| author | Todd C. Miller <millert@cvs.openbsd.org> | 2001-09-11 19:02:52 +0000 |
|---|---|---|
| committer | Todd C. Miller <millert@cvs.openbsd.org> | 2001-09-11 19:02:52 +0000 |
| commit | b9658e618d8e5a4f53d0291f13222e5e19dd695f (patch) | |
| tree | 347b055971d930905e6c510a18587adc19a2f124 /gnu/usr.sbin/sendmail/cf | |
| parent | 03eaf40ad95c4f4c5613308db2dfe2f64ee709b0 (diff) | |
merge in sendmail 8.12.0 with BSD Makefiles and mdoc man pages
Diffstat (limited to 'gnu/usr.sbin/sendmail/cf')
52 files changed, 2569 insertions, 826 deletions
diff --git a/gnu/usr.sbin/sendmail/cf/README b/gnu/usr.sbin/sendmail/cf/README index 0d3964aa208..885a650f6c1 100644 --- a/gnu/usr.sbin/sendmail/cf/README +++ b/gnu/usr.sbin/sendmail/cf/README 
@@ -1,28 +1,50 @@ SENDMAIL CONFIGURATION FILES -This document describes the sendmail configuration files. This package -requires a post-V7 version of m4; if you are running the 4.2bsd, SysV.2, or -7th Edition version. SunOS's /usr/5bin/m4 or BSD-Net/2's m4 both work. -GNU m4 version 1.1 or later also works. Unfortunately, the M4 on BSDI 1.0 -doesn't work -- you'll have to use a Net/2 or GNU version. GNU m4 is -available from ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the -latest version). EXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x -is fine). Use GNU m4 on this platform. - -To get started, you may want to look at tcpproto.mc (for TCP-only sites), -uucpproto.mc (for UUCP-only sites), and clientproto.mc (for clusters of -clients using a single mail host). Others are versions previously used at -Berkeley. For example, ucbvax has gone away, but ucbvax.mc demonstrates -some interesting techniques. - -******************************************************************* -*** BE SURE YOU CUSTOMIZE THESE FILES! They have some *** -*** Berkeley-specific assumptions built in, such as the name *** -*** of their UUCP-relay. You'll want to create your own *** -*** domain description, and use that in place of *** -*** domain/Berkeley.EDU.m4. *** -******************************************************************* +This document describes the sendmail configuration files. It +explains how to create a sendmail.cf file for use with sendmail. +It also describes how to set options for sendmail which are explained +in the Sendmail Installation and Operation guide (doc/op/op.me). + +To get started, you may want to look at tcpproto.mc (for TCP-only +sites) and clientproto.mc (for clusters of clients using a single +mail host), or the generic-*.mc files as operating system-specific +examples. 
+ +Table of Content: + +INTRODUCTION AND EXAMPLE +A BRIEF INTRODUCTION TO M4 +FILE LOCATIONS +OSTYPE +DOMAINS +MAILERS +FEATURES +HACKS +SITE CONFIGURATION +USING UUCP MAILERS +TWEAKING RULESETS +MASQUERADING AND RELAYING +USING LDAP FOR ALIASES, MAPS, AND CLASSES +LDAP ROUTING +ANTI-SPAM CONFIGURATION CONTROL +STARTTLS +SMTP AUTHENTICATION +ADDING NEW MAILERS OR RULESETS +ADDING NEW MAIL FILTERS +QUEUE GROUP DEFINITIONS +NON-SMTP BASED CONFIGURATIONS +WHO AM I? +ACCEPTING MAIL FOR MULTIPLE NAMES +USING MAILERTABLES +USING USERDB TO MAP FULL NAMES +MISCELLANEOUS SPECIAL FEATURES +SECURITY NOTES +TWEAKING CONFIGURATION OPTIONS +MESSAGE SUBMISSION PROGRAM +FORMAT OF FILES AND MAPS +DIRECTORY LAYOUT +ADMINISTRATIVE DETAILS +--------------------------+ @@ -106,11 +128,10 @@ definition appropriate for your environment. MAILER(`local') MAILER(`smtp') -These describe the mailers used at the default CS site. The -local mailer is always included automatically. Beware: MAILER -declarations should always be at the end of the configuration file, -and MAILER(`smtp') should always precede MAILER(`procmail'), and -MAILER(`uucp'). The general rules are that the order should be: +These describe the mailers used at the default CS site. The local +mailer is always included automatically. Beware: MAILER declarations +should always be at the end of the configuration file. The general +rules are that the order should be: VERSIONID OSTYPE @@ -118,6 +139,7 @@ MAILER(`uucp'). The general rules are that the order should be: FEATURE local macro definitions MAILER + LOCAL_CONFIG LOCAL_RULE_* LOCAL_RULESETS 
@@ -126,6 +148,14 @@ influence a FEATURE() should be done before that feature. For example, a define(`PROCMAIL_MAILER_PATH', ...) should be done before FEATURE(`local_procmail'). +******************************************************************* +*** BE SURE YOU CUSTOMIZE THESE FILES! They have some *** +*** Berkeley-specific assumptions built in, such as the name *** +*** of their UUCP-relay. You'll want to create your own *** +*** domain description, and use that in place of *** +*** domain/Berkeley.EDU.m4. *** +******************************************************************* + +----------------------------+ | A BRIEF INTRODUCTION TO M4 | @@ -159,6 +189,20 @@ expanded. This also applies to because ``define'' is an M4 keyword. If you want to use them, surround them with directed quotes, `like this'. + +Notice: +------- + +This package requires a post-V7 version of m4; if you are running the +4.2bsd, SysV.2, or 7th Edition version. SunOS's /usr/5bin/m4 or +BSD-Net/2's m4 both work. GNU m4 version 1.1 or later also works. +Unfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a +Net/2 or GNU version. GNU m4 is available from +ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version). +EXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine). Use GNU +m4 on this platform. + + +----------------+ | FILE LOCATIONS | +----------------+ @@ -265,7 +309,10 @@ QUEUE_DIR [/var/spool/mqueue] The directory containing directories. The names 'qf', 'df', and 'xf' are reserved as specific subdirectories for the corresponding queue file types as explained in - doc/op/op.me. + doc/op/op.me. See also QUEUE GROUP DEFINITIONS. +MSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing + queue files for the MSP (Mail Submission Program, + see sendmail/SECURITY). STATUS_FILE [/etc/mail/statistics] The file containing status information. LOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. 
@@ -294,6 +341,7 @@ LOCAL_SHELL_ARGS [sh -c $u] The arguments passed to deliver "prog" mail. LOCAL_SHELL_DIR [$z:/] The directory search path in which the shell should run. +LOCAL_MAILER_QGRP [undefined] The queue group for the local mailer. USENET_MAILER_PATH [/usr/lib/news/inews] The name of the program used to submit news. USENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer. @@ -301,6 +349,7 @@ USENET_MAILER_ARGS [-m -h -n] The command line arguments for the usenet mailer. USENET_MAILER_MAX [100000] The maximum size of messages that will be accepted by the usenet mailer. +USENET_MAILER_QGRP [undefined] The queue group for the usenet mailer. SMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default flags are `mDFMuX' for all SMTP-based mailers; the "esmtp" mailer adds `a'; "smtp8" adds `8'; and @@ -322,6 +371,11 @@ ESMTP_MAILER_ARGS [TCP $h] The arguments passed to the esmtp mailer. SMTP8_MAILER_ARGS [TCP $h] The arguments passed to the smtp8 mailer. DSMTP_MAILER_ARGS [TCP $h] The arguments passed to the dsmtp mailer. RELAY_MAILER_ARGS [TCP $h] The arguments passed to the relay mailer. +SMTP_MAILER_QGRP [undefined] The queue group for the smtp mailer. +ESMTP_MAILER_QGRP [undefined] The queue group for the esmtp mailer. +SMTP8_MAILER_QGRP [undefined] The queue group for the smtp8 mailer. +DSMTP_MAILER_QGRP [undefined] The queue group for the dsmtp mailer. +RELAY_MAILER_QGRP [undefined] The queue group for the relay mailer. RELAY_MAILER_MAXMSGS [undefined] If defined, the maximum number of messages to deliver in a single connection for the relay mailer. 
@@ -341,6 +395,7 @@ UUCP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data that ARRIVE from an address that resolves to one of the UUCP mailers and which are converted to MIME will be labeled with this character set. +UUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers. FAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to submit FAX messages. FAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX @@ -397,6 +452,7 @@ QPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed to deliver qpage mail. QPAGE_MAILER_MAX [4096] If set, the maximum size message that will be accepted by the qpage mailer. +LOCAL_PROG_QGRP [undefined] The queue group for the prog mailer. Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: MODIFY_MAILER_FLAGS(`Name', `change') where Name is the first part of @@ -436,7 +492,7 @@ LOCAL_RELAY The site that will handle unqualified names -- that is, names without an @domain extension. Normally MAIL_HUB is preferred for this function. LOCAL_RELAY is mostly useful in conjunction with - FEATURE(stickyhost) -- see the discussion of + FEATURE(`stickyhost') -- see the discussion of stickyhost below. If not set, they are assumed to belong on this machine. This allows you to have a central site to store a company- or department-wide 
@@ -466,18 +522,14 @@ single machine sitting off somewhere, it is probably more work than it's worth. This is just a mechanism for combining "domain dependent knowledge" into one place. + +---------+ | MAILERS | +---------+ There are fewer mailers supported in this version than the previous version, owing mostly to a simpler world. As a general rule, put the -MAILER definitions last in your .mc file, and always put MAILER(`smtp') -before MAILER(`uucp') and MAILER(`procmail') -- several features and -definitions will modify the definition of mailers, and the smtp mailer -modifies the UUCP mailer. Moreover, MAILER(`cyrus'), MAILER(`pop'), -MAILER(`phquery'), and MAILER(`usenet') must be defined after -MAILER(`local'). +MAILER definitions last in your .mc file. local The local and prog mailers. You will almost always need these; the only exception is if you relay ALL @@ -502,9 +554,9 @@ uucp The UNIX-to-UNIX Copy Program mailer. Actually, this "uucp-new" (a.k.a. "suucp"). The latter is for when you know that the UUCP mailer at the other end can handle multiple recipients in one transfer. If the smtp mailer - is also included in your configuration, two other mailers - ("uucp-dom" and "uucp-uudom") are also defined [warning: - you MUST specify MAILER(smtp) before MAILER(uucp)]. When you + is included in your configuration, two other mailers + ("uucp-dom" and "uucp-uudom") are also defined [warning: you + MUST specify MAILER(`smtp') before MAILER(`uucp')]. When you include the uucp mailer, sendmail looks for all names in class {U} and sends them to the uucp-old mailer; all names in class {Y} are sent to uucp-new; and all 
@@ -545,6 +597,9 @@ procmail An interface to procmail (does not come with sendmail). If you use this with FEATURE(`local_procmail'), the FEATURE should be listed first. + Of course there are other ways to solve this particular + problem, e.g., a catch-all entry in a virtusertable. + mail11 The DECnet mail11 mailer, useful only if you have the mail11 program from gatekeeper.dec.com:/pub/DEC/gwtools (and DECnet, of course). This is for Phase IV DECnet support; @@ -558,11 +613,12 @@ phquery The phquery program. This is somewhat counterintuitively cyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to a local cyrus user. this mailer can make use of the - "user+detail@local.host" syntax; it will deliver the mail to - the user's "detail" mailbox if the mailbox's ACL permits. - The cyrusbb mailer delivers to a system-wide cyrus mailbox - if the mailbox's ACL permits. The cyrus mailer must be - defined after the local mailer. + "user+detail@local.host" syntax (see + FEATURE(`preserve_local_plus_detail')); it will deliver the + mail to the user's "detail" mailbox if the mailbox's ACL + permits. The cyrusbb mailer delivers to a system-wide + cyrus mailbox if the mailbox's ACL permits. The cyrus + mailer must be defined after the local mailer. qpage A mailer for QuickPage, a pager interface. See http://www.qpage.org/ for further information. @@ -585,7 +641,7 @@ example, the .mc line: FEATURE(`use_cw_file') tells sendmail that you want to have it read an /etc/mail/local-host-names -file to get values for class {w}. The FEATURE may contain up to 9 +file to get values for class {w}. A FEATURE may contain up to 9 optional parameters -- for example: FEATURE(`mailertable', `dbm /usr/lib/mailertable') 
@@ -600,6 +656,11 @@ if you specify an argument to a FEATURE. DATABASE_MAP_TYPE is only used if no argument is given for the FEATURE. It must be specified before any feature that uses a map. +Also, features which can take a map definition as an argument can also take +the special keyword `LDAP'. If that keyword is used, the map will use the +LDAP definition described in the ``USING LDAP FOR ALIASES, MAPS, AND +CLASSES'' section below. + Available features are: use_cw_file Read the file /etc/mail/local-host-names file to get @@ -627,7 +688,7 @@ nouucp Don't route UUCP addresses. This feature takes one part unless it originates from a system that is allowed to relay. `nospecial': don't do anything special with "!". - Warnings: 1. See the NOTICE in the ANTI-SPAM section. + Warnings: 1. See the notice in the anti-spam section. 2. don't remove "!" from OperatorChars if `reject' is given as parameter. @@ -752,7 +813,8 @@ always_add_domain mail. Normally it is not added on unqualified names. However, if you use a shared message store but do not use the same user name space everywhere, you may need the host - name on local names. + name on local names. An optional argument specifies + another domain to be added than the local. allmasquerade If masquerading is enabled (using MASQUERADE_AS), this feature will cause recipient addresses to also masquerade 
@@ -793,18 +855,26 @@ masquerade_entire_domain NOTE: only domains within your jurisdiction and current hierarchy should be masqueraded using this. +local_no_masquerade + This feature prevents the local mailer from masquerading even + if MASQUERADE_AS is used. MASQUERADE_AS will only have effect + on addresses of mail going outside the local domain. + genericstable This feature will cause unqualified addresses (i.e., without a domain) and addresses with a domain listed in class {G} to be looked up in a map and turned into another ("generic") form, which can change both the domain name and the user name. - This is similar to the userdb functionality. The same types of - addresses as for masquerading are looked up, i.e., only header - sender addresses unless the allmasquerade and/or - masquerade_envelope features are given. Qualified addresses - must have the domain part in class {G}; entries can - be added to this class by the macros GENERICS_DOMAIN or - GENERICS_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and - MASQUERADE_DOMAIN_FILE, see below). + Notice: if you use an MSP (as it is default starting with + 8.12), the MTA will only receive qualified addresses from the + MSP (as required by the RFCs). Hence you need to add your + domain to class {G}. This feature is similar to the userdb + functionality. The same types of addresses as for + masquerading are looked up, i.e., only header sender + addresses unless the allmasquerade and/or masquerade_envelope + features are given. Qualified addresses must have the domain + part in class {G}; entries can be added to this class by the + macros GENERICS_DOMAIN or GENERICS_DOMAIN_FILE (analogously + to MASQUERADE_DOMAIN and MASQUERADE_DOMAIN_FILE, see below). The argument of FEATURE(`genericstable') may be the map definition; the default map definition is: 
@@ -840,7 +910,7 @@ virtusertable A domain-specific form of aliasing, allowing multiple info@foo.com foo-info info@bar.com bar-info joe@bar.com error:nouser No such user here - jax@bar.com error:D.S.N:unavailable Address invalid + jax@bar.com error:5.7.0:unavailable Address invalid @baz.org jane@example.net then mail addressed to info@foo.com will be sent to the @@ -849,7 +919,7 @@ virtusertable A domain-specific form of aliasing, allowing multiple will be sent to jane@example.net, mail to joe@bar.com will be rejected with the specified error message, and mail to jax@bar.com will also have a RFC 1893 compliant error code - D.S.N. + 5.7.0. The username from the original address is passed as %1 allowing: 
@@ -858,19 +928,24 @@ virtusertable A domain-specific form of aliasing, allowing multiple meaning someone@foo.org will be sent to someone@example.com. Additionally, if the local part consists of "user+detail" - then "detail" is passed as %2 when a match against user+* - is attempted, so entries like + then "detail" is passed as %2 and "+detail" is passed as %3 + when a match against user+* is attempted, so entries like old+*@foo.org new+%2@example.com gen+*@foo.org %2@example.com - +*@foo.org %1+%2@example.com + +*@foo.org %1%3@example.com + X++@foo.org Z%3@example.com + @bar.org %1%3 and other forms are possible. Note: to preserve "+detail" - for a default case (@domain) +*@domain must be used as - exemplified above. + for a default case (@domain) %1%3 must be used as RHS. + There are two wildcards after "+": "+" matches only a non-empty + detail, "*" matches also empty details, e.g., user+@foo.org + matches +*@foo.org but not ++@foo.org. This can be used + to ensure that the parameters %2 and %3 are not empty. All the host names on the left hand side (foo.com, bar.com, - and baz.org) must be in class {w} or class {VirtHost}, the + and baz.org) must be in class {w} or class {VirtHost}. The latter can be defined by the macros VIRTUSER_DOMAIN or VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or 
@@ -1025,13 +1100,13 @@ relay_based_on_MX relay_mail_from Allows relaying if the mail sender is listed as RELAY in the access map. If an optional argument `domain' is given, - the domain portion of the mail sender is checked too. - This should only be used if absolutely necessary as the - sender address can be easily forged. Use of this feature - requires the "From:" tag be prepended to the key in the - access map; see the discussion of tags and - FEATURE(`relay_mail_from') in the section on ANTI-SPAM - CONFIGURATION CONTROL. + relaying can be allowed just based on the domain portion + of the sender address. This feature should only be used if + absolutely necessary as the sender address can be easily + forged. Use of this feature requires the "From:" tag be + prepended to the key in the access map; see the discussion + of tags and FEATURE(`relay_mail_from') in the section on + anti-spam configuration control. relay_local_from Allows relaying if the domain portion of the mail sender @@ -1066,13 +1141,15 @@ accept_unresolvable_domains access_db Turns on the access database feature. The access db gives you the ability to allow or refuse to accept mail from - specified domains for administrative reasons. By default, - the access database specification is: + specified domains for administrative reasons. Moreover, + it can control the behavior of sendmail in various situations. + By default, the access database specification is: - hash /etc/mail/access + hash -T<TMPF> /etc/mail/access - The format of the database is described in the anti-spam - configuration control section later in this document. + See the anti-spam configuration control section for further + important information about this feature. Notice: + "-T<TMPF>" is meant literal, do not replace it by anything. blacklist_recipients Turns on the ability to block incoming mail for certain 
@@ -1087,25 +1164,27 @@ delay_checks The rulesets check_mail and check_relay will not be called when a client connects or issues a MAIL command, respectively. Instead, those rulesets will be called by the check_rcpt ruleset; they will be skipped under certain circumstances. - See "Delay all checks" in "ANTI-SPAM CONFIGURATION CONTROL". - -rbl This feature is deprecated! Please use dnsbl instead. - Turns on rejection of hosts found in the Realtime Blackhole - List. If an argument is provided it is used as the domain - in which blocked hosts are listed; otherwise, the main RBL - domain rbl.maps.vix.com is used (see NOTE below). For - details, see http://maps.vix.com/rbl/. + See "Delay all checks" in the anti-spam configuration control + section. Note: this feature is incompatible to the versions + in 8.10 and 8.11. dnsbl Turns on rejection of hosts found in an DNS based rejection list. If an argument is provided it is used as the domain in which blocked hosts are listed; otherwise it defaults to blackholes.mail-abuse.org. An explanation for an DNS based - rejection list can be found http://mail-abuse.org/rbl/. A - second argument can be used to change the default error - message of Mail from $&{client_addr} refused by blackhole site - SERVER where SERVER is replaced by the first argument. This - feature can be included several times to query different DNS - based rejection lists. + rejection list can be found at http://mail-abuse.org/rbl/. + A second argument can be used to change the default error + message. Without that second argument, the error message + will be + Mail from IP-ADDRESS refused by blackhole site SERVER + where IP-ADDRESS and SERVER are replaced by the appropriate + information. By default, temporary lookup failures are + ignored. This behavior can be changed by specifying a + third argument, which must be either `t' or a full error + message. See the anti-spam configuration control section for + an example. 
The dnsbl feature can be included several times + to query different DNS based rejection lists. See also + enhdnsbl for an enhanced version. NOTE: The default DNS blacklist, blackholes.mail-abuse.org, is a service offered by the Mail Abuse Prevention System @@ -1114,6 +1193,30 @@ dnsbl Turns on rejection of hosts found in an DNS based rejection haven't subscribed. Contact MAPS to subscribe (http://mail-abuse.org/). +enhdnsbl Enhanced version of dnsbl (see above). Further arguments + (up to 5) can be used to specify specific return values + from lookups. Temporary lookup failures are ignored unless + a third argument is given, which must be either `t' or a full + error message. By default, any successful lookup will + generate an error. Otherwise the result of the lookup is + compared with the supplied argument(s), and only if a match + occurs an error is generated. For example, + + FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2.') + + will reject the e-mail if the lookup returns the value + ``127.0.0.2.'', or generate a 451 response if the lookup + temporarily failed. The arguments can contain metasymbols + as they are allowed in the LHS of rules. As the example + shows, the default values are also used if an empty argument, + i.e., `', is specified. This feature requires that sendmail + has been compiled with the flag DNSMAP (see sendmail/README). + +lookupdotdomain Look up also .domain in the access map. This allows to + match only subdomains. It does not work well with + FEATURE(`relay_hosts_only'), because most lookups for + subdomains are suppressed by the latter feature. + loose_relay_check Normally, if % addressing is used for a recipient, e.g. user%site@othersite, and othersite is in class {R}, the 
@@ -1121,11 +1224,65 @@ loose_relay_check user@site for relaying. This feature changes that behavior. It should not be needed for most installations. +authinfo Provide a separate map for client side authentication + information. See SMTP AUTHENTICATION for details. + By default, the authinfo database specification is: + + hash /etc/mail/authinfo + +preserve_luser_host + Preserve the name of the recipient host if LUSER_RELAY + is used. Without this option, the domain part of the + recipient address will be replaced by the host specified + as LUSER_RELAY. + +preserve_local_plus_detail + Preserve the +detail portion of the address when passing + address to local delivery agent. Disables alias and + .forward +detail stripping (e.g., given user+detail, only + that address will be looked up in the alias file; user+* and + user will not be looked up). Only use if the local + delivery agent in use supports +detail addressing. + +compat_check Enable ruleset check_compat to look up pairs of addresses + sender<@>recipient in the access map. Valid values for + the RHS include + DISCARD silently discard message + TEMP: return a temporary error + ERROR: return a permanent error + In the last two cases, a 4xy/5xy SMTP reply code should + follow the colon. + no_default_msa Don't generate the default MSA daemon, i.e., DAEMON_OPTIONS(`Port=587,Name=MSA,M=E') To define a MSA daemon with other parameters, use this FEATURE and introduce new settings via DAEMON_OPTIONS(). +msp Defines config file for Message Submission Program. + See sendmail/SECURITY for details and cf/cf/submit.mc + how to use it. An optional argument can be used to + override the default of `localhost' to use as host to send + all e-mails to. If `MSA' is specified as second argument + then port 587 is used to contact the server. Example: + + FEATURE(`msp, `', `MSA') + + Some more hints about possible changes can be found below + in the section MESSAGE SUBMISSION PROGRAM. 
+ +queuegroup A simple example how to select a queue group based + on the full e-mail address or the domain of the + recipient. Selection is done via entries in the + access map using the tag QGRP:, for example: + + QGRP:example.com main + QGRP:friend@some.org others + QGRP:my.domain local + + where "main", "others", and "local" are names of + queue groups. If an argument is specified, it is used + as default queue group. + +-------+ | HACKS | +-------+ @@ -1146,7 +1303,7 @@ subdomains. ***************************************************** * This section is really obsolete, and is preserved * * only for back compatibility. You should plan on * - * using mailertables for new installations. In * + * using mailertables for new installations. In * * particular, it doesn't work for the newer forms * * of UUCP mailers, such as uucp-uudom. * ***************************************************** @@ -1237,7 +1394,8 @@ The four mailers are: uucp-dom This UUCP mailer keeps everything as domain addresses. Basically, it uses the SMTP mailer rewriting rules. This mailer - is only included if MAILER(`smtp') is also specified. + is only included if MAILER(`smtp') is specified before + MAILER(`uucp'). Unfortunately, a lot of UUCP mailer transport agents require bangified addresses in the envelope, although you can use @@ -1252,7 +1410,7 @@ The four mailers are: at all (e.g., "wolf") or the host component is a UUCP host name instead of a domain name ("somehost!wolf" instead of "some.dom.ain!wolf"). This is also included only if MAILER(`smtp') - is also specified. + is also specified earlier. Examples: 
@@ -1378,7 +1536,10 @@ To exempt hosts or subdomains from being masqueraded, you can use MASQUERADE_EXCEPTION(`host.domain') This can come handy if you want to masquerade a whole domain -except for one (or a few) host(s). +except for one (or a few) host(s). If these names are in a file, +you can use + + MASQUERADE_EXCEPTION_FILE(`filename') Normally only header addresses are masqueraded. If you want to masquerade the envelope as well, use @@ -1392,9 +1553,9 @@ You can add users to this list using EXPOSED_USER(`usernames') -This adds users to class {E}; you could also use something like +This adds users to class {E}; you could also use - FE/etc/mail/exposed-users + EXPOSED_USER_FILE(`filename') You can also arrange to relay all unqualified names (that is, names without @host) to a relay host. For example, if you have a central @@ -1410,9 +1571,9 @@ locally aliased. You can add entries to this list using LOCAL_USER(`usernames') -This adds users to class {L}; you could also use something like +This adds users to class {L}; you could also use - FL/etc/mail/local-users + LOCAL_USER_FILE(`filename') If you want all incoming mail sent to a centralized hub, as for a shared /var/spool/mail scheme, use 
@@ -1468,6 +1629,290 @@ specified with a terminal dot: note the trailing dot ---^ ++-------------------------------------------+ +| USING LDAP FOR ALIASES, MAPS, AND CLASSES | ++-------------------------------------------+ + +LDAP can be used for aliases, maps, and classes by either specifying your +own LDAP map specification or using the built-in default LDAP map +specification. The built-in default specifications all provide lookups +which match against either the machine's fully qualified hostname (${j}) or +a "cluster". The cluster allows you to share LDAP entries among a large +number of machines without having to enter each of the machine names into +each LDAP entry. To set the LDAP cluster name to use for a particular +machine or set of machines, set the confLDAP_CLUSTER m4 variable to a +unique name. For example: + + define(`confLDAP_CLUSTER', `Servers') + +Here, the word `Servers' will be the cluster name. As an example, assume +that smtp.sendmail.org, etrn.sendmail.org, and mx.sendmail.org all belong +to the Servers cluster. + +Some of the LDAP LDIF examples below show use of the Servers cluster. +Every entry must have either a sendmailMTAHost or sendmailMTACluster +attribute or it will be ignored. Be careful as mixing clusters and +individual host records can have surprising results (see the CAUTION +sections below). + +See the file cf/sendmail.schema for the actual LDAP schemas. Note that +this schema (and therefore the lookups and examples below) is experimental +at this point as it has had little public review. Therefore, it may change +in future versions. Feedback via sendmail@sendmail.org is encouraged. + +------- +Aliases +------- + +The ALIAS_FILE (O AliasFile) option can be set to use LDAP for alias +lookups. 
To use the default schema, simply use: + + define(`ALIAS_FILE', `ldap:') + +By doing so, you will use the default schema which expands to a map +declared as follows: + + ldap -k (&(objectClass=sendmailMTAAliasObject) + (sendmailMTAAliasGrouping=aliases) + (|(sendmailMTACluster=${sendmailMTACluster}) + (sendmailMTAHost=$j)) + (sendmailMTAKey=%0)) + -v sendmailMTAAliasValue + +NOTE: The macros shown above ${sendmailMTACluster} and $j are not actually +used when the binary expands the `ldap:' token as the AliasFile option is +not actually macro-expanded when read from the sendmail.cf file. + +Example LDAP LDIF entries might be: + + dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org + objectClass: sendmailMTA + objectClass: sendmailMTAAlias + objectClass: sendmailMTAAliasObject + sendmailMTAAliasGrouping: aliases + sendmailMTAHost: etrn.sendmail.org + sendmailMTAKey: sendmail-list + sendmailMTAAliasValue: ca@example.org + sendmailMTAAliasValue: eric + sendmailMTAAliasValue: gshapiro@example.com + + dn: sendmailMTAKey=owner-sendmail-list, dc=sendmail, dc=org + objectClass: sendmailMTA + objectClass: sendmailMTAAlias + objectClass: sendmailMTAAliasObject + sendmailMTAAliasGrouping: aliases + sendmailMTAHost: etrn.sendmail.org + sendmailMTAKey: owner-sendmail-list + sendmailMTAAliasValue: eric + + dn: sendmailMTAKey=postmaster, dc=sendmail, dc=org + objectClass: sendmailMTA + objectClass: sendmailMTAAlias + objectClass: sendmailMTAAliasObject + sendmailMTAAliasGrouping: aliases + sendmailMTACluster: Servers + sendmailMTAKey: postmaster + sendmailMTAAliasValue: eric + +Here, the aliases sendmail-list and owner-sendmail-list will be available +only on etrn.sendmail.org but the postmaster alias will be available on +every machine in the Servers cluster (including etrn.sendmail.org). 
+ +CAUTION: aliases are additive so that entries like these: + + dn: sendmailMTAKey=bob, dc=sendmail, dc=org + objectClass: sendmailMTA + objectClass: sendmailMTAAlias + objectClass: sendmailMTAAliasObject + sendmailMTAAliasGrouping: aliases + sendmailMTACluster: Servers + sendmailMTAKey: bob + sendmailMTAAliasValue: eric + + dn: sendmailMTAKey=bob, dc=sendmail, dc=org + objectClass: sendmailMTA + objectClass: sendmailMTAAlias + objectClass: sendmailMTAAliasObject + sendmailMTAAliasGrouping: aliases + sendmailMTAHost: etrn.sendmail.org + sendmailMTAKey: bob + sendmailMTAAliasValue: gshapiro + +would mean that on all of the hosts in the cluster, mail to bob would go to +eric EXCEPT on etrn.sendmail.org in which case it would go to BOTH eric and +gshapiro. + +If you prefer not to use the default LDAP schema for your aliases, you can +specify the map parameters when setting ALIAS_FILE. For example: + + define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember') + +---- +Maps +---- + +FEATURE()'s which take an optional map definition argument (e.g., access, +mailertable, virtusertable, etc.) can instead take the special keyword +`LDAP', e.g.: + + FEATURE(`access_db', `LDAP') + FEATURE(`virtusertable', `LDAP') + +When this keyword is given, that map will use LDAP lookups consisting of +the objectClass sendmailMTAClassObject, the attribute sendmailMTAMapName +with the map name, a search attribute of sendmailMTAKey, and the value +attribute sendmailMTAMapValue. 
+ +The values for sendmailMTAMapName are: + + FEATURE() sendmailMTAMapName + --------- ------------------ + access_db access + authinfo authinfo + bitdomain bitdomain + domaintable domain + genericstable generics + mailertable mailer + uucpdomain uucpdomain + virtusertable virtuser + +For example, FEATURE(`mailertable', `LDAP') would use the map definition: + + Kmailertable ldap -k (&(objectClass=sendmailMTAMapObject) + (sendmailMTAMapName=mailer) + (|(sendmailMTACluster=${sendmailMTACluster}) + (sendmailMTAHost=$j)) + (sendmailMTAKey=%0)) + -1 -v sendmailMTAMapValue + +An example LDAP LDIF entry using this map might be: + + dn: sendmailMTAMapName=mailer, dc=sendmail, dc=org + objectClass: sendmailMTA + objectClass: sendmailMTAMap + sendmailMTACluster: Servers + sendmailMTAMapName: mailer + + dn: sendmailMTAKey=example.com, sendmailMTAMapName=mailer, dc=sendmail, dc=org + objectClass: sendmailMTA + objectClass: sendmailMTAMap + objectClass: sendmailMTAMapObject + sendmailMTAMapName: mailer + sendmailMTACluster: Servers + sendmailMTAKey: example.com + sendmailMTAMapValue: relay:[smtp.example.com] + +CAUTION: If your LDAP database contains the record above and *ALSO* a host +specific record such as: + + dn: sendmailMTAKey=example.com@etrn, sendmailMTAMapName=mailer, dc=sendmail, dc=org + objectClass: sendmailMTA + objectClass: sendmailMTAMap + objectClass: sendmailMTAMapObject + sendmailMTAMapName: mailer + sendmailMTAHost: etrn.sendmail.org + sendmailMTAKey: example.com + sendmailMTAMapValue: relay:[mx.example.com] + +then these entries will give unexpected results. When the lookup is done +on etrn.sendmail.org, the effect is that there is *NO* match at all as maps +require a single match. Since the host etrn.sendmail.org is also in the +Servers cluster, LDAP would return two answers for the example.com map key +in which case sendmail would treat this as no match at all. 
+ +If you prefer not to use the default LDAP schema for your maps, you can +specify the map parameters when using the FEATURE(). For example: + + FEATURE(`access_db', `ldap:-1 -k (&(objectClass=mapDatabase)(key=%0)) -v value') + +------- +Classes +------- + +Normally, classes can be filled via files or programs. As of 8.12, they +can also be filled via map lookups using a new syntax: + + F{ClassName}mapkey@mapclass:mapspec + +mapkey is optional and if not provided the map key will be empty. This can +be used with LDAP to read classes from LDAP. Note that the lookup is only +done when sendmail is initially started. Use the special value `@LDAP' to +use the default LDAP schema. For example: + + RELAY_DOMAIN_FILE(`@LDAP') + +would put all of the attribute sendmailMTAClassValue values of LDAP records +with objectClass sendmailMTAClass and an attribute sendmailMTAClassName of +'R' into class $={R}. In other words, it is equivalent to the LDAP map +specification: + + F{R}@ldap:-k (&(objectClass=sendmailMTAClass) + (sendmailMTAClassName=R) + (|(sendmailMTACluster=${sendmailMTACluster}) + (sendmailMTAHost=$j))) + -v sendmailMTAClassValue + +NOTE: The macros shown above ${sendmailMTACluster} and $j are not actually +used when the binary expands the `@LDAP' token as class declarations are +not actually macro-expanded when read from the sendmail.cf file. + +This can be used with class related commands such as RELAY_DOMAIN_FILE(), +MASQUERADE_DOMAIN_FILE(), etc: + + Command sendmailMTAClassName + ------- -------------------- + CANONIFY_DOMAIN_FILE() Canonify + EXPOSED_USER_FILE() E + GENERICS_DOMAIN_FILE() G + LDAPROUTE_DOMAIN_FILE() LDAPRoute + LDAPROUTE_EQUIVALENT_FILE() LDAPRouteEquiv + LOCAL_USER_FILE() L + MASQUERADE_DOMAIN_FILE() M + MASQUERADE_EXCEPTION_FILE() N + RELAY_DOMAIN_FILE() R + VIRTUSER_DOMAIN_FILE() VirtHost + +You can also add your own as any 'F'ile class of the form: + + F{ClassName}@LDAP + ^^^^^^^^^ +will use "ClassName" for the sendmailMTAClassName. 
+ +An example LDAP LDIF entry would look like: + + dn: sendmailMTAClassName=R, dc=sendmail, dc=org + objectClass: sendmailMTA + objectClass: sendmailMTAClass + sendmailMTACluster: Servers + sendmailMTAClassName: R + sendmailMTAClassValue: sendmail.org + sendmailMTAClassValue: example.com + sendmailMTAClassValue: 10.56.23 + +CAUTION: If your LDAP database contains the record above and *ALSO* a host +specific record such as: + + dn: sendmailMTAClassName=R@etrn.sendmail.org, dc=sendmail, dc=org + objectClass: sendmailMTA + objectClass: sendmailMTAClass + sendmailMTAHost: etrn.sendmail.org + sendmailMTAClassName: R + sendmailMTAClassValue: example.com + +the result will be similar to the aliases caution above. When the lookup +is done on etrn.sendmail.org, $={R} would contain all of the entries (from +both the cluster match and the host match). In other words, the effective +is additive. + +If you prefer not to use the default LDAP schema for your classes, you can +specify the map parameters when using the class command. For example: + + VIRTUSER_DOMAIN_FILE(`@ldap:-k (&(objectClass=virtHosts)(host=*)) -v host') + +Remember, macros can not be used in a class declaration as the binary does +not expand them. + + +--------------+ | LDAP ROUTING | +--------------+ 
@@ -1483,19 +1928,33 @@ LDAPROUTE_DOMAIN(), e.g.: LDAPROUTE_DOMAIN(`example.com') +Additionally, you can specify equivalent domains for LDAP routing using +LDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE(). 'Equivalent' +hostnames are mapped to $M (the masqueraded hostname for the server) before +the LDAP query. For example, if the mail is addressed to +user@host1.example.com, normally the LDAP lookup would only be done for +'user@host1.example.com' and '@host1.example.com'. However, if +LDAPROUTE_EQUIVALENT(`host1.example.com') is used, the lookups would also be +done on 'user@example.com' and '@example.com' after attempting the +host1.example.com lookups. + By default, the feature will use the schemas as specified in the draft and will not reject addresses not found by the LDAP lookup. However, this behavior can be changed by giving additional arguments to the FEATURE() command: - FEATURE(`ldap_routing', <mailHost>, <mailRoutingAddress>, <bounce>) + FEATURE(`ldap_routing', <mailHost>, <mailRoutingAddress>, <bounce>, <detail>) where <mailHost> is a map definition describing how to lookup an alternative mail host for a particular address; <mailRoutingAddress> is a map definition -describing how to lookup an alternative address for a particular address; and +describing how to lookup an alternative address for a particular address; the <bounce> argument, if present and not the word "passthru", dictates that mail should be bounced if neither a mailHost nor mailRoutingAddress -is found. +is found; and <detail> indicates what actions to take if the address +contains +detail information -- `strip' tries the lookup with the +detail +and if no matches are found, strips the +detail and tries the lookup again; +`preserve', does the same as `strip' but if a mailRoutingAddress match is +found, the +detail information is copied to the new address. The default <mailHost> map definition is: 
@@ -1537,7 +1996,10 @@ address: original address *OR* bounced as unknown user -The term "local" host above means the host specified is in class {w}. +The term "local" host above means the host specified is in class {w}. If +the result would mean sending the mail to a different host, that host is +looked up in the mailertable before delivery. + Note that the last case depends on whether the third argument is given to the FEATURE() command. The default is to deliver the message to the original address. @@ -1547,7 +2009,7 @@ inetLocalMailRecipient and the address be listed in a mailLocalAddress attribute. If present, there must be only one mailHost attribute and it must contain a fully qualified host name as its value. Similarly, if present, there must be only one mailRoutingAddress attribute and it must -contain an RFC 822 compliant address. Some example LDAP records (in ldif +contain an RFC 822 compliant address. Some example LDAP records (in LDIF format): dn: uid=tom, o=example.com, c=US @@ -1563,7 +2025,8 @@ This would deliver mail for tom@example.com to thomas@mailhost.example.com. mailHost: eng.example.com This would relay mail for dick@example.com to the same address but redirect -the mail to MX records listed for the host eng.example.com. +the mail to MX records listed for the host eng.example.com (unless the +mailertable overrides). dn: uid=harry, o=example.com, c=US objectClass: inetLocalMailRecipient 
@@ -1604,12 +2067,14 @@ If you really want to revert to the old behaviour, you will need to use FEATURE(`promiscuous_relay'). You can allow certain domains to relay through your server by adding their domain name or IP address to class {R} using RELAY_DOMAIN() and RELAY_DOMAIN_FILE() or via the access database -(described below). The file consists (like any other file based class) -of entries listed on separate lines, e.g., +(described below). Note that IPv6 addresses must be prefaced with "IPv6:". +The file consists (like any other file based class) of entries listed on +separate lines, e.g., sendmail.org 128.32 - 1:2:3:4:5:6:7 + IPv6:2002:c0a8:02c7 + IPv6:2002:c0a8:51d2::23f4 host.mydomain.com If you use 
@@ -1627,16 +2092,20 @@ portion of an incoming recipient address by using For example, if your server receives a recipient of user@domain.com and domain.com lists your server in its MX records, the mail will be -accepted for relay to domain.com. Note that this will stop spammers -from using your host to relay spam but it will not stop outsiders from -using your server as a relay for their site (that is, they set up an -MX record pointing to your mail server, and you will relay mail addressed -to them without any prior arrangement). Along the same lines, +accepted for relay to domain.com. This feature may cause problems +if MX lookups for the recipient domain are slow or time out. In that +case, mail will be temporarily rejected. It is usually better to +maintain a list of hosts/domains for which the server acts as relay. +Note also that this feature will stop spammers from using your host +to relay spam but it will not stop outsiders from using your server +as a relay for their site (that is, they set up an MX record pointing +to your mail server, and you will relay mail addressed to them +without any prior arrangement). Along the same lines, FEATURE(`relay_local_from') will allow relaying if the sender specifies a return path (i.e. -MAIL FROM: <user@domain>) domain which is a local domain. This a +MAIL FROM: <user@domain>) domain which is a local domain. This is a dangerous feature as it will allow spammers to spam using your mail server by simply specifying a return address of user@your.domain.com. It should not be used unless absolutely necessary. @@ -1648,10 +2117,15 @@ which allows relaying if the mail sender is listed as RELAY in the access map. If an optional argument `domain' is given, the domain portion of the mail sender is also checked to allowing relaying. This option only works together with the tag 
From: for the LHS of -the access map entries (see below: Finer control...). +the access map entries (see below: Finer control...). This feature +allows spammers to abuse your mail server by specifying a return +address that you enabled in your access file. This may be harder +to figure out for spammers, but it should not be used unless +necessary. Instead use SMTP AUTH or STARTTLS to allow relaying +for roaming users. -If source routing is used in the recipient address (i.e. +If source routing is used in the recipient address (e.g., RCPT TO: <user%site.com@othersite.com>), sendmail will check user@site.com for relaying if othersite.com is an allowed relay host in either class {R}, class {m} if FEATURE(`relay_entire_domain') is used, 
@@ -1679,14 +2153,30 @@ or reject those addresses. As of 8.9, sendmail will refuse mail if the MAIL FROM: parameter has an unresolvable domain (i.e., one that DNS, your local name service, -or special case rules in ruleset 3 cannot locate). If you want to -continue to accept such domains, e.g., because you are inside a -firewall that has only a limited view of the Internet host name space -(note that you will not be able to return mail to them unless you have -some "smart host" forwarder), use +or special case rules in ruleset 3 cannot locate). This also applies +to addresses that use domain literals, e.g., <user@[1.2.3.4]>, if the +IP address can't be mapped to a host name. If you want to continue +to accept such domains, e.g., because you are inside a firewall that +has only a limited view of the Internet host name space (note that you +will not be able to return mail to them unless you have some "smart +host" forwarder), use FEATURE(`accept_unresolvable_domains') +Alternatively, you can allow specific addresses by adding them to +the access map, e.g., + + From:unresolvable.domain OK + From:[1.2.3.4] OK + From:[1.2.4] OK + +Notice: domains which are temporarily unresolvable are (temporarily) +rejected with a 451 reply code. If those domains should be accepted +(which is discouraged) then you can use + + LOCAL_CONFIG + C{ResOk}TEMP + sendmail will also refuse mail if the MAIL FROM: parameter is not fully qualified (i.e., contains a domain as well as a user). If you want to continue to accept such senders, use 
@@ -1696,7 +2186,7 @@ want to continue to accept such senders, use Setting the DaemonPortOptions modifier 'u' overrides the default behavior, i.e., unqualified addresses are accepted even without this FEATURE. If this FEATURE is not used, the DaemonPortOptions modifier 'f' can be used -to enforce fully qualified addresses. +to enforce fully qualified domain names. An ``access'' database can be created to accept or reject mail from selected domains. For example, you may choose to reject all mail @@ -1704,10 +2194,19 @@ originating from known spammers. To enable such a database, use FEATURE(`access_db') -The FEATURE macro can accept a second parameter giving the key file +Notice: the access database is applied to the envelope addresses +and the connection information, not to the header. + +The FEATURE macro can accept as second parameter the key file definition for the database; for example - FEATURE(`access_db', `hash /etc/mail/access') + FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access_map') + +Notice: If a second argument is specified it must contain the option +`-T<TMPF>' as shown above. The optional third and fourth parameters +may be `skip' or `lookupdotdomain'. The former enables SKIP as +value part (see below), the latter is another way to enable the +feature of the same name (see above). Remember, since /etc/mail/access is a database, after creating the text file as described below, you must use makemap to create the database 
@@ -1716,21 +2215,27 @@ map. For example: makemap hash /etc/mail/access < /etc/mail/access The table itself uses e-mail addresses, domain names, and network -numbers as keys. For example, +numbers as keys. Note that IPv6 addresses must be prefaced with "IPv6:". +For example, - spammer@aol.com REJECT - cyberspammer.com REJECT - 192.168.212 REJECT + spammer@aol.com REJECT + cyberspammer.com REJECT + 192.168.212 REJECT + IPv6:2002:c0a8:02c7 RELAY + IPv6:2002:c0a8:51d2::23f4 REJECT would refuse mail from spammer@aol.com, any user from cyberspammer.com -(or any host within the cyberspammer.com domain), and any host on the -192.168.212.* network. +(or any host within the cyberspammer.com domain), any host on the +192.168.212.* network, and the IPv6 address 2002:c0a8:51d2::23f4. It would +allow relay for the IPv6 network 2002:c0a8:02c7::/48. The value part of the map can contain: - OK Accept mail even if other rules in the - running ruleset would reject it, for example, - if the domain name is unresolvable. + OK Accept mail even if other rules in the running + ruleset would reject it, for example, if the domain + name is unresolvable. "Accept" does not mean + "relay", but at most acceptance for local + recipients. That is, OK allows less than RELAY. RELAY Accept mail addressed to the indicated domain or received from the indicated domain for relaying through your SMTP server. RELAY also serves as 
@@ -1742,10 +2247,16 @@ The value part of the map can contain: it affects only the designated recipient, not the whole message as it does in all other cases. This should only be used if really necessary. + SKIP This can only be used for host/domain names + and IP addresses/nets. It will abort the current + search for this entry without accepting or rejecting + it but causing the default action. ### any text where ### is an RFC 821 compliant error code and "any text" is a message to return for the command. The string should be quoted to avoid surprises, e.g., sendmail may remove spaces otherwise. + This type is deprecated, use one the two + ERROR: entries below instead. ERROR:### any text as above, but useful to mark error messages as such. ERROR:D.S.N:### any text @@ -1758,9 +2269,9 @@ For example: okay.cyberspammer.com OK sendmail.org RELAY 128.32 RELAY - 1:2:3:4:5:6:7 RELAY + IPv6:1:2:3:4:5:6:7 RELAY [127.0.0.3] OK - [1:2:3:4:5:6:7:8] OK + [IPv6:1:2:3:4:5:6:7:8] OK would accept mail from okay.cyberspammer.com, but would reject mail from all other hosts at cyberspammer.com with the indicated message. It would 
@@ -1768,20 +2279,22 @@ allow relaying mail from and to any hosts in the sendmail.org domain, and allow relaying from the 128.32.*.* network and the IPv6 1:2:3:4:5:6:7:* network. The latter two entries are for checks against ${client_name} if the IP address doesn't resolve to a hostname (or is considered as "may be -forged"). +forged"). That is, using square brackets means these are host names, +not network numbers. Warning: if you change the RFC 821 compliant error code from the default value of 550, then you should probably also change the RFC 1893 compliant error code to match it. For example, if you use - user@example.com 450 mailbox full + user@example.com ERROR:450 mailbox full -the error returned would be "450 4.0.0 mailbox full" which is wrong. -Use "450 4.2.2 mailbox full" or "ERROR:4.2.2:450 mailbox full" -instead. +the error returned would be "450 5.0.0 mailbox full" which is wrong. +Use "ERROR:4.2.2:450 mailbox full" instead. Note, UUCP users may need to add hostname.UUCP to the access database -or class {R}. If you also use: +or class {R}. + +If you also use: FEATURE(`relay_hosts_only') @@ -1824,13 +2337,14 @@ the example from above: Mail can't be sent to spammer@aol.com or anyone at cyberspammer.com. -There is also a ``Realtime Blackhole List'' run by the MAPS project -at http://maps.vix.com/. This is a database maintained in DNS of -spammers. To use this database, use +There are several DNS based blacklists, the first of which was +the RBL (``Realtime Blackhole List'') run by the MAPS project, +see http://mail-abuse.org/. These are databases of spammers +maintained in DNS. To use such a database, specify FEATURE(`dnsbl') -This will cause sendmail to reject mail from any site in the +This will cause sendmail to reject mail from any site in the original Realtime Blackhole List database. This default DNS blacklist, blackholes.mail-abuse.org, is a service offered by the Mail Abuse Prevention System (MAPS). As of July 31, 2001, MAPS is a subscription 
@@ -1840,22 +2354,46 @@ subscribed. Contact MAPS to subscribe (http://mail-abuse.org/). You can specify an alternative RBL server to check by specifying an argument to the FEATURE. The default error message is -You can specify an alternative RBL domain to check by specifying an -argument to the FEATURE. The default error message is + Mail from IP-ADDRESS refused by blackhole site SERVER - Mail from $&{client_addr} refused by blackhole site DOMAIN +where IP-ADDRESS and SERVER are replaced by the appropriate +information. A second argument can be used to specify a different +text. By default, temporary lookup failures are ignored and hence +cause the connection not to be rejected by the DNS based rejection +list. This behavior can be changed by specifying a third argument, +which must be either `t' or a full error message. For example: + + FEATURE(`dnsbl', `dnsbl.example.com', `', + `"451 Temporary lookup failure for " $&{client_addr} " in dnsbl.example.com"') + +If `t' is used, the error message is: + + 451 Temporary lookup failure of IP-ADDRESS at SERVER + +where IP-ADDRESS and SERVER are replaced by the appropriate +information. + +This FEATURE can be included several times to query different +DNS based rejection lists, e.g., the dial-up user list (see +http://mail-abuse.org/dul/). + +Notice: to avoid checking your own local domains against those +blacklists, use the access_db feature and add: + + Connect:10.1 OK + Connect:127.0.0.1 RELAY + +to the access map, where 10.1 is your local network. You may +want to use "RELAY" instead of "OK" to allow also relaying +instead of just disabling the DNS lookups in the backlists. -where DOMAIN is the first argument of the feature. A second argument -can be used to specify a different text. This FEATURE can be -included several times to query different DNS based rejection lists, -e.g., the dial-up user list (see http://maps.vix.com/dul/). 
The features described above make use of the check_relay, check_mail, and check_rcpt rulesets. If you wish to include your own checks, you can put your checks in the rulesets Local_check_relay, Local_check_mail, and Local_check_rcpt. For example if you wanted to block senders with all numeric usernames (i.e. 2312343@bigisp.com), -you would use Local_check_mail and the new regex map: +you would use Local_check_mail and the regex map: LOCAL_CONFIG Kallnumbers regex -a@MATCH ^[0-9]+$ @@ -1875,6 +2413,7 @@ appropriate action is taken. Otherwise, the results of the local rewriting are ignored. Finer control by using tags for the LHS of the access map +--------------------------------------------------------- Read this section only if the options listed so far are not sufficient for your purposes. There is now the option to tag entries in the @@ -1886,7 +2425,8 @@ access map according to their type. Three tags are available: If the required item is looked up in a map, it will be tried first with the corresponding tag in front, then (as fallback to enable -backward compatibility) without any tag. For example, +backward compatibility) without any tag, unless the specific feature +requires a tag. For example, From:spammer@some.dom REJECT To:friend.domain RELAY @@ -1909,6 +2449,7 @@ reject mail from all other addresses with another.dom as domain part. Delay all checks +---------------- By using FEATURE(`delay_checks') the rulesets check_mail and check_relay will not be called when a client connects or issues a MAIL command, 
@@ -1943,24 +2484,33 @@ FEATURE(`delay_checks') can take an optional argument: enables spamhater test If such an argument is given, the recipient will be looked up in the access -map (using the tag To:). If the argument is `friend', then the other +map (using the tag Spam:). If the argument is `friend', then the other rulesets will be skipped if the recipient address is found and has RHS -spamfriend. If the argument is `hater', then the other rulesets will be -applied if the recipient address is found and has RHS spamhater. +friend. If the argument is `hater', then the other rulesets will be +applied if the recipient address is found and has RHS hater. This allows for simple exceptions from the tests, e.g., by activating -the spamfriend option and having +the friend option and having - To:abuse@ SPAMFRIEND + Spam:abuse@ FRIEND in the access map, mail to abuse@localdomain will get through. It is also possible to specify a full address or an address with +detail: - To:abuse@abuse.my.domain SPAMFRIEND - To:me+abuse@ SPAMFRIEND + Spam:abuse@my.domain FRIEND + Spam:me+abuse@ FRIEND + Spam:spam.domain FRIEND +Note: The required tag has been changed in 8.12 from To: to Spam:. +This change is incompatible to previous versions. However, you can +(for now) simply add the new entries to the access map, the old +ones will be ignored. As soon as you removed the old entries from +the access map, specify a third parameter (`n') to this feature and +the backward compatibility rules will not be in the generated .cf +file. Header Checks +------------- You can also reject mail on the basis of the contents of headers. This is done by adding a ruleset call to the 'H' header definition command 
@@ -1987,10 +2537,14 @@ defined for them can be given by: H*: $>CheckHdr -Notice: All rules act on tokens as explained in doc/op/op.{me,ps,txt}. +Notice: +1. All rules act on tokens as explained in doc/op/op.{me,ps,txt}. That may cause problems with simple header checks due to the -tokenization. It might be simpler to use a regex map and apply it +tokenization. It might be simpler to use a regex map and apply it to $&{currHeader}. +2. There are no default rulesets coming with this distribution of +sendmail. You can either write your own or you can search the +WWW for examples, e.g., http://www.digitalanswers.org/check_local/ After all of the headers are read, the check_eoh ruleset will be called for any final header-related checks. The ruleset is called with the number of @@ -2031,7 +2585,8 @@ probably not be used in production. +----------+ In this text, cert will be used as an abreviation for X.509 certificate, -DN is the distinguished name of a cert, and CA is a certification authority. +DN (CN) is the distinguished (common) name of a cert, and CA is a +certification authority, which signs (issues) certs. For STARTTLS to be offered by sendmail you need to set at least this variables (the file names and paths are just examples): 
@@ -2044,53 +2599,57 @@ this variables (the file names and paths are just examples): On systems which do not have the compile flag HASURANDOM set (see sendmail/README) you also must set confRAND_FILE. -See doc/op/op.{me,ps} for more information about these options, -esp. the sections ``Certificates for STARTTLS'' and ``PRNG for +See doc/op/op.{me,ps,txt} for more information about these options, +especially the sections ``Certificates for STARTTLS'' and ``PRNG for STARTTLS''. Macros related to STARTTLS are: ${cert_issuer} holds the DN of the CA (the cert issuer). ${cert_subject} holds the DN of the cert (called the cert subject). +${cn_issuer} holds the CN of the CA (the cert issuer). +${cn_subject} holds the CN of the cert (called the cert subject). ${tls_version} the TLS/SSL version used for the connection, e.g., TLSv1, - SSLv3, SSLv2. + TLSv1/SSLv3, SSLv3, SSLv2. ${cipher} the cipher used for the connection, e.g., EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA. ${cipher_bits} the keylength (in bits) of the symmetric encryption algorithm used for the connection. -${verify} holds the result of the verification of the presented cert. Possible - values are: - OK verification succeeded. - NO no cert presented. - FAIL cert presented but could not be verified, e.g., the signing - CA is missing. - NONE STARTTLS has not been performed. - TEMP temporary error occurred. - PROTOCOL some protocol error occurred. +${verify} holds the result of the verification of the presented cert. + Possible values are: + OK verification succeeded. + NO no cert presented. + NOT no cert requested. + FAIL cert presented but could not be verified, + e.g., the cert of the signing CA is missing. + NONE STARTTLS has not been performed. + TEMP temporary error occurred. + PROTOCOL protocol error occurred (SMTP level). SOFTWARE STARTTLS handshake failed. 
-${server_name} the name of the server of the current outgoing SMTP +${server_name} the name of the server of the current outgoing SMTP connection. -${server_addr} the address of the server of the current outgoing SMTP +${server_addr} the address of the server of the current outgoing SMTP connection. Relaying +-------- SMTP STARTTLS can allow relaying for senders who have successfully -authenticated themselves. This is done in the ruleset RelayAuth. If the +authenticated themselves. This is done in the ruleset RelayAuth. If the verification of the cert failed (${verify} != OK), relaying is subject to -the usual rules. Otherwise the DN of the issuer is looked up in the access -map using the tag CERTISSUER. If the resulting value is RELAY, relaying is -allowed. If it is SUBJECT, the DN of the cert subject is looked up next in -the access map. using the tag CERTSUBJECT. If the value is RELAY, relaying +the usual rules. Otherwise the DN of the issuer is looked up in the access +map using the tag CERTISSUER. If the resulting value is RELAY, relaying is +allowed. If it is SUBJECT, the DN of the cert subject is looked up next in +the access map using the tag CERTSUBJECT. If the value is RELAY, relaying is allowed. To make things a bit more flexible (or complicated), the values for ${cert_issuer} and ${cert_subject} can be optionally modified by regular expressions defined in the m4 variables _CERT_REGEX_ISSUER_ and -_CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in +_CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in rulesets and map lookups, they are modified as follows: each non-printable character and the characters '<', '>', '(', ')', '"', '+' are replaced by -their HEX value with a leading '+'. For example: +their HEX value with a leading '+'. For example: /C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email= darth+cert@endmail.org 
@@ -2111,29 +2670,49 @@ R$* $: $&{verify} ROK $# OK Allowing Connections +-------------------- -The rulesets tls_server and tls_client are used to decide whether an SMTP -connection is accepted (or should continue). +The rulesets tls_server, tls_client, and tls_rcpt are used to decide whether +an SMTP connection is accepted (or should continue). tls_server is called when sendmail acts as client after a STARTTLS command -(should) have been issued. The parameter is the value of ${verify}. +(should) have been issued. The parameter is the value of ${verify}. tls_client is called when sendmail acts as server, after a STARTTLS command -has been issued, and from check_mail. The parameter is the value of +has been issued, and from check_mail. The parameter is the value of ${verify} and STARTTLS or MAIL, respectively. -Both rulesets behave the same. If no access map is in use, the connection +Both rulesets behave the same. If no access map is in use, the connection will be accepted unless ${verify} is SOFTWARE, in which case the connection -is always aborted. Otherwise, ${client_name} (${server_name}) is looked -up in the access map using the tag TLS_Srv (or TLS_Clt), which is done -with the ruleset LookUpDomain. If no entry is found, ${client_addr} +is always aborted. For tls_server/tls_client, ${client_name}/${server_name} +is looked up in the access map using the tag TLS_Srv/TLS_Clt, which is done +with the ruleset LookUpDomain. If no entry is found, ${client_addr} (${server_addr}) is looked up in the access map (same tag, ruleset -LookUpAddr). If this doesn't result in an entry either, just the tag is -looked up in the access map (included the trailing :). The result of the -lookups is then used to call the ruleset tls_connection, which checks the -requirement specified by the RHS in the access map against the actual -parameters of the current TLS connection, esp. ${verify} and -${cipher_bits}. Legal RHSs in the access map are: +LookUpAddr). 
If this doesn't result in an entry either, just the tag is +looked up in the access map (included the trailing colon). Notice: +requiring that e-mail is sent to a server only encrypted, e.g., via + +TLS_Srv:secure.domain ENCR:112 + +doesn't necessarily mean that e-mail sent to that domain is encrypted. +If the domain has multiple MX servers, e.g., + +secure.domain. IN MX 10 mail.secure.domain. +secure.domain. IN MX 50 mail.other.domain. + +then mail to user@secure.domain may go unencrypted to mail.other.domain. +tls_rcpt can be used to address this problem. + +tls_rcpt is called before a RCPT TO: command is sent. The parameter is the +current recipient. This ruleset is only defined if FEATURE(`access_db') +is selected. A recipient address user@domain is looked up in the access +map in four formats: TLS_Rcpt:user@domain, TLS_Rcpt:user@, TLS_Rcpt:domain, +and TLS_Rcpt:; the first match is taken. + +The result of the lookups is then used to call the ruleset TLS_connection, +which checks the requirement specified by the RHS in the access map against +the actual parameters of the current TLS connection, esp. ${verify} and +${cipher_bits}. Legal RHSs in the access map are: VERIFY verification must have succeeded VERIFY:bits verification must have succeeded and ${cipher_bits} must 
@@ -2141,39 +2720,64 @@ VERIFY:bits verification must have succeeded and ${cipher_bits} must ENCR:bits ${cipher_bits} must be greater than or equal bits. The RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary -or permanent error. The default is a temporary error code (403 4.7.0) +or permanent error. The default is a temporary error code (403 4.7.0) unless the macro TLS_PERM_ERR is set during generation of the .cf file. If a certain level of encryption is required, then it might also be possible that this level is provided by the security layer from a SASL algorithm, e.g., DIGEST-MD5. +Furthermore, there can be a list of extensions added. Such a list +starts with '+' and the items are separated by '++'. Allowed +extensions are: + +CN:name name must match ${cn_subject} +CN ${server_name} must match ${cn_subject} +CS:name name must match ${cert_subject} +CI:name name must match ${cert_issuer} + Example: e-mail sent to secure.example.com should only use an encrypted -connection. e-mail received from hosts within the laptop.example.com domain -should only be accepted if they have been authenticated. +connection. E-mail received from hosts within the laptop.example.com domain +should only be accepted if they have been authenticated. The host which +receives e-mail for darth@endmail.org must present a cert that uses the +CN smtp.endmail.org. + TLS_Srv:secure.example.com ENCR:112 TLS_Clt:laptop.example.com PERM+VERIFY:112 +TLS_Rcpt:darth@endmail.org ENCR:112+CN:smtp.endmail.org -Notice: requiring that e-mail is sent to a server only encrypted, -e.g., via -TLS_Srv:secure.domain ENCR:112 +Disabling STARTTLS And Setting SMTP Server Features +--------------------------------------------------- -doesn't necessarily mean that e-mail sent to that domain is encrypted. -If the domain has multiple MX servers, e.g., +By default STARTTLS is used whenever possible. However, there are +some broken MTAs that don't properly implement STARTTLS. 
To be able +to send to (or receive from) those MTAs, the ruleset try_tls +(srv_features) can be used that work together with the access map. +Entries for the access map must be tagged with Try_TLS (Srv_Features) +and refer to the hostname or IP address of the connecting system. +A default case can be specified by using just the tag. For example, +the following entries in the access map: -secure.domain. IN MX 10 mail.secure.domain. -secure.domain. IN MX 50 mail.other.domain. + Try_TLS:broken.server NO + Srv_Features:my.domain v + Srv_Features: V -then mail to user@secure.domain may go unencrypted to mail.other.domain. +will turn off STARTTLS when sending to broken.server (or any host +in that domain), and request a client certificate during the TLS +handshake only for hosts in my.domain. The valid entries on the RHS +for Srv_Features are listed in the Sendmail Installation and +Operations Guide. Received: Header +---------------- -The Received: header reveals whether STARTTLS has been used. It contains an +The Received: header reveals whether STARTTLS has been used. It contains an extra line: -(using ${tls_version} with cipher ${cipher} (${cipher_bits} bits) verified ${verify}) +(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify}) + +---------------------+ | SMTP AUTHENTICATION | @@ -2198,7 +2802,7 @@ RDIGEST-MD5 $| $+@$=w $# OK to allow relaying for users that authenticated using DIGEST-MD5 and have an identity in the local domains. -The ruleset Strust_auth is used to determine whether a given AUTH= +The ruleset trust_auth is used to determine whether a given AUTH= parameter (that is passed to this ruleset) should be trusted. This ruleset may make use of the other ${auth_*} macros. Only if the ruleset resolves to the error mailer, the AUTH= parameter is not 
@@ -2216,6 +2820,44 @@ If the selected mechanism provides a security layer the number of bits used for the key of the symmetric cipher is stored in the macro ${auth_ssf}. + +If sendmail acts as client, it needs some information how to +authenticate against another MTA. This information can be provided +by the ruleset authinfo or by the option AuthMechanisms. The +authinfo ruleset looks up {server_name} using the tag AuthInfo: in +the access map. If no entry is found, {server_addr} is looked up +in the same way and finally just the tag AuthInfo: to provide +default values. + +The RHS for an Auth: entry in the access map should consists of a +list of tokens, each of which has the form: "TDstring" (including +the quotes). T is a tag which describes the item, D is a delimiter, +either ':' for simple text or '=' for a base64 encoded string. +Valid values for the tag are: + + U user (authorization) id + I authentication id + P password + R realm + M list of mechanisms delimited by spaces + +Example entries are: + +AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5" +AuthInfo:more.dom "U:user" "P=c2VjcmV0" + +User or authentication id must exist as well as the password. All +other entries have default values. If one of user or authentication +id is missing, the existing value is used for the missing item. +Realm defaults to $j and the list of mechanisms to those specified +by AuthMechanisms. + +Since this map contains sensitive information, either the access +map must be unreadable by everyone but root (or the trusted user) +or FEATURE(`authinfo') must be used which provides a separate map. +Notice: It is not checked whether the map is actually +group/world-unreadable, this is left to the user. + +--------------------------------+ | ADDING NEW MAILERS OR RULESETS | +--------------------------------+ 
@@ -2232,8 +2874,19 @@ LOCAL_RULESETS respectively. For example: Smyruleset ... +Local additions for the rulesets srv_features, try_tls, tls_rcpt, +tls_client, and tls_server can be made using LOCAL_SRV_FEATURES, +LOCAL_TRY_TLS, LOCAL_TLS_RCPT, LOCAL_TLS_CLIENT, and LOCAL_TLS_SERVER, +respectively. For example, to add a local ruleset that decides +whether to try STARTTLS in a sendmail client, use: + + LOCAL_TRY_TLS + R... + +Note: you don't need to add a name for the ruleset, it is implicitly +defined by using the appropriate macro. + -#if _FFR_MILTER +-------------------------+ | ADDING NEW MAIL FILTERS | +-------------------------+ @@ -2275,9 +2928,21 @@ more filters than you want to use for `confINPUT_MAIL_FILTERS'. Note that setting `confINPUT_MAIL_FILTERS' after any INPUT_MAIL_FILTER() commands will clear the list created by the prior INPUT_MAIL_FILTER() commands. -#endif /* _FFR_MILTER */ ++-------------------------+ +| QUEUE GROUP DEFINITIONS | ++-------------------------+ + +In addition to the queue directory (which is the default queue group +called "mqueue"), sendmail can deal with multiple queue groups, which +are collections of queue directories with the same behaviour. Queue +groups can be defined using the command: + + QUEUE_GROUP(`name', `equates') + +For details about queue groups, please see doc/op/op.{me,ps,txt}. + +-------------------------------+ | NON-SMTP BASED CONFIGURATIONS | +-------------------------------+ @@ -2537,6 +3202,11 @@ confDOMAIN_NAME $j macro If defined, sets $j. This should domain name. confCF_VERSION $Z macro If defined, this is appended to the configuration version name. +confLDAP_CLUSTER ${sendmailMTACluster} macro + If defined, this is the LDAP + cluster to use for LDAP searches + as described above in ``USING LDAP + FOR ALIASES, MAPS, AND CLASSES''. confFROM_HEADER From: [$?x$x <$g>$|$g$.] The format of an internally generated From: address. confRECEIVED_HEADER Received: 
@@ -2607,13 +3277,6 @@ confCHECKPOINT_INTERVAL CheckpointInterval [10] Checkpoint queue files every N recipients. confDELIVERY_MODE DeliveryMode [background] Default delivery mode. -confAUTO_REBUILD AutoRebuildAliases - [False] Automatically rebuild alias - file if needed. - There is a potential for a denial - of service attack if this is set. - This option is deprecated and will - be removed from a future version. confERROR_MODE ErrorMode [print] Error message mode. confERROR_MESSAGE ErrorHeader [undefined] Error message header/file. confSAVE_FROM_LINES SaveFromLine Save extra leading From_ lines. @@ -2671,13 +3334,15 @@ confCHECK_ALIASES CheckAliases [False] Check RHS of aliases when considerably on large alias files. confOLD_STYLE_HEADERS* OldStyleHeaders [True] Assume that headers without special chars are old style. -confCLIENT_OPTIONS ClientPortOptions - [none] Options for outgoing SMTP client - connections. confPRIVACY_FLAGS PrivacyOptions [authwarnings] Privacy flags. confCOPY_ERRORS_TO PostmasterCopy [undefined] Address for additional copies of all error messages. confQUEUE_FACTOR QueueFactor [600000] Slope of queue-only function. +confQUEUE_FILE_MODE QueueFileMode [undefined] Default permissions for + queue files (octal). If not set, + sendmail uses 0600 unless its real + and effective uid are different in + which case it uses 0644. confDONT_PRUNE_ROUTES DontPruneRoutes [False] Don't prune down route-addr syntax addresses to the minimum possible. @@ -2697,6 +3362,11 @@ confTO_ICONNECT Timeout.iconnect This allows a single very fast pass followed by more careful delivery attempts in the future. +confTO_ACONNECT Timeout.aconnect + [0] The overall timeout waiting for + all connection for a single delivery + attempt to succeed. If 0, no overall + limit is applied. confTO_HELO Timeout.helo [5m] The timeout waiting for a response to a HELO or EHLO command. confTO_MAIL Timeout.mail [10m] The timeout waiting for a 
@@ -2726,6 +3396,13 @@ confTO_IDENT Timeout.ident [5s] The timeout waiting for a confTO_FILEOPEN Timeout.fileopen [60s] The timeout waiting for a file (e.g., :include: file) to be opened. +confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response + to an LMTP LHLO command. +confTO_AUTH Timeout.auth [10m] The timeout waiting for a + response in an AUTH dialogue. +confTO_STARTTLS Timeout.starttls + [1h] The timeout waiting for a + response to an SMTP STARTTLS command. confTO_CONTROL Timeout.control [2m] The timeout for a complete control socket transaction to complete. @@ -2824,6 +3501,10 @@ confREFUSE_LA RefuseLA [varies] Load average at which numproc) where numproc is the number of processors online (if that can be determined). +confDELAY_LA DelayLA [0] Load average at which sendmail + will sleep for one second on most + SMTP commands and before accepting + connections. 0 means no limit. confMAX_ALIAS_RECURSION MaxAliasRecursion [10] Maximum depth of alias recursion. confMAX_DAEMON_CHILDREN MaxDaemonChildren @@ -2840,11 +3521,11 @@ confMAX_MIME_HEADER_LENGTH MaxMimeHeaderLength certain MIME header field values. confCONNECTION_RATE_THROTTLE ConnectionRateThrottle [undefined] The maximum number of - connections permitted per second. - After this many connections are - accepted, further connections will be - delayed. If not set or <= 0, there is - no limit. + connections permitted per second per + daemon. After this many connections + are accepted, further connections + will be delayed. If not set or <= 0, + there is no limit. confWORK_RECIPIENT_FACTOR RecipientFactor [30000] Cost of each recipient. confSEPARATE_PROC ForkEachJob [False] Run all deliveries in a 
@@ -2852,7 +3533,8 @@ confSEPARATE_PROC ForkEachJob [False] Run all deliveries in a confWORK_CLASS_FACTOR ClassFactor [1800] Priority multiplier for class. confWORK_TIME_FACTOR RetryFactor [90000] Cost of each delivery attempt. confQUEUE_SORT_ORDER QueueSortOrder [Priority] Queue sort algorithm: - Priority, Host, Filename, or Time. + Priority, Host, Filename, Random, + Modification, or Time. confMIN_QUEUE_AGE MinQueueAge [0] The minimum amount of time a job must sit in the queue between queue runs. This allows you to set the @@ -2884,9 +3566,11 @@ confNO_RCPT_ACTION NoRecipientAction known recipients (which may expose blind recipients), "add-apparently-to" to do the same but use Apparently-To: - instead of To:, "add-bcc" to add an - empty Bcc: header, or - "add-to-undisclosed" to add the header + instead of To: (strongly discouraged + in accordance with IETF standards), + "add-bcc" to add an empty Bcc: + header, or "add-to-undisclosed" to + add the header ``To: undisclosed-recipients:;''. confSAFE_FILE_ENV SafeFileEnvironment [undefined] If set, sendmail will do a @@ -2909,6 +3593,18 @@ confMAX_QUEUE_RUN_SIZE MaxQueueRunSize [0] If set, limit the maximum size of so this should be as large as your system can tolerate. If not set, there is no limit. +confMAX_QUEUE_CHILDREN MaxQueueChildren + [undefined] Limits the maximum number + of concurrent queue runners active. + This is to keep system resources used + within a reasonable limit. Relates to + Queue Groups and ForkAllJobs. +confMAX_RUNNERS_PER_QUEUE MaxRunnersPerQueue + [1] Only active when MaxQueueChildren + defined. Controls the maximum number + of queue runners (aka queue children) + active at the same time in a work + group. See also MaxQueueChildren. confDONT_EXPAND_CNAMES DontExpandCnames [False] If set, $[ ... $] lookups that do DNS based lookups do not expand 
@@ -2969,7 +3665,8 @@ confDOUBLE_BOUNCE_ADDRESS DoubleBounceAddress [postmaster] If an error occurs when sending an error message, send that "double bounce" error message to this - address. + address. If it expands to an empty + string, double bounces are dropped. confDEAD_LETTER_DROP DeadLetterDrop [undefined] Filename to save bounce messages which could not be returned to the user or sent to postmaster. @@ -2993,6 +3690,11 @@ confMAX_RCPTS_PER_MESSAGE MaxRecipientsPerMessage receive a 452 error code (i.e., they are deferred for the next delivery attempt). +confBAD_RCPT_THROTTLE BadRcptThrottle [infinite] If set and more than the + specified number of recipients in an + envelope are rejected, sleep for one + second after each rejected RCPT + command. confDONT_PROBE_INTERFACES DontProbeInterfaces [False] If set, sendmail will _not_ insert the names and addresses of any @@ -3003,6 +3705,9 @@ confDONT_PROBE_INTERFACES DontProbeInterfaces in a mailertable entry) -- otherwise, mail to addresses in this list will bounce with a configuration error. + If set to "loopback" (without + quotes), sendmail will skip + loopback interfaces (e.g., "lo0"). confPID_FILE PidFile [system dependent] Location of pid file. confPROCESS_TITLE_PREFIX ProcessTitlePrefix @@ -3017,6 +3722,9 @@ confDONT_BLAME_SENDMAIL DontBlameSendmail confREJECT_MSG - [550 Access denied] The message given if the access database contains REJECT in the value portion. +confRELAY_MSG - [550 Relaying denied] The message + given if an unauthorized relaying + attempt is rejected. confDF_BUFFER_SIZE DataFileBufferSize [4096] The maximum size of a memory-buffered data (df) file 
@@ -3036,36 +3744,39 @@ confAUTH_MECHANISMS AuthMechanisms [GSSAPI KERBEROS_V4 DIGEST-MD5 by the CYRUS SASL library. confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains authentication information for - outgoing connections. This file - must contain the user id, the - authorization id, the password - (plain text), and the realm to use, - each on a separate line and must be - readable by root (or the trusted - user) only. If no realm is - specified, $j is used. - - NOTE: Currently, AuthMechanisms is - used to determine the list of - mechanisms to use on an outgoing - connection. Sites which require a - different list of mechanisms for - incoming connections and outgoing - connections will have the ability - to do this in 8.11 by specifying a - list of mechanisms as the fifth - line of the DefaultAuthInfo file. - If no mechanisms are given in the - file, AuthMechanisms is used. The - code for doing so is included as - in the sendmail source code but - disabled. It can be enabled by - recompiling sendmail with: - -D_FFR_DEFAUTHINFO_MECHS -confAUTH_OPTIONS AuthOptions [undefined] If this options is 'A' + outgoing connections. This file must + contain the user id, the authorization + id, the password (plain text), the + realm to use, and the list of + mechanisms to try, each on a separate + line and must be readable by root (or + the trusted user) only. If no realm + is specified, $j is used. If no + mechanisms are given in the file, + AuthMechanisms is used. Notice: this + option is deprecated and will be + removed in future versions; it doesn't + work for the MSP since it can't read + the file. Use the authinfo ruleset + instead. +confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' then the AUTH= parameter for the MAIL FROM command is only issued when authentication succeeded. + Other values (which should be listed + one after the other without any + intervening characters except for + space or comma) are a, c, d, f, p, + and y. 
See doc/op/op.me for + details. +confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption + strength for the security layer in + SMTP AUTH (SASL). Default is + essentially unlimited. +confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client + verification is performed, i.e., + the server doesn't ask for a + certificate. confLDAP_DEFAULT_SPEC LDAPDefaultSpec [undefined] Default map specification for LDAP maps. The value should only contain LDAP 
@@ -3102,15 +3813,64 @@ confRAND_FILE RandFile [undefined] File containing random requires this option if the compile flag HASURANDOM is not set (see sendmail/README). +confNICE_QUEUE_RUN NiceQueueRun [undefined] If set, the priority of + queue runners is set the given value + (nice(3)). +confDIRECT_SUBMISSION_MODIFIERS DirectSubmissionModifiers + [undefined] Defines {daemon_flags} + for direct submissions. +confUSE_MSP UseMSP [false] Use as mail submission + program, see sendmail/SECURITY. +confDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By + SMTP Service Extension (RFC 2852). +confSHARED_MEMORY_KEY SharedMemoryKey [0] Key for shared memory. +confFAST_SPLIT FastSplit [1] If set to a value greater than + zero, the initial MX lookups on + addresses is suppressed when they + are sorted which may result in faster + envelope splitting. +confMAILBOX_DATABASE MailboxDatabase [pw] Type of lookup to find + information about local mailboxes. +confDEQUOTE_OPTS - [empty] Additional options for the + dequote map. +confINPUT_MAIL_FILTERS InputMailFilters + A comma separated list of filters + which determines which filters and + the invocation sequence are + contacted for incoming SMTP + messages. If none are set, no + filters will be contacted. +confMILTER_LOG_LEVEL Milter.LogLevel [9] Log level for input mail filter + actions, defaults to LogLevel. +confMILTER_MACROS_CONNECT Milter.macros.connect + [empty] Macros to transmit to milters + when a session connection starts. +confMILTER_MACROS_HELO Milter.macros.helo + [empty] Macros to transmit to milters + after HELO command. +confMILTER_MACROS_ENVFROM Milter.macros.envfrom + [empty] Macros to transmit to milters + after MAIL FROM command. +confMILTER_MACROS_ENVRCPT Milter.macros.envrcpt + [empty] Macros to transmit to milters + after RCPT TO command. + See also the description of OSTYPE for some parameters that can be tweaked (generally pathnames to mailers). 
-DaemonPortOptions are a special case since multiple daemons can be -defined. This can be done via +ClientPortOptions and DaemonPortOptions are special cases since multiple +clients/daemons can be defined. This can be done via + CLIENT_OPTIONS(`field1=value1,field2=value2,...') DAEMON_OPTIONS(`field1=value1,field2=value2,...') +Note that multiple CLIENT_OPTIONS() commands (and therefore multiple +ClientPortOptions settings) are allowed in order to give settings for each +protocol family (e.g., one for Family=inet and one for Family=inet6). A +restriction placed on one family only affects outgoing connections on that +particular family. + If DAEMON_OPTIONS is not used, then the default is DAEMON_OPTIONS(`Port=smtp, Name=MTA') 
@@ -3152,10 +3912,113 @@ Notice: Do NOT use the 'a' modifier on a public accessible MTA! Finally, the M=E modifier shown above disables ETRN as required by RFC 2476. +Mail filters can be defined using the INPUT_MAIL_FILTER() and MAIL_FILTER() +commands: -+-----------+ -| HIERARCHY | -+-----------+ + INPUT_MAIL_FILTER(`sample', `S=local:/var/run/f1.sock') + MAIL_FILTER(`myfilter', `S=inet:3333@localhost') + +The INPUT_MAIL_FILTER() command causes the filter(s) to be called in the +same order they were specified by also setting confINPUT_MAIL_FILTERS. A +filter can be defined without adding it to the input filter list by using +MAIL_FILTER() instead of INPUT_MAIL_FILTER() in your .mc file. +Alternatively, you can reset the list of filters and their order by setting +confINPUT_MAIL_FILTERS option after all INPUT_MAIL_FILTER() commands in +your .mc file. + + ++----------------------------+ +| MESSAGE SUBMISSION PROGRAM | ++----------------------------+ + +The purpose of the message submission program (MSP) is explained +in sendmail/SECURITY. This section contains a list of caveats and +a few hints how for those who want to tweak the default configuration +for it (which is installed as submit.cf). + +Notice: do not add options/features to submit.mc unless you are +absolutely sure you need them. Options you may want to change +include: + +- confTIME_ZONE on OS that don't use the default, e.g., Irix. +- confDELIVERY_MODE is set to interactive in msp.m4 instead + of the default background mode. + +Some things are not intended to work with the MSP. These include +features that influence the delivery process (e.g., mailertable, +aliases), or those that are only important for a SMTP server (e.g., +virtusertable, DaemonPortOptions). Other things don't work well +with the MSP and require tweaking or workarounds. 
For example, to +allow for client authentication it is not just sufficient to provide +a client certificate and the corresponding key, but it is also +necessary to make the key group (smmsp) readable and tell sendmail +not to complain about that, i.e., + + define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') + +If the MSP should actually use AUTH then the necessary data +should be placed in a map as explained in SMTP AUTHENTICATION: + +FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') + +/etc/mail/msp-authinfo should contain an entry like: + + AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" + +The file and the map created by makemap should be owned by smmsp, +its group should be smmsp, and it should have mode 640. The database +used by the MTA for AUTH must have a corresponding entry. +Additionally the MTA must trust this authentication data so the AUTH= +part will be relayed on to the next hop. This can be achieved by +adding the following to your sendmail.mc file: + + LOCAL_RULESETS + SLocal_trust_auth + R$* $: $&{auth_authen} + Rsmmsp $# OK + +feature/msp.m4 defines almost all settings for the MSP. Most of +those should not be changed at all. Some of the features and options +can be overridden if really necessary. It is a bit tricky to do +this, because it depends on the actual way the option is defined +in feature/msp.m4. If it is directly defined (i.e., define()) then +the modified value must be defined after + + FEATURE(`msp') + +If it is conditionally defined (i.e., ifdef()) then the desired +value must be defined before the FEATURE line in the .mc file. +To see how the options are defined read feature/msp.m4. + + ++--------------------------+ +| FORMAT OF FILES AND MAPS | ++--------------------------+ + +Files that define classes, i.e., F{classname}, consist of lines +each of which contains a single element of the class. 
For example, +/etc/mail/local-host-names may have the following content: + +my.domain +another.domain + +Maps must be created using makemap(8) , e.g., + + makemap hash MAP < MAP + +In general, a text file from which a map is created contains lines +of the form + +key value + +where 'key' and 'value' are also called LHS and RHS, respectively. +By default, the delimiter between LHS and RHS is a non-empty sequence +of white space characters. + + ++------------------+ +| DIRECTORY LAYOUT | ++------------------+ Within this directory are several subdirectories, to wit: @@ -3313,4 +4176,4 @@ M4 DIVERSIONS 8 DNS based blacklists 9 special local rulesets (1 and 2) -$Revision: 1.8 $, Last updated $Date: 2001/08/21 16:31:39 $ +$Revision: 1.9 $, Last updated $Date: 2001/09/11 19:02:48 $ diff --git a/gnu/usr.sbin/sendmail/cf/cf/Makefile b/gnu/usr.sbin/sendmail/cf/cf/Makefile index 7e33d49134c..7595f34006b 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/Makefile +++ b/gnu/usr.sbin/sendmail/cf/cf/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.10 2001/05/29 01:31:11 millert Exp $ +# $OpenBSD: Makefile,v 1.11 2001/09/11 19:02:48 millert Exp $ # # Makefile for configuration files. # -# $Sendmail: Makefile,v 8.40.8.5 2001/04/12 22:39:52 gshapiro Exp $ +# $Sendmail: Makefile,v 8.54 2001/08/20 15:16:48 gshapiro Exp $ # # 
@@ -25,20 +25,34 @@ RM= rm -f ( cd ${.CURDIR} && $(M4) ${CFDIR}/m4/cf.m4 ${@:R}.mc > ${.OBJDIR}/$@ ) $(CHMOD) $(ROMODE) $@ -ALL= clientproto.cf openbsd-proto.cf courtesan.cf courtesan-nonet.cf \ - courtesan-lists.cf openbsd-lists.cf gandalf.cf alatar.cf \ - nettan.cf waldorf.cf lucifier.cf elbereth.cf corpse.cf knecht.cf +ALL= submit.cf clientproto.cf tcpproto.cf openbsd-localhost.cf \ + openbsd-proto.cf courtesan.cf courtesan-nonet.cf courtesan-lists.cf \ + openbsd-lists.cf gandalf.cf alatar.cf nettan.cf waldorf.cf lucifier.cf \ + elbereth.cf corpse.cf knecht.cf all: $(ALL) clean cleandir: - $(RM) $(ALL) core + $(RM) $(ALL) *.core -depend install: +depend: + +install: + @if test -e ${DESTDIR}/etc/mail/sendmail.cf -a \ + \! -e ${DESTDIR}/etc/mail/submit.cf; then \ + echo "WARNING: installed missing ${DESTDIR}/etc/mail/submit.cf"; \ + echo "You should probably rebuild ${DESTDIR}/etc/mail/sendmail.cf"; \ + ${INSTALL} ${INSTALL_COPY} -o root -g wheel -m 644 submit.cf \ + ${DESTDIR}/etc/mail/submit.cf; \ + fi distribution: openbsd-proto.cf ${INSTALL} ${INSTALL_COPY} -o root -g wheel -m 644 openbsd-proto.cf \ ${DESTDIR}/etc/mail/sendmail.cf + ${INSTALL} ${INSTALL_COPY} -o root -g wheel -m 644 openbsd-localhost.cf \ + ${DESTDIR}/etc/mail/localhost.cf + ${INSTALL} ${INSTALL_COPY} -o root -g wheel -m 644 submit.cf \ + ${DESTDIR}/etc/mail/submit.cf # this is overkill, but.... M4FILES=\ 
@@ -48,22 +62,30 @@ M4FILES=\ ${CFDIR}/domain/S2K.Berkeley.EDU.m4 \ ${CFDIR}/domain/berkeley-only.m4 \ ${CFDIR}/domain/generic.m4 \ + ${CFDIR}/domain/sigmasoft.m4 \ ${CFDIR}/feature/accept_unqualified_senders.m4 \ ${CFDIR}/feature/accept_unresolvable_domains.m4 \ ${CFDIR}/feature/access_db.m4 \ ${CFDIR}/feature/allmasquerade.m4 \ ${CFDIR}/feature/always_add_domain.m4 \ + ${CFDIR}/feature/authinfo.m4 \ ${CFDIR}/feature/bestmx_is_local.m4 \ ${CFDIR}/feature/bitdomain.m4 \ ${CFDIR}/feature/blacklist_recipients.m4 \ + ${CFDIR}/feature/compat_check.m4 \ + ${CFDIR}/feature/delay_checks.m4 \ ${CFDIR}/feature/dnsbl.m4 \ ${CFDIR}/feature/domaintable.m4 \ + ${CFDIR}/feature/enhdnsbl.m4 \ ${CFDIR}/feature/generics_entire_domain.m4 \ ${CFDIR}/feature/genericstable.m4 \ ${CFDIR}/feature/ldap_routing.m4 \ + ${CFDIR}/feature/msp.m4 \ ${CFDIR}/feature/limited_masquerade.m4 \ ${CFDIR}/feature/local_lmtp.m4 \ + ${CFDIR}/feature/local_no_masquerade.m4 \ ${CFDIR}/feature/local_procmail.m4 \ + ${CFDIR}/feature/lookupdotdomain.m4 \ ${CFDIR}/feature/loose_relay_check.m4 \ ${CFDIR}/feature/mailertable.m4 \ ${CFDIR}/feature/masquerade_entire_domain.m4 \ @@ -74,8 +96,10 @@ M4FILES=\ ${CFDIR}/feature/notsticky.m4 \ ${CFDIR}/feature/nouucp.m4 \ ${CFDIR}/feature/nullclient.m4 \ + ${CFDIR}/feature/preserve_local_plus_detail.m4 \ + ${CFDIR}/feature/preserve_luser_host.m4 \ ${CFDIR}/feature/promiscuous_relay.m4 \ - ${CFDIR}/feature/rbl.m4 \ + ${CFDIR}/feature/queuegroup.m4 \ ${CFDIR}/feature/redirect.m4 \ ${CFDIR}/feature/relay_based_on_MX.m4 \ ${CFDIR}/feature/relay_entire_domain.m4 \ 
@@ -105,19 +129,22 @@ M4FILES=\ ${CFDIR}/mailer/smtp.m4 \ ${CFDIR}/mailer/usenet.m4 \ ${CFDIR}/mailer/uucp.m4 \ - ${CFDIR}/ostype/aix2.m4 \ ${CFDIR}/ostype/aix3.m4 \ ${CFDIR}/ostype/aix4.m4 \ + ${CFDIR}/ostype/aix5.m4 \ ${CFDIR}/ostype/altos.m4 \ ${CFDIR}/ostype/amdahl-uts.m4 \ + ${CFDIR}/ostype/a-ux.m4 \ ${CFDIR}/ostype/bsd4.3.m4 \ ${CFDIR}/ostype/bsd4.4.m4 \ ${CFDIR}/ostype/bsdi.m4 \ ${CFDIR}/ostype/bsdi1.0.m4 \ ${CFDIR}/ostype/bsdi2.0.m4 \ + ${CFDIR}/ostype/darwin.m4 \ ${CFDIR}/ostype/dgux.m4 \ ${CFDIR}/ostype/domainos.m4 \ ${CFDIR}/ostype/dynix3.2.m4 \ + ${CFDIR}/ostype/freebsd4.m4 \ ${CFDIR}/ostype/gnu.m4 \ ${CFDIR}/ostype/hpux10.m4 \ ${CFDIR}/ostype/hpux11.m4 \ @@ -142,6 +169,7 @@ M4FILES=\ ${CFDIR}/ostype/solaris2.m4 \ ${CFDIR}/ostype/solaris2.ml.m4 \ ${CFDIR}/ostype/solaris2.pre5.m4 \ + ${CFDIR}/ostype/solaris8.m4 \ ${CFDIR}/ostype/sunos3.5.m4 \ ${CFDIR}/ostype/sunos4.1.m4 \ ${CFDIR}/ostype/svr4.m4 \ diff --git a/gnu/usr.sbin/sendmail/cf/cf/courtesan-lists.mc b/gnu/usr.sbin/sendmail/cf/cf/courtesan-lists.mc index 5934c9e3c0a..36a203aee2b 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/courtesan-lists.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/courtesan-lists.mc @@ -6,7 +6,7 @@ divert(-1) # divert(0)dnl -VERSIONID(`$OpenBSD: courtesan-lists.mc,v 1.3 2001/08/01 01:01:40 millert Exp $') +VERSIONID(`$OpenBSD: courtesan-lists.mc,v 1.4 2001/09/11 19:02:48 millert Exp $') OSTYPE(openbsd)dnl dnl dnl Advertise ourselves as ``lists.courtesan.com'' @@ -26,6 +26,10 @@ dnl dnl Always use fully qualified domains FEATURE(always_add_domain) dnl +dnl Some broken nameservers will return SERVFAIL (a temporary failure) +dnl on T_AAAA (IPv6) lookups. +define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl +dnl dnl Need to add domo and mailman as "trusted users" to rewrite From lines define(`confTRUSTED_USERS', `domo mailman')dnl dnl diff --git a/gnu/usr.sbin/sendmail/cf/cf/courtesan.mc b/gnu/usr.sbin/sendmail/cf/cf/courtesan.mc index b91f5d3ad56..64b27fef2dd 100644 
--- a/gnu/usr.sbin/sendmail/cf/cf/courtesan.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/courtesan.mc @@ -4,7 +4,7 @@ divert(-1) # divert(0)dnl -VERSIONID(`$OpenBSD: courtesan.mc,v 1.6 2001/08/01 01:01:40 millert Exp $') +VERSIONID(`$OpenBSD: courtesan.mc,v 1.7 2001/09/11 19:02:48 millert Exp $') OSTYPE(openbsd) dnl dnl First, we override some default values @@ -13,6 +13,10 @@ define(`confSMTP_LOGIN_MSG', `$m Sendmail $v/$Z/courtesan ready at $b')dnl define(`confMAX_HOP', `20')dnl define(`confMAX_MIME_HEADER_LENGTH', `256/128')dnl dnl +dnl Some broken nameservers will return SERVFAIL (a temporary failure) +dnl on T_AAAA (IPv6) lookups. +define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl +dnl dnl Next, we define the features we want FEATURE(nouucp, `reject')dnl FEATURE(always_add_domain)dnl diff --git a/gnu/usr.sbin/sendmail/cf/cf/gandalf.mc b/gnu/usr.sbin/sendmail/cf/cf/gandalf.mc index 360af6a3100..2d05dd8f30b 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/gandalf.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/gandalf.mc @@ -29,14 +29,13 @@ divert(-1) # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # -VERSIONID(`$OpenBSD: gandalf.mc,v 1.2 2000/04/02 21:22:35 millert Exp $')dnl +VERSIONID(`$OpenBSD: gandalf.mc,v 1.3 2001/09/11 19:02:48 millert Exp $')dnl OSTYPE(openbsd)dnl DOMAIN(sigmasoft)dnl MASQUERADE_AS(SigmaSoft.COM)dnl FEATURE(allmasquerade)dnl FEATURE(local_procmail)dnl FEATURE(access_db)dnl -define(`confAUTO_REBUILD', True)dnl MAILER(local)dnl MAILER(smtp)dnl MAILER(procmail)dnl diff --git a/gnu/usr.sbin/sendmail/cf/cf/generic-hpux10.mc b/gnu/usr.sbin/sendmail/cf/cf/generic-hpux10.mc index 0fe393e14a6..c7fb58de436 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/generic-hpux10.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/generic-hpux10.mc @@ -20,7 +20,7 @@ divert(-1) # divert(0)dnl -VERSIONID(`$Sendmail: generic-hpux10.mc,v 8.11.22.2 2001/05/29 17:30:18 ca Exp $') +VERSIONID(`$Sendmail: generic-hpux10.mc,v 8.13 2001/05/29 17:29:52 ca Exp $') OSTYPE(hpux10)dnl DOMAIN(generic)dnl MAILER(local)dnl 
diff --git a/gnu/usr.sbin/sendmail/cf/cf/knecht.mc b/gnu/usr.sbin/sendmail/cf/cf/knecht.mc index 394a53bb7dc..114bf8a455a 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/knecht.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/knecht.mc @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999, 2001 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 
@@ -15,31 +15,54 @@ divert(-1) # # This is specific to Eric's home machine. # +# Run daemon with -bd -q5m +# + +divert(0) +VERSIONID(`$Sendmail: knecht.mc,v 8.55 2001/08/01 22:20:40 eric Exp $') +OSTYPE(bsd4.4) +DOMAIN(generic) + +define(`ALIAS_FILE', ``/etc/mail/aliases, /var/listmanager/aliases'') +define(`confFORWARD_PATH', `$z/.forward.$w:$z/.forward+$h:$z/.forward') +define(`confDEF_USER_ID', `mailnull') +define(`confHOST_STATUS_DIRECTORY', `.hoststat') +define(`confTO_ICONNECT', `10s') +define(`confCOPY_ERRORS_TO', `Postmaster') +define(`confTO_QUEUEWARN', `8h') +define(`confMIN_QUEUE_AGE', `27m') +define(`confTRUSTED_USERS', ``www listmgr'') +define(`confPRIVACY_FLAGS', ``authwarnings,noexpn,novrfy'') + +define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs') +define(`confCACERT_PATH', `CERT_DIR') +define(`confCACERT', `CERT_DIR/CAcert.pem') +define(`confSERVER_CERT', `CERT_DIR/MYcert.pem') +define(`confSERVER_KEY', `CERT_DIR/MYkey.pem') +define(`confCLIENT_CERT', `CERT_DIR/MYcert.pem') +define(`confCLIENT_KEY', `CERT_DIR/MYkey.pem') + +FEATURE(access_db) +FEATURE(local_lmtp) +FEATURE(virtusertable) + +FEATURE(`nocanonify', `canonify_hosts') +CANONIFY_DOMAIN(`sendmail.org') +CANONIFY_DOMAIN_FILE(`/etc/mail/canonify-domains') + +dnl # at most 10 queue runners +define(`confMAX_QUEUE_CHILDREN', `20') + +define(`confMAX_RUNNERS_PER_QUEUE', `5') + +dnl # run at most 10 concurrent processes for initial submission +define(`confFAST_SPLIT', `10') -divert(0)dnl -VERSIONID(`$Sendmail: knecht.mc,v 8.37.16.3 2001/02/22 22:38:39 ca Exp $') -OSTYPE(bsd4.4)dnl -DOMAIN(generic)dnl -define(`confFORWARD_PATH', `$z/.forward.$w:$z/.forward+$h:$z/.forward')dnl -define(`confDEF_USER_ID', `mailnull')dnl -define(`confHOST_STATUS_DIRECTORY', `.hoststat')dnl -define(`confTO_ICONNECT', `10s')dnl -define(`confCOPY_ERRORS_TO', `Postmaster')dnl -define(`confTO_QUEUEWARN', `8h')dnl -define(`confTRUSTED_USERS', `www')dnl -define(`confPRIVACY_FLAGS', ``authwarnings,noexpn,novrfy'')dnl 
-define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl -define(`confCACERT_PATH', `CERT_DIR')dnl -define(`confCACERT', `CERT_DIR/CAcert.pem')dnl -define(`confSERVER_CERT', `CERT_DIR/MYcert.pem')dnl -define(`confSERVER_KEY', `CERT_DIR/MYkey.pem')dnl -define(`confCLIENT_CERT', `CERT_DIR/MYcert.pem')dnl -define(`confCLIENT_KEY', `CERT_DIR/MYkey.pem')dnl -FEATURE(virtusertable)dnl -FEATURE(access_db)dnl -FEATURE(local_lmtp)dnl -MAILER(local)dnl -MAILER(smtp)dnl +dnl # 10 runners, split into at most 15 recipients per envelope +QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue, R=5, r=15, F=f') + +MAILER(local) +MAILER(smtp) LOCAL_CONFIG # 
@@ -69,9 +92,80 @@ SCheckMessageId R< $+ @ $+ > $@ OK R$* $#error $: "554 Header error" +HReceived: $>CheckReceived + +SCheckReceived +R$* ......................................................... $* + $#error $: "554 Header error" + +# +# Reject certain senders +# Regex match to catch things in quotes +# +HFrom: $>+CheckFrom +KCheckFrom regex -a@MATCH + [^a-z]?(Net-Pa)[^a-z] + +SCheckFrom +R$* $: $( CheckFrom $1 $) +R@MATCH $#error $: "553 Header error" + LOCAL_RULESETS SLocal_check_mail # check address against various regex checks R$* $: $>Parse0 $>3 $1 R$+ $: $(checkaddress $1 $) R@MATCH $#error $: "553 Header error" + +# +# Following code from Anthony Howe <achowe@snert.com>. The check +# for the Outlook Express marker may hit some legal messages, but +# the Content-Disposition is clearly illegal. +# + +######################################################################### +# +# w32.sircam.worm@mm +# +# There are serveral patterns that appear common ONLY to SirCam worm and +# not to Outlook Express, which claims to have sent the worm. There are +# four headers that always appear together and in this order: +# +# X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 +# X-Mailer: Microsoft Outlook Express 5.50.4133.2400 +# Content-Type: multipart/mixed; boundary="----27AA9124_Outlook_Express_message_boundary" +# Content-Disposition: Multipart message +# +# Empirical study of the worm message headers vs. true Outlook Express +# (5.50.4133.2400 & 5.50.4522.1200) messages with multipart/mixed attachments +# shows Outlook Express does: +# +# a) NOT supply a Content-Disposition header for multipart/mixed messages. +# b) NOT specify the header X-MimeOLE header name in all-caps +# c) NOT specify boundary tag with the expression "_Outlook_Express_message_boundary" +# +# The solution below catches any one of this three issues. This is not an ideal +# solution, but a temporary measure. 
A correct solution would be to check for +# the presence of ALL three header attributes. Also the solution is incomplete +# since Outlook Express 5.0 and 4.0 were not compared. +# +# NOTE regex keys are first dequoted and spaces removed before matching. +# This caused me no end of grief. +# +######################################################################### + +LOCAL_RULESETS + +KSirCamWormMarker regex -f -aSUSPECT multipart/mixed;boundary=----.+_Outlook_Express_message_boundary +HContent-Type: $>CheckContentType + +SCheckContentType +R$+ $: $(SirCamWormMarker $1 $) +RSUSPECT $#error $: "553 Possible virus, see http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html" + +HContent-Disposition: $>CheckContentDisposition + +SCheckContentDisposition +R$- $@ OK +R$- ; $+ $@ OK +R$* $#error $: "553 Illegal Content-Disposition" diff --git a/gnu/usr.sbin/sendmail/cf/cf/lucifier.mc b/gnu/usr.sbin/sendmail/cf/cf/lucifier.mc index a73d331fdc4..2ef1b38b02e 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/lucifier.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/lucifier.mc @@ -30,17 +30,17 @@ divert(-1) # SUCH DAMAGE. # -VERSIONID(`$OpenBSD: lucifier.mc,v 1.1 2000/04/02 19:48:13 millert Exp $')dnl +VERSIONID(`$OpenBSD: lucifier.mc,v 1.2 2001/09/11 19:02:48 millert Exp $')dnl OSTYPE(openbsd)dnl -MAILER(local)dnl -MAILER(smtp)dnl MASQUERADE_AS(lucifier.dial-up.user.akula.net)dnl MASQUERADE_DOMAIN(lucifier.dial-up.user.akula.net)dnl FEATURE(allmasquerade)dnl +MAILER(local)dnl +MAILER(smtp)dnl + define(`BITNET_RELAY', relay.uu.net)dnl -define(`confAUTO_REBUILD', True)dnl define(`confCHECK_ALIASES', True)dnl define(`confMIN_FREE_BLOCKS', 1024)dnl diff --git a/gnu/usr.sbin/sendmail/cf/cf/openbsd-lists.mc b/gnu/usr.sbin/sendmail/cf/cf/openbsd-lists.mc index 27706ad7fe6..a08746733df 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/openbsd-lists.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/openbsd-lists.mc 
@@ -6,7 +6,7 @@ divert(-1) # divert(0)dnl -VERSIONID(`$OpenBSD: openbsd-lists.mc,v 1.5 2001/08/01 01:01:40 millert Exp $') +VERSIONID(`$OpenBSD: openbsd-lists.mc,v 1.6 2001/09/11 19:02:48 millert Exp $') OSTYPE(openbsd)dnl dnl dnl Advertise ourselves as ``openbsd.org'' @@ -22,6 +22,10 @@ define(`confPRIVACY_FLAGS', `authwarnings, nobodyreturn')dnl define(`confTRY_NULL_MX_LIST', `True')dnl define(`confMAX_HOP', `30')dnl dnl +dnl Some broken nameservers will return SERVFAIL (a temporary failure) +dnl on T_AAAA (IPv6) lookups. +define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl +dnl dnl Keep host status on disk between sendmail runs in the .hoststat dir define(`confHOST_STATUS_DIRECTORY', `.hoststat')dnl define(`confTO_HOSTSTATUS', `1h')dnl diff --git a/gnu/usr.sbin/sendmail/cf/cf/openbsd-proto.mc b/gnu/usr.sbin/sendmail/cf/cf/openbsd-proto.mc index 6b0293a46b9..0c58549d405 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/openbsd-proto.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/openbsd-proto.mc @@ -17,7 +17,7 @@ divert(-1) # divert(0)dnl -VERSIONID(`@(#)openbsd-proto.mc $Revision: 1.3 $') +VERSIONID(`@(#)openbsd-proto.mc $Revision: 1.4 $') OSTYPE(openbsd) FEATURE(nouucp, `reject') MAILER(local) @@ -25,6 +25,10 @@ MAILER(smtp) DAEMON_OPTIONS(`Family=inet, address=0.0.0.0, Name=MTA')dnl DAEMON_OPTIONS(`Family=inet6, address=::, Name=MTA6, M=O')dnl dnl +dnl Some broken nameservers will return SERVFAIL (a temporary failure) +dnl on T_AAAA (IPv6) lookups. +define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl +dnl dnl Enforce valid Message-Id to help stop spammers dnl LOCAL_RULESETS diff --git a/gnu/usr.sbin/sendmail/cf/cf/tcpproto.mc b/gnu/usr.sbin/sendmail/cf/cf/tcpproto.mc index f7abc26b043..55a1fc85361 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/tcpproto.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/tcpproto.mc 
@@ -26,7 +26,7 @@ divert(-1) # divert(0)dnl -VERSIONID(`$Sendmail: tcpproto.mc,v 8.13.22.1 2000/08/03 15:25:20 ca Exp $') +VERSIONID(`$Sendmail: tcpproto.mc,v 8.14 2000/08/03 15:26:50 ca Exp $') OSTYPE(`openbsd') FEATURE(`nouucp', `reject') MAILER(`local') diff --git a/gnu/usr.sbin/sendmail/cf/cf/uucpproto.mc b/gnu/usr.sbin/sendmail/cf/cf/uucpproto.mc index e2dd7a3b1db..afd5e4d097a 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/uucpproto.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/uucpproto.mc @@ -27,7 +27,7 @@ divert(-1) divert(0)dnl VERSIONID(`$Sendmail: uucpproto.mc,v 8.15 1999/02/07 07:26:05 gshapiro Exp $') -OSTYPE(unknown) +OSTYPE(openbsd) FEATURE(promiscuous_relay)dnl FEATURE(accept_unresolvable_domains)dnl MAILER(local)dnl diff --git a/gnu/usr.sbin/sendmail/cf/cf/waldorf.mc b/gnu/usr.sbin/sendmail/cf/cf/waldorf.mc index 9bbbc003d31..9fcf3e5ce43 100644 --- a/gnu/usr.sbin/sendmail/cf/cf/waldorf.mc +++ b/gnu/usr.sbin/sendmail/cf/cf/waldorf.mc @@ -1,5 +1,5 @@ divert(-1) -# $OpenBSD: waldorf.mc,v 1.1 2000/04/02 19:48:14 millert Exp $ +# $OpenBSD: waldorf.mc,v 1.2 2001/09/11 19:02:48 millert Exp $ # # Copyright (c) 1996 Niklas Hallqvist # All rights reserved. @@ -32,7 +32,7 @@ divert(-1) # SUCH DAMAGE. # -VERSIONID(`$OpenBSD: waldorf.mc,v 1.1 2000/04/02 19:48:14 millert Exp $') +VERSIONID(`$OpenBSD: waldorf.mc,v 1.2 2001/09/11 19:02:48 millert Exp $') OSTYPE(openbsd)dnl MASQUERADE_AS(appli.se) @@ -40,15 +40,13 @@ MASQUERADE_DOMAIN(appli.se) FEATURE(local_procmail)dnl -MAILER(local)dnl -MAILER(smtp)dnl - FEATURE(limited_masquerade)dnl FEATURE(always_add_domain)dnl FEATURE(virtusertable)dnl FEATURE(use_cw_file)dnl -define(`confAUTO_REBUILD', True)dnl +MAILER(local)dnl +MAILER(smtp)dnl LOCAL_RULE_0 # We take care of all mail directed to either appli.se or *.appli.se diff --git a/gnu/usr.sbin/sendmail/cf/domain/sigmasoft.m4 b/gnu/usr.sbin/sendmail/cf/domain/sigmasoft.m4 index 0df67ecfbb6..458dcd92be6 100644 --- a/gnu/usr.sbin/sendmail/cf/domain/sigmasoft.m4 
+++ b/gnu/usr.sbin/sendmail/cf/domain/sigmasoft.m4 @@ -29,10 +29,10 @@ divert(-1) # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # divert(0) -VERSIONID(`$OpenBSD: sigmasoft.m4,v 1.1 2000/04/02 19:48:14 millert Exp $')dnl +VERSIONID(`$OpenBSD: sigmasoft.m4,v 1.2 2001/09/11 19:02:48 millert Exp $')dnl define(`UUCP_RELAY', relay1.uu.net)dnl define(`BITNET_RELAY', relay2.uu.net)dnl define(`confME_TOO', True)dnl -FEATURE(rbl)dnl +FEATURE(dnsbl, `rbl.maps.vix.com', `Rejected - see http://www.mail-abuse.org/rbl/')dnl FEATURE(redirect)dnl FEATURE(relay_based_on_MX)dnl diff --git a/gnu/usr.sbin/sendmail/cf/feature/access_db.m4 b/gnu/usr.sbin/sendmail/cf/feature/access_db.m4 index 9e13f9c59cb..de078d94707 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/access_db.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/access_db.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. # All rights reserved. # # By using this file, you agree to the terms and conditions set 
@@ -10,14 +10,28 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: access_db.m4,v 8.15 1999/07/22 17:55:34 gshapiro Exp $') +VERSIONID(`$Sendmail: access_db.m4,v 8.23 2001/03/16 00:51:25 gshapiro Exp $') divert(-1) define(`_ACCESS_TABLE_', `') define(`_TAG_DELIM_', `:')dnl should be in OperatorChars +ifelse(lower(_ARG2_),`skip',`define(`_ACCESS_SKIP_', `1')') +ifelse(lower(_ARG2_),`lookupdotdomain',`define(`_LOOKUPDOTDOMAIN_', `1')') +ifelse(lower(_ARG3_),`skip',`define(`_ACCESS_SKIP_', `1')') +ifelse(lower(_ARG3_),`lookupdotdomain',`define(`_LOOKUPDOTDOMAIN_', `1')') +define(`_ATMPF_', `<TMPF>')dnl +dnl check whether arg contains -T`'_ATMPF_ +ifelse(defn(`_ARG_'), `', `', + defn(`_ARG_'), `LDAP', `', + `ifelse(index(_ARG_, _ATMPF_), `-1', + `errprint(`*** WARNING: missing -T'_ATMPF_` in argument of FEATURE(`access_db',' defn(`_ARG_')`) +') + define(`_ABP_', index(_ARG_, ` ')) + define(`_NARG_', `substr(_ARG_, 0, _ABP_) -T'_ATMPF_` substr(_ARG_, _ABP_)') +')') LOCAL_CONFIG # Access list database (for spam stomping) -Kaccess ifelse(defn(`_ARG_'), `', - DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`access', - `_ARG_') +Kaccess ifelse(defn(`_ARG_'), `', DATABASE_MAP_TYPE -T`'_ATMPF_ MAIL_SETTINGS_DIR`access', + defn(`_ARG_'), `LDAP', `ldap -T`'_ATMPF_ -1 -v sendmailMTAMapValue -k (&(objectClass=sendmailMTAMapObject)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAMapName=access)(sendmailMTAKey=%0))', + defn(`_NARG_'), `', `_ARG_', `_NARG_') diff --git a/gnu/usr.sbin/sendmail/cf/feature/allmasquerade.m4 b/gnu/usr.sbin/sendmail/cf/feature/allmasquerade.m4 index 731d7b5fc41..1a6819331d5 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/allmasquerade.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/allmasquerade.m4 
@@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -13,7 +13,13 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: allmasquerade.m4,v 8.11 1999/08/06 01:28:26 gshapiro Exp $') +VERSIONID(`$Sendmail: allmasquerade.m4,v 8.13 2000/09/12 22:00:53 ca Exp $') divert(-1) +ifdef(`_MAILER_local_', + `errprint(`*** MAILER(`local') must appear after FEATURE(`allmasquerade')') +')dnl +ifdef(`_MAILER_uucp_', + `errprint(`*** MAILER(`uucp') must appear after FEATURE(`allmasquerade')') +')dnl define(`_ALL_MASQUERADE_', 1) diff --git a/gnu/usr.sbin/sendmail/cf/feature/always_add_domain.m4 b/gnu/usr.sbin/sendmail/cf/feature/always_add_domain.m4 index c7c6ebfcc42..f899347bd67 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/always_add_domain.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/always_add_domain.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -13,7 +13,10 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: always_add_domain.m4,v 8.9 1999/02/07 07:26:08 gshapiro Exp $') +VERSIONID(`$Sendmail: always_add_domain.m4,v 8.11 2000/09/12 22:00:53 ca Exp $') divert(-1) -define(`_ALWAYS_ADD_DOMAIN_', 1) +ifdef(`_MAILER_local_', + `errprint(`*** MAILER(`local') must appear after FEATURE(`always_add_domain')') +')dnl +define(`_ALWAYS_ADD_DOMAIN_', ifelse(len(X`'_ARG_),`1',`',_ARG_)) diff --git a/gnu/usr.sbin/sendmail/cf/feature/bestmx_is_local.m4 b/gnu/usr.sbin/sendmail/cf/feature/bestmx_is_local.m4 index b8065ddccfb..7938d9d8b41 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/bestmx_is_local.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/bestmx_is_local.m4 
@@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -13,10 +13,10 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: bestmx_is_local.m4,v 8.24 1999/10/18 21:50:24 ca Exp $') +VERSIONID(`$Sendmail: bestmx_is_local.m4,v 8.26 2000/09/17 17:30:00 gshapiro Exp $') divert(-1) -define(_BESTMX_IS_LOCAL_, _ARG_) +define(`_BESTMX_IS_LOCAL_', _ARG_) LOCAL_CONFIG # turn on bestMX lookup table diff --git a/gnu/usr.sbin/sendmail/cf/feature/bitdomain.m4 b/gnu/usr.sbin/sendmail/cf/feature/bitdomain.m4 index d6423dd5470..57bada72479 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/bitdomain.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/bitdomain.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998, 1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -13,13 +13,13 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: bitdomain.m4,v 8.23 1999/07/22 17:55:34 gshapiro Exp $') +VERSIONID(`$Sendmail: bitdomain.m4,v 8.28 2001/03/16 00:51:25 gshapiro Exp $') divert(-1) define(`_BITDOMAIN_TABLE_', `') LOCAL_CONFIG # BITNET mapping table -Kbitdomain ifelse(defn(`_ARG_'), `', - DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`bitdomain', +Kbitdomain ifelse(defn(`_ARG_'), `', DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`bitdomain', + defn(`_ARG_'), `LDAP', `ldap -1 -v sendmailMTAMapValue -k (&(objectClass=sendmailMTAMapObject)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAMapName=bitdomain)(sendmailMTAKey=%0))', `_ARG_') diff --git a/gnu/usr.sbin/sendmail/cf/feature/delay_checks.m4 b/gnu/usr.sbin/sendmail/cf/feature/delay_checks.m4 index be92bcd6665..0791f488137 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/delay_checks.m4 
+++ b/gnu/usr.sbin/sendmail/cf/feature/delay_checks.m4 @@ -10,7 +10,7 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: delay_checks.m4,v 8.7 2000/02/26 01:32:02 gshapiro Exp $') +VERSIONID(`$Sendmail: delay_checks.m4,v 8.8 2000/12/05 18:50:45 ca Exp $') divert(-1) define(`_DELAY_CHECKS_', 1) @@ -20,3 +20,6 @@ ifelse(defn(`_ARG_'), `', `', `errprint(`*** ERROR: illegal argument _ARG_ for FEATURE(delay_checks) ') ') + +dnl be backward compatible by default +ifelse(len(X`'_ARG2_), `1', `define(`_DELAY_COMPAT_8_10_', 1)', `') diff --git a/gnu/usr.sbin/sendmail/cf/feature/dnsbl.m4 b/gnu/usr.sbin/sendmail/cf/feature/dnsbl.m4 index 4c595e98f5c..a66f47ed8cb 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/dnsbl.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/dnsbl.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. # All rights reserved. # # By using this file, you agree to the terms and conditions set 
@@ -11,15 +11,22 @@ divert(-1) divert(0) ifdef(`_DNSBL_R_',`dnl',`dnl -VERSIONID(`$Sendmail: dnsbl.m4,v 8.18.16.1 2000/11/22 01:13:21 ca Exp $')') +VERSIONID(`$Sendmail: dnsbl.m4,v 8.24 2001/03/29 20:48:45 gshapiro Exp $') +define(`_DNSBL_R_',`') +LOCAL_CONFIG +# map for DNS based blacklist lookups +Kdnsbl host -T<TMP>') divert(-1) define(`_DNSBL_SRV_', `ifelse(len(X`'_ARG_),`1',`blackholes.mail-abuse.org',_ARG_)')dnl define(`_DNSBL_MSG_', `ifelse(len(X`'_ARG2_),`1',`"550 Mail from " $`'&{client_addr} " refused by blackhole site '_DNSBL_SRV_`"',`_ARG2_')')dnl +define(`_DNSBL_MSG_TMP_', `ifelse(_ARG3_,`t',`"451 Temporary lookup failure of " $`'&{client_addr} " at '_DNSBL_SRV_`"',`_ARG2_')')dnl divert(8) # DNS based IP address spam list _DNSBL_SRV_ R$* $: $&{client_addr} -R::ffff:$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1._DNSBL_SRV_. $: OK $) -R$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1._DNSBL_SRV_. $: OK $) +R$-.$-.$-.$- $: <?> $(dnsbl $4.$3.$2.$1._DNSBL_SRV_. $: OK $) R<?>OK $: OKSOFAR +ifelse(len(X`'_ARG3_),`1', +`R<?>$+<TMP> $: TMPOK', +`R<?>$+<TMP> $#error $@ 4.7.1 $: _DNSBL_MSG_TMP_') R<?>$+ $#error $@ 5.7.1 $: _DNSBL_MSG_ divert(-1) diff --git a/gnu/usr.sbin/sendmail/cf/feature/domaintable.m4 b/gnu/usr.sbin/sendmail/cf/feature/domaintable.m4 index 5542e315f29..c2a27a493ca 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/domaintable.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/domaintable.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998, 1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 
@@ -13,13 +13,13 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: domaintable.m4,v 8.17 1999/07/22 17:55:35 gshapiro Exp $') +VERSIONID(`$Sendmail: domaintable.m4,v 8.22 2001/03/16 00:51:25 gshapiro Exp $') divert(-1) define(`_DOMAIN_TABLE_', `') LOCAL_CONFIG # Domain table (adding domains) -Kdomaintable ifelse(defn(`_ARG_'), `', - DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`domaintable', +Kdomaintable ifelse(defn(`_ARG_'), `', DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`domaintable', + defn(`_ARG_'), `LDAP', `ldap -1 -v sendmailMTAMapValue -k (&(objectClass=sendmailMTAMapObject)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAMapName=domain)(sendmailMTAKey=%0))', `_ARG_') diff --git a/gnu/usr.sbin/sendmail/cf/feature/genericstable.m4 b/gnu/usr.sbin/sendmail/cf/feature/genericstable.m4 index f03a7af8530..72b6790c1a8 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/genericstable.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/genericstable.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998, 1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -13,13 +13,13 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: genericstable.m4,v 8.16 1999/07/22 17:55:35 gshapiro Exp $') +VERSIONID(`$Sendmail: genericstable.m4,v 8.21 2001/03/16 00:51:26 gshapiro Exp $') divert(-1) define(`_GENERICS_TABLE_', `') LOCAL_CONFIG # Generics table (mapping outgoing addresses) -Kgenerics ifelse(defn(`_ARG_'), `', - DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`genericstable', +Kgenerics ifelse(defn(`_ARG_'), `', DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`genericstable', + defn(`_ARG_'), `LDAP', `ldap -1 -v sendmailMTAMapValue -k (&(objectClass=sendmailMTAMapObject)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAMapName=generics)(sendmailMTAKey=%0))', `_ARG_') 
diff --git a/gnu/usr.sbin/sendmail/cf/feature/ldap_routing.m4 b/gnu/usr.sbin/sendmail/cf/feature/ldap_routing.m4 index 4f2e7799fa4..677ce67d8c5 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/ldap_routing.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/ldap_routing.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1999-2000 Sendmail, Inc. and its suppliers. +# Copyright (c) 1999-2001 Sendmail, Inc. and its suppliers. # All rights reserved. # # By using this file, you agree to the terms and conditions set @@ -10,7 +10,7 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: ldap_routing.m4,v 8.5.4.1 2000/07/15 18:05:05 gshapiro Exp $') +VERSIONID(`$Sendmail: ldap_routing.m4,v 8.8 2001/06/27 21:46:31 gshapiro Exp $') divert(-1) # Check first two arguments. If they aren't set, may need to warn in proto.m4 @@ -23,6 +23,11 @@ ifelse(len(X`'_ARG3_), `1', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')', _ARG3_, `passthru', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')', `define(`_LDAP_ROUTING_', `_MUST_EXIST_')') +# Check for fouth argument to indicate how to deal with +detail info +ifelse(len(X`'_ARG4_), `1', `', + _ARG4_, `strip', `define(`_LDAP_ROUTE_DETAIL_', `_STRIP_')', + _ARG4_, `preserve', `define(`_LDAP_ROUTE_DETAIL_', `_PRESERVE_')') + LOCAL_CONFIG # LDAP routing maps Kldapmh ifelse(len(X`'_ARG1_), `1', diff --git a/gnu/usr.sbin/sendmail/cf/feature/local_lmtp.m4 b/gnu/usr.sbin/sendmail/cf/feature/local_lmtp.m4 index f680970fd3b..b7d74fa843a 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/local_lmtp.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/local_lmtp.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. # All rights reserved. # # By using this file, you agree to the terms and conditions set 
@@ -10,7 +10,7 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: local_lmtp.m4,v 8.15 1999/11/18 05:06:22 ca Exp $') +VERSIONID(`$Sendmail: local_lmtp.m4,v 8.16 2000/08/18 18:58:45 ca Exp $') divert(-1) ifdef(`_MAILER_local_', @@ -24,3 +24,4 @@ define(`LOCAL_MAILER_PATH', define(`LOCAL_MAILER_FLAGS', `PSXfmnz9') define(`LOCAL_MAILER_ARGS', `mail.local -l') define(`LOCAL_MAILER_DSN_DIAGNOSTIC_CODE', `SMTP') +define(`_LOCAL_LMTP_', `1') diff --git a/gnu/usr.sbin/sendmail/cf/feature/mailertable.m4 b/gnu/usr.sbin/sendmail/cf/feature/mailertable.m4 index ad6088e0d66..b425860cc2e 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/mailertable.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/mailertable.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998, 1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -13,13 +13,13 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: mailertable.m4,v 8.18 1999/07/22 17:55:35 gshapiro Exp $') +VERSIONID(`$Sendmail: mailertable.m4,v 8.23 2001/03/16 00:51:26 gshapiro Exp $') divert(-1) define(`_MAILER_TABLE_', `') LOCAL_CONFIG # Mailer table (overriding domains) -Kmailertable ifelse(defn(`_ARG_'), `', - DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`mailertable', +Kmailertable ifelse(defn(`_ARG_'), `', DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`mailertable', + defn(`_ARG_'), `LDAP', `ldap -1 -v sendmailMTAMapValue -k (&(objectClass=sendmailMTAMapObject)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAMapName=mailer)(sendmailMTAKey=%0))', `_ARG_') diff --git a/gnu/usr.sbin/sendmail/cf/feature/no_default_msa.m4 b/gnu/usr.sbin/sendmail/cf/feature/no_default_msa.m4 index 52a18653f21..11aa676aa92 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/no_default_msa.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/no_default_msa.m4 
@@ -10,7 +10,7 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: no_default_msa.m4,v 8.1.10.1 2000/09/17 17:04:22 gshapiro Exp $') +VERSIONID(`$Sendmail: no_default_msa.m4,v 8.2 2001/02/14 05:03:22 gshapiro Exp $') divert(-1) define(`_NO_MSA_', `1') diff --git a/gnu/usr.sbin/sendmail/cf/feature/nullclient.m4 b/gnu/usr.sbin/sendmail/cf/feature/nullclient.m4 index 568774bfb18..656c6b7f193 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/nullclient.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/nullclient.m4 @@ -22,7 +22,7 @@ ifelse(defn(`_ARG_'), `', `errprint(`Feature "nullclient" requires argument')', # divert(0) -VERSIONID(`$Sendmail: nullclient.m4,v 8.21.16.3 2000/09/17 17:04:22 gshapiro Exp $') +VERSIONID(`$Sendmail: nullclient.m4,v 8.24 2000/09/17 17:30:00 gshapiro Exp $') divert(-1) undefine(`ALIAS_FILE') diff --git a/gnu/usr.sbin/sendmail/cf/feature/promiscuous_relay.m4 b/gnu/usr.sbin/sendmail/cf/feature/promiscuous_relay.m4 index 8aac82e1965..4d9d711b9cf 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/promiscuous_relay.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/promiscuous_relay.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # # By using this file, you agree to the terms and conditions set @@ -10,7 +10,10 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: promiscuous_relay.m4,v 8.10 1999/02/07 07:26:11 gshapiro Exp $') +VERSIONID(`$Sendmail: promiscuous_relay.m4,v 8.12 2001/02/06 17:14:35 ca Exp $') divert(-1) define(`_PROMISCUOUS_RELAY_', 1) +errprint(`*** WARNING: FEATURE(`promiscuous_relay') configures your system as open + relay. Do NOT use it on a server that is connected to the Internet! +') diff --git a/gnu/usr.sbin/sendmail/cf/feature/relay_local_from.m4 b/gnu/usr.sbin/sendmail/cf/feature/relay_local_from.m4 index 8be79252014..d793976c9eb 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/relay_local_from.m4 
+++ b/gnu/usr.sbin/sendmail/cf/feature/relay_local_from.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # # By using this file, you agree to the terms and conditions set @@ -10,7 +10,11 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: relay_local_from.m4,v 8.5 1999/02/07 07:26:12 gshapiro Exp $') +VERSIONID(`$Sendmail: relay_local_from.m4,v 8.6 2001/02/06 15:55:21 ca Exp $') divert(-1) define(`_RELAY_LOCAL_FROM_', 1) +errprint(`*** WARNING: FEATURE(`relay_local_from') may cause your system to act as open + relay. Use SMTP AUTH or STARTTLS instead. If you cannot use those, + try FEATURE(`relay_mail_from'). +') diff --git a/gnu/usr.sbin/sendmail/cf/feature/relay_mail_from.m4 b/gnu/usr.sbin/sendmail/cf/feature/relay_mail_from.m4 index e65890c1c44..fc134746a1f 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/relay_mail_from.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/relay_mail_from.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # # By using this file, you agree to the terms and conditions set @@ -10,11 +10,14 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: relay_mail_from.m4,v 8.2 1999/04/02 02:25:13 gshapiro Exp $') +VERSIONID(`$Sendmail: relay_mail_from.m4,v 8.3 2001/02/06 16:07:12 ca Exp $') divert(-1) ifdef(`_ACCESS_TABLE_', `define(`_RELAY_DB_FROM_', 1) ifelse(_ARG_,`domain',`define(`_RELAY_DB_FROM_DOMAIN_', 1)')', - `errprint(`*** ERROR: FEATURE(relay_mail_from) requires FEATURE(access_db) + `errprint(`*** ERROR: FEATURE(`relay_mail_from') requires FEATURE(`access_db') ')') +errprint(`*** WARNING: FEATURE(`relay_mail_from') may cause your system to act as open + relay. Use SMTP AUTH or STARTTLS instead. +') 
diff --git a/gnu/usr.sbin/sendmail/cf/feature/use_ct_file.m4 b/gnu/usr.sbin/sendmail/cf/feature/use_ct_file.m4 index db6c308e6ab..c010fdf655b 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/use_ct_file.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/use_ct_file.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998, 1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -13,12 +13,11 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: use_ct_file.m4,v 8.9 1999/02/07 07:26:13 gshapiro Exp $') +VERSIONID(`$Sendmail: use_ct_file.m4,v 8.11 2001/08/26 20:58:57 gshapiro Exp $') divert(-1) -# if defined, the sendmail.cf will read the /etc/sendmail.ct file -# to find the names of trusted users. There should only be a few -# of these, and normally this is done directly in the .cf file. +# if defined, the sendmail.cf will read the /etc/mail/trusted-users file to +# find the names of trusted users. There should only be a few of these. define(`_USE_CT_FILE_', `') diff --git a/gnu/usr.sbin/sendmail/cf/feature/use_cw_file.m4 b/gnu/usr.sbin/sendmail/cf/feature/use_cw_file.m4 index bad558f352e..15e77707cef 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/use_cw_file.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/use_cw_file.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998, 1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 
@@ -13,12 +13,12 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: use_cw_file.m4,v 8.9 1999/02/07 07:26:13 gshapiro Exp $') +VERSIONID(`$Sendmail: use_cw_file.m4,v 8.11 2001/08/26 20:58:57 gshapiro Exp $') divert(-1) -# if defined, the sendmail.cf will read the /etc/sendmail.cw file -# to find alternate names for this host. Typically only used when -# several hosts have been squashed into one another at high speed. +# if defined, the sendmail.cf will read the /etc/mail/local-host-names file +# to find alternate names for this host. Typically only used when several +# hosts have been squashed into one another at high speed. define(`USE_CW_FILE', `') diff --git a/gnu/usr.sbin/sendmail/cf/feature/uucpdomain.m4 b/gnu/usr.sbin/sendmail/cf/feature/uucpdomain.m4 index 0f7f78b99f2..88e975d58ae 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/uucpdomain.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/uucpdomain.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998, 1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -13,13 +13,13 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: uucpdomain.m4,v 8.22 1999/07/22 17:55:35 gshapiro Exp $') +VERSIONID(`$Sendmail: uucpdomain.m4,v 8.27 2001/03/16 00:51:26 gshapiro Exp $') divert(-1) define(`_UUDOMAIN_TABLE_', `') LOCAL_CONFIG # UUCP domain table -Kuudomain ifelse(defn(`_ARG_'), `', - DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`uudomain', +Kuudomain ifelse(defn(`_ARG_'), `', DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`uudomain', + defn(`_ARG_'), `LDAP', `ldap -1 -v sendmailMTAMapValue -k (&(objectClass=sendmailMTAMapObject)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAMapName=uucpdomain)(sendmailMTAKey=%0))', `_ARG_') 
diff --git a/gnu/usr.sbin/sendmail/cf/feature/virtusertable.m4 b/gnu/usr.sbin/sendmail/cf/feature/virtusertable.m4 index 1210ee98285..608cb33f789 100644 --- a/gnu/usr.sbin/sendmail/cf/feature/virtusertable.m4 +++ b/gnu/usr.sbin/sendmail/cf/feature/virtusertable.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998, 1999, 2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -13,13 +13,13 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: virtusertable.m4,v 8.16 1999/07/22 17:55:36 gshapiro Exp $') +VERSIONID(`$Sendmail: virtusertable.m4,v 8.21 2001/03/16 00:51:26 gshapiro Exp $') divert(-1) define(`_VIRTUSER_TABLE_', `') LOCAL_CONFIG # Virtual user table (maps incoming users) -Kvirtuser ifelse(defn(`_ARG_'), `', - DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`virtusertable', +Kvirtuser ifelse(defn(`_ARG_'), `', DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`virtusertable', + defn(`_ARG_'), `LDAP', `ldap -1 -v sendmailMTAMapValue -k (&(objectClass=sendmailMTAMapObject)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAMapName=virtuser)(sendmailMTAKey=%0))', `_ARG_') diff --git a/gnu/usr.sbin/sendmail/cf/m4/cfhead.m4 b/gnu/usr.sbin/sendmail/cf/m4/cfhead.m4 index 603b4fafe5e..da0cfbfd72b 100644 --- a/gnu/usr.sbin/sendmail/cf/m4/cfhead.m4 +++ b/gnu/usr.sbin/sendmail/cf/m4/cfhead.m4 @@ -23,6 +23,10 @@ include(TEMPFILE)dnl syscmd(rm -f TEMPFILE)dnl')', `dnl') ##### ###################################################################### +##### +##### DO NOT EDIT THIS FILE! Only edit the source .mc file. +##### +###################################################################### ###################################################################### divert(-1) 
@@ -46,8 +50,6 @@ define(`OSTYPE', ## helpful functions define(`lower', `translit(`$1', `ABCDEFGHIJKLMNOPQRSTUVWXYZ', `abcdefghijklmnopqrstuvwx')') define(`strcasecmp', `ifelse(lower($1), lower($2), `1', `0')') -## new FEATUREs -define(`_DNSBL_R_',`') ## access to further arguments in FEATURE/HACK define(`_ACC_ARG_1_',`$1') define(`_ACC_ARG_2_',`$2') @@ -101,14 +103,21 @@ dnl in MAILER.m4: _MODMF_(LMF,`LOCAL') dnl ---------------------------------------- define(`MAILER', `define(`_M_N_', `ifelse(`$2', `', `$1', `$2')')dnl -ifdef(_MAILER_`'_M_N_`'_, `dnl`'', +ifdef(`_MAILER_DEFINED_', `', `define(`_MAILER_DEFINED_', `1')')dnl +ifdef(_MAILER_`'_M_N_`'_, +`errprint(`*** ERROR: MAILER('_M_N_`) already included +')', `define(_MAILER_`'_M_N_`'_, `')define(`_ARG_', `$2')define(`_ARGS_', `shift($@)')PUSHDIVERT(7)include(_CF_DIR_`'mailer/$1.m4)POPDIVERT`'')') define(`DOMAIN', `PUSHDIVERT(-1)define(`_ARG_', `$2')include(_CF_DIR_`'domain/$1.m4)POPDIVERT`'') -define(`FEATURE', `PUSHDIVERT(-1)define(`_ARG_', `$2')define(`_ARGS_', `shift($@)')include(_CF_DIR_`'feature/$1.m4)POPDIVERT`'') +define(`FEATURE', `PUSHDIVERT(-1)ifdef(`_MAILER_DEFINED_',`errprint(`*** ERROR: FEATURE() should be before MAILER() +')')define(`_ARG_', `$2')define(`_ARGS_', `shift($@)')include(_CF_DIR_`'feature/$1.m4)POPDIVERT`'') define(`HACK', `PUSHDIVERT(-1)define(`_ARG_', `$2')define(`_ARGS_', `shift($@)')include(_CF_DIR_`'hack/$1.m4)POPDIVERT`'') define(`_DPO_',`') define(`DAEMON_OPTIONS', `define(`_DPO_', defn(`_DPO_') O DaemonPortOptions=`$1')') +define(`_CPO_',`') +define(`CLIENT_OPTIONS', `define(`_CPO_', defn(`_CPO_') +O ClientPortOptions=`$1')') define(`_MAIL_FILTERS_', `') define(`MAIL_FILTER', `define(`_MAIL_FILTERS_', defn(`_MAIL_FILTERS_') X`'$1`, '`$2')') 
@@ -116,7 +125,10 @@ define(`INPUT_MAIL_FILTER', `MAIL_FILTER(`$1', `$2') ifelse(defn(`confINPUT_MAIL_FILTERS')X, `X', `define(`confINPUT_MAIL_FILTERS', $1)', `define(`confINPUT_MAIL_FILTERS', defn(`confINPUT_MAIL_FILTERS')`, '`$1')')') -define(`CF_LEVEL', `9')dnl +define(`_QUEUE_GROUP_', `') +define(`QUEUE_GROUP', `define(`_QUEUE_GROUP_', defn(`_QUEUE_GROUP_') +Q`'$1`, '`$2')') +define(`CF_LEVEL', `10')dnl define(`VERSIONID', ``##### $1 #####'') define(`LOCAL_RULE_0', `divert(3)') define(`LOCAL_RULE_1', @@ -139,6 +151,36 @@ define(`LOCAL_RULESETS', `divert(9) ') +define(`LOCAL_SRV_FEATURES', +`define(`_LOCAL_SRV_FEATURES_') +ifdef(`_MAILER_DEFINED_',,`errprint(`*** WARNING: MAILER() should be before LOCAL_SRV_FEATURES +')') +divert(9) +SLocal_srv_features') +define(`LOCAL_TRY_TLS', +`define(`_LOCAL_TRY_TLS_') +ifdef(`_MAILER_DEFINED_',,`errprint(`*** WARNING: MAILER() should be before LOCAL_TRY_TLS +')') +divert(9) +SLocal_try_tls') +define(`LOCAL_TLS_RCPT', +`define(`_LOCAL_TLS_RCPT_') +ifdef(`_MAILER_DEFINED_',,`errprint(`*** WARNING: MAILER() should be before LOCAL_TLS_RCPT +')') +divert(9) +SLocal_tls_rcpt') +define(`LOCAL_TLS_CLIENT', +`define(`_LOCAL_TLS_CLIENT_') +ifdef(`_MAILER_DEFINED_',,`errprint(`*** WARNING: MAILER() should be before LOCAL_TLS_CLIENT +')') +divert(9) +SLocal_tls_client') +define(`LOCAL_TLS_SERVER', +`define(`_LOCAL_TLS_SERVER_') +ifdef(`_MAILER_DEFINED_',,`errprint(`*** WARNING: MAILER() should be before LOCAL_TLS_SERVER +')') +divert(9) +SLocal_tls_server') define(`LOCAL_RULE_3', `divert(2)') define(`LOCAL_CONFIG', `divert(6)') define(`MAILER_DEFINITIONS', `divert(7)') 
@@ -149,17 +191,19 @@ define(`DOL', ``$'$1') define(`SITECONFIG', `CONCAT(D, $3, $2) define(`_CLASS_$3_', `')dnl -ifelse($3, U, Cw$2 $2.UUCP, `dnl') +ifelse($3, U, C{w}$2 $2.UUCP, `dnl') define(`SITE', `ifelse(CONCAT($'2`, $3), SU, CONCAT(CY, $'1`), CONCAT(C, $3, $'1`))') sinclude(_CF_DIR_`'siteconfig/$1.m4)') define(`EXPOSED_USER', `PUSHDIVERT(5)C{E}$1 POPDIVERT`'dnl`'') -ifdef(`_FFR_EXPOSED_USER_FILE', `define(`EXPOSED_USER_FILE', `PUSHDIVERT(5)F{E}$1 -POPDIVERT`'dnl`'')', `dnl') +define(`EXPOSED_USER_FILE', `PUSHDIVERT(5)F{E}$1 +POPDIVERT`'dnl`'') define(`LOCAL_USER', `PUSHDIVERT(5)C{L}$1 POPDIVERT`'dnl`'') +define(`LOCAL_USER_FILE', `PUSHDIVERT(5)F{L}$1 +POPDIVERT`'dnl`'') define(`MASQUERADE_AS', `define(`MASQUERADE_NAME', $1)') define(`MASQUERADE_DOMAIN', `PUSHDIVERT(5)C{M}$1 POPDIVERT`'dnl`'') @@ -167,6 +211,8 @@ define(`MASQUERADE_EXCEPTION', `PUSHDIVERT(5)C{N}$1 POPDIVERT`'dnl`'') define(`MASQUERADE_DOMAIN_FILE', `PUSHDIVERT(5)F{M}$1 POPDIVERT`'dnl`'') +define(`MASQUERADE_EXCEPTION_FILE', `PUSHDIVERT(5)F{N}$1 +POPDIVERT`'dnl`'') define(`LOCAL_DOMAIN', `PUSHDIVERT(5)C{w}$1 POPDIVERT`'dnl`'') define(`CANONIFY_DOMAIN', `PUSHDIVERT(5)C{Canonify}$1 @@ -181,6 +227,10 @@ define(`LDAPROUTE_DOMAIN', `PUSHDIVERT(5)C{LDAPRoute}$1 POPDIVERT`'dnl`'') define(`LDAPROUTE_DOMAIN_FILE', `PUSHDIVERT(5)F{LDAPRoute}$1 POPDIVERT`'dnl`'') +define(`LDAPROUTE_EQUIVALENT', `PUSHDIVERT(5)C{LDAPRouteEquiv}$1 +POPDIVERT`'dnl`'') +define(`LDAPROUTE_EQUIVALENT_FILE', `PUSHDIVERT(5)F{LDAPRouteEquiv}$1 +POPDIVERT`'dnl`'') define(`VIRTUSER_DOMAIN', `PUSHDIVERT(5)C{VirtHost}$1 define(`_VIRTHOSTS_') POPDIVERT`'dnl`'') @@ -191,7 +241,7 @@ define(`RELAY_DOMAIN', `PUSHDIVERT(5)C{R}$1 POPDIVERT`'dnl`'') define(`RELAY_DOMAIN_FILE', `PUSHDIVERT(5)F{R}$1 POPDIVERT`'dnl`'') -define(`TRUST_AUTH_MECH', `PUSHDIVERT(5)C{TrustAuthMech}$1 +define(`TRUST_AUTH_MECH', `_DEFIFNOT(`_USE_AUTH_',`1')PUSHDIVERT(5)C{TrustAuthMech}$1 POPDIVERT`'dnl`'') define(`_OPTINS', `ifdef(`$1', `$2$1$3')') 
@@ -211,14 +261,14 @@ define(`confFROM_LINE', `From $g $d') define(`confOPERATORS', `.:%@!^/[]+') define(`confSMTP_LOGIN_MSG', `$j Sendmail $v/$Z; $b') define(`_REC_AUTH_', `$.$?{auth_type}(authenticated') -define(`_REC_FULL_AUTH_', `$.$?{auth_type}(authenticated as ${auth_authen} $?{auth_author}for ${auth_author} $.with ${auth_type}') +define(`_REC_FULL_AUTH_', `$.$?{auth_type}(user=${auth_authen} $?{auth_author}author=${auth_author} $.mech=${auth_type}') define(`_REC_HDR_', `$?sfrom $s $.$?_($?s$|from $.$_)') define(`_REC_END_', `for $u; $|; $.$b') -define(`_REC_TLS_', `(using ${tls_version} with cipher ${cipher} (${cipher_bits} bits) verified ${verify})$.$?u') +define(`_REC_TLS_', `(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u') define(`_REC_BY_', `$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}') define(`confRECEIVED_HEADER', `_REC_HDR_ - _REC_AUTH_$?{auth_ssf} (${auth_ssf} bits)$.) + _REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.) _REC_BY_ _REC_TLS_ _REC_END_') @@ -251,4 +301,4 @@ define(`confMILTER_MACROS_ENVRCPT', ``{rcpt_mailer}, {rcpt_host}, {rcpt_addr}'') divert(0)dnl -VERSIONID(`$Sendmail: cfhead.m4,v 8.76.4.16 2001/03/06 22:56:36 ca Exp $') +VERSIONID(`$Sendmail: cfhead.m4,v 8.107 2001/07/22 03:25:37 ca Exp $') diff --git a/gnu/usr.sbin/sendmail/cf/m4/proto.m4 b/gnu/usr.sbin/sendmail/cf/m4/proto.m4 index cf721de8d37..dc2ae85c02c 100644 --- a/gnu/usr.sbin/sendmail/cf/m4/proto.m4 +++ b/gnu/usr.sbin/sendmail/cf/m4/proto.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983, 1995 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 
@@ -13,14 +13,16 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: proto.m4,v 8.446.2.5.2.44 2001/07/31 22:25:49 gshapiro Exp $') - -MAILER(local)dnl +VERSIONID(`$Sendmail: proto.m4,v 8.620 2001/08/20 00:55:08 ca Exp $') # level CF_LEVEL config file format V`'CF_LEVEL/ifdef(`VENDOR_NAME', `VENDOR_NAME', `Berkeley') divert(-1) +dnl if MAILER(`local') not defined: do it ourself; be nice +dnl maybe we should issue a warning? +ifdef(`_MAILER_local_',`', `MAILER(local)') + # do some sanity checking ifdef(`__OSTYPE__',, `errprint(`*** ERROR: No system type defined (use OSTYPE macro) @@ -76,8 +78,10 @@ define(`_OPTION', `ifdef(`$2', `O $1`'ifelse(defn(`$2'), `',, `=$2')', `#O $1`'i dnl required to "rename" the check_* rulesets... define(`_U_',ifdef(`_DELAY_CHECKS_',`',`_')) dnl default relaying denied message -ifdef(`confRELAY_MSG', `', `define(`confRELAY_MSG', `"550 Relaying denied"')') -define(`CODE553', `553') +ifdef(`confRELAY_MSG', `', `define(`confRELAY_MSG', +ifdef(`_USE_AUTH_', `"550 Relaying denied. Proper authentication required."', `"550 Relaying denied"'))') +ifdef(`confRCPTREJ_MSG', `', `define(`confRCPTREJ_MSG', `"550 Mailbox disabled for this recipient"')') +define(`_CODE553', `553') divert(0)dnl # override file safeties - setting this option compromises system security, @@ -93,6 +97,10 @@ _OPTION(LDAPDefaultSpec, `confLDAP_DEFAULT_SPEC', `-h localhost') # local info # ################## +# my LDAP cluster +# need to set this before any LDAP lookups are done (including classes) +ifdef(`confLDAP_CLUSTER', `D{sendmailMTACluster}`'confLDAP_CLUSTER', `#D{sendmailMTACluster}$m') + Cwlocalhost ifdef(`USE_CW_FILE', `# file containing names of hosts for which we receive email @@ -131,7 +139,7 @@ CPFAX ')dnl # "Smart" relay host (may be null) -DS`'ifdef(`SMART_HOST', SMART_HOST) +DS`'ifdef(`SMART_HOST', `SMART_HOST') ifdef(`LUSER_RELAY', `dnl # place to which unknown users should be forwarded 
@@ -151,15 +159,18 @@ C[[ ifdef(`_ACCESS_TABLE_', `dnl # access_db acceptance class C{Accept}OK RELAY -ifdef(`_DELAY_CHECKS_',`dnl +ifdef(`_DELAY_COMPAT_8_10_',`dnl ifdef(`_BLACKLIST_RCPT_',`dnl # possible access_db RHS for spam friends/haters C{SpamTag}SPAMFRIEND SPAMHATER')')', `dnl') +dnl mark for "domain is ok" (resolved or accepted anyway) +define(`_RES_OK_', `OKR')dnl ifdef(`_ACCEPT_UNRESOLVABLE_DOMAINS_',`dnl',`dnl # Resolve map (to check if a host exists in check_mail) -Kresolve host -a<OK> -T<TEMP>') +Kresolve host -a<_RES_OK_> -T<TEMP>') +C{ResOk}_RES_OK_ ifdef(`_NEED_MACRO_MAP_', `dnl ifdef(`_MACRO_MAP_', `', `# macro storage map @@ -171,16 +182,20 @@ ifdef(`confCR_FILE', `dnl FR`'confCR_FILE', `dnl') -define(`TLS_SRV_TAG', `TLS_Srv')dnl -define(`TLS_CLT_TAG', `TLS_Clt')dnl -define(`TLS_TRY_TAG', `Try_TLS')dnl -define(`TLS_OFF_TAG', `Offer_TLS')dnl +define(`TLS_SRV_TAG', `"TLS_Srv"')dnl +define(`TLS_CLT_TAG', `"TLS_Clt"')dnl +define(`TLS_RCPT_TAG', `"TLS_Rcpt"')dnl +define(`TLS_TRY_TAG', `"Try_TLS"')dnl +define(`SRV_FEAT_TAG', `"Srv_Features"')dnl dnl this may be useful in other contexts too ifdef(`_ARITH_MAP_', `', `# arithmetic map define(`_ARITH_MAP_', `1')dnl Karith arith') ifdef(`_ACCESS_TABLE_', `dnl -# possible values for tls_connect in access map +ifdef(`_MACRO_MAP_', `', `# macro storage map +define(`_MACRO_MAP_', `1')dnl +Kmacro macro') +# possible values for TLS_connection in access map C{tls}VERIFY ENCR', `dnl') ifdef(`_CERT_REGEX_ISSUER_', `dnl # extract relevant part from cert issuer 
@@ -189,14 +204,16 @@ ifdef(`_CERT_REGEX_SUBJECT_', `dnl # extract relevant part from cert subject KCERTSubject regex _CERT_REGEX_SUBJECT_', `dnl') +ifdef(`LOCAL_RELAY', `dnl # who I send unqualified names to (null means deliver locally) -DR`'ifdef(`LOCAL_RELAY', LOCAL_RELAY) +DR`'LOCAL_RELAY') +ifdef(`MAIL_HUB', `dnl # who gets all local email traffic ($R has precedence for unqualified names) -DH`'ifdef(`MAIL_HUB', MAIL_HUB) +DH`'MAIL_HUB') # dequoting map -Kdequote dequote +Kdequote dequote`'ifdef(`confDEQUOTE_OPTS', ` confDEQUOTE_OPTS', `') divert(0)dnl # end of nullclient diversion # class E: names that should be exposed as from this host, even if we masquerade @@ -207,8 +224,9 @@ divert(0)dnl # end of nullclient diversion undivert(5)dnl ifdef(`_VIRTHOSTS_', `CR$={VirtHost}', `dnl') +ifdef(`MASQUERADE_NAME', `dnl # who I masquerade as (null for no masquerading) (see also $=M) -DM`'ifdef(`MASQUERADE_NAME', MASQUERADE_NAME) +DM`'MASQUERADE_NAME') # my name for error messages ifdef(`confMAILER_NAME', `Dn`'confMAILER_NAME', `#DnMAILER-DAEMON') @@ -219,6 +237,10 @@ include(_CF_DIR_`m4/version.m4') ############### # Options # ############### +ifdef(`confAUTO_REBUILD', +`errprint(WARNING: `confAUTO_REBUILD' is no longer valid. + There was a potential for a denial of service attack if this is set. +)')dnl # strip message body to 7 bits on input? _OPTION(SevenBitInput, `confSEVEN_BIT_INPUT', `False') @@ -250,11 +272,6 @@ _OPTION(CheckpointInterval, `confCHECKPOINT_INTERVAL', `10') # default delivery mode _OPTION(DeliveryMode, `confDELIVERY_MODE', `background') -# automatically rebuild the alias database? -# NOTE: There is a potential for a denial of service attack if this is set. -# This option is deprecated and will be removed from a future version. -_OPTION(AutoRebuildAliases, `confAUTO_REBUILD', `False') - # error message header/file _OPTION(ErrorHeader, `confERROR_MESSAGE', `MAIL_SETTINGS_DIR`'error-header') 
@@ -264,6 +281,9 @@ _OPTION(ErrorMode, `confERROR_MODE', `print') # save Unix-style "From_" lines at top of header? _OPTION(SaveFromLine, `confSAVE_FROM_LINES', `False') +# queue file mode (qf files) +_OPTION(QueueFileMode, `confQUEUE_FILE_MODE', `0600') + # temporary file mode _OPTION(TempFileMode, `confTEMP_FILE_MODE', `0600') @@ -321,12 +341,23 @@ ifelse(defn(`confDAEMON_OPTIONS'), `', `dnl', )'dnl `DAEMON_OPTIONS(`confDAEMON_OPTIONS')') ifelse(defn(`_DPO_'), `', -`ifdef(`_NETINET6_', `O DaemonPortOptions=Name=MTA-IPv4, Family=inet -O DaemonPortOptions=Name=MTA-IPv6, Family=inet6',`O DaemonPortOptions=Name=MTA')', `_DPO_') +`ifdef(`_NETINET6_', `O DaemonPortOptions=Name=MTA-v4, Family=inet +O DaemonPortOptions=Name=MTA-v6, Family=inet6',`O DaemonPortOptions=Name=MTA')', `_DPO_') ifdef(`_NO_MSA_', `dnl', `O DaemonPortOptions=Port=587, Name=MSA, M=E') # SMTP client options -_OPTION(ClientPortOptions, `confCLIENT_OPTIONS', `Address=0.0.0.0') +ifelse(defn(`confCLIENT_OPTIONS'), `', `dnl', +`errprint(WARNING: `confCLIENT_OPTIONS' is no longer valid. See cf/README for more information. +)'dnl +`CLIENT_OPTIONS(`confCLIENT_OPTIONS')') +ifelse(defn(`_CPO_'), `', +`#O ClientPortOptions=Family=inet, Address=0.0.0.0', `_CPO_') + +# Modifiers to `define' {daemon_flags} for direct submissions +_OPTION(DirectSubmissionModifiers, `confDIRECT_SUBMISSION_MODIFIERS', `') + +# Use as mail submission program? See sendmail/SECURITY +_OPTION(UseMSP, `confUSE_MSP', `') # privacy flags _OPTION(PrivacyOptions, `confPRIVACY_FLAGS', `authwarnings') 
@@ -337,12 +368,37 @@ _OPTION(PostmasterCopy, `confCOPY_ERRORS_TO', `Postmaster') # slope of queue-only function _OPTION(QueueFactor, `confQUEUE_FACTOR', `600000') +# limit on number of concurrent queue runners +_OPTION(MaxQueueChildren, `confMAX_QUEUE_CHILDREN', `') + +# maximum number of queue-runners per queue-grouping with multiple queues +_OPTION(MaxRunnersPerQueue, `confMAX_RUNNERS_PER_QUEUE', `1') + +# priority of queue runners (nice(3)) +_OPTION(NiceQueueRun, `confNICE_QUEUE_RUN', `') + +# shall we sort the queue by hostname first? +_OPTION(QueueSortOrder, `confQUEUE_SORT_ORDER', `priority') + +# minimum time in queue before retry +_OPTION(MinQueueAge, `confMIN_QUEUE_AGE', `30m') + +# how many jobs can you process in the queue? +_OPTION(MaxQueueRunSize, `confMAX_QUEUE_RUN_SIZE', `10000') + +# perform initial split of envelope without checking MX records +_OPTION(FastSplit, `confFAST_SPLIT', `1') + # queue directory O QueueDirectory=ifdef(`QUEUE_DIR', QUEUE_DIR, `/var/spool/mqueue') +# key for shared memory; 0 to turn off +_OPTION(SharedMemoryKey, `confSHARED_MEMORY_KEY', `0') + # timeouts (many of these) _OPTION(Timeout.initial, `confTO_INITIAL', `5m') _OPTION(Timeout.connect, `confTO_CONNECT', `5m') +_OPTION(Timeout.aconnect, `confTO_ACONNECT', `0s') _OPTION(Timeout.iconnect, `confTO_ICONNECT', `5m') _OPTION(Timeout.helo, `confTO_HELO', `5m') _OPTION(Timeout.mail, `confTO_MAIL', `10m') 
@@ -372,6 +428,12 @@ _OPTION(Timeout.resolver.retrans.normal, `confTO_RESOLVER_RETRANS_NORMAL', `5s') _OPTION(Timeout.resolver.retry, `confTO_RESOLVER_RETRY', `4') _OPTION(Timeout.resolver.retry.first, `confTO_RESOLVER_RETRY_FIRST', `4') _OPTION(Timeout.resolver.retry.normal, `confTO_RESOLVER_RETRY_NORMAL', `4') +_OPTION(Timeout.lhlo, `confTO_LHLO', `2m') +_OPTION(Timeout.auth, `confTO_AUTH', `10m') +_OPTION(Timeout.starttls, `confTO_STARTTLS', `1h') + +# time for DeliverBy; extension disabled if less than 0 +_OPTION(DeliverByMin, `confDELIVER_BY_MIN', `0') # should we not prune routes in route-addr syntax addresses? _OPTION(DontPruneRoutes, `confDONT_PRUNE_ROUTES', `False') @@ -408,6 +470,9 @@ _OPTION(QueueLA, `confQUEUE_LA', `8') # load average at which we refuse connections _OPTION(RefuseLA, `confREFUSE_LA', `12') +# load average at which we delay connections; 0 means no limit +_OPTION(DelayLA, `confDELAY_LA', `0') + # maximum number of children we allow at one time _OPTION(MaxDaemonChildren, `confMAX_DAEMON_CHILDREN', `12') @@ -426,16 +491,10 @@ _OPTION(ClassFactor, `confWORK_CLASS_FACTOR', `1800') # work time factor _OPTION(RetryFactor, `confWORK_TIME_FACTOR', `90000') -# shall we sort the queue by hostname first? -_OPTION(QueueSortOrder, `confQUEUE_SORT_ORDER', `priority') - -# minimum time in queue before retry -_OPTION(MinQueueAge, `confMIN_QUEUE_AGE', `30m') - # default character set _OPTION(DefaultCharSet, `confDEF_CHAR_SET', `iso-8859-1') -# service switch file (ignored on Solaris, Ultrix, OSF/1, others) +# service switch file (name hardwired on Solaris, Ultrix, OSF/1, others) _OPTION(ServiceSwitchFile, `confSERVICE_SWITCH_FILE', `MAIL_SETTINGS_DIR`'service.switch') # hosts file (normally /etc/hosts) 
@@ -453,9 +512,6 @@ _OPTION(SafeFileEnvironment, `confSAFE_FILE_ENV', `/arch') # are colons OK in addresses? _OPTION(ColonOkInAddr, `confCOLON_OK_IN_ADDR', `True') -# how many jobs can you process in the queue? -_OPTION(MaxQueueRunSize, `confMAX_QUEUE_RUN_SIZE', `10000') - # shall I avoid expanding CNAMEs (violates protocols)? _OPTION(DontExpandCnames, `confDONT_EXPAND_CNAMES', `False') @@ -481,7 +537,11 @@ _OPTION(OperatorChars, `confOPERATORS', `.:@[]') _OPTION(DontInitGroups, `confDONT_INIT_GROUPS', `False') # are group-writable `:include:' and .forward files (un)trustworthy? +# True (the default) means they are not trustworthy. _OPTION(UnsafeGroupWrites, `confUNSAFE_GROUP_WRITES', `True') +ifdef(`confUNSAFE_GROUP_WRITES', +`errprint(`WARNING: confUNSAFE_GROUP_WRITES is deprecated; use confDONT_BLAME_SENDMAIL. +')') # where do errors that occur when sending errors get sent? _OPTION(DoubleBounceAddress, `confDOUBLE_BOUNCE_ADDRESS', `postmaster') @@ -495,6 +555,10 @@ _OPTION(RunAsUser, `confRUN_AS_USER', `sendmail') # maximum number of recipients per SMTP envelope _OPTION(MaxRecipientsPerMessage, `confMAX_RCPTS_PER_MESSAGE', `100') +# limit the rate recipients per SMTP envelope are accepted +# once the threshold number of recipients have been rejected +_OPTION(BadRcptThrottle, `confBAD_RCPT_THROTTLE', `20') + # shall we get local names from our installed interfaces? _OPTION(DontProbeInterfaces, `confDONT_PROBE_INTERFACES', `False') 
@@ -531,8 +595,11 @@ _OPTION(DataFileBufferSize, `confDF_BUFFER_SIZE', `4096') # Transcript file (xf) memory-buffer file maximum size _OPTION(XscriptFileBufferSize, `confXF_BUFFER_SIZE', `4096') +# lookup type to find information about local mailboxes +_OPTION(MailboxDatabase, `confMAILBOX_DATABASE', `pw') + # list of authentication mechanisms -_OPTION(AuthMechanisms, `confAUTH_MECHANISMS', `GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5') +_OPTION(AuthMechanisms, `confAUTH_MECHANISMS', `EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5') # default authentication information for outgoing connections _OPTION(DefaultAuthInfo, `confDEF_AUTH_INFO', `MAIL_SETTINGS_DIR`'default-auth-info') @@ -540,11 +607,18 @@ _OPTION(DefaultAuthInfo, `confDEF_AUTH_INFO', `MAIL_SETTINGS_DIR`'default-auth-i # SMTP AUTH flags _OPTION(AuthOptions, `confAUTH_OPTIONS', `') -ifdef(`_FFR_MILTER', ` +# SMTP AUTH maximum encryption strength +_OPTION(AuthMaxBits, `confAUTH_MAX_BITS', `') + +# SMTP STARTTLS server options +_OPTION(TLSSrvOptions, `confTLS_SRV_OPTIONS', `') + # Input mail filters _OPTION(InputMailFilters, `confINPUT_MAIL_FILTERS', `') +ifdef(`confINPUT_MAIL_FILTERS', `dnl # Milter options +_OPTION(Milter.LogLevel, `confMILTER_LOG_LEVEL', `') _OPTION(Milter.macros.connect, `confMILTER_MACROS_CONNECT', `') _OPTION(Milter.macros.helo, `confMILTER_MACROS_HELO', `') _OPTION(Milter.macros.envfrom, `confMILTER_MACROS_ENVFROM', `') @@ -567,10 +641,10 @@ _OPTION(DHParameters, `confDH_PARAMETERS', `') # Random data source (required for systems without /dev/urandom under OpenSSL) _OPTION(RandFile, `confRAND_FILE', `') -ifdef(`confQUEUE_FILE_MODE', -`# queue file mode (qf files) -O QueueFileMode=confQUEUE_FILE_MODE -') +############################ +`# QUEUE GROUP DEFINITIONS #' +############################ +_QUEUE_GROUP_ ########################### # Message precedences # 
@@ -631,9 +705,9 @@ R$@ $@ <@> R$* $: $1 <@> mark addresses R$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr> R@ $* <@> $: @ $1 unmark @host:... +R$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr R$* :: $* <@> $: $1 :: $2 unmark node::addr R:`include': $* <@> $: :`include': $1 unmark :`include':... -R$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr R$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon R$* : $* <@> $: $2 strip colon if marked R$* <@> $: $1 unmark @@ -656,10 +730,15 @@ ifdef(`_USE_DEPRECATED_ROUTE_ADDR_',`dnl R@ $+ , $+ @ $1 : $2 change all "," to ":" # localize and dispose of route-based addresses +dnl XXX: IPv6 colon conflict +ifdef(`NO_NETINET6', `dnl', +`R@ [$+] : $+ $@ $>Canonify2 < @ [$1] > : $2 handle <route-addr>') R@ $+ : $+ $@ $>Canonify2 < @$1 > : $2 handle <route-addr> dnl',`dnl # strip route address <@a,@b,@c:user@d> -> <user@d> R@ $+ , $+ $2 +ifdef(`NO_NETINET6', `dnl', +`R@ [ $* ] : $+ $2') R@ $+ : $+ $2 dnl') @@ -672,8 +751,9 @@ R$+ @ $+ $: $1 < @ $2 > focus on domain R$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right R$+ < @ $+ > $@ $>Canonify2 $1 < @ $2 > already canonical -# do some sanity checking -R$* < @ $* : $* > $* $1 < @ $2 $3 > $4 nix colons in addrs +dnl This is flagged as an error in S0; no need to silently fix it here. +dnl # do some sanity checking +dnl R$* < @ $~[ $* : $* > $* $1 < @ $2 $3 > $4 nix colons in addrs ifdef(`_NO_UUCP_', `dnl', `# convert old-style addresses to a domain-based address 
@@ -708,13 +788,8 @@ R$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain ifdef(`_NO_UUCP_', `dnl', `R$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain') -# check for IPv6 domain literal (save quoted form) -R$* < @ [ IPv6 : $+ ] > $* $: $2 $| $1 < @@ [ $(dequote $2 $) ] > $3 mark IPv6 addr -R$+ $| $* < @@ $=w > $* $: $2 < @ $j . > $4 self-literal -R$+ $| $* < @@ [ $+ ] > $* $@ $2 < @ [ IPv6 : $1 ] > $4 canon IP addr - -# check for IPv4 domain literal -R$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [a.b.c.d] +# check for IPv4/IPv6 domain literal +R$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [addr] R$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal R$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr @@ -780,7 +855,7 @@ dnl this should only apply to unqualified hostnames dnl but if a valid character inside an unqualified hostname is an OperatorChar dnl then $- does not work. # lookup unqualified hostnames -R$* $| $* < @ $* > $* $: $2 < @ $[ $3 $] > $4', `dnl')', `dnl +R$* $| $* < @ $* > $* $: $2 < @ $[ $3 $] > $4', `dnl')', `dnl dnl _NO_CANONIFY_ is not set: canonify unless: dnl {daemon_flags} contains CC (do not canonify) dnl but add a trailing dot to qualified hostnames so other rules will work @@ -803,6 +878,12 @@ ifdef(`_VIRTUSER_ENTIRE_DOMAIN_', `R$* < @ $* $={VirtHost} > $* $: $1 < @ $2 $3 . > $4', `R$* < @ $={VirtHost} > $* $: $1 < @ $2 . > $3')', `dnl') +ifdef(`_GENERICS_TABLE_', `dnl +dnl hosts for genericstable are also canonical +ifdef(`_GENERICS_ENTIRE_DOMAIN_', +`R$* < @ $* $=G > $* $: $1 < @ $2 $3 . > $4', +`R$* < @ $=G > $* $: $1 < @ $2 . > $3')', +`dnl') dnl remove superfluous dots (maybe repeatedly) which may have been added dnl by one of the rules before R$* < @ $* . . > $* $1 < @ $2 . > $3 
@@ -870,26 +951,41 @@ R$* $: $>Parse1 $1 final parsing SParse0 R<@> $@ <@> special case error msgs -R$* : $* ; <@> $#error $@ 5.1.3 $: "CODE553 List:; syntax illegal for recipient addresses" +R$* : $* ; <@> $#error $@ 5.1.3 $: "_CODE553 List:; syntax illegal for recipient addresses" R@ <@ $* > < @ $1 > catch "@@host" bogosity -R<@ $+> $#error $@ 5.1.3 $: "CODE553 User address required" +R<@ $+> $#error $@ 5.1.3 $: "_CODE553 User address required" +R$+ <@> $#error $@ 5.1.3 $: "_CODE553 Hostname required" R$* $: <> $1 -R<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3 -R<> $* <$* : $* > $* $#error $@ 5.1.3 $: "CODE553 Colon illegal in host name part" +dnl allow tricks like [host1]:[host2] +R<> $* < @ [ $* ] : $+ > $* $1 < @ [ $2 ] : $3 > $4 +R<> $* < @ [ $* ] , $+ > $* $1 < @ [ $2 ] , $3 > $4 +dnl but no a@[b]c +R<> $* < @ [ $* ] $+ > $* $#error $@ 5.1.2 $: "_CODE553 Invalid address" +R<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3 +R<> $* <$* : $* > $* $#error $@ 5.1.3 $: "_CODE553 Colon illegal in host name part" R<> $* $1 -R$* < @ . $* > $* $#error $@ 5.1.2 $: "CODE553 Invalid host name" -R$* < @ $* .. $* > $* $#error $@ 5.1.2 $: "CODE553 Invalid host name" +R$* < @ . $* > $* $#error $@ 5.1.2 $: "_CODE553 Invalid host name" +R$* < @ $* .. $* > $* $#error $@ 5.1.2 $: "_CODE553 Invalid host name" +dnl no a@b@ +R$* < @ $* @ > $* $#error $@ 5.1.2 $: "_CODE553 Invalid route address" +dnl no a@b@c +R$* @ $* < @ $* > $* $#error $@ 5.1.3 $: "_CODE553 Invalid route address" dnl comma only allowed before @; this check is not complete -R$* , $~O $* $#error $@ 5.1.2 $: "CODE553 Invalid route address" +R$* , $~O $* $#error $@ 5.1.3 $: "_CODE553 Invalid route address" + +ifdef(`_STRICT_RFC821_', `# more RFC 821 checks +R$* . < @ $* > $* $#error $@ 5.1.2 $: "_CODE553 Local part must not end with a dot" +R. 
$* < @ $* > $* $#error $@ 5.1.2 $: "_CODE553 Local part must not begin with a dot" +dnl', `dnl') # now delete the local info -- note $=O to find characters that cause forwarding R$* < @ > $* $@ $>Parse0 $>canonify $1 user@ => user R< @ $=w . > : $* $@ $>Parse0 $>canonify $2 @here:... -> ... R$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote "foo"@here -R< @ $+ > $#error $@ 5.1.3 $: "CODE553 User address required" +R< @ $+ > $#error $@ 5.1.3 $: "_CODE553 User address required" R$* $=O $* < @ $=w . > $@ $>Parse0 $>canonify $1 $2 $3 ...@here -> ... R$- $: $(dequote $1 $) < @ *LOCAL* > dequote "foo" -R< @ *LOCAL* > $#error $@ 5.1.3 $: "CODE553 User address required" +R< @ *LOCAL* > $#error $@ 5.1.3 $: "_CODE553 User address required" R$* $=O $* < @ *LOCAL* > $@ $>Parse0 $>canonify $1 $2 $3 ...@*LOCAL* -> ... R$* < @ *LOCAL* > $: $1 @@ -901,7 +997,8 @@ R$* < @ *LOCAL* > $: $1 SParse1 ifdef(`_LDAP_ROUTING_', `dnl # handle LDAP routing for hosts in $={LDAPRoute} -R$+ < @ $={LDAPRoute} . > $: $>LDAPExpand <$1 < @ $2 . >> <$1 @ $2>', +R$+ < @ $={LDAPRoute} . > $: $>LDAPExpand <$1 < @ $2 . >> <$1 @ $2> <> +R$+ < @ $={LDAPRouteEquiv} . > $: $>LDAPExpand <$1 < @ $2 . >> <$1 @ $M> <>', `dnl') ifdef(`_MAILER_smtp_', 
@@ -909,35 +1006,63 @@ ifdef(`_MAILER_smtp_', dnl there is no check whether this is really an IP number R$* < @ [ $+ ] > $* $: $>ParseLocal $1 < @ [ $2 ] > $3 numeric internet spec R$* < @ [ $+ ] > $* $1 < @ [ $2 ] : $S > $3 Add smart host to path -R$* < @ [ IPv6 : $+ ] : > $* - $#_SMTP_ $@ [ $(dequote $2 $) ] $: $1 < @ [IPv6 : $2 ] > $3 no smarthost: send -R$* < @ [ $+ ] : > $* $#_SMTP_ $@ [$2] $: $1 < @ [$2] > $3 no smarthost: send +R$* < @ [ $+ ] : > $* $#_SMTP_ $@ [$2] $: $1 < @ [$2] > $3 no smarthost: send R$* < @ [ $+ ] : $- : $*> $* $#$3 $@ $4 $: $1 < @ [$2] > $5 smarthost with mailer R$* < @ [ $+ ] : $+ > $* $#_SMTP_ $@ $3 $: $1 < @ [$2] > $4 smarthost without mailer', `dnl') ifdef(`_VIRTUSER_TABLE_', `dnl # handle virtual users +ifdef(`_VIRTUSER_STOP_ONE_LEVEL_RECURSION_',`dnl +dnl this is not a documented option +dnl it stops looping in virtusertable mapping if input and output +dnl are identical, i.e., if address A is mapped to A. +dnl it does not deal with multi-level recursion +# handle full domains in RHS of virtusertable +R$+ < @ $+ > $: $(macro {RecipientAddress} $) $1 < @ $2 > +R$+ < @ $+ > $: <?> $1 < @ $2 > $| $>final $1 < @ $2 > +R<?> $+ $| $+ $: $1 $(macro {RecipientAddress} $@ $2 $) +R<?> $+ $| $* $: $1', +`dnl') R$+ $: <!> $1 Mark for lookup +dnl input: <!> local<@domain> ifdef(`_VIRTUSER_ENTIRE_DOMAIN_', `R<!> $+ < @ $* $={VirtHost} . > $: < $(virtuser $1 @ $2 $3 $@ $1 $: @ $) > $1 < @ $2 $3 . >', `R<!> $+ < @ $={VirtHost} . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >') +dnl input: <result-of-lookup | @> local<@domain> | <!> local<@domain> R<!> $+ < @ $=w . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . > +dnl if <@> local<@domain>: no match but try lookup +dnl user+detail: try user++@domain if detail not empty +R<@> $+ + $+ < @ $* . > + $: < $(virtuser $1 + + @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . > +dnl user+detail: try user+*@domain R<@> $+ + $* < @ $* . 
> - $: < $(virtuser $1 + * @ $3 $@ $1 $@ $2 $: @ $) > $1 + $2 < @ $3 . > + $: < $(virtuser $1 + * @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . > +dnl user+detail: try user@domain R<@> $+ + $* < @ $* . > - $: < $(virtuser $1 @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . > + $: < $(virtuser $1 @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . > dnl try default entry: @domain +dnl ++@domain +R<@> $+ + $+ < @ $+ . > $: < $(virtuser + + @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . > dnl +*@domain -R<@> $+ + $+ < @ $+ . > $: < $(virtuser + * @ $3 $@ $1 $@ $2 $: @ $) > $1 + $2 < @ $3 . > +R<@> $+ + $* < @ $+ . > $: < $(virtuser + * @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . > dnl @domain if +detail exists -R<@> $+ + $* < @ $+ . > $: < $(virtuser @ $3 $@ $1 $@ $2 $: @ $) > $1 + $2 < @ $3 . > +R<@> $+ + $* < @ $+ . > $: < $(virtuser @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . > dnl without +detail (or no match) R<@> $+ < @ $+ . > $: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . > +dnl no match R<@> $+ $: $1 +dnl remove mark R<!> $+ $: $1 R< error : $-.$-.$- : $+ > $* $#error $@ $1.$2.$3 $: $4 R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2 +ifdef(`_VIRTUSER_STOP_ONE_LEVEL_RECURSION_',`dnl +# check virtuser input address against output address, if same, skip recursion +R< $+ > $+ < @ $+ > $: < $1 > $2 < @ $3 > $| $1 +# it is the same: stop now +R< $+ > $+ < @ $+ > $| $&{RecipientAddress} $: $>ParseLocal $>Parse0 $>canonify $1 +R< $+ > $+ < @ $+ > $| $* $: < $1 > $2 < @ $3 > +dnl', `dnl') dnl this is not a documented option dnl it performs no looping at all for virtusertable ifdef(`_NO_VIRTUSER_RECURSION_', 
@@ -1020,7 +1145,7 @@ R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost nam # deal with other remote names ifdef(`_MAILER_smtp_', `R$* < @$* > $* $#_SMTP_ $@ $2 $: $1 < @ $2 > $3 user@host.domain', -`R$* < @$* > $* $#error $@ 5.1.2 $: "CODE553 Unrecognized host name " $2') +`R$* < @$* > $* $#error $@ 5.1.2 $: "_CODE553 Unrecognized host name " $2') # handle locally delivered names R$=L $#_LOCAL_ $: @ $1 special local names @@ -1033,15 +1158,25 @@ R$+ $#_LOCAL_ $: $1 regular local names SLocal_localaddr Slocaladdr=5 R$+ $: $1 $| $>"Local_localaddr" $1 +R$+ $| $#ok $@ $1 no change R$+ $| $#$* $#$2 R$+ $| $* $: $1 -ifdef(`_FFR_5_', ` +ifdef(`_PRESERVE_LUSER_HOST_', `dnl +# Preserve rcpt_host in {Host} +R$+ $: $1 $| $&h $| $&{Host} check h and {Host} +R$+ $| $| $: $(macro {Host} $@ $) $1 no h or {Host} +R$+ $| $| $+ $: $1 h not set, {Host} set +R$+ $| +$* $| $* $: $1 h is +detail, {Host} set +R$+ $| $+ $| $* $: $(macro {Host} $@ @$2 $) $1 set {Host} to h +')dnl + +ifdef(`_FFR_5_', `dnl # Preserve host in a macro R$+ $: $(macro {LocalAddrHost} $) $1 R$+ @ $+ $: $(macro {LocalAddrHost} $@ @ $2 $) $1') -ifdef(`_PRESERVE_LOCAL_PLUS_DETAIL_', `', ` +ifdef(`_PRESERVE_LOCAL_PLUS_DETAIL_', `', `dnl # deal with plussed users so aliases work nicely R$+ + * $#_LOCAL_ $@ $&h $: $1`'ifdef(`_FFR_5_', ` $&{LocalAddrHost}') R$+ + $* $#_LOCAL_ $@ + $2 $: $1 + *`'ifdef(`_FFR_5_', ` $&{LocalAddrHost}') 
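Review bot: in the `localaddr` hunk, the new `R$+ $| $#ok $@ $1` rule works only because it sits ahead of the generic `R$+ $| $#$* $#$2`; if the two are ever reordered, a `$#ok` result from `Local_localaddr` is passed on as a mailer named `ok`. A dnl line stating that `$#ok` is a reserved return meaning "leave the address unchanged" and must be tested first would make that dependency explicit.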
@@ -1051,35 +1186,61 @@ R$+ $: <> $1 ifdef(`LUSER_RELAY', `dnl # send unrecognized local users to a relay host -ifdef(`_PRESERVE_LOCAL_PLUS_DETAIL_', ` +ifdef(`_PRESERVE_LOCAL_PLUS_DETAIL_', `dnl R< > $+ + $* $: < ? $L > <+ $2> $(user $1 $) look up user+ R< > $+ $: < ? $L > < > $(user $1 $) look up user R< ? $* > < $* > $+ <> $: < > $3 $2 found; strip $L R< ? $* > < $* > $+ $: < $1 > $3 $2 not found', ` R< > $+ $: < $L > $(user $1 $) look up user -R< $* > $+ <> $: < > $2 found; strip $L')', -`dnl') +R< $* > $+ <> $: < > $2 found; strip $L') +ifdef(`_PRESERVE_LUSER_HOST_', `dnl +R< $+ > $+ $: < $1 > $2 $&{Host}') +dnl') -# see if we have a relay or a hub -R< > $+ $: < $H > $1 try hub -R< > $+ $: < $R > $1 try relay -ifdef(`_PRESERVE_LOCAL_PLUS_DETAIL_', ` -R< > $+ $@ $1', ` +ifdef(`MAIL_HUB', `dnl +R< > $+ $: < $H > $1 try hub', `dnl') +ifdef(`LOCAL_RELAY', `dnl +R< > $+ $: < $R > $1 try relay', `dnl') +ifdef(`_PRESERVE_LOCAL_PLUS_DETAIL_', `dnl +R< > $+ $@ $1', `dnl R< > $+ $: < > < $1 <> $&h > nope, restore +detail +ifdef(`_PRESERVE_LUSER_HOST_', `dnl +R< > < $+ @ $+ <> + $* > $: < > < $1 + $3 @ $2 > check whether +detail') R< > < $+ <> + $* > $: < > < $1 + $2 > check whether +detail R< > < $+ <> $* > $: < > < $1 > else discard R< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part R< > < $+ > + $* $#_LOCAL_ $@ $2 $: @ $1`'ifdef(`_FFR_5_', ` $&{LocalAddrHost}') strip the extra + R< > < $+ > $@ $1 no +detail R$+ $: $1 <> $&h add +detail back in +ifdef(`_PRESERVE_LUSER_HOST_', `dnl +R$+ @ $+ <> + $* $: $1 + $3 @ $2 check whether +detail') R$+ <> + $* $: $1 + $2 check whether +detail R$+ <> $* $: $1 else discard') R< local : $* > $* $: $>MailerToTriple < local : $1 > $2 no host extension R< error : $* > $* $: $>MailerToTriple < error : $1 > $2 no host extension -R< $- : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 > +ifdef(`_PRESERVE_LUSER_HOST_', `dnl +dnl it is $~[ instead of $- to avoid matches on IPv6 addresses +R< $~[ : $+ > $+ @ $+ $: $>MailerToTriple < 
$1 : $2 > $3 < @ $4 >') +R< $~[ : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 > +ifdef(`_PRESERVE_LUSER_HOST_', `dnl +R< $+ > $+ @ $+ $@ $>MailerToTriple < $1 > $2 < @ $3 >') R< $+ > $+ $@ $>MailerToTriple < $1 > $2 < @ $1 > ifdef(`_MAILER_TABLE_', `dnl +ifdef(`_LDAP_ROUTING_', `dnl +################################################################### +### Ruleset LDAPMailertable -- mailertable lookup for LDAP ### +dnl input: <Domain> FullAddress +################################################################### + +SLDAPMailertable +R< $+ > $* $: < $(mailertable $1 $) > $2 lookup +R< $~[ : $* > $* $>MailerToTriple < $1 : $2 > $3 check resolved? +R< $+ > $* $: < $1 > $>Mailertable <$1> $2 try domain +R< $+ > $#$* $#$2 found +R< $+ > $* $#_RELAY_ $@ $1 $: $2 not found, direct relay', +`dnl') + ################################################################### ### Ruleset 90 -- try domain part of mailertable entry ### dnl input: LeftPartOfDomain <RightPartOfDomain> FullAddress @@ -1108,7 +1269,6 @@ dnl <error:text> -> error dnl <mailer:user@host> lp<@domain>rest -> mailer host user dnl <mailer:host> address -> mailer host address dnl <localdomain> address -> address -dnl <[IPv6:number]> address -> relay number address dnl <host> address -> relay host address ################################################################### 
@@ -1117,10 +1277,10 @@ R< > $* $@ $1 strip off null relay R< error : $-.$-.$- : $+ > $* $#error $@ $1.$2.$3 $: $4 R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2 R< local : $* > $* $>CanonLocal < $1 > $2 -R< $- : $+ @ $+ > $*<$*>$* $# $1 $@ $3 $: $2<@$3> use literal user -R< $- : $+ > $* $# $1 $@ $2 $: $3 try qualified mailer +dnl it is $~[ instead of $- to avoid matches on IPv6 addresses +R< $~[ : $+ @ $+ > $*<$*>$* $# $1 $@ $3 $: $2<@$3> use literal user +R< $~[ : $+ > $* $# $1 $@ $2 $: $3 try qualified mailer R< $=w > $* $@ $2 delete local host -R< [ IPv6 : $+ ] > $* $#_RELAY_ $@ $(dequote $1 $) $: $2 use unqualified mailer R< $+ > $* $#_RELAY_ $@ $1 $: $2 use unqualified mailer ################################################################### @@ -1170,6 +1330,7 @@ R$+ < @ *LOCAL* > $: < $1@$j > $1 < @ *LOCAL* > @ mark dnl workspace: either user<@domain> or <user@domain> user <@domain> @ dnl ignore the first case for now dnl if it has the mark lookup full address +dnl broken: %1 is full address not just detail R< $+ > $+ < $* > @ $: < $(generics $1 $: @ $1 $) > $2 < $3 > dnl workspace: ... or <match|@user@domain> user <@domain> dnl no match, try user+detail@domain @@ -1194,6 +1355,7 @@ R< > $* $: $1 not found', # do not masquerade anything in class N R$* < @ $* $=N . > $@ $1 < @ $2 $3 . > +ifdef(`MASQUERADE_NAME', `dnl # special case the users that should be exposed R$=E < @ *LOCAL* > $@ $1 < @ $j . > leave exposed ifdef(`_MASQUERADE_ENTIRE_DOMAIN_', @@ -1211,6 +1373,9 @@ ifdef(`_LIMITED_MASQUERADE_', `dnl', R$* < @ *LOCAL* > $* $: $1 < @ $j . @ $M > $2 R$* < @ $+ @ > $* $: $1 < @ $2 > $3 $M is null R$* < @ $+ @ $+ > $* $: $1 < @ $3 . > $4 $M is not null +dnl', `dnl no masquerading +dnl just fix *LOCAL* leftovers +R$* < @ *LOCAL* > $@ $1 < @ $j . >') ################################################################### ### Ruleset 94 -- convert envelope names to masqueraded form ### 
@@ -1229,115 +1394,183 @@ SParseLocal=98 undivert(3)dnl LOCAL_RULE_0 ifdef(`_LDAP_ROUTING_', `dnl +###################################################################### +### LDAPExpand: Expand address using LDAP routing +### +### Parameters: +### <$1> -- parsed address (user < @ domain . >) (pass through) +### <$2> -- RFC822 address (user @ domain) (used for lookup) +### <$3> -- +detail information +### +### Returns: +### Mailer triplet ($#mailer $@ host $: address) +### Parsed address (user < @ domain . >) +###################################################################### + SLDAPExpand # do the LDAP lookups -R<$+><$+> $: <$(ldapmra $2 $: $)> <$(ldapmh $2 $: $)> <$1> <$2> +R<$+><$+><$*> $: <$(ldapmra $2 $: $)> <$(ldapmh $2 $: $)> <$1> <$2> <$3> # if mailRoutingAddress and local or non-existant mailHost, # return the new mailRoutingAddress -R< $+ > < $=w > < $+ > < $+ > $@ $>Parse0 $>canonify $1 -R< $+ > < > < $+ > < $+ > $@ $>Parse0 $>canonify $1 +ifelse(_LDAP_ROUTE_DETAIL_, `_PRESERVE_', `dnl +R<$+@$+> <$=w> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1 $6 @ $2 +R<$+@$+> <> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1 $5 @ $2') +R<$+> <$=w> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1 +R<$+> <> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1 # if mailRoutingAddress and non-local mailHost, # relay to mailHost with new mailRoutingAddress -R< $+ > < $+ > < $+ > < $+ > $#_RELAY_ $@ $2 $: $>canonify $1 +ifelse(_LDAP_ROUTE_DETAIL_, `_PRESERVE_', `dnl +ifdef(`_MAILER_TABLE_', `dnl +# check mailertable for host, relay from there +R<$+@$+> <$+> <$+> <$+> <$*> $>LDAPMailertable <$3> $>canonify $1 $6 @ $2', +`R<$+@$+> <$+> <$+> <$+> <$*> $#_RELAY_ $@ $3 $: $>canonify $1 $6 @ $2')') +ifdef(`_MAILER_TABLE_', `dnl +# check mailertable for host, relay from there +R<$+> <$+> <$+> <$+> <$*> $>LDAPMailertable <$2> $>canonify $1', +`R<$+> <$+> <$+> <$+> <$*> $#_RELAY_ $@ $2 $: $>canonify $1') # if no mailRoutingAddress and local mailHost, # return original address -R< > < $=w > <$+> <$+> $@ $2 
+R<> <$=w> <$+> <$+> <$*> $@ $2 # if no mailRoutingAddress and non-local mailHost, # relay to mailHost with original address -R< > < $+ > <$+> <$+> $#_RELAY_ $@ $1 $: $2 +ifdef(`_MAILER_TABLE_', `dnl +# check mailertable for host, relay from there +R<> <$+> <$+> <$+> <$*> $>LDAPMailertable <$1> $2', +`R<> <$+> <$+> <$+> <$*> $#_RELAY_ $@ $1 $: $2') -# if no mailRoutingAddress and no mailHost, +ifdef(`_LDAP_ROUTE_DETAIL_', +`# if no mailRoutingAddress and no mailHost, +# try without +detail +R<> <> <$+> <$+ + $* @ $+> <> $@ $>LDAPExpand <$1> <$2 @ $4> <+$3>')dnl + +# if still no mailRoutingAddress and no mailHost, # try @domain -R< > < > <$+> <$+ @ $+> $@ $>LDAPExpand <$1> <@ $3> +ifelse(_LDAP_ROUTE_DETAIL_, `_PRESERVE_', `dnl +R<> <> <$+> <$+ + $* @ $+> <> $@ $>LDAPExpand <$1> <@ $4> <+$3>') +R<> <> <$+> <$+ @ $+> <$*> $@ $>LDAPExpand <$1> <@ $3> <$4> # if no mailRoutingAddress and no mailHost and this was a domain attempt, ifelse(_LDAP_ROUTING_, `_MUST_EXIST_', `dnl # user does not exist -R< > < > <$+> <@ $+> $#error $@ nouser $: "550 User unknown"', +R<> <> <$+> <@ $+> <$*> $: <?> < $&{addr_type} > < $1 > +# only give error for envelope recipient +R<?> <e r> <$+> $#error $@ nouser $: "550 User unknown" +R<?> <$*> <$+> $@ $2', `dnl # return the original address -R< > < > <$+> <@ $+> $@ $1')', +R<> <> <$+> <@ $+> <$*> $@ $1')', `dnl') ifelse(substr(confDELIVERY_MODE,0,1), `d', `errprint(`WARNING: Antispam rules not available in deferred delivery mode. 
')') -ifdef(`_ACCESS_TABLE_', `dnl +ifdef(`_ACCESS_TABLE_', `dnl', `divert(-1)') ###################################################################### -### LookUpDomain -- search for domain in access database +### D: LookUpDomain -- search for domain in access database ### ### Parameters: ### <$1> -- key (domain name) ### <$2> -- default (what to return if not found in db) dnl must not be empty -### <$3> -- passthru (additional data passed unchanged through) -### <$4> -- mark (must be <(!|+) single-token>) +### <$3> -- mark (must be <(!|+) single-token>) ### ! does lookup only with tag ### + does lookup with and without tag +### <$4> -- passthru (additional data passed unchanged through) dnl returns: <default> <passthru> dnl <result> <passthru> ###################################################################### -SLookUpDomain -dnl remove IPv6 mark and dequote address -dnl it is a bit ugly because it is checked on each "iteration" -R<[IPv6 : $+]> <$+> <$*> <$*> $: <[$(dequote $1 $)]> <$2> <$3> <$4> +SD dnl workspace <key> <default> <passthru> <mark> dnl lookup with tag (in front, no delimiter here) -R<$*> <$+> <$*> <$- $-> $: < $(access $5`'_TAG_DELIM_`'$1 $: ? $) > <$1> <$2> <$3> <$4 $5> +dnl 2 3 4 5 +R<$*> <$+> <$- $-> <$*> $: < $(access $4`'_TAG_DELIM_`'$1 $: ? $) > <$1> <$2> <$3 $4> <$5> dnl workspace <result-of-lookup|?> <key> <default> <passthru> <mark> -ifdef(`_FFR_LOOKUPDOTDOMAIN', `dnl omit first component: lookup .rest -R<?> <$+.$+> <$+> <$*> <$- $-> $: < $(access $5`'_TAG_DELIM_`'.$2 $: ? $) > <$1.$2> <$3> <$4> <$5 $6>', `dnl') dnl lookup without tag? -R<?> <$+> <$+> <$*> <+ $*> $: < $(access $1 $: ? $) > <$1> <$2> <$3> <+ $4> -ifdef(`_FFR_LOOKUPDOTDOMAIN', `dnl omit first component: lookup .rest -R<?> <$+.$+> <$+> <$*> <+ $*> $: < $(access .$2 $: ? $) > <$1.$2> <$3> <$4> <+ $5>', `dnl') -dnl lookup IP address (no check is done whether it is an IP number!) 
-R<?> <[$+.$-]> <$+> <$*> <$*> $@ $>LookUpDomain <[$1]> <$3> <$4> <$5> -dnl lookup IPv6 address -R<?> <[$+::$-]> <$+> <$*> <$*> $: $>LookUpDomain <[$1]> <$3> <$4> <$5> -R<?> <[$+:$-]> <$+> <$*> <$*> $: $>LookUpDomain <[$1]> <$3> <$4> <$5> +dnl 1 2 3 4 +R<?> <$+> <$+> <+ $-> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4> +ifdef(`_LOOKUPDOTDOMAIN_', `dnl omit first component: lookup .rest +dnl XXX apply this also to IP addresses? +dnl currently it works the wrong way round for [1.2.3.4] +dnl 1 2 3 4 5 6 +R<?> <$+.$+> <$+> <$- $-> <$*> $: < $(access $5`'_TAG_DELIM_`'.$2 $: ? $) > <$1.$2> <$3> <$4 $5> <$6> +dnl 1 2 3 4 5 +R<?> <$+.$+> <$+> <+ $-> <$*> $: < $(access .$2 $: ? $) > <$1.$2> <$3> <+ $4> <$5>', `dnl') +ifdef(`_ACCESS_SKIP_', `dnl +dnl found SKIP: return <default> and <passthru> +dnl 1 2 3 4 5 +R<SKIP> <$+> <$+> <$- $-> <$*> $@ <$2> <$5>', `dnl') +dnl not found: IPv4 net (no check is done whether it is an IP number!) +dnl 1 2 3 4 5 6 +R<?> <[$+.$-]> <$+> <$- $-> <$*> $@ $>D <[$1]> <$3> <$4 $5> <$6> +ifdef(`NO_NETINET6', `dnl', +`dnl not found: IPv6 net +dnl (could be merged with previous rule if we have a class containing .:) +dnl 1 2 3 4 5 6 +R<?> <[$+::$-]> <$+> <$- $-> <$*> $: $>D <[$1]> <$3> <$4 $5> <$6> +R<?> <[$+:$-]> <$+> <$- $-> <$*> $: $>D <[$1]> <$3> <$4 $5> <$6>') dnl not found, but subdomain: try again -R<?> <$+.$+> <$+> <$*> <$*> $@ $>LookUpDomain <$2> <$3> <$4> <$5> -dnl not found, no subdomain: return default -R<?> <$+> <$+> <$*> <$*> $@ <$2> <$3> -dnl return result of lookup -R<$*> <$+> <$+> <$*> <$*> $@ <$1> <$4> +dnl 1 2 3 4 5 6 +R<?> <$+.$+> <$+> <$- $-> <$*> $@ $>D <$2> <$3> <$4 $5> <$6> +dnl not found, no subdomain: return <default> and <passthru> +dnl 1 2 3 4 5 +R<?> <$+> <$+> <$- $-> <$*> $@ <$2> <$5> +ifdef(`_ATMPF_', `dnl tempfail? 
+dnl 2 3 4 5 6 +R<$* _ATMPF_> <$+> <$+> <$- $-> <$*> $@ <_ATMPF_> <$6>', `dnl') +dnl return <result of lookup> and <passthru> +dnl 2 3 4 5 6 +R<$*> <$+> <$+> <$- $-> <$*> $@ <$1> <$6> ###################################################################### -### LookUpAddress -- search for host address in access database +### A: LookUpAddress -- search for host address in access database ### ### Parameters: ### <$1> -- key (dot quadded host address) ### <$2> -- default (what to return if not found in db) dnl must not be empty -### <$3> -- passthru (additional data passed through) -### <$4> -- mark (must be <(!|+) single-token>) +### <$3> -- mark (must be <(!|+) single-token>) ### ! does lookup only with tag ### + does lookup with and without tag +### <$4> -- passthru (additional data passed through) dnl returns: <default> <passthru> dnl <result> <passthru> ###################################################################### -SLookUpAddress +SA dnl lookup with tag -R<$+> <$+> <$*> <$- $+> $: < $(access $5`'_TAG_DELIM_`'$1 $: ? $) > <$1> <$2> <$3> <$4 $5> +dnl 2 3 4 5 +R<$+> <$+> <$- $-> <$*> $: < $(access $4`'_TAG_DELIM_`'$1 $: ? $) > <$1> <$2> <$3 $4> <$5> dnl lookup without tag -R<?> <$+> <$+> <$*> <+ $+> $: < $(access $1 $: ? $) > <$1> <$2> <$3> <+ $4> -dnl no match; IPv6: remove last part -R<?> <$+::$-> <$+> <$*> <$*> $@ $>LookUpAddress <$1> <$3> <$4> <$5> -R<?> <$+:$-> <$+> <$*> <$*> $@ $>LookUpAddress <$1> <$3> <$4> <$5> +dnl 1 2 3 4 +R<?> <$+> <$+> <+ $-> <$*> $: < $(access $1 $: ? 
$) > <$1> <$2> <+ $3> <$4> +dnl workspace <result-of-lookup|?> <key> <default> <mark> <passthru> +ifdef(`_ACCESS_SKIP_', `dnl +dnl found SKIP: return <default> and <passthru> +dnl 1 2 3 4 5 +R<SKIP> <$+> <$+> <$- $-> <$*> $@ <$2> <$5>', `dnl') +ifdef(`NO_NETINET6', `dnl', +`dnl no match; IPv6: remove last part +dnl 1 2 3 4 5 6 +R<?> <$+::$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6> +R<?> <$+:$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6>') dnl no match; IPv4: remove last part -R<?> <$+.$-> <$+> <$*> <$*> $@ $>LookUpAddress <$1> <$3> <$4> <$5> +dnl 1 2 3 4 5 6 +R<?> <$+.$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6> dnl no match: return default -R<?> <$+> <$+> <$*> <$*> $@ <$2> <$3> +dnl 1 2 3 4 5 +R<?> <$+> <$+> <$- $-> <$*> $@ <$2> <$5> +ifdef(`_ATMPF_', `dnl tempfail? +dnl 2 3 4 5 6 +R<$* _ATMPF_> <$+> <$+> <$- $-> <$*> $@ <_ATMPF_> <$6>', `dnl') dnl match: return result -R<$*> <$+> <$+> <$*> <$*> $@ <$1> <$4>', -`dnl') - +dnl 2 3 4 5 6 +R<$*> <$+> <$+> <$- $-> <$*> $@ <$1> <$6> +dnl endif _ACCESS_TABLE_ +divert(0) ###################################################################### ### CanonAddr -- Convert an address into a standard form for ### relay checking. Route address syntax is 
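Review bot: in ruleset `D` the unchanged comments `dnl workspace <key> <default> <passthru> <mark>` and `dnl workspace <result-of-lookup|?> <key> <default> <passthru> <mark>` still give the old argument order, while every rule below them now matches the mark (`<$- $->`) in third position and the passthru (`<$*>`) last. Ruleset `A` received a corrected workspace line in this hunk; `D` should get the same, so that the position-number comments (`dnl 2 3 4 5`) can be checked against it.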
@@ -1385,23 +1618,18 @@ R<?> $* $=O $* < @ $* > $: <NO> $1 $2 $3 < @ $4> dnl no $=O in localpart: return R<?> $* $@ $1 -dnl workspace: <?> localpart<@domain>, where localpart contains $=O +dnl workspace: <NO> localpart<@domain>, where localpart contains $=O dnl mark everything which has an "authorized" domain with <RELAY> ifdef(`_RELAY_ENTIRE_DOMAIN_', `dnl # if we relay, check username portion for user%host so host can be checked also R<NO> $* < @ $* $=m > $: <RELAY> $1 < @ $2 $3 >', `dnl') - -ifdef(`_RELAY_MX_SERVED_', `dnl -dnl do "we" ($=w) act as backup MX server for the destination domain? -R<NO> $* < @ $+ > $: <MX> < : $(mxserved $2 $) : > < $1 < @$2 > > -R<MX> < : $* <TEMP> : > $* $#error $@ 4.7.1 $: "450 Can not check MX records for recipient host " $1 -dnl yes: mark it as <RELAY> -R<MX> < $* : $=w. : $* > < $+ > $: <RELAY> $4 -dnl no: put old <NO> mark back -R<MX> < : $* : > < $+ > $: <NO> $2', `dnl') - dnl workspace: <(NO|RELAY)> localpart<@domain>, where localpart contains $=O dnl if mark is <NO> then change it to <RELAY> if domain is "authorized" + +dnl what if access map returns something else than RELAY? +dnl we are only interested in RELAY entries... +dnl other To: entries: blacklist recipient; generic entries? +dnl if it is an error we probably do not want to relay anyway ifdef(`_RELAY_HOSTS_ONLY_', `R<NO> $* < @ $=R > $: <RELAY> $1 < @ $2 > ifdef(`_ACCESS_TABLE_', `dnl 
@@ -1409,12 +1637,23 @@ R<NO> $* < @ $+ > $: <$(access To:$2 $: NO $)> $1 < @ $2 > R<NO> $* < @ $+ > $: <$(access $2 $: NO $)> $1 < @ $2 >',`dnl')', `R<NO> $* < @ $* $=R > $: <RELAY> $1 < @ $2 $3 > ifdef(`_ACCESS_TABLE_', `dnl -R<NO> $* < @ $+ > $: $>LookUpDomain <$2> <NO> <$1 < @ $2 >> <+To> +R<NO> $* < @ $+ > $: $>D <$2> <NO> <+ To> <$1 < @ $2 >> R<$+> <$+> $: <$1> $2',`dnl')') +ifdef(`_RELAY_MX_SERVED_', `dnl +dnl do "we" ($=w) act as backup MX server for the destination domain? +R<NO> $* < @ $+ > $: <MX> < : $(mxserved $2 $) : > < $1 < @$2 > > +R<MX> < : $* <TEMP> : > $* $#TEMP $@ 4.7.1 $: "450 Can not check MX records for recipient host " $1 +dnl yes: mark it as <RELAY> +R<MX> < $* : $=w. : $* > < $+ > $: <RELAY> $4 +dnl no: put old <NO> mark back +R<MX> < : $* : > < $+ > $: <NO> $2', `dnl') + +dnl do we relay to this recipient domain? R<RELAY> $* < @ $* > $@ $>ParseRecipient $1 -R<$-> $* $@ $2 +dnl something else +R<$+> $* $@ $2 ###################################################################### 
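Review bot: the re-added `_RELAY_MX_SERVED_` block returns `$#TEMP $@ 4.7.1 ...` where the copy removed in the previous hunk returned `$#error`, and `TEMP` has meaning only to a caller that rewrites it, as the `$#TEMP` entry in the return list documented at the `Rcpt_ok` call in `Basic_check_rcpt` describes. Please add a dnl line here naming that contract and confirm that this ruleset is reached only through callers that turn `$#TEMP` into `$#error`; otherwise a triple naming a mailer `TEMP` leaves the check rulesets.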
@@ -1435,26 +1674,26 @@ R< $* > $* $: $2 ifdef(`_ACCESS_TABLE_', `dnl dnl workspace: {client_name} $| {client_addr} -R$+ $| $+ $: $>LookUpDomain < $1 > <?> < $2 > <+Connect> -dnl workspace: <result-of-lookup> <{client_addr}> -R<?> <$+> $: $>LookUpAddress < $1 > <?> < $1 > <+Connect> no: another lookup -dnl workspace: <result-of-lookup> <{client_addr}> -R<?> < $+ > $: $1 found nothing +R$+ $| $+ $: $>D < $1 > <?> <+ Connect> < $2 > dnl workspace: <result-of-lookup> <{client_addr}> -dnl or {client_addr} -R<$={Accept}> < $* > $@ $1 return value of lookup -R<REJECT> $* $#error ifdef(`confREJECT_MSG', `$: "confREJECT_MSG"', `$@ 5.7.1 $: "550 Access denied"') -R<DISCARD> $* $#discard $: discard +R<?> <$+> $: $>A < $1 > <?> <+ Connect> <> no: another lookup +dnl workspace: <result-of-lookup> (<>|<{client_addr}>) +R<?> <$*> $: OK found nothing +dnl workspace: <result-of-lookup> (<>|<{client_addr}>) | OK +R<$={Accept}> <$*> $@ $1 return value of lookup +R<REJECT> <$*> $#error ifdef(`confREJECT_MSG', `$: "confREJECT_MSG"', `$@ 5.7.1 $: "550 Access denied"') +R<DISCARD> <$*> $#discard $: discard dnl error tag R<ERROR:$-.$-.$-:$+> <$*> $#error $@ $1.$2.$3 $: $4 R<ERROR:$+> <$*> $#error $: $1 +ifdef(`_ATMPF_', `R<$* _ATMPF_> <$*> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') dnl generic error from access map R<$+> <$*> $#error $: $1', `dnl') ifdef(`_RBL_',`dnl # DNS based IP address spam list +dnl workspace: ignored... R$* $: $&{client_addr} -R::ffff:$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1._RBL_. $: OK $) R$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1._RBL_. $: OK $) R<?>OK $: OKSOFAR R<?>$+ $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused by blackhole site _RBL_"', 
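Review bot: the `_RBL_` block loses `R::ffff:$-.$-.$-.$- ...`, leaving only `R$-.$-.$-.$-` to build the reversed DNS query from `${client_addr}`. If an IPv4-mapped address can still arrive in the `::ffff:a.b.c.d` form, none of the remaining rules match and the client passes this block without a blackhole lookup. Please state in a dnl comment where the address is normalised now, or keep the rule.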
@@ -1529,7 +1768,7 @@ dnl workspace: < ? $&{client_name} > <user@localhost|host> dnl or: <address> dnl or: <?> <address> (thanks to u in ${daemon_flags}) R<? $=w> $* $: $2 local client: ok -R<? $+> <$+> $#error $@ 5.5.4 $: "CODE553 Real domain name required for sender address" +R<? $+> <$+> $#error $@ 5.5.4 $: "_CODE553 Real domain name required for sender address" dnl remove <?> (happens only if ${client_name} == "" or u in ${daemon_flags}) R<?> $* $: $1') dnl workspace: address (or <address>) 
@@ -1541,23 +1780,23 @@ R<?> $* < @ $+ . > <?> $1 < @ $2 > strip trailing dots R<?> $* < @ $* $=P > $: <OK> $1 < @ $2 $3 > dnl workspace <mark> CanonicalAddress where mark is ? or OK ifdef(`_ACCEPT_UNRESOLVABLE_DOMAINS_', -`R<?> $* < @ $+ > $: <OK> $1 < @ $2 > ... unresolvable OK', +`R<?> $* < @ $+ > $: <_RES_OK_> $1 < @ $2 > ... unresolvable OK', `R<?> $* < @ $+ > $: <? $(resolve $2 $: $2 <PERM> $) > $1 < @ $2 > R<? $* <$->> $* < @ $+ > $: <$2> $3 < @ $4 >') -dnl workspace <mark> CanonicalAddress where mark is ?, OK, PERM, TEMP +dnl workspace <mark> CanonicalAddress where mark is ?, _RES_OK_, PERM, TEMP dnl mark is ? iff the address is user (wo @domain) ifdef(`_ACCESS_TABLE_', `dnl # check sender address: user@address, user@, address dnl should we remove +ext from user? -dnl workspace: <mark> CanonicalAddress where mark is: ?, OK, PERM, TEMP -R<$+> $+ < @ $* > $: @<$1> <$2 < @ $3 >> $| <F:$2@$3> <U:$2@> <H:$3> +dnl workspace: <mark> CanonicalAddress where mark is: ?, _RES_OK_, PERM, TEMP +R<$+> $+ < @ $* > $: @<$1> <$2 < @ $3 >> $| <F:$2@$3> <U:$2@> <D:$3> R<$+> $+ $: @<$1> <$2> $| <U:$2@> dnl workspace: @<mark> <CanonicalAddress> $| <@type:address> .... dnl $| is used as delimiter, otherwise false matches may occur: <user<@domain>> dnl will only return user<@domain when "reversing" the args -R@ <$+> <$*> $| <$+> $: <@> <$1> <$2> $| $>SearchList <+From> $| <$3> <> +R@ <$+> <$*> $| <$+> $: <@> <$1> <$2> $| $>SearchList <+ From> $| <$3> <> dnl workspace: <@><mark> <CanonicalAddress> $| <result> R<@> <$+> <$*> $| <$*> $: <$3> <$1> <$2> reverse result dnl workspace: <result> <mark> <CanonicalAddress> 
@@ -1574,25 +1813,26 @@ ifdef(`_ACCEPT_UNQUALIFIED_SENDERS_',`dnl',`dnl dnl prepend daemon_flags R<?> $* $: $&{daemon_flags} $| <?> $1 dnl accept unqualified sender: change mark to avoid test -R$* u $* $| <?> $* $: <OK> $3 +R$* u $* $| <?> $* $: <_RES_OK_> $3 dnl remove daemon_flags R$* $| $* $: $2 R<?> $* $: < ? $&{client_name} > $1 R<?> $* $@ <OK> ...local unqualed ok -R<? $+> $* $#error $@ 5.5.4 $: "CODE553 Domain name required for sender address " $&f +R<? $+> $* $#error $@ 5.5.4 $: "_CODE553 Domain name required for sender address " $&f ...remote is not') # check results R<?> $* $: @ $1 mark address: nothing known about it -R<OK> $* $@ <OK> +R<$={ResOk}> $* $@ <_RES_OK_> domain ok: stop R<TEMP> $* $#error $@ 4.1.8 $: "451 Domain of sender address " $&f " does not resolve" -R<PERM> $* $#error $@ 5.1.8 $: "CODE553 Domain of sender address " $&f " does not exist" +R<PERM> $* $#error $@ 5.1.8 $: "_CODE553 Domain of sender address " $&f " does not exist" ifdef(`_ACCESS_TABLE_', `dnl -R<$={Accept}> $* $# $1 +R<$={Accept}> $* $# $1 accept from access map R<DISCARD> $* $#discard $: discard R<REJECT> $* $#error ifdef(`confREJECT_MSG', `$: "confREJECT_MSG"', `$@ 5.7.1 $: "550 Access denied"') dnl error tag R<ERROR:$-.$-.$-:$+> $* $#error $@ $1.$2.$3 $: $4 R<ERROR:$+> $* $#error $: $1 +ifdef(`_ATMPF_', `R<_ATMPF_> $* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') dnl generic error from access map R<$+> $* $#error $: $1 error from access db', `dnl') 
@@ -1608,27 +1848,76 @@ R$* $| $#$* $#$2 R$* $| $* $@ $>"Basic_check_rcpt" $1 SBasic_check_rcpt +# empty address? +R<> $#error $@ nouser $: "553 User address required" +R$@ $#error $@ nouser $: "553 User address required" # check for deferred delivery mode R$* $: < ${deliveryMode} > $1 R< d > $* $@ deferred R< $* > $* $: $2 ifdef(`_REQUIRE_QUAL_RCPT_', `dnl -# require qualified recipient? +dnl this code checks for user@host where host is not a FQHN. +dnl it is not activated. +dnl notice: code to check for a recipient without a domain name is +dnl available down below; look for the same macro. +dnl this check is done here because the name might be qualified by the +dnl canonicalization. +# require fully qualified domain part? +dnl very simple canonification: make sure the address is in < > R$+ $: <?> $1 -R<?><$+> $: <@> <$1> -R<?>$+ $: <@> <$1> +R<?> <$+> $: <@> <$1> +R<?> $+ $: <@> <$1> +R<@> < postmaster > $: postmaster +R<@> < $* @ $+ . $+ > $: < $3 @ $4 . $5 > dnl prepend daemon_flags -R$* $: $&{daemon_flags} $| $1 +R<@> $* $: $&{daemon_flags} $| <@> $1 dnl workspace: ${daemon_flags} $| <@> <address> dnl do not allow these at all or only from local systems? -R$* r $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 > +R$* r $* $| <@> < $* @ $* > $: < ? $&{client_name} > < $3 @ $4 > R<?> < $* > $: <$1> R<? $=w> < $* > $: <$1> -R<? $+> <$+> $#error $@ 5.5.4 $: "553 Domain name required" +R<? 
$+> <$+> $#error $@ 5.5.4 $: "553 Fully qualified domain name required" dnl remove daemon_flags for other cases R$* $| <@> $* $: $2', `dnl') +dnl ################################################################## +dnl call subroutines for recipient and relay +dnl possible returns from subroutines: +dnl $#TEMP temporary failure +dnl $#error permanent failure (or temporary if from access map) +dnl $#other stop processing +dnl RELAY RELAYing allowed +dnl other otherwise +###################################################################### +R$* $: $1 $| @ $>"Rcpt_ok" $1 +dnl temporary failure? remove mark @ and remember +R$* $| @ $#TEMP $+ $: $1 $| T $2 +dnl error or ok (stop) +R$* $| @ $#$* $#$2 +ifdef(`_PROMISCUOUS_RELAY_', `divert(-1)', `dnl') +R$* $| @ RELAY $@ RELAY +dnl something else: call check sender (relay) +R$* $| @ $* $: O $| $>"Relay_ok" $1 +dnl temporary failure: call check sender (relay) +R$* $| T $+ $: T $2 $| $>"Relay_ok" $1 +dnl temporary failure? return that +R$* $| $#TEMP $+ $#error $2 +dnl error or ok (stop) +R$* $| $#$* $#$2 +R$* $| RELAY $@ RELAY +dnl something else: return previous temp failure +R T $+ $| $* $#error $1 +# anything else is bogus +R$* $#error $@ 5.7.1 $: confRELAY_MSG +divert(0) + +###################################################################### +### Rcpt_ok: is the recipient ok? +dnl input: recipient address (RCPT TO) +dnl output: see explanation at call +###################################################################### +SRcpt_ok ifdef(`_LOOSE_RELAY_CHECK_',`dnl R$* $: $>CanonAddr $1 R$* < @ $* . > $1 < @ $2 > strip trailing dots', @@ -1641,7 +1930,7 @@ R$* < @ $* > $* $: $1 < @ $2 @@ $(bestmx $2 $) > $3', `dnl # limit bestmx to $=B R$* < @ $* $=B > $* $: $1 < @ $2 $3 @@ $(bestmx $2 $3 $) > $4') -R$* $=O $* < @ $* @@ $=w . > $* $@ $>"Basic_check_rcpt" $1 $2 $3 +R$* $=O $* < @ $* @@ $=w . > $* $@ $>"Rcpt_ok" $1 $2 $3 R$* < @ $* @@ $=w . > $* $: $1 < @ $3 > $4 R$* < @ $* @@ $* > $* $: $1 < @ $2 > $4') 
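Review bot: in the `@@ -1608,27 +1848,76 @@` hunk, the added rule `R<@> < $* @ $+ . $+ > $: < $3 @ $4 . $5 >` has three pattern operators on the left but refers to `$4` and `$5` on the right, which the left side never binds, so the rewritten address cannot be the one that was matched. It looks copied from the `R$* r $* $| <@> < $* @ $* >` rule a few lines below, where the address does start at `$3`; here it should presumably read `< $1 @ $2 . $3 >`. The block is commented as "not activated", but it should be correct before anyone defines `_REQUIRE_QUAL_RCPT_`.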
@@ -1651,50 +1940,58 @@ ifdef(`_ACCESS_TABLE_', `dnl R$* $: <?> $1 dnl user is now tagged with @ to be consistent with check_mail dnl and to distinguish users from hosts (com would be host, com@ would be user) -R<?> $+ < @ $=w > $: <> <$1 < @ $2 >> $| <F:$1@$2> <U:$1@> <H:$2> -R<?> $+ < @ $* > $: <> <$1 < @ $2 >> $| <F:$1@$2> <H:$2> +R<?> $+ < @ $=w > $: <> <$1 < @ $2 >> $| <F:$1@$2> <U:$1@> <D:$2> +R<?> $+ < @ $* > $: <> <$1 < @ $2 >> $| <F:$1@$2> <D:$2> R<?> $+ $: <> <$1> $| <U:$1@> dnl $| is used as delimiter, otherwise false matches may occur: <user<@domain>> dnl will only return user<@domain when "reversing" the args -R<> <$*> $| <$+> $: <@> <$1> $| $>SearchList <+To> $| <$2> <> +R<> <$*> $| <$+> $: <@> <$1> $| $>SearchList <+ To> $| <$2> <> R<@> <$*> $| <$*> $: <$2> <$1> reverse result R<?> <$*> $: @ $1 mark address as no match +dnl we may have to filter here because otherwise some RHSs +dnl would be interpreted as generic error messages... +dnl error messages should be "tagged" by prefixing them with error: ! +dnl that would make a lot of things easier. R<$={Accept}> <$*> $: @ $2 mark address as no match -ifdef(`_DELAY_CHECKS_',`dnl +ifdef(`_ACCESS_SKIP_', `dnl +R<SKIP> <$*> $: @ $1 mark address as no match', `dnl') +ifdef(`_DELAY_COMPAT_8_10_',`dnl +dnl compatility with 8.11/8.10: dnl we have to filter these because otherwise they would be interpreted dnl as generic error message... dnl error messages should be "tagged" by prefixing them with error: ! dnl that would make a lot of things easier. dnl maybe we should stop checks already here (if SPAM_xyx)? R<$={SpamTag}> <$*> $: @ $2 mark address as no match') -R<REJECT> $* $#error $@ 5.2.1 $: "550 Mailbox disabled for this recipient" +R<REJECT> $* $#error $@ 5.2.1 $: confRCPTREJ_MSG R<DISCARD> $* $#discard $: discard dnl error tag R<ERROR:$-.$-.$-:$+> $* $#error $@ $1.$2.$3 $: $4 R<ERROR:$+> $* $#error $: $1 +ifdef(`_ATMPF_', `R<_ATMPF_> $* $#error $@ 4.3.0 $: "451 Temporary system failure. 
Please try again later."', `dnl') dnl generic error from access map R<$+> $* $#error $: $1 error from access db R@ $* $1 remove mark', `dnl')', `dnl') -ifdef(`_PROMISCUOUS_RELAY_', `divert(-1)') -# authenticated? -dnl do this unconditionally? this requires to manage CAs carefully -dnl just because someone has a CERT signed by a "trusted" CA -dnl does not mean we want to allow relaying for her, -dnl either use a subroutine or provide something more sophisticated -dnl this could for example check the DN (maybe an access map lookup) -R$* $: $1 $| $>RelayAuth $1 $| $&{verify} client authenticated? -R$* $| $# $+ $# $2 error/ok? -R$* $| $* $: $1 no - -# authenticated by a trusted mechanism? -R$* $: $1 $| $&{auth_type} +ifdef(`_PROMISCUOUS_RELAY_', `divert(-1)', `dnl') +# authenticated via TLS? +R$* $: $1 $| $>RelayTLS client authenticated? +R$* $| $# $+ $# $2 error/ok? +R$* $| $* $: $1 no + +R$* $: $1 $| $>"Local_Relay_Auth" $&{auth_type} +dnl workspace: localpart<@domain> $| result of Local_Relay_Auth +R$* $| $# $* $# $2 +dnl if Local_Relay_Auth returns NO then do not check $={TrustAuthMech} +R$* $| NO $: $1 +R$* $| $* $: $1 $| $&{auth_type} +dnl workspace: localpart<@domain> [ $| ${auth_type} ] dnl empty ${auth_type}? R$* $| $: $1 dnl mechanism ${auth_type} accepted? dnl use $# to override further tests (delay_checks): see check_rcpt below -R$* $| $={TrustAuthMech} $# RELAYAUTH -dnl undo addition of ${auth_type} +R$* $| $={TrustAuthMech} $# RELAY +dnl remove ${auth_type} R$* $| $* $: $1 dnl workspace: localpart<@domain> | localpart ifelse(defn(`_NO_UUCP_'), `r', 
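Review bot: `R<REJECT> $* $#error $@ 5.2.1 $: confRCPTREJ_MSG` replaces a literal reply string with a bare m4 macro, unlike the `confREJECT_MSG` uses elsewhere in this patch, which are wrapped in an ifdef with a built-in "550 Access denied" fallback. Unless a default for `confRCPTREJ_MSG` is defined before this point, the macro name itself ends up as the reply text; guard it the same way or point to where the default is set.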
@@ -1702,20 +1999,21 @@ ifelse(defn(`_NO_UUCP_'), `r', R$* ! $* $: <REMOTE> $2 < @ BANG_PATH >', `dnl') # anything terminating locally is ok ifdef(`_RELAY_ENTIRE_DOMAIN_', `dnl -R$+ < @ $* $=m > $@ RELAYTO', `dnl') -R$+ < @ $=w > $@ RELAYTO +R$+ < @ $* $=m > $@ RELAY', `dnl') +R$+ < @ $=w > $@ RELAY ifdef(`_RELAY_HOSTS_ONLY_', -`R$+ < @ $=R > $@ RELAYTO +`R$+ < @ $=R > $@ RELAY ifdef(`_ACCESS_TABLE_', `dnl R$+ < @ $+ > $: <$(access To:$2 $: ? $)> <$1 < @ $2 >> dnl workspace: <Result-of-lookup | ?> <localpart<@domain>> R<?> <$+ < @ $+ >> $: <$(access $2 $: ? $)> <$1 < @ $2 >>',`dnl')', -`R$+ < @ $* $=R > $@ RELAYTO +`R$+ < @ $* $=R > $@ RELAY ifdef(`_ACCESS_TABLE_', `dnl -R$+ < @ $+ > $: $>LookUpDomain <$2> <?> <$1 < @ $2 >> <+To>',`dnl')') +R$+ < @ $+ > $: $>D <$2> <?> <+ To> <$1 < @ $2 >>',`dnl')') ifdef(`_ACCESS_TABLE_', `dnl dnl workspace: <Result-of-lookup | ?> <localpart<@domain>> -R<RELAY> $* $@ RELAYTO +R<RELAY> $* $@ RELAY +ifdef(`_ATMPF_', `R<$* _ATMPF_> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') R<$*> <$*> $: $2',`dnl') @@ -1723,8 +2021,8 @@ ifdef(`_RELAY_MX_SERVED_', `dnl # allow relaying for hosts which we MX serve R$+ < @ $+ > $: < : $(mxserved $2 $) : > $1 < @ $2 > dnl this must not necessarily happen if the client is checked first... -R< : $* <TEMP> : > $* $#error $@ 4.7.1 $: "450 Can not check MX records for recipient host " $1 -R<$* : $=w . : $*> $* $@ RELAYTO +R< : $* <TEMP> : > $* $#TEMP $@ 4.7.1 $: "450 Can not check MX records for recipient host " $1 +R<$* : $=w . : $*> $* $@ RELAY R< : $* : > $* $: $2', `dnl') @@ -1737,7 +2035,7 @@ dnl but we should accept it anyway (maybe making it an option: dnl RequireFQDN ?) dnl postmaster must be accepted without domain (DRUMS) ifdef(`_REQUIRE_QUAL_RCPT_', `dnl -R<?> postmaster $@ TOPOSTMASTER +R<?> postmaster $@ OK # require qualified recipient? dnl prepend daemon_flags R<?> $+ $: $&{daemon_flags} $| <?> $1 
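Review bot: in the `@@ -1737,7 +2035,7 @@` hunk, `R<?> postmaster $@ OK` no longer returns a value the caller accepts on its own: per the rules added to `Basic_check_rcpt`, only `RELAY` or a `$#` triple from `Rcpt_ok` ends the check there, and anything else goes on to `Relay_ok` and, failing that, to the `confRELAY_MSG` error. The dnl comment above the rule says postmaster must be accepted without a domain, so this should return `RELAY` like the other local cases changed in the hunk that follows, unless refusing it from non-relay clients is intended.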
@@ -1747,31 +2045,38 @@ dnl r flag? add client_name R$* r $* $| <?> $+ $: < ? $&{client_name} > <?> $3 dnl no r flag: relay to local user (only local part) # no qualified recipient required -R$* $| <?> $+ $@ RELAYTOLOCAL +R$* $| <?> $+ $@ RELAY dnl client_name is empty -R<?> <?> $+ $@ RELAYTOLOCAL +R<?> <?> $+ $@ RELAY dnl client_name is local -R<? $=w> <?> $+ $@ RELAYTOLOCAL +R<? $=w> <?> $+ $@ RELAY dnl client_name is not local R<? $+> $+ $#error $@ 5.5.4 $: "553 Domain name required"', `dnl dnl no qualified recipient required -R<?> $+ $@ RELAYTOLOCAL') +R<?> $+ $@ RELAY') dnl it is a remote user: remove mark and then check client R<$+> $* $: $2 dnl currently the recipient address is not used below +###################################################################### +### Relay_ok: is the relay/sender ok? +dnl input: ignored +dnl output: see explanation at call +###################################################################### +SRelay_ok # anything originating locally is ok # check IP address R$* $: $&{client_addr} -R$@ $@ RELAYFROM originated locally -R0 $@ RELAYFROM originated locally -R$=R $* $@ RELAYFROM relayable IP address +R$@ $@ RELAY originated locally +R0 $@ RELAY originated locally +R$=R $* $@ RELAY relayable IP address ifdef(`_ACCESS_TABLE_', `dnl -R$* $: $>LookUpAddress <$1> <?> <$1> <+Connect> -R<RELAY> $* $@ RELAYFROM relayable IP address +R$* $: $>A <$1> <?> <+ Connect> <$1> +R<RELAY> $* $@ RELAY relayable IP address +ifdef(`_ATMPF_', `R<_ATMPF_> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') R<$*> <$*> $: $2', `dnl') R$* $: [ $1 ] put brackets around it... -R$=w $@ RELAYFROM ... and see if it is local +R$=w $@ RELAY ... and see if it is local ifdef(`_RELAY_DB_FROM_', `define(`_RELAY_MAIL_FROM_', `1')')dnl ifdef(`_RELAY_LOCAL_FROM_', `define(`_RELAY_MAIL_FROM_', `1')')dnl 
@@ -1780,48 +2085,56 @@ dnl input: {client_addr} or something "broken" dnl just throw the input away; we do not need it. # check whether FROM is allowed to use system as relay R$* $: <?> $>CanonAddr $&f +R<?> $+ < @ $+ . > <?> $1 < @ $2 > remove trailing dot ifdef(`_RELAY_LOCAL_FROM_', `dnl # check whether local FROM is ok -R<?> $+ < @ $=w . > $@ RELAYFROMMAIL FROM local', `dnl') +R<?> $+ < @ $=w > $@ RELAY FROM local', `dnl') ifdef(`_RELAY_DB_FROM_', `dnl -R<?> $+ < @ $+ . > <?> $1 < @ $2 > remove trailing dot -R<?> $+ < @ $+ > $: $1 < @ $2 > $| $>SearchList <! From> $| <F:$1@$2> ifdef(`_RELAY_DB_FROM_DOMAIN_', `<H:$2>') <> -R$* <RELAY> $@ RELAYFROMMAIL RELAY FROM sender ok', `dnl -ifdef(`_RELAY_DB_FROM_DOMAIN_', `errprint(`*** ERROR: _RELAY_DB_FROM_DOMAIN_ requires _RELAY_DB_FROM_ +R<?> $+ < @ $+ > $: <@> $>SearchList <! From> $| <F:$1@$2> ifdef(`_RELAY_DB_FROM_DOMAIN_', `<D:$2>') <> +R<@> <RELAY> $@ RELAY RELAY FROM sender ok +ifdef(`_ATMPF_', `R<@> <_ATMPF_> $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +', `dnl +ifdef(`_RELAY_DB_FROM_DOMAIN_', +`errprint(`*** ERROR: _RELAY_DB_FROM_DOMAIN_ requires _RELAY_DB_FROM_ ')', `dnl') dnl')', `dnl') +dnl notice: the rulesets above do not leave a unique workspace behind. +dnl it does not matter in this case because the following rule ignores +dnl the input. otherwise these rules must "clean up" the workspace. # check client name: first: did it resolve? dnl input: ignored R$* $: < $&{client_resolve} > -R<TEMP> $#error $@ 4.7.1 $: "450 Relaying temporarily denied. Cannot resolve PTR record for " $&{client_addr} +R<TEMP> $#TEMP $@ 4.7.1 $: "450 Relaying temporarily denied. Cannot resolve PTR record for " $&{client_addr} R<FORGED> $#error $@ 5.7.1 $: "550 Relaying denied. IP name possibly forged " $&{client_name} R<FAIL> $#error $@ 5.7.1 $: "550 Relaying denied. 
IP name lookup failed " $&{client_name} dnl ${client_resolve} should be OK, so go ahead -R$* $: <?> $&{client_name} +R$* $: <@> $&{client_name} +dnl should not be necessary since it has been done for client_addr already +R<@> $@ RELAY +dnl workspace: <@> ${client_name} (not empty) # pass to name server to make hostname canonical -R<?> $* $~P $:<?> $[ $1 $2 $] +R<@> $* $=P $:<?> $1 $2 +R<@> $+ $:<?> $[ $1 $] +dnl workspace: <?> ${client_name} (canonified) R$* . $1 strip trailing dots -dnl should not be necessary since it has been done for client_addr already -R<?> $@ RELAYFROM ifdef(`_RELAY_ENTIRE_DOMAIN_', `dnl -R<?> $* $=m $@ RELAYFROM', `dnl') -R<?> $=w $@ RELAYFROM +R<?> $* $=m $@ RELAY', `dnl') +R<?> $=w $@ RELAY ifdef(`_RELAY_HOSTS_ONLY_', -`R<?> $=R $@ RELAYFROM +`R<?> $=R $@ RELAY ifdef(`_ACCESS_TABLE_', `dnl R<?> $* $: <$(access Connect:$1 $: ? $)> <$1> R<?> <$*> $: <$(access $1 $: ? $)> <$1>',`dnl')', -`R<?> $* $=R $@ RELAYFROM +`R<?> $* $=R $@ RELAY ifdef(`_ACCESS_TABLE_', `dnl -R<?> $* $: $>LookUpDomain <$1> <?> <$1> <+Connect>',`dnl')') +R<?> $* $: $>D <$1> <?> <+ Connect> <$1>',`dnl')') ifdef(`_ACCESS_TABLE_', `dnl -R<RELAY> $* $@ RELAYFROM +R<RELAY> $* $@ RELAY +ifdef(`_ATMPF_', `R<$* _ATMPF_> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') R<$*> <$*> $: $2',`dnl') - -# anything else is bogus -R$* $#error $@ 5.7.1 $: confRELAY_MSG +dnl end of _PROMISCUOUS_RELAY_ divert(0) ifdef(`_DELAY_CHECKS_',`dnl # turn a canonical address in the form user<@domain> 
@@ -1849,11 +2162,11 @@ ifdef(`_ACCESS_TABLE_', `', dnl one of the next two rules is supposed to match dnl this code has been copied from BLACKLIST... etc dnl and simplified by omitting some < >. -R<?> $+ < @ $=w > $: <> $1 < @ $2 > $| <F: $1@$2 > <U: $1@> -R<?> $+ < @ $* > $: <> $1 < @ $2 > $| <F: $1@$2 > +R<?> $+ < @ $=w > $: <> $1 < @ $2 > $| <F: $1@$2 > <D: $2 > <U: $1@> +R<?> $+ < @ $* > $: <> $1 < @ $2 > $| <F: $1@$2 > <D: $2 > dnl R<?> $@ something_is_very_wrong_here -# lookup the addresses only with To tag -R<> $* $| <$+> $: <@> $1 $| $>SearchList <!To> $| <$2> <> +# lookup the addresses only with Spam tag +R<> $* $| <$+> $: <@> $1 $| $>SearchList <! Spam> $| <$2> <> R<@> $* $| $* $: $2 $1 reverse result dnl', `dnl') ifdef(`_SPAM_FRIEND_', @@ -1861,12 +2174,12 @@ ifdef(`_SPAM_FRIEND_', ifdef(`_SPAM_HATER_', `errprint(`*** ERROR: define either SpamHater or SpamFriend ')', `dnl') -R<SPAMFRIEND> $+ $@ SPAMFRIEND +R<FRIEND> $+ $@ SPAMFRIEND R<$*> $+ $: $2', `dnl') ifdef(`_SPAM_HATER_', `# is the recipient no spam hater? -R<SPAMHATER> $+ $: $1 spam hater: continue checks +R<HATER> $+ $: $1 spam hater: continue checks R<$*> $+ $@ NOSPAMHATER everyone else: stop dnl',`dnl') dnl run further checks: check_mail 
@@ -1878,7 +2191,144 @@ R$* $: $1 $| $>checkrelay $&{client_name} $| $&{client_addr} R$* $| $#$* $#$2 R$* $| $* $: $1 ', `dnl') -ifdef(`_ACCESS_TABLE_', `dnl + +ifdef(`_ACCESS_TABLE_', `dnl', `divert(-1)') +###################################################################### +### F: LookUpFull -- search for an entry in access database +### +### lookup of full key (which should be an address) and +### variations if +detail exists: +* and without +detail +### +### Parameters: +### <$1> -- key +### <$2> -- default (what to return if not found in db) +dnl must not be empty +### <$3> -- mark (must be <(!|+) single-token>) +### ! does lookup only with tag +### + does lookup with and without tag +### <$4> -- passthru (additional data passed unchanged through) +dnl returns: <default> <passthru> +dnl <result> <passthru> +###################################################################### + +SF +dnl workspace: <key> <def> <o tag> <thru> +dnl full lookup +dnl 2 3 4 5 +R<$+> <$*> <$- $-> <$*> $: <$(access $4`'_TAG_DELIM_`'$1 $: ? $)> <$1> <$2> <$3 $4> <$5> +dnl no match, try without tag +dnl 1 2 3 4 +R<?> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4> +dnl no match, +detail: try +* +dnl 1 2 3 4 5 6 7 +R<?> <$+ + $* @ $+> <$*> <$- $-> <$*> + $: <$(access $6`'_TAG_DELIM_`'$1+*@$3 $: ? $)> <$1+$2@$3> <$4> <$5 $6> <$7> +dnl no match, +detail: try +* without tag +dnl 1 2 3 4 5 6 +R<?> <$+ + $* @ $+> <$*> <+ $-> <$*> + $: <$(access $1+*@$3 $: ? $)> <$1+$2@$3> <$4> <+ $5> <$6> +dnl no match, +detail: try without +detail +dnl 1 2 3 4 5 6 7 +R<?> <$+ + $* @ $+> <$*> <$- $-> <$*> + $: <$(access $6`'_TAG_DELIM_`'$1@$3 $: ? $)> <$1+$2@$3> <$4> <$5 $6> <$7> +dnl no match, +detail: try without +detail and without tag +dnl 1 2 3 4 5 6 +R<?> <$+ + $* @ $+> <$*> <+ $-> <$*> + $: <$(access $1@$3 $: ? $)> <$1+$2@$3> <$4> <+ $5> <$6> +dnl no match, return <default> <passthru> +dnl 1 2 3 4 5 +R<?> <$+> <$*> <$- $-> <$*> $@ <$2> <$5> +ifdef(`_ATMPF_', `dnl tempfail? 
+dnl 2 3 4 5 +R<$+ _ATMPF_> <$*> <$- $-> <$*> $@ <_ATMPF_> <$5>', `dnl') +dnl match, return <match> <passthru> +dnl 2 3 4 5 +R<$+> <$*> <$- $-> <$*> $@ <$1> <$5> + +###################################################################### +### E: LookUpExact -- search for an entry in access database +### +### Parameters: +### <$1> -- key +### <$2> -- default (what to return if not found in db) +dnl must not be empty +### <$3> -- mark (must be <(!|+) single-token>) +### ! does lookup only with tag +### + does lookup with and without tag +### <$4> -- passthru (additional data passed unchanged through) +dnl returns: <default> <passthru> +dnl <result> <passthru> +###################################################################### + +SE +dnl 2 3 4 5 +R<$*> <$*> <$- $-> <$*> $: <$(access $4`'_TAG_DELIM_`'$1 $: ? $)> <$1> <$2> <$3 $4> <$5> +dnl no match, try without tag +dnl 1 2 3 4 +R<?> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4> +dnl no match, return default passthru +dnl 1 2 3 4 5 +R<?> <$+> <$*> <$- $-> <$*> $@ <$2> <$5> +ifdef(`_ATMPF_', `dnl tempfail? +dnl 2 3 4 5 +R<$+ _ATMPF_> <$*> <$- $-> <$*> $@ <_ATMPF_> <$5>', `dnl') +dnl match, return <match> <passthru> +dnl 2 3 4 5 +R<$+> <$*> <$- $-> <$*> $@ <$1> <$5> + +###################################################################### +### U: LookUpUser -- search for an entry in access database +### +### lookup of key (which should be a local part) and +### variations if +detail exists: +* and without +detail +### +### Parameters: +### <$1> -- key (user@) +### <$2> -- default (what to return if not found in db) +dnl must not be empty +### <$3> -- mark (must be <(!|+) single-token>) +### ! 
does lookup only with tag +### + does lookup with and without tag +### <$4> -- passthru (additional data passed unchanged through) +dnl returns: <default> <passthru> +dnl <result> <passthru> +###################################################################### + +SU +dnl user lookups are always with trailing @ +dnl 2 3 4 5 +R<$+> <$*> <$- $-> <$*> $: <$(access $4`'_TAG_DELIM_`'$1 $: ? $)> <$1> <$2> <$3 $4> <$5> +dnl no match, try without tag +dnl 1 2 3 4 +R<?> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4> +dnl do not remove the @ from the lookup: +dnl it is part of the +detail@ which is omitted for the lookup +dnl no match, +detail: try +* +dnl 1 2 3 4 5 6 +R<?> <$+ + $* @> <$*> <$- $-> <$*> + $: <$(access $5`'_TAG_DELIM_`'$1+*@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6> +dnl no match, +detail: try +* without tag +dnl 1 2 3 4 5 +R<?> <$+ + $* @> <$*> <+ $-> <$*> + $: <$(access $1+*@ $: ? $)> <$1+$2@> <$3> <+ $4> <$5> +dnl no match, +detail: try without +detail +dnl 1 2 3 4 5 6 +R<?> <$+ + $* @> <$*> <$- $-> <$*> + $: <$(access $5`'_TAG_DELIM_`'$1@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6> +dnl no match, +detail: try without +detail and without tag +dnl 1 2 3 4 5 +R<?> <$+ + $* @> <$*> <+ $-> <$*> + $: <$(access $1@ $: ? $)> <$1+$2@> <$3> <+ $4> <$5> +dnl no match, return <default> <passthru> +dnl 1 2 3 4 5 +R<?> <$+> <$*> <$- $-> <$*> $@ <$2> <$5> +ifdef(`_ATMPF_', `dnl tempfail? +dnl 2 3 4 5 +R<$+ _ATMPF_> <$*> <$- $-> <$*> $@ <_ATMPF_> <$5>', `dnl') +dnl match, return <match> <passthru> +dnl 2 3 4 5 +R<$+> <$*> <$- $-> <$*> $@ <$1> <$5> + ###################################################################### ### SearchList: search a list of items in the access map ### Parameters: 
@@ -1887,7 +2337,7 @@ dnl maybe we should have a @ (again) in front of the mark to dnl avoid errorneous matches (with error messages?) dnl if we can make sure that tag is always a single token dnl then we can omit the delimiter $|, otherwise we need it -dnl to avoid errorneous matchs (first rule: H: if there +dnl to avoid errorneous matchs (first rule: D: if there dnl is that mark somewhere in the list, it will be taken). dnl moreover, we can do some tricks to enforce lookup with dnl the tag only, e.g.: @@ -1897,7 +2347,7 @@ dnl the tag only, e.g.: dnl Warning: + and ! should be in OperatorChars (otherwise there must be dnl a blank between them and the tag. ### possible values for "mark" are: -### H: recursive host lookup (LookUpDomain) +### D: recursive host lookup (LookUpDomain) dnl A: recursive address lookup (LookUpAddress) [not yet required] ### E: exact lookup, no modifications ### F: full lookup, try user+ext@domain and user@domain 
@@ -1907,42 +2357,32 @@ dnl A: recursive address lookup (LookUpAddress) [not yet required] # class with valid marks for SearchList dnl if A is activated: add it -C{src}E F H U +C{src}E F D U ifdef(`_FFR_SRCHLIST_A', `A') SSearchList -# mark H: lookup domain -R<$+> $| <H:$+> <$*> $: <$1> $| <@> $>LookUpDomain <$2> <?> <$3> <$1> -R<$+> $| <@> <$+> <$*> $: <$1> $| <$2> <$3> -dnl A: NOT YET REQUIRED -dnl R<$+> $| <A:$+> <$*> $: <$1> $| <@> $>LookUpAddress <$2> <?> <$3> <$1> -dnl R<$+> $| <@> <$+> <$*> $: <$1> $| <$2> <$3> -dnl lookup of the item with tag -dnl this applies to F: U: E: -R<$- $-> $| <$={src}:$+> <$*> $: <$1 $2> $| <$(access $2`'_TAG_DELIM_`'$4 $: $3:$4 $)> <$5> -dnl no match, try without tag -R<+ $-> $| <$={src}:$+> <$*> $: <+ $1> $| <$(access $3 $: $2:$3 $)> <$4> -dnl do we really have to distinguish these cases? -dnl probably yes, there might be a + in the domain part (is that allowed?) -dnl user+detail lookups: should it be: -dnl user+detail, user+*, user; just like aliases? -R<$- $-> $| <F:$* + $*@$+> <$*> $: <$1 $2> $| <$(access $2`'_TAG_DELIM_`'$3@$5 $: F:$3 + $4@$5$)> <$6> -R<+ $-> $| <F:$* + $*@$+> <$*> $: <+ $1> $| <$(access $2@$4 $: F:$2 + $3@$4$)> <$5> -dnl user lookups are always with trailing @ -dnl do not remove the @ from the lookup: -dnl it is part of the +detail@ which is omitted for the lookup -R<$- $-> $| <U:$* + $*> <$*> $: <$1 $2> $| <$(access $2`'_TAG_DELIM_`'$3@ $: U:$3 + $4$)> <$5> -dnl no match, try without tag -R<+ $-> $| <U:$* + $*> <$*> $: <+ $1> $| <$(access $2@ $: U:$2 + $3$)> <$4> -dnl no match, try rest of list -R<$+> $| <$={src}:$+> <$+> $@ $>SearchList <$1> $| <$4> -dnl no match, list empty: return failure -R<$+> $| <$={src}:$+> <> $@ <?> -dnl got result, return it -R<$+> $| <$+> <$*> $@ <$2> +# just call the ruleset with the name of the tag... nice trick... 
+dnl 2 3 4 +R<$+> $| <$={src}:$*> <$*> $: <$1> $| <$4> $| $>$2 <$3> <?> <$1> <> +dnl workspace: <o tag> $| <rest> $| <result of lookup> <> +dnl no match and nothing left: return +R<$+> $| <> $| <?> <> $@ <?> +dnl no match but something left: continue +R<$+> $| <$+> $| <?> <> $@ $>SearchList <$1> $| <$2> +dnl match: return +R<$+> $| <$*> $| <$+> <> $@ <$3> dnl return result from recursive invocation -R<$+> $| <$+> $@ <$2>', `dnl') +R<$+> $| <$+> $@ <$2> +dnl endif _ACCESS_TABLE_ +divert(0) + +###################################################################### +### trust_auth: is user trusted to authenticate as someone else? +### +### Parameters: +### $1: AUTH= parameter from MAIL command +###################################################################### -# is user trusted to authenticate as someone else? -dnl AUTH= parameter from MAIL command +dnl empty ruleset definition so it can be called +SLocal_trust_auth Strust_auth R$* $: $&{auth_type} $| $1 # required by RFC 2554 section 4. 
@@ -1956,111 +2396,288 @@ R$* $| $#$* $#$2 dnl default: error R$* $#error $@ 5.7.1 $: "550 " $&{auth_authen} " not allowed to act as " $&{auth_author} -dnl empty ruleset definition so it can be called -SLocal_trust_auth +###################################################################### +### Relay_Auth: allow relaying based on authentication? +### +### Parameters: +### $1: ${auth_type} +###################################################################### +SLocal_Relay_Auth -ifdef(`_FFR_TLS_O_T', `dnl -Soffer_tls -R$* $: $>LookUpDomain <$&{client_name}> <?> <> <! TLS_OFF_TAG> -R<?>$* $: $>LookUpAddress <$&{client_addr}> <?> <> <! TLS_OFF_TAG> -R<?>$* $: <$(access TLS_OFF_TAG: $: ? $)> +ifdef(`_ACCESS_TABLE_', `dnl +###################################################################### +### srv_features: which features to offer to a client? +### (done in server) +###################################################################### +Ssrv_features +ifdef(`_LOCAL_SRV_FEATURES_', `dnl +R$* $: $1 $| $>"Local_srv_features" $1 +R$* $| $#$* $#$2 +R$* $| $* $: $1', `dnl') +R$* $: $>D <$&{client_name}> <?> <! SRV_FEAT_TAG> <> +R<?>$* $: $>A <$&{client_addr}> <?> <! SRV_FEAT_TAG> <> +R<?>$* $: <$(access SRV_FEAT_TAG: $: ? $)> R<?>$* $@ OK -R<NO> <> $#error $@ 5.7.1 $: "550 do not offer TLS for " $&{client_name} " ["$&{client_addr}"]" +ifdef(`_ATMPF_', `dnl tempfail? +R<$* _ATMPF_>$* $#temp', `dnl') +R<$+>$* $# $1 +###################################################################### +### try_tls: try to use STARTTLS? +### (done in client) +###################################################################### Stry_tls -R$* $: $>LookUpDomain <$&{server_name}> <?> <> <! TLS_TRY_TAG> -R<?>$* $: $>LookUpAddress <$&{server_addr}> <?> <> <! TLS_TRY_TAG> +ifdef(`_LOCAL_TRY_TLS_', `dnl +R$* $: $1 $| $>"Local_try_tls" $1 +R$* $| $#$* $#$2 +R$* $| $* $: $1', `dnl') +R$* $: $>D <$&{server_name}> <?> <! TLS_TRY_TAG> <> +R<?>$* $: $>A <$&{server_addr}> <?> <! 
TLS_TRY_TAG> <> R<?>$* $: <$(access TLS_TRY_TAG: $: ? $)> R<?>$* $@ OK +ifdef(`_ATMPF_', `dnl tempfail? +R<$* _ATMPF_>$* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') R<NO>$* $#error $@ 5.7.1 $: "550 do not try TLS with " $&{server_name} " ["$&{server_addr}"]" -')dnl + +###################################################################### +### tls_rcpt: is connection with server "good" enough? +### (done in client, per recipient) +dnl called from deliver() before RCPT command +### +### Parameters: +### $1: recipient +###################################################################### +Stls_rcpt +ifdef(`_LOCAL_TLS_RCPT_', `dnl +R$* $: $1 $| $>"Local_tls_rcpt" $1 +R$* $| $#$* $#$2 +R$* $| $* $: $1', `dnl') +dnl store name of other side +R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1 +dnl canonify recipient address +R$+ $: <?> $>CanonAddr $1 +dnl strip trailing dots +R<?> $+ < @ $+ . > <?> $1 <@ $2 > +dnl full address? +R<?> $+ < @ $+ > $: $1 <@ $2 > $| <F:$1@$2> <U:$1@> <D:$2> <E:> +dnl only localpart? +R<?> $+ $: $1 $| <U:$1@> <E:> +dnl look it up +dnl also look up a default value via E: +R$* $| $+ $: $1 $| $>SearchList <! TLS_RCPT_TAG> $| $2 <> +dnl found nothing: stop here +R$* $| <?> $@ OK +ifdef(`_ATMPF_', `dnl tempfail? +R$* $| <$* _ATMPF_> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +dnl use the generic routine (for now) +R$* $| <$+> $@ $>"TLS_connection" $&{verify} $| <$2>') -# is connection with client "good" enough? (done in server) -# input: ${verify} $| (MAIL|STARTTLS) +###################################################################### +### tls_client: is connection with client "good" enough? 
+### (done in server) +### +### Parameters: +### ${verify} $| (MAIL|STARTTLS) +###################################################################### dnl MAIL: called from check_mail dnl STARTTLS: called from smtp() after STARTTLS has been accepted Stls_client +ifdef(`_LOCAL_TLS_CLIENT_', `dnl +R$* $: $1 $| $>"Local_tls_client" $1 +R$* $| $#$* $#$2 +R$* $| $* $: $1', `dnl') ifdef(`_ACCESS_TABLE_', `dnl +dnl store name of other side +R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1 dnl ignore second arg for now dnl maybe use it to distinguish permanent/temporary error? dnl if MAIL: permanent (STARTTLS has not been offered) dnl if STARTTLS: temporary (offered but maybe failed) -R$* $| $* $: $1 $| $>LookUpDomain <$&{client_name}> <?> <> <! TLS_CLT_TAG> -R$* $| <?>$* $: $1 $| $>LookUpAddress <$&{client_addr}> <?> <> <! TLS_CLT_TAG> +R$* $| $* $: $1 $| $>D <$&{client_name}> <?> <! TLS_CLT_TAG> <> +R$* $| <?>$* $: $1 $| $>A <$&{client_addr}> <?> <! TLS_CLT_TAG> <> dnl do a default lookup: just TLS_CLT_TAG R$* $| <?>$* $: $1 $| <$(access TLS_CLT_TAG`'_TAG_DELIM_ $: ? $)> -R$* $@ $>"tls_connection" $1', `dnl -R$* $| $* $@ $>"tls_connection" $1') +ifdef(`_ATMPF_', `dnl tempfail? +R$* $| <$* _ATMPF_> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +R$* $@ $>"TLS_connection" $1', `dnl +R$* $| $* $@ $>"TLS_connection" $1') -# is connection with server "good" enough? (done in client) +###################################################################### +### tls_server: is connection with server "good" enough? +### (done in client) +### +### Parameter: +### ${verify} +###################################################################### dnl i.e. has the server been authenticated and is encryption active? 
dnl called from deliver() after STARTTLS command -# input: ${verify} Stls_server +ifdef(`_LOCAL_TLS_SERVER_', `dnl +R$* $: $1 $| $>"Local_tls_server" $1 +R$* $| $#$* $#$2 +R$* $| $* $: $1', `dnl') ifdef(`_ACCESS_TABLE_', `dnl -R$* $: $1 $| $>LookUpDomain <$&{server_name}> <?> <> <! TLS_SRV_TAG> -R$* $| <?>$* $: $1 $| $>LookUpAddress <$&{server_addr}> <?> <> <! TLS_SRV_TAG> +dnl store name of other side +R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1 +R$* $: $1 $| $>D <$&{server_name}> <?> <! TLS_SRV_TAG> <> +R$* $| <?>$* $: $1 $| $>A <$&{server_addr}> <?> <! TLS_SRV_TAG> <> dnl do a default lookup: just TLS_SRV_TAG R$* $| <?>$* $: $1 $| <$(access TLS_SRV_TAG`'_TAG_DELIM_ $: ? $)> -R$* $@ $>"tls_connection" $1', `dnl -R$* $@ $>"tls_connection" $1') +ifdef(`_ATMPF_', `dnl tempfail? +R$* $| <$* _ATMPF_> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +R$* $@ $>"TLS_connection" $1', `dnl +R$* $@ $>"TLS_connection" $1') -Stls_connection +###################################################################### +### TLS_connection: is TLS connection "good" enough? +### +### Parameters: ifdef(`_ACCESS_TABLE_', `dnl +### ${verify} $| <Requirement> [<>]', `dnl +### ${verify}') +### Requirement: RHS from access map, may be ? for none. +dnl syntax for Requirement: +dnl [(PERM|TEMP)+] (VERIFY[:bits]|ENCR:bits) [+extensions] +dnl extensions: could be a list of further requirements +dnl for now: CN:string {cn_subject} == string +###################################################################### +STLS_connection +ifdef(`_ACCESS_TABLE_', `dnl', `dnl use default error +dnl deal with TLS handshake failures: abort +RSOFTWARE $#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') TLS handshake." 
+divert(-1)') dnl common ruleset for tls_{client|server} -dnl input: $&{verify} $| <ResultOfLookup> [<>] +dnl input: ${verify} $| <ResultOfLookup> [<>] dnl remove optional <> R$* $| <$*>$* $: $1 $| <$2> +dnl workspace: ${verify} $| <ResultOfLookup> +# create the appropriate error codes dnl permanent or temporary error? R$* $| <PERM + $={tls} $*> $: $1 $| <503:5.7.0> <$2 $3> R$* $| <TEMP + $={tls} $*> $: $1 $| <403:4.7.0> <$2 $3> dnl default case depends on TLS_PERM_ERR R$* $| <$={tls} $*> $: $1 $| <ifdef(`TLS_PERM_ERR', `503:5.7.0', `403:4.7.0')> <$2 $3> -dnl deal with TLS handshake failures: abort +dnl workspace: ${verify} $| [<SMTP:ESC>] <ResultOfLookup> +# deal with TLS handshake failures: abort RSOFTWARE $| <$-:$+> $* $#error $@ $2 $: $1 " TLS handshake failed." dnl no <reply:dns> i.e. not requirements in the access map dnl use default error RSOFTWARE $| $* $#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') TLS handshake failed." -R$* $| <$*> <VERIFY> $: <$2> <VERIFY> $1 -R$* $| <$*> <$={tls}:$->$* $: <$2> <$3:$4> $1 +R$* $| <$*> <VERIFY> $: <$2> <VERIFY> <> $1 +dnl separate optional requirements +R$* $| <$*> <VERIFY + $+> $: <$2> <VERIFY> <$3> $1 +R$* $| <$*> <$={tls}:$->$* $: <$2> <$3:$4> <> $1 +dnl separate optional requirements +R$* $| <$*> <$={tls}:$- + $+>$* $: <$2> <$3:$4> <$5> $1 dnl some other value in access map: accept dnl this also allows to override the default case (if used) R$* $| $* $@ OK # authentication required: give appropriate error # other side did authenticate (via STARTTLS) -dnl workspace: <SMTP:ESC> <{VERIFY,ENCR}[:BITS]> ${verify} +dnl workspace: <SMTP:ESC> <{VERIFY,ENCR}[:BITS]> <[extensions]> ${verify} dnl only verification required and it succeeded -R<$*><VERIFY> OK $@ OK +R<$*><VERIFY> <> OK $@ OK +dnl verification required and it succeeded but extensions are given +dnl change it to <SMTP:ESC> <REQ:0> <extensions> +R<$*><VERIFY> <$+> OK $: <$1> <REQ:0> <$2> dnl verification required + some 
level of encryption -R<$*><VERIFY:$-> OK $: <$1> <REQ:$2> +R<$*><VERIFY:$-> <$*> OK $: <$1> <REQ:$2> <$3> dnl just some level of encryption required -R<$*><ENCR:$-> $* $: <$1> <REQ:$2> -dnl verification required but ${verify} is not set -R<$-:$+><VERIFY $*> $#error $@ $2 $: $1 " authentication required" -R<$-:$+><VERIFY $*> FAIL $#error $@ $2 $: $1 " authentication failed" -R<$-:$+><VERIFY $*> NO $#error $@ $2 $: $1 " not authenticated" -R<$-:$+><VERIFY $*> NONE $#error $@ $2 $: $1 " other side does not support STARTTLS" +R<$*><ENCR:$-> <$*> $* $: <$1> <REQ:$2> <$3> +dnl workspace: +dnl 1. <SMTP:ESC> <VERIFY [:bits]> <[extensions]> {verify} (!= OK) +dnl 2. <SMTP:ESC> <REQ:bits> <[extensions]> +dnl verification required but ${verify} is not set (case 1.) +R<$-:$+><VERIFY $*> <$*> $#error $@ $2 $: $1 " authentication required" +R<$-:$+><VERIFY $*> <$*> FAIL $#error $@ $2 $: $1 " authentication failed" +R<$-:$+><VERIFY $*> <$*> NO $#error $@ $2 $: $1 " not authenticated" +R<$-:$+><VERIFY $*> <$*> NOT $#error $@ $2 $: $1 " no authentication requested" +R<$-:$+><VERIFY $*> <$*> NONE $#error $@ $2 $: $1 " other side does not support STARTTLS" dnl some other value for ${verify} -R<$-:$+><VERIFY $*> $+ $#error $@ $2 $: $1 " authentication failure " $4 -dnl some level of encryption required: get the maximum level -R<$*><REQ:$-> $: <$1> <REQ:$2> $>max $&{cipher_bits} : $&{auth_ssf} +R<$-:$+><VERIFY $*> <$*> $+ $#error $@ $2 $: $1 " authentication failure " $4 +dnl some level of encryption required: get the maximum level (case 2.) 
+R<$*><REQ:$-> <$*> $: <$1> <REQ:$2> <$3> $>max $&{cipher_bits} : $&{auth_ssf} dnl compare required bits with actual bits -R<$*><REQ:$-> $- $: <$1> <$2:$3> $(arith l $@ $3 $@ $2 $) -R<$-:$+><$-:$-> TRUE $#error $@ $2 $: $1 " encryption too weak " $4 " less than " $3 +R<$*><REQ:$-> <$*> $- $: <$1> <$2:$4> <$3> $(arith l $@ $4 $@ $2 $) +R<$-:$+><$-:$-> <$*> TRUE $#error $@ $2 $: $1 " encryption too weak " $4 " less than " $3 +dnl strength requirements fulfilled +dnl TLS Additional Requirements Separator +dnl this should be something which does not appear in the extensions itself +dnl @ could be part of a CN, DN, etc... +dnl use < > ? those are encoded in CN, DN, ... +define(`_TLS_ARS_', `++')dnl +dnl workspace: +dnl <SMTP:ESC> <REQ:bits> <extensions> result-of-compare +R<$-:$+><$-:$-> <$*> $* $: <$1:$2 _TLS_ARS_ $5> +dnl workspace: <SMTP:ESC _TLS_ARS_ extensions> +dnl continue: check extensions +R<$-:$+ _TLS_ARS_ > $@ OK +dnl split extensions into own list +R<$-:$+ _TLS_ARS_ $+ > $: <$1:$2> <$3> +R<$-:$+> < $+ _TLS_ARS_ $+ > <$1:$2> <$3> <$4> +R<$-:$+> $+ $@ $>"TLS_req" $3 $| <$1:$2> +###################################################################### +### TLS_req: check additional TLS requirements +### +### Parameters: [<list> <of> <req>] $| <$-:$+> +### $-: SMTP reply code +### $+: Enhanced Status Code +dnl further requirements for this ruleset: +dnl name of "other side" is stored is {TLS_name} (client/server_name) +dnl +dnl currently only CN[:common_name] is implemented +dnl right now this is only a logical AND +dnl i.e. all requirements must be true +dnl how about an OR? CN must be X or CN must be Y or .. +dnl use a macro to compute this as a trivial sequential +dnl operations (no precedences etc)? 
+###################################################################### +STLS_req +dnl no additional requirements: ok +R $| $+ $@ OK +dnl require CN: but no CN specified: use name of other side +R<CN> $* $| <$+> $: <CN:$&{TLS_Name}> $1 $| <$2> +dnl match, check rest +R<CN:$&{cn_subject}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2> +dnl CN does not match +dnl 1 2 3 4 +R<CN:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " CN " $&{cn_subject} " does not match " $1 +dnl cert subject +R<CS:$&{cert_subject}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2> +dnl CS does not match +dnl 1 2 3 4 +R<CS:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " CERT Subject " $&{cert_subject} " does not match " $1 +dnl match, check rest +R<CI:$&{cert_issuer}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2> +dnl CI does not match +dnl 1 2 3 4 +R<CI:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " CERT Issuer " $&{cert_issuer} " does not match " $1 +dnl return from recursive call +ROK $@ OK + +###################################################################### +### max: return the maximum of two values separated by : +### +### Parameters: [$-]:[$-] +###################################################################### Smax -dnl compute the max of two values separated by : R: $: 0 R:$- $: $1 R$-: $: $1 R$-:$- $: $(arith l $@ $1 $@ $2 $) : $1 : $2 RTRUE:$-:$- $: $2 -R$-:$-:$- $: $2', -`dnl use default error -dnl deal with TLS handshake failures: abort -RSOFTWARE $#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') TLS handshake."') +R$-:$-:$- $: $2 +dnl endif _ACCESS_TABLE_ +divert(0) -SRelayAuth +###################################################################### +### RelayTLS: allow relaying based on TLS authentication +### +### Parameters: +### none +###################################################################### +SRelayTLS # authenticated? dnl we do not allow relaying for anyone who can present a cert dnl signed by a "trusted" CA. For example, even if we put verisigns 
@@ -2073,24 +2690,54 @@ dnl (maybe after extracting a part with a regular expression) dnl if this returns RELAY we relay without further questions dnl if it returns SUBJECT we perform a similar check on the dnl cert subject. -R$* $| OK $: $1 -R$* $| $* $@ NO not authenticated ifdef(`_ACCESS_TABLE_', `dnl +R$* $: <?> $&{verify} +R<?> OK $: OK authenticated: continue +R<?> $* $@ NO not authenticated ifdef(`_CERT_REGEX_ISSUER_', `dnl -R$* $: $1 $| $(CERTIssuer $&{cert_issuer} $)', -`R$* $: $1 $| $&{cert_issuer}') -R$* $| $+ $: $1 $| $(access CERTISSUER:$2 $) +R$* $: $(CERTIssuer $&{cert_issuer} $)', +`R$* $: $&{cert_issuer}') +R$+ $: $(access CERTISSUER:$1 $) dnl use $# to stop further checks (delay_check) -R$* $| RELAY $# RELAYCERTISSUER +RRELAY $# RELAY ifdef(`_CERT_REGEX_SUBJECT_', `dnl -R$* $| SUBJECT $: $1 $| <@> $(CERTSubject $&{cert_subject} $)', -`R$* $| SUBJECT $: $1 $| <@> $&{cert_subject}') -R$* $| <@> $+ $: $1 $| <@> $(access CERTSUBJECT:$2 $) -R$* $| <@> RELAY $# RELAYCERTSUBJECT -R$* $| $* $: $1', `dnl') +RSUBJECT $: <@> $(CERTSubject $&{cert_subject} $)', +`RSUBJECT $: <@> $&{cert_subject}') +R<@> $+ $: <@> $(access CERTSUBJECT:$1 $) +R<@> RELAY $# RELAY +R$* $: NO', `dnl') + +###################################################################### +### authinfo: lookup authinfo in the access map +### +### Parameters: +### $1: {server_name} +### $2: {server_addr} +dnl both are currently ignored +dnl if it should be done via another map, we either need to restrict +dnl functionality (it calls D and A) or copy those rulesets (or add another +dnl parameter which I want to avoid, it's quite complex already) +###################################################################### +dnl omit this ruleset if neither is defined? +dnl it causes DefaultAuthInfo to be ignored +dnl (which may be considered a good thing). +Sauthinfo +ifdef(`_AUTHINFO_TABLE_', `dnl +R$* $: <$(authinfo AuthInfo:$&{server_name} $: ? $)> +R<?> $: <$(authinfo AuthInfo:$&{server_addr} $: ? 
$)> +R<?> $: <$(authinfo AuthInfo: $: ? $)> +R<?> $@ no no authinfo available +R<$*> $# $1 +dnl', `dnl +ifdef(`_ACCESS_TABLE_', `dnl +R$* $: $1 $| $>D <$&{server_name}> <?> <! AuthInfo> <> +R$* $| <?>$* $: $1 $| $>A <$&{server_addr}> <?> <! AuthInfo> <> +R$* $| <?>$* $: $1 $| <$(access AuthInfo: $: ? $)> <> +R$* $| <?>$* $@ no no authinfo available +R$* $| <$*> <> $# $2 +dnl', `dnl')') undivert(9)dnl LOCAL_RULESETS -ifdef(`_FFR_MILTER', ` # ###################################################################### ###################################################################### @@ -2099,7 +2746,7 @@ ifdef(`_FFR_MILTER', ` ##### ###################################################################### ###################################################################### -_MAIL_FILTERS_') +_MAIL_FILTERS_ # ###################################################################### ###################################################################### diff --git a/gnu/usr.sbin/sendmail/cf/m4/version.m4 b/gnu/usr.sbin/sendmail/cf/m4/version.m4 index 366d1d8c144..d4b63a5fc5f 100644 --- a/gnu/usr.sbin/sendmail/cf/m4/version.m4 +++ b/gnu/usr.sbin/sendmail/cf/m4/version.m4 @@ -11,8 +11,8 @@ divert(-1) # the sendmail distribution. # # -VERSIONID(`$Sendmail: version.m4,v 8.39.4.35 2001/08/20 14:45:34 gshapiro Exp $') +VERSIONID(`$Sendmail: version.m4,v 8.71 2001/09/07 20:59:45 ca Exp $') # divert(0) # Configuration version number -DZ8.11.6`'ifdef(`confCF_VERSION', `/confCF_VERSION') +DZ8.12.0`'ifdef(`confCF_VERSION', `/confCF_VERSION') diff --git a/gnu/usr.sbin/sendmail/cf/mailer/cyrus.m4 b/gnu/usr.sbin/sendmail/cf/mailer/cyrus.m4 index 384d26a798a..16eed11d5e8 100644 --- a/gnu/usr.sbin/sendmail/cf/mailer/cyrus.m4 +++ b/gnu/usr.sbin/sendmail/cf/mailer/cyrus.m4 
@@ -1,6 +1,6 @@ PUSHDIVERT(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. # All rights reserved. # # By using this file, you agree to the terms and conditions set @@ -35,9 +35,6 @@ PUSHDIVERT(-1) # Contributed to Berkeley by John Gardiner Myers <jgm+@CMU.EDU>. # -ifdef(`_MAILER_local_', `', - `errprint(`*** MAILER(`local') must appear before MAILER(`cyrus')')')dnl - _DEFIFNOT(`CYRUS_MAILER_FLAGS', `Ah5@/:|') ifdef(`CYRUS_MAILER_PATH',, `define(`CYRUS_MAILER_PATH', /usr/cyrus/bin/deliver)') ifdef(`CYRUS_MAILER_ARGS',, `define(`CYRUS_MAILER_ARGS', `deliver -e -m $h -- $u')') @@ -51,7 +48,7 @@ POPDIVERT ### Cyrus Mailer specification ### ################################################## -VERSIONID(`$Sendmail: cyrus.m4,v 8.21 1999/10/18 04:57:52 gshapiro Exp $ (Carnegie Mellon)') +VERSIONID(`$Sendmail: cyrus.m4,v 8.22 2000/09/02 17:46:43 ca Exp $ (Carnegie Mellon)') Mcyrus, P=CYRUS_MAILER_PATH, F=_MODMF_(CONCAT(`lsDFMnPq', CYRUS_MAILER_FLAGS), `CYRUS'), S=EnvFromL, R=EnvToL/HdrToL, ifdef(`CYRUS_MAILER_MAX', `M=CYRUS_MAILER_MAX, ')U=CYRUS_MAILER_USER, T=DNS/RFC822/X-Unix, diff --git a/gnu/usr.sbin/sendmail/cf/mailer/local.m4 b/gnu/usr.sbin/sendmail/cf/mailer/local.m4 index 81ce246ef11..8ce1652788f 100644 --- a/gnu/usr.sbin/sendmail/cf/mailer/local.m4 +++ b/gnu/usr.sbin/sendmail/cf/mailer/local.m4 
@@ -21,65 +21,73 @@ _DEFIFNOT(`LOCAL_SHELL_FLAGS', `eu9') ifdef(`LOCAL_SHELL_PATH',, `define(`LOCAL_SHELL_PATH', /bin/sh)') ifdef(`LOCAL_SHELL_ARGS',, `define(`LOCAL_SHELL_ARGS', `sh -c $u')') ifdef(`LOCAL_SHELL_DIR',, `define(`LOCAL_SHELL_DIR', `$z:/')') +define(`LOCAL_RWR', `ifdef(`_LOCAL_LMTP_', +`S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL', +`S=EnvFromL/HdrFromL, R=EnvToL/HdrToL')') +define(`_LOCAL_QGRP', `ifelse(defn(`LOCAL_MAILER_QGRP'),`',`', ` Q=LOCAL_MAILER_QGRP,')')dnl +define(`_PROG_QGRP', `ifelse(defn(`LOCAL_PROG_QGRP'),`',`', ` Q=LOCAL_PROG_QGRP,')')dnl POPDIVERT ################################################## ### Local and Program Mailer specification ### ################################################## -VERSIONID(`$Sendmail: local.m4,v 8.50.16.2 2000/09/17 17:04:22 gshapiro Exp $') +VERSIONID(`$Sendmail: local.m4,v 8.58 2000/10/26 01:58:29 ca Exp $') # # Envelope sender rewriting # -SEnvFromL=10 +SEnvFromL R<@> $n errors to mailer-daemon R@ <@ $*> $n temporarily bypass Sun bogosity R$+ $: $>AddDomain $1 add local domain if needed -R$* $: $>MasqEnv $1 do masquerading +ifdef(`_LOCAL_NO_MASQUERADE_', `dnl', `dnl +R$* $: $>MasqEnv $1 do masquerading') # # Envelope recipient rewriting # -SEnvToL=20 +SEnvToL R$+ < @ $* > $: $1 strip host part -ifdef(`_FFR_ADDR_TYPE', `dnl -ifdef(`confUSERDB_SPEC', `dnl', -`dnl Do not forget to bump V9 to V10 before removing _FFR_ADDR_TYPE check +ifdef(`confUSERDB_SPEC', `dnl', `dnl R$+ + $* $: < $&{addr_type} > $1 + $2 mark with addr type R<e s> $+ + $* $: $1 remove +detail for sender -R< $* > $+ $: $2 else remove mark')', `dnl') +R< $* > $+ $: $2 else remove mark') # # Header sender rewriting # -SHdrFromL=30 +SHdrFromL R<@> $n errors to mailer-daemon R@ <@ $*> $n temporarily bypass Sun bogosity R$+ $: $>AddDomain $1 add local domain if needed -R$* $: $>MasqHdr $1 do masquerading +ifdef(`_LOCAL_NO_MASQUERADE_', `dnl', `dnl +R$* $: $>MasqHdr $1 do masquerading') # # Header recipient rewriting # -SHdrToL=40 +SHdrToL R$+ $: 
$>AddDomain $1 add local domain if needed -ifdef(`_ALL_MASQUERADE_', -`R$* $: $>MasqHdr $1 do all-masquerading', +ifdef(`_ALL_MASQUERADE_', `dnl +ifdef(`_LOCAL_NO_MASQUERADE_', `dnl', `dnl +R$* $: $>MasqHdr $1 do all-masquerading')', `R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2') # # Common code to add local domain name (only if always-add-domain) # -SAddDomain=50 +SAddDomain ifdef(`_ALWAYS_ADD_DOMAIN_', `dnl R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified +ifelse(len(X`'_ALWAYS_ADD_DOMAIN_),`1',` R$+ $@ $1 < @ *LOCAL* > add local qualification', +`R$+ $@ $1 < @ _ALWAYS_ADD_DOMAIN_ > add qualification')', `dnl') -Mlocal, P=LOCAL_MAILER_PATH, F=_MODMF_(CONCAT(_DEF_LOCAL_MAILER_FLAGS, LOCAL_MAILER_FLAGS), `LOCAL'), S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,_OPTINS(`LOCAL_MAILER_EOL', ` E=', `, ') - _OPTINS(`LOCAL_MAILER_MAX', `M=', `, ')_OPTINS(`LOCAL_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`LOCAL_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`LOCAL_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/LOCAL_MAILER_DSN_DIAGNOSTIC_CODE, +Mlocal, P=LOCAL_MAILER_PATH, F=_MODMF_(CONCAT(_DEF_LOCAL_MAILER_FLAGS, LOCAL_MAILER_FLAGS), `LOCAL'), LOCAL_RWR,_OPTINS(`LOCAL_MAILER_EOL', ` E=', `, ') + _OPTINS(`LOCAL_MAILER_MAX', `M=', `, ')_OPTINS(`LOCAL_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`LOCAL_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`LOCAL_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/LOCAL_MAILER_DSN_DIAGNOSTIC_CODE,_LOCAL_QGRP A=LOCAL_MAILER_ARGS Mprog, P=LOCAL_SHELL_PATH, F=CONCAT(_DEF_LOCAL_SHELL_FLAGS, LOCAL_SHELL_FLAGS), S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=LOCAL_SHELL_DIR, - _OPTINS(`LOCAL_MAILER_MAX', `M=', `, ')T=X-Unix/X-Unix/X-Unix, + _OPTINS(`LOCAL_MAILER_MAX', `M=', `, ')T=X-Unix/X-Unix/X-Unix,_PROG_QGRP A=LOCAL_SHELL_ARGS diff --git a/gnu/usr.sbin/sendmail/cf/mailer/mail11.m4 b/gnu/usr.sbin/sendmail/cf/mailer/mail11.m4 index 54261dfd470..a7346f78edd 100644 --- a/gnu/usr.sbin/sendmail/cf/mailer/mail11.m4 +++ b/gnu/usr.sbin/sendmail/cf/mailer/mail11.m4 
@@ -1,6 +1,6 @@ PUSHDIVERT(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. # All rights reserved. # # By using this file, you agree to the terms and conditions set @@ -41,13 +41,9 @@ POPDIVERT ### UTK-MAIL11 Mailer specification ### ########################################### -VERSIONID(`$Sendmail: mail11.m4,v 8.19 1999/10/18 04:57:54 gshapiro Exp $') +VERSIONID(`$Sendmail: mail11.m4,v 8.21 2001/07/19 00:16:16 ca Exp $') -SMail11From=15 -R$+ $: $>25 $1 preprocess -R$w :: $+ $@ $w :: $1 ready to go - -SMail11To=25 +SMail11To R$+ < @ $- .UUCP > $: $2 ! $1 back to old style R$+ < @ $- .DECNET > $: $2 :: $1 convert to DECnet style R$+ < @ $- .LOCAL > $: $2 :: $1 convert to DECnet style @@ -55,6 +51,10 @@ R$+ < @ $=w. > $: $2 :: $1 convert to DECnet style R$=w :: $+ $2 strip local names R$+ :: $+ $@ $1 :: $2 already qualified +SMail11From +R$+ $: $>Mail11To $1 preprocess +R$w :: $+ $@ $w :: $1 ready to go + Mmail11, P=MAIL11_MAILER_PATH, F=_MODMF_(MAIL11_MAILER_FLAGS, `MAIL11'), S=Mail11From, R=Mail11To, T=DNS/X-DECnet/X-Unix, A=MAIL11_MAILER_ARGS diff --git a/gnu/usr.sbin/sendmail/cf/mailer/phquery.m4 b/gnu/usr.sbin/sendmail/cf/mailer/phquery.m4 index 3d1263aedab..2b709d7c33a 100644 --- a/gnu/usr.sbin/sendmail/cf/mailer/phquery.m4 +++ b/gnu/usr.sbin/sendmail/cf/mailer/phquery.m4 @@ -1,6 +1,6 @@ PUSHDIVERT(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 
@@ -14,9 +14,6 @@ PUSHDIVERT(-1) # Contributed by Kimmo Suominen <kim@tac.nyc.ny.us>. # -ifdef(`_MAILER_local_', `', - `errprint(`*** MAILER(`local') must appear before MAILER(`phquery')')')dnl - ifdef(`PH_MAILER_PATH',, `define(`PH_MAILER_PATH', /usr/local/etc/phquery)') _DEFIFNOT(`PH_MAILER_FLAGS', `ehmu') ifdef(`PH_MAILER_ARGS',, `define(`PH_MAILER_ARGS', `phquery -- $u')') @@ -27,7 +24,7 @@ POPDIVERT ### PH Mailer specification ### #################################### -VERSIONID(`$Sendmail: phquery.m4,v 8.15 1999/10/18 04:57:54 gshapiro Exp $') +VERSIONID(`$Sendmail: phquery.m4,v 8.16 2000/09/02 17:46:43 ca Exp $') Mph, P=PH_MAILER_PATH, F=_MODMF_(CONCAT(`nrDFM', PH_MAILER_FLAGS), `PH'), S=EnvFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, diff --git a/gnu/usr.sbin/sendmail/cf/mailer/pop.m4 b/gnu/usr.sbin/sendmail/cf/mailer/pop.m4 index 2c286406b81..16bd707eac3 100644 --- a/gnu/usr.sbin/sendmail/cf/mailer/pop.m4 +++ b/gnu/usr.sbin/sendmail/cf/mailer/pop.m4 @@ -1,6 +1,6 @@ PUSHDIVERT(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -12,9 +12,6 @@ PUSHDIVERT(-1) # # -ifdef(`_MAILER_local_', `', - `errprint(`*** MAILER(`local') must appear before MAILER(`pop')')')dnl - ifdef(`POP_MAILER_PATH',, `define(`POP_MAILER_PATH', /usr/lib/mh/spop)') _DEFIFNOT(`POP_MAILER_FLAGS', `Penu') ifdef(`POP_MAILER_ARGS',, `define(`POP_MAILER_ARGS', `pop $u')') @@ -25,7 +22,7 @@ POPDIVERT ### POP Mailer specification ### #################################### -VERSIONID(`$Sendmail: pop.m4,v 8.20 1999/10/18 04:57:54 gshapiro Exp $') +VERSIONID(`$Sendmail: pop.m4,v 8.21 2000/09/02 17:46:43 ca Exp $') Mpop, P=POP_MAILER_PATH, F=_MODMF_(CONCAT(`lsDFMq', POP_MAILER_FLAGS), `POP'), S=EnvFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, 
diff --git a/gnu/usr.sbin/sendmail/cf/mailer/procmail.m4 b/gnu/usr.sbin/sendmail/cf/mailer/procmail.m4 index b523be61765..2fd3534cc21 100644 --- a/gnu/usr.sbin/sendmail/cf/mailer/procmail.m4 +++ b/gnu/usr.sbin/sendmail/cf/mailer/procmail.m4 @@ -1,6 +1,6 @@ PUSHDIVERT(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -12,9 +12,6 @@ PUSHDIVERT(-1) # # -ifdef(`_MAILER_smtp_', `', - `errprint(`*** MAILER(`smtp') must appear before MAILER(`procmail')')')dnl - ifdef(`PROCMAIL_MAILER_PATH',, `ifdef(`PROCMAIL_PATH', `define(`PROCMAIL_MAILER_PATH', PROCMAIL_PATH)', @@ -29,7 +26,7 @@ POPDIVERT ### PROCMAIL Mailer specification ### ##################*****################## -VERSIONID(`$Sendmail: procmail.m4,v 8.20 1999/10/18 04:57:54 gshapiro Exp $') +VERSIONID(`$Sendmail: procmail.m4,v 8.21 2000/09/02 17:46:43 ca Exp $') Mprocmail, P=PROCMAIL_MAILER_PATH, F=_MODMF_(CONCAT(`DFM', PROCMAIL_MAILER_FLAGS), `PROCMAIL'), S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP/HdrFromSMTP, ifdef(`PROCMAIL_MAILER_MAX', `M=PROCMAIL_MAILER_MAX, ')T=DNS/RFC822/X-Unix, diff --git a/gnu/usr.sbin/sendmail/cf/mailer/smtp.m4 b/gnu/usr.sbin/sendmail/cf/mailer/smtp.m4 index 26656295034..0259481541e 100644 --- a/gnu/usr.sbin/sendmail/cf/mailer/smtp.m4 +++ b/gnu/usr.sbin/sendmail/cf/mailer/smtp.m4 @@ -1,6 +1,6 @@ PUSHDIVERT(-1) # -# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 
@@ -19,24 +19,29 @@ ifdef(`ESMTP_MAILER_ARGS',, `define(`ESMTP_MAILER_ARGS', `TCP $h')') ifdef(`SMTP8_MAILER_ARGS',, `define(`SMTP8_MAILER_ARGS', `TCP $h')') ifdef(`DSMTP_MAILER_ARGS',, `define(`DSMTP_MAILER_ARGS', `TCP $h')') ifdef(`RELAY_MAILER_ARGS',, `define(`RELAY_MAILER_ARGS', `TCP $h')') +define(`_SMTP_QGRP', `ifelse(defn(`SMTP_MAILER_QGRP'),`',`', ` Q=SMTP_MAILER_QGRP,')')dnl +define(`_ESMTP_QGRP', `ifelse(defn(`ESMTP_MAILER_QGRP'),`',`', ` Q=ESMTP_MAILER_QGRP,')')dnl +define(`_SMTP8_QGRP', `ifelse(defn(`SMTP8_MAILER_QGRP'),`',`', ` Q=SMTP8_MAILER_QGRP,')')dnl +define(`_DSMTP_QGRP', `ifelse(defn(`DSMTP_MAILER_QGRP'),`',`', ` Q=DSMTP_MAILER_QGRP,')')dnl +define(`_RELAY_QGRP', `ifelse(defn(`RELAY_MAILER_QGRP'),`',`', ` Q=RELAY_MAILER_QGRP,')')dnl POPDIVERT ##################################### ### SMTP Mailer specification ### ##################################### -VERSIONID(`$Sendmail: smtp.m4,v 8.56.2.1.2.3 2000/09/25 13:53:27 ca Exp $') +VERSIONID(`$Sendmail: smtp.m4,v 8.64 2001/04/03 01:52:54 gshapiro Exp $') # # common sender and masquerading recipient rewriting # -SMasqSMTP=61 +SMasqSMTP R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified R$+ $@ $1 < @ *LOCAL* > add local qualification # # convert pseudo-domain addresses to real domain addresses # -SPseudoToReal=51 +SPseudoToReal # pass <route-addr>s through R< @ $+ > $* $@ < @ $1 > $2 resolve <route-addr> @@ -44,7 +49,7 @@ R< @ $+ > $* $@ < @ $1 > $2 resolve <route-addr> # output fake domains as user%fake@relay ifdef(`BITNET_RELAY', `R$+ <@ $+ .BITNET. > $: $1 % $2 .BITNET < @ $B > user@host.BITNET -R$+.BITNET <@ $+:$+ > $: $1 .BITNET < @ $3 > strip mailer: part', +R$+.BITNET <@ $~[ $*:$+ > $: $1 .BITNET < @ $4 > strip mailer: part', `dnl') ifdef(`_NO_UUCP_', `dnl', ` # do UUCP heuristics; note that these are shared with UUCP mailers 
@@ -56,14 +61,14 @@ R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. > R< $&h ! > $-.$+ ! $+ $@ $3 < @ $1.$2 > R< $&h ! > $+ $@ $1 < @ $&h .UUCP. > R< $+ ! > $+ $: $1 ! $2 < @ $Y > use UUCP_RELAY -R$+ < @ $+ : $+ > $@ $1 < @ $3 > strip mailer: part +R$+ < @ $~[ $* : $+ > $@ $1 < @ $4 > strip mailer: part R$+ < @ > $: $1 < @ *LOCAL* > if no UUCP_RELAY') # # envelope sender rewriting # -SEnvFromSMTP=11 +SEnvFromSMTP R$+ $: $>PseudoToReal $1 sender/recipient common R$* :; <@> $@ list:; special case R$* $: $>MasqSMTP $1 qualify unqual'ed names @@ -74,7 +79,7 @@ R$+ $: $>MasqEnv $1 do masquerading # envelope recipient rewriting -- # also header recipient if not masquerading recipients # -SEnvToSMTP=21 +SEnvToSMTP R$+ $: $>PseudoToReal $1 sender/recipient common R$+ $: $>MasqSMTP $1 qualify unqual'ed names R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2 @@ -82,7 +87,7 @@ R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2 # # header sender and masquerading header recipient rewriting # -SHdrFromSMTP=31 +SHdrFromSMTP R$+ $: $>PseudoToReal $1 sender/recipient common R:; <@> $@ list:; special case 
@@ -96,22 +101,22 @@ R$+ $: $>MasqHdr $1 do masquerading # # relay mailer header masquerading recipient rewriting # -SMasqRelay=71 +SMasqRelay R$+ $: $>MasqSMTP $1 R$+ $: $>MasqHdr $1 Msmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, SMTP_MAILER_FLAGS), `SMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990, - _OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP, + _OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP,_SMTP_QGRP A=SMTP_MAILER_ARGS -Mesmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a', SMTP_MAILER_FLAGS), `SMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990, - _OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP, +Mesmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a', SMTP_MAILER_FLAGS), `ESMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990, + _OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP,_ESMTP_QGRP A=ESMTP_MAILER_ARGS -Msmtp8, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `8', SMTP_MAILER_FLAGS), `SMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990, - _OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP, +Msmtp8, P=[IPC], 
F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `8', SMTP_MAILER_FLAGS), `SMTP8'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990, + _OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP,_SMTP8_QGRP A=SMTP8_MAILER_ARGS -Mdsmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a%', SMTP_MAILER_FLAGS), `SMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990, - _OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP, +Mdsmtp, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a%', SMTP_MAILER_FLAGS), `DSMTP'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), E=\r\n, L=990, + _OPTINS(`SMTP_MAILER_MAX', `M=', `, ')_OPTINS(`SMTP_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')_OPTINS(`SMTP_MAILER_CHARSET', `C=', `, ')T=DNS/RFC822/SMTP,_DSMTP_QGRP A=DSMTP_MAILER_ARGS Mrelay, P=[IPC], F=_MODMF_(CONCAT(_DEF_SMTP_MAILER_FLAGS, `a8', RELAY_MAILER_FLAGS), `RELAY'), S=EnvFromSMTP/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `MasqSMTP/MasqRelay', `MasqSMTP'), E=\r\n, L=2040, - _OPTINS(`RELAY_MAILER_CHARSET', `C=', `, ')_OPTINS(`RELAY_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')T=DNS/RFC822/SMTP, + _OPTINS(`RELAY_MAILER_CHARSET', `C=', `, ')_OPTINS(`RELAY_MAILER_MAXMSGS', `m=', `, ')_OPTINS(`SMTP_MAILER_MAXRCPTS', `r=', `, ')T=DNS/RFC822/SMTP,_RELAY_QGRP A=RELAY_MAILER_ARGS diff --git a/gnu/usr.sbin/sendmail/cf/mailer/usenet.m4 b/gnu/usr.sbin/sendmail/cf/mailer/usenet.m4 index 6c0c13833a0..3a981dff5ee 100644 --- a/gnu/usr.sbin/sendmail/cf/mailer/usenet.m4 +++ b/gnu/usr.sbin/sendmail/cf/mailer/usenet.m4 
@@ -1,6 +1,6 @@ PUSHDIVERT(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -12,19 +12,17 @@ PUSHDIVERT(-1) # # -ifdef(`_MAILER_local_', `', - `errprint(`*** MAILER(`local') must appear before MAILER(`usenet')')')dnl - ifdef(`USENET_MAILER_PATH',, `define(`USENET_MAILER_PATH', /usr/lib/news/inews)') _DEFIFNOT(`USENET_MAILER_FLAGS', `rsDFMmn') ifdef(`USENET_MAILER_ARGS',, `define(`USENET_MAILER_ARGS', `inews -m -h -n')') +define(`_USENET_QGRP', `ifelse(defn(`USENET_MAILER_QGRP'),`',`', ` Q=USENET_MAILER_QGRP,')')dnl POPDIVERT #################################### ### USENET Mailer specification ### #################################### -VERSIONID(`$Sendmail: usenet.m4,v 8.19 1999/11/16 03:33:04 gshapiro Exp $') +VERSIONID(`$Sendmail: usenet.m4,v 8.21 2000/10/26 02:08:19 ca Exp $') Musenet, P=USENET_MAILER_PATH, F=_MODMF_(USENET_MAILER_FLAGS, `USENET'), S=EnvFromL, R=EnvToL, - _OPTINS(`USENET_MAILER_MAX', `M=', `, ')T=X-Usenet/X-Usenet/X-Unix, + _OPTINS(`USENET_MAILER_MAX', `M=', `, ')T=X-Usenet/X-Usenet/X-Unix,USENET_MAILER_QGRP A=USENET_MAILER_ARGS $u diff --git a/gnu/usr.sbin/sendmail/cf/mailer/uucp.m4 b/gnu/usr.sbin/sendmail/cf/mailer/uucp.m4 index 9ea08b3a3d4..d772c702c54 100644 --- a/gnu/usr.sbin/sendmail/cf/mailer/uucp.m4 +++ b/gnu/usr.sbin/sendmail/cf/mailer/uucp.m4 @@ -1,6 +1,6 @@ PUSHDIVERT(-1) # -# Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers. +# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 
@@ -11,8 +11,6 @@ PUSHDIVERT(-1) # the sendmail distribution. # # -ifdef(`_MAILER_smtp_', `', - `errprint(`*** MAILER(`smtp') must appear before MAILER(`uucp')')')dnl ifdef(`UUCP_MAILER_PATH',, `define(`UUCP_MAILER_PATH', /usr/bin/uux)') ifdef(`UUCP_MAILER_ARGS',, `define(`UUCP_MAILER_ARGS', `uux - -r -a$g -gC $h!rmail ($u)')') @@ -20,17 +18,18 @@ _DEFIFNOT(`UUCP_MAILER_FLAGS', `') ifdef(`UUCP_MAILER_MAX',, `define(`UUCP_MAILER_MAX', `ifdef(`UUCP_MAX_SIZE', `UUCP_MAX_SIZE', 100000)')') +define(`_UUCP_QGRP', `ifelse(defn(`UUCP_MAILER_QGRP'),`',`', ` Q=UUCP_MAILER_QGRP,')')dnl POPDIVERT ##################################### ### UUCP Mailer specification ### ##################################### -VERSIONID(`$Sendmail: uucp.m4,v 8.38 1999/10/18 04:57:55 gshapiro Exp $') +VERSIONID(`$Sendmail: uucp.m4,v 8.44 2001/08/24 19:49:08 ca Exp $') # # envelope and header sender rewriting # -SFromU=12 +SFromU # handle error address as a special case R<@> $n errors to mailer-daemon @@ -52,7 +51,7 @@ R! $+ $: $k ! $1 in case $U undefined # # envelope recipient rewriting # -SEnvToU=22 +SEnvToU # list:; should disappear R:; <@> $@ @@ -67,7 +66,7 @@ R$* < @ $+ > $2 ! $1 convert to UUCP format # # header recipient rewriting # -SHdrToU=42 +SHdrToU # list:; syntax should disappear R:; <@> $@ @@ -88,7 +87,7 @@ ifdef(`_MAILER_smtp_', `# # envelope sender rewriting for uucp-dom mailer # -SEnvFromUD=52 +SEnvFromUD # handle error address as a special case R<@> $n errors to mailer-daemon @@ -99,7 +98,7 @@ R$* $@ $>EnvFromSMTP $1 # # envelope sender rewriting for uucp-uudom mailer # -SEnvFromUUD=72 +SEnvFromUUD # handle error address as a special case R<@> $n errors to mailer-daemon 
@@ -111,8 +110,10 @@ R$* < @ $* . > $* $1 < @ $2 > $3 strip trailing dots R<@ $- . UUCP > : $+ $@ $1 ! $2 convert to UUCP format R<@ $+ > : $+ $@ $1 ! $2 convert to UUCP format R$* < @ $- . UUCP > $@ $2 ! $1 convert to UUCP format -R$* < @ $+ > $@ $2 ! $1 convert to UUCP format') - +R$* < @ $+ > $@ $2 ! $1 convert to UUCP format', +`errprint(`*** MAILER(`smtp') must appear before MAILER(`uucp') + if uucp-dom should be included.') +') PUSHDIVERT(4) # resolve locally connected UUCP links 
@@ -128,29 +129,29 @@ POPDIVERT # old UUCP mailer (two names) Muucp, P=UUCP_MAILER_PATH, F=_MODMF_(CONCAT(`DFMhuUd', UUCP_MAILER_FLAGS), `UUCP'), S=FromU, R=EnvToU/HdrToU, - M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix, + M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix,_UUCP_QGRP A=UUCP_MAILER_ARGS Muucp-old, P=UUCP_MAILER_PATH, F=_MODMF_(CONCAT(`DFMhuUd', UUCP_MAILER_FLAGS), `UUCP'), S=FromU, R=EnvToU/HdrToU, - M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix, + M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix,_UUCP_QGRP A=UUCP_MAILER_ARGS # smart UUCP mailer (handles multiple addresses) (two names) Msuucp, P=UUCP_MAILER_PATH, F=_MODMF_(CONCAT(`mDFMhuUd', UUCP_MAILER_FLAGS), `UUCP'), S=FromU, R=EnvToU/HdrToU, - M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix, + M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix,_UUCP_QGRP A=UUCP_MAILER_ARGS Muucp-new, P=UUCP_MAILER_PATH, F=_MODMF_(CONCAT(`mDFMhuUd', UUCP_MAILER_FLAGS), `UUCP'), S=FromU, R=EnvToU/HdrToU, - M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix, + M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix,_UUCP_QGRP A=UUCP_MAILER_ARGS ifdef(`_MAILER_smtp_', `# domain-ized UUCP mailer Muucp-dom, P=UUCP_MAILER_PATH, F=_MODMF_(CONCAT(`mDFMhud', UUCP_MAILER_FLAGS), `UUCP'), S=EnvFromUD/HdrFromSMTP, R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), - M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix, + M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix,_UUCP_QGRP A=UUCP_MAILER_ARGS # domain-ized UUCP mailer with UUCP-style sender envelope Muucp-uudom, P=UUCP_MAILER_PATH, F=_MODMF_(CONCAT(`mDFMhud', UUCP_MAILER_FLAGS), `UUCP'), S=EnvFromUUD/HdrFromSMTP, 
R=ifdef(`_ALL_MASQUERADE_', `EnvToSMTP/HdrFromSMTP', `EnvToSMTP'), - M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix, + M=UUCP_MAILER_MAX, _OPTINS(`UUCP_MAILER_CHARSET', `C=', `, ')T=X-UUCP/X-UUCP/X-Unix,_UUCP_QGRP A=UUCP_MAILER_ARGS') diff --git a/gnu/usr.sbin/sendmail/cf/ostype/aix5.m4 b/gnu/usr.sbin/sendmail/cf/ostype/aix5.m4 index fae7533435f..f982f432955 100644 --- a/gnu/usr.sbin/sendmail/cf/ostype/aix5.m4 +++ b/gnu/usr.sbin/sendmail/cf/ostype/aix5.m4 @@ -10,7 +10,7 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: aix5.m4,v 1.1.2.1 2000/12/09 03:32:08 ca Exp $') +VERSIONID(`$Sendmail: aix5.m4,v 1.1 2000/12/08 21:53:36 ca Exp $') ifdef(`LOCAL_MAILER_PATH',, `define(`LOCAL_MAILER_PATH', /bin/bellmail)')dnl ifdef(`LOCAL_MAILER_ARGS',, `define(`LOCAL_MAILER_ARGS', mail -F $g $u)')dnl _DEFIFNOT(`LOCAL_MAILER_FLAGS', `mn9')dnl diff --git a/gnu/usr.sbin/sendmail/cf/ostype/darwin.m4 b/gnu/usr.sbin/sendmail/cf/ostype/darwin.m4 index 9dcf28aeab1..094a4646940 100644 --- a/gnu/usr.sbin/sendmail/cf/ostype/darwin.m4 +++ b/gnu/usr.sbin/sendmail/cf/ostype/darwin.m4 @@ -11,7 +11,7 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: darwin.m4,v 8.1.2.1 2000/06/15 06:37:04 gshapiro Exp $') +VERSIONID(`$Sendmail: darwin.m4,v 8.1 2000/06/15 06:36:30 gshapiro Exp $') ifdef(`STATUS_FILE',, `define(`STATUS_FILE', `/var/log/sendmail.st')')dnl ifdef(`LOCAL_MAILER_PATH',, `define(`LOCAL_MAILER_PATH', /usr/libexec/mail.local)')dnl ifdef(`UUCP_MAILER_ARGS',, `define(`UUCP_MAILER_ARGS', `uux - -r -z -a$g $h!rmail ($u)')')dnl diff --git a/gnu/usr.sbin/sendmail/cf/ostype/linux.m4 b/gnu/usr.sbin/sendmail/cf/ostype/linux.m4 index 0e3abf17be1..839eff4dcc4 100644 --- a/gnu/usr.sbin/sendmail/cf/ostype/linux.m4 +++ b/gnu/usr.sbin/sendmail/cf/ostype/linux.m4 
@@ -13,7 +13,7 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: linux.m4,v 8.11.16.2 2000/09/17 17:04:22 gshapiro Exp $') +VERSIONID(`$Sendmail: linux.m4,v 8.13 2000/09/17 17:30:00 gshapiro Exp $') define(`confEBINDIR', `/usr/sbin') ifdef(`PROCMAIL_MAILER_PATH',, define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')) diff --git a/gnu/usr.sbin/sendmail/cf/ostype/mklinux.m4 b/gnu/usr.sbin/sendmail/cf/ostype/mklinux.m4 index d4e2ed8e315..cbd3e62e649 100644 --- a/gnu/usr.sbin/sendmail/cf/ostype/mklinux.m4 +++ b/gnu/usr.sbin/sendmail/cf/ostype/mklinux.m4 @@ -15,7 +15,7 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: mklinux.m4,v 8.14.4.1 2000/05/09 18:48:58 gshapiro Exp $') +VERSIONID(`$Sendmail: mklinux.m4,v 8.15 2000/05/09 18:48:56 gshapiro Exp $') define(`confEBINDIR', `/usr/sbin') ifdef(`STATUS_FILE',, `define(`STATUS_FILE', `/var/log/sendmail.st')') diff --git a/gnu/usr.sbin/sendmail/cf/ostype/solaris8.m4 b/gnu/usr.sbin/sendmail/cf/ostype/solaris8.m4 index 2897167bd18..8add7856337 100644 --- a/gnu/usr.sbin/sendmail/cf/ostype/solaris8.m4 +++ b/gnu/usr.sbin/sendmail/cf/ostype/solaris8.m4 @@ -15,7 +15,7 @@ divert(-1) # divert(0) -VERSIONID(`$Sendmail: solaris8.m4,v 8.1.2.2 2000/08/23 16:10:01 gshapiro Exp $') +VERSIONID(`$Sendmail: solaris8.m4,v 8.2 2000/08/23 16:10:49 gshapiro Exp $') divert(-1) ifdef(`UUCP_MAILER_ARGS',, `define(`UUCP_MAILER_ARGS', `uux - -r -a$g $h!rmail ($u)')') |
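Review bot: In the RelayTLS hunk (@@ -2073,24 +2690,54 @@), the closing fall-through rule "R$* $: NO" is emitted only inside the _ACCESS_TABLE_ branch. When no access table is configured, a client with {verify} equal to OK leaves the ruleset with OK in the workspace instead of NO. What the caller does with OK is not visible in this hunk, so either move the final NO rule outside the ifdef or add a dnl comment stating that OK is treated as "no relay". Separately, both the issuer and the subject match now return "$# RELAY", where the old rules returned RELAYCERTISSUER and RELAYCERTSUBJECT. If anything consumed that distinction (logging, delay_check), note the change in the ruleset header, which currently says only "Parameters: none".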
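Review bot: In cf/mailer/local.m4 (hunk @@ -21,65 +21,73 @@), the EnvToL rules drop the _FFR_ADDR_TYPE guard together with the removed reminder "Do not forget to bump V9 to V10 before removing _FFR_ADDR_TYPE check". The version-level change is not part of this hunk, so please confirm it lands in the same merge, since the now-unconditional rule reads $&{addr_type}. A smaller point in the same hunk: LOCAL_RWR is used for Mlocal, but Mprog still hard-codes "S=EnvFromL/HdrFromL, R=EnvToL/HdrToL". If that asymmetry is intended because only the local mailer can speak LMTP, a one-line dnl comment next to the LOCAL_RWR definition would save the next reader the question.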
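Review bot: In cf/mailer/procmail.m4 (hunk @@ -12,9 +12,6 @@), the errprint guard requiring MAILER(smtp) before MAILER(procmail) is removed, yet the Mprocmail definition shown as context in the next hunk still references S=EnvFromSMTP/HdrFromSMTP and R=EnvToSMTP/HdrFromSMTP. Unless the dependency is now resolved somewhere outside this diff, a configuration that lists procmail without smtp produces a mailer pointing at undefined rulesets with no m4-time diagnostic. Either keep a check here or name in a comment the place that now enforces the ordering. The same removal appears in the cyrus.m4, phquery.m4, pop.m4 and usenet.m4 hunks for MAILER(local), whose mailers still use EnvFromL and EnvToL.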
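Review bot: In cf/mailer/smtp.m4 (hunks @@ -44,7 +49,7 @@ and @@ -56,14 +61,14 @@), both "strip mailer: part" rules gain a $~[ token in front of $* and shift the captured host from $3 to $4, but the trailing comment is unchanged and nothing says what the new token excludes. The rule now declines to strip when the first token after @ belongs to class [, and that class is defined outside this file. Suggest a dnl line above each rule stating which address forms are meant to be left intact and where the class is declared, so a later edit does not reintroduce the broader $+:$+ match.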
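Review bot: In cf/mailer/usenet.m4 (hunk @@ -12,19 +12,17 @@), the new Musenet line ends "T=X-Usenet/X-Usenet/X-Unix,USENET_MAILER_QGRP", while the _USENET_QGRP wrapper defined a few lines earlier in the same hunk is never used. Every other mailer touched by this patch appends its wrapper (_LOCAL_QGRP, _SMTP_QGRP, _UUCP_QGRP), which expands to nothing when the group is unset and to " Q=group," when it is set. As written, an unset USENET_MAILER_QGRP leaves the literal token in the mailer definition, and a set one is emitted without the Q= key or the trailing comma. Suggest "T=X-Usenet/X-Usenet/X-Unix,_USENET_QGRP".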