Chapter 5: sendmail administration

Table of contents

• Chapter 5: sendmail administration
  • How sendmail works
    • Outgoing mail
    • Incoming mail
    • sendmail execution
    • sendmail interfaces
    • Mail to files and programs
  • Standard sendmail configuration
    • Running mkdev cf
    • Editing the daemon invocation
    • Running and testing sendmail
  • Tuning sendmail configuration
    • Changing the queue processing interval
    • Creating a user information database
    • Altering read timeouts
    • Altering message timeouts
    • Forking during queue runs
    • Altering queue priorities
    • Setting the mail load limit
    • Setting the delivery mode
    • Log Levels
    • Changing file permissions
    • Turning off security checks
    • Setting connection caching parameters
    • Using sendmail with a name server
    • Moving the per-user forward files
    • Setting mail queue filesystem free space
    • Setting maximum message size
    • Setting privacy flags
    • Setting ``send to me too'' operation
  • Reconfiguring sendmail
  • Administering sendmail
    • Debugging sendmail
    • Changing the values of options
    • Trying a Different Configuration File
    • Logging traffic
    • Testing configuration files
    • Persistent host status information
    • Viewing the system log
    • Log entry format
    • Levels
    • Dumping state
    • Viewing the mail queue
    • Disk-based connection information
    • The service switch
    • Maintaining the alias database
    • Managing spam
    • Enabling user forwarding (.forward files)
    • Special header lines
    • IDENT protocol support
    • Summary of support files
  • Advanced sendmail configuration
    • /usr/lib/sendmail.cf overview
    • Configuration file lines
    • Building a configuration file from scratch
  • For more about sendmail

Chapter 5

sendmail administration

sendmail has several key features:

• implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic routing to network gateways, and flexible configuration.

• is a mail router that collects messages generated by a Mail User Agent (MUA) such as mail(C), determines a route for delivery, edits the message header as required by the destination and delivery agent, and calls an appropriate delivery agent (called a mailer) to deliver the mail. Typical delivery mechanisms include TCP/IP (using SMTP), UUCP, x.400, and local delivery programs such as lmail.

• supports either Internet-style addressing, such as user@domain, or UUCP-style addressing, such as host!user.

• supports delivery of mail with X.400-style addressing
  
  to an X.400 gateway machine if such a machine is specified in the configuration.

• supports anti-spamming. See ``Managing spam''

• handles text format files only. Binary data is not allowed unless included in the mail message as a uuencoded file. See the uuencode(C) manual page.
  

• is based on:
  
  RFC 822 (Internet Mail Format Protocol)
  RFC 821 (Simple Mail Transport Protocol)
  RFC 1123 (Internet Host Requirements)
  RFC 1425 (SMTP Service Extensions)

  However, in many cases sendmail can be configured to exceed these protocols, as described in this chapter.

• does not provide a user interface for composing and reading mail, nor does it do actual mail delivery. These tasks are handled by the MUA and the mailer, respectively.

• is difficult to configure manually. This implementation of sendmail, however, includes a script that creates a basic configuration that is adequate for most sites. For additional information on how to manually fine-tune this configuration, see: ``Tuning sendmail configuration'' and ``Advanced sendmail configuration''

See also:

• ``How sendmail works''

• ``Standard sendmail configuration''

• ``Reconfiguring sendmail''

• ``Administering sendmail''

• ``For more about sendmail''

This section provides an overview of how mail is processed and delivered on an SCO system when sendmail is chosen as the mail router (in place of MMDF) and sendmail is used in the standard configuration. In the standard configuration, sendmail runs as a daemon (acting as the SMTP server listening for SMTP requests) and as one or more user processes (or ``instances'') that process and deliver mail messages.

Outgoing mail

Being a mail router, sendmail does not provide a user interface for composing and sending mail. These tasks are handled by a Mail User Agent (MUA). The standard MUA on SCO systems is the mail(C) program. Others include scomail(XC) and SCO Shell Mail.

With sendmail configured and using one of the standard SCO MUAs, whether mail, scomail, scosh mail:

1. The user composes a piece of mail with an MUA.

2. The MUA uses execmail to transfer the mail to sendmail. execmail executes a new instance of sendmail and passes any command-line flags and options it received from the MUA on to sendmail These flags and options, along with the contents of the /usr/lib/sendmail.cf file, control the operations of this instance of sendmail.

3. sendmail collects the recipient address(es) prior to collecting the entire message and parses the address(es) to determine the appropriate mailer and any aliases, forwarding addresses, or expanded address lists.

4. sendmail collects the message.

5. sendmail either stores the message in the queue for delivery later or calls upon the appropriate mailer to deliver the message now.

If additional MUAs are added to the system, they may request mail routing from sendmail by a new instance of sendmail directly without going through execmail, or using SMTP directly to the local host.

Incoming mail

sendmail processes and delivers incoming mail the same way it processes and delivers outgoing mail; the only difference being the source of the mail. sendmail receives incoming mail from other hosts via servers. The standard sendmail configuration supports two servers: SMTP and UUCP.

SMTP server

One instance of sendmail, generally invoked by the /etc/rc2.d/P86sendmail script at boot time, runs as the SMTP server by default. This server listens on the SMTP (Simple Mail Transfer Protocol) port for SMTP requests. When it receives a request, the sendmail daemon executes the fork system call to start a new instance of sendmail to process the request.

UUCP server

A standard SCO distribution includes a UUCP mail server called rmail(ADMN).
This standard program routes incoming mail from UUCP to sendmail by executing a new instance of sendmail.

sendmail execution

Each time sendmail starts up, it reads a configuration file that specifies the operations of that instance of sendmail. A sendmail configuration file includes:

• definitions of mailers sendmail can use to route mail

• rules for parsing addresses

• definitions for rewriting message headers

• settings of various options

User information database

The user database allows sendmail to rewrite sender and recipient addresses under control of an external database file. It is used to locate the default maildrop at a site, but allow you to override this by sending to a specific host. If the user database is enabled, a local address is looked up in that database after aliasing and before forwarding. For more information on the user database see ``Creating a user information database''.

Using options and flags

sendmail options control operations such as whether sendmail delivers mail immediately after processing or queues the mail for delivery when the queue is next processed. Options set in the configuration file can also be overridden by passing options to sendmail as arguments.

Flags determine things such as the interval at which sendmail processes the mail queue and whether to use an alternate configuration file for this instance of sendmail.

These options and flags alter sendmail's processes of address parsing, message collection, and storage. Part of the address parsing process is the rewriting of addresses. Some additional rewriting may also take place during sendmail's delivery phase.

For a complete list of options see ``O--set option''. Command-line flags, different from the options and passed to sendmail as arguments, also influence processing. See the sendmail(ADMN) manual page for a description of these flags.

Configuration file priority

sendmail looks in two places for its configuration file and uses the highest priority file available. The highest priority is a filename passed as a flag argument to the sendmail daemon. If a filename is passed to sendmail using the -C flag, sendmail reads this file for configuration information and ignores all others.

If the -C flag is not specified on the command line, sendmail reads /usr/lib/sendmail.cf.
This is the standard configuration file created by default when initializing sendmail.

Mailers

sendmail hands off mail by executing a mailer with arguments as defined in the mailer definition in the configuration file.

The mailers in the standard sendmail configuration are:

smtp

used to route mail via the Internet by calling the SMTP server on the recipient machine of the mail recipient.

uucp

used to route mail via UUCP by executing uux(C).

local

used to deliver mail to recipients on the local host by executing lmail(ADMN). lmail delivers the

mail to the recipient's mailbox file called recipient_name at the location /usr/spool/mail/recipient_name.
The recipient extracts the mail from this file using an MUA such as mail.

prog

used to deliver mail to a program (using an invocation of the shell). This is explained further in ``Mail to files and programs''.

x400

used to deliver X.400-style addressed mail from the local


system to the X.400 gateway machine specified in the configuration file. In the standard sendmail configuration, this mailer calls the program /usr/lib/sendxmail on the X.400 gateway machine.

Recipient address parsing

Recipient addresses are passed to sendmail as arguments or via the SMTP RCPT command depending on the interface to sendmail. Each address is parsed in order to build a recipient list for the message being processed. Parsing involves resolving each address to an internally used form that identifies the mailer to be used. If the mailer identified for any address is the ``local'' mailer, the following additional processing occurs:

• sendmail checks to see if the address matches an entry in the alias database; if so, it expands the alias and appends the new address to the recipient list.

• If no alias is found (or if the alias points back to the same address), sendmail appends ``:maildrop'' to the addressee name to form a lookup key and then searches the user information database.
  If a match in the database is found, sendmail appends the new address to the recipient list.

• If no match in the user information database occurs (or if the maildrop points to the same address), sendmail checks to see if the user has a $HOME/.forward file. If so, sendmail appends the new addresses found there to the recipient list.

When new recipient addresses are appended to the recipient list through special ``local'' mailer address processing, the old name is retained in the list and a flag is set that tells the delivery phase to ignore the old name. In this way the recipient list is kept free from duplicates, preventing alias loops and duplicate messages from being delivered to the same recipient, as might occur if a person is in two groups.

At this stage, before the message is collected, the address syntax has been checked and local addresses verified; detailed checking of host names and host addresses, however, is deferred until message delivery.

Address format

Before sendmail can deliver a message, it must interpret the address. sendmail expects addresses to conform, or be convertible, to a format defined in RFC 822. sendmail passes each recipient address through a set of filters called ``rewriting rules'' to determine whether it understands the address and can deliver to that address via one of its known mailers.

The mailaddr(ADMN) manual page
and the following text provide brief overviews of the RFC 822 format.

1. Anything in parentheses is thrown away (as a comment).

2. Anything in angle brackets ( ``<>'' ) is preferred over anything else. This rule implements the Internet standard that addresses of this form will send to the electronic machine-address rather than the human user name:
   
   user name <machine-address>

3. Double quotes ( " ) quote phrases; backslashes quote characters. Backslashes are more powerful because they cause otherwise equivalent phrases to compare differently - for example, user and "user" are equivalent, but \user is different from either of them.

Parentheses, angle brackets, and double quotes must be properly balanced and nested. The rewriting rules control remaining parsing.

Special ``local'' mailer address processing

sendmail applies the following special processing to mail intended for the ``local'' mailer:

• aliasing

• user information database lookups

• forwarding

• inclusion

Aliasing

Aliasing expands recipient names into address lists using a system-wide text file that associates a recipient name with a list of addresses. Only names that parse as local are allowed as aliases. This guarantees a unique key. The identity of the alias text file is configured through the sendmail configuration file and is configured to be /usr/lib/mail/aliases
by the standard configuration. sendmail indexes this file to speed access. For more information on the alias files see the following:

• ``Aliasing''

• ``Maintaining the alias database''

Forwarding

After aliasing and a user information database lookup, local and valid recipients are checked for the existence of a .forward file in their home directory. If one exists, the message is not sent to that user, but rather to the list of users in that file. Often, this list contains a single address and is used only for network mail forwarding. For example, suppose user dbaker has a .forward file in $HOME with contents:

   dbaker@scribe.npr.com

Forwarding also permits a user to specify a private incoming mailer. For example, this forwarding line defines a different incoming mailer:

   "|/usr/local/newmail myname"

Including

The syntax for including a file is:

   :include: pathname

The intention is not to support direct use of this feature, but rather to use this as a subset of aliasing. In the following example, use of the ``include'' address format allows a project with the mail alias projectC to maintain a project mailing list without interaction with the system administration, even if the alias file is protected.

   projectC: :include:/usr/project/userlist

Message collection and storage

Once all recipient addresses are parsed and verified, sendmail collects the message. To simplify the program interface, the message is collected even if no addresses are valid; in this case the message is then returned to the sender with an error.

The message format must conform to RFC 822, which means it must consist of two parts: a message header and a message body, separated by a blank line. Further, RFC 822 requires that the header be in a format shown below. The header is parsed and stored in memory, and the body of the message is saved in a temporary file.

Message header

To conform to RFC 822, the header must be a series of lines of the form:

   field-name: field-value

Message body

No RFC 822 formatting requirements are imposed on the message body, except that they must be lines of text; binary data is not allowed. It is completely uninterpreted and untouched by sendmail, except that lines beginning with a dot have the dot doubled when transmitted over an SMTP channel. This extra dot is stripped by the receiver. (SMTP uses lines beginning with a dot to signal the end of the message.) The message body is stored in a separate file from the header information.

Message delivery

sendmail can be configured to deliver a message at the time it receives the message (immediate delivery) or to queue the message for delivery when the mail queue is processed. Immediate delivery can be configured to happen synchronously or asynchronously (in the background). This section on message delivery applies to all of the above.

The result of the recipient address parsing is a triple consisting of ``mailer, host, user'' for each recipient. The mailer is one of the defined mailers in the configuration file; host is the destination host; and user is the recipient on that host.

For each unique ``mailer,host'' pairing in the recipient list, sendmail calls the appropriate mailer. sendmail will try to batch deliver the message to all recipients on the same host in one invocation of the receiving mailer. Mailers that only accept one recipient at a time are handled accordingly. After a connection with the mailer is established, sendmail customizes the message header as necessary for correct interpretation by the recipient mailer and sends the result to the mailer.

The receiving mailer status code is caught and checked. If any mail is rejected by the mailer, a flag is set to invoke the return-to-sender function after all delivery completes. An exit code from the receiving mailer must conform to a system standard; otherwise, sendmail forwards a generic message such as Service unavailable to the originator of the mail.

If the mailer returns a status code indicating that the message should be sent later, sendmail puts the mail on the queue and tries again later.

Return to sender

If errors occur during processing, sendmail returns the message to the sender for retransmission. If the user agent (mail) detects the error, then it is put in the dead.letter file located in the sender's home directory. If a sendmail server is connecting with a sendmail client on another machine, then the user is presumed to have become detached from the transaction, and so the message is mailed back to them.

Queued messages

If the mailer returns a temporary failure exit status, the message is queued. A control file for the message describes the recipients to be sent to and various other parameters. This control file is formatted as a series of lines, each describing a sender, a recipient, the time of submission, or some other significant parameter of the message. The header of the message is stored in the control file, so that the associated data file in the queue is just the temporary message file that was originally collected. See ``Viewing the mail queue'' for more information on the mail queue.

sendmail interfaces

There are three ways sendmail communicates, both in receiving and in sending mail. These are:

• using the conventional UNIX system argument vector/return status

• speaking SMTP over a pair of UNIX system pipes

• speaking SMTP over a socket

For simplicity, the following descriptions of these three methods assume sendmail is sending to a mailer.

Argument vector/exit status

This technique is the standard UNIX system method for communicating with a process. A list of recipients is sent in the argument vector, and the message is sent on the standard input. This is the method by which sendmail communicates with execmail, rmail, lmail, and uux. Anything that the recipient mailer prints is simply collected and sent back to the mail sender if there were any problems. The exit status from the mailer is collected after the message is sent, and a diagnostic is printed if appropriate.

