).
.ip 8
Successful deliveries and alias database rebuilds.
.ip 9
Messages being deferred
(due to a host being down, etc.).
.ip 10
Database expansion (alias, forward, and userdb lookups)
and authentication information.
.ip 11
NIS errors and end of job processing.
.ip 12
Logs all SMTP connections.
.ip 13
Log bad user shells, files with improper permissions, and other
questionable situations.
.ip 14
Logs refused connections.
.ip 15
Log all incoming and outgoing SMTP commands.
.ip 20
Logs attempts to run locked queue files.
These are not errors,
but can be useful to note if your queue appears to be clogged.
.ip 30
Lost locks (only if using lockf instead of flock).
.lp
Additionally,
values above 64 are reserved for extremely verbose debugging output.
No normal site would ever set these.
.sh 2 "File Modes"
.pp
The modes used for files depend on what functionality you want
and the level of security you require.
In many cases
.i sendmail
does careful checking of the modes
of files and directories
to avoid accidental compromise;
if you want to make it possible to have group-writable support files
you may need to use the
.b DontBlameSendmail
option to turn off some of these checks.
.sh 3 "To suid or not to suid?"
.pp
.i Sendmail
is no longer installed
set-user-ID to root.
sendmail/SECURITY
explains how to configure and install
.i sendmail
without set-user-ID to root but set-group-ID
which is the default configuration starting with 8.12.
.pp
The daemon usually runs as root, unless other measures are taken.
At the point where
.i sendmail
is about to
.i exec \|(2)
a mailer,
it checks to see if the userid is zero (root);
if so,
it resets the userid and groupid to a default
(set by the
.b U=
equate in the mailer line;
if that is not set, the
.b DefaultUser
option is used).
This can be overridden
by setting the
.b S
flag to the mailer
for mailers that are trusted
and must be called as root.
However,
this will cause mail processing
to be accounted
(using
.i sa \|(8))
to root
rather than to the user sending the mail.
.pp
A middle ground is to set the
.b RunAsUser
option.
This causes
.i sendmail
to become the indicated user as soon as it has done the startup
that requires root privileges
(primarily, opening the
.sm SMTP
socket).
If you use
.b RunAsUser ,
the queue directory
(normally
.i /var/spool/mqueue )
should be owned by that user,
and all files and databases
(including user
.i \&.forward
files,
alias files,
:include: files,
and external databases)
must be readable by that user.
Also, since sendmail will not be able to change its uid,
delivery to programs or files will be marked as unsafe,
e.g., undeliverable,
in
.i \&.forward ,
aliases,
and :include: files.
Administrators can override this by setting the
.b DontBlameSendmail
option to the setting
.b NonRootSafeAddr .
.b RunAsUser
is probably best suited for firewall configurations
that don't have regular user logins.
If the option is used on a system which performs local delivery,
then the local delivery agent must have the proper permissions
(i.e., usually set-user-ID root)
since it will be invoked by the
.b RunAsUser ,
not by root.
.sh 3 "Turning off security checks"
.pp
.i Sendmail
is very particular about the modes of files that it reads or writes.
For example, by default it will refuse to read most files
that are group writable
on the grounds that they might have been tampered with
by someone other than the owner;
it will even refuse to read files in group writable directories.
Also, sendmail will refuse to create a new aliases database in an
unsafe directory.  You can get around this by manually creating the
database file as a trusted user ahead of time and then rebuilding the
aliases database with
.b newaliases .
.pp
If you are
.i quite
sure that your configuration is safe and you want
.i sendmail
to avoid these security checks,
you can turn off certain checks using the
.b DontBlameSendmail
option.
This option takes one or more names that disable checks.
In the descriptions that follow,
.q "unsafe directory"
means a directory that is writable by anyone other than the owner.
The values are:
.nr ii 0.5i
.ip Safe
No special handling.
.ip AssumeSafeChown
Assume that the
.i chown
system call is restricted to root.
Since some versions of UNIX permit regular users
to give away their files to other users on some filesystems,
.i sendmail
often cannot assume that a given file was created by the owner,
particularly when it is in a writable directory.
You can set this flag if you know that file giveaway is restricted
on your system.
.ip ClassFileInUnsafeDirPath
When reading class files (using the
.b F
line in the configuration file),
allow files that are in unsafe directories.
.ip DontWarnForwardFileInUnsafeDirPath
Prevent logging of
unsafe directory path warnings
for non-existent forward files.
.ip ErrorHeaderInUnsafeDirPath
Allow the file named in the
.b ErrorHeader
option to be in an unsafe directory.
.ip FileDeliveryToHardLink
Allow delivery to files that are hard links.
.ip FileDeliveryToSymLink
Allow delivery to files that are symbolic links.
.ip ForwardFileInGroupWritableDirPath
Allow
.i \&.forward
files in group writable directories.
.ip ForwardFileInUnsafeDirPath
Allow
.i \&.forward
files in unsafe directories.
.ip ForwardFileInUnsafeDirPathSafe
Allow a
.i \&.forward
file that is in an unsafe directory to include references
to program and files.
.ip GroupReadableKeyFile
Accept a group-readable key file for STARTTLS.
.ip GroupReadableSASLDBFile
Accept a group-readable Cyrus SASL password file.
.ip GroupWritableAliasFile
Allow group-writable alias files.
.ip GroupWritableDirPathSafe
Change the definition of
.q "unsafe directory"
to consider group-writable directories to be safe.
World-writable directories are always unsafe.
.ip GroupWritableForwardFile
Allow group writable
.i \&.forward
files.
.ip GroupWritableForwardFileSafe
Accept group-writable
.i \&.forward
files as safe for program and file delivery.
.ip GroupWritableIncludeFile
Allow group wriable
.i :include:
files.
.ip GroupWritableIncludeFileSafe
Accept group-writable
.i :include:
files as safe for program and file delivery.
.ip GroupWritableSASLDBFile
Accept a group-writable Cyrus SASL password file.
.ip HelpFileInUnsafeDirPath
Allow the file named in the
.b HelpFile
option to be in an unsafe directory.
.ip IncludeFileInGroupWritableDirPath
Allow
.i :include:
files in group writable directories.
.ip IncludeFileInUnsafeDirPath
Allow
.i :include:
files in unsafe directories.
.ip IncludeFileInUnsafeDirPathSafe
Allow a
.i :include:
file that is in an unsafe directory to include references
to program and files.
.ip InsufficientEntropy
Try to use STARTTLS even if the PRNG for OpenSSL is not properly seeded
despite the security problems.
.ip LinkedAliasFileInWritableDir
Allow an alias file that is a link in a writable directory.
.ip LinkedClassFileInWritableDir
Allow class files that are links in writable directories.
.ip LinkedForwardFileInWritableDir
Allow
.i \&.forward
files that are links in writable directories.
.ip LinkedIncludeFileInWritableDir
Allow
.i :include:
files that are links in writable directories.
.ip LinkedMapInWritableDir
Allow map files that are links in writable directories.
This includes alias database files.
.ip LinkedServiceSwitchFileInWritableDir
Allow the service switch file to be a link
even if the directory is writable.
.ip MapInUnsafeDirPath
Allow maps (e.g.,
.i hash ,
.i btree ,
and
.i dbm
files)
in unsafe directories.
This includes alias database files.
.ip NonRootSafeAddr
Do not mark file and program deliveries as unsafe
if sendmail is not running with root privileges.
.ip RunProgramInUnsafeDirPath
Run programs that are in writable directories without logging a warning.
.ip RunWritableProgram
Run programs that are group- or world-writable without logging a warning.
.ip TrustStickyBit
Allow group or world writable directories
if the sticky bit is set on the directory.
Do not set this on systems which do not honor
the sticky bit on directories.
.ip WorldWritableAliasFile
Accept world-writable alias files.
.ip WorldWritableForwardfile
Allow world writable
.i \&.forward
files.
.ip WorldWritableIncludefile
Allow world wriable
.i :include:
files.
.ip WriteMapToHardLink
Allow writes to maps that are hard links.
.ip WriteMapToSymLink
Allow writes to maps that are symbolic links.
.ip WriteStatsToHardLink
Allow the status file to be a hard link.
.ip WriteStatsToSymLink
Allow the status file to be a symbolic link.
.sh 2 "Connection Caching"
.pp
When processing the queue,
.i sendmail
will try to keep the last few open connections open
to avoid startup and shutdown costs.
This only applies to IPC and LPC connections.
.pp
When trying to open a connection
the cache is first searched.
If an open connection is found, it is probed to see if it is still active
by sending a
.sm RSET
command.
It is not an error if this fails;
instead, the connection is closed and reopened.
.pp
Two parameters control the connection cache.
The
.b ConnectionCacheSize
(\c
.b k )
option defines the number of simultaneous open connections
that will be permitted.
If it is set to zero,
connections will be closed as quickly as possible.
The default is one.
This should be set as appropriate for your system size;
it will limit the amount of system resources that
.i sendmail
will use during queue runs.
Never set this higher than 4.
.pp
The
.b ConnectionCacheTimeout
(\c
.b K )
option specifies the maximum time that any cached connection
will be permitted to idle.
When the idle time exceeds this value
the connection is closed.
This number should be small
(under ten minutes)
to prevent you from grabbing too many resources
from other hosts.
The default is five minutes.
.sh 2 "Name Server Access"
.pp
Control of host address lookups is set by the
.b hosts
service entry in your service switch file.
If you are on a system that has built-in service switch support
(e.g., Ultrix, Solaris, or DEC OSF/1)
then your system is probably configured properly already.
Otherwise,
.i sendmail
will consult the file
.b /etc/mail/service.switch ,
which should be created.
.i Sendmail
only uses two entries:
.b hosts
and
.b aliases ,
although system routines may use other services
(notably the
.b passwd
service for user name lookups by
.i getpwname ).
.pp
However, some systems (such as SunOS 4.X)
will do DNS lookups
regardless of the setting of the service switch entry.
In particular, the system routine
.i gethostbyname (3)
is used to look up host names,
and many vendor versions try some combination of DNS, NIS,
and file lookup in /etc/hosts
without consulting a service switch.
.i Sendmail
makes no attempt to work around this problem,
and the DNS lookup will be done anyway.
If you do not have a nameserver configured at all,
such as at a UUCP-only site,
.i sendmail
will get a
.q "connection refused"
message when it tries to connect to the name server.
If the
.b hosts
switch entry has the service
.q dns
listed somewhere in the list,
.i sendmail
will interpret this to mean a temporary failure
and will queue the mail for later processing;
otherwise, it ignores the name server data.
.pp
The same technique is used to decide whether to do MX lookups.
If you want MX support, you
.i must
have
.q dns
listed as a service in the
.b hosts
switch entry.
.pp
The
.b ResolverOptions
(\c
.b I )
option allows you to tweak name server options.
The command line takes a series of flags as documented in
.i resolver (3)
(with the leading
.q RES_
deleted).
Each can be preceded by an optional `+' or `\(mi'.
For example, the line
.(b
O ResolverOptions=+AAONLY \(miDNSRCH
.)b
turns on the AAONLY (accept authoritative answers only)
and turns off the DNSRCH (search the domain path) options.
Most resolver libraries default DNSRCH, DEFNAMES, and RECURSE
flags on and all others off.
If NETINET6 is enabled, most libraries default to USE_INET6 as well.
You can also include
.q HasWildcardMX
to specify that there is a wildcard MX record matching your domain;
this turns off MX matching when canonifying names,
which can lead to inappropriate canonifications.
Use
.q WorkAroundBrokenAAAA
when faced with a broken nameserver that returns SERVFAIL
(a temporary failure)
on T_AAAA (IPv6) lookups
during hostname canonification.
Notice: it might be necessary to apply the same (or similar) options to
.i submit.cf
too.
.pp
Version level 1 configurations (see the section about
``Configuration Version Level'')
turn DNSRCH and DEFNAMES off when doing delivery lookups,
but leave them on everywhere else.
Version 8 of
.i sendmail
ignores them when doing canonification lookups
(that is, when using $[ ... $]),
and always does the search.
If you don't want to do automatic name extension,
don't call $[ ... $].
.pp
The search rules for $[ ... $] are somewhat different than usual.
If the name being looked up
has at least one dot, it always tries the unmodified name first.
If that fails, it tries the reduced search path,
and lastly tries the unmodified name
(but only for names without a dot,
since names with a dot have already been tried).
This allows names such as
``utc.CS''
to match the site in Czechoslovakia
rather than the site in your local Computer Science department.
It also prefers A and CNAME records over MX records \*-
that is, if it finds an MX record it makes note of it,
but keeps looking.
This way, if you have a wildcard MX record matching your domain,
it will not assume that all names match.
.pp
To completely turn off all name server access
on systems without service switch support
(such as SunOS 4.X)
you will have to recompile with
\-DNAMED_BIND=0
and remove \-lresolv from the list of libraries to be searched
when linking.
.sh 2 "Moving the Per-User Forward Files"
.pp
Some sites mount each user's home directory
from a local disk on their workstation,
so that local access is fast.
However, the result is that .forward file lookups
from a central mail server are slow.
In some cases,
mail can even be delivered on machines inappropriately
because of a file server being down.
The performance can be especially bad if you run the automounter.
.pp
The
.b ForwardPath
(\c
.b J )
option allows you to set a path of forward files.
For example, the config file line
.(b
O ForwardPath=/var/forward/$u:$z/.forward.$w
.)b
would first look for a file with the same name as the user's login
in /var/forward;
if that is not found (or is inaccessible)
the file
``.forward.\c
.i machinename ''
in the user's home directory is searched.
A truly perverse site could also search by sender
by using $r, $s, or $f.
.pp
If you create a directory such as /var/forward,
it should be mode 1777
(that is, the sticky bit should be set).
Users should create the files mode 0644.
Note that you must use the
ForwardFileInUnsafeDirPath and
ForwardFileInUnsafeDirPathSafe
flags with the
.b DontBlameSendmail
option to allow forward files in a world writable directory.
This might also be used as a denial of service attack
(users could create forward files for other users);
a better approach might be to create
/var/forward
mode 0755
and create empty files for each user,
owned by that user,
mode 0644.
If you do this, you don't have to set the DontBlameSendmail options
indicated above.
.sh 2 "Free Space"
.pp
On systems that have one of the system calls in the
.i statfs (2)
family
(including
.i statvfs
and
.i ustat ),
you can specify a minimum number of free blocks on the queue filesystem
using the
.b MinFreeBlocks
(\c
.b b )
option.
If there are fewer than the indicated number of blocks free
on the filesystem on which the queue is mounted
the SMTP server will reject mail
with the
452 error code.
This invites the SMTP client to try again later.
.pp
Beware of setting this option too high;
it can cause rejection of email
when that mail would be processed without difficulty.
.sh 2 "Maximum Message Size"
.pp
To avoid overflowing your system with a large message,
the
.b MaxMessageSize
option can be set to set an absolute limit
on the size of any one message.
This will be advertised in the ESMTP dialogue
and checked during message collection.
.sh 2 "Privacy Flags"
.pp
The
.b PrivacyOptions
(\c
.b p )
option allows you to set certain
``privacy''
flags.
Actually, many of them don't give you any extra privacy,
rather just insisting that client SMTP servers
use the HELO command
before using certain commands
or adding extra headers to indicate possible spoof attempts.
.pp
The option takes a series of flag names;
the final privacy is the inclusive or of those flags.
For example:
.(b
O PrivacyOptions=needmailhelo, noexpn
.)b
insists that the HELO or EHLO command be used before a MAIL command is accepted
and disables the EXPN command.
.pp
The flags are detailed in section
.\"XREF
5.6.
.sh 2 "Send to Me Too"
.pp
Beginning with version 8.10,
.i sendmail
includes by default the (envelope) sender in any list expansions.
For example, if
.q matt
sends to a list that contains
.q matt
as one of the members he will get a copy of the message.
If the
.b MeToo
option is set to
.sm FALSE
(in the configuration file or via the command line),
this behavior is changed, i.e.,
the (envelope) sender is excluded in list expansions.
.sh 1 "THE WHOLE SCOOP ON THE CONFIGURATION FILE"
.pp
This section describes the configuration file
in detail.
.pp
There is one point that should be made clear immediately:
the syntax of the configuration file
is designed to be reasonably easy to parse,
since this is done every time
.i sendmail
starts up,
rather than easy for a human to read or write.
The configuration file should be generated via the method described in
.b cf/README ,
it should not be edited directly unless someone is familiar
with the internals of the syntax described here and it is
not possible to achieve the desired result via the default method.
.pp
The configuration file is organized as a series of lines,
each of which begins with a single character
defining the semantics for the rest of the line.
Lines beginning with a space or a tab
are continuation lines
(although the semantics are not well defined in many places).
Blank lines and lines beginning with a sharp symbol
(`#')
are comments.
.sh 2 "R and S \*- Rewriting Rules"
.pp
The core of address parsing
are the rewriting rules.
These are an ordered production system.
.i Sendmail
scans through the set of rewriting rules
looking for a match on the left hand side
(LHS)
of the rule.
When a rule matches,
the address is replaced by the right hand side
(RHS)
of the rule.
.pp
There are several sets of rewriting rules.
Some of the rewriting sets are used internally
and must have specific semantics.
Other rewriting sets
do not have specifically assigned semantics,
and may be referenced by the mailer definitions
or by other rewriting sets.
.pp
The syntax of these two commands are:
.(b F
.b S \c
.i n
.)b
Sets the current ruleset being collected to
.i n .
If you begin a ruleset more than once
it appends to the old definition.
.(b F
.b R \c
.i lhs
.i rhs
.i comments
.)b
The
fields must be separated
by at least one tab character;
there may be embedded spaces
in the fields.
The
.i lhs
is a pattern that is applied to the input.
If it matches,
the input is rewritten to the
.i rhs .
The
.i comments
are ignored.
.pp
Macro expansions of the form
.b $ \c
.i x
are performed when the configuration file is read.
A literal
.b $
can be included using
.b $$ .
Expansions of the form
.b $& \c
.i x
are performed at run time using a somewhat less general algorithm.
This is intended only for referencing internally defined macros
such as
.b $h
that are changed at runtime.
.sh 3 "The left hand side"
.pp
The left hand side of rewriting rules contains a pattern.
Normal words are simply matched directly.
Metasyntax is introduced using a dollar sign.
The metasymbols are:
.(b
.ta \w'\fB$=\fP\fIx\fP  'u
\fB$*\fP        Match zero or more tokens
\fB$+\fP        Match one or more tokens
\fB$\-\fP       Match exactly one token
\fB$=\fP\fIx\fP Match any phrase in class \fIx\fP
\fB$~\fP\fIx\fP Match any word not in class \fIx\fP
.)b
If any of these match,
they are assigned to the symbol
.b $ \c
.i n
for replacement on the right hand side,
where
.i n
is the index in the LHS.
For example,
if the LHS:
.(b
$\-:$+
.)b
is applied to the input:
.(b
UCBARPA:eric
.)b
the rule will match, and the values passed to the RHS will be:
.(b
.ta 4n
$1      UCBARPA
$2      eric
.)b
.pp
Additionally, the LHS can include
.b $@
to match zero tokens.
This is
.i not
bound to a
.b $ \c
.i n
on the RHS, and is normally only used when it stands alone
in order to match the null input.
.sh 3 "The right hand side"
.pp
When the left hand side of a rewriting rule matches,
the input is deleted and replaced by the right hand side.
Tokens are copied directly from the RHS
unless they begin with a dollar sign.
Metasymbols are:
.(b
.ta \w'$#mailer\0\0\0'u
\fB$\fP\fIn\fP  Substitute indefinite token \fIn\fP from LHS
\fB$[\fP\fIname\fP\fB$]\fP      Canonicalize \fIname\fP
\fB$(\fP\fImap key\fP \fB$@\fP\fIarguments\fP \fB$:\fP\fIdefault\fP \fB$)\fP
        Generalized keyed mapping function
\fB$>\fP\fIn\fP \*(lqCall\*(rq ruleset \fIn\fP
\fB$#\fP\fImailer\fP    Resolve to \fImailer\fP
\fB$@\fP\fIhost\fP      Specify \fIhost\fP
\fB$:\fP\fIuser\fP      Specify \fIuser\fP
.)b
.pp
The
.b $ \c
.i n
syntax substitutes the corresponding value from a
.b $+ ,
.b $\- ,
.b $* ,
.b $= ,
or
.b $~
match on the LHS.
It may be used anywhere.
.pp
A host name enclosed between
.b $[
and
.b $]
is looked up in the host database(s)
and replaced by the canonical name\**.
.(f
\**This is actually
completely equivalent
to $(host \fIhostname\fP$).
In particular, a
.b $:
default can be used.
.)f
For example,
.q $[ftp$]
might become
.q ftp.CS.Berkeley.EDU
and
.q $[[128.32.130.2]$]
would become
.q vangogh.CS.Berkeley.EDU.
.i Sendmail
recognizes its numeric IP address
without calling the name server
and replaces it with its canonical name.
.pp
The
.b $(
\&...
.b $)
syntax is a more general form of lookup;
it uses a named map instead of an implicit map.
If no lookup is found, the indicated
.i default
is inserted;
if no default is specified and no lookup matches,
the value is left unchanged.
The
.i arguments
are passed to the map for possible use.
.pp
The
.b $> \c
.i n
syntax
causes the remainder of the line to be substituted as usual
and then passed as the argument to ruleset
.i n .
The final value of ruleset
.i n
then becomes
the substitution for this rule.
The
.b $>
syntax expands everything after the ruleset name
to the end of the replacement string
and then passes that as the initial input to the ruleset.
Recursive calls are allowed.
For example,
.(b
$>0 $>3 $1
.)b
expands $1, passes that to ruleset 3, and then passes the result
of ruleset 3 to ruleset 0.
.pp
The
.b $#
syntax should
.i only
be used in ruleset zero,
a subroutine of ruleset zero,
or rulesets that return decisions (e.g., check_rcpt).
It causes evaluation of the ruleset to terminate immediately,
and signals to
.i sendmail
that the address has completely resolved.
The complete syntax for ruleset 0 is:
.(b
\fB$#\fP\fImailer\fP \fB$@\fP\fIhost\fP \fB$:\fP\fIuser\fP
.)b
This specifies the
{mailer, host, user}
3-tuple necessary to direct the mailer.
Note: the third element (
.i user
) is often also called
.i address
part.
If the mailer is local
the host part may be omitted\**.
.(f
\**You may want to use it for special
.q "per user"
extensions.
For example, in the address
.q jgm+foo@CMU.EDU ;
the
.q +foo
part is not part of the user name,
and is passed to the local mailer for local use.
.)f
The
.i mailer
must be a single word,
but the
.i host
and
.i user
may be multi-part.
If the
.i mailer
is the built-in IPC mailer,
the
.i host
may be a colon-separated list of hosts
that are searched in order for the first working address
(exactly like MX records).
The
.i user
is later rewritten by the mailer-specific envelope rewriting set
and assigned to the
.b $u
macro.
As a special case, if the mailer specified has the
.b F=@
flag specified
and the first character of the
.b $:
value is
.q @ ,
the
.q @
is stripped off, and a flag is set in the address descriptor
that causes sendmail to not do ruleset 5 processing.
.pp
Normally, a rule that matches is retried,
that is,
the rule loops until it fails.
A RHS may also be preceded by a
.b $@
or a
.b $:
to change this behavior.
A
.b $@
prefix causes the ruleset to return with the remainder of the RHS
as the value.
A
.b $:
prefix causes the rule to terminate immediately,
but the ruleset to continue;
this can be used to avoid continued application of a rule.
The prefix is stripped before continuing.
.pp
The
.b $@
and
.b $:
prefixes may precede a
.b $>
spec;
for example:
.(b
.ta 8n
R$+     $: $>7 $1
.)b
matches anything,
passes that to ruleset seven,
and continues;
the
.b $:
is necessary to avoid an infinite loop.
.pp
Substitution occurs in the order described,
that is,
parameters from the LHS are substituted,
hostnames are canonicalized,
.q subroutines
are called,
and finally
.b $# ,
.b $@ ,
and
.b $:
are processed.
.sh 3 "Semantics of rewriting rule sets"
.pp
There are six rewriting sets
that have specific semantics.
Five of these are related as depicted by figure 1.
.(z
.hl
.ie n \{\
.(c
                    +---+
                 -->| 0 |-->resolved address
                /   +---+
               /            +---+   +---+
              /        ---->| 1 |-->| S |--
       +---+ / +---+  /     +---+   +---+  \e    +---+
addr-->| 3 |-->| D |--                      --->| 4 |-->msg
       +---+   +---+  \e     +---+   +---+  /    +---+
                        --->| 2 |-->| R |--
                            +---+   +---+
.)c