SMTP over pipes

The SMTP protocol can be used to run an interactive lock-step interface with a mailer over a pair of named pipes. A subprocess is still created, but no recipient addresses are passed to the mailer via the argument list. Instead, they are passed one at a time in commands sent to the mailer's standard input. Anything appearing on the mailer's standard output must be an SMTP reply code. This method is not used in the standard configuration. This method is useful when the mailer is a program, such as lmail, but the number of recipients is larger than the allowable number of arguments that can be passed in the argument vector.

SMTP over a socket

This method is similar to SMTP over pipes, except that it uses a socket. This method is exceptionally flexible in that the mailer need not reside on the same machine. It is normally used to connect to a sendmail process on another machine. This is the method by which sendmail routes and receives mail across the Internet via TCP/IP.

Files and programs are legitimate message recipients. Files provide archival storage of messages, useful for project administration and history. Programs are useful as recipients in a variety of situations, for example, to maintain a public repository of systems messages (such as the Berkeley msgs program).

Any address passing through the initial parsing algorithm as a local address (not appearing to be a valid address for another mailer) is scanned for two special cases. If prefixed by a vertical bar (``|'') the rest of the address is processed as a shell command. If the user name begins with a slash mark (``/'') the name is used as a file name, instead of a login name.

Files that have setuid or setgid bits set but no execute bits set have those bits honored if sendmail is running as root.

Standard sendmail configuration

Execute the command mkdev cf to perform sendmail configuration. The major tasks of mkdev cf are to:

• lead you through an interactive configuration utility for entering information needed for the sendmail configuration file, such as the host and domain name of the local system, the identity (if present) of a UUCP gateway and UUCP connections, and the identity (if present) of an X.400 gateway

• combine the information you enter with a default configuration source file to build and install a standard sendmail configuration file. If successful, the configuration file /usr/lib/sendmail.cf is created.
  

The default configuration created here supports both UUCP and Internet style addressing. The user entered information allows a network administrator to designate a machine on the network as the UUCP gateway machine, which will process all UUCP requests for the net or subnet. If an X.400 gateway is specified by the user information, sendmail also will forward mail that is addressed in X.400 style to that gateway. The user information also provides for telling sendmail to use NIS maps to define mail aliases.

Running mkdev cf

When ready to configure sendmail, enter:

mkdev cf.

A menu with nine items appears. sendmail remembers the user inputs entered the last time mkdev cf was run and displays those entries as the current state/value. The following describes the menu items, including which are mandatory and which are optional.

1. Edit UUCP Connections

If you wish this host to forward mail to other machines via UUCP, you must enter the names of those machines here. You can enter them manually or let this script get them with the uuname command.

2. Edit Domain

This is a mandatory item.
You must either enter a domain name manually (for example, sco.com) or let this script assign it using the hostname command.

3. NIS Support

Network Information Service (NIS) is a networked system administration service that provides a facility (maps) for maintaining mail aliases. See ``How NIS works'' in the Networking Guide for more information. If you wish to use NIS maps to define aliases, answer yes to the initial prompt under this menu item. The script will run the domainname command to obtain the NIS domain name. If domainname returns successfully, this script displays the NIS domain name. If it is unsuccessful, it will warn you that NIS does not appear to be installed. You may quit this configuration to install NIS or you may complete the remainder of this configuration, then install NIS, and then reconfigure sendmail, executing this step again.

4. Edit Alternate Host Names

This menu item is optional; but if mail is addressed to your machine by names other than that returned by the hostname or uuname utilities, you must enter these names here in order to receive that mail.

5. Miscellaneous Items

This menu item displays a submenu of four items regarding network connections to this host. All these network connections have a default status of no. If the status of any of these should be yes, select that item and respond accordingly. When the status of these four items is correct for this host, select menu item 5 to return to the main menu.

6. Set up X.400 Gateway Configuration

This menu item is optional; but if you want to send mail addressed in X.400 format from the local host, you must enter the name of an X.400 gateway machine to which sendmail can forward this mail for delivery.

7. Review configuration information

This menu item displays the current state or values of the configuration parameters set with items one to six.

8. Generate sendmail.cf file

This item first invokes menu item #7.
After you press <Enter> it prompts you with this message:

Do you wish to change anything? [y/n]

If you enter y (yes), it returns you to the main menu. If you enter n (no), it generates the file /usr/lib/sendmail.cf from one through six menu items and from a default configuration source file. If /usr/lib/sendmail.cf already exists, this script saves the old sendmail.cf file as /usr/lib/sendmail.cf-. When finished, it displays that the new file has been installed, it kills the sendmail daemon if one is running, and starts a new daemon. It then returns you to the main menu.

9. Quit

Use this item to quit after generating the new configuration file or if you want to interrupt the configuration process.

In the standard sendmail configuration, one instance of



sendmail runs as a daemon that typically serves two purposes:

1. It serves as the SMTP server.

2. It forks a sub-daemon at specified intervals to process the mail queue.

To run sendmail in its entirety after running mkdev cf, start the sendmail SMTP server daemon using the command in the /etc/rc2.d/P86sendmail script. If you do not start this daemon, sendmail will only deliver outgoing messages that are not queued and incoming messages from UUCP that are not queued.

Test sendmail by creating and sending mail messages with mail(C). There are three sources for information about sendmail processing:

• error messages which sendmail mails to the mail sender if mail is undeliverable

• the logging mechanism; messages are logged through the syslogd(ADM) facility (the location of log files is defined in /etc/syslog.conf) and the logging level is set as an option either in the configuration file or as an argument to sendmail

• debugging levels selected as an argument passed to sendmail

There are a number of configuration parameters you may want to change, depending on the requirements of your site. Most of these are set using an option in the configuration file or by editing the sendmail daemon invocation in the /etc/rc2.d/P86sendmail script. For example, the line ``OT3d'' sets option ``T'' to the value ``3d'' (three days). See ``O--set option'' for a complete listing of these options.

Most of these options have defaults appropriate for most sites. However, sites having very high mail loads may find they need to tune them as appropriate for that load. In particular, sites experiencing a large number of small messages, many of which are delivered to many recipients, may find that they need to adjust the parameters dealing with queue priorities.

When making any configuration file changes, see ``Reconfiguring sendmail''.

Timeout options syntax

All options that specify time intervals use a set of predefined units:

s

seconds

m

minutes

h

hours

d

days

w

weeks

The sendmail daemon started by the /etc/rc2.d/P86sendmail script sets to one hour the interval at which this daemon will fork a process to process the mail queue. You can change this interval by changing the value assigned to the -q argument to the sendmail command in the /etc/rc2.d/P86sendmail script. This interval is typically set to between fifteen minutes and one hour.

Creating a user information database

The user database is built from a text file using the makemap utility. The text file is a series of lines corresponding to user database records; each line has a key and a value separated by white space. The key is always in the format described in ``Structure of the user database''. For example:

   eric:maildrop

Then reference the database file in the sendmail configuration file. For example, include the following line in the configuration file:

OU/etc/userdb

sendmail adds the .db suffix when doing the database search.

The location of this database is controlled with the UserDatabaseSpec option.

Structure of the user database

The database is a sorted (BTree-based) structure. User records are stored with the key:

user-name:field-name

The sorted database format ensures that user records are clustered together. Meta-information is always stored with a leading colon.

Field names define both the syntax and semantics of the value. Currently, the defined fields include:

``maildrop''

The delivery address for this user. There may be multiple values of this record. In particular, mailing lists will have one maildrop record for each user on the list.

``mailname''

The outgoing mailname for this user. For each outgoing name, there should be an appropriate maildrop record for that name to allow return mail. Also see :default:mailname information in ``User database semantics''.

User database semantics

If you have specified one or more databases using the U option, the databases will be searched for a ``user:maildrop'' entry. If found, the mail will be sent to the specified address.

If the first token passed to the user part of the ``local'' mailer is an at sign, the at sign will be stripped off and the database lookup will be skipped. The intent is that the user database will act as a set of defaults for a cluster (for example, the computer science department of a university); mail sent to a specific machine should ignore these defaults.

When mail is sent, the name of the sender is looked up in the database. If that sender has a mailname record, the value of that record is used as their outgoing name. For example, eric might have a record:

   eric:mailname   Eric.Allman@CS.Berkeley.EDU

If a ``maildrop'' is found for the sender, but no corresponding ``mailname'' record exists, the record ``:default:mailname'' is consulted. If present, this is the name of a host to override the local host (for example, CS.Berkeley.EDU). The effect is that anyone known in the database gets their outgoing mail stamped as user@CS.Berkeley.EDU, but people not listed in the database use the local hostname. ``Creating a user information database''.

Altering read timeouts

It is possible to time out when reading the standard input or when reading from a remote SMTP server. These timeouts are set using the Timeout (r) option in the configuration file. The option names are all of the form Timeout.suboption. The recognized suboptions, their default values, and the minimum values allowed by RFC 1123 section 5.3.2 are:

connect

The time to wait for an SMTP connection to open (the connect(SSC) system call) [0, unspecified]. If zero, uses the kernel default. In no case can this option extend the timeout longer than the kernel provides, but it can shorten it. This is to get around kernels that provide an absurdly long connection timeout (90 minutes in one case).

iconnect

The same as connect, except it applies only to the initial attempt to connect to a host for a given message [0, unspecified]. The concept is that this should be very short (a few seconds); hosts that are well connected and responsive will thus be serviced immediately. Hosts that are slow will not hold up other deliveries in the initial delivery attempt.

initial

The wait for the initial 220 greeting message [5m, 5m].

helo

The wait for a reply from a HELO or EHLO command [5m, unspecified]. This may require a host name lookup, so five minutes is probably a reasonable minimum.

mail+

The wait for a reply from a MAIL command [10m, 5m].

rcpt+

The wait for a reply from an RCPT command [1h, 5m]. This should be long because it could be pointing at a list that takes a long time to expand.

datainit+

The wait for a reply from a DATA command [5m, 2m].

datablock+

The wait for reading a data block (that is, the body of the message). [1h, 3m]. This should be long because it also applies to programs piping input to sendmail which have no guarantee of promptness.

datafinal+

The wait for a reply from the dot terminating a message. [1h, 10m]. If this is shorter than the time actually needed for the receiver to deliver the message, duplicates will be generated. This is discussed in RFC 1047.

rset

The wait for a reply from a RSET command [5m, unspecified].

quit

The wait for a reply from a QUIT command [2m, unspecified].

misc

The wait for a reply from miscellaneous (but short) commands such as NOOP (no-operation) and VERB (go into verbose mode). [2m, unspecified].

command+

In server SMTP, the time to wait for another command. [1h, 5m].

ident

The timeout waiting for a reply to an IDENT query [30s, unspecified].

fileopen

The timeout for opening .forward and :include: files [60s, none].

control

The timeout for a complete control socket transaction to complete [2m, none].

hoststatus

How long status information about a host (such as host down) will be cached before it is considered stale [30m, unspecified].

resolver.retrans

The resolver's retransmission time interval (in seconds) [varies]. Sets both Timeout.resolver.retrans.first and Timeout.resolver.retrans.normal.

resolver.retrans.first

The resolver's retransmission time interval (in seconds) for the first attempt to deliver a message [varies].

resolver.retrans.normal

The resolver's retransmission time interval (in seconds) for all resolver lookups except the first delivery attempt [varies].

resolver.retry

The number of times to retransmit a resolver query. Sets both Timeout.resolver.retry.first and Timeout.resolver.retry.normal [varies].

resolver.retry.first

The number of times to retransmit a resolver query for the first attempt to deliver a message [varies].

resolver.retry.normal

The number of times to retransmit a resolver query for all resolver lookups except the first delivery attempt [varies].

For compatibility with old configuration files, if no ``suboption'' is specified, all the timeouts marked with + are set to the indicated value.

Many of the RFC 1123 minimum values may well be too short. sendmail was designed to the RFC 822 protocols, which did not specify read timeouts; hence, versions of sendmail prior to 8.1 does not guarantee to reply to messages promptly. In particular, a RCPT command specifying a mailing list will expand and verify the entire list; a large list on a slow system may take more than five minutes. (This verification includes looking up every address with the name server; this involves network delays and can be considerable in some cases.) A one hour timeout is recommended. Because this failure is rare, a long timeout is not onerous and may ultimately help reduce network load.

For example, the following line sets the server SMTP command timeout to 25 minutes and the input data block timeout to three hours:

   O Timeout.command=25m
   O Timeout.datablock=3h

   Orcommand=25m,datablock=3h

After sitting in the queue for a few days, a message will time out. This is to insure that at least the sender is aware of the inability to send a message. The timeout is typically set to five days. It is sometimes considered convenient to also send a warning message if the message is in the queue longer than a few hours (assuming you normally have good connectivity; if your messages normally took several hours to send you wouldn't want to do this because it wouldn't be an unusual event). These timeouts are set using the Timeout.queuereturn and Timeout.queuewarn options in the configuration file (previously both were set using the T option).

If the message is submitted using the NOTIFY SMTP extension, warning messages will only be sent if NOTIFY=DELAY is specified. The queuereturn and queuewarn timeouts can be further qualified with a tag based on the Precedence: field in the message; they must be one of "urgent" (indicating a positive non-zero precedence) "normal" (indicating a zero precedence), or "non-urgent" (indicating negative precedences). For example, setting "Timeout.queuewarn.urgent=1h" sets the warning timeout for urgent messages only to one hour. The default if no precedence is indicated is to set the timeout for all precedences. The value "now" can be used for -O Timeout.queuereturn to return entries immediately during a queue run, (for example, to bounce messages independent of their time in the queue.

Since these options are global, and since you cannot know how long another host outside your domain will be down, a five day timeout is recommended. This allows a recipient to fix the problem even if it occurs at the beginning of a long weekend. RFC 1123 section 5.3.1.1 says that this parameter should be ``at least 4-5 days''.

The Timeout.queuewarn value can be piggybacked on the T option by indicating a time after which a warning message should be sent; the two timeouts are separated by a slash. For example, the line:

   OT5d/4h

When the ForkEachJob (Y) option is set, sendmail forks before each individual message while running the queue. This prevents sendmail from consuming large amounts of memory, and so it may be useful in memory-poor environments. However, if the ForkEachJob option is not set, sendmail keeps track of hosts that are down during a queue run, which can improve performance dramatically.

If the ForkEachJob option is set, sendmail can not use connection caching.

Altering queue priorities

Every message is assigned a priority when it is first instantiated, consisting of the message size (in bytes) offset by the message class (determined from the Precedence: header) multiplied by the ``work class factor'' and the number of recipients multiplied by the ``work recipient factor.'' The priority is used to order the queue. Higher numbers for the priority mean that the message is processed later, when running the queue.