.\}
.el \{\
.ie !"\*(.T"" \{\
.PS
boxwid = 0.3i
boxht = 0.3i
movewid = 0.3i
moveht = 0.3i
linewid = 0.3i
lineht = 0.3i

        box invis "addr"; arrow
Box3:   box "3"
A1:     arrow
BoxD:   box "D"; line; L1: Here
C:      [
        C1:     arrow; box "1"; arrow; box "S"; line; E1: Here
                move to C1 down 0.5; right
        C2:     arrow; box "2"; arrow; box "R"; line; E2: Here
        ] with .w at L1 + (0.5, 0)
        move to C.e right 0.5
L4:     arrow; box "4"; arrow; box invis "msg"
        line from L1 to C.C1
        line from L1 to C.C2
        line from C.E1 to L4
        line from C.E2 to L4
        move to BoxD.n up 0.6; right
Box0:   arrow; box "0"
        arrow; box invis "resolved address" width 1.3
        line from 1/3 of the way between A1 and BoxD.w to Box0
.PE
.\}
.el .sp 2i
.\}
.ce
Figure 1 \*- Rewriting set semantics
.(c
D \*- sender domain addition
S \*- mailer-specific sender rewriting
R \*- mailer-specific recipient rewriting
.)c
.hl
.)z
.pp
Ruleset three
should turn the address into
.q "canonical form."
This form should have the basic syntax:
.(b
local-part@host-domain-spec
.)b
Ruleset three
is applied by
.i sendmail
before doing anything with any address.
.pp
If no
.q @
sign is specified,
then the
host-domain-spec
.i may
be appended (box
.q D
in Figure 1)
from the
sender address
(if the
.b C
flag is set in the mailer definition
corresponding to the
.i sending
mailer).
.pp
Ruleset zero
is applied after ruleset three
to addresses that are going to actually specify recipients.
It must resolve to a
.i "{mailer, host, address}"
triple.
The
.i mailer
must be defined in the mailer definitions
from the configuration file.
The
.i host
is defined into the
.b $h
macro
for use in the argv expansion of the specified mailer.
Notice: since the envelope sender address will be used if
a delivery status notification must be send,
i.e., is may specify a recipient,
it is also run through ruleset zero.
If ruleset zero returns a temporary error
.b 4xy
then delivery is deferred.
This can be used to temporarily disable delivery,
e.g., based on the time of the day or other varying parameters.
It should not be used to quarantine e-mails.
.pp
Rulesets one and two
are applied to all sender and recipient addresses respectively.
They are applied before any specification
in the mailer definition.
They must never resolve.
.pp
Ruleset four is applied to all addresses
in the message.
It is typically used
to translate internal to external form.
.pp
In addition,
ruleset 5 is applied to all local addresses
(specifically, those that resolve to a mailer with the `F=5'
flag set)
that do not have aliases.
This allows a last minute hook for local names.
.sh 3 "Ruleset hooks"
.pp
A few extra rulesets are defined as
.q hooks
that can be defined to get special features.
They are all named rulesets.
The
.q check_*
forms all give accept/reject status;
falling off the end or returning normally is an accept,
and resolving to
.b $#error
is a reject or quarantine.
Quarantining is chosen by specifying
.b quarantine
in the second part of the mailer triplet:
.(b
$#error $@ quarantine $: Reason for quarantine
.)b
Many of these can also resolve to the special mailer name
.b $#discard ;
this accepts the message as though it were successful
but then discards it without delivery.
Note,
this mailer cannot be chosen as a mailer in ruleset 0.
Note also that all
.q check_*
rulesets have to deal with temporary failures, especially for map lookups,
themselves, i.e., they should return a temporary error code
or at least they should make a proper decision in those cases.
.sh 4 "check_relay"
.pp
The
.i check_relay
ruleset is called after a connection is accepted by the daemon.
It is not called when sendmail is started using the
.b \-bs
option.
It is passed
.(b
client.host.name $| client.host.address
.)b
where
.b $|
is a metacharacter separating the two parts.
This ruleset can reject connections from various locations.
Note that it only checks the connecting SMTP client IP address and hostname.
It does not check for third party message relaying.
The
.i check_rcpt
ruleset discussed below usually does third party message relay checking.
.sh 4 "check_mail"
.pp
The
.i check_mail
ruleset is passed the user name parameter of the
.sm "SMTP MAIL"
command.
It can accept or reject the address.
.sh 4 "check_rcpt"
.pp
The
.i check_rcpt
ruleset is passed the user name parameter of the
.sm "SMTP RCPT"
command.
It can accept or reject the address.
.sh 4 "check_data"
.pp
The
.i check_data
ruleset is called after the
.sm "SMTP DATA"
command, its parameter is the number of recipients.
It can accept or reject the command.
.sh 4 "check_compat"
.pp
The
.i check_compat
ruleset is passed
.(b
sender-address $| recipient-address
.)b
where
.b $|
is a metacharacter separating the addresses.
It can accept or reject mail transfer between these two addresses
much like the
.i checkcompat()
function.
Note:
while other
.i check_*
rulesets are invoked during the SMTP mail receiption stage
(i.e., in the SMTP server),
.i check_compat
is invoked during the mail delivery stage.
.sh 4 "check_eoh"
.pp
The
.i check_eoh
ruleset is passed
.(b
number-of-headers $| size-of-headers
.)b
where
.b $|
is a metacharacter separating the numbers.
These numbers can be used for size comparisons with the
.b arith
map.
The ruleset is triggered after
all of the headers have been read.
It can be used to correlate information gathered
from those headers using the
.b macro
storage map.
One possible use is to check for a missing header.
For example:
.(b
.ta 1.5i
Kstorage macro
HMessage-Id: $>CheckMessageId

SCheckMessageId
# Record the presence of the header
R$*                     $: $(storage {MessageIdCheck} $@ OK $) $1
R< $+ @ $+ >            $@ OK
R$*                     $#error $: 553 Header Error