The message size is included so that large messages are penalized relative to small messages. The message class allows users to send high-priority messages by including a ``Precedence:'' field in their message; the value of this field is looked up in the P lines of the configuration file. Because the number of recipients affects the size of load a message presents to the system, this is also included in the priority.

The recipient and class factors can be set in the configuration file by using the RecipientFactor (y) and ClassFactor (z) options, respectively. They default to 30,000 (for the recipient factor) and 1800 (for the class factor). The initial priority is:

   pri = msgsize - (class * ClassFactor) + (nrcpt * RecipientFactor)

The priority of a job can also be adjusted each time it is processed (that is, each time an attempt is made to deliver it) using the ``work time factor,'' set by the RetryFactor (Z) option. This is added to the priority, so it normally decreases the precedence of the job, on the grounds that jobs that have failed many times tend to fail again in the future. The RetryFactor option defaults to 90,000.

Setting the mail load limit

sendmail can be asked to queue (but not deliver) mail if the system load average gets too high using the QueueLA (x) option. When the load average exceeds the value of the QueueLA option, the delivery mode is set to q (queue only) if the QueueFactor (q option) divided by the difference in the current load average and the QueueLA option plus one exceeds the priority of the message--that is, the message is queued if:

pri > QueueFactor divided by (LA-QueueLA+1)

The QueueFactor option defaults to 600,000, so each point of load average is worth 600,000 priority points (as described above).

For drastic cases, the RefuseLA (X) option defines a load average at which sendmail will refuse to accept network connections. Locally generated mail (including incoming UUCP mail) is still accepted.

Setting the delivery mode

There are a number of delivery modes for sendmail set by the DeliveryMode (d) configuration option. These modes specify how quickly mail is delivered. Legal modes are:

i

deliver interactively (synchronously)

b

deliver in background (asynchronously)

q

queue only (do not deliver)

d

defer delivery attempts (do not deliver)

If you run in mode ``q,'' ``d,'' or ``b,'' sendmail will not expand aliases and follow .forward files upon initial receipt of the mail. This speeds up the response to RCPT commands.

Mode ``i'' cannot be used by the SMTP server.

Log Levels

The level of logging can be set for sendmail. The default using a standard configuration table is level 9. The levels are as follows:

0

Minimal logging.

1

Serious system failures and potential security problems.

2

Lost communications (network problems) and protocol failures.

3

Other serious failures, malformed addresses, transient forward/include errors, connection timeouts.

4

Minor failures, out of date alias databases, connection rejections via check_ rulesets.

5

Message collection statistics.

6

Creation of error messages, VRFY and EXPN commands.

7

Delivery failures (host or user unknown, and so on).

8

Successful deliveries and alias database rebuilds.

9

Messages being deferred (due to a host being down, and so on).

10

Database expansion (alias, forward, and userdb lookups) and authentication information.

11

NIS errors and end of job processing.

12

Logs all SMTP connections.

13

Log bad user shells, files with improper permissions, and other questionable situations.

14

Logs refused connections.

15

Log all incoming and outgoing SMTP commands.

20

Logs attempts to run locked queue files. These are not errors, but can be useful to note if your queue appears to be clogged.

30

Lost locks (only if using lockf instead of flock).

There are several files involved with sendmail that can have a number of modes. The modes depend on the functionality you want and the level of security you require.

suid root options

Sendmail is normally installed setuid to root. At the point where it is about to exec(S) a mailer, it checks to see if the userid is zero (root); if so, it resets the userid and groupid to a default (set by the U= equate in the mailer line; if that is not set, the DefaultUser option is used). This can be overridden by setting the S flag to the mailer for mailers that are trusted and must be called as root. However, this will cause mail processing to be accounted to root rather than to the user sending the mail.

If you don't make sendmail setuid to root, it will still run but you lose a lot of functionality and a lot of privacy, since you'll have to make the queue directory world readable. You could also make sendmail setuid to some pseudo-user (for example, create a user called sendmail and make sendmail setuid to that) which will fix the privacy problems but not the functionality issues. It also introduces problems on some operating systems if sendmail needs to give up the setuid special privileges. Also, this isn't a guarantee of security: for example, root occasionally sends mail, and the daemon often runs as root. Note however that sendmail must run as root or the trusted user in order to create the SMTP listener socket.

A middle ground is to make sendmail setuid to root, but set the RunAsUser option. This causes sendmail to become the indicated user as soon as it has done the startup that requires root privileges (primarily, opening the SMTP socket). If you use RunAsUser, the queue directory (normally /var/spool/mqueue) should be owned by that user, and all files and databases (including user .forward files, alias files, :include: files, and external databases) must be readable by that user. Also, since sendmail will not be able to change it's uid, delivery to programs or files will be marked as unsafe, that is, undeliverable, in .forward, aliases, and :include: files. Administrators can override this by setting the DontBlameSendmail option to the setting NonRootSafeAddr. RunAsUser is probably best suited for firewall configurations that don't have regular user logins.

Turning off security checks

sendmail is very particular about the modes of files that it reads or writes. For example, by default it will refuse to read most files that are group writable on the grounds that they might have been tampered with by someone other than the owner; it will even refuse to read files in group writable directories.

If you are certain that your configuration is safe and you want sendmail to avoid these security checks, you can turn off certain checks using the DontBlameSendmail option. This option takes one or more names that disable checks. In the descriptions that follow, unsafe directory means a directory that is writable by anyone other than the owner. The values are:

Safe

No special handling.

AssumeSafeChown

Assume that the chown(S) system call is restricted to root. Since some versions of Unix permit regular users to give away their files to other users on some filesystems, sendmail often cannot assume that a given file was created by the owner, particularly when it is in a writable directory. You can set this flag if you know that file giveaway is restricted on your system.

ClassFileInUnsafeDirPath

When reading class files (using the F line in the configuration file), allow files that are in unsafe directories.

DontWarnForwardFileInUnsafeDirPath

Prevent logging of unsafe directory path warnings for non-existent forward files.

ErrorHeaderInUnsafeDirPath

Allow the file named in the ErrorHeader option to be in an unsafe directory.

GroupWritableDirPathSafe

Change the definition of unsafe directory to consider group-writable directories to be safe. World-writable directories are always unsafe.

GroupWritableForwardFileSafe

Accept group-writable .forward files.

GroupWritableIncludeFileSafe

Accept group-writable :include: files.

GroupWritableAliasFile

Allow group-writable alias files.

HelpFileInUnsafeDirPath

Allow the file named in the HelpFile option to be in an unsafe directory.

WorldWritableAliasFile

Accept world-writable alias files.

ForwardFileInGroupWritableDirPath

Allow .forward files in group writable directories.

IncludeFileInGroupWritableDirPath

Allow :include: files in group writable directories.

ForwardFileInUnsafeDirPath

Allow .forward files in unsafe directories.

IncludeFileInUnsafeDirPath

Allow :include: files in unsafe directories.

ForwardFileInUnsafeDirPathSafe

Allow a .forward file that is in an unsafe directory to include references to program and files.

IncludeFileInUnsafeDirPathSafe

Allow an :include: file that is in an unsafe directory to include references to program and files.

InsufficientEntropy

Try to use STARTTLS even if the PRNG for OpenSSL is not properly seeded despite the security problems.

MapInUnsafeDirPath

Allow maps (such as hash, btree, and dbm files) in unsafe directories.

LinkedAliasFileInWritableDir

Allow an alias file that is a link in a writable directory.

LinkedClassFileInWritableDir

Allow class files that are links in writable directories.

LinkedForwardFileInWritableDir

Allow .forward files that are links in writable directories.

LinkedIncludeFileInWritableDir

Allow :include: files that are links in writable directories.

LinkedMapInWritableDir

Allow map files that are links in writable directories.

LinkedServiceSwitchFileInWritableDir

Allow the service switch file to be a link even if the directory is writable.

FileDeliveryToHardLink

Allow delivery to files that are hard links.

FileDeliveryToSymLink

Allow delivery to files that are symbolic links.

RunProgramInUnsafeDirPath

Go ahead and run programs that are in writable directories.

RunWritableProgram

Go ahead and run programs that are group- or world-writable.

WriteMapToHardLink

Allow writes to maps that are hard links.

WriteMapToSymLink

Allow writes to maps that are symbolic links.

WriteStatsToHardLink

Allow the status file to be a hard link.

WriteStatsToSymLink

Allow the status file to be a symbolic link.

TrustStickyBit

Allow group or world writable directories if the sticky bit is set on the directory. Do not set this on systems which do not honor the sticky bit on directories.

NonRootSafeAddr

Do not mark file and program deliveries as unsafe if sendmail is not running with root privileges.

When processing the queue, sendmail will try to keep the last few open connections open to avoid startup and shutdown costs. This only applies to IPC connections.

When trying to open a connection, the cache is first searched. If an open connection is found, it is probed to see if it is still active by sending a RSET command. It is not an error if this fails; instead, the connection is closed and reopened.

Two parameters control the connection cache. The ConnectionCacheSize (k) option defines the number of simultaneous open connections that will be permitted. If it is set to zero, connections will be closed as quickly as possible. The default is one. This should be set as appropriate for your system size; it will limit the amount of system resources that sendmail will use during queue runs. Never set this higher than 4.

The ConnectionCacheTimeout (K) option specifies the maximum time that any cached connection will be permitted to idle. When the idle time exceeds this value the connection is closed. This number should be small (under ten minutes) to prevent you from grabbing too many resources from other hosts. The default is five minutes.

Using sendmail with a name server

If your system is configured to use the Domain Name Service, then sendmail will use it by default.

Control of host address lookups can also be set using a ``service switch''. sendmail can be configured to use the service switch by setting the hosts service entry in the /etc/mail/service.switch file. sendmail uses only two entries, hosts and aliases, although system routines may use other services, notably the passwd service for user name lookups by getpwname.

However, if you do not have a name server configured at all, such as at a UUCP-only site, sendmail will get a ``connection refused'' message when it tries to connect to the name server (either indirectly by calling gethostbyname or directly by looking up MX records). If the I option is set, sendmail will interpret this to mean a temporary failure and will queue the mail for later processing; otherwise, it ignores the name server data. If your name server is running properly, the setting of this option is not relevant; however, it is important that it be set properly to make error handling work properly.

This option also allows you to modify name server options. The command line takes a series of flags as documented in resolver(SLIB) (with the leading ``RES_'' deleted). Each can be preceded by an optional ``+'' or ``-''. For example, the following line turns on the AAONLY (accept authoritative answers only) and turns off the DNSRCH (search the domain path) options.

   OITrue +AAONLY -DNSRCH

Version level 1 configurations turn DNSRCH and DEFNAMES off when doing delivery lookups, but leave them on everywhere else. Version 8 of sendmail ignores them when doing canonification lookups (that is, when using $[ ... $]), and always does the search. If you do not want to do automatic name extension, do not call $[ ... $].

The search rules for $[ ... $] are somewhat different than usual. If the name (that is, the ``...'') has at least one dot, it always tries the unmodified name first. If that fails, it tries the reduced search path, and lastly tries the unmodified name (but only for names without a dot, because names with a dot have already been tried). This allows names such as ``utc.CS'' to match the site in Czechoslovakia rather than the site in your local computer science department. It also prefers A and CNAME records over MX records - that is, if it finds an MX record it makes note of it, but keeps looking. This way, if you have a wildcard MX record matching your domain, it will not assume that all names match.

Moving the per-user forward files

Some sites mount each user's home directory from a local disk on their workstation, so that local access is fast. However, the result is that .forward file lookups are slow. In some cases, mail can even be delivered on machines inappropriately because of a file server being down. The performance can be especially bad if you run the automount facility.

The ForwardPath (J) option allows you to set a path of forward files. For example, the following configuration file line would first look for a file with the same name as the user's login in /usr/forward; if that is not found (or is inaccessible) the file .forward in the user's home directory is searched.

   O ForwardPath=/usr/forward/$u:$z/.forward

If you create a directory such as /usr/forward, it should be mode 1777 (that is, the sticky bit should be set). Users should create the files mode 644. Note that you must use the forwardfileinunsafedirpath and forwardfileinunsafedirpathsafe flags with the DontBlameSendmail option to allow forward files in a world writable directory. This might also be used as a denial of service attack (users could create forward files for other users); a better approach might be to create /var/forward mode 755 and create empty files for each user, owned by that user, mode 644. If you do this, you don't have to set the DontBlameSendmail options indicated above.

Setting mail queue filesystem free space

You can specify a minimum number of free blocks on the queue filesystem using the MinFreeBlocks (b) option. If there are fewer than the indicated number of blocks free on the filesystem on which the queue is mounted, the SMTP server will reject mail with the 452 error code. This invites the SMTP client to try again later.

Beware of setting this option too high; it can cause rejection of email when that mail would be processed without difficulty.

Setting maximum message size

To avoid overflowing your system with a large message, the MaxMessageSize option can be set to set an absolute limit on the size of any one message. This will be advertised in the ESMTP dialogue and checked during message collection.

Setting privacy flags

The PrivacyOptions (p) option allows you to set certain ``privacy'' flags. Many of them do not give you any extra privacy, rather just insisting that client SMTP servers use the HELO command before using certain commands or adding extra headers to indicate possible spoof attacks.

The option takes a series of flag names; the final privacy is the inclusive ``or'' of those flags. For example:

   O PrivacyOptions=needmailhelo, noexpn

For more information, see ``O--set option''.

Setting ``send to me too'' operation

Beginning with version 8.10, sendmail includes by default the (envelope) sender in any list expansions. For example, if ``mary'' sends to a list that contains ``mary'' as one of the members, she will get a copy of the message. If the MeToo option is set to FALSE (in the configuration file or via the command line), this behavior is changed (that is, the sender is excluded in list expansions).

Reconfiguring sendmail

You can change the sendmail configuration at any time. How you change the configuration depends on what you want to change. When sendmail is installed, a standard configuration file is created by combining user prompted input with non-prompted configuration information. sendmail obtains the non-prompted configuration information from a default configuration source file, /usr/lib/sendmail.d/sendmail.src.

If you want to change any of the information for which mkdev cf prompts, the easiest approach is to rerun mkdev cf and respond to the prompts. sendmail remembers the previous responses to these prompts, so you need only make changes. For a description of the information for which mkdev cf prompts, see ``Running mkdev cf''.

If you want to change information for which mkdev cf does not prompt:

1. Back up the default configuration source file, /usr/lib/sendmail.d/sendmail.src, if you want to retain online an original version of this file.

2. Change /usr/lib/sendmail.d/sendmail.src according to your needs.

3. Run mkdev cf to rebuild the /usr/lib/sendmail.cf file, integrating the changed /usr/lib/sendmail.d/sendmail.src. See ``Running mkdev cf'' for a description of mkdev cf.