Scheck_eoh
# Check the macro
R$*                     $: < $&{MessageIdCheck} >
# Clear the macro for the next message
R$*                     $: $(storage {MessageIdCheck} $) $1
# Has a Message-Id: header
R< $+ >                 $@ OK
# Allow missing Message-Id: from local mail
R$*                     $: < $&{client_name} >
R< >                    $@ OK
R< $=w >                $@ OK
# Otherwise, reject the mail
R$*                     $#error $: 553 Header Error
.)b
Keep in mind the Message-Id: header is not a required header and
is not a guaranteed spam indicator.
This ruleset is an example and
should probably not be used in production.
.sh 4 "check_eom"
.pp
The
.i check_eom
ruleset is called after the end of a message,
its parameter is the message size.
It can accept or reject the message.
.sh 4 "check_etrn"
.pp
The
.i check_etrn
ruleset is passed the parameter of the
.sm "SMTP ETRN"
command.
It can accept or reject the command.
.sh 4 "check_expn"
.pp
The
.i check_expn
ruleset is passed the user name parameter of the
.sm "SMTP EXPN"
command.
It can accept or reject the address.
.sh 4 "check_vrfy"
.pp
The
.i check_vrfy
ruleset is passed the user name parameter of the
.sm "SMTP VRFY"
command.
It can accept or reject the command.
.sh 4 "trust_auth"
.pp
The
.i trust_auth
ruleset is passed the AUTH= parameter of the
.sm "SMTP MAIL"
command.
It is used to determine whether this value should be
trusted. In order to make this decision, the ruleset
may make use of the various
.b ${auth_*}
macros.
If the ruleset does resolve to the
.q error
mailer the AUTH= parameter is not trusted and hence
not passed on to the next relay.
.sh 4 "tls_client"
.pp
The
.i tls_client
ruleset is called when sendmail acts as server, after a STARTTLS command
has been issued, and from
.i check_mail.
The parameter is the value of
.b ${verify}
and STARTTLS or MAIL, respectively.
If the ruleset does resolve to the
.q error
mailer, the appropriate error code is returned to the client.
.sh 4 "tls_server"
.pp
The
.i tls_server
ruleset is called when sendmail acts as client after a STARTTLS command
(should) have been issued.
The parameter is the value of
.b ${verify} .
If the ruleset does resolve to the
.q error
mailer, the connection is aborted
(treated as non-deliverable with a permanent or temporary error).
.sh 4 "tls_rcpt"
.pp
The
.i tls_rcpt
ruleset is called each time before a RCPT TO command is sent.
The parameter is the current recipient.
If the ruleset does resolve to the
.q error
mailer, the RCPT TO command is suppressed
(treated as non-deliverable with a permanent or temporary error).
This ruleset allows to require encryption or verification of
the recipient's MTA even if the mail is somehow redirected
to another host.
For example, sending mail to
.i luke@endmail.org
may get redirected to a host named
.i death.star
and hence the tls_server ruleset won't apply.
By introducing per recipient restrictions such attacks
(e.g., via DNS spoofing) can be made impossible.
See
.i cf/README
how this ruleset can be used.
.sh 4 "srv_features"
.pp
The
.i srv_features
ruleset is called with the connecting client's host name
when a client connects to sendmail.
This ruleset should return
.b $#
followed by a list of options (single characters
delimited by white space).
If the return value starts with anything else it is silently ignored.
Generally upper case characters turn off a feature
while lower case characters turn it on.
Option `S' causes the server not to offer STARTTLS,
which is useful to interact with MTAs/MUAs that have broken
STARTTLS implementations by simply not offering it.
`V' turns off the request for a client certificate during the TLS handshake.
Options `A' and `P' suppress SMTP AUTH and PIPELINING, respectively.
`c' is the equivalent to AuthOptions=p, i.e.,
it doesn't permit mechanisms susceptible to simple
passive attack (e.g., PLAIN, LOGIN), unless a security layer is active.
Option `l' requires SMTP AUTH for a connection.
Options 'B', 'D', 'E', and 'X' suppress SMTP VERB, DSN, ETRN, and EXPN,
respectively.
.(b
.ta 9n
A       Do not offer AUTH
a       Offer AUTH (default)
B       Do not offer VERB
b       Offer VERB (default)
C       Do not require security layer for
        plaintext AUTH (default)
c       Require security layer for plaintext AUTH
D       Do not offer DSN
d       Offer DSN (default)
E       Do not offer ETRN
e       Offer ETRN (default)
L       Do not require AUTH (default)
l       Require AUTH
P       Do not offer PIPELINING
p       Offer PIPELINING (default)
S       Do not offer STARTTLS
s       Offer STARTTLS (default)
V       Do not request a client certificate
v       Request a client certificate (default)
X       Do not offer EXPN
x       Offer EXPN (default)
.)b
Note: the entries marked as ``(default)'' may require that some
configuration has been made, e.g., SMTP AUTH is only available if
properly configured.
Moreover, many options can be changed on a global basis via other
settings as explained in this document, e.g., via DaemonPortOptions.
.pp
The ruleset may return `$#temp' to indicate that there is a temporary
problem determining the correct features, e.g., if a map is unavailable.
In that case, the SMTP server issues a temporary failure and does not
accept email.
.sh 4 "try_tls"
.pp
The
.i try_tls
ruleset is called when sendmail connects to another MTA.
If the ruleset does resolve to the
.q error
mailer, sendmail does not try STARTTLS even if it is offered.
This is useful to interact with MTAs that have broken
STARTTLS implementations by simply not using it.
.sh 4 "authinfo"
.pp
The
.i authinfo
ruleset is called when sendmail tries to authenticate to another MTA.
It should return
.b $#
followed by a list of tokens that are used for SMTP AUTH.
If the return value starts with anything else it is silently ignored.
Each token is a tagged string of the form:
"TDstring"
(including the quotes), where
.(b
.ta 9n
T       Tag which describes the item
D       Delimiter: ':' simple text follows
        '=' string is base64 encoded
string  Value of the item
.)b
Valid values for the tag are:
.(b
.ta 9n
U       user (authorization) id
I       authentication id
P       password
R       realm
M       list of mechanisms delimited by spaces
.)b
If this ruleset is defined, the option
.b DefaultAuthInfo
is ignored (even if the ruleset does not return a ``useful'' result).
.sh 4 "queuegroup"
.pp
The
.i queuegroup
ruleset is used to map a recipient address to a queue group name.
The input for the ruleset is a recipient address as specified by the
.sm "SMTP RCPT"
command.
The ruleset should return
.b $#
followed by the name of a queue group.
If the return value starts with anything else it is silently ignored.
See the section about ``Queue Groups and Queue Directories''
for further information.
.sh 4 "greet_pause"
.pp
The
.i greet_pause
ruleset is used to specify the amount of time to pause before sending the
initial SMTP 220 greeting.
If any traffic is received during that pause, an SMTP 554 rejection
response is given instead of the 220 greeting and all SMTP commands are
rejected during that connection.
This helps protect sites from open proxies and SMTP slammers.
The ruleset should return
.b $#
followed by the number of milliseconds (thousandths of a second) to
pause.
If the return value starts with anything else or is not a number,
it is silently ignored.
Note: this ruleset is not invoked (and hence the feature is disabled)
when the smtps (SMTP over SSL) is used, i.e.,
the
.i s
modifier is set for the daemon via
.b DaemonPortOptions ,
because in this case the SSL handshake is performed before
the greeting is sent.
.sh 3 "IPC mailers"
.pp
Some special processing occurs
if the ruleset zero resolves to an IPC mailer
(that is, a mailer that has
.q [IPC]
listed as the Path in the
.b M
configuration line.
The host name passed after
.q $@
has MX expansion performed if not delivering via a named socket;
this looks the name up in DNS to find alternate delivery sites.
.pp
The host name can also be provided as a dotted quad
or an IPv6 address in square brackets;
for example:
.(b
[128.32.149.78]
.)b
or
.(b
[IPv6:2002:c0a8:51d2::23f4]
.)b
This causes direct conversion of the numeric value
to an IP host address.
.pp
The host name passed in after the
.q $@
may also be a colon-separated list of hosts.
Each is separately MX expanded and the results are concatenated
to make (essentially) one long MX list.
The intent here is to create
.q fake
MX records that are not published in DNS
for private internal networks.
.pp
As a final special case, the host name can be passed in
as a text string
in square brackets:
.(b
[ucbvax.berkeley.edu]
.)b
This form avoids the MX mapping.
.b N.B.:
.i
This is intended only for situations where you have a network firewall
or other host that will do special processing for all your mail,
so that your MX record points to a gateway machine;
this machine could then do direct delivery to machines
within your local domain.
Use of this feature directly violates RFC 1123 section 5.3.5:
it should not be used lightly.
.r
.sh 2 "D \*- Define Macro"
.pp
Macros are named with a single character
or with a word in {braces}.
The names ``x'' and ``{x}'' denote the same macro
for every single character ``x''.
Single character names may be selected from the entire ASCII set,
but user-defined macros
should be selected from the set of upper case letters only.
Lower case letters
and special symbols
are used internally.
Long names beginning with a lower case letter or a punctuation character
are reserved for use by sendmail,
so user-defined long macro names should begin with an upper case letter.
.pp
The syntax for macro definitions is:
.(b F
.b D \c
.i x\|val
.)b
where
.i x
is the name of the macro
(which may be a single character
or a word in braces)
and
.i val
is the value it should have.
There should be no spaces given
that do not actually belong in the macro value.
.pp
Macros are interpolated
using the construct
.b $ \c
.i x ,
where
.i x
is the name of the macro to be interpolated.
This interpolation is done when the configuration file is read,
except in
.b M
lines.
The special construct
.b $& \c
.i x
can be used in
.b R
lines to get deferred interpolation.
.pp
Conditionals can be specified using the syntax:
.(b
$?x text1 $| text2 $.
.)b
This interpolates
.i text1
if the macro
.b $x
is set and non-null,
and
.i text2
otherwise.
The
.q else
(\c
.b $| )
clause may be omitted.
.pp
The following macros are defined and/or used internally by
.i sendmail
for interpolation into argv's for mailers
or for other contexts.
The ones marked \(dg are information passed into sendmail\**,
.(f
\**As of version 8.6,
all of these macros have reasonable defaults.
Previous versions required that they be defined.
.)f
the ones marked \(dd are information passed both in and out of sendmail,
and the unmarked macros are passed out of sendmail
but are not otherwise used internally.
These macros are:
.nr ii 5n
.ip $a
The origination date in RFC 822 format.
This is extracted from the Date: line.
.ip $b
The current date in RFC 822 format.
.ip $c
The hop count.
This is a count of the number of Received: lines
plus the value of the
.b \-h
command line flag.
.ip $d
The current date in UNIX (ctime) format.
.ip $e\(dg
(Obsolete; use SmtpGreetingMessage option instead.)
The SMTP entry message.
This is printed out when SMTP starts up.
The first word must be the
.b $j
macro as specified by RFC 821.
Defaults to
.q "$j Sendmail $v ready at $b" .
Commonly redefined to include the configuration version number, e.g.,
.q "$j Sendmail $v/$Z ready at $b"
.ip $f
The envelope sender (from) address.
.ip $g
The sender address relative to the recipient.
For example, if
.b $f
is
.q foo ,
.b $g
will be
.q host!foo ,
.q foo@host.domain ,
or whatever is appropriate for the receiving mailer.
.ip $h
The recipient host.
This is set in ruleset 0 from the $@ field of a parsed address.
.ip $i
The queue id,
e.g.,
.q f344MXxp018717 .
.ip $j\(dd
The \*(lqofficial\*(rq domain name for this site.
This is fully qualified if the full qualification can be found.
It
.i must
be redefined to be the fully qualified domain name
if your system is not configured so that information can find
it automatically.
.ip $k
The UUCP node name (from the uname system call).
.ip $l\(dg
(Obsolete; use UnixFromLine option instead.)
The format of the UNIX from line.
Unless you have changed the UNIX mailbox format,
you should not change the default,
which is
.q "From $g $d" .
.ip $m
The domain part of the \fIgethostname\fP return value.
Under normal circumstances,
.b $j
is equivalent to
.b $w.$m .
.ip $n\(dg
The name of the daemon (for error messages).
Defaults to
.q MAILER-DAEMON .
.ip $o\(dg
(Obsolete: use OperatorChars option instead.)
The set of \*(lqoperators\*(rq in addresses.
A list of characters
which will be considered tokens
and which will separate tokens
when doing parsing.
For example, if
.q @
were in the
.b $o
macro, then the input
.q a@b
would be scanned as three tokens:
.q a,
.q @,
and
.q b.
Defaults to
.q ".:@[]" ,
which is the minimum set necessary to do RFC 822 parsing;
a richer set of operators is
.q ".:%@!/[]" ,
which adds support for UUCP, the %-hack, and X.400 addresses.
.ip $p
Sendmail's process id.
.ip $q\(dg
Default format of sender address.
The
.b $q
macro specifies how an address should appear in a message
when it is defaulted.
Defaults to
.q "<$g>" .
It is commonly redefined to be
.q "$?x$x <$g>$|$g$."
or
.q "$g$?x ($x)$." ,
corresponding to the following two formats:
.(b
Eric Allman <eric@CS.Berkeley.EDU>
eric@CS.Berkeley.EDU (Eric Allman)
.)b
.i Sendmail
properly quotes names that have special characters
if the first form is used.
.ip $r
Protocol used to receive the message.
Set from the
.b \-p
command line flag or by the SMTP server code.
.ip $s
Sender's host name.
Set from the
.b \-p
command line flag or by the SMTP server code
(in which case it is set to the EHLO/HELO parameter).
.ip $t
A numeric representation of the current time in the format YYYYMMDDHHmm
(4 digit year 1900-9999, 2 digit month 01-12, 2 digit day 01-31,
2 digit hours 00-23, 2 digit minutes 00-59).
.ip $u
The recipient user.
.ip $v
The version number of the
.i sendmail
binary.
.ip $w\(dd
The hostname of this site.
This is the root name of this host (but see below for caveats).
.ip $x
The full name of the sender.
.ip $z
The home directory of the recipient.
.ip $_
The validated sender address.
See also
.b ${client_resolve} .
.ip ${addr_type}
The type of the address which is currently being rewritten.
This macro contains up to three characters, the first
is either `e' or `h' for envelope/header address,
the second is a space,
and the third is either `s' or `r' for sender/recipient address.
.ip ${alg_bits}
The maximum keylength (in bits) of the symmetric encryption algorithm
used for a TLS connection.
This may be less than the effective keylength,
which is stored in
.b ${cipher_bits} ,
for ``export controlled'' algorithms.
.ip ${auth_authen}
The client's authentication credentials as determined by authentication
(only set if successful).
The format depends on the mechanism used, it might be just `user',
or `user@realm', or something similar (SMTP AUTH only).
.ip ${auth_author}
The authorization identity, i.e. the AUTH= parameter of the
.sm "SMTP MAIL"
command if supplied.
.ip ${auth_type}
The mechanism used for SMTP authentication
(only set if successful).
.ip ${auth_ssf}
The keylength (in bits) of the symmetric encryption algorithm
used for the security layer of a SASL mechanism.
.ip ${bodytype}
The message body type
(7BIT or 8BITMIME),
as determined from the envelope.
.ip ${cert_issuer}
The DN (distinguished name) of the CA (certificate authority)
that signed the presented certificate (the cert issuer)
(STARTTLS only).
.ip ${cert_md5}
The MD5 hash of the presented certificate (STARTTLS only).
.ip ${cert_subject}
The DN of the presented certificate (called the cert subject)
(STARTTLS only).
.ip ${cipher}
The cipher suite used for the connection, e.g., EDH-DSS-DES-CBC3-SHA,
EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA
(STARTTLS only).
.ip ${cipher_bits}
The effective keylength (in bits) of the symmetric encryption algorithm
used for a TLS connection.
.ip ${client_addr}
The IP address of the SMTP client.
IPv6 addresses are tagged with "IPv6:" before the address.
Defined in the SMTP server only.
.ip ${client_connections}
The number of open connections in the SMTP server for the client IP address.
.ip ${client_flags}
The flags specified by the
Modifier= part of
.b ClientPortOptions
where flags are separated from each other by spaces
and upper case flags are doubled.
That is,
Modifier=hA
will be represented as
"h AA" in
.b ${client_flags} ,
which is required for testing the flags in rulesets.
.ip ${client_name}
The host name of the SMTP client.
This may be the client's bracketed IP address
in the form [ nnn.nnn.nnn.nnn ] for IPv4
and [ IPv6:nnnn:...:nnnn ] for IPv6
if the client's
IP address is not resolvable, or if it is resolvable
but the IP address of the resolved hostname
doesn't match the original IP address.
Defined in the SMTP server only.
See also
.b ${client_resolve} .
.ip ${client_port}
The port number of the SMTP client.
Defined in the SMTP server only.
.ip ${client_ptr}
The result of the PTR lookup for the client IP address.
Note: this is the same as
.b ${client_name}
if and only if
.b ${client_resolve}
is OK.
Defined in the SMTP server only.
.ip ${client_rate}
The number of incoming connections for the client IP address
over the time interval specified by ConnectionRateWindowSize.
.ip ${client_resolve}
Holds the result of the resolve call for
.b ${client_name} .
Possible values are:
.(b
.ta 10n
OK      resolved successfully
FAIL    permanent lookup failure
FORGED  forward lookup doesn't match reverse lookup
TEMP    temporary lookup failure
.)b
Defined in the SMTP server only.
.i sendmail
performs a hostname lookup on the IP address of the connecting client.
Next the IP addresses of that hostname are looked up.
If the client IP address does not appear in that list,
then the hostname is maybe forged.
This is reflected as the value FORGED for
.b ${client_resolve}
and it also shows up in
.b $_
as "(may be forged)".
.ip ${cn_issuer}
The CN (common name) of the CA that signed the presented certificate
(STARTTLS only).
Note: if the CN cannot be extracted properly it will be replaced by
one of these strings based on the encountered error:
.(b
.ta 25n
BadCertificateContainsNUL       CN contains a NUL character
BadCertificateTooLong   CN is too long
BadCertificateUnknown   CN could not be extracted
.)b
In the last case, some other (unspecific) error occurred.
.ip ${cn_subject}
The CN (common name) of the presented certificate
(STARTTLS only).
See
.b ${cn_issuer}
for possible replacements.
.ip ${currHeader}
Header value as quoted string
(possibly truncated to
.b MAXNAME ).
This macro is only available in header check rulesets.
.ip ${daemon_addr}
The IP address the daemon is listening on for connections.
.ip ${daemon_family}
The network family
if the daemon is accepting network connections.
Possible values include
.q inet ,
.q inet6 ,
.q iso ,
.q ns ,
.q x.25
.ip ${daemon_flags}
The flags for the daemon as specified by the
Modifier= part of
.b DaemonPortOptions
whereby the flags are separated from each other by spaces,
and upper case flags are doubled.
That is,
Modifier=Ea
will be represented as
"EE a" in
.b ${daemon_flags} ,
which is required for testing the flags in rulesets.
.ip ${daemon_info}
Some information about a daemon as a text string.
For example,
.q SMTP+queueing@00:30:00 .
.ip ${daemon_name}
The name of the daemon from
.b DaemonPortOptions
Name= suboption.
If this suboption is not set,
"Daemon#",
where # is the daemon number,
is used.
.ip ${daemon_port}
The port the daemon is accepting connection on.
Unless
.b DaemonPortOptions
is set, this will most likely be
.q 25 .
.ip ${deliveryMode}
The current delivery mode sendmail is using.
It is initially set to the value of the
.b DeliveryMode
option.
.ip ${envid}
The envelope id parameter (ENVID=) passed to sendmail as part of the envelope.
.ip ${hdrlen}
The length of the header value which is stored in
${currHeader} (before possible truncation).
If this value is greater than or equal to
.b MAXNAME
the header has been truncated.
.ip ${hdr_name}
The name of the header field for which the current header
check ruleset has been called.
This is useful for a default header check ruleset to get
the name of the header;
the macro is only available in header check rulesets.
.ip ${if_addr}
The IP address of the interface of an incoming connection
unless it is in the loopback net.
IPv6 addresses are tagged with "IPv6:" before the address.
.ip ${if_addr_out}
The IP address of the interface of an outgoing connection
unless it is in the loopback net.
IPv6 addresses are tagged with "IPv6:" before the address.
.ip ${if_family}
The IP family of the interface of an incoming connection
unless it is in the loopback net.
.ip ${if_family_out}
The IP family of the interface of an outgoing connection
unless it is in the loopback net.
.ip ${if_name}
The hostname associated with the interface of an incoming connection.
This macro can be used for
SmtpGreetingMessage and HReceived for virtual hosting.
For example:
.(b
O SmtpGreetingMessage=$?{if_name}${if_name}$|$j$. MTA
.)b
.ip ${if_name_out}
The name of the interface of an outgoing connection.
.ip ${load_avg}
The current load average.
.ip ${mail_addr}
The address part of the resolved triple of the address given for the
.sm "SMTP MAIL"
command.
Defined in the SMTP server only.
.ip ${mail_host}
The host from the resolved triple of the address given for the
.sm "SMTP MAIL"
command.
Defined in the SMTP server only.
.ip ${mail_mailer}
The mailer from the resolved triple of the address given for the
.sm "SMTP MAIL"
command.
Defined in the SMTP server only.
.ip ${msg_id}
The value of the Message-Id: header.
.ip ${msg_size}
The value of the SIZE= parameter,
i.e., usually the size of the message (in an ESMTP dialogue),
before the message has been collected, thereafter
the message size as computed by
.i sendmail
(and can be used in check_compat).
.ip ${nbadrcpts}
The number of bad recipients for a single message.
.ip ${nrcpts}
The number of validated recipients for a single message.
Note: since recipient validation happens after
.i check_rcpt
has been called, the value in this ruleset
is one less than what might be expected.
.ip ${ntries}
The number of delivery attempts.
.ip ${opMode}
The current operation mode (from the
.b \-b
flag).
.ip ${quarantine}
The quarantine reason for the envelope,
if it is quarantined.
.ip ${queue_interval}
The queue run interval given by the
.b \-q
flag.
For example,
.b \-q30m
would set
.b ${queue_interval}
to
.q 00:30:00 .
.ip ${rcpt_addr}
The address part of the resolved triple of the address given for the
.sm "SMTP RCPT"
command.
Defined in the SMTP server only after a RCPT command.
.ip ${rcpt_host}
The host from the resolved triple of the address given for the
.sm "SMTP RCPT"
command.
Defined in the SMTP server only after a RCPT command.
.ip ${rcpt_mailer}
The mailer from the resolved triple of the address given for the
.sm "SMTP RCPT"
command.
Defined in the SMTP server only after a RCPT command.
.ip ${server_addr}
The address of the server of the current outgoing SMTP connection.
For LMTP delivery the macro is set to the name of the mailer.
.ip ${server_name}
The name of the server of the current outgoing SMTP or LMTP connection.
.ip ${time}
The output of the
.i time (3)
function, i.e., the number of seconds since 0 hours, 0 minutes,
0 seconds, January 1, 1970, Coordinated Universal Time (UTC).
.ip ${tls_version}
The TLS/SSL version used for the connection, e.g., TLSv1, SSLv3, SSLv2;
defined after STARTTLS has been used.
.ip ${total_rate}
The total number of incoming connections over the time interval specified
by ConnectionRateWindowSize.
.ip ${verify}
The result of the verification of the presented cert;
only defined after STARTTLS has been used (or attempted).
Possible values are:
.(b
.ta 13n
OK      verification succeeded.
NO      no cert presented.
NOT     no cert requested.
FAIL    cert presented but could not be verified,
        e.g., the signing CA is missing.
NONE    STARTTLS has not been performed.
TEMP    temporary error occurred.
PROTOCOL        some protocol error occurred
        at the ESMTP level (not TLS).
SOFTWARE        STARTTLS handshake failed,
        which is a fatal error for this session,
        the e-mail will be queued.
.)b
.pp
There are three types of dates that can be used.
The
.b $a
and
.b $b
macros are in RFC 822 format;
.b $a
is the time as extracted from the
.q Date:
line of the message
(if there was one),
and
.b $b
is the current date and time
(used for postmarks).
If no
.q Date:
line is found in the incoming message,
.b $a
is set to the current time also.
The
.b $d
macro is equivalent to the
.b $b
macro in UNIX
(ctime)
format.
.pp
The macros
.b $w ,
.b $j ,
and
.b $m
are set to the identity of this host.
.i Sendmail
tries to find the fully qualified name of the host
if at all possible;
it does this by calling
.i gethostname (2)
to get the current hostname
and then passing that to
.i gethostbyname (3)
which is supposed to return the canonical version of that host name.\**
.(f
\**For example, on some systems
.i gethostname
might return
.q foo
which would be mapped to
.q foo.bar.com
by
.i gethostbyname .
.)f
Assuming this is successful,
.b $j
is set to the fully qualified name
and
.b $m
is set to the domain part of the name
(everything after the first dot).
The
.b $w
macro is set to the first word
(everything before the first dot)
if you have a level 5 or higher configuration file;
otherwise, it is set to the same value as
.b $j .
If the canonification is not successful,
it is imperative that the config file set
.b $j
to the fully qualified domain name\**.
.(f
\**Older versions of sendmail didn't pre-define
.b $j
at all, so up until 8.6,
config files
.i always
had to define
.b $j .
.)f
.pp
The
.b $f
macro is the id of the sender
as originally determined;
when mailing to a specific host
the
.b $g
macro is set to the address of the sender
.ul
relative to the recipient.
For example,
if I send to
.q bollard@matisse.CS.Berkeley.EDU
from the machine
.q vangogh.CS.Berkeley.EDU
the
.b $f
macro will be
.q eric
and the
.b $g
macro will be
.q eric@vangogh.CS.Berkeley.EDU.
.pp
The
.b $x
macro is set to the full name of the sender.
This can be determined in several ways.
It can be passed as flag to
.i sendmail .
It can be defined in the
.sm NAME
environment variable.
The third choice is the value of the
.q Full-Name:
line in the header if it exists,
and the fourth choice is the comment field
of a
.q From:
line.
If all of these fail,
and if the message is being originated locally,
the full name is looked up in the
.i /etc/passwd
file.
.pp
When sending,
the
.b $h ,
.b $u ,
and
.b $z
macros get set to the host, user, and home directory
(if local)
of the recipient.
The first two are set from the
.b $@
and
.b $:
part of the rewriting rules, respectively.
.pp
The
.b $p
and
.b $t
macros are used to create unique strings
(e.g., for the
.q Message-Id:
field).
The
.b $i
macro is set to the queue id on this host;
if put into the timestamp line
it can be extremely useful for tracking messages.
The
.b $v
macro is set to be the version number of
.i sendmail ;
this is normally put in timestamps
and has been proven extremely useful for debugging.
.pp
The
.b $c
field is set to the
.q "hop count,"
i.e., the number of times this message has been processed.
This can be determined
by the
.b \-h
flag on the command line
or by counting the timestamps in the message.
.pp
The
.b $r
and
.b $s
fields are set to the protocol used to communicate with
.i sendmail
and the sending hostname.
They can be set together using the
.b \-p
command line flag or separately using the
.b \-M
or
.b \-oM
flags.
.pp
The
.b $_
is set to a validated sender host name.
If the sender is running an RFC 1413 compliant IDENT server
and the receiver has the IDENT protocol turned on,
it will include the user name on that host.
.pp
The
.b ${client_name} ,
.b ${client_addr} ,
and
.b ${client_port}
macros
are set to the name, address, and port number of the SMTP client
who is invoking
.i sendmail
as a server.
These can be used in the
.i check_*
rulesets (using the
.b $&
deferred evaluation form, of course!).
.sh 2 "C and F \*- Define Classes"
.pp
Classes of phrases may be defined
to match on the left hand side of rewriting rules,
where a
.q phrase
is a sequence of characters that does not contain space characters.
For example
a class of all local names for this site
might be created
so that attempts to send to oneself
can be eliminated.
These can either be defined directly in the configuration file
or read in from another file.
Classes are named as a single letter or a word in {braces}.
Class names beginning with lower case letters
and special characters are reserved for system use.
Classes defined in config files may be given names
from the set of upper case letters for short names
or beginning with an upper case letter for long names.
.pp
The syntax is:
.(b F
.b C \c
.i c\|phrase1
.i phrase2...
.br
.b F \c
.i c\|file
.br
.b F \c
.i c\||program
.br
.b F \c
.i c\|[mapkey]@mapclass:mapspec
.)b
The first form defines the class
.i c
to match any of the named words.
If
.i phrase1
or
.i phrase2
is another class,
e.g.,
.i $=S ,
the contents of class
.i S
are added to class
.i c .
It is permissible to split them among multiple lines;
for example, the two forms:
.(b
CHmonet ucbmonet
.)b
and
.(b
CHmonet
CHucbmonet
.)b
are equivalent.
The ``F'' forms
read the elements of the class
.i c
from the named
.i file ,
.i program ,
or
.i "map specification" .
Each element should be listed on a separate line.
To specify an optional file, use ``\-o'' between the class
name and the file name, e.g.,
.(b
Fc \-o /path/to/file
.)b
If the file can't be used,
.i sendmail
will not complain but silently ignore it.
The map form should be an optional map key, an at sign,
and a map class followed by the specification for that map.
Examples include:
.(b
F{VirtHosts}@ldap:\-k (&(objectClass=virtHosts)(host=*)) \-v host
F{MyClass}foo@hash:/etc/mail/classes
.)b
will fill the class
.b $={VirtHosts}
from an LDAP map lookup and
.b $={MyClass}
from a hash database map lookup of the
.b foo .
There is also a built-in schema that can be accessed by only specifying:
.(b
F{\c
.i ClassName }@LDAP
.)b
This will tell sendmail to use the default schema:
.(b
\-k (&(objectClass=sendmailMTAClass)
     (sendmailMTAClassName=\c
.i ClassName )
     (|(sendmailMTACluster=${sendmailMTACluster})
       (sendmailMTAHost=$j)))
\-v sendmailMTAClassValue
.)b
Note that the lookup is only done when sendmail is initially started.
.pp
Elements of classes can be accessed in rules using
.b $=
or
.b $~ .
The
.b $~
(match entries not in class)
only matches a single word;
multi-word entries in the class are ignored in this context.
.pp
Some classes have internal meaning to
.i sendmail :
.nr ii 0.5i
.\".ip $=b
.\"A set of Content-Types that will not have the newline character
.\"translated to CR-LF before encoding into base64 MIME.
.\"The class can have major times
.\"(e.g.,
.\".q image )
.\"or full types
.\"(such as
.\".q application/octet-stream ).
.\"The class is initialized with
.\".q application/octet-stream ,
.\".q image ,
.\".q audio ,
.\"and
.\".q video .
.ip $=e
contains the Content-Transfer-Encodings that can be 8\(->7 bit encoded.
It is predefined to contain
.q 7bit ,
.q 8bit ,
and
.q binary .
.ip $=k
set to be the same as
.b $k ,
that is, the UUCP node name.
.ip $=m
set to the set of domains by which this host is known,
initially just
.b $m .
.ip $=n
can be set to the set of MIME body types
that can never be eight to seven bit encoded.
It defaults to
.q multipart/signed .
Message types
.q message/*
and
.q multipart/*
are never encoded directly.
Multipart messages are always handled recursively.
The handling of message/* messages
are controlled by class
.b $=s .
.ip $=q
A set of Content-Types that will never be encoded as base64
(if they have to be encoded, they will be encoded as quoted-printable).
It can have primary types
(e.g.,
.q text )
or full types
(such as
.q text/plain ).
The class is initialized to have
.q text/plain
only.
.ip $=s
contains the set of subtypes of message that can be treated recursively.
By default it contains only
.q rfc822 .
Other
.q message/*
types cannot be 8\(->7 bit encoded.
If a message containing eight bit data is sent to a seven bit host,
and that message cannot be encoded into seven bits,
it will be stripped to 7 bits.
.ip $=t
set to the set of trusted users by the
.b T
configuration line.
If you want to read trusted users from a file, use
.b Ft \c
.i /file/name .
.ip $=w
set to be the set of all names
this host is known by.
This can be used to match local hostnames.
.ip $={persistentMacros}
set to the macros that should be saved across queue runs.
Care should be taken when adding macro names to this class.
.pp
.i Sendmail
can be compiled to allow a
.i scanf (3)
string on the
.b F
line.
This lets you do simplistic parsing of text files.
For example, to read all the user names in your system
.i /etc/passwd
file into a class, use
.(b
FL/etc/passwd %[^:]
.)b
which reads every line up to the first colon.
.sh 2 "M \*- Define Mailer"
.pp
Programs and interfaces to mailers
are defined in this line.
The format is:
.(b F
.b M \c
.i name ,
{\c
.i field =\c
.i value \|}*
.)b
where
.i name
is the name of the mailer
(used internally only)
and the
.q field=name
pairs define attributes of the mailer.
Fields are:
.(b
.ta 1i
Path    The pathname of the mailer
Flags   Special flags for this mailer
Sender  Rewriting set(s) for sender addresses
Recipient       Rewriting set(s) for recipient addresses
recipients      Maximum number of recipients per connection
Argv    An argument vector to pass to this mailer
Eol     The end-of-line string for this mailer
Maxsize The maximum message length to this mailer
maxmessages     The maximum message deliveries per connection
Linelimit       The maximum line length in the message body
Directory       The working directory for the mailer
Userid  The default user and group id to run as
Nice    The nice(2) increment for the mailer
Charset The default character set for 8-bit characters
Type    Type information for DSN diagnostics
Wait    The maximum time to wait for the mailer
Queuegroup      The default queue group for the mailer
/       The root directory for the mailer
.)b
Only the first character of the field name is checked
(it's case-sensitive).
.pp
The following flags may be set in the mailer description.
Any other flags may be used freely
to conditionally assign headers to messages
destined for particular mailers.
Flags marked with \(dg
are not interpreted by the
.i sendmail
binary;
these are the conventionally used to correlate to the flags portion
of the
.b H
line.
Flags marked with \(dd
apply to the mailers for the sender address
rather than the usual recipient mailers.
.nr ii 4n
.ip a
Run Extended SMTP (ESMTP) protocol (defined in RFCs 1869, 1652, and 1870).
This flag defaults on if the SMTP greeting message includes the word
.q ESMTP .
.ip A
Look up the user (address) part of the resolved mailer triple,
in the alias database.
Normally this is only set for local mailers.
.ip b
Force a blank line on the end of a message.
This is intended to work around some stupid versions of
/bin/mail
that require a blank line, but do not provide it themselves.
It would not normally be used on network mail.
.ip B
Strip leading backslashes (\e) off of the address;
this is a subset of the functionality of the
.b s
flag.
.ip c
Do not include comments in addresses.
This should only be used if you have to work around
a remote mailer that gets confused by comments.
This strips addresses of the form
.q "Phrase <address>"
or
.q "address (Comment)"
down to just
.q address .
.ip C\(dd
If mail is
.i received
from a mailer with this flag set,
any addresses in the header that do not have an at sign
(\c
.q @ )
after being rewritten by ruleset three
will have the
.q @domain
clause from the sender envelope address
tacked on.
This allows mail with headers of the form:
.(b
From: usera@hosta
To: userb@hostb, userc
.)b
to be rewritten as:
.(b
From: usera@hosta
To: userb@hostb, userc@hosta
.)b
automatically.
However, it doesn't really work reliably.
.ip d
Do not include angle brackets around route-address syntax addresses.
This is useful on mailers that are going to pass addresses to a shell
that might interpret angle brackets as I/O redirection.
However, it does not protect against other shell metacharacters.
Therefore, passing addresses to a shell should not be considered secure.
.ip D\(dg
This mailer wants a
.q Date:
header line.
.ip e
This mailer is expensive to connect to,
so try to avoid connecting normally;
any necessary connection will occur during a queue run.
See also option
.b HoldExpensive .
.ip E
Escape lines beginning with
.q From\0
in the message with a `>' sign.
.ip f
The mailer wants a
.b \-f
.i from
flag,
but only if this is a network forward operation
(i.e.,
the mailer will give an error
if the executing user
does not have special permissions).
.ip F\(dg
This mailer wants a
.q From:
header line.
.ip g
Normally,
.i sendmail
sends internally generated email (e.g., error messages)
using the null return address
as required by RFC 1123.
However, some mailers don't accept a null return address.
If necessary,
you can set the
.b g
flag to prevent
.i sendmail
from obeying the standards;
error messages will be sent as from the MAILER-DAEMON
(actually, the value of the
.b $n
macro).
.ip h
Upper case should be preserved in host names
(the $@ portion of the mailer triplet resolved from ruleset 0)
for this mailer.
.ip i
Do User Database rewriting on envelope sender address.
.ip I
This mailer will be speaking SMTP
to another
.i sendmail
\*-
as such it can use special protocol features.
This flag should not be used except for debugging purposes
because it uses
.b VERB
as SMTP command.
.ip j
Do User Database rewriting on recipients as well as senders.
.ip k
Normally when
.i sendmail
connects to a host via SMTP,
it checks to make sure that this isn't accidently the same host name
as might happen if
.i sendmail
is misconfigured or if a long-haul network interface is set in loopback mode.
This flag disables the loopback check.
It should only be used under very unusual circumstances.
.ip K
Currently unimplemented.
Reserved for chunking.
.ip l
This mailer is local
(i.e.,
final delivery will be performed).
.ip L
Limit the line lengths as specified in RFC 821.
This deprecated option should be replaced by the
.b L=
mail declaration.
For historic reasons, the
.b L
flag also sets the
.b 7
flag.
.ip m
This mailer can send to multiple users
on the same host
in one transaction.
When a
.b $u
macro occurs in the
.i argv
part of the mailer definition,
that field will be repeated as necessary
for all qualifying users.
Removing this flag can defeat duplicate supression on a remote site
as each recipient is sent in a separate transaction.
.ip M\(dg
This mailer wants a
.q Message-Id:
header line.
.ip n
Do not insert a UNIX-style
.q From
line on the front of the message.
.ip o
Always run as the owner of the recipient mailbox.
Normally
.i sendmail
runs as the sender for locally generated mail
or as
.q daemon
(actually, the user specified in the
.b u
option)
when delivering network mail.
The normal behavior is required by most local mailers,
which will not allow the envelope sender address
to be set unless the mailer is running as daemon.
This flag is ignored if the
.b S
flag is set.
.ip p
Use the route-addr style reverse-path in the SMTP
.q "MAIL FROM:"
command
rather than just the return address;
although this is required in RFC 821 section 3.1,
many hosts do not process reverse-paths properly.
Reverse-paths are officially discouraged by RFC 1123.
.ip P\(dg
This mailer wants a
.q Return-Path:
line.
.ip q
When an address that resolves to this mailer is verified
(SMTP VRFY command),
generate 250 responses instead of 252 responses.
This will imply that the address is local.
.ip r
Same as
.b f ,
but sends a
.b \-r
flag.
.ip R
Open SMTP connections from a
.q secure
port.
Secure ports aren't
(secure, that is)
except on UNIX machines,
so it is unclear that this adds anything.
.i sendmail
must be running as root to be able to use this flag.
.ip s
Strip quote characters (" and \e) off of the address
before calling the mailer.
.ip S
Don't reset the userid
before calling the mailer.
This would be used in a secure environment
where
.i sendmail
ran as root.
This could be used to avoid forged addresses.
If the
.b U=
field is also specified,
this flag causes the effective user id to be set to that user.
.ip u
Upper case should be preserved in user names for this mailer.  Standards
require preservation of case in the local part of addresses, except for
those address for which your system accepts responsibility.
RFC 2142 provides a long list of addresses which should be case
insensitive.
If you use this flag, you may be violating RFC 2142.
Note that postmaster is always treated as a case insensitive address
regardless of this flag.
.ip U
This mailer wants UUCP-style
.q From
lines with the ugly
.q "remote from <host>"
on the end.
.ip w
The user must have a valid account on this machine,
i.e.,
.i getpwnam
must succeed.
If not, the mail is bounced.
See also the
.b MailBoxDatabase
option.
This is required to get
.q \&.forward
capability.
.ip W
Ignore long term host status information (see Section
"Persistent Host Status Information").
.ip x\(dg
This mailer wants a
.q Full-Name:
header line.
.ip X
This mailer wants to use the hidden dot algorithm as specified in RFC 821;
basically, any line beginning with a dot will have an extra dot prepended
(to be stripped at the other end).
This insures that lines in the message containing a dot
will not terminate the message prematurely.
.ip z
Run Local Mail Transfer Protocol (LMTP)
between
.i sendmail
and the local mailer.
This is a variant on SMTP
defined in RFC 2033
that is specifically designed for delivery to a local mailbox.
.ip Z
Apply DialDelay (if set) to this mailer.
.ip 0
Don't look up MX records for hosts sent via SMTP/LMTP.
Do not apply
.b FallbackMXhost
either.
.ip 1
Don't send null characters ('\\0') to this mailer.
.ip 2
Don't use ESMTP even if offered; this is useful for broken
systems that offer ESMTP but fail on EHLO (without recovering
when HELO is tried next).
.ip 3
Extend the list of characters converted to =XX notation
when converting to Quoted-Printable
to include those that don't map cleanly between ASCII and EBCDIC.
Useful if you have IBM mainframes on site.
.ip 5
If no aliases are found for this address,
pass the address through ruleset 5 for possible alternate resolution.
This is intended to forward the mail to an alternate delivery spot.
.ip 6
Strip headers to seven bits.
.ip 7
Strip all output to seven bits.
This is the default if the
.b L
flag is set.
Note that clearing this option is not
sufficient to get full eight bit data passed through
.i sendmail .
If the
.b 7
option is set, this is essentially always set,
since the eighth bit was stripped on input.
Note that this option will only impact messages
that didn't have 8\(->7 bit MIME conversions performed.
.ip 8
If set,
it is acceptable to send eight bit data to this mailer;
the usual attempt to do 8\(->7 bit MIME conversions will be bypassed.
.ip 9
If set,
do
.i limited
7\(->8 bit MIME conversions.
These conversions are limited to text/plain data.
.ip :
Check addresses to see if they begin
.q :include: ;
if they do, convert them to the
.q *include*
mailer.
.ip |
Check addresses to see if they begin with a `|';
if they do, convert them to the
.q prog
mailer.
.ip /
Check addresses to see if they begin with a `/';
if they do, convert them to the
.q *file*
mailer.
.ip @
Look up addresses in the user database.
.ip %
Do not attempt delivery on initial receipt of a message
or on queue runs
unless the queued message is selected
using one of the -qI/-qR/-qS queue run modifiers
or an ETRN request.
.pp
Configuration files prior to level 6
assume the `A', `w', `5', `:', `|', `/', and `@' options
on the mailer named
.q local .
.pp
The mailer with the special name
.q error
can be used to generate a user error.
The (optional) host field is an exit status to be returned,
and the user field is a message to be printed.
The exit status may be numeric or one of the values
USAGE, NOUSER, NOHOST, UNAVAILABLE, SOFTWARE, TEMPFAIL, PROTOCOL, or CONFIG
to return the corresponding EX_ exit code,
or an enhanced error code as described in RFC 1893,
.ul
Enhanced Mail System Status Codes.
For example, the entry:
.(b
$#error $@ NOHOST $: Host unknown in this domain
.)b
on the RHS of a rule
will cause the specified error to be generated
and the
.q "Host unknown"
exit status to be returned
if the LHS matches.
This mailer is only functional in rulesets 0, 5,
or one of the check_* rulesets.
The host field can also contain the special token
.b quarantine
which instructs sendmail to quarantine the current message.
.pp
The mailer with the special name
.q discard
causes any mail sent to it to be discarded
but otherwise treated as though it were successfully delivered.
This mailer cannot be used in ruleset 0,
only in the various address checking rulesets.
.pp
The mailer named
.q local
.i must
be defined in every configuration file.
This is used to deliver local mail,
and is treated specially in several ways.
Additionally, three other mailers named
.q prog ,
.q *file* ,
and
.q *include*
may be defined to tune the delivery of messages to programs,
files,
and :include: lists respectively.
They default to:
.(b
Mprog, P=/bin/sh, F=lsoDq9, T=DNS/RFC822/X-Unix, A=sh \-c $u
M*file*, P=[FILE], F=lsDFMPEouq9, T=DNS/RFC822/X-Unix, A=FILE $u
M*include*, P=/dev/null, F=su, A=INCLUDE $u
.)b
.pp
Builtin pathnames are [FILE] and [IPC], the former is used for
delivery to files, the latter for delivery via interprocess communication.
For mailers that use [IPC] as pathname the argument vector (A=)
must start with TCP or FILE for delivery via a TCP or a Unix domain socket.
If TCP is used, the second argument must be the name of the host
to contact.
Optionally a third argument can be used to specify a port,
the default is smtp (port 25).
If FILE is used, the second argument must be the name of
the Unix domain socket.
.pp
If the argument vector does not contain $u then
.i sendmail
will speak SMTP (or LMTP if the mailer flag z is specified) to the mailer.
.pp
If no Eol field is defined, then the default is "\\r\\n" for
SMTP mailers and "\\n" of others.
.pp
The Sender and Recipient rewriting sets
may either be a simple ruleset id
or may be two ids separated by a slash;
if so, the first rewriting set is applied to envelope
addresses
and the second is applied to headers.
Setting any value to zero disables corresponding mailer-specific rewriting.
.pp
The Directory
is actually a colon-separated path of directories to try.
For example, the definition
.q D=$z:/
first tries to execute in the recipient's home directory;
if that is not available,
it tries to execute in the root of the filesystem.
This is intended to be used only on the
.q prog
mailer,
since some shells (such as
.i csh )
refuse to execute if they cannot read the current directory.
Since the queue directory is not normally readable by unprivileged users
.i csh
scripts as recipients can fail.
.pp
The Userid
specifies the default user and group id to run as,
overriding the
.b DefaultUser
option (q.v.).
If the
.b S
mailer flag is also specified,
this user and group will be set as the
effective uid and gid for the process.
This may be given as
.i user:group
to set both the user and group id;
either may be an integer or a symbolic name to be looked up
in the
.i passwd
and
.i group
files respectively.
If only a symbolic user name is specified,
the group id in the
.i passwd
file for that user is used as the group id.
.pp
The Charset field
is used when converting a message to MIME;
this is the character set used in the
Content-Type: header.
If this is not set, the
.b DefaultCharset
option is used,
and if that is not set, the value
.q unknown-8bit
is used.
.b WARNING:
this field applies to the sender's mailer,
not the recipient's mailer.
For example, if the envelope sender address
lists an address on the local network
and the recipient is on an external network,
the character set will be set from the Charset= field
for the local network mailer,
not that of the external network mailer.
.pp
The Type= field
sets the type information
used in MIME error messages
as defined by
RFC 1894.
It is actually three values separated by slashes:
the MTA-type (that is, the description of how hosts are named),
the address type (the description of e-mail addresses),
and the diagnostic type (the description of error diagnostic codes).
Each of these must be a registered value
or begin with
.q X\- .
The default is
.q dns/rfc822/smtp .
.pp
The m= field specifies the maximum number of messages
to attempt to deliver on a single SMTP or LMTP connection.
The default is infinite.
.pp
The r= field specifies the maximum number of recipients
to attempt to deliver in a single envelope.
It defaults to 100.
.pp
The /= field specifies a new root directory for the mailer.  The path is
macro expanded and then passed to the
.q chroot
system call.  The root directory is changed before the Directory field is
consulted or the uid is changed.
.pp
The Wait= field specifies the maximum time to wait for the
mailer to return after sending all data to it.
This applies to mailers that have been forked by
.i sendmail .
.pp
The Queuegroup= field specifies the default queue group in which
received mail should be queued.
This can be overridden by other means as explained in section
``Queue Groups and Queue Directories''.
.sh 2 "H \*- Define Header"
.pp
The format of the header lines that
.i sendmail
inserts into the message
are defined by the
.b H
line.
The syntax of this line is one of the following:
.(b F
.b H \c
.i hname \c
.b :
.i htemplate
.)b
.(b F
.b H [\c
.b ? \c
.i mflags \c
.b ? \c
.b ]\c
.i hname \c
.b :
.i htemplate
.)b
.(b F
.b H [\c
.b ?$ \c
.i {macro} \c
.b ? \c
.b ]\c
.i hname \c
.b :
.i htemplate
.)b
Continuation lines in this spec
are reflected directly into the outgoing message.
The
.i htemplate
is macro-expanded before insertion into the message.
If the
.i mflags
(surrounded by question marks)
are specified,
at least one of the specified flags
must be stated in the mailer definition
for this header to be automatically output.
If a
.i ${macro}
(surrounded by question marks)
is specified,
the header will be automatically output
if the macro is set.
The macro may be set using any of the normal methods,
including using the
.b macro
storage map in a ruleset.
If one of these headers is in the input
it is reflected to the output
regardless of these flags or macros.
Notice:
If a
.i ${macro}
is used to set a header, then it is useful to add that macro to class
.i $={persistentMacros}
which consists of the macros that should be saved across queue runs.
.pp
Some headers have special semantics
that will be described later.
.pp
A secondary syntax allows validation of headers as they are being read.
To enable validation, use:
.(b
.b H \c
.i Header \c
.b ": $>" \c
.i Ruleset
.b H \c
.i Header \c
.b ": $>+" \c
.i Ruleset
.)b
The indicated
.i Ruleset
is called for the specified
.i Header ,
and can return
.b $#error
to reject or quarantine the message or
.b $#discard
to discard the message
(as with the other
.b check_ *
rulesets).
The ruleset receives the header field-body as argument,
i.e., not the header field-name; see also
${hdr_name} and ${currHeader}.
The header is treated as a structured field,
that is,
text in parentheses is deleted before processing,
unless the second form
.b $>+
is used.
Note: only one ruleset can be associated with a header;
.i sendmail
will silently ignore multiple entries.
.pp
For example, the configuration lines:
.(b
HMessage-Id: $>CheckMessageId

SCheckMessageId
R< $+ @ $+  >   $@ OK
R$*             $#error $: Illegal Message-Id header
.)b
would refuse any message that had a Message-Id: header of any of the
following forms:
.(b
Message-Id: <>
Message-Id: some text
Message-Id: <legal text@domain> extra crud
.)b
A default ruleset that is called for headers which don't have a
specific ruleset defined for them can be specified by:
.(b
.b H \c
.i * \c
.b ": $>" \c
.i Ruleset
.)b
or
.(b
.b H \c
.i * \c
.b ": $>+" \c
.i Ruleset
.)b
.sh 2 "O \*- Set Option"
.pp
There are a number of global options that
can be set from a configuration file.
Options are represented by full words;
some are also representable as single characters for back compatibility.
The syntax of this line is:
.(b F
.b O \0
.i option \c
.b = \c
.i value
.)b
This sets option
.i option
to be
.i value .
Note that there
.i must
be a space between the letter `O' and the name of the option.
An older version is:
.(b F
.b O \c
.i o\|value
.)b
where the option
.i o
is a single character.
Depending on the option,
.i value
may be a string, an integer,
a boolean
(with legal values
.q t ,
.q T ,
.q f ,
or
.q F ;
the default is TRUE),
or
a time interval.
.pp
All filenames used in options should be absolute paths,
i.e., starting with '/'.
Relative filenames most likely cause surprises during operation
(unless otherwise noted).
.pp
The options supported (with the old, one character names in brackets) are:
.nr ii 1i
.ip "AliasFile=\fIspec, spec, ...\fP"
[A]
Specify possible alias file(s).
Each
.i spec
should be in the format
``\c
.i class \c
.b :
.i info ''
where
.i class \c
.b :
is optional and defaults to ``implicit''.
Note that
.i info
is required for all
.i class es
except
.q ldap .
For the
.q ldap
class,
if
.i info
is not specified,
a default
.i info
value is used as follows:
.(b
\-k (&(objectClass=sendmailMTAAliasObject)
     (sendmailMTAAliasName=aliases)
     (|(sendmailMTACluster=${sendmailMTACluster})
       (sendmailMTAHost=$j))
     (sendmailMTAKey=%0))
\-v sendmailMTAAliasValue
.)b
Depending on how
.i sendmail
is compiled, valid classes are
.q implicit
(search through a compiled-in list of alias file types,
for back compatibility),
.q hash
(if
.sm NEWDB
is specified),
.q btree
(if
.sm NEWDB
is specified),
.q dbm
(if
.sm NDBM
is specified),
.q stab
(internal symbol table \*- not normally used
unless you have no other database lookup),
.q sequence
(use a sequence of maps
previously declared),
.q ldap
(if
.sm LDAPMAP
is specified),
or
.q nis
(if
.sm NIS
is specified).
If a list of
.i spec s
are provided,
.i sendmail
searches them in order.
.ip AliasWait=\fItimeout\fP
[a]
If set,
wait up to
.i timeout
(units default to minutes)
for an
.q @:@
entry to exist in the alias database
before starting up.
If it does not appear in the
.i timeout
interval issue a warning.
.ip AllowBogusHELO
[no short name]
If set, allow HELO SMTP commands that don't include a host name.
Setting this violates RFC 1123 section 5.2.5,
but is necessary to interoperate with several SMTP clients.
If there is a value, it is still checked for legitimacy.
.ip AuthMaxBits=\fIN\fP
[no short name]
Limit the maximum encryption strength for the security layer in
SMTP AUTH (SASL). Default is essentially unlimited.
This allows to turn off additional encryption in SASL if
STARTTLS is already encrypting the communication, because the
existing encryption strength is taken into account when choosing
an algorithm for the security layer.
For example, if STARTTLS is used and the symmetric cipher is 3DES,
then the the keylength (in bits) is 168.
Hence setting
.b AuthMaxBits
to 168 will disable any encryption in SASL.
.ip AuthMechanisms
[no short name]
List of authentication mechanisms for AUTH (separated by spaces).
The advertised list of authentication mechanisms will be the
intersection of this list and the list of available mechanisms as
determined by the Cyrus SASL library.
If STARTTLS is active, EXTERNAL will be added to this list.
In that case, the value of {cert_subject} is used as authentication id.
.ip AuthOptions
[no short name]
List of options for SMTP AUTH consisting of single characters
with intervening white space or commas.
.(b
.ta 4n
A       Use the AUTH= parameter for the MAIL FROM
        command only when authentication succeeded.
        This can be used as a workaround for broken
        MTAs that do not implement RFC 2554 correctly.
a       protection from active (non-dictionary) attacks
        during authentication exchange.
c       require mechanisms which pass client credentials,
        and allow mechanisms which can pass credentials
        to do so.
d       don't permit mechanisms susceptible to passive
        dictionary attack.
f       require forward secrecy between sessions
        (breaking one won't help break next).
m       require mechanisms which provide mutual authentication
        (only available if using Cyrus SASL v2 or later).
p       don't permit mechanisms susceptible to simple
        passive attack (e.g., PLAIN, LOGIN), unless a
        security layer is active.
y       don't permit mechanisms that allow anonymous login.
.)b
The first option applies to sendmail as a client, the others to a server.
Example:
.(b
O AuthOptions=p,y
.)b
would disallow ANONYMOUS as AUTH mechanism and would
allow PLAIN and LOGIN only if a security layer (e.g.,
provided by STARTTLS) is already active.
The options 'a', 'c', 'd', 'f', 'p', and 'y' refer to properties of the
selected SASL mechanisms.
Explanations of these properties can be found in the Cyrus SASL documentation.
.ip AuthRealm
[no short name]
The authentication realm that is passed to the Cyrus SASL library.
If no realm is specified,
.b $j
is used.
.ip BadRcptThrottle=\fIN\fP
[no short name]
If set and the specified number of recipients in a single SMTP
transaction have been rejected, sleep for one second after each subsequent
RCPT command in that transaction.
.ip BlankSub=\fIc\fP
[B]
Set the blank substitution character to
.i c .
Unquoted spaces in addresses are replaced by this character.
Defaults to space (i.e., no change is made).
.ip CACertPath
[no short name]
Path to directory with certificates of CAs.
This directory directory must contain the hashes of each CA certificate
as filenames (or as links to them).
.ip CACertFile
[no short name]
File containing one or more CA certificates;
see section about STARTTLS for more information.
.ip CheckAliases
[n]
Validate the RHS of aliases when rebuilding the alias database.
.ip CheckpointInterval=\fIN\fP
[C]
Checkpoints the queue every
.i N
(default 10)
addresses sent.
If your system crashes during delivery to a large list,
this prevents retransmission to any but the last
.i N
recipients.
.ip ClassFactor=\fIfact\fP
[z]
The indicated
.i fact or
is multiplied by the message class
(determined by the Precedence: field in the user header
and the
.b P
lines in the configuration file)
and subtracted from the priority.
Thus, messages with a higher Priority: will be favored.
Defaults to 1800.
.ip ClientCertFile
[no short name]
File containing the certificate of the client, i.e., this certificate
is used when
.i sendmail
acts as client (for STARTTLS).
.ip ClientKeyFile
[no short name]
File containing the private key belonging to the client certificate
(for STARTTLS if
.i sendmail
runs as client).
.ip ClientPortOptions=\fIoptions\fP
[O]
Set client SMTP options.
The options are
.i key=value
pairs separated by commas.
Known keys are:
.(b
.ta 1i
Port    Name/number of source port for connection (defaults to any free port)
Addr    Address mask (defaults INADDR_ANY)
Family  Address family (defaults to INET)
SndBufSize      Size of TCP send buffer
RcvBufSize      Size of TCP receive buffer
Modifier        Options (flags) for the client
.)b
The
.i Addr ess
mask may be a numeric address in dot notation
or a network name.
.i Modifier
can be the following character:
.(b
.ta 1i
h       use name of interface for HELO command
A       don't use AUTH when sending e-mail
S       don't use STARTTLS when sending e-mail
.)b
If ``h'' is set, the name corresponding to the outgoing interface
address (whether chosen via the Connection parameter or
the default) is used for the HELO/EHLO command.
However, the name must not start with a square bracket
and it must contain at least one dot.
This is a simple test whether the name is not
an IP address (in square brackets) but a qualified hostname.
Note that multiple ClientPortOptions settings are allowed
in order to give settings for each protocol family
(e.g., one for Family=inet and one for Family=inet6).
A restriction placed on one family only affects
outgoing connections on that particular family.
.ip ColonOkInAddr
[no short name]
If set, colons are acceptable in e-mail addresses
(e.g.,
.q host:user ).
If not set, colons indicate the beginning of a RFC 822 group construct
(\c
.q "groupname: member1, member2, ... memberN;" ).
Doubled colons are always acceptable
(\c
.q nodename::user )
and proper route-addr nesting is understood
(\c
.q <@relay:user@host> ).
Furthermore, this option defaults on if the configuration version level
is less than 6 (for back compatibility).
However, it must be off for full compatibility with RFC 822.
.ip ConnectionCacheSize=\fIN\fP
[k]
The maximum number of open connections that will be cached at a time.
The default is one.
This delays closing the current connection until
either this invocation of
.i sendmail
needs to connect to another host
or it terminates.
Setting it to zero defaults to the old behavior,
that is, connections are closed immediately.
Since this consumes file descriptors,
the connection cache should be kept small:
4 is probably a practical maximum.
.ip ConnectionCacheTimeout=\fItimeout\fP
[K]
The maximum amount of time a cached connection will be permitted to idle
without activity.
If this time is exceeded,
the connection is immediately closed.
This value should be small (on the order of ten minutes).
Before
.i sendmail
uses a cached connection,
it always sends a RSET command
to check the connection;
if this fails, it reopens the connection.
This keeps your end from failing if the other end times out.
The point of this option is to be a good network neighbor
and avoid using up excessive resources
on the other end.
The default is five minutes.
.ip ConnectOnlyTo=\fIaddress\fP
[no short name]
This can be used to
override the connection address (for testing purposes).
.ip ConnectionRateThrottle=\fIN\fP
[no short name]
If set to a positive value,
allow no more than
.i N
incoming connections in a one second period per daemon.
This is intended to flatten out peaks
and allow the load average checking to cut in.
Defaults to zero (no limits).
.ip ConnectionRateWindowSize=\fIN\fP
[no short name]
Define the length of the interval for which
the number of incoming connections is maintained.
The default is 60 seconds.
.ip ControlSocketName=\fIname\fP
[no short name]
Name of the control socket for daemon management.
A running
.i sendmail
daemon can be controlled through this named socket.
Available commands are:
.i help,
.i mstat,
.i restart,
.i shutdown,
and
.i status.
The
.i status
command returns the current number of daemon children,
the maximum number of daemon children,
the free disk space (in blocks) of the queue directory,
and the load average of the machine expressed as an integer.
If not set, no control socket will be available.
Solaris and pre-4.4BSD kernel users should see the note in sendmail/README .
.ip CRLFile=\fIname\fP
[no short name]
Name of file that contains certificate
revocation status, useful for X.509v3 authentication.
CRL checking requires at least OpenSSL version 0.9.7.
Note: if a CRLFile is specified but the file is unusable,
STARTTLS is disabled.
.ip DHParameters
Possible values are:
.(b
.ta 1i
5       use 512 bit prime
1       use 1024 bit prime
none    do not use Diffie-Hellman
NAME    load prime from file
.)b
This is only required if a ciphersuite containing DSA/DH is used.
If ``5'' is selected, then precomputed, fixed primes are used.
This is the default for the client side.
If ``1'' is selected, then prime values are computed during startup.
This is the default for the server side.
Note: this operation can take a significant amount of time on a
slow machine (several seconds), but it is only done once at startup.
If ``none'' is selected, then TLS ciphersuites containing DSA/DH
cannot be used.
If a file name is specified (which must be an absolute path),
then the primes are read from it.
.ip DaemonPortOptions=\fIoptions\fP
[O]
Set server SMTP options.
Each instance of
.b DaemonPortOptions
leads to an additional incoming socket.
The options are
.i key=value
pairs.
Known keys are:
.(b
.ta 1i
Name    User-definable name for the daemon (defaults to "Daemon#")
Port    Name/number of listening port (defaults to "smtp")
Addr    Address mask (defaults INADDR_ANY)
Family  Address family (defaults to INET)
InputMailFilters        List of input mail filters for the daemon
Listen  Size of listen queue (defaults to 10)
Modifier        Options (flags) for the daemon
SndBufSize      Size of TCP send buffer
RcvBufSize      Size of TCP receive buffer
children        maximum number of children per daemon, see \fBMaxDaemonChildren\fP.
DeliveryMode    Delivery mode per daemon, see \fBDeliveryMode\fP.
refuseLA        RefuseLA per daemon
delayLA         DelayLA per daemon
queueLA         QueueLA per daemon
.)b
The
.i Name
key is used for error messages and logging.
The
.i Addr ess
mask may be a numeric address in dot notation
or a network name.
The
.i Family
key defaults to INET (IPv4).
IPv6 users who wish to also accept IPv6 connections
should add additional Family=inet6
.b DaemonPortOptions
lines.
The
.i InputMailFilters
key overrides the default list of input mail filters listed in the
.b InputMailFilters
option.
If multiple input mail filters are required, they must be separated
by semicolons (not commas).
.i Modifier
can be a sequence (without any delimiters)
of the following characters:
.(b
.ta 1i
a       always require authentication
b       bind to interface through which mail has been received
c       perform hostname canonification (.cf)
f       require fully qualified hostname (.cf)
s       Run smtps (SMTP over SSL) instead of smtp
u       allow unqualified addresses (.cf)
A       disable AUTH (overrides 'a' modifier)
C       don't perform hostname canonification
E       disallow ETRN (see RFC 2476)
O       optional; if opening the socket fails ignore it
S       don't offer STARTTLS
.)b
That is, one way to specify a message submission agent (MSA) that
always requires authentication is:
.(b
O DaemonPortOptions=Name=MSA, Port=587, M=Ea
.)b
The modifiers that are marked with "(.cf)" have only
effect in the standard configuration file, in which
they are available via
.b ${daemon_flags} .
Notice: Do
.b not
use the ``a'' modifier on a public accessible MTA!
It should only be used for a MSA that is accessed by authorized
users for initial mail submission.
Users must authenticate to use a MSA which has this option turned on.
The flags ``c'' and ``C'' can change the default for
hostname canonification in the
.i sendmail.cf
file.
See the relevant documentation for
.sm FEATURE(nocanonify) .
The modifier ``f'' disallows addresses of the form
.b user@host
unless they are submitted directly.
The flag ``u'' allows unqualified sender addresses,
i.e., those without @host.
``b'' forces sendmail to bind to the interface
through which the e-mail has been
received for the outgoing connection.
.b WARNING:
Use ``b''
only if outgoing mail can be routed through the incoming connection's
interface to its destination. No attempt is made to catch problems due to a
misconfiguration of this parameter, use it only for virtual hosting
where each virtual interface can connect to every possible location.
This will also override possible settings via
.b ClientPortOptions.
Note,
.i sendmail
will listen on a new socket
for each occurence of the
.b DaemonPortOptions
option in a configuration file.
The modifier ``O'' causes sendmail to ignore a socket
if it can't be opened.
This applies to failures from the socket(2) and bind(2) calls.
.ip DefaultAuthInfo
[no short name]
Filename that contains default authentication information for outgoing
connections. This file must contain the user id, the authorization id,
the password (plain text), the realm and the list of mechanisms to use
on separate lines and must be readable by
root (or the trusted user) only.
If no realm is specified,
.b $j
is used.
If no mechanisms are specified, the list given by
.b AuthMechanisms
is used.
Notice: this option is deprecated and will be removed in future versions.
Moreover, it doesn't work for the MSP since it can't read the file
(the file must not be group/world-readable otherwise
.i sendmail
will complain).
Use the authinfo ruleset instead which provides more control over
the usage of the data anyway.
.ip DefaultCharSet=\fIcharset\fP
[no short name]
When a message that has 8-bit characters but is not in MIME format
is converted to MIME
(see the EightBitMode option)
a character set must be included in the Content-Type: header.
This character set is normally set from the Charset= field
of the mailer descriptor.
If that is not set, the value of this option is used.
If this option is not set, the value
.q unknown-8bit
is used.
.ip DataFileBufferSize=\fIthreshold\fP
[no short name]
Set the
.i threshold ,
in bytes,
before a memory-based
queue data file
becomes disk-based.
The default is 4096 bytes.
.ip DeadLetterDrop=\fIfile\fP
[no short name]
Defines the location of the system-wide dead.letter file,
formerly hardcoded to /usr/tmp/dead.letter.
If this option is not set (the default),
sendmail will not attempt to save to a system-wide dead.letter file
in the event
it cannot bounce the mail to the user or postmaster.
Instead, it will rename the qf file
as it has in the past
when the dead.letter file could not be opened.
.ip DefaultUser=\fIuser:group\fP
[u]
Set the default userid for mailers to
.i user:group .
If
.i group
is omitted and
.i user
is a user name
(as opposed to a numeric user id)
the default group listed in the /etc/passwd file for that user is used
as the default group.
Both
.i user
and
.i group
may be numeric.
Mailers without the
.i S
flag in the mailer definition
will run as this user.
Defaults to 1:1.
The value can also be given as a symbolic user name.\**
.(f
\**The old
.b g
option has been combined into the
.b DefaultUser
option.
.)f
.ip DelayLA=\fILA\fP
[no short name]
When the system load average exceeds
.i LA ,
.i sendmail
will sleep for one second on most SMTP commands and
before accepting connections.
.ip DeliverByMin=\fItime\fP
[0]
Set minimum time for Deliver By SMTP Service Extension (RFC 2852).
If 0, no time is listed, if less than 0, the extension is not offered,
if greater than 0, it is listed as minimum time
for the EHLO keyword DELIVERBY.
.ip DeliveryMode=\fIx\fP
[d]
Deliver in mode
.i x .
Legal modes are:
.(b
.ta 4n
i       Deliver interactively (synchronously)
b       Deliver in background (asynchronously)
q       Just queue the message (deliver during queue run)
d       Defer delivery and all map lookups (deliver during queue run)
.)b
Defaults to ``b'' if no option is specified,
``i'' if it is specified but given no argument
(i.e., ``Od'' is equivalent to ``Odi'').
The
.b \-v
command line flag sets this to
.b i .
Note: for internal reasons,
``i'' does not work
if a milter is enabled which can reject or delete recipients.
In that case the mode will be changed to ``b''.
.ip DialDelay=\fIsleeptime\fP
[no short name]
Dial-on-demand network connections can see timeouts
if a connection is opened before the call is set up.
If this is set to an interval and a connection times out
on the first connection being attempted
.i sendmail
will sleep for this amount of time and try again.
This should give your system time to establish the connection
to your service provider.
Units default to seconds, so
.q DialDelay=5
uses a five second delay.
Defaults to zero
(no retry).
This delay only applies to mailers which have the
Z flag set.
.ip DirectSubmissionModifiers=\fImodifiers\fP
Defines
.b ${daemon_flags}
for direct (command line) submissions.
If not set,
.b ${daemon_flags}
is either "CC f" if the option
.b \-G
is used or "c u" otherwise.
Note that only the the "CC", "c", "f", and "u" flags are checked.
.ip DontBlameSendmail=\fIoption,option,...\fP
[no short name]
In order to avoid possible cracking attempts
caused by world- and group-writable files and directories,
.i sendmail
does paranoid checking when opening most of its support files.
If for some reason you absolutely must run with,
for example,
a group-writable
.i /etc
directory,
then you will have to turn off this checking
(at the cost of making your system more vulnerable to attack).
The possible arguments have been described earlier.
The details of these flags are described above.
.\"XXX should have more here!!!  XXX
.b "Use of this option is not recommended."
.ip DontExpandCnames
[no short name]
The standards say that all host addresses used in a mail message
must be fully canonical.
For example, if your host is named
.q Cruft.Foo.ORG
and also has an alias of
.q FTP.Foo.ORG ,
the former name must be used at all times.
This is enforced during host name canonification
($[ ... $] lookups).
If this option is set, the protocols are ignored and the
.q wrong
thing is done.
However, the IETF is moving toward changing this standard,
so the behavior may become acceptable.
Please note that hosts downstream may still rewrite the address
to be the true canonical name however.
.ip DontInitGroups
[no short name]
If set,
.i sendmail
will avoid using the initgroups(3) call.
If you are running NIS,
this causes a sequential scan of the groups.byname map,
which can cause your NIS server to be badly overloaded in a large domain.
The cost of this is that the only group found for users
will be their primary group (the one in the password file),
which will make file access permissions somewhat more restrictive.
Has no effect on systems that don't have group lists.
.ip DontProbeInterfaces
[no short name]
.i Sendmail
normally finds the names of all interfaces active on your machine
when it starts up
and adds their name to the
.b $=w
class of known host aliases.
If you have a large number of virtual interfaces
or if your DNS inverse lookups are slow
this can be time consuming.
This option turns off that probing.
However, you will need to be certain to include all variant names
in the
.b $=w
class by some other mechanism.
If set to
.b loopback ,
loopback interfaces (e.g., lo0) will not be probed.
.ip DontPruneRoutes
[R]
Normally,
.i sendmail
tries to eliminate any unnecessary explicit routes
when sending an error message
(as discussed in RFC 1123 \(sc 5.2.6).
For example,
when sending an error message to
.(b
<@known1,@known2,@known3:user@unknown>
.)b
.i sendmail
will strip off the
.q @known1,@known2
in order to make the route as direct as possible.
However, if the
.b R
option is set, this will be disabled,
and the mail will be sent to the first address in the route,
even if later addresses are known.
This may be useful if you are caught behind a firewall.
.ip DoubleBounceAddress=\fIerror-address\fP
[no short name]
If an error occurs when sending an error message,
send the error report
(termed a
.q "double bounce"
because it is an error
.q bounce
that occurs when trying to send another error
.q bounce )
to the indicated address.
The address is macro expanded
at the time of delivery.
If not set, defaults to
.q postmaster .
If set to an empty string, double bounces are dropped.
.ip EightBitMode=\fIaction\fP
[8]
Set handling of eight-bit data.
There are two kinds of eight-bit data:
that declared as such using the
.b BODY=8BITMIME
ESMTP declaration or the
.b \-B8BITMIME
command line flag,
and undeclared 8-bit data, that is,
input that just happens to be eight bits.
There are three basic operations that can happen:
undeclared 8-bit data can be automatically converted to 8BITMIME,
undeclared 8-bit data can be passed as-is without conversion to MIME
(``just send 8''),
and declared 8-bit data can be converted to 7-bits
for transmission to a non-8BITMIME mailer.
The possible
.i action s
are:
.(b
.\"  r  Reject undeclared 8-bit data;
.\"     don't convert 8BITMIME\(->7BIT (``reject'')
  s     Reject undeclared 8-bit data (``strict'')
.\"     do convert 8BITMIME\(->7BIT (``strict'')
.\"  c  Convert undeclared 8-bit data to MIME;
.\"     don't convert 8BITMIME\(->7BIT (``convert'')
  m     Convert undeclared 8-bit data to MIME (``mime'')
.\"     do convert 8BITMIME\(->7BIT (``mime'')
.\"  j  Pass undeclared 8-bit data;
.\"     don't convert 8BITMIME\(->7BIT (``just send 8'')
  p     Pass undeclared 8-bit data (``pass'')
.\"     do convert 8BITMIME\(->7BIT (``pass'')
.\"  a  Adaptive algorithm: see below
.)b
.\"The adaptive algorithm is to accept 8-bit data,
.\"converting it to 8BITMIME only if the receiver understands that,
.\"otherwise just passing it as undeclared 8-bit data;
.\"8BITMIME\(->7BIT conversions are done.
In all cases properly declared 8BITMIME data will be converted to 7BIT
as needed.
.ip ErrorHeader=\fIfile-or-message\fP
[E]
Prepend error messages with the indicated message.
If it begins with a slash,
it is assumed to be the pathname of a file
containing a message (this is the recommended setting).
Otherwise, it is a literal message.
The error file might contain the name, email address, and/or phone number
of a local postmaster who could provide assistance
to end users.
If the option is missing or null,
or if it names a file which does not exist or which is not readable,
no message is printed.
.ip ErrorMode=\fIx\fP
[e]
Dispose of errors using mode
.i x .
The values for
.i x
are:
.(b
p       Print error messages (default)
q       No messages, just give exit status
m       Mail back errors
w       Write back errors (mail if user not logged in)
e       Mail back errors (when applicable) and give zero exit stat always
.)b
Note that the last mode,
.q e ,
is for Berknet error processing and
should not be used in normal circumstances.
Note, too, that mode
.q q ,
only applies to errors recognized before sendmail forks for
background delivery.
.ip FallbackMXhost=\fIfallbackhost\fP
[V]
If specified, the
.i fallbackhost
acts like a very low priority MX
on every host.
MX records will be looked up for this host,
unless the name is surrounded by square brackets.
This is intended to be used by sites with poor network connectivity.
Messages which are undeliverable due to temporary address failures
(e.g., DNS failure)
also go to the FallbackMXhost.
.ip FallBackSmartHost=\fIhostname\fP
If specified, the
.i FallBackSmartHost
will be used in a last-ditch effort for each host.
This is intended to be used by sites with "fake internal DNS",
e.g., a company whose DNS accurately reflects the world
inside that company's domain but not outside.
.ip FastSplit
[no short name]
If set to a value greater than zero (the default is one),
it suppresses the MX lookups on addresses
when they are initially sorted, i.e., for the first delivery attempt.
This usually results in faster envelope splitting unless the MX records
are readily available in a local DNS cache.
To enforce initial sorting based on MX records set
.b FastSplit
to zero.
If the mail is submitted directly from the command line, then
the value also limits the number of processes to deliver the envelopes;
if more envelopes are created they are only queued up
and must be taken care of by a queue run.
Since the default submission method is via SMTP (either from a MUA
or via the MSP), the value of
.b FastSplit
is seldom used to limit the number of processes to deliver the envelopes.
.ip ForkEachJob
[Y]
If set,
deliver each job that is run from the queue in a separate process.
.ip ForwardPath=\fIpath\fP
[J]
Set the path for searching for users' .forward files.
The default is
.q $z/.forward .
Some sites that use the automounter may prefer to change this to
.q /var/forward/$u
to search a file with the same name as the user in a system directory.
It can also be set to a sequence of paths separated by colons;
.i sendmail
stops at the first file it can successfully and safely open.
For example,
.q /var/forward/$u:$z/.forward
will search first in /var/forward/\c
.i username
and then in
.i ~username /.forward
(but only if the first file does not exist).
.ip HeloName=\fIname\fP
[no short name]
Set the name to be used for HELO/EHLO (instead of $j).
.ip HoldExpensive
[c]
If an outgoing mailer is marked as being expensive,
don't connect immediately.
.ip HostsFile=\fIpath\fP
[no short name]
The path to the hosts database,
normally
.q /etc/hosts .
This option is only consulted when sendmail
is canonifying addresses,
and then only when
.q files
is in the
.q hosts
service switch entry.
In particular, this file is
.i never
used when looking up host addresses;
that is under the control of the system
.i gethostbyname (3)
routine.
.ip HostStatusDirectory=\fIpath\fP
[no short name]
The location of the long term host status information.
When set,
information about the status of hosts
(e.g., host down or not accepting connections)
will be shared between all
.i sendmail
processes;
normally, this information is only held within a single queue run.
This option requires a connection cache of at least 1 to function.
If the option begins with a leading `/',
it is an absolute pathname;
otherwise,
it is relative to the mail queue directory.
A suggested value for sites desiring persistent host status is
.q \&.hoststat
(i.e., a subdirectory of the queue directory).
.ip IgnoreDots
[i]
Ignore dots in incoming messages.
This is always disabled (that is, dots are always accepted)
when reading SMTP mail.
.ip InputMailFilters=\fIname,name,...\fP
A comma separated list of filters which determines which filters
(see the "X \*- Mail Filter (Milter) Definitions" section)
and the invocation sequence are contacted for incoming SMTP messages.
If none are set, no filters will be contacted.
.ip LDAPDefaultSpec=\fIspec\fP
[no short name]
Sets a default map specification for LDAP maps.
The value should only contain LDAP specific settings
such as
.q "-h host -p port -d bindDN" .
The settings will be used for all LDAP maps
unless the individual map specification overrides a setting.
This option should be set before any LDAP maps are defined.
.ip LogLevel=\fIn\fP
[L]
Set the log level to
.i n .
Defaults to 9.
.ip M\fIx\|value\fP
[no long version]
Set the macro
.i x
to
.i value .
This is intended only for use from the command line.
The
.b \-M
flag is preferred.
.ip MailboxDatabase
[no short name]
Type of lookup to find information about local mailboxes,
defaults to ``pw'' which uses
.i getpwnam .
Other types can be introduced by adding them to the source code,
see libsm/mbdb.c for details.
.ip UseMSP
[no short name]
Use as mail submission program, i.e.,
allow group writable queue files
if the group is the same as that of a set-group-ID sendmail binary.
See the file
.b sendmail/SECURITY
in the distribution tarball.
.ip MatchGECOS
[G]
Allow fuzzy matching on the GECOS field.
If this flag is set,
and the usual user name lookups fail
(that is, there is no alias with this name and a
.i getpwnam
fails),
sequentially search the password file
for a matching entry in the GECOS field.
This also requires that MATCHGECOS
be turned on during compilation.
This option is not recommended.
.ip MaxAliasRecursion=\fIN\fP
[no short name]
The maximum depth of alias recursion (default: 10).
.ip MaxDaemonChildren=\fIN\fP
[no short name]
If set,
.i sendmail
will refuse connections when it has more than
.i N
children processing incoming mail or automatic queue runs.
This does not limit the number of outgoing connections.
If the default
.b DeliveryMode
(background) is used, then
.i sendmail
may create an almost unlimited number of children
(depending on the number of transactions and the
relative execution times of mail receiption and mail delivery).
If the limit should be enforced, then a
.b DeliveryMode
other than background must be used.
If not set, there is no limit to the number of children --
that is, the system load average controls this.
.ip MaxHeadersLength=\fIN\fP
[no short name]
The maximum length of the sum of all headers.
This can be used to prevent a denial of service attack.
The default is no limit.
.ip MaxHopCount=\fIN\fP
[h]
The maximum hop count.
Messages that have been processed more than
.i N
times are assumed to be in a loop and are rejected.
Defaults to 25.
.ip MaxMessageSize=\fIN\fP
[no short name]
Specify the maximum message size
to be advertised in the ESMTP EHLO response.
Messages larger than this will be rejected.
If set to a value greater than zero,
that value will be listed in the SIZE response,
otherwise SIZE is advertised in the ESMTP EHLO response
without a parameter.
.ip MaxMimeHeaderLength=\fIN[/M]\fP
[no short name]
Sets the maximum length of certain MIME header field values to
.i N
characters.
These MIME header fields are determined by being a member of
class {checkMIMETextHeaders}, which currently contains only
the header Content-Description.
For some of these headers which take parameters,
the maximum length of each parameter is set to
.i M
if specified.  If
.i /M
is not specified, one half of
.i N
will be used.
By default,
these values are 2048 and 1024, respectively.
To allow any length, a value of 0 can be specified.
.ip MaxNOOPCommands=\fIN\fP
Override the default of
.b MAXNOOPCOMMANDS
for the number of
.i useless
commands, see Section
"Measures against Denial of Service Attacks".
.ip MaxQueueChildren=\fIN\fP
[no short name]
When set, this limits the number of concurrent queue runner processes to
.i N.
This helps to control the amount of system resources used when processing
the queue.  When there are multiple queue groups defined and the total number
of queue runners for these queue groups would exceed
.i MaxQueueChildren
then the queue groups will not all run concurrently. That is, some portion
of the queue groups will run concurrently such that
.i MaxQueueChildren
will not be exceeded, while the remaining queue groups will be run later (in
round robin order). See also
.i MaxRunnersPerQueue
and the section \fBQueue Group Declaration\fP.
Notice:
.i sendmail
does not count individual queue runners, but only sets of processes
that act on a workgroup.
Hence the actual number of queue runners may be lower than the limit
imposed by
.i MaxQueueChildren .
This discrepancy can be large if some queue runners have to wait
for a slow server and if short intervals are used.
.ip MaxQueueRunSize=\fIN\fP
[no short name]
The maximum number of jobs that will be processed
in a single queue run.
If not set, there is no limit on the size.
If you have very large queues or a very short queue run interval
this could be unstable.
However, since the first
.i N
jobs in queue directory order are run (rather than the
.i N
highest priority jobs)
this should be set as high as possible to avoid
.q losing
jobs that happen to fall late in the queue directory.
Note: this option also restricts the number of entries printed by
.i mailq .
That is, if
.i MaxQueueRunSize
is set to a value
.b N
larger than zero,
then only
.b N
entries are printed per queue group.
.ip MaxRecipientsPerMessage=\fIN\fP
[no short name]
The maximum number of recipients that will be accepted per message
in an SMTP transaction.
Note: setting this too low can interfere with sending mail from
MUAs that use SMTP for initial submission.
If not set, there is no limit on the number of recipients per envelope.
.ip MaxRunnersPerQueue=\fIN\fP
[no short name]
This sets the default maximum number of queue runners for queue groups.
Up to
.i N
queue runners will work in parallel on a queue group's messages.
This is useful where the processing of a message in the queue might
delay the processing of subsequent messages. Such a delay may be the result
of non-erroneous situations such as a low bandwidth connection.