Administering sendmail

System administration with sendmail consists of:

• debugging sendmail,

• changing option values,

• using a different configuration file,

• logging traffic,

• monitoring the system log file,

• managing the mail queue,

• maintaining the system alias file,

• managing spam,

• and performing other related actions.

There is a fairly large number of debug flags built into sendmail. Each debug flag has a number and a level, where higher levels cause more information to be printed out. The convention is that levels greater than nine are not required. They print out so much information that you would not normally want to see them, except for debugging that particular piece of code. Debug flags are set using the sendmail -d command-line flag. The syntax is:

debug-flag:

-d debug-list

debug-list:

debug-option [ , debug-option ]*

debug-option:

debug-range [ . debug-level ]

debug-range:

integer | integer - integer

debug-level:

integer

-d12

Set flag 12 to level 1.

-d12.3

Set flag 12 to level 3.

-d3-17

Set flags 3 through 17 to level 1.

-d3-17.4

Set flags 3 through 17 to level 4.

Options can be overridden using the -o or -O command line flags. For example:

sendmail -oT2m

sets the T (timeout) option to two minutes for this run only; the equivalent line using the long option name is:

sendmail -OTimeout.queuereturn=2m

Some options have security implications. Sendmail allows you to set these, but relinquishes its setuid root permissions thereafter.

Trying a Different Configuration File

An alternative configuration file can be specified using the -C flag; for example,

sendmail -Ctest.cf -oQ/tmp/mqueue

uses the configuration file test.cf instead of the default /usr/lib/sendmail.cf. If the -C flag has no value it defaults to sendmail.cf in the current directory.

sendmail gives up its setuid root permissions when you use this flag, so it is common to use a publicly writable directory (such as /tmp) as the spool directory (QueueDirectory or Q option) while testing.

Logging traffic

Many SMTP implementations do not fully implement the protocol. For example, some personal computer based SMTPs do not understand continuation lines in reply codes. These can be very hard to trace. If you suspect such a problem, you can set traffic logging using the -X flag. For example, the following will log all traffic in the file /tmp/traffic.

/usr/lib/sendmail -X /tmp/traffic -bd

This logs a lot of data very quickly and should never be used during normal operations. After starting up such a daemon, force the errant implementation to send a message to your host. All message traffic in and out of sendmail, including the incoming SMTP traffic, will be logged in this file.

Testing configuration files

When you build a configuration table, you can do a certain amount of testing using the test mode of sendmail. For example:

sendmail -bt -Ctest.cf

would read the configuration file test.cf and enter test mode. In this mode, you enter lines of the form:

rwset address

where rwset is the rewriting set you want to use and address is an address to apply the set to. Test mode shows you the steps it takes as it proceeds, finally showing you the address it ends up with. You may use a comma separated list of rwsets for sequential application of rules to an input. For example:

   3,1,21,4 monet:bollard

If you need more detail, you can also use the -d21 flag to turn on more debugging. For example:

sendmail -bt -d21.99

turns on an incredible amount of information; a single word address is probably going to print out several pages worth of information.

   0 bruce@broadcast.sony.com

   3,0 bruce@broadcast.sony.com

As of version 8.7, additional syntaxes are available in test mode:

.D x value

defines macro x to have the indicated value. This is useful when debugging rules that use the $&x syntax.

C c value

adds the indicated value to class c.

.S ruleset

dumps the contents of the indicated ruleset.

-d debug-spec

is equivalent to the command-line flag.

When HostStatusDirectory is enabled, information about the status of hosts is maintained on disk and can thus be shared between different implementations of sendmail. The status of the last connection with each remote host may be viewed with the command:

sendmail -bh

This information may be flushed with the command:

sendmail -bH

Flushing the information prevents new sendmail processes from loading it, but does not prevent existing processes from using the status information that they already have.

Viewing the system log

The system log appears in the file logged to by the syslogd(ADM) utility.
All messages from sendmail are logged under the LOG_MAIL facility. Each line in the system log consists of a timestamp, the name of the machine that generated it (for logging from several machines over the network), the word ``sendmail,'' and a message.

Log entry format

Each line in the system log consists of a timestamp, the name of the machine that generated it (for logging from several machines over the local area network), the word "sendmail:", and a message.

The two most common lines are logged when a message is processed. The first logs the receipt of a message; there will be exactly one of these per message. Some fields may be omitted if they do not contain interesting information. Fields are:

from

The envelope sender address.

size

The size of the message in bytes.

class

The class (numeric precedence) of the message.

pri

The initial message priority (used for queue sorting).

nrcpts

The number of envelope recipients for this message (after aliasing and forwarding).

msgid

The message id of the message (from the header).

proto

The protocol used to receive this message (such as ESMTP or UUCP)

relay

The machine from which it was received.

to

A comma-separated list of the recipients to this mailer.

ctladdr

The ``controlling user'', that is, the name of the user whose credentials we use for delivery.

delay

The total delay between the time this message was received and the time it was delivered.

xdelay

The amount of time needed in this delivery attempt (normally indicative of the speed of the connection).

mailer

The name of the mailer used to deliver to this recipient.

relay

The name of the host that actually accepted (or rejected) this recipient.

stat

The delivery status.

A large amount of information can be logged. The log is arranged as a succession of levels. At the lowest level, only extremely strange situations are logged. At the highest level, even the most mundane and uninteresting events are recorded for posterity. As a convention, log levels under 10 are considered ``useful''; log levels above 64 are reserved for debugging purposes. Levels from 11-64 are reserved for verbose information that some sites might want.

The log level is set with the L configuration option. See ``Log Levels'' for a complete description of log levels.

Dumping state

You can ask sendmail to log a dump of the open files and the connection cache by sending it a SIGUSR1 signal. The results are logged at LOG_DEBUG priority.

Viewing the mail queue

The mail queue should be processed transparently. However, you may find that manual intervention is sometimes necessary. For example, if a major host is down for a period of time the queue may become clogged. Although sendmail ought to recover gracefully when the host comes up, you may find performance unacceptably bad in the meantime.

The contents of the queue can be printed using the mailq command (or by specifying the -bp flag to sendmail):

mailq

This produces a listing of the queue identifiers, the size of the message, the date the message entered the queue, and the sender and recipients.

Format of sendmail queue files

sendmail queue files live in the directory defined by the Q option in the /usr/lib/sendmail.cf file, usually /usr/spool/mqueue.
The individual qf, df, and xf files may be stored in separate if they are present in the queue directory.

To use multiple queues, supply a value ending with an asterisk. For example, /var/spool/mqueue/q* will use all of the directories or symbolic links to directories beginning with `q' in /var/spool/mqueue as queue directories. New messages will be randomly placed into one of the queues. Do not change the queue directory structure while sendmail is running.

All queue files have the name xfYMDhmsNPPPPP where YMDhmsNPPPPP is the id for this message and the x is a type. The individual letters in the id are:

Y

Encoded year

M

Encoded month

D

Encoded day

h

Encoded hour

m

Encoded minute

s

Encoded second

N

Envelope number

PPPPP

First five digits of the process ID

The types are:

d

data file. The message body (excluding the header) is kept in this file.

q

queue control file. This file contains the information necessary to process the job.

t

temporary file. This is an image of the qf file when it is being rebuilt. It should be renamed to a qf file very quickly.

x

transcript file, existing during the life of a session, showing everything that happens during that session

The qf file is structured as a series of lines, each beginning with a code letter. The lines are as follows:

A

The information given by the AUTH= parameter of the "MAIL FROM:" command or $f@$j if sendmail has been called directly.

D

name of the data file. There can only be one of these lines.

H

header definition. There can be any number of these lines. The order is important: it represents the order in the final message. This uses the same syntax as header definitions in the configuration file.

C

controlling address. The syntax is ``localuser:aliasname''. Recipient addresses following this line will be flagged so that deliveries will be run as the localuser (a user name from the /etc/passwd file); aliasname is the name of the alias that expanded to this address (used for printing messages).

Q

The ``original recipient'', specified by the ORCPT= field in an ESMTP transaction. Used exclusively for Delivery Status Notifications. It applies only to the immediately following `R' line.

R

recipient address. This is normally completely aliased, but is actually re-aliased when the job is processed. There is one line for each recipient. Version 1 qf files also include a leading colon-terminated list of flags, which can be `S' to return a message on successful final delivery, `F' to return a message on failure, `D' to return a message if the message is delayed, `B' to indicate that the body should be returned, `N' to suppress returning the body, and `P' to declare this as a ``primary'' (command line or SMTP-session) address.

S

sender address. There can only be one of these lines.

E

error address. If any such lines exist, they represent the addresses that should receive error messages.

T

job creation time. This computes how long a job remains in the queue undelivered, before being returned to the sender.

P

current message priority. This orders the queue. Higher numbers mean lower priorities. The priority changes as the message sits in the queue. The initial priority depends on the message class and the size of the message.

M

message. This line is printed by the mailq command, and is generally used to store status information. It can contain any text.

F

flag bits, represented as one letter per flag. Defined flag bits are r indicating that this is a response message and w indicating that a warning message has been sent announcing that the mail has been delayed.

N

The total number of delivery attempts.

K

The time (as seconds since January 1, 1970) of the last delivery attempt.

OI

The i-number of the data file; this can be used to recover your mail queue after a disastrous disk crash.

$

a macro definition. The values of certain macros (as of this writing, only $r and $s ) are passed through to the queue run phase.

B

the body type. The remainder of the line is a text string defining the body type. If this field is missing, the body type is assumed to be ``undefined'' and no special processing is attempted. Legal values are 7BIT and 8BITMIME. LI Z The original envelope id (from the ESMTP transaction). For Deliver Status Notifications only.

As an example, the following is a queue file sent to ``eric@mammoth.Berkeley.EDU'' and ``bostic@okeeffe.CS.Berkeley.EDU''. (This example is contrived and probably inaccurate for your environment. Glance over it to get an idea; nothing can replace looking at what your own system generates.)

   P835771
   T404261372
   DdfAAA13557
   Seric
   Eowner-sendmail@vango.CS.Berkeley.EDU
   Ceric:sendmail@vango.CS.Berkeley.EDU
   Reric@mammoth.Berkeley.EDU
   Rbostic@okeeffe.CS.Berkeley.EDU
   H?P?return-path: <owner-sendmail@vango.CS.Berkeley.EDU>
   Hreceived: by vango.CS.Berkeley.EDU (5.108/2.7) id AAA06703;
   	Fri, 17 Jul 92 00:28:55 -0700
   Hreceived: from mail.CS.Berkeley.EDU by vango.CS.Berkeley.EDU (5.108/2.7)
   	id AAA06698; Fri, 17 Jul 92 00:28:54 -0700
   Hreceived: from [128.32.31.21] by mail.CS.Berkeley.EDU (5.96/2.5)
   	id AA22777; Fri, 17 Jul 92 03:29:14 -0400
   Hreceived: by foo.bar.baz.de (5.57/Ultrix3.0-C)
   	id AA22757; Fri, 17 Jul 92 09:31:25 GMT
   H?F?from: eric@foo.bar.baz.de (Eric Allman)
   H?x?full-name: Eric Allman
   Hmessage-id: <9207170931.AA22757@foo.bar.baz.de>
   HTo: sendmail@vango.CS.Berkeley.EDU
   Hsubject: this is an example message

Queue interval

The amount of time between forking a process to run through the queue is defined by the -q flag. If you run sendmail in delivery mode i or b, this can be relatively large, because it is only relevant when a host that was down comes back up. If you run sendmail in delivery mode q, it should be relatively short, because it defines the amount of time that a message may sit in the queue before sendmail tries to deliver it. The delivery mode is a configuration option. (See also the MinQueueAge option.)

RFC 1123 section 5.3.1.1 says that this value should be at least 30 minutes (although that probably does not make sense if you use ``queue-only'' mode).

Forcing the queue

The sendmail program should run the queue automatically at intervals. The algorithm is to read and sort the queue, then to attempt to process all jobs in order. When using multiple queues, a separate process will be created to run each of the queues unless the queue run is initiated by a user with the verbose flag. When it attempts to run the job, sendmail first checks to see if the job is locked. If so, it ignores the job.

There is no attempt to ensure that only one queue processor exists at any time, because there is no guarantee that a job cannot take forever to process (however, sendmail does include heuristics to try to abort jobs that are taking absurd amounts of time; technically, this violates RFC 821, but is blessed by RFC 1123). Due to the locking algorithm, it is impossible for one job to freeze the queue. However, an uncooperative recipient host or a program recipient that never returns can accumulate many processes in your system. Unfortunately, there is no completely general way to resolve this.

In some cases, you may find that if a major host goes down for a couple of days, this can create a prohibitively large queue. This situation causes sendmail to spend an inordinate amount of time sorting the queue. This situation can be fixed by moving the queue to a temporary place and creating a new queue. The old queue can be run later, when the offending host returns to service.

To do this, it is acceptable to move the entire queue directory:

cd /usr/spool
mv mqueue omqueue; mkdir mqueue; chmod 700 mqueue

You should then kill the existing daemon (because it is still processing in the old queue directory) and create a new daemon. To kill the existing daemon and create a new daemon, reboot the system.

To run the old mail queue, run the following command:

/usr/lib/sendmail -oQ/usr/spool/omqueue -q

The -oQ flag specifies an alternate queue directory, and the -q flag says just to run every job in the queue. Use the -v flag to view what is going on.

When the queue is finally emptied, you can remove the directory:

rmdir /usr/spool/omqueue

You can also limit the jobs to those with a particular queue identifier, sender, or recipient using one of the queue modifiers. For example, ``-qRberkeley'' restricts the queue run to jobs that have the string ``berkeley'' somewhere in one of the recipient addresses. Similarly, -qSsender limits the run to a particular sender and -qIidentifier limits it to a particular queue identifier.

Disk-based connection information

sendmail stores a large amount of information about each remote system it has connected to in memory. It is now possible to preserve some of this information on disk as well, by using the HostStatusDirectory option, so that it may be shared between several invocations of sendmail. This allows mail to be queued immediately or skipped during a queue run if there has been a recent failure in connecting to a remote machine.

Additionally enabling SingleThreadDelivery has the added effect of single-threading mail delivery to a destination. This can be quite helpful if the remote machine is running an SMTP server that is easily overloaded or cannot accept more than a single connection at a time, but can cause some messages to be punted to a future queue run. It also applies to all hosts, so setting this because you have one machine on site that runs some software that is easily overrun can cause mail to other hosts to be slowed down. If this option is set, you probably want to set the MinQueueAge option as well and run the queue fairly frequently; this way jobs that are skipped because another sendmail is talking to the same host will be tried again quickly rather than being delayed for a long time.