May be overridden on a per queue group basis by setting the
.i Runners
option; see the section \fBQueue Group Declaration\fP.
The default is 1 when not set.
.ip MeToo
[m]
Send to me too,
even if I am in an alias expansion.
This option is deprecated
and will be removed from a future version.
.ip Milter
[no short name]
This option has several sub(sub)options.
The names of the suboptions are separated by dots.
At the first level the following options are available:
.(b
.ta \w'LogLevel'u+3n
LogLevel        Log level for input mail filter actions, defaults to LogLevel.
macros          Specifies list of macro to transmit to filters.
                See list below.
.)b
The ``macros'' option has the following suboptions
which specify the list of macro to transmit to milters
after a certain event occurred.
.(b
.ta \w'envfrom'u+3n
connect After session connection start
helo    After EHLO/HELO command
envfrom After MAIL From command
envrcpt After RCPT To command
data    After DATA command.
eoh     After DATA command and header
eom     After DATA command and terminating ``.''
.)b
By default the lists of macros are empty.
Example:
.(b
O Milter.LogLevel=12
O Milter.macros.connect=j, _, {daemon_name}
.)b
.ip MinFreeBlocks=\fIN\fP
[b]
Insist on at least
.i N
blocks free on the filesystem that holds the queue files
before accepting email via SMTP.
If there is insufficient space
.i sendmail
gives a 452 response
to the MAIL command.
This invites the sender to try again later.
.ip MinQueueAge=\fIage\fP
[no short name]
Don't process any queued jobs
that have been in the queue less than the indicated time interval.
This is intended to allow you to get responsiveness
by processing the queue fairly frequently
without thrashing your system by trying jobs too often.
The default units are minutes.
Note:
This option is ignored for queue runs that select a subset
of the queue, i.e.,
.q \-q[!][I|R|S|Q][string]
.ip MustQuoteChars=\fIs\fP
[no short name]
Sets the list of characters that must be quoted if used in a full name
that is in the phrase part of a ``phrase <address>'' syntax.
The default is ``\'.''.
The characters ``@,;:\e()[]'' are always added to this list.
.ip NiceQueueRun
[no short name]
The priority of queue runners (nice(3)).
This value must be greater or equal zero.
.ip NoRecipientAction
[no short name]
The action to take when you receive a message that has no valid
recipient headers (To:, Cc:, Bcc:, or Apparently-To: \(em
the last included for back compatibility with old
.i sendmail s).
It can be
.b None
to pass the message on unmodified,
which violates the protocol,
.b Add-To
to add a To: header with any recipients it can find in the envelope
(which might expose Bcc: recipients),
.b Add-Apparently-To
to add an Apparently-To: header
(this is only for back-compatibility
and is officially deprecated),
.b Add-To-Undisclosed
to add a header
.q "To: undisclosed-recipients:;"
to make the header legal without disclosing anything,
or
.b Add-Bcc
to add an empty Bcc: header.
.ip OldStyleHeaders
[o]
Assume that the headers may be in old format,
i.e.,
spaces delimit names.
This actually turns on
an adaptive algorithm:
if any recipient address contains a comma, parenthesis,
or angle bracket,
it will be assumed that commas already exist.
If this flag is not on,
only commas delimit names.
Headers are always output with commas between the names.
Defaults to off.
.ip OperatorChars=\fIcharlist\fP
[$o macro]
The list of characters that are considered to be
.q operators ,
that is, characters that delimit tokens.
All operator characters are tokens by themselves;
sequences of non-operator characters are also tokens.
White space characters separate tokens
but are not tokens themselves \(em for example,
.q AAA.BBB
has three tokens, but
.q "AAA BBB"
has two.
If not set, OperatorChars defaults to
.q \&.\|:\|@\|[\|] ;
additionally, the characters
.q (\|)\|<\|>\|,\|;
are always operators.
Note that OperatorChars must be set in the
configuration file before any rulesets.
.ip PidFile=\fIfilename\fP
[no short name]
Filename of the pid file.
(default is _PATH_SENDMAILPID).
The
.i filename
is macro-expanded before it is opened, and unlinked when
.i sendmail
exits.
.ip PostmasterCopy=\fIpostmaster\fP
[P]
If set,
copies of error messages will be sent to the named
.i postmaster .
Only the header of the failed message is sent.
Errors resulting from messages with a negative precedence will not be sent.
Since most errors are user problems,
this is probably not a good idea on large sites,
and arguably contains all sorts of privacy violations,
but it seems to be popular with certain operating systems vendors.
The address is macro expanded
at the time of delivery.
Defaults to no postmaster copies.
.ip PrivacyOptions=\fI\|opt,opt,...\fP
[p]
Set the privacy
.i opt ions.
``Privacy'' is really a misnomer;
many of these are just a way of insisting on stricter adherence
to the SMTP protocol.
The
.i opt ions
can be selected from:
.(b
.ta \w'noactualrecipient'u+3n
public  Allow open access
needmailhelo    Insist on HELO or EHLO command before MAIL
needexpnhelo    Insist on HELO or EHLO command before EXPN
noexpn  Disallow EXPN entirely, implies noverb.
needvrfyhelo    Insist on HELO or EHLO command before VRFY
novrfy  Disallow VRFY entirely
noetrn  Disallow ETRN entirely
noverb  Disallow VERB entirely
restrictmailq   Restrict mailq command
restrictqrun    Restrict \-q command line flag
restrictexpand  Restrict \-bv and \-v command line flags
noreceipts      Don't return success DSNs\**
nobodyreturn    Don't return the body of a message with DSNs
goaway  Disallow essentially all SMTP status queries
authwarnings    Put X-Authentication-Warning: headers in messages
                and log warnings
noactualrecipient       Don't put X-Actual-Recipient lines in DSNs
                which reveal the actual account that addresses map to.
.)b
.(f
\**N.B.:
the
.b noreceipts
flag turns off support for RFC 1891
(Delivery Status Notification).
.)f
The
.q goaway
pseudo-flag sets all flags except
.q noreceipts ,
.q restrictmailq ,
.q restrictqrun ,
.q restrictexpand ,
.q noetrn ,
and
.q nobodyreturn .
If mailq is restricted,
only people in the same group as the queue directory
can print the queue.
If queue runs are restricted,
only root and the owner of the queue directory
can run the queue.
The
.q restrictexpand
pseudo-flag instructs
.i sendmail
to drop privileges when the
.b \-bv
option is given by users who are neither root nor the TrustedUser
so users cannot read private aliases, forwards, or :include: files.
It will add the
.q NonRootSafeAddr
to the
.q DontBlameSendmail
option to prevent misleading unsafe address warnings.
It also overrides the
.b \-v
(verbose) command line option to prevent information leakage.
Authentication Warnings add warnings about various conditions
that may indicate attempts to spoof the mail system,
such as using a non-standard queue directory.
.ip ProcessTitlePrefix=\fIstring\fP
[no short name]
Prefix the process title shown on 'ps' listings with
.i string .
The
.i string
will be macro processed.
.ip QueueDirectory=\fIdir\fP
[Q]
The QueueDirectory option serves two purposes.
First, it specifies the directory or set of directories that comprise
the default queue group.
Second, it specifies the directory D which is the ancestor of all queue
directories, and which sendmail uses as its current working directory.
When sendmail dumps core, it leaves its core files in D.
There are two cases.
If \fIdir\fR ends with an asterisk (eg, \fI/var/spool/mqueue/qd*\fR),
then all of the directories or symbolic links to directories
beginning with `qd' in
.i /var/spool/mqueue
will be used as queue directories of the default queue group,
and
.i /var/spool/mqueue
will be used as the working directory D.
Otherwise,
\fIdir\fR must name a directory (usually \fI/var/spool/mqueue\fR):
the default queue group consists of the single queue directory \fIdir\fR,
and the working directory D is set to \fIdir\fR.
To define additional groups of queue directories,
use the configuration file `Q' command.
Do not change the queue directory structure
while sendmail is running.
.ip QueueFactor=\fIfactor\fP
[q]
Use
.i factor
as the multiplier in the map function
to decide when to just queue up jobs rather than run them.
This value is divided by the difference between the current load average
and the load average limit
(\c
.b QueueLA
option)
to determine the maximum message priority
that will be sent.
Defaults to 600000.
.ip QueueLA=\fILA\fP
[x]
When the system load average exceeds
.i LA
and the
.b QueueFactor
(\c
.b q )
option divided by the difference in the current load average and the
.b QueueLA
option plus one
is less than the priority of the message,
just queue messages
(i.e., don't try to send them).
Defaults to 8 multiplied by
the number of processors online on the system
(if that can be determined).
.ip QueueFileMode=\fImode\fP
[no short name]
Default permissions for queue files (octal).
If not set, sendmail uses 0600 unless its real
and effective uid are different in which case it uses 0644.
.ip QueueSortOrder=\fIalgorithm\fP
[no short name]
Sets the
.i algorithm
used for sorting the queue.
Only the first character of the value is used.
Legal values are
.q host
(to order by the name of the first host name of the first recipient),
.q filename
(to order by the name of the queue file name),
.q time
(to order by the submission/creation time),
.q random
(to order randomly),
.q modification
(to order by the modification time of the qf file (older entries first)),
.q none
(to not order),
and
.q priority
(to order by message priority).
Host ordering makes better use of the connection cache,
but may tend to process low priority messages
that go to a single host
over high priority messages that go to several hosts;
it probably shouldn't be used on slow network links.
Filename and modification time ordering saves the overhead of
reading all of the queued items
before starting the queue run.
Creation (submission) time ordering is almost always a bad idea,
since it allows large, bulk mail to go out
before smaller, personal mail,
but may have applicability on some hosts with very fast connections.
Random is useful if several queue runners are started by hand
which try to drain the same queue since odds are they will be working
on different parts of the queue at the same time.
Priority ordering is the default.
.ip QueueTimeout=\fItimeout\fP
[T]
A synonym for
.q Timeout.queuereturn .
Use that form instead of the
.q QueueTimeout
form.
.ip RandFile
[no short name]
Name of file containing random data or the name of the UNIX socket
if EGD is used.
A (required) prefix "egd:" or "file:" specifies the type.
STARTTLS requires this filename if the compile flag HASURANDOMDEV is not set
(see sendmail/README).
.ip ResolverOptions=\fIoptions\fP
[I]
Set resolver options.
Values can be set using
.b + \c
.i flag
and cleared using
.b \- \c
.i flag ;
the
.i flag s
can be
.q debug ,
.q aaonly ,
.q usevc ,
.q primary ,
.q igntc ,
.q recurse ,
.q defnames ,
.q stayopen ,
.q use_inet6 ,
or
.q dnsrch .
The string
.q HasWildcardMX
(without a
.b +
or
.b \- )
can be specified to turn off matching against MX records
when doing name canonifications.
The string
.q WorkAroundBrokenAAAA
(without a
.b +
or
.b \- )
can be specified to work around some broken nameservers
which return SERVFAIL (a temporary failure) on T_AAAA (IPv6) lookups.
Notice: it might be necessary to apply the same (or similar) options to
.i submit.cf
too.
.ip RequiresDirfsync
[no short name]
This option can be used to override the compile time flag
.b REQUIRES_DIR_FSYNC
at runtime by setting it to
.sm false .
If the compile time flag is not set, the option is ignored.
The flag turns on support for file systems that require to call
.i fsync()
for a directory if the meta-data in it has been changed.
This should be turned on at least for older versions of ReiserFS;
it is enabled by default for Linux.
According to some information this flag is not needed
anymore for kernel 2.4.16 and newer.
.ip RrtImpliesDsn
[R]
If this option is set, a
.q Return-Receipt-To:
header causes the request of a DSN, which is sent to
the envelope sender as required by RFC 1891,
not to the address given in the header.
.ip RunAsUser=\fIuser\fP
[no short name]
The
.i user
parameter may be a user name
(looked up in
.i /etc/passwd )
or a numeric user id;
either form can have
.q ":group"
attached
(where group can be numeric or symbolic).
If set to a non-zero (non-root) value,
.i sendmail
will change to this user id shortly after startup\**.
.(f
\**When running as a daemon,
it changes to this user after accepting a connection
but before reading any
.sm SMTP
commands.
.)f
This avoids a certain class of security problems.
However, this means that all
.q \&.forward
and
.q :include:
files must be readable by the indicated
.i user
and all files to be written must be writable by
.i user
Also, all file and program deliveries will be marked unsafe
unless the option
.b DontBlameSendmail=NonRootSafeAddr
is set,
in which case the delivery will be done as
.i user .
It is also incompatible with the
.b SafeFileEnvironment
option.
In other words, it may not actually add much to security on an average system,
and may in fact detract from security
(because other file permissions must be loosened).
However, it should be useful on firewalls and other
places where users don't have accounts and the aliases file is
well constrained.
.ip RecipientFactor=\fIfact\fP
[y]
The indicated
.i fact or
is added to the priority (thus
.i lowering
the priority of the job)
for each recipient,
i.e., this value penalizes jobs with large numbers of recipients.
Defaults to 30000.
.ip RefuseLA=\fILA\fP
[X]
When the system load average exceeds
.i LA ,
refuse incoming SMTP connections.
Defaults to 12 multiplied by
the number of processors online on the system
(if that can be determined).
.ip RejectLogInterval=\fItimeout\fP
[no short name]
Log interval when refusing connections for this long
(default: 3h).
.ip RetryFactor=\fIfact\fP
[Z]
The
.i fact or
is added to the priority
every time a job is processed.
Thus,
each time a job is processed,
its priority will be decreased by the indicated value.
In most environments this should be positive,
since hosts that are down are all too often down for a long time.
Defaults to 90000.
.ip SafeFileEnvironment=\fIdir\fP
[no short name]
If this option is set,
.i sendmail
will do a
.i chroot (2)
call into the indicated
.i dir ectory
before doing any file writes.
If the file name specified by the user begins with
.i dir ,
that partial path name will be stripped off before writing,
so (for example)
if the SafeFileEnvironment variable is set to
.q /safe
then aliases of
.q /safe/logs/file
and
.q /logs/file
actually indicate the same file.
Additionally, if this option is set,
.i sendmail
refuses to deliver to symbolic links.
.ip SaveFromLine
[f]
Save
UNIX-style
.q From
lines at the front of headers.
Normally they are assumed redundant
and discarded.
.ip SendMimeErrors
[j]
If set, send error messages in MIME format
(see RFC 2045 and RFC 1344 for details).
If disabled,
.i sendmail
will not return the DSN keyword in response to an EHLO
and will not do Delivery Status Notification processing as described in
RFC 1891.
.ip ServerCertFile
[no short name]
File containing the certificate of the server, i.e., this certificate
is used when sendmail acts as server
(used for STARTTLS).
.ip ServerKeyFile
[no short name]
File containing the private key belonging to the server certificate
(used for STARTTLS).
.ip ServiceSwitchFile=\fIfilename\fP
[no short name]
If your host operating system has a service switch abstraction
(e.g., /etc/nsswitch.conf on Solaris
or /etc/svc.conf on Ultrix and DEC OSF/1)
that service will be consulted and this option is ignored.
Otherwise, this is the name of a file
that provides the list of methods used to implement particular services.
The syntax is a series of lines,
each of which is a sequence of words.
The first word is the service name,
and following words are service types.
The services that
.i sendmail
consults directly are
.q aliases
and
.q hosts.
Service types can be
.q dns ,
.q nis ,
.q nisplus ,
or
.q files
(with the caveat that the appropriate support
must be compiled in
before the service can be referenced).
If ServiceSwitchFile is not specified, it defaults to
/etc/mail/service.switch.
If that file does not exist, the default switch is:
.(b
aliases files
hosts   dns nis files
.)b
The default file is
.q /etc/mail/service.switch .
.ip SevenBitInput
[7]
Strip input to seven bits for compatibility with old systems.
This shouldn't be necessary.
.ip SharedMemoryKey
[no short name]
Key to use for shared memory segment;
if not set (or 0), shared memory will not be used.
If set to
-1
.i sendmail
can select a key itself provided that also
.b SharedMemoryKeyFile
is set.
Requires support for shared memory to be compiled into
.i sendmail .
If this option is set,
.i sendmail
can share some data between different instances.
For example, the number of entries in a queue directory
or the available space in a file system.
This allows for more efficient program execution, since only
one process needs to update the data instead of each individual
process gathering the data each time it is required.
.ip SharedMemoryKeyFile
[no short name]
If
.b SharedMemoryKey
is set to
-1
then the automatically selected shared memory key will be stored
in the specified file.
.ip SingleLineFromHeader
[no short name]
If set, From: lines that have embedded newlines are unwrapped
onto one line.
This is to get around a botch in Lotus Notes
that apparently cannot understand legally wrapped RFC 822 headers.
.ip SingleThreadDelivery
[no short name]
If set, a client machine will never try to open two SMTP connections
to a single server machine at the same time,
even in different processes.
That is, if another
.i sendmail
is already talking to some host a new
.i sendmail
will not open another connection.
This property is of mixed value;
although this reduces the load on the other machine,
it can cause mail to be delayed
(for example, if one
.i sendmail
is delivering a huge message, other
.i sendmail s
won't be able to send even small messages).
Also, it requires another file descriptor
(for the lock file)
per connection, so you may have to reduce the
.b ConnectionCacheSize
option to avoid running out of per-process file descriptors.
Requires the
.b HostStatusDirectory
option.
.ip SmtpGreetingMessage=\fImessage\fP
[$e macro]
The message printed when the SMTP server starts up.
Defaults to
.q "$j Sendmail $v ready at $b".
.ip SoftBounce
If set, issue temporary errors (4xy) instead of permanent errors (5xy).
This can be useful during testing of a new configuration to avoid
erroneous bouncing of mails.
.ip StatusFile=\fIfile\fP
[S]
Log summary statistics in the named
.i file .
If no file name is specified, "statistics" is used.
If not set,
no summary statistics are saved.
This file does not grow in size.
It can be printed using the
.i mailstats (8)
program.
.ip SuperSafe
[s]
This option can be set to True, False, Interactive, or PostMilter.
If set to True,
.i sendmail
will be super-safe when running things,
i.e., always instantiate the queue file,
even if you are going to attempt immediate delivery.
.i Sendmail
always instantiates the queue file
before returning control to the client
under any circumstances.
This should really
.i always
be set to True.
The Interactive value has been introduced in 8.12 and can
be used together with
.b DeliveryMode=i .
It skips some synchronization calls which are effectively
doubled in the code execution path for this mode.
If set to PostMilter,
.i sendmail
defers synchronizing the queue file until any milters have
signaled acceptance of the message.
PostMilter is useful only when
.i sendmail
is running as an SMTP server; in all other situations it
acts the same as True.
.ip TLSSrvOptions
[no short name]
List of options for SMTP STARTTLS for the server
consisting of single characters
with intervening white space or commas.
The flag ``V'' disables client verification, and hence
it is not possible to use a client certificate for relaying.
Currently there are no other flags available.
.ip TempFileMode=\fImode\fP
[F]
The file mode for transcript files, files to which
.i sendmail
delivers directly, files in the
.b HostStatusDirectory ,
and
.b StatusFile .
It is interpreted in octal by default.
Defaults to 0600.
.ip Timeout.\fItype\fP=\|\fItimeout\fP
[r; subsumes old T option as well]
Set timeout values.
For more information,
see section
.\" XREF
4.1.
.ip TimeZoneSpec=\fItzinfo\fP
[t]
Set the local time zone info to
.i tzinfo
\*- for example,
.q PST8PDT .
Actually, if this is not set,
the TZ environment variable is cleared (so the system default is used);
if set but null, the user's TZ variable is used,
and if set and non-null the TZ variable is set to this value.
.ip TrustedUser=\fIuser\fP
[no short name]
The
.i user
parameter may be a user name
(looked up in
.i /etc/passwd )
or a numeric user id.
Trusted user for file ownership and starting the daemon.  If set, generated
alias databases and the control socket (if configured) will automatically
be owned by this user.
.ip TryNullMXList
[w]
If this system is the
.q best
(that is, lowest preference)
MX for a given host,
its configuration rules should normally detect this situation
and treat that condition specially
by forwarding the mail to a UUCP feed,
treating it as local,
or whatever.
However, in some cases (such as Internet firewalls)
you may want to try to connect directly to that host
as though it had no MX records at all.
Setting this option causes
.i sendmail
to try this.
The downside is that errors in your configuration
are likely to be diagnosed as
.q "host unknown"
or
.q "message timed out"
instead of something more meaningful.
This option is disrecommended.
.ip UnixFromLine=\fIfromline\fP
[$l macro]
Defines the format used when
.i sendmail
must add a UNIX-style From_ line
(that is, a line beginning
.q From<space>user ).
Defaults to
.q "From $g  $d" .
Don't change this unless your system uses a different UNIX mailbox format
(very unlikely).
.ip UnsafeGroupWrites
[no short name]
If set (default),
:include: and .forward files that are group writable are considered
.q unsafe ,
that is,
they cannot reference programs or write directly to files.
World writable :include: and .forward files
are always unsafe.
Note: use
.b DontBlameSendmail
instead; this option is deprecated.
.ip UseErrorsTo
[l]
If there is an
.q Errors-To:
header, send error messages to the addresses listed there.
They normally go to the envelope sender.
Use of this option causes
.i sendmail
to violate RFC 1123.
This option is disrecommended and deprecated.
.ip UserDatabaseSpec=\fIudbspec\fP
[U]
The user database specification.
.ip Verbose
[v]
Run in verbose mode.
If this is set,
.i sendmail
adjusts options
.b HoldExpensive
(old
.b c )
and
.b DeliveryMode
(old
.b d )
so that all mail is delivered completely
in a single job
so that you can see the entire delivery process.
Option
.b Verbose
should
.i never
be set in the configuration file;
it is intended for command line use only.
Note that the use of option
.b Verbose
can cause authentication information to leak, if you use a
sendmail client to authenticate to a server.
If the authentication mechanism uses plain text passwords
(as with LOGIN or PLAIN),
then the password could be compromised.
To avoid this, do not install sendmail set-user-ID root,
and disable the
.b VERB
SMTP command with a suitable
.b PrivacyOptions
setting.
.ip XscriptFileBufferSize=\fIthreshold\fP
[no short name]
Set the
.i threshold ,
in bytes,
before a memory-based
queue transcript file
becomes disk-based.
The default is 4096 bytes.
.lp
All options can be specified on the command line using the
\-O or \-o flag,
but most will cause
.i sendmail
to relinquish its set-user-ID permissions.
The options that will not cause this are
SevenBitInput [7],
EightBitMode [8],
MinFreeBlocks [b],
CheckpointInterval [C],
DeliveryMode [d],
ErrorMode [e],
IgnoreDots [i],
SendMimeErrors [j],
LogLevel [L],
MeToo [m],
OldStyleHeaders [o],
PrivacyOptions [p],
SuperSafe [s],
Verbose [v],
QueueSortOrder,
MinQueueAge,
DefaultCharSet,
Dial Delay,
NoRecipientAction,
ColonOkInAddr,
MaxQueueRunSize,
SingleLineFromHeader,
and
AllowBogusHELO.
Actually, PrivacyOptions [p] given on the command line
are added to those already specified in the
.i sendmail.cf
file, i.e., they can't be reset.
Also, M (define macro) when defining the r or s macros
is also considered
.q safe .
.sh 2 "P \*- Precedence Definitions"
.pp
Values for the
.q "Precedence:"
field may be defined using the
.b P
control line.
The syntax of this field is:
.(b
\fBP\fP\fIname\fP\fB=\fP\fInum\fP
.)b
When the
.i name
is found in a
.q Precedence:
field,
the message class is set to
.i num .
Higher numbers mean higher precedence.
Numbers less than zero
have the special property
that if an error occurs during processing
the body of the message will not be returned;
this is expected to be used for
.q "bulk"
mail such as through mailing lists.
The default precedence is zero.
For example,
our list of precedences is:
.(b
Pfirst-class=0
Pspecial-delivery=100
Plist=\-30
Pbulk=\-60
Pjunk=\-100
.)b
People writing mailing list exploders
are encouraged to use
.q "Precedence: list" .
Older versions of
.i sendmail
(which discarded all error returns for negative precedences)
didn't recognize this name, giving it a default precedence of zero.
This allows list maintainers to see error returns
on both old and new versions of
.i sendmail .
.sh 2 "V \*- Configuration Version Level"
.pp
To provide compatibility with old configuration files,
the
.b V
line has been added to define some very basic semantics
of the configuration file.
These are not intended to be long term supports;
rather, they describe compatibility features
which will probably be removed in future releases.
.pp
.b N.B.:
these version
.i levels
have nothing
to do with the version
.i number
on the files.
For example,
as of this writing
version 10 config files
(specifically, 8.10)
used version level 9 configurations.
.pp
.q Old
configuration files are defined as version level one.
Version level two files make the following changes:
.np
Host name canonification ($[ ... $])
appends a dot if the name is recognized;
this gives the config file a way of finding out if anything matched.
(Actually, this just initializes the
.q host
map with the
.q \-a.
flag \*- you can reset it to anything you prefer
by declaring the map explicitly.)
.np
Default host name extension is consistent throughout processing;
version level one configurations turned off domain extension
(that is, adding the local domain name)
during certain points in processing.
Version level two configurations are expected to include a trailing dot
to indicate that the name is already canonical.
.np
Local names that are not aliases
are passed through a new distinguished ruleset five;
this can be used to append a local relay.
This behavior can be prevented by resolving the local name
with an initial `@'.
That is, something that resolves to a local mailer and a user name of
.q vikki
will be passed through ruleset five,
but a user name of
.q @vikki
will have the `@' stripped,
will not be passed through ruleset five,
but will otherwise be treated the same as the prior example.
The expectation is that this might be used to implement a policy
where mail sent to
.q vikki
was handled by a central hub,
but mail sent to
.q vikki@localhost
was delivered directly.
.pp
Version level three files
allow # initiated comments on all lines.
Exceptions are backslash escaped # marks
and the $# syntax.
.pp
Version level four configurations
are completely equivalent to level three
for historical reasons.
.pp
Version level five configuration files
change the default definition of
.b $w
to be just the first component of the hostname.
.pp
Version level six configuration files
change many of the local processing options
(such as aliasing and matching the beginning of the address for
`|' characters)
to be mailer flags;
this allows fine-grained control over the special local processing.
Level six configuration files may also use long option names.
The
.b ColonOkInAddr
option (to allow colons in the local-part of addresses)
defaults
.b on
for lower numbered configuration files;
the configuration file requires some additional intelligence
to properly handle the RFC 822 group construct.
.pp
Version level seven configuration files
used new option names to replace old macros
(\c
.b $e
became
.b SmtpGreetingMessage ,
.b $l
became
.b UnixFromLine ,
and
.b $o
became
.b OperatorChars .
Also, prior to version seven,
the
.b F=q
flag (use 250 instead of 252 return value for
.sm "SMTP VRFY"
commands)
was assumed.
.pp
Version level eight configuration files allow
.b $#
on the left hand side of ruleset lines.
.pp
Version level nine configuration files allow
parentheses in rulesets, i.e. they are not treated
as comments and hence removed.
.pp
Version level ten configuration files allow
queue group definitions.
.pp
The
.b V
line may have an optional
.b / \c
.i vendor
to indicate that this configuration file uses modifications
specific to a particular vendor\**.
.(f
\**And of course, vendors are encouraged to add themselves
to the list of recognized vendors by editing the routine
.i setvendor
in
.i conf.c .
Please send e-mail to sendmail@Sendmail.ORG
to register your vendor dialect.
.)f
You may use
.q /Berkeley
to emphasize that this configuration file
uses the Berkeley dialect of
.i sendmail .
.sh 2 "K \*- Key File Declaration"
.pp
Special maps can be defined using the line:
.(b
Kmapname mapclass arguments
.)b
The
.i mapname
is the handle by which this map is referenced in the rewriting rules.
The
.i mapclass
is the name of a type of map;
these are compiled in to
.i sendmail .
The
.i arguments
are interpreted depending on the class;
typically,
there would be a single argument naming the file containing the map.
.pp
Maps are referenced using the syntax:
.(b
$( \fImap\fP \fIkey\fP $@ \fIarguments\fP $: \fIdefault\fP $)
.)b
where either or both of the
.i arguments
or
.i default
portion may be omitted.
The
.i "$@ arguments"
may appear more than once.
The indicated
.i key
and
.i arguments
are passed to the appropriate mapping function.
If it returns a value, it replaces the input.
If it does not return a value and the
.i default
is specified, the
.i default
replaces the input.
Otherwise, the input is unchanged.
.pp
The
.i arguments
are passed to the map for arbitrary use.
Most map classes can interpolate these arguments
into their values using the syntax
.q %\fIn\fP
(where
.i n
is a digit)
to indicate the corresponding
.i argument .
Argument
.q %0
indicates the database key.
For example, the rule
.(b
.ta 1.5i
R$\- ! $+       $: $(uucp $1 $@ $2 $: $2 @ $1 . UUCP $)
.)b
Looks up the UUCP name in a (user defined) UUCP map;
if not found it turns it into
.q \&.UUCP
form.
The database might contain records like:
.(b
decvax  %1@%0.DEC.COM
research        %1@%0.ATT.COM
.)b
Note that
.i default
clauses never do this mapping.
.pp
The built-in map with both name and class
.q host
is the host name canonicalization lookup.
Thus,
the syntax:
.(b
$(host \fIhostname\fP$)
.)b
is equivalent to:
.(b
$[\fIhostname\fP$]
.)b
.pp
There are many defined classes.
.ip dbm
Database lookups using the ndbm(3) library.
.i Sendmail
must be compiled with
.b NDBM
defined.
.ip btree
Database lookups using the btree interface to the Berkeley DB
library.
.i Sendmail
must be compiled with
.b NEWDB
defined.
.ip hash
Database lookups using the hash interface to the Berkeley DB
library.
.i Sendmail
must be compiled with
.b NEWDB
defined.
.ip nis
NIS lookups.
.i Sendmail
must be compiled with
.b NIS
defined.
.ip nisplus
NIS+ lookups.
.i Sendmail
must be compiled with
.b NISPLUS
defined.
The argument is the name of the table to use for lookups,
and the
.b \-k
and
.b \-v
flags may be used to set the key and value columns respectively.
.ip hesiod
Hesiod lookups.
.i Sendmail
must be compiled with
.b HESIOD
defined.
.ip ldap
LDAP X500 directory lookups.
.i Sendmail
must be compiled with
.b LDAPMAP
defined.
The map supports most of the standard arguments
and most of the command line arguments of the
.i ldapsearch
program.
Note that,
by default,
if a single query matches multiple values,
only the first value will be returned
unless the
.b \-z
(value separator)
map flag is set.
Also, the
.b \-1
map flag will treat a multiple value return
as if there were no matches.
.ip netinfo
NeXT NetInfo lookups.
.i Sendmail
must be compiled with
.b NETINFO
defined.
.ip text
Text file lookups.
The format of the text file is defined by the
.b \-k
(key field number),
.b \-v
(value field number),
and
.b \-z
(field delimiter)
flags.
.ip ph
PH query map.
Contributed and supported by
Mark Roth, roth@uiuc.edu.
For more information,
consult the web site
.q http://www-dev.cites.uiuc.edu/sendmail/ .
.ip nsd
nsd map for IRIX 6.5 and later.
Contributed and supported by Bob Mende of SGI,
mende@sgi.com.
.ip stab
Internal symbol table lookups.
Used internally for aliasing.
.ip implicit
Really should be called
.q alias
\(em this is used to get the default lookups
for alias files,
and is the default if no class is specified for alias files.
.ip user
Looks up users using
.i getpwnam (3).
The
.b \-v
flag can be used to specify the name of the field to return
(although this is normally used only to check the existence
of a user).
.ip host
Canonifies host domain names.
Given a host name it calls the name server
to find the canonical name for that host.
.ip bestmx
Returns the best MX record for a host name given as the key.
The current machine is always preferred \*-
that is, if the current machine is one of the hosts listed as a
lowest-preference MX record, then it will be guaranteed to be returned.
This can be used to find out if this machine is the target for an MX record,
and mail can be accepted on that basis.
If the
.b \-z
flag is given, then all MX names are returned,
separated by the given delimiter.
.ip dns
This map requires the option -R to specify the DNS resource record
type to lookup. The following types are supported:
A, AAAA, AFSDB, CNAME, MX, NS, PTR, SRV, and TXT.
A map lookup will return only one record.
Hence for some types, e.g., MX records, the return value might be a random
element of the list due to randomizing in the DNS resolver.
.ip sequence
The arguments on the `K' line are a list of maps;
the resulting map searches the argument maps in order
until it finds a match for the indicated key.
For example, if the key definition is:
.(b
Kmap1 ...
Kmap2 ...
Kseqmap sequence map1 map2
.)b
then a lookup against
.q seqmap
first does a lookup in map1.
If that is found, it returns immediately.
Otherwise, the same key is used for map2.
.ip syslog
the key is logged via
.i syslogd \|(8).
The lookup returns the empty string.
.ip switch
Much like the
.q sequence
map except that the order of maps is determined by the service switch.
The argument is the name of the service to be looked up;
the values from the service switch are appended to the map name
to create new map names.
For example, consider the key definition:
.(b
Kali switch aliases
.)b
together with the service switch entry:
.(b
aliases nis files
.)b
This causes a query against the map
.q ali
to search maps named
.q ali.nis
and
.q ali.files
in that order.
.ip dequote
Strip double quotes (") from a name.
It does not strip backslashes,
and will not strip quotes if the resulting string
would contain unscannable syntax
(that is, basic errors like unbalanced angle brackets;
more sophisticated errors such as unknown hosts are not checked).
The intent is for use when trying to accept mail from systems such as
DECnet
that routinely quote odd syntax such as
.(b
"49ers::ubell"
.)b
A typical usage is probably something like:
.(b
Kdequote dequote

\&...

R$\-    $: $(dequote $1 $)
R$\- $+ $: $>3 $1 $2
.)b
Care must be taken to prevent unexpected results;
for example,
.(b
"|someprogram < input > output"
.)b
will have quotes stripped,
but the result is probably not what you had in mind.
Fortunately these cases are rare.
.ip regex
The map definition on the
.b K
line contains a regular expression.
Any key input is compared to that expression using the
POSIX regular expressions routines regcomp(), regerr(), and regexec().
Refer to the documentation for those routines for more information
about the regular expression matching.
No rewriting of the key is done if the
.b \-m
flag is used.  Without it, the key is discarded or if
.b \-s
if used, it is substituted by the substring matches, delimited by
.b $|
or the string specified with the the
.b \-d
flag.  The flags available for the map are
.(b
.ta 4n
-n      not
-f      case sensitive
-b      basic regular expressions (default is extended)
-s      substring match
-d      set the delimiter used for -s
-a      append string to key
-m      match only, do not replace/discard value
-D      perform no lookup in deferred delivery mode.
.)b
The
.b \-s
flag can include an optional parameter which can be used
to select the substrings in the result of the lookup.  For example,
.(b
-s1,3,4
.)b
Notes: to match a
.b $
in a string,
\\$$
must be used.
If the pattern contains spaces, they must be replaced
with the blank substitution character, unless it is
space itself.
.ip program
The arguments on the
.b K
line are the pathname to a program and any initial parameters to be passed.
When the map is called,
the key is added to the initial parameters
and the program is invoked
as the default user/group id.
The first line of standard output is returned as the value of the lookup.
This has many potential security problems,
and has terrible performance;
it should be used only when absolutely necessary.
.ip macro
Set or clear a macro value.
To set a macro,
pass the value as the first argument in the map lookup.
To clear a macro,
do not pass an argument in the map lookup.
The map always returns the empty string.
Example of typical usage include:
.(b
Kstorage macro

\&...

# set macro ${MyMacro} to the ruleset match
R$+     $: $(storage {MyMacro} $@ $1 $) $1
# set macro ${MyMacro} to an empty string
R$*     $: $(storage {MyMacro} $@ $) $1
# clear macro ${MyMacro}
R$\-    $: $(storage {MyMacro} $) $1
.)b
.ip arith
Perform simple arithmetic operations.
The operation is given as key, currently
+, -, *, /, %,
|, & (bitwise OR, AND),
l (for less than), =,
and r (for random) are supported.
The two operands are given as arguments.
The lookup returns the result of the computation,
i.e.,
.sm TRUE
or
.sm FALSE
for comparisons, integer values otherwise.
The r operator returns a pseudo-random number whose value
lies between the first and second operand
(which requires that the first operand is smaller than the second).
All options which are possible for maps are ignored.
A simple example is:
.(b
Kcomp arith

\&...

Scheck_etrn
R$*     $: $(comp l $@ $&{load_avg} $@ 7 $) $1
RFALSE  $# error \&...
.)b
.ip socket
The socket map uses a simple request/reply protocol over TCP or UNIX domain
sockets to query an external server.
Both requests and replies are text based and encoded as netstrings,
i.e., a string "hello there" becomes:
.(b
11:hello there,
.)b
Note: neither requests nor replies end with CRLF.

The request consists of the database map name and the lookup key separated
by a space character:

.(b
<mapname> ' ' <key>
.)b

The server responds with a status indicator and the result (if any):

.(b
<status> ' ' <result>
.)b

The status indicator specifies the result of the lookup operation itself
and is one of the following upper case words:
.(b
.ta 9n
OK      the key was found, result contains the looked up value
NOTFOUND        the key was not found, the result is empty
TEMP    a temporary failure occured
TIMEOUT a timeout occured on the server side
PERM    a permanent failure occured
.)b

In case of errors (status TEMP, TIMEOUT or PERM) the result field may 
contain an explanatory message.
However, the explanatory message is not used any further by
.i sendmail .

Example replies:
.(b
31:OK resolved.address@example.com,
.)b

.(b
56:OK error:550 5.7.1 User does not accept mail from sender,
.)b

in case of successful lookups, or:
.(b
8:NOTFOUND, 
.)b

in case the key was not found, or:
.(b
55:TEMP this text explains that we had a temporary failure,
.)b

in case of a temporary map lookup failure.

The socket map uses the same syntax as milters
(see Section "X \*- Mail Filter (Milter) Definitions")
to specify the remote endpoint, e.g.,
.(b
Ksocket mySocketMap inet:12345@127.0.0.1
.)b