The disk based host information is stored in a subdirectory of the mqueue directory called .hoststat (controlled by the HostStatusDirectory option). Removing this directory and its subdirectories has an effect similar to the purgestat command and is completely safe. The information in these directories can be perused with the hoststat command, which will indicate the host name, the last access, and the status of that access. An asterisk in the left most column indicates that a sendmail process currently has the host locked for mail delivery.

The disk based connection information is treated the same way as memory based connection information for the purpose of timeouts. By default, information about host failures is valid for 30 minutes. This can be adjusted with the Timeout.hoststatus option.

The connection information stored on disk may be purged at any time with the purgestat command or by invoking sendmail with the -bH switch. The connection information may be viewed with the hoststat command or by invoking sendmail with the -bh switch.

The service switch

The implementation of certain system services such as host and user name lookup is controlled by the service switch. The ServiceSwitchFile option points to the name of a file that has the service definitions. Each line has the name of a service and the possible implementations of that service. For example, the file:

   hosts	dns files nis
   aliases	files nis

The alias database exists in two forms. One is a text form, maintained in the file /usr/lib/mail/aliases.
The aliases are of the form:

name: name1, name2, ...

Only local names can be aliased. For example:

eric@prep.ai.MIT.EDU: eric@CS.Berkeley.EDU

This does not have the desired effect. Aliases can be continued by starting any continuation line with a space or a tab, or by putting a backslash directly before the newline. Blank lines and lines beginning with a number sign (``#'') are comments.

The second form is processed by the ndbm(NS) or the Berkeley db library. This form is in the files /usr/lib/mail/aliases.db (if using Berkeley db) or /usr/lib/mail/aliases.dir and /usr/lib/mail/aliases.pag (if using ndbm). This is the form that sendmail actually uses to resolve aliases. This technique improves performance.

The control of search order is actually set by the service switch. Essentially, the entry

   O AliasFile=switch:aliases

   O AliasFile=/usr/lib/mail/aliases

   aliases nis files nisplus

You can also use NIS-based alias files. For example, the following specification will first search the /usr/lib/mail/aliases file and then the map named mail.aliases in my.nis.domain.

   O AliasFile=/usr/lib/mail/aliases
   O AliasFile=nis:mail.aliases@my.nis.domain

Additional flags can be added after the colon exactly like a K line. For example:

   OAnis:-N mail.aliases@my.nis.domain

Rebuilding the alias database

The hash or dbm version of the database can be rebuilt explicitly by executing the command:

/usr/bin/newaliases

This is equivalent to giving sendmail the -bi flag:

/usr/lib/sendmail -bi

If the RebuildAliases (old D) option is specified in the configuration, sendmail rebuilds the alias database automatically, if possible, when it is out of date. Auto-rebuild can be dangerous on heavily loaded machines with large alias files; if it might take more than the rebuild timeout (option AliasWait (old a) which is normally five minutes) to rebuild the database, there is a chance that several processes start the rebuild process simultaneously.

If you have multiple aliases databases specified, the -bi flag rebuilds all the database types it understands (for example, it can rebuild db databases but not NIS databases).

Potential alias database problems

There are a number of problems that can occur with the alias database. They all result when a sendmail process accesses the DBM version while it is only partially built. This can happen under two circumstances: either one process accesses the database while another process is rebuilding it, or the process rebuilding the database dies (due to being killed or a system crash) before completing the rebuild.

The sendmail program includes three techniques to try to relieve these problems. First, it ignores interrupts while rebuilding the database; this avoids the problem of someone aborting the process and leaving a partially rebuilt database. Second, it locks the database source file during the rebuild, but this may not work over NFS or if the file is unwritable. Third, at the end of the rebuild it adds an alias of the form:

   @: @

List owners

If an error occurs on sending to a certain address, say ``x,'' sendmail looks for an alias of the form ``owner-x'' to receive the errors. This is typically useful for a mailing list where the submitter of the list has no control over the maintenance of the list itself; in this case the list maintainer would be the owner of the list. For example:

   mail-wizards: eric@ucbarpa, wnj@monet, nosuchuser,
   	sam@matisse
   owner-mail-wizards: eric@ucbarpa

List owners also cause the envelope sender address to be modified. The contents of the owner alias are used if they point to a single user, otherwise the name of the alias itself is used. For this reason, and to obey Internet conventions, a typical scheme would be:

   list:	some, set, of, addresses
   list-request:	list-admin-1, list-admin-2, ...
   owner-list:	list-request

Stopping and restarting sendmail

To stop and restart sendmail:

1. Log in to the system as root.

2. Enter the following commands:
   
   cd /etc/rc2.d
   ./P86sendmail stop
   ./P86sendmail start

Unsolicited email, or ``spam'', is an increasing problem on the Internet. You can use anti-spam rulesets to:

• prevent your site from being used as an intermediate site between a sender and a recipient, using check_rcpt (enabled by default)

• prevent mail from being sent from a pre-defined list of fully qualified domain names and/or IP numbers, regardless of recipient, using check_relay

• require that the domain of the sender specified in the "Mail From:" SMTP command resolves to a valid fully-qualified domain name, using check_mail

• prevent mail from being sent from a pre-defined list of domain names or email addresses to a specified list of recipients, using check_compat

Currently, anti-spam features cannot be enabled with the SCOadmin Sendmail Configuration Manager, mkdev cf, or the Internet Manager's mail configuration options. With the exception of check_rcpt, modifications made to /usr/lib/sendmail.cf to enable anti-spam features are not preserved across successive executions of these configuration utilities. Be sure to save your changes to /usr/lib/sendmail.cf so that you can re-enable the anti-spam features should you run one of the sendmail configuration utilities.

Using the check_rcpt ruleset

Those sending spam mail often try to use an intermediate system in an attempt to hide the source of electronic mail. The check_rcpt ruleset prevents your site from being used as an intermediate site between a sender and a recipient.

To implement check_rcpt:

1. Uncomment the check_rcpt, Parse0, and matchvdom rulesets, as well as the Krelays line, in /usr/lib/sendmail.cf.

2. Add entries to the relays file for those sites that are allowed to send mail through this site.

3. Restart sendmail.

• the site is contained in the relays map entries in /usr/lib/mail/antispam/relays, or

• the recipient address is in the same domain as this system

• the recipient is in the domain of one of the virtual domains served by this system

The class R, defined by entries in the file /usr/lib/mail/antispam/sendmail.cR, allows additional relays not defined in the relays map. You must also have DD and Cw defined for this ruleset to function properly.

Adding entries to the relays map

The relays file (/usr/lib/mail/antispam/relays), used by the the check_rcpt ruleset, specifies those sites and IP numbers that are allowed to use this site as an intermediate relay.

Add entries to the file using this <Tab>-separated format:

   address	OK

For example, to allow the site bomb20.pdev.sco.com to use this site as an intermediate relay, add the following line to the file:

   bomb20.pdev.sco.com	OK

This example shows a specific IP number:

   10.0.67.15	OK

After adding or deleting entries from this file, rebuild the relays map:

1. Log in to the system as root.

2. Enter the following commands:
   
   cd /usr/lib/mail/antispam
   makemap hash relays < relays

Using the check_relay ruleset

This ruleset prevents mail from being sent from a pre-defined list of fully qualified domain names and/or IP numbers, regardless of recipient.

To implement this feature:

1. Uncomment the check_relay ruleset and the Kspammers line in /usr/lib/sendmail.cf.

2. Modify and rebuild the spammers file.

3. Restart sendmail.

Adding entries to the spammers map

The spammers file (/usr/lib/mail/antispam/spammers), used by the check_relay or check_mail rulesets, identifies systems from which mail will be rejected.

Add entries to the file using this <Tab>-separated format:

   address	message

   bomb20.pdev.sco.com	Mail rejected, contact postmaster@mydomain.com
   10.0.67.15		Mail rejected, contact postmaster@mydomain.com

After editing this file, rebuild the spammers map:

1. Log in to the system as root.

2. Enter the following commands:
   
   cd /usr/lib/mail/antispam
   makemap hash spammers < spammers

Using the check_mail ruleset

This ruleset requires that the domain of the sender specified in the "Mail From:" SMTP command resolves to a valid fully-qualified DNS domain name. Additionally, the client making the connection to the local SMTP server is checked against a pre-defined list of fully qualified domain names.

To implement this feature:

1. Uncomment the check_mail ruleset and the Kspammers line from /usr/lib/sendmail.cf.

2. Modify and rebuild the spammers file.

3. Restart sendmail.

Using the check_compat ruleset

Use check_compat to prevent mail from being sent from a pre-defined list of domain names or email addresses to a specified list of recipients. For example, you may use this ruleset for preventing all mail from any user in domain foobar.com from being sent to any user in domain barfoo.com, but still allow mail from users in foobar.com to be sent to users in other domains. This is useful for combating individual spam attacks from individual sites to a specific set of users or domains.

To implement this feature:

1. Uncomment the check_compat, matchprotected, and matchspam rulesets, and the Kspammers2 and Kprotected lines, from /usr/lib/sendmail.cf.

2. Add users and domains from which mail will possibly be rejected to the spammers2 file and rebuild the map.

3. Add users and domains that are considered 'protected' from spam attacks from the first set of addresses to the protected file and rebuild the map.

4. Restart sendmail.

Adding entries to the spammers2 map

The spammers2 file (/usr/lib/mail/antispam/spammers2), used by the check_compat ruleset, specifies those addresses that are to be considered as potential spammers against those addresses in the protected map.

Add entries to the file using this <Tab>-separated format:

   address	SPAMMER

   isendspam.com		SPAMMER

To specify an individual user instead, enter their individual addresses:

   chris@sendyouspam.com	SPAMMER

All entries must contain the string SPAMMER on the right hand side.

After editing this file, rebuild the spammers2 map:

1. Log in to the system as root.

2. Enter the following commands:
   
   cd /usr/lib/mail/antispam
   makemap hash spammers2 < spammers2

Because you can block whole domains from access to your protected users, you may also exclude valid e-mail addresses. In this case, it is best to target individual addresses in the spammers2 file.

Adding entries to the protected users map

The protected users file (/usr/lib/mail/antispam/protected), used by the check_compat ruleset, specifies those addresses that are to be considered 'protected' from spam attacks by the addresses in the spammers2 map.

Add entries to the file using this <Tab>-separated format:

   address	PROTECTED

   foobar.com	PROTECTED

To protect individual users rather than entire domains, enter their individual addresses:

   chris				PROTECTED
   chris@foobar.com		PROTECTED

All entries must contain the string PROTECTED on the right hand side.

After editing this file, rebuild the protected map:

1. Log in to the system as root.

2. Enter the following commands:
   
   cd /usr/lib/mail/antispam
   makemap hash protected < protected

As an alternative to the alias database, any user can put a file with the name .forward in his or her home directory. If this file exists, sendmail redirects mail for that user to the list of addresses listed in the .forward file. For example, suppose the home directory for user mckee has a .forward file with contents:

   mckee@ernie
   kirk@calder

Actually, the configuration file defines a sequence of filenames to check. By default, this is the user's .forward file, but can be defined to be more files by using the ForwardPath (J) option. If you change this, you will have to inform your user base of the change; .forward is the standard place to define mail redirection.

Special header lines

Several header lines have special interpretations defined by the configuration file. Others have interpretations built into sendmail that cannot be changed. These built-ins are described here.

Errors-To:

If errors occur anywhere during processing, this header causes error messages to go to the listed addresses rather than to the sender. This is intended for mailing lists.

The ``Errors-To:'' header was created when UUCP did not understand the distinction between an envelope and a header; this was a work-around that provided what should now be passed as the envelope sender address. It should go away. It is only used if the UseErrorsTo (l) option is set.

Apparently-To:

RFC 822 requires at least one recipient field (To:, Cc:, or Bcc: line) in every message. If a message comes in with no recipients listed in the message then sendmail will adjust the header based on the ``NoRecipientAction'' option. One of the possible actions is to add an ``Apparently-To:'' header line for any recipients it is aware of.

The Apparently-To: header is non-standard and discouraged.

Precedence:

The Precedence: header can be used as a crude control of message priority. It tweaks the sort order in the queue and can be configured to change the message timeout values. The precedence of a message also controls how delivery status notifications (DSNs) are processed for that message.

IDENT protocol support

sendmail supports the IDENT protocol as defined in RFC 1413. Note that the RFC states a client should wait at least 30 seconds for a response. The default Timeout.ident is 5 seconds as many sites have adopted the practice of dropping IDENT queries. This has lead to delays processing mail. Although this enhances identification of the author of an email message by doing a ``call back'' to the originating system to include the owner of a particular TCP/IP connection in the audit trail it is in no sense perfect; a determined forger can easily spoof the IDENT protocol. The following description is excerpted from RFC 1413:

6. Security Considerations
The information returned by this protocol is at most as trustworthy as the host providing it OR the organization operating the host. For example, a PC in an open lab has few if any controls on it to prevent a user from having this protocol return any identifier the user wants. Likewise, if the host has been compromised the information returned may be completely erroneous and misleading.

The Identification Protocol is not intended as an authorization or access control protocol. At best, it provides some additional auditing information with respect to TCP connections. At worst, it can provide misleading, incorrect, or maliciously incorrect information.

The use of the information returned by this protocol for other than auditing is strongly discouraged. Specifically, using Identification Protocol information to make access control decisions - either as the primary method (no other checks) or as an adjunct to other methods may result in a weakening of normal host security.

An Identification server may reveal information about users, entities, objects or processes which might normally be considered private. An Identification server provides service which is a rough analog of the CallerID services provided by some phone companies and many of the same privacy considerations and arguments that apply to the CallerID service apply to Identification. If you wouldn't run a "finger" server due to privacy considerations you may not want to run this protocol.

This is a summary of the support files that sendmail creates or generates. Many of these can be changed by editing the sendmail.cf file; these are noted below.

/usr/lib/sendmail

binary of sendmail; should be setuid root.

/usr/bin/newaliases

link to /usr/lib/sendmail; causes the alias database to be rebuilt. Running this program is completely equivalent to giving sendmail the -bi flag.

/usr/bin/mailq

prints a listing of the mail queue. This program is equivalent to using the -bp flag to sendmail.

/usr/lib/sendmail.cf

configuration file, in textual form.

/usr/lib/sendmail.hf

help file used by the SMTP HELP command; the actual path of this file is defined in the H option of the sendmail.cf file.

/usr/lib/sendmail.st

statistics file. If you wish to collect statistics about your mail traffic, you should create this file:

   cp /dev/null /usr/lib/sendmail.st
   chmod 666 /usr/lib/sendmail.st

Print this file with the command mailstats(ADMN).

The actual path of this file is defined in the S option of the sendmail.cf file.

/etc/sendmail.pid

process id file. Created in daemon mode; contains the process id of the current SMTP daemon. If you use this in scripts, use ``head -1'' to get just the first line; later versions of sendmail may add information to subsequent lines.