If multiple socket maps define the same remote endpoint, they will share
a single connection to this endpoint.
.pp
Most of these accept as arguments the same optional flags
and a filename
(or a mapname for NIS;
the filename is the root of the database path,
so that
.q .db
or some other extension appropriate for the database type
will be added to get the actual database name).
Known flags are:
.ip "\-o"
Indicates that this map is optional \*- that is,
if it cannot be opened,
no error is produced,
and
.i sendmail
will behave as if the map existed but was empty.
.ip "\-N, \-O"
If neither
.b \-N
or
.b \-O
are specified,
.i sendmail
uses an adaptive algorithm to decide whether or not to look for null bytes
on the end of keys.
It starts by trying both;
if it finds any key with a null byte it never tries again without a null byte
and vice versa.
If
.b \-N
is specified it never tries without a null byte and
if
.b \-O
is specified it never tries with a null byte.
Setting one of
these can speed matches but are never necessary.
If both
.b \-N
and
.b \-O
are specified,
.i sendmail
will never try any matches at all \(em
that is, everything will appear to fail.
.ip "\-a\fIx\fP"
Append the string
.i x
on successful matches.
For example, the default
.i host
map appends a dot on successful matches.
.ip "\-T\fIx\fP"
Append the string
.i x
on temporary failures.
For example,
.i x
would be appended if a DNS lookup returned
.q "server failed"
or an NIS lookup could not locate a server.
See also the
.b \-t
flag.
.ip "\-f"
Do not fold upper to lower case before looking up the key.
.ip "\-m"
Match only (without replacing the value).
If you only care about the existence of a key and not the value
(as you might when searching the NIS map
.q hosts.byname
for example),
this flag prevents the map from substituting the value.
However,
The \-a argument is still appended on a match,
and the default is still taken if the match fails.
.ip "\-k\fIkeycol\fP"
The key column name (for NIS+) or number
(for text lookups).
For LDAP maps this is an LDAP filter string
in which %s is replaced with the literal contents of the lookup key
and %0 is replaced with the LDAP escaped contents of the lookup key
according to RFC 2254.
If the flag
.b \-K
is used, then %1 through %9 are replaced with the LDAP escaped contents
of the arguments specified in the map lookup.
.ip "\-v\fIvalcol\fP"
The value column name (for NIS+) or number
(for text lookups).
For LDAP maps this is the name of one or more
attributes to be returned;
multiple attributes can be separated by commas.
If not specified, all attributes found in the match
will be returned.
The attributes listed can also include a type and one or more
objectClass values for matching as described in the LDAP section.
.ip "\-z\fIdelim\fP"
The column delimiter (for text lookups).
It can be a single character or one of the special strings
.q \|\en
or
.q \|\et
to indicate newline or tab respectively.
If omitted entirely,
the column separator is any sequence of white space.
For LDAP maps this is the separator character
to combine multiple values
into a single return string.
If not set,
the LDAP lookup will only return the first match found.
For DNS maps this is the separator character at which
the result of a query is cut off if is too long.
.ip "\-t"
Normally, when a map attempts to do a lookup
and the server fails
(e.g.,
.i sendmail
couldn't contact any name server;
this is
.i not
the same as an entry not being found in the map),
the message being processed is queued for future processing.
The
.b \-t
flag turns off this behavior,
letting the temporary failure (server down)
act as though it were a permanent failure (entry not found).
It is particularly useful for DNS lookups,
where someone else's misconfigured name server can cause problems
on your machine.
However, care must be taken to ensure that you don't bounce mail
that would be resolved correctly if you tried again.
A common strategy is to forward such mail
to another, possibly better connected, mail server.
.ip "\-D"
Perform no lookup in deferred delivery mode.
This flag is set by default for the
.i host
map.
.ip "\-S\fIspacesub\fP
The character to use to replace space characters
after a successful map lookup (esp. useful for regex
and syslog maps).
.ip "\-s\fIspacesub\fP
For the dequote map only,
the character to use to replace space characters
after a successful dequote.
.ip "\-q"
Don't dequote the key before lookup.
.ip "\-L\fIlevel\fP
For the syslog map only, it specifies the level
to use for the syslog call.
.ip "\-A"
When rebuilding an alias file,
the
.b \-A
flag causes duplicate entries in the text version
to be merged.
For example, two entries:
.(b
list:   user1, user2
list:   user3
.)b
would be treated as though it were the single entry
.(b
list:   user1, user2, user3
.)b
in the presence of the
.b \-A
flag.
.pp
Some additional flags are available for the host and dns maps:
.ip "\-d"
delay: specify the resolver's retransmission time interval (in seconds).
.ip "\-r"
retry: specify the number of times to retransmit a resolver query.
.pp
The dns map has another flag:
.ip "\-B"
basedomain: specify a domain that is always appended to queries.
.pp
The following additional flags are present in the ldap map only:
.ip "\-R"
Do not auto chase referrals.  sendmail must be compiled with
.b \-DLDAP_REFERRALS
to use this flag.
.ip "\-n"
Retrieve attribute names only.
.ip "\-V\fIsep\fP"
Retrieve both attributes name and value(s),
separated by
.i sep .
.ip "\-r\fIderef\fP"
Set the alias dereference option to one of never, always, search, or find.
.ip "\-s\fIscope\fP"
Set search scope to one of base, one (one level), or sub (subtree).
.ip "\-h\fIhost\fP"
LDAP server hostname.
Some LDAP libraries allow you to specify multiple, space-separated hosts for
redundancy.
In addition, each of the hosts listed can be followed by a colon and a port
number to override the default LDAP port.
.ip "\-p\fIport\fP"
LDAP service port.
.ip "\-H \fILDAPURI\fP"
Use the specified LDAP URI instead of specifying the hostname and port
separately with the the
.b \-h
and
.b \-p
options shown above.
For example,
.(b
-h server.example.com -p 389 -b dc=example,dc=com
.)b
is equivalent to
.(b
-H ldap://server.example.com:389 -b dc=example,dc=com
.)b
If the LDAP library supports it,
the LDAP URI format however can also request LDAP over SSL by using
.b ldaps://
instead of
.b ldap:// .
For example:
.(b
O LDAPDefaultSpec=-H ldaps://ldap.example.com -b dc=example,dc=com
.)b
Similarly, if the LDAP library supports it,
It can also be used to specify a UNIX domain socket using
.b ldapi:// :
.(b
O LDAPDefaultSpec=-H ldapi://socketfile -b dc=example,dc=com
.)b
.ip "\-b\fIbase\fP"
LDAP search base.
.ip "\-l\fItimelimit\fP"
Time limit for LDAP queries.
.ip "\-Z\fIsizelimit\fP"
Size (number of matches) limit for LDAP or DNS queries.
.ip "\-d\fIdistinguished_name\fP"
The distinguished name to use to login to the LDAP server.
.ip "\-M\fImethod\fP"
The method to authenticate to the LDAP server.
Should be one of
.b LDAP_AUTH_NONE ,
.b LDAP_AUTH_SIMPLE ,
or
.b LDAP_AUTH_KRBV4 .
.ip "\-P\fIpasswordfile\fP"
The file containing the secret key for the
.b LDAP_AUTH_SIMPLE
authentication method
or the name of the Kerberos ticket file for
.b LDAP_AUTH_KRBV4 .
.ip "\-1"
Force LDAP searches to only succeed if a single match is found.
If multiple values are found,
the search is treated as if no match was found.
.ip "\-w\fIversion\fP"
Set the LDAP API/protocol version to use.
The default depends on the LDAP client libraries in use.
For example,
.b "\-w 3"
will cause
.i sendmail
to use LDAPv3 when communicating with the LDAP server.
.ip "\-K"
Treat the LDAP search key as multi-argument and
replace %1 through %9 in the key with
the LDAP escaped contents of the lookup arguments specified in the map lookup.
.pp
The
.i dbm
map appends the strings
.q \&.pag
and
.q \&.dir
to the given filename;
the
.i hash
and
.i btree
maps append
.q \&.db .
For example, the map specification
.(b
Kuucp dbm \-o \-N /etc/mail/uucpmap
.)b
specifies an optional map named
.q uucp
of class
.q dbm ;
it always has null bytes at the end of every string,
and the data is located in
/etc/mail/uucpmap.{dir,pag}.
.pp
The program
.i makemap (8)
can be used to build any of the three database-oriented maps.
It takes the following flags:
.ip \-f
Do not fold upper to lower case in the map.
.ip \-N
Include null bytes in keys.
.ip \-o
Append to an existing (old) file.
.ip \-r
Allow replacement of existing keys;
normally, re-inserting an existing key is an error.
.ip \-v
Print what is happening.
.lp
The
.i sendmail
daemon does not have to be restarted to read the new maps
as long as you change them in place;
file locking is used so that the maps won't be read
while they are being updated.
.pp
New classes can be added in the routine
.b setupmaps
in file
.b conf.c .
.sh 2 "Q \*- Queue Group Declaration"
.pp
In addition to the option
.i QueueDirectory,
queue groups can be declared that define a (group of) queue directories
under a common name.
The syntax is as follows:
.(b F
.b Q \c
.i name
{, \c
.i field =\c
.i value \|}+
.)b
where
.i name
is the symbolic name of the queue group under which
it can be referenced in various places
and the
.q field=value
pairs define attributes of the queue group.
The name must only consist of alphanumeric characters.
Fields are:
.ip Flags
Flags for this queue group.
.ip Nice
The nice(2) increment for the queue group.
This value must be greater or equal zero.
.ip Interval
The time between two queue runs.
.ip Path
The queue directory of the group (required).
.ip Runners
The number of parallel runners processing the queue.
Note that
.b F=f
must be set if this value is greater than one.
.ip Jobs
The maximum number of jobs (messages delivered) per queue run.
.ip recipients
The maximum number of recipients per envelope.
Envelopes with more than this number of recipients will be split
into multiple envelopes in the same queue directory.
The default value 0 means no limit.
.lp
Only the first character of the field name is checked.
.pp
By default, a queue group named
.i mqueue
is defined that uses the value of the
.i QueueDirectory
option as path.
Notice: all paths that are used for queue groups must
be subdirectories of
.i QueueDirectory .
Since they can be symbolic links, this isn't a real restriction,
If
.i QueueDirectory
uses a wildcard, then the directory one level up is considered
the ``base'' directory which all other queue directories must share.
Please make sure that the queue directories do not overlap,
e.g., do not specify
.(b
O QueueDirectory=/var/spool/mqueue/*
Qone, P=/var/spool/mqueue/dir1
Qtwo, P=/var/spool/mqueue/dir2
.)b
because this also includes
.q dir1
and
.q dir2
in the default queue group.
However,
.(b
O QueueDirectory=/var/spool/mqueue/main*
Qone, P=/var/spool/mqueue/dir
Qtwo, P=/var/spool/mqueue/other*
.)b
is a valid queue group specification.
.pp
Options listed in the ``Flags'' field can be used to modify
the behavior of a queue group.
The ``f'' flag must be set if multiple queue runners are
supposed to work on the entries in a queue group.
Otherwise
.i sendmail
will work on the entries strictly sequentially.
.pp
The ``Interval'' field sets the time between queue runs.
If no queue group specific interval is set, then the parameter of the
.b -q
option from the command line is used.
.pp
To control the overall number of concurrently active queue runners
the option
.b MaxQueueChildren
can be set.
This limits the number of processes used for running the queues to
.b MaxQueueChildren ,
though at any one time fewer processes may be active
as a result of queue options, completed queue runs, system load, etc.
.pp
The maximum number of queue runners for an individual queue group can be
controlled via the
.b Runners
option.
If set to 0, entries in the queue will not be processed, which
is useful to ``quarantine'' queue files.
The number of runners per queue group may also be set with the option
.b MaxRunnersPerQueue ,
which applies to queue groups that have no individual limit.
That is, the default value for
.b Runners
is
.b MaxRunnersPerQueue
if set, otherwise 1.
.pp
The field Jobs describes the maximum number of jobs
(messages delivered) per queue run, which is the queue group specific
value of
.b MaxQueueRunSize .
.pp
Notice: queue groups should be declared after all queue related options
have been set because queue groups take their defaults from those options.
If an option is set after a queue group declaration, the values of
options in the queue group are set to the defaults of
.i sendmail
unless explicitly set in the declaration.
.pp
Each envelope is assigned to a queue group based on the algorithm
described in section
``Queue Groups and Queue Directories''.
.sh 2 "X \*- Mail Filter (Milter) Definitions"
.pp
The
.i sendmail
Mail Filter API (Milter) is designed to allow third-party programs access
to mail messages as they are being processed in order to filter
meta-information and content.
They are declared in the configuration file as:
.(b F
.b X \c
.i name
{, \c
.i field =\c
.i value \|}*
.)b
where
.i name
is the name of the filter
(used internally only)
and the
.q field=name
pairs define attributes of the filter.
Also see the documentation for the
.b InputMailFilters
option for more information.
.pp
Fields are:
.(b
.ta 1i
Socket          The socket specification
Flags           Special flags for this filter
Timeouts        Timeouts for this filter
.)b
Only the first character of the field name is checked
(it's case-sensitive).
.pp
The socket specification is one of the following forms:
.(b F
.b S= \c
.b inet \c
.b :
.i port
.b @
.i host
.)b
.(b F
.b S= \c
.b inet6 \c
.b :
.i port
.b @
.i host
.)b
.(b F
.b S= \c
.b local \c
.b :
.i path
.)b
The first two describe an IPv4 or IPv6 socket listening on a certain
.i port
at a given
.i host
or IP address.
The final form describes a named socket on the filesystem at the given
.i path .
.pp
The following flags may be set in the filter description.
.nr ii 4n
.ip R
Reject connection if filter unavailable.
.ip T
Temporary fail connection if filter unavailable.
.pp
If neither F=R nor F=T is specified, the message is passed through
.i sendmail
in case of filter errors as if the failing filters were not present.
.pp
The timeouts can be set using the four fields inside of the
.b T=
equate:
.nr ii 4n
.ip C
Timeout for connecting to a filter.
If set to 0, the system's
.i connect()
timeout will be used.
.ip S
Timeout for sending information from the MTA to a filter.
.ip R
Timeout for reading reply from the filter.
.ip E
Overall timeout between sending end-of-message to filter and waiting for
the final acknowledgment.
.pp
Note the separator between each timeout field is a
.b ';' .
The default values (if not set) are:
.b T=C:5m;S:10s;R:10s;E:5m
where
.b s
is seconds and
.b m
is minutes.
.pp
Examples:
.(b
Xfilter1, S=local:/var/run/f1.sock, F=R
Xfilter2, S=inet6:999@localhost, F=T, T=S:1s;R:1s;E:5m
Xfilter3, S=inet:3333@localhost, T=C:2m
.)b
.sh 2 "The User Database"
.pp
The user database is deprecated in favor of ``virtusertable''
and ``genericstable'' as explained in the file
.b cf/README .
If you have a version of
.i sendmail
with the user database package
compiled in,
the handling of sender and recipient addresses
is modified.
.pp
The location of this database is controlled with the
.b UserDatabaseSpec
option.
.sh 3 "Structure of the user database"
.pp
The database is a sorted (BTree-based) structure.
User records are stored with the key:
.(b
\fIuser-name\fP\fB:\fP\fIfield-name\fP
.)b
The sorted database format ensures that user records are clustered together.
Meta-information is always stored with a leading colon.
.pp
Field names define both the syntax and semantics of the value.
Defined fields include:
.nr ii 1i
.ip maildrop
The delivery address for this user.
There may be multiple values of this record.
In particular,
mailing lists will have one
.i maildrop
record for each user on the list.
.ip "mailname"
The outgoing mailname for this user.
For each outgoing name,
there should be an appropriate
.i maildrop
record for that name to allow return mail.
See also
.i :default:mailname .
.ip mailsender
Changes any mail sent to this address to have the indicated envelope sender.
This is intended for mailing lists,
and will normally be the name of an appropriate -request address.
It is very similar to the owner-\c
.i list
syntax in the alias file.
.ip fullname
The full name of the user.
.ip office-address
The office address for this user.
.ip office-phone
The office phone number for this user.
.ip office-fax
The office FAX number for this user.
.ip home-address
The home address for this user.
.ip home-phone
The home phone number for this user.
.ip home-fax
The home FAX number for this user.
.ip project
A (short) description of the project this person is affiliated with.
In the University this is often just the name of their graduate advisor.
.ip plan
A pointer to a file from which plan information can be gathered.
.pp
As of this writing,
only a few of these fields are actually being used by
.i sendmail :
.i maildrop
and
.i mailname .
A
.i finger
program that uses the other fields is planned.
.sh 3 "User database semantics"
.pp
When the rewriting rules submit an address to the local mailer,
the user name is passed through the alias file.
If no alias is found (or if the alias points back to the same address),
the name (with
.q :maildrop
appended)
is then used as a key in the user database.
If no match occurs (or if the maildrop points at the same address),
forwarding is tried.
.pp
If the first token of the user name returned by ruleset 0
is an
.q @
sign, the user database lookup is skipped.
The intent is that the user database will act as a set of defaults
for a cluster (in our case, the Computer Science Division);
mail sent to a specific machine should ignore these defaults.
.pp
When mail is sent,
the name of the sending user is looked up in the database.
If that user has a
.q mailname
record,
the value of that record is used as their outgoing name.
For example, I might have a record:
.(b
eric:mailname   Eric.Allman@CS.Berkeley.EDU
.)b
This would cause my outgoing mail to be sent as Eric.Allman.
.pp
If a
.q maildrop
is found for the user,
but no corresponding
.q mailname
record exists,
the record
.q :default:mailname
is consulted.
If present, this is the name of a host to override the local host.
For example, in our case we would set it to
.q CS.Berkeley.EDU .
The effect is that anyone known in the database
gets their outgoing mail stamped as
.q user@CS.Berkeley.EDU ,
but people not listed in the database use the local hostname.
.sh 3 "Creating the database\**"
.(f
\**These instructions are known to be incomplete.
Other features are available which provide similar functionality,
e.g., virtual hosting and mapping local addresses into a
generic form as explained in cf/README.
.)f
.pp
The user database is built from a text file
using the
.i makemap
utility
(in the distribution in the makemap subdirectory).
The text file is a series of lines corresponding to userdb records;
each line has a key and a value separated by white space.
The key is always in the format described above \*-
for example:
.(b
eric:maildrop
.)b
This file is normally installed in a system directory;
for example, it might be called
.i /etc/mail/userdb .
To make the database version of the map, run the program:
.(b
makemap btree /etc/mail/userdb < /etc/mail/userdb
.)b
Then create a config file that uses this.
For example, using the V8 M4 configuration, include the
following line in your .mc file:
.(b
define(\`confUSERDB_SPEC\', /etc/mail/userdb)
.)b
.sh 1 "OTHER CONFIGURATION"
.pp
There are some configuration changes that can be made by
recompiling
.i sendmail .
This section describes what changes can be made
and what has to be modified to make them.
In most cases this should be unnecessary
unless you are porting
.i sendmail
to a new environment.
.sh 2 "Parameters in devtools/OS/$oscf"
.pp
These parameters are intended to describe the compilation environment,
not site policy,
and should normally be defined in the operating system
configuration file.
.b "This section needs a complete rewrite."
.ip NDBM
If set,
the new version of the DBM library
that allows multiple databases will be used.
If neither NDBM nor NEWDB are set,
a much less efficient method of alias lookup is used.
.ip NEWDB
If set, use the new database package from Berkeley (from 4.4BSD).
This package is substantially faster than DBM or NDBM.
If NEWDB and NDBM are both set,
.i sendmail
will read DBM files,
but will create and use NEWDB files.
.ip NIS
Include support for NIS.
If set together with
.i both
NEWDB and NDBM,
.i sendmail
will create both DBM and NEWDB files if and only if
an alias file includes the substring
.q /yp/
in the name.
This is intended for compatibility with Sun Microsystems'
.i mkalias
program used on YP masters.
.ip NISPLUS
Compile in support for NIS+.
.ip NETINFO
Compile in support for NetInfo (NeXT stations).
.ip LDAPMAP
Compile in support for LDAP X500 queries.
Requires libldap and liblber
from the Umich LDAP 3.2 or 3.3 release
or equivalent libraries for other LDAP libraries
such as OpenLDAP.
.ip HESIOD
Compile in support for Hesiod.
.ip MAP_NSD
Compile in support for IRIX NSD lookups.
.ip MAP_REGEX
Compile in support for regular expression matching.
.ip DNSMAP
Compile in support for DNS map lookups in the
.i sendmail.cf
file.
.ip PH_MAP
Compile in support for ph lookups.
.ip SASL
Compile in support for SASL,
a required component for SMTP Authentication support.
.ip STARTTLS
Compile in support for STARTTLS.
.ip EGD
Compile in support for the "Entropy Gathering Daemon"
to provide better random data for TLS.
.ip TCPWRAPPERS
Compile in support for TCP Wrappers.
.ip _PATH_SENDMAILCF
The pathname of the sendmail.cf file.
.ip _PATH_SENDMAILPID
The pathname of the sendmail.pid file.
.ip SM_CONF_SHM
Compile in support for shared memory, see section about
"/var/spool/mqueue".
.ip MILTER
Compile in support for contacting external mail filters built with the
Milter API.
.pp
There are also several compilation flags to indicate the environment
such as
.q _AIX3
and
.q _SCO_unix_ .
See the sendmail/README
file for the latest scoop on these flags.
.sh 2 "Parameters in sendmail/conf.h"
.pp
Parameters and compilation options
are defined in conf.h.
Most of these need not normally be tweaked;
common parameters are all in sendmail.cf.
However, the sizes of certain primitive vectors, etc.,
are included in this file.
The numbers following the parameters
are their default value.
.pp
This document is not the best source of information
for compilation flags in conf.h \(em
see sendmail/README or sendmail/conf.h itself.
.nr ii 1.2i
.ip "MAXLINE [2048]"
The maximum line length of any input line.
If message lines exceed this length
they will still be processed correctly;
however, header lines,
configuration file lines,
alias lines,
etc.,
must fit within this limit.
.ip "MAXNAME [256]"
The maximum length of any name,
such as a host or a user name.
.ip "MAXPV [256]"
The maximum number of parameters to any mailer.
This limits the number of recipients that may be passed in one transaction.
It can be set to any arbitrary number above about 10,
since
.i sendmail
will break up a delivery into smaller batches as needed.
A higher number may reduce load on your system, however.
.ip "MAXQUEUEGROUPS [50]"
The maximum number of queue groups.
.ip "MAXATOM [1000]"
The maximum number of atoms
(tokens)
in a single address.
For example,
the address
.q "eric@CS.Berkeley.EDU"
is seven atoms.
.ip "MAXMAILERS [25]"
The maximum number of mailers that may be defined
in the configuration file.
This value is defined in include/sendmail/sendmail.h.
.ip "MAXRWSETS [200]"
The maximum number of rewriting sets
that may be defined.
The first half of these are reserved for numeric specification
(e.g., ``S92''),
while the upper half are reserved for auto-numbering
(e.g., ``Sfoo'').
Thus, with a value of 200 an attempt to use ``S99'' will succeed,
but ``S100'' will fail.
.ip "MAXPRIORITIES [25]"
The maximum number of values for the
.q Precedence:
field that may be defined
(using the
.b P
line in sendmail.cf).
.ip "MAXUSERENVIRON [100]"
The maximum number of items in the user environment
that will be passed to subordinate mailers.
.ip "MAXMXHOSTS [100]"
The maximum number of MX records we will accept for any single host.
.ip "MAXMAPSTACK [12]"
The maximum number of maps that may be "stacked" in a
.b sequence
class map.
.ip "MAXMIMEARGS [20]"
The maximum number of arguments in a MIME Content-Type: header;
additional arguments will be ignored.
.ip "MAXMIMENESTING [20]"
The maximum depth to which MIME messages may be nested
(that is, nested Message or Multipart documents;
this does not limit the number of components in a single Multipart document).
.ip "MAXDAEMONS [10]"
The maximum number of sockets sendmail will open for accepting connections
on different ports.
.ip "MAXMACNAMELEN [25]"
The maximum length of a macro name.
.lp
A number of other compilation options exist.
These specify whether or not specific code should be compiled in.
Ones marked with \(dg
are 0/1 valued.
.nr ii 1.2i
.ip NETINET\(dg
If set,
support for Internet protocol networking is compiled in.
Previous versions of
.i sendmail
referred to this as
.sm DAEMON ;
this old usage is now incorrect.
Defaults on;
turn it off in the Makefile
if your system doesn't support the Internet protocols.
.ip NETINET6\(dg
If set,
support for IPv6 networking is compiled in.
It must be separately enabled by adding
.b DaemonPortOptions
settings.
.ip NETISO\(dg
If set,
support for ISO protocol networking is compiled in
(it may be appropriate to #define this in the Makefile instead of conf.h).
.ip NETUNIX\(dg
If set,
support for UNIX domain sockets is compiled in.
This is used for control socket support.
.ip LOG
If set,
the
.i syslog
routine in use at some sites is used.
This makes an informational log record
for each message processed,
and makes a higher priority log record
for internal system errors.
.b "STRONGLY RECOMMENDED"
\(em if you want no logging, turn it off in the configuration file.
.ip MATCHGECOS\(dg
Compile in the code to do ``fuzzy matching'' on the GECOS field
in /etc/passwd.
This also requires that the
.b MatchGECOS
option be turned on.
.ip NAMED_BIND\(dg
Compile in code to use the
Berkeley Internet Name Domain (BIND) server
to resolve TCP/IP host names.
.ip NOTUNIX
If you are using a non-UNIX mail format,
you can set this flag to turn off special processing
of UNIX-style
.q "From "
lines.
.ip USERDB\(dg
Include the
.b experimental
Berkeley user information database package.
This adds a new level of local name expansion
between aliasing and forwarding.
It also uses the NEWDB package.
This may change in future releases.
.lp
The following options are normally turned on
in per-operating-system clauses in conf.h.
.ip IDENTPROTO\(dg
Compile in the IDENT protocol as defined in RFC 1413.
This defaults on for all systems except Ultrix,
which apparently has the interesting
.q feature
that when it receives a
.q "host unreachable"
message it closes all open connections to that host.
Since some firewall gateways send this error code
when you access an unauthorized port (such as 113, used by IDENT),
Ultrix cannot receive email from such hosts.
.ip SYSTEM5
Set all of the compilation parameters appropriate for System V.
.ip HASFLOCK\(dg
Use Berkeley-style
.b flock
instead of System V
.b lockf
to do file locking.
Due to the highly unusual semantics of locks
across forks in
.b lockf ,
this should always be used if at all possible.
.ip HASINITGROUPS
Set this if your system has the
.i initgroups()
call
(if you have multiple group support).
This is the default if SYSTEM5 is
.i not
defined or if you are on HPUX.
.ip HASUNAME
Set this if you have the
.i uname (2)
system call (or corresponding library routine).
Set by default if
SYSTEM5
is set.
.ip HASGETDTABLESIZE
Set this if you have the
.i getdtablesize (2)
system call.
.ip HASWAITPID
Set this if you have the
.i haswaitpid (2)
system call.
.ip FAST_PID_RECYCLE
Set this if your system can possibly
reuse the same pid in the same second of time.
.ip SFS_TYPE
The mechanism that can be used to get file system capacity information.
The values can be one of
SFS_USTAT (use the ustat(2) syscall),
SFS_4ARGS (use the four argument statfs(2) syscall),
SFS_VFS (use the two argument statfs(2) syscall including <sys/vfs.h>),
SFS_MOUNT (use the two argument statfs(2) syscall including <sys/mount.h>),
SFS_STATFS (use the two argument statfs(2) syscall including <sys/statfs.h>),
SFS_STATVFS (use the two argument statfs(2) syscall including <sys/statvfs.h>),
or
SFS_NONE (no way to get this information).
.ip LA_TYPE
The load average type.
Details are described below.
.lp
The are several built-in ways of computing the load average.
.i Sendmail
tries to auto-configure them based on imperfect guesses;
you can select one using the
.i cc
option
.b \-DLA_TYPE= \c
.i type ,
where
.i type
is:
.ip LA_INT
The kernel stores the load average in the kernel as an array of long integers.
The actual values are scaled by a factor FSCALE
(default 256).
.ip LA_SHORT
The kernel stores the load average in the kernel as an array of short integers.
The actual values are scaled by a factor FSCALE
(default 256).
.ip LA_FLOAT
The kernel stores the load average in the kernel as an array of
double precision floats.
.ip LA_MACH
Use MACH-style load averages.
.ip LA_SUBR
Call the
.i getloadavg
routine to get the load average as an array of doubles.
.ip LA_ZERO
Always return zero as the load average.
This is the fallback case.
.lp
If type
.sm LA_INT ,
.sm LA_SHORT ,
or
.sm LA_FLOAT
is specified,
you may also need to specify
.sm _PATH_UNIX
(the path to your system binary)
and
.sm LA_AVENRUN
(the name of the variable containing the load average in the kernel;
usually
.q _avenrun
or
.q avenrun ).
.sh 2 "Configuration in sendmail/conf.c"
.pp
The following changes can be made in conf.c.
.sh 3 "Built-in Header Semantics"
.pp
Not all header semantics are defined in the configuration file.
Header lines that should only be included by certain mailers
(as well as other more obscure semantics)
must be specified in the
.i HdrInfo
table in
.i conf.c .
This table contains the header name
(which should be in all lower case)
and a set of header control flags (described below),
The flags are:
.ip H_ACHECK
Normally when the check is made to see if a header line is compatible
with a mailer,
.i sendmail
will not delete an existing line.
If this flag is set,
.i sendmail
will delete
even existing header lines.
That is,
if this bit is set and the mailer does not have flag bits set
that intersect with the required mailer flags
in the header definition in
sendmail.cf,
the header line is
.i always
deleted.
.ip H_EOH
If this header field is set,
treat it like a blank line,
i.e.,
it will signal the end of the header
and the beginning of the message text.
.ip H_FORCE
Add this header entry
even if one existed in the message before.
If a header entry does not have this bit set,
.i sendmail
will not add another header line if a header line
of this name already existed.
This would normally be used to stamp the message
by everyone who handled it.
.ip H_TRACE
If set,
this is a timestamp
(trace)
field.
If the number of trace fields in a message
exceeds a preset amount
the message is returned
on the assumption that it has an aliasing loop.
.ip H_RCPT
If set,
this field contains recipient addresses.
This is used by the
.b \-t
flag to determine who to send to
when it is collecting recipients from the message.
.ip H_FROM
This flag indicates that this field
specifies a sender.
The order of these fields in the
.i HdrInfo
table specifies
.i sendmail 's
preference
for which field to return error messages to.
.ip H_ERRORSTO
Addresses in this header should receive error messages.
.ip H_CTE
This header is a Content-Transfer-Encoding header.
.ip H_CTYPE
This header is a Content-Type header.
.ip H_STRIPVAL
Strip the value from the header (for Bcc:).
.nr ii 5n
.lp
Let's look at a sample
.i HdrInfo
specification:
.(b
.ta 4n +\w'"content-transfer-encoding",  'u
struct hdrinfo  HdrInfo[] =
\&{
             /* originator fields, most to least significant  */
        "resent-sender",        H_FROM,
        "resent-from",  H_FROM,
        "sender",       H_FROM,
        "from", H_FROM,
        "full-name",    H_ACHECK,
        "errors-to",    H_FROM\^|\^H_ERRORSTO,
             /* destination fields */
        "to",   H_RCPT,
        "resent-to",    H_RCPT,
        "cc",   H_RCPT,
        "bcc",  H_RCPT\^|\^H_STRIPVAL,
             /* message identification and control */
        "message",      H_EOH,
        "text", H_EOH,
             /* trace fields */
        "received",     H_TRACE\^|\^H_FORCE,
             /* miscellaneous fields */
        "content-transfer-encoding",    H_CTE,
        "content-type", H_CTYPE,

        NULL,   0,
};
.)b
This structure indicates that the
.q To: ,
.q Resent-To: ,
and
.q Cc:
fields
all specify recipient addresses.
Any
.q Full-Name:
field will be deleted unless the required mailer flag
(indicated in the configuration file)
is specified.
The
.q Message:
and
.q Text:
fields will terminate the header;
these are used by random dissenters around the network world.
The
.q Received:
field will always be added,
and can be used to trace messages.
.pp
There are a number of important points here.
First,
header fields are not added automatically just because they are in the
.i HdrInfo
structure;
they must be specified in the configuration file
in order to be added to the message.
Any header fields mentioned in the configuration file but not
mentioned in the
.i HdrInfo
structure have default processing performed;
that is,
they are added unless they were in the message already.
Second,
the
.i HdrInfo
structure only specifies cliched processing;
certain headers are processed specially by ad hoc code
regardless of the status specified in
.i HdrInfo .
For example,
the
.q Sender:
and
.q From:
fields are always scanned on ARPANET mail
to determine the sender\**;
.(f
\**Actually, this is no longer true in SMTP;
this information is contained in the envelope.
The older ARPANET protocols did not completely distinguish
envelope from header.
.)f
this is used to perform the
.q "return to sender"
function.
The
.q "From:"
and
.q "Full-Name:"
fields are used to determine the full name of the sender
if possible;
this is stored in the macro
.b $x
and used in a number of ways.
.sh 3 "Restricting Use of Email"
.pp
If it is necessary to restrict mail through a relay,
the
.i checkcompat
routine can be modified.
This routine is called for every recipient address.
It returns an exit status
indicating the status of the message.
The status
.sm EX_OK
accepts the address,
.sm EX_TEMPFAIL
queues the message for a later try,
and other values
(commonly
.sm EX_UNAVAILABLE )
reject the message.
It is up to
.i checkcompat
to print an error message
(using
.i usrerr )
if the message is rejected.
For example,
.i checkcompat
could read:
.(b
.re
.sz -1
.ta 4n +4n +4n +4n +4n +4n +4n
int
checkcompat(to, e)
        register ADDRESS *to;
        register ENVELOPE *e;
\&{
        register STAB *s;

        s = stab("private", ST_MAILER, ST_FIND);
        if (s != NULL && e\->e_from.q_mailer != LocalMailer &&
            to->q_mailer == s->s_mailer)
        {
                usrerr("No private net mail allowed through this machine");
                return (EX_UNAVAILABLE);
        }
        if (MsgSize > 50000 && bitnset(M_LOCALMAILER, to\->q_mailer))
        {
                usrerr("Message too large for non-local delivery");
                e\->e_flags |= EF_NORETURN;
                return (EX_UNAVAILABLE);
        }
        return (EX_OK);
}
.sz
.)b
This would reject messages greater than 50000 bytes
unless they were local.
The
.i EF_NORETURN
flag can be set in
.i e\(->e_flags
to suppress the return of the actual body
of the message in the error return.
The actual use of this routine is highly dependent on the
implementation,
and use should be limited.
.sh 3 "New Database Map Classes"
.pp
New key maps can be added by creating a class initialization function
and a lookup function.
These are then added to the routine
.i setupmaps.
.pp
The initialization function is called as
.(b
\fIxxx\fP_map_init(MAP *map, char *args)
.)b
The
.i map
is an internal data structure.
The
.i args
is a pointer to the portion of the configuration file line
following the map class name;
flags and filenames can be extracted from this line.
The initialization function must return
.sm true
if it successfully opened the map,
.sm false
otherwise.
.pp
The lookup function is called as
.(b
\fIxxx\fP_map_lookup(MAP *map, char buf[], char **av, int *statp)
.)b
The
.i map
defines the map internally.
The
.i buf
has the input key.
This may be (and often is) used destructively.
The
.i av
is a list of arguments passed in from the rewrite line.
The lookup function should return a pointer to the new value.
If the map lookup fails,
.i *statp
should be set to an exit status code;
in particular, it should be set to
.sm EX_TEMPFAIL
if recovery is to be attempted by the higher level code.
.sh 3 "Queueing Function"
.pp
The routine
.i shouldqueue
is called to decide if a message should be queued
or processed immediately.
Typically this compares the message priority to the current load average.
The default definition is:
.(b
bool
shouldqueue(pri, ctime)
        long pri;
        time_t ctime;
{
        if (CurrentLA < QueueLA)
                return false;
        return (pri > (QueueFactor / (CurrentLA \- QueueLA + 1)));
}
.)b
If the current load average
(global variable
.i CurrentLA ,
which is set before this function is called)
is less than the low threshold load average
(option
.b x ,
variable
.i QueueLA ),
.i shouldqueue
returns
.sm false
immediately
(that is, it should
.i not
queue).
If the current load average exceeds the high threshold load average
(option
.b X ,
variable
.i RefuseLA ),
.i shouldqueue
returns
.sm true
immediately.
Otherwise, it computes the function based on the message priority,
the queue factor
(option
.b q ,
global variable
.i QueueFactor ),
and the current and threshold load averages.
.pp
An implementation wishing to take the actual age of the message into account
can also use the
.i ctime
parameter,
which is the time that the message was first submitted to
.i sendmail .
Note that the
.i pri
parameter is already weighted
by the number of times the message has been tried
(although this tends to lower the priority of the message with time);
the expectation is that the
.i ctime
would be used as an
.q "escape clause"
to ensure that messages are eventually processed.
.sh 3 "Refusing Incoming SMTP Connections"
.pp
The function
.i refuseconnections
returns
.sm true
if incoming SMTP connections should be refused.
The current implementation is based exclusively on the current load average
and the refuse load average option
(option
.b X ,
global variable
.i RefuseLA ):
.(b
bool
refuseconnections()
{
        return (RefuseLA > 0 && CurrentLA >= RefuseLA);
}
.)b
A more clever implementation
could look at more system resources.
.sh 3 "Load Average Computation"
.pp
The routine
.i getla
returns the current load average (as a rounded integer).
The distribution includes several possible implementations.
If you are porting to a new environment
you may need to add some new tweaks.\**
.(f
\**If you do, please send updates to
sendmail@Sendmail.ORG.
.)f
.sh 2 "Configuration in sendmail/daemon.c"
.pp
The file
.i sendmail/daemon.c
contains a number of routines that are dependent
on the local networking environment.
The version supplied assumes you have BSD style sockets.
.pp
In previous releases,
we recommended that you modify the routine
.i maphostname
if you wanted to generalize
.b $[
\&...\&
.b $]
lookups.
We now recommend that you create a new keyed map instead.
.sh 2 "LDAP"
.pp
In this section we assume that
.i sendmail
has been compiled with support for LDAP.
.sh 3 "LDAP Recursion"
.pp
LDAP Recursion allows you to add types to the search attributes on an
LDAP map specification.
The syntax is:
.ip "\-v \fIATTRIBUTE\fP[:\fITYPE\fP[:\fIOBJECTCLASS\fP[|\fIOBJECTCLASS\fP|...]]]
.pp
The new \fITYPE\fPs are:
.nr ii 1i
.ip NORMAL
This attribute type specifies the attribute to add to the results string.
This is the default.
.ip DN
Any matches for this attribute are expected to have a value of a
fully qualified distinguished name.
.i sendmail
will lookup that DN and apply the attributes requested to the
returned DN record.
.ip FILTER
Any matches for this attribute are expected to have a value of an
LDAP search filter.
.i sendmail
will perform a lookup with the same parameters as the original
search but replaces the search filter with the one specified here.
.ip URL
Any matches for this attribute are expected to have a value of an LDAP URL.
.i sendmail
will perform a lookup of that URL and use the results from the attributes
named in that URL.
Note however that the search is done using the current LDAP connection,
regardless of what is specified as the scheme, LDAP host, and LDAP
port in the LDAP URL.
.lp
Any untyped attributes are considered
.sm NORMAL
attributes as described above.
.pp
The optional \fIOBJECTCLASS\fP (| separated) list contains the
objectClass values for which that attribute applies.
If the list is given,
the attribute named will only be used if the LDAP record being returned is a
member of that object class.
Note that if these new value attribute \fITYPE\fPs are used in an
AliasFile
option setting, it will need to be double quoted to prevent
.i sendmail
from misparsing the colons.
.pp
Note that LDAP recursion attributes which do not ultimately point to an
LDAP record are not considered an error.
.sh 4 "Example"
.pp
Since examples usually help clarify, here is an example which uses all
four of the new types:
.(b
O LDAPDefaultSpec=-h ldap.example.com -b dc=example,dc=com

Kexample ldap
         -z,
         -k (&(objectClass=sendmailMTAAliasObject)(sendmailMTAKey=%0))
         -v sendmailMTAAliasValue,mail:NORMAL:inetOrgPerson,
            uniqueMember:DN:groupOfUniqueNames,
            sendmailMTAAliasSearch:FILTER:sendmailMTAAliasObject,
            sendmailMTAAliasURL:URL:sendmailMTAAliasObject
.)b
.pp
That definition specifies that:
.bu
Any value in a
.sm sendmailMTAAliasValue
attribute will be added to the result string regardless of object class.
.bu
The
.sm mail
attribute will be added to the result string if
the LDAP record is a member of the
.sm inetOrgPerson
object class.
.bu
The
.sm uniqueMember
attribute is a recursive attribute, used only in
.sm groupOfUniqueNames
records, and should contain an LDAP DN pointing to another LDAP record.
The desire here is to return the
.sm mail
attribute from those DNs.
.bu
The
.sm sendmailMTAAliasSearch
attribute and
.sm sendmailMTAAliasURL
are both used only if referenced in a
.sm sendmailMTAAliasObject .
They are both recursive, the first for a new LDAP search string and the
latter for an LDAP URL.
.sh 2 "STARTTLS"
.pp
In this section we assume that
.i sendmail
has been compiled with support for STARTTLS.
To properly understand the use of STARTTLS in
.i sendmail ,
it is necessary to understand at least some basics about X.509 certificates
and public key cryptography.
This information can be found in books about SSL/TLS
or on WWW sites, e.g.,
.q http://www.OpenSSL.org/ .
.sh 3 "Certificates for STARTTLS"
.pp
When acting as a server,
.i sendmail
requires X.509 certificates to support STARTTLS:
one as certificate for the server (ServerCertFile and corresponding
private ServerKeyFile)
at least one root CA (CACertFile),
i.e., a certificate that is used to sign other certificates,
and a path to a directory which contains other CAs (CACertPath).
The file specified via
CACertFile
can contain several certificates of CAs.
The DNs of these certificates are sent
to the client during the TLS handshake (as part of the
CertificateRequest) as the list of acceptable CAs.
However, do not list too many root CAs in that file, otherwise
the TLS handshake may fail; e.g.,
.(b
error:14094417:SSL routines:SSL3_READ_BYTES:
sslv3 alert illegal parameter:s3_pkt.c:964:SSL alert number 47
.)b
You should probably put only the CA cert into that file
that signed your own cert(s), or at least only those you trust.
The CACertPath directory must contain the hashes of each CA certificate
as filenames (or as links to them).
Symbolic links can be generated with the following
two (Bourne) shell commands:
.(b
C=FileName_of_CA_Certificate
ln -s $C `openssl x509 -noout -hash < $C`.0
.)b
An X.509 certificate is also required for authentication in client mode
(ClientCertFile and corresponding private ClientKeyFile), however,
.i sendmail
will always use STARTTLS when offered by a server.
The client and server certificates can be identical.
Certificates can be obtained from a certificate authority
or created with the help of OpenSSL.
The required format for certificates and private keys is PEM.
To allow for automatic startup of sendmail, private keys
(ServerKeyFile, ClientKeyFile)
must be stored unencrypted.
The keys are only protected by the permissions of the file system.
Never make a private key available to a third party.
.sh 3 "PRNG for STARTTLS"
.pp
STARTTLS requires a strong pseudo random number generator (PRNG)
to operate properly.
Depending on the TLS library you use, it may be required to explicitly
initialize the PRNG with random data.
OpenSSL makes use of
.b /dev/urandom(4)
if available (this corresponds to the compile flag HASURANDOMDEV).
On systems which lack this support, a random file must be specified in the
.i sendmail.cf
file using the option RandFile.
It is
.b strongly
advised to use the "Entropy Gathering Daemon" EGD
from Brian Warner on those systems to provide useful random data.
In this case,
.i sendmail
must be compiled with the flag EGD, and the
RandFile option must point to the EGD socket.
If neither
.b /dev/urandom(4)
nor EGD are available, you have to make sure
that useful random data is available all the time in RandFile.
If the file hasn't been modified in the last 10 minutes before
it is supposed to be used by
.i sendmail
the content is considered obsolete.
One method for generating this file is:
.(b
openssl rand -out /etc/mail/randfile -rand \c
.i /path/to/file:... \c
256
.)b
See the OpenSSL documentation for more information.
In this case, the PRNG for TLS is only
seeded with other random data if the
.b DontBlameSendmail
option
.b InsufficientEntropy
is set.
This is most likely not sufficient for certain actions, e.g.,
generation of (temporary) keys.
.pp
Please see the OpenSSL documentation or other sources
for further information about certificates, their creation and their usage,
the importance of a good PRNG, and other aspects of TLS.
.sh 2 "Encoding of STARTTLS and AUTH related Macros"
.pp
Macros that contain STARTTLS and AUTH related data which comes from outside
sources, e.g., all macros containing information from certificates,
are encoded to avoid problems with non-printable or special characters.
The latter are '\\', '<', '>', '(', ')', '"', '+', and ' '.
All of these characters are replaced by their value in hexadecimal
with a leading '+'.
For example:
.(b
/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/
Email=darth+cert@endmail.org
.)b
is encoded as:
.(b
/C=US/ST=California/O=endmail.org/OU=private/
CN=Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org
.)b
(line breaks have been inserted for readability).
The macros which are subject to this encoding are
{cert_subject}, {cert_issuer}, {cn_subject}, {cn_issuer},
as well as
{auth_authen} and {auth_author}.
.sh 1 "ACKNOWLEDGEMENTS"
.pp
I've worked on
.i sendmail
for many years,
and many employers have been remarkably patient
about letting me work on a large project
that was not part of my official job.
This includes time on the INGRES Project at
the University of California at Berkeley,
at Britton Lee,
and again on the Mammoth and Titan Projects at Berkeley.
.pp
Much of the second wave of improvements
resulting in version 8.1
should be credited to Bryan Costales of the
International Computer Science Institute.
As he passed me drafts of his book on
.i sendmail
I was inspired to start working on things again.
Bryan was also available to bounce ideas off of.
.pp
Gregory Neil Shapiro
of Worcester Polytechnic Institute
has become instrumental in all phases of
.i sendmail
support and development,
and was largely responsible for getting versions 8.8 and 8.9
out the door.
.pp
Many, many people contributed chunks of code and ideas to
.i sendmail .
It has proven to be a group network effort.
Version 8 in particular was a group project.
The following people and organizations made notable contributions:
.(l
Claus Assmann
John Beck, Hewlett-Packard & Sun Microsystems
Keith Bostic, CSRG, University of California, Berkeley
Andrew Cheng, Sun Microsystems
Michael J. Corrigan, University of California, San Diego
Bryan Costales, International Computer Science Institute & InfoBeat
Pa\*:r (Pell) Emanuelsson
Craig Everhart, Transarc Corporation
Per Hedeland, Ericsson
Tom Ivar Helbekkmo, Norwegian School of Economics
Kari Hurtta, Finnish Meteorological Institute
Allan E. Johannesen, WPI
Jonathan Kamens, OpenVision Technologies, Inc.
Takahiro Kanbe, Fuji Xerox Information Systems Co., Ltd.
Brian Kantor, University of California, San Diego
John Kennedy, Cal State University, Chico
Murray S. Kucherawy, HookUp Communication Corp.
Bruce Lilly, Sony U.S.
Karl London
Motonori Nakamura, Ritsumeikan University & Kyoto University
John Gardiner Myers, Carnegie Mellon University
Neil Rickert, Northern Illinois University
Gregory Neil Shapiro, WPI
Eric Schnoebelen, Convex Computer Corp.
Eric Wassenaar, National Institute for Nuclear and High Energy Physics, Amsterdam
Randall Winchester, University of Maryland
Christophe Wolfhugel, Pasteur Institute & Herve Schauer Consultants (Paris)
Exactis.com, Inc.
.)l
I apologize for anyone I have omitted, misspelled, misattributed, or
otherwise missed.
At this point, I suspect that at least a hundred people
have contributed code,
and many more have contributed ideas, comments, and encouragement.
I've tried to list them in the RELEASE_NOTES in the distribution directory.
I appreciate their contribution as well.
.pp
Special thanks are reserved for Michael Corrigan and Christophe Wolfhugel,
who besides being wonderful guinea pigs and contributors
have also consented to be added to the ``sendmail@Sendmail.ORG'' list
and, by answering the bulk of the questions sent to that list,
have freed me up to do other work.
.++ A
.+c "COMMAND LINE FLAGS"
.ba 0
.nr ii 1i
.pp
Arguments must be presented with flags before addresses.
The flags are:
.ip \-A\fIx\fP
Select an alternative .cf file which is either
.i sendmail.cf
for
.b \-Am
or
.i submit.cf
for
.b \-Ac .
By default the .cf file is chosen based on the operation mode.
For
.b -bm
(default),
.b -bs ,
and
.b -t
it is
.i submit.cf
if it exists, for all others it is
.i sendmail.cf .
.ip \-b\fIx\fP
Set operation mode to
.i x .
Operation modes are:
.(b
.ta 4n
m       Deliver mail (default)
s       Speak SMTP on input side
a\(dg   ``Arpanet'' mode (get envelope sender information from header)
d       Run as a daemon in background
D       Run as a daemon in foreground
t       Run in test mode
v       Just verify addresses, don't collect or deliver
i       Initialize the alias database
p       Print the mail queue
P       Print overview over the mail queue (requires shared memory)
h       Print the persistent host status database
H       Purge expired entries from the persistent host status database
.)b
.(f
\(dgDeprecated.
.)f
.ip \-B\fItype\fP
Indicate body type.
.ip \-C\fIfile\fP
Use a different configuration file.
.i Sendmail
runs as the invoking user (rather than root)
when this flag is specified.
.ip "\-D \fIlogfile\fP"
Send debugging output to the indicated
.i logfile
instead of stdout.
.ip \-d\fIlevel\fP
Set debugging level.
.ip "\-f\ \fIaddr\fP"
The envelope sender address is set to
.i addr .
This address may also be used in the From: header
if that header is missing during initial submission.
The envelope sender address is used as the recipient
for delivery status notifications
and may also appear in a Return-Path: header.
.ip \-F\ \fIname\fP
Sets the full name of this user to
.i name .
.ip \-G
When accepting messages via the command line,
indicate that they are for relay (gateway) submission.
sendmail may complain about syntactically invalid messages,
e.g., unqualified host names,
rather than fixing them when this flag is set.
sendmail will not do any canonicalization in this mode.
.ip "\-h\ \fIcnt\fP"
Sets the
.q "hop count"
to
.i cnt .
This represents the number of times this message has been processed
by
.i sendmail
(to the extent that it is supported by the underlying networks).
.i Cnt
is incremented during processing,
and if it reaches
MAXHOP
(currently 25)
.i sendmail
throws away the message with an error.
.ip "\-L \fItag\fP"
Sets the identifier used for syslog.
Note that this identifier is set
as early as possible.
However,
.i sendmail
may be used
if problems arise
before the command line arguments
are processed.
.ip \-n
Don't do aliasing or forwarding.
.ip "\-N \fInotifications\fP"
Tag all addresses being sent as wanting the indicated
.i notifications ,
which consists of the word
.q NEVER
or a comma-separated list of
.q SUCCESS ,
.q FAILURE ,
and
.q DELAY
for successful delivery,
failure,
and a message that is stuck in a queue somewhere.
The default is
.q FAILURE,DELAY .
.ip "\-r\ \fIaddr\fP"
An obsolete form of
.b \-f .
.ip \-o\fIx\|value\fP
Set option
.i x
to the specified
.i value .
These options are described in Section 5.6.
.ip \-O\fIoption\fP\fB=\fP\fIvalue\fP
Set
.i option
to the specified
.i value
(for long form option names).
These options are described in Section 5.6.
.ip \-M\fIx\|value\fP
Set macro
.i x
to the specified
.i value .
.ip \-p\fIprotocol\fP
Set the sending protocol.
Programs are encouraged to set this.
The protocol field can be in the form
.i protocol \c
.b : \c
.i host
to set both the sending protocol and sending host.
For example,
.q \-pUUCP:uunet
sets the sending protocol to UUCP
and the sending host to uunet.
(Some existing programs use \-oM to set the r and s macros;
this is equivalent to using \-p.)
.ip \-q\fItime\fP
Try to process the queued up mail.
If the time is given,
a
.i sendmail
will start one or more processes to run through the queue(s) at the specified
time interval to deliver queued mail; otherwise, it only runs once.
Each of these processes acts on a workgroup.
These processes are also known as workgroup processes or WGP's for short.
Each workgroup is responsible for controlling the processing of one or
more queues; workgroups help manage the use of system resources by sendmail.
Each workgroup may have one or more children concurrently processing
queues depending on the setting of \fIMaxQueueChildren\fP.
.ip \-qp\fItime\fP
Similar to \-q with a time argument,
except that instead of periodically starting WGP's
sendmail starts persistent WGP's
that alternate between processing queues and sleeping.
The sleep time is specified by the time argument; it defaults to 1 second,
except that a WGP always sleeps at least 5 seconds if their queues were
empty in the previous run.
Persistent processes are managed by a queue control process (QCP).
The QCP is the parent process of the WGP's.
Typically the QCP will be the sendmail daemon (when started with \-bd or \-bD)
or a special process (named Queue control) (when started without \-bd or \-bD).
If a persistent WGP ceases to be active for some reason
another WGP will be started by the QCP for the same workgroup
in most cases. When a persistent WGP has core dumped, the debug flag
\fIno_persistent_restart\fP is set or the specific persistent WGP has been
restarted too many times already then the WGP will not be started again
and a message will be logged to this effect.
To stop (SIGTERM) or restart (SIGHUP) persistent WGP's the appropriate
signal should be sent to the QCP. The QCP will propagate the signal to all of
the WGP's and if appropriate restart the persistent WGP's.
.ip \-q\fIGname\fP
Run the jobs in the queue group
.i name
once.
.ip \-q[!]\fIXstring\fP
Run the queue once,
limiting the jobs to those matching
.i Xstring .
The key letter
.i X
can be
.b I
to limit based on queue identifier,
.b R
to limit based on recipient,
.b S
to limit based on sender,
or
.b Q
to limit based on quarantine reason for quarantined jobs.
A particular queued job is accepted if one of the corresponding attributes
contains the indicated
.i string .
The optional ! character negates the condition tested.
Multiple
.i \-q\fIX\fP
flags are permitted,
with items with the same key letter
.q or'ed
together, and items with different key letters
.q and'ed
together.
.ip "\-Q[reason]"
Quarantine a normal queue items with the given reason or
unquarantine quarantined queue items if no reason is given.
This should only be used with some sort of item matching using
.b \-q[!]\fIXstring\fP
as described above.
.ip "\-R ret"
What information you want returned if the message bounces;
.i ret
can be
.q HDRS
for headers only or
.q FULL
for headers plus body.
This is a request only;
the other end is not required to honor the parameter.
If
.q HDRS
is specified local bounces also return only the headers.
.ip \-t
Read the header for
.q To: ,
.q Cc: ,
and
.q Bcc:
lines, and send to everyone listed in those lists.
The
.q Bcc:
line will be deleted before sending.
Any addresses in the argument vector will be deleted
from the send list.
.ip "\-V envid"
The indicated
.i envid
is passed with the envelope of the message
and returned if the message bounces.
.ip "\-X \fIlogfile\fP"
Log all traffic in and out of
.i sendmail
in the indicated
.i logfile
for debugging mailer problems.
This produces a lot of data very quickly and should be used sparingly.
.pp
There are a number of options that may be specified as
primitive flags.
These are the e, i, m, and v options.
Also,
the f option
may be specified as the
.b \-s
flag.
The DSN related options
.q "\-N" ,
.q "\-R" ,
and
.q "\-V"
have no effects on
.i sendmail
running as daemon.
.+c "QUEUE FILE FORMATS"
.pp
This appendix describes the format of the queue files.
These files live in a queue directory.
The individual qf, hf, Qf, df, and xf files
may be stored in separate
.i qf/ ,
.i df/ ,
and
.i xf/
subdirectories
if they are present in the queue directory.
.pp
All queue files have the name
.i ttYMDhmsNNppppp
where
.i YMDhmsNNppppp
is the
.i id
for this message
and the
.i tt
is a type.
The individual letters in the
.i id
are:
.nr ii 0.5i
.ip Y
Encoded year
.ip M
Encoded month
.ip D
Encoded day
.ip h
Encoded hour
.ip m
Encoded minute
.ip s
Encoded second
.ip NN
Encoded envelope number
.ip ppppp
At least five decimal digits of the process ID
.pp
All files with the same id collectively define one message.
Due to the use of memory-buffered files,
some of these files may never appear on disk.
.pp
The types are:
.nr ii 0.5i
.ip qf
The queue control file.
This file contains the information necessary to process the job.
.ip hf
The same as a queue control file, but for a quarantined queue job.
.ip df
The data file.
The message body (excluding the header) is kept in this file.
Sometimes the df file is not stored in the same directory as the qf file;
in this case,
the qf file contains a `d' record which names the queue directory
that contains the df file.
.ip tf
A temporary file.
This is an image of the
.b qf
file when it is being rebuilt.
It should be renamed to a
.b qf
file very quickly.
.ip xf
A transcript file,
existing during the life of a session
showing everything that happens
during that session.
Sometimes the xf file must be generated before a queue group has been selected;
in this case,
the xf file will be stored in a directory of the default queue group.
.ip Qf
A ``lost'' queue control file.
.i sendmail
renames a
.b qf
file to
.b Qf
if there is a severe (configuration) problem that cannot be solved without
human intervention.
Search the logfile for the queue file id to figure out what happened.
After you resolved the problem, you can rename the
.b Qf
file to
.b qf
and send it again.
.pp
The queue control file is structured as a series of lines
each beginning with a code letter.
The lines are as follows:
.ip V
The version number of the queue file format,
used to allow new
.i sendmail
binaries to read queue files created by older versions.
Defaults to version zero.
Must be the first line of the file if present.
For 8.12 the version number is 6.
.ip A
The information given by the AUTH= parameter of the
.q "MAIL FROM:"
command or $f@$j
if sendmail has been called directly.
.ip H
A header definition.
There may be any number of these lines.
The order is important:
they represent the order in the final message.
These use the same syntax
as header definitions in the configuration file.
.ip C
The controlling address.
The syntax is
.q localuser:aliasname .
Recipient addresses following this line
will be flagged so that deliveries will be run as the
.i localuser
(a user name from the /etc/passwd file);
.i aliasname
is the name of the alias that expanded to this address
(used for printing messages).
.ip q
The quarantine reason for quarantined queue items.
.ip Q
The ``original recipient'',
specified by the ORCPT= field in an ESMTP transaction.
Used exclusively for Delivery Status Notifications.
It applies only to the following `R' line.
.ip r
The ``final recipient''
used for Delivery Status Notifications.
It applies only to the following `R' line.
.ip R
A recipient address.
This will normally be completely aliased,
but is actually realiased when the job is processed.
There will be one line for each recipient.
Version 1 qf files
also include a leading colon-terminated list of flags,
which can be
`S' to return a message on successful final delivery,
`F' to return a message on failure,
`D' to return a message if the message is delayed,
`B' to indicate that the body should be returned,
`N' to suppress returning the body,
and
`P' to declare this as a ``primary'' (command line or SMTP-session) address.
.ip S
The sender address.
There may only be one of these lines.
.ip T
The job creation time.
This is used to compute when to time out the job.
.ip P
The current message priority.
This is used to order the queue.
Higher numbers mean lower priorities.
The priority changes
as the message sits in the queue.
The initial priority depends on the message class
and the size of the message.
.ip M
A message.
This line is printed by the
.i mailq
command,
and is generally used to store status information.
It can contain any text.
.ip F
Flag bits, represented as one letter per flag.
Defined flag bits are
.b r
indicating that this is a response message
and
.b w
indicating that a warning message has been sent
announcing that the mail has been delayed.
Other flag bits are:
.b 8 :
the body contains 8bit data,
.b b :
a Bcc: header should be removed,
.b d :
the mail has RET parameters (see RFC 1894),
.b n :
the body of the message should not be returned
in case of an error,
.b s :
the envelope has been split.
.ip N
The total number of delivery attempts.
.ip K
The time (as seconds since January 1, 1970)
of the last delivery attempt.
.ip d
If the df file is in a different directory than the qf file,
then a `d' record is present,
specifying the directory in which the df file resides.
.ip I
The i-number of the data file;
this can be used to recover your mail queue
after a disastrous disk crash.
.ip $
A macro definition.
The values of certain macros
are passed through to the queue run phase.
.ip B
The body type.
The remainder of the line is a text string defining the body type.
If this field is missing,
the body type is assumed to be
.q "undefined"
and no special processing is attempted.
Legal values are
.q 7BIT
and
.q 8BITMIME .
.ip Z
The original envelope id (from the ESMTP transaction).
For Deliver Status Notifications only.
.pp
As an example,
the following is a queue file sent to
.q eric@mammoth.Berkeley.EDU
and
.q bostic@okeeffe.CS.Berkeley.EDU \**:
.(f
\**This example is contrived and probably inaccurate for your environment.
Glance over it to get an idea;
nothing can replace looking at what your own system generates.
.)f
.(b
V4
T711358135
K904446490
N0
P2100941
$_eric@localhost
${daemon_flags}
Seric
Ceric:100:1000:sendmail@vangogh.CS.Berkeley.EDU
RPFD:eric@mammoth.Berkeley.EDU
RPFD:bostic@okeeffe.CS.Berkeley.EDU
H?P?Return-path: <^g>
H??Received: by vangogh.CS.Berkeley.EDU (5.108/2.7) id AAA06703;
        Fri, 17 Jul 1992 00:28:55 -0700
H??Received: from mail.CS.Berkeley.EDU by vangogh.CS.Berkeley.EDU (5.108/2.7)
        id AAA06698; Fri, 17 Jul 1992 00:28:54 -0700
H??Received: from [128.32.31.21] by mail.CS.Berkeley.EDU (5.96/2.5)
        id AA22777; Fri, 17 Jul 1992 03:29:14 -0400
H??Received: by foo.bar.baz.de (5.57/Ultrix3.0-C)
        id AA22757; Fri, 17 Jul 1992 09:31:25 GMT
H?F?From: eric@foo.bar.baz.de (Eric Allman)
H?x?Full-name: Eric Allman
H??Message-id: <9207170931.AA22757@foo.bar.baz.de>
H??To: sendmail@vangogh.CS.Berkeley.EDU
H??Subject: this is an example message
.)b
This shows
the person who sent the message,
the submission time
(in seconds since January 1, 1970),
the message priority,
the message class,
the recipients,
and the headers for the message.
.+c "SUMMARY OF SUPPORT FILES"
.pp
This is a summary of the support files
that
.i sendmail
creates or generates.
Many of these can be changed by editing the sendmail.cf file;
check there to find the actual pathnames.
.nr ii 1i
.ip "/usr/\*(SD/sendmail"
The binary of
.i sendmail .
.ip /usr/\*(SB/newaliases
A link to /usr/\*(SD/sendmail;
causes the alias database to be rebuilt.
Running this program is completely equivalent to giving
.i sendmail
the
.b \-bi
flag.
.ip /usr/\*(SB/mailq
Prints a listing of the mail queue.
This program is equivalent to using the
.b \-bp
flag to
.i sendmail .
.ip /etc/mail/sendmail.cf
The configuration file,
in textual form.
.ip /etc/mail/helpfile
The SMTP help file.
.ip /etc/mail/statistics
A statistics file; need not be present.
.ip /etc/mail/sendmail.pid
Created in daemon mode;
it contains the process id of the current SMTP daemon.
If you use this in scripts;
use ``head \-1'' to get just the first line;
the second line contains the command line used to invoke the daemon,
and later versions of
.i sendmail
may add more information to subsequent lines.
.ip /etc/mail/aliases
The textual version of the alias file.
.ip /etc/mail/aliases.db
The alias file in
.i hash \|(3)
format.
.ip /etc/mail/aliases.{pag,dir}
The alias file in
.i ndbm \|(3)
format.
.ip /var/spool/mqueue
The directory in which the mail queue(s)
and temporary files reside.
.ip /var/spool/mqueue/qf*
Control (queue) files for messages.
.ip /var/spool/mqueue/df*
Data files.
.ip /var/spool/mqueue/tf*
Temporary versions of the qf files,
used during queue file rebuild.
.ip /var/spool/mqueue/xf*
A transcript of the current session.
.if o \
\{\
.       bp
.       rs
.       sp |4i
.       ce 2
This page intentionally left blank;
replace it with a blank sheet for double-sided output.
.\}
.\".ro
.\".ls 1
.\".tp
.\".sp 2i
.\".in 0
.\".ce 100
.\".sz 24
.\".b SENDMAIL
.\".sz 14
.\".sp
.\"INSTALLATION AND OPERATION GUIDE
.\".sp
.\".sz 10
.\"Eric Allman
.\".sp
.\"Version $Revision: 8.749 $
.\".ce 0
.bp 3
.ce
.sz 12
TABLE OF CONTENTS
.sz 10
.sp
.\" remove some things to avoid "out of temp file space" problem
.rm sh
.rm (x
.rm )x
.rm ip
.rm pp
.rm lp
.rm he
.rm fo
.rm eh
.rm oh
.rm ef
.rm of
.xp
.if o \
\{\
.       bp
.       rs
.       sp |4i
.       ce 2
This page intentionally left blank;
replace it with a blank sheet for double-sided output.
.\}