/usr/lib/mail/aliases

textual version of the alias file.

/usr/lib/mail/aliases.db

alias file in db format.

/usr/spool/mqueue

directory in which the mail queue and temporary files reside; this directory should be mode 700 and owned by root; the actual path of this directory is defined in the Q option of the sendmail.cf file.

/usr/spool/mqueue/qf*

control (queue) files for messages.

/usr/spool/mqueue/df*

data files.

/usr/spool/mqueue/tf*

temporary versions of the qf files, used during queue-file rebuild.

/usr/spool/mqueue/xf*

transcript of the current session.

Most sendmail configuration is accomplished by editing the configuration file, /usr/lib/sendmail.cf.
The syntax of this file is designed to be reasonably easy to parse, because this is done every time sendmail starts up. As a result, the configuration file is not particularly easy for a human to read or write.

The configuration file has three major purposes:

• setting up the environment for sendmail

• rewriting addresses in the message

• mapping addresses into the set of instructions that will deliver the message

This section provides an overview of the standard configuration file built with the mkdev cf script, provides the specifications for configuration file lines, and describes building a configuration file from scratch.

/usr/lib/sendmail.cf overview

A sendmail configuration file is organized as a series of lines, each of which begins with a single character defining the semantics for the rest of the line. Lines beginning with a space or a tab are continuation lines (although the semantics are not well defined in many places). Blank lines and lines beginning with a number sign (``#'') are comments.

The following paragraphs in this description of the standard configuration file refer to ``sections'' of the standard configuration file. When viewing the configuration file /usr/lib/sendmail.cf, these sections are differentiated by comments constructed to look like headers by encircling them with number signs (``#'').

Macros

The first two sections of the standard configuration file consist of macro definitions. These are lines that begin with the letter ``D''. The defined macros are described in ``D--define macro''.

Macros can be used in three ways. They can transmit unstructured textual information into the mail system. An example of this is the name that sendmail uses to identify itself in error messages; the default, ``MAILER-DAEMON'', is defined like this:

   DnMAILER-DAEMON

Other example macros:

   DlFrom $g $d
   Do.:%@!^/[]

Options

The next section in the file consists of options. These are lines that begin with the letter ``O''. There are several options that can be set from the configuration file. These include the pathnames of various support files, timeouts, default modes, and so forth. See ``O--set option'' for a complete list of these options. Because options can also be set as an argument in the invocation of sendmail, some of the most useful are also listed in the sendmail(ADMN) manual page.

Example options:

   OA/usr/lib/mail/aliases
   OT3d

Message precedences

This next section in the file assigns values to mail precedence names. These values are used to compute a priority for a mail message. sendmail uses this priority to order mail messages in the mail queue. See ``Altering queue priorities'' for a description of how precedence values are used.

Example precedence setting:

   Pspecial-delivery=100

Format of headers

This next section in the file contains header declarations that inform sendmail of the format of known header lines. Knowledge of a few header lines is built into sendmail, such as the ``From:'' and ``Date:'' lines. See ``H--define header'' for a description of how headers are declared and ``D--define macro''. for a description of the macros used.

Most configured headers are automatically inserted into the outgoing message if they do not exist in the incoming message. Certain headers are suppressed by some mailers.

Example header format:

   H?D?Date: $a
   H?F?From: $q

Address rewriting rules

The next several sections of the file are the rewriting rules which sendmail uses to parse addresses. These are lines beginning with the letter ``S'', which names the ruleset to which the following rules belong, and the letter ``R'', which are the rules.

There are multiple rule sets with specific purposes. These purposes are discussed in ``Semantics of rewriting rule sets''.

Mailer declarations

At the end of the standard configuration file are sections that contain the mailer declarations. These are lines beginning with the letter ``M''. You will see rewriting rule lines between and after the mailer declaration lines. These are for rulesets that customize addresses for specific mailers.

Mailer declarations tell sendmail of the various mailers available to it. A mailer declaration specifies the internal name of the mailer, the pathname of the program to call, some of the flags associated with the mailer, and an argument vector to be used in the call to the mailer. See ``M--define mailer''.

Example mailer declaration:

   Mlocal, P=/usr/bin/lmail, F=lsFDMPuhCE, S=10, R=20, A=lmail $u

The following sections define the syntax for each key letter used in a sendmail configuration file:

• ``R and S--rewriting rules''

• ``The left-hand side (LHS)''

• ``The right-hand side (RHS)''

• ``Semantics of rewriting rule sets''

• ``IPC mailers''

• ``D--define macro''

• ``C and F--define classes''

• ``M--define mailer''

• ``H--define header''

• ``O--set option''

• ``P--precedence definitions''

• ``V--configuration version level''

• ``K--key file declaration''

R and S--rewriting rules

The core of address parsing is the rewriting rules. These are an ordered list of pattern-replacement rules which are applied to each address. The sendmail command scans through the set of rewriting rules looking for a match on the left-hand side (lhs) of the rule. When a rule matches, the address is replaced by the right-hand side (rhs) of the rule.

There are several sets of rewriting rules. Some of the rewriting sets are used internally and must have specific semantics. Other rewriting sets do not have specifically assigned semantics, and may be referenced by the mailer definitions or by other rewriting sets.

The syntax of these two commands is:

Sn

Sets the current ruleset being collected to n. If you begin a ruleset more than once, it appends it to the old definition.

Rlhs rhs comments

The lhs is a pattern that is applied to the input. If it matches, the input is rewritten to the rhs. The comments are ignored. The fields must be separated by at least one tab character; there may be embedded spaces in the fields.

The left-hand side (LHS)

The left-hand side of rewriting rules contains a pattern. Normal words are simply matched directly. Metasyntax is introduced using a dollar sign. The metasymbols are:

 $*      match zero or more tokens
 $+      match one or more tokens
 $-      match exactly one token
 $=x     match any phrase in class x 
 $~x     match any word not in class x 

   $-:$+

   UCBARPA:eric

Additionally, the LHS can include $@ to match zero tokens. This is not bound to a $n on the RHS and is normally only used when it stands alone in order to match the null input.

The right-hand side (RHS)

When the left-hand side of a rewriting rule matches, the input is deleted and replaced by the right-hand side. Tokens are copied directly from the RHS, unless they begin with a dollar sign. Metasymbols are:

 $n           substitutes indefinite token n 
              from LHS
 $[name$]     canonicalizes name 
 $(map key $@arguments $:default $)
              generalized keyed mapping function
 $>n          calls ruleset n 
 $#mailer     resolves to mailer 
 $@host       specifies host 
 $:user       specifies user 

The $n syntax substitutes the corresponding value from a $+, $-, $*, $=, or $~ match on the LHS. It can be used anywhere.

A host name enclosed between $[ and $] is looked up using the gethostbyname(SLIB) routines and replaced by the canonical name. (This is actually completely equivalent to:

$(host hostname $)

In particular, a $: default can be used.) For example, $[[128.32.130.2]$] might become vango.CS.Berkeley.EDU, and $[csam$] might become lbl-csam.arpa. sendmail recognizes its numeric IP address without calling the name server and replaces it with its canonical name.

The $( ... $) syntax is a more general form of lookup; it uses a named map instead of an implicit map. If no lookup is found, the indicated default is inserted; if no default is specified and no lookup matches, the value is left unchanged. The arguments are passed to the map for possible use.

The $>n syntax causes the remainder of the line to be substituted as usual and then passed as the argument to ruleset n. The final value of ruleset n then becomes the substitution for this rule. The $> syntax expands everything after the ruleset name to the end of the replacement string and then passes that as the initial input to the ruleset. Recursive calls are allowed. For example:

   $>0 $>3 $1

The $# syntax should only be used in ruleset zero or a subroutine of ruleset zero. It causes evaluation of the ruleset to terminate immediately, and it signals to sendmail that the address has completely resolved. The complete syntax is:

$#mailer $@host $:user

This specifies the {mailer, host, user} triple necessary to direct the mailer. If the mailer is local, the host part can be omitted. (You may want to use it for special ``per user'' extensions. For example, at CMU you can send email to ``jgm+foo''; the part after the plus sign is not part of the user name, and is passed to the local mailer for local use.) The mailer must be a single word, but the host and the user can be multi-part. If the mailer is the built-in IPC mailer, the host may be a colon-separated list of hosts that are searched in order for the first working address (exactly like MX records). The user is later rewritten by the mailer-specific envelope rewriting set and assigned to the $u macro. As a special case, if mailer specified has the F=@ flag specified and the first character of the ``$:'' value is ``@'', the ``@'' is stripped off and a flag is set in the address descriptor that causes sendmail not to do ruleset 5 processing.

Normally, a rule that matches is retried, that is, the rule loops until it fails.

A RHS can also be preceded by a $@ or a $: to change this behavior. A $@ prefix causes the ruleset to return with the remainder of the RHS as the value. A $: prefix causes the rule to terminate immediately, but the ruleset to continue. This can avoid continued application of a rule. The prefix is stripped before continuing.

The $@ and $: prefixes can precede a $> specification. For example, the form:

   R$+      $: $>7 $1

Substitution occurs in the order described; that is, parameters from the LHS are substituted, hostnames are canonicalized, ``subroutines'' are called and, finally, $#, $@, and $: are processed.

Semantics of rewriting rule sets

There are six rewriting sets that have specific semantics. Five of these are related as depicted in the figure.

Figure 5-1 Rewriting set semantics

Ruleset three should turn the address into ``canonical form.'' This form should have the basic syntax:

   local-part@host-domain-spec

Ruleset zero is applied after ruleset three to addresses that are actually going to specify recipients. It must resolve to a {mailer, host, address} triple. The mailer must be defined in the mailer definitions from the configuration file. The host is defined into the $h macro for use in the argv expansion of the specified mailer.

Rulesets one and two are applied to all sender and recipient addresses, respectively. They are applied before any specification in the mailer definition. They must never resolve.

Ruleset four is applied to all addresses in the message. It is typically used to translate internal to external form.

In addition, ruleset 5 is applied to all local addresses (specifically, those that resolve to a mailer with the F=5 flag set) that do not have aliases. This allows a last minute hook for local names.

Ruleset hooks

A few extra rulesets are defined as ``hooks'' that can be defined to get special features. They are all named rulesets. The ``check_*'' forms all give accept/reject status; falling off the end or returning normally is an accept, and resolving to $#error is a reject. Many of these can also resolve to the special mailer name $#discard; this accepts the message as though it were successful but then discards it without delivery. Note that this mailer can not be chosen as a mailer in ruleset 0.

check_relay

The check_relay ruleset is called after a connection is accepted by the daemon. It is not called when sendmail is started using the -bs option. It is passed

   client.host.name $| client.host.address

check_mail

The check_mail ruleset is passed the user name parameter of the SMTP MAIL command. It can accept or reject the address.

check_rcpt

The check_rcpt ruleset is passed the user name parameter of the SMTP RCPT command. It can accept or reject the address.

check_compat

The check_compat ruleset is passed

   sender-address $| recipient-address

check_eoh

The check_eoh ruleset is passed

   number-of-headers $| size-of-headers

   Kstorage macro
   HMessage-Id: $>CheckMessageId
   

   SCheckMessageId
   # Record the presence of the header
   R$*			$: $(storage {MessageIdCheck} $@ OK $) $1
   R< $+ @ $+ >		$@ OK
   R$*			$#error $: 553 Header Error
   

   Scheck_eoh
   # Check the macro
   R$*			$: < $&{MessageIdCheck} >
   # Clear the macro for the next message
   R$*			$: $(storage {MessageIdCheck} $) $1
   # Has a Message-Id: header
   R< $+ >			$@ OK
   # Allow missing Message-Id: from local mail
   R$*			$: < $&{client_name} >
   R< >			$@ OK
   R< $=w >		$@ OK
   # Otherwise, reject the mail
   R$*			$#error $: 553 Header Error

check_etrn

The check_etrn ruleset is passed the parameter of the SMTP ETRN command. It can accept or reject the command.

check_expn

The check_expn ruleset is passed the user name parameter of the SMTP EXPN command. It can accept or reject the address.

check_vrfy

The check_vrfy ruleset is passed the user name parameter of the SMTP VRFY command. It can accept or reject the command.

trust_auth

The trust_auth ruleset is passed the AUTH= parameter of the SMTP MAIL command. It is used to determine whether this value should be trusted. In order to make this decision, the ruleset may make use of the various ${auth_*} macros. If the ruleset does resolve to the ``error'' mailer the AUTH= parameter is not trusted and hence not passed on to the next relay.

tls_client

The tls_client ruleset is called when sendmail acts as server, after a STARTTLS command has been issued, and from check_mail. The parameter is the value of ${verify} and STARTTLS or MAIL, respectively. If the ruleset does resolve to the ``error'' mailer, the appropriate error code is returned to the client.

tls_server

The tls_server ruleset is called when sendmail acts as client after a STARTTLS command (should) have been issued. The parameter is the value of ${verify}. If the ruleset does resolve to the ``error'' mailer, the connection is aborted (treated as non-deliverable with a permanent or temporary error).

IPC mailers

Some special processing occurs if the ruleset zero resolves to an IPC mailer (that is, a mailer that has ``[IPC]'' listed as the Path in the M configuration line). The host name passed after ``$@'' has MX expansion performed if not delivering via a named socket; this looks the name up in DNS to find alternate delivery sites.

The host name can also be provided as a dotted quad in square brackets; for example:

   [128.32.149.78]

The host name passed in after the ``$@'' may also be a colon-separated list of hosts. Each is separately MX expanded and the results are concatenated to make (essentially) one long MX list. The intent here is to create ``fake'' MX records that are not published in DNS for private internal networks.

As a final special case, the host name can be passed in as a text string in square brackets:

   [ucbvax.berkeley.edu]

D--define macro

Macros are named with a single character or with a word in {braces}. These can be selected from the entire ASCII set, but user-defined macros should be selected from the set of uppercase letters only. Lowercase letters and special symbols are used internally. Long names beginning with a lower case letter or a punctuation character are reserved for use by sendmail, so user-defined long macro names should begin with an upper case letter.

The syntax for macro definitions is:

Dxval

Here x is the name of the macro and val is the value it should have.

Macros are interpolated using the construct $x, where x is the name of the macro to be interpolated. This interpolation is done when the configuration file is read, except in M lines. The special construct $&x can be used in R lines to get deferred interpolation.

Conditionals can be specified using the syntax:

$?x

if

$|

else

$.

endif

This interpolates text1 if the macro $x is set, and text2 otherwise. The ``else'' ($|) clause can be omitted.

Lowercase macro names are reserved to have special semantics, used to pass information in or out of sendmail; some special characters are reserved to provide conditionals; and so on. Uppercase names (that is, $A through $Z) are specifically reserved for configuration file authors.

The following macros are defined and/or used internally by sendmail for interpolation into argv's for mailers or for other contexts. The ones marked + are information passed into sendmail, the ones marked ++ are information passed both in and out of sendmail, and the unmarked macros are passed out of sendmail but are not otherwise used internally.

$a

the origination date in RFC 822 format.

$b

the current date in RFC 822 format.

$c

the hop count.

$d

the current date in UNIX system (ctime) format.

$e+

(Obsolete; use SmtpGreetingMessage option instead.) the SMTP entry message. This is printed out when SMTP starts up. The first word must be the $j macro as specified by RFC 821. Defaults to ``$j Sendmail $v ready at $b''. Commonly redefined to include the configuration version number, for example, ``$j Sendmail $v/$Z ready at $b''.

$f

the sender (from) address.

$g

the sender address relative to the recipient. For example, if $f is ``foo'' , $g will be ``host!foo'', ``foo@host.domain'' , or whatever is appropriate for the receiving mailer.

$h

the recipient host. This is set in ruleset 0 from the $@ field of a parsed address.

$i

the queue id. (For example: ``HAA12345'').

$j++

the ``official'' domain name for this site.
This is fully qualified if the full qualification can be found. It must be redefined to be the fully qualified domain name if your system is not configured so that sendmail can find it automatically.

$k

the UUCP node name (from the uname system call).

$l+

(Obsolete; use UnixFromLine option instead.) the format of the UNIX mail ``From'' line. Unless you have changed the UNIX system mailbox format, you should not change the default, which is ``From $g $d''.

$m

the domain part of the gethostname return value. Under normal circumstances, $j is equivalent to ``$w.$m''.

$n+

the name of the daemon (for error messages). Defaults to ``MAILER-DAEMON''.

$o+

(Obsolete: use OperatorChars option instead.) the set of ``operators'' in addresses. This macro defines a list of characters which, during parsing, are considered tokens and are considered separators of tokens. For example, if ``@'' were in the $o macro, then the input a@b would be scanned as three tokens: ``a'', ``@'', and ``b''. Defaults to the characters ``.:@[]'', which is the minimum set necessary to do RFC 822 parsing; a richer set of operators is ``.:%@!/[]'', which adds support for UUCP, the %-hack, and X.400 addresses.

$p

sendmail's process id.

$q+

default format of sender address. The $q macro specifies how an address should appear in a message when it is defaulted. Defaults to ``<$g>''. It is commonly redefined to be

   $?x$x <$g>$|$g$.

or

   $g$?x ($x)$.

which correspond to the following two formats:

Eric Allman <eric@CS.Berkeley.EDU>
eric@CS.Berkeley.EDU (Eric Allman)

sendmail properly quotes names that have special characters if the first form is used.

$r

protocol used to receive the message.

$s

sender's host name.

$t

a numeric representation of the current time.

$u

the recipient user.

$v

the version number of sendmail.

$w++

the hostname of this site. The $w macro is set to the root name of this host (but see below for caveats).

$x

the full name of the sender.

$z

the home directory of the recipient.

$_

the validated sender address.

${auth_authen}

The client's authentication credentials as determined by authentication (only set if successful).

${auth_author}

The authorization identity, that is, the AUTH= parameter of the SMTP MAIL command if supplied.

${auth_type}

The mechanism used for authentication (only set if successful).

${auth_ssf}

The keylength (in bits) of the symmetric encryption algorithm used for the security layer of a SASL mechanism.

${bodytype}

The message body type (7BIT or 8BITMIME), as determined from the envelope.

${cert_issuer}

The DN (distinguished name) of the CA (certificate authority) that signed the presented certificate (the cert issuer).

${cert_subject}

The DN of the presented certificate (called the cert subject).

${cipher}

The cipher suite used for the connection, for example: EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC-SHA, DES-CBC-MD5, DES-CBC3-SHA.

${cipher_bits}

The keylength (in bits) of the symmetric encryption algorithm used for a TLS connection.

${client_addr}

The IP address of the SMTP client. Defined in the SMTP server only.

${client_name}

The host name of the SMTP client. This may be the client's bracketed IP address in the form [ nnn.nnn.nnn.nnn ] if the client's IP address is not resolvable, or if the resolved name doesn't match ${client_name}. Defined in the SMTP server only.

${client_port}

The port number of the SMTP client. Defined in the SMTP server only.

${client_resolve}

Holds the result of the resolve call for ${client_name}: OK, FAIL, FORGED, TEMP. Defined in the SMTP server only.

${currHeader}

Header value as quoted string (possibly truncated to MAXNAME).

${daemon_addr}

The IP address the daemon is listening on for connections. Unless DaemonPortOptions is set, this will be ``0.0.0.0''.

${daemon_family}

The network family if the daemon is accepting network connections. Possible values include: inet, iso, ns, x.25.

${daemon_flags}

The flags for the daemon as specified by the Modifier= part of DaemonPortOptions whereby the flags are separated from each other by spaces, and upper case flags are doubled. That is, Modifier=Ea will be represented as "EE a" in ${daemon_flags} , which is required for testing the flags in rulesets.

${daemon_info}

Some information about a daemon as a text string. For example, ``SMTP+queueing@00:30:00''.

${daemon_name}

The name of the daemon from DaemonPortOptions Name= suboption. If this suboption is not set, "Daemon#", where # is the daemon number, is used.

${daemon_port}

The port the daemon is accepting connection on. Unless DaemonPortOptions is set, this will most likely be ``25''.

${deliveryMode}

The current delivery mode sendmail is using. It is initially set to the value of the DeliveryMode option.

${envid}

The envelope id passed to sendmail as part of the envelope.

${hdrlen}

The length of the header value which is stored in ${currHeader} (before possible truncation). If this value is greater than or equal MAXNAME the header has been truncated.

${hdr_name}

The name of the header field for which the current header check ruleset has been called. This is useful for a default header check ruleset to get the name of the header.

${if_addr}

The IP address of the interface of an incoming connection unless it is in the loopback net.

${if_name}

The name of the interface of an incoming connection. This macro can be used for SmtpGreetingMessage and HReceived for virtual hosting. For example:

   O SmtpGreetingMessage=$?{if_name}${if_name}$|$j$. Sendmail $v/$Z; $b

${mail_addr}

The address part of the resolved triple of the address given for the SMTP MAIL command. Defined in the SMTP server only.

${mail_host}

The host from the resolved triple of the address given for the SMTP MAIL command. Defined in the SMTP server only.

${mail_mailer}

The mailer from the resolved triple of the address given for the SMTP MAIL command. Defined in the SMTP server only.

${ntries}

The number of delivery attempts.

${opMode}

The current operation mode (from the -b flag).

${queue_interval}

The queue run interval given by the -q flag. For example, -q30m would set ${queue_interval} ``00:30:00''.

${rcpt_addr}

The address part of the resolved triple of the address given for the SMTP RCPT command. Defined in the SMTP server only.

${rcpt_host}

The host from the resolved triple of the address given for the SMTP RCPT command. Defined in the SMTP server only.

${rcpt_mailer}

The mailer from the resolved triple of the address given for the "SMTP RCPT command. Defined in the SMTP server only.

${server_addr}

The address of the server of the current outgoing SMTP connection.

${server_name}

The name of the server of the current outgoing SMTP connection.

${tls_version}

The TLS/SSL version used for the connection, (example: TLSv1, SSLv3, SSLv2.)

${verify}

The result of the verification of the presented cert. Possible values are:

 OK         verification succeeded.
 NO         no cert presented.
 FAIL       cert presented but could not be
            verified, for example, the
            signing CA is missing.
 NONE       STARTTLS has not been performed.
 TEMP       temporary error occurred.
 PROTOCOL   some protocol error occurred.
 SOFTWARE   STARTTLS handshake failed.

The $f macro is the ID of the sender as originally determined; when you are mailing to a specific host, the $g macro is set to the address of the sender relative to the recipient. For example, if eric sends to bollard@matisse.CS.Berkeley.EDU from the machine vango.CS.Berkeley.EDU, the $f macro is ``eric'' and the $g macro is ``eric@vango.CS.Berkeley.EDU''.

The $x macro is set to the full name of the sender. This can be determined in several ways. It can be passed as a flag to sendmail. The second choice is the value of the ``Full-name:'' line in the header if it exists, and the third choice is the comment field of a ``From:'' line. If all of these fail, and if the message is being originated locally, the full name is looked up in the /etc/passwd file.

When sending, the $h, $u, and $z macros are set to the host, user, and home directories (if local) of the recipient. The first two are set from the $@ and $: parts of the rewriting rules, respectively.

The $p and $t macros create unique strings (for example, for the ``Message-Id:'' field). The $i macro is set to the queue ID on this host; if put into the timestamp line, it can be extremely useful for tracking messages. The $v macro is set to be the version number of sendmail; this is normally put in timestamps and has proved extremely useful for debugging.

The $c macro is set to the ``hop count,'' that is, the number of times this message has been processed. This can be determined by the -h flag on the command line or by counting the timestamps in the message.

The $r and $s macros are set to the protocol used to communicate with sendmail and the sending hostname.

The $_ macro is set to a validated sender host name. If the sender is running an RFC 1413 compliant IDENT server and the receiver has the IDENT protocol turned on, it will include the user name on that host.

The ${client_name}, ${client_addr}, and ${client_port} macros are set to the name, address, and port number of the SMTP client who is invoking sendmail as a server. These can be used in the check_* rulesets (using the $& deferred evaluation form).

C and F--define classes

Classes of phrases may be defined to match on the left-hand side of rewriting rules, where a ``phrase'' is a sequence of characters that do not contain space characters. For example, a class of all local names for this site might be created so that attempts to send to oneself can be eliminated. These can either be defined directly in the configuration file or read in from another file. Classes are named as a single letter or a word in {braces}. Class names beginning with lower case letters and special characters are reserved for system use. Classes defined in config files may be given names from the set of upper case letters for short names or beginning with an upper case letter for long names.

The syntax is:

Ccphrase1 phrase2...
Fcfile

The first form defines the class c to match any of the named words. It is permissible to split them among multiple lines, for example:

   CHmonet ucbmonet

   CHmonet
   CHucbmonet

   Fc -o /path/to/file

Elements of classes can be accessed in rules using $= or $~. The $~ (match entries not in class) only matches a single word; multi-word entries in the class are ignored in this context.

Some classes have internal meaning to sendmail:

$=e

contains the Content-Transfer-Encodings that can be 8→7 bit encoded. It is predefined to contain ``7bit'', ``8bit'', and ``binary''.

$=k

set to be the same as $k, that is, the UUCP node name.

$=m

set to the set of domains by which this host is known, initially just $m.

$=n

can be set to the set of MIME body types that can never be eight to seven bit encoded. It defaults to ``multipart/signed''. Message types ``message/*'' and ``multipart/*'' are never encoded directly. Multipart messages are always handled recursively. The handling of message/* messages are controlled by class $=s.

$=q

A set of Content-Types that will never be encoded as base64 (if they have to be encoded, they will be encoded as quoted-printable). It can have primary types (for example: ``text'') or full types (such as ``text/plain''). The class is initialized to have ``text/plain'' only.

$=s

contains the set of subtypes of message that can be treated recursively. By default it contains only ``rfc822''. Other ``message/*'' types cannot be 8→7 bit encoded. If a message containing eight bit data is sent to a seven bit host, and that message cannot be encoded into seven bits, it will be stripped to 7 bits.

$=t

set to the set of trusted users by the T configuration line. If you want to read trusted users from a file, use Ft/file/name.

$=w

set to be the set of all names this host is known by. This can be used to match local hostnames.

$={persistentMacros}

set to the macros would should be saved across queue runs. Care should be taken when adding macro names to this class.

sendmail can be compiled to allow a scanf(S) string on the F line. This lets you do simplistic parsing of text files. For example, to read all the user names in your system /etc/passwd file into a class, use

   FL/etc/passwd %[^:]

which reads every line up to the first colon.

M--define mailer

Programs and interfaces to mailers are defined in this line. The format is:

Mname, {field=value}*

Here name is the name of the mailer (used internally only) and the ``field=name'' pairs define attributes of the mailer. Fields are:

 Path          The pathname of the mailer
 Flags         Special flags for this mailer
 Sender        Rewriting set(s) for sender addresses
 Recipient     Rewriting set(s) for recipient addresses
 Argv          An argument vector to pass to this mailer
 Eol           The end-of-line string for this mailer
 Maxsize       The maximum message length to this mailer
 maxmessages   The maximum message deliveries per connection
 Linelimit     The maximum line length in the message body
 Directory     The working directory for the mailer
 Userid        The default user and group id to run as
 Nice          The nice increment for the mailer
 Charset       The default character set for 8-bit characters
 Type          Type information for DSN diagnostics
 Wait          The maximum time to wait for the mailer
 /             The root directory for the mailer

The following flags may be set in the mailer description. Any other flags may be used freely to conditionally assign headers to messages destined for particular mailers.

A

Look up the user part of the address in the alias database. Normally this is only set for local mailers.

a

run Extended SMTP (ESMTP) protocol (defined in RFCs 1425, 1426, and 1427).

b

force a blank line on the end of a message. This is intended to work around some versions of /bin/mail that require a blank line, but do not provide it themselves. It would not normally be used on network mail.

c

do not include comments in addresses. This should only be used if you have to work around a remote mailer that gets confused by comments.

C

If mail is received from a mailer with this flag set, any addresses in the header that do not have an at sign (``@'') after being rewritten by ruleset three have the @domain clause from the sender tacked on. This allows mail with headers of the following form to be rewritten automatically; for example:

   From: usera@hosta
   To: userb@hostb, userc

becomes:

   From: usera@hosta
   To: userb@hostb, userc@hosta

d

Do not include angle brackets around route-address syntax addresses. This is useful on mailers that are going to pass addresses to a shell that might interpret angle brackets as I/O redirection. However, it does not protect against other shell metacharacters. Therefore, passing addresses to a shell should not be considered secure.

D

This mailer wants a ``Date:'' header line.

e

This mailer is expensive to connect to, so try to avoid connecting normally. Any necessary connection occurs during a queue run.

E

escape lines beginning with ``From'' in the message with a ``>'' sign.

f

The mailer wants a -f from flag, but only if this is a network forward operation (that is, the mailer gives an error if the executing user does not have special permissions).

F

This mailer wants a ``From:'' header line.

g

Normally, sendmail sends internally generated email (for example, error messages) using the null return address as required by RFC 1123. (Actually, this only applies to SMTP, which uses the ``MAIL FROM:<>'' command.) However, some mailers do not accept a null return address. If necessary, you can set the g flag to prevent sendmail from obeying the standards; error messages will be sent as from the MAILER-DAEMON (actually, the value of the $n macro).

h

Uppercase should be preserved in host names for this mailer.

i

Do User Database rewriting on envelope sender address.

I

This mailer is speaking SMTP to another sendmail. As such, it can use special protocol features. This option is not required (that is, if this option is omitted, the transmission still operates successfully, although perhaps not as efficiently as possible).

j

Do User Database rewriting on recipients as well as senders.

k

Normally when sendmail connects to a host via SMTP, it checks to make sure that this isn't accidentally the same host name as might happen if sendmail is misconfigured or if a long-haul network interface is set in loopback mode. This flag disables the loopback check. It should only be used under very unusual circumstances.

l

This mailer is local (that is, final delivery is performed).

L

Limit the line lengths as specified in RFC 821. This deprecated option should be replaced by the ``L='' mail declaration. For historic reasons, the L flag also sets the 7 flag.

m

This mailer can send to multiple users on the same host in one transaction. When a $u macro occurs in the argv part of the mailer definition, that field is repeated as necessary for all qualifying users. Removing this flag can defeat duplicate suppression on a remote site as each recipient is sent in a separate transaction.

M

This mailer wants a ``Message-Id:'' header line.

n

Do not insert a UNIX system style ``From:'' line on the front of the message.

o

Always run as the owner of the recipient mailbox. Normally sendmail runs as the sender for locally generated mail or as ``daemon'' (actually, the user specified in the u option) when delivering network mail. The normal behavior is required by most local mailers, which will not allow the envelope sender address to be set unless the mailer is running as daemon. This flag is ignored if the S flag is set.

p

Use the route-addr style reverse-path in the SMTP ``MAIL FROM:'' command, rather than just the return address. Although this is required in RFC 821 section 3.1, many hosts do not process reverse-paths properly. Reverse-paths are officially discouraged by RFC 1123.

P

This mailer requires a ``Return-Path:'' line.

q

When an address that resolves to this mailer is verified (SMTP VRFY command), generate 250 responses instead of 252 responses. This will imply that the address is local.

r

This is the same as f, but sends a -r flag.

R

Open SMTP connections from a "secure" port. Secure ports aren't (secure, that is) except on UNIX machines, so it is unclear that this adds anything.

s

Strip quote characters off the address before calling the mailer.

S

Do not reset the user ID before calling the mailer. This would be used in a secure environment where sendmail ran as root. This could be used to avoid forged addresses. If the U= field is also specified, this flag causes the effective user id to be set to that user.

u

Uppercase should be preserved in user names for this mailer. Standards require preservation of case in the local part of addresses, except for those addresses for which your system accepts responsibility.

U

This mailer wants UNIX system style ``From'' lines with the UUCP-style ``remote from <host>'' on the end.

w

The user must have a valid account on this machine, that is, getpwnam must succeed. If not, the mail is bounced. This is required to get ``.forward'' capability.

x

This mailer wants a ``Full-Name:'' header line.

X

This mailer wants to use the hidden dot algorithm as specified in RFC 821. Basically, any line beginning with a dot has an extra dot prepended (to be stripped at the other end). This ensures that lines in the message containing a dot do not terminate the message prematurely.

z

Run Local Mail Transfer Protocol (LMTP) between sendmail and the local mailer. This is a variant on SMTP defined in RFC 2033 that is specifically designed for delivery to a local mailbox.

0

Don't look up MX records for hosts sent via SMTP.

3

Extend the list of characters converted to =XX notation when converting to Quoted-Printable to include those that don't map cleanly between ASCII and EBCDIC. Useful if you have IBM mainframes on site.

5

If no aliases are found for this address, pass the address through ruleset 5 for possible alternate resolution. This is intended to forward the mail to an alternate delivery spot.

6

Strip headers to seven bits.

7

Strip all output to seven bits. This is the default if the L flag is set. Note that clearing this option is not sufficient to get full eight bit data passed through sendmail. If the 7 option is set, this is essentially always set, since the eighth bit was stripped on input. Note that this option will only impact messages that didn't have 8→7 bit MIME conversions performed.

8

If set, it is acceptable to send eight bit data to this mailer; the usual attempt to do 8→7 bit MIME conversions will be bypassed.

9

If set, do limited 7→8 bit MIME conversions. These conversions are limited to text/plain data.

:

Check addresses to see if they begin ``:include:''; if they do, convert them to the ``*include*'' mailer.

|

Check addresses to see if they begin with a `|'; if they do, convert them to the ``prog'' mailer.

/

Check addresses to see if they begin with a `/'; if they do, convert them to the ``*file*'' mailer.

@

Look up addresses in the user database.

%

Do not attempt delivery on initial recipient of a message or on queue runs unless the queued message is selected using one of the -qI/-qR/-qS queue run modifiers or an ETRN request.

Configuration files prior to level 6 assume the `A', `w', `5', `:', `|', `/', and `@' options on the mailer named ``local .''

The mailer with the special name ``error'' can be used to generate a user error. The (optional) host field is an exit status to be returned, and the user field is a message to be printed. The exit status may be numeric or one of the values USAGE, NOUSER, NOHOST, UNAVAILABLE, SOFTWARE, TEMPFAIL, PROTOCOL, or CONFIG to return the corresponding EX_ exit code, or an enhanced error code as described in RFC 1893 (Enhanced Mail System Status Codes). For example, the entry:

   $#error $@ NOHOST $: Host unknown in this domain

The mailer with the special name discard causes any mail sent to it to be discarded but otherwise treated as though it were successfully delivered. This mailer can not be used in ruleset 0, only in the various address checking rulesets.

The mailer named ``local'' must be defined in every configuration file. This is used to deliver local mail, and is treated specially in several ways. Additionally, three other mailers named ``prog'', ``*file*'', and ``*include*'' may be defined to tune the delivery of messages to programs, files, and :include: lists respectively. They default to:

   Mprog, P=/bin/sh, F=lsoDq9, T=DNS/RFC822/X-Unix, A=sh -c $u
   M*file*, P=[FILE], F=lsDFMPEouq9, T=DNS/RFC822/X-Unix, A=FILE $u
   M*include*, P=/dev/null, F=su, A=INCLUDE $u

The Sender and Recipient rewriting sets may either be a simple ruleset id or may be two ids separated by a slash; if so, the first rewriting set is applied to envelope addresses and the second is applied to headers.

The Directory is actually a colon-separated path of directories to try. For example, the definition ``D=$z:/'' first tries to execute in the recipient's home directory; if that is not available, it tries to execute in the root of the filesystem. This is intended to be used only on the ``prog'' mailer, because some shells (such as csh) refuse to execute if they cannot read the home directory. Because the queue directory is not normally readable by normal users csh scripts as recipients can fail.

The Userid specifies the default user and group id to run as, overriding the DefaultUser option (q.v.). If the S mailer flag is also specified, this user and group will be set as the effective uid and gid for the process. This may be given as user:group to set both the user and group id; either may be an integer or a symbolic name to be looked up in the passwd and group files respectively. If only a symbolic user name is specified, the group id in the passwd file for that user is used as the group id.

The Charset field is used when converting a message to MIME; this is the character set used in the Content-Type: header. If this is not set, the DefaultCharset option is used, and if that is not set, the value ``unknown-8bit'' is used.

The Type= field sets the type information used in MIME error messages as defined by RFC 1894. It is actually three values separated by slashes: the MTA-type (that is, the description of how hosts are named), the address type (the description of e-mail addresses), and the diagnostic type (the description of error diagnostic codes). Each of these must be a registered value or begin with ``X-.'' The default is ``dns/rfc822/smtp''.

The m= field specifies the maximum number of messages to attempt to deliver on a single SMTP or LMTP connection.

The /= field specifies a new root directory for the mailer. The path is macro expanded and then passed to the ``chroot'' system call. The root directory is changed before the Directory field is consulted or the uid is changed.

The Wait= field specifies the maximum time to wait for the mailer to return after sending all data to it. This applies to mailers that have been forked by sendmail.

H--define header

The format of the header lines that sendmail inserts into the message are defined by the H line. The syntax of this line is one of the following:

Hhname: htemplate
H[?mflags?]hname: htemplate
H[?${macro}]hname: htemplate

Continuation lines in this spec are reflected directly into the outgoing message. The htemplate is macro-expanded before insertion into the message. If the mflags (surrounded by question marks) are specified, at least one of the specified flags must be stated in the mailer definition for this header to be automatically output. If a ${macro} (surrounded by question marks) is specified, the header will be automatically output if the macro is set. The macro may be set using any of the normal methods, including using the macro storage map in a ruleset. If one of these headers is in the input it is reflected to the output regardless of these flags or macros.

Some headers have special semantics that will be described later.

A secondary syntax allows validation of headers as they are being read. To enable validation, use:

HHeader:$>Ruleset
HHeader:$>+Ruleset

The indicated Ruleset is called for the specified Header, and can return $#error to reject the message or $#discard to discard the message (as with the other check_ * rulesets). The header is treated as a structured field, that is, comments (in parentheses) are deleted before processing, unless the second form $>+ is used.

For example, the configuration lines:

   HMessage-Id: $>CheckMessageId
   

   SCheckMessageId
   R< $+ @ $+  >	$@ OK
   R$*		$#error $: Illegal Message-Id header

   Message-Id: <>
   Message-Id: some text
   Message-Id: <legal text@domain> extra crud

or

H*:$>+Ruleset

O--set option

There are a number of global options that can be set from a configuration file. Options are represented by full words; some are also representable as single characters for backwards compatibility. The syntax of this line is:

O option=value

This sets option option to be value. Note that there must be a space between the letter `O' and the name of the option. An older version is:

Oovalue

where the option o is a single character. Depending on the option, value may be a string, an integer, a boolean (with legal values ``t,'' ``T,'' ``f,'' or ``F''; the default is TRUE), or a time interval.

The options supported (with the old, one character names in brackets) are:

AliasFile=spec, spec, ...

[A] Specify possible alias file(s). Each spec should be in the format ``class:file'' where class: is optional and defaults to ``implicit''. Depending on how sendmail is compiled, valid classes are ``implicit'' (search through a compiled-in list of alias file types, for back compatibility), ``hash'' (if NEWDB is specified), ``dbm'' (if NDBM is specified), ``stab'' (internal symbol table - not normally used unless you have no other database lookup), or ``nis'' (if NIS is specified). If a list of spec s are provided, sendmail searches them in order.

AliasWait=timeout

[a] If set, wait up to timeout (units default to minutes) for an ``@:@'' entry to exist in the alias database before starting up. If it does not appear in the timeout interval rebuild the database (if the AutoRebuildAliases option is also set) or issue a warning.

AllowBogusHELO

[no short name] If set, allow HELO SMTP commands that don't include a host name. Setting this violates RFC 1123 section 5.2.5, but is necessary to interoperate with several SMTP clients. If there is a value, it is still checked for legitimacy.

AuthMechanisms

[no short name] List of authentication mechanisms for AUTH (separated by spaces). The advertised list of authentication mechanisms will be the intersection of this list and the list of available mechanisms as determined by the Cyrus SASL library.

AuthOptions

[no short name] When to use the AUTH= parameter for the MAIL FROM command;

A Only when authentication succeeded.

The default is to try whenever SMTP AUTH is available.

AutoRebuildAliases

[D] If set, rebuild the alias database if necessary and possible. The rebuild will happen the next time an alias is looked up. If this option is not set, sendmail will never rebuild the alias database unless explicitly requested using -bi.

---

NOTE: There is a potential for a denial of service attack if this is set. This option is deprecated and will be removed from a future version.

---

BlankSub=c

[B] Set the blank substitution character to c. Unquoted spaces in addresses are replaced by this character. Defaults to space (that is, no change is made).

CACERTPath

[no short name] Path to directory with certificates of CAs.

CACERTFile

[no short name] File containing one CA certificate.

CheckAliases

[n] Validate the RHS of aliases when rebuilding the alias database.

CheckpointInterval=N

[C] Checkpoints the queue every N (default 10) addresses sent. If your system crashes during delivery to a large list, this prevents retransmission to any but the last N recipients.

ClassFactor=fact

[z] The indicated factor is multiplied by the message class (determined by the Precedence: field in the user header and the P lines in the configuration file) and subtracted from the priority. Thus, messages with a higher Priority: will be favored. Defaults to 1800.

ClientCertFile

[no short name] File containing the certificate of the client, that is, this certificate is used when sendmail acts as client.

ClientPortOptions=options

[O] Set client SMTP options. The options are key=value pairs separated by commas. Known keys are:

 Port         Name/number of source port for connection (defaults to any free port)
 Addr         Address mask (defaults INADDR_ANY)
 Family       Address family (defaults to INET)
 SndBufSize   Size of TCP send buffer
 RcvBufSize   Size of TCP receive buffer
 Modifier     Options (flags) for the daemon

The Address mask may be a numeric address in dot notation or a network name. Modifier can be the following character:

h use name of interface for HELO command

If ``h'' is set, the name corresponding to the outgoing interface address (whether chosen via the Connection parameter or the default) is used for the HELO/EHLO command.

ClientKeyFile

[no short name] File containing the private key belonging to the client certificate.

ColonOkInAddr

[no short name] If set, colons are acceptable in e-mail addresses (for example, ``host:user ).'' If not set, colons indicate the beginning of a RFC 822 group construct ``"groupname: member1, member2, ... memberN;" ).'' Doubled colons are always acceptable ``nodename::user )'' and proper route-addr nesting is understood ``<@relay:user@host> ).'' Furthermore, this option defaults on if the configuration version level is less than 6 (for back compatibility). However, it must be off for full compatibility with RFC 822.

ConnectionCacheSize=N

[k] The maximum number of open connections that will be cached at a time. The default is one. This delays closing the current connection until either this invocation of sendmail needs to connect to another host or it terminates. Setting it to zero defaults to the old behavior, that is, connections are closed immediately. Since this consumes file descriptors, the connection cache should be kept small: 4 is probably a practical maximum.

ConnectionCacheTimeout=timeout

[K] The maximum amount of time a cached connection will be permitted to idle without activity. If this time is exceeded, the connection is immediately closed. This value should be small (on the order of ten minutes). Before sendmail uses a cached connection, it always sends a RSET command to check the connection; if this fails, it reopens the connection. This keeps your end from failing if the other end times out. The point of this option is to be a good network neighbor and avoid using up excessive resources on the other end. The default is five minutes.

ConnectOnlyTo=address

[no short name] This can be used to override the connection address (for testing purposes).

ConnectionRateThrottle=N

[no short name] If set to a positive value, allow no more than N incoming daemon connections in a one second period. This is intended to flatten out peaks and allow the load average checking to cut in. Defaults to zero (no limits).

ControlSocketName=name

[no short name] Name of the control socket for daemon management. A running sendmail daemon can be controlled through this named socket. Available commands are: help, restart, shutdown, and status. The status command returns the current number of daemon children, the maximum number of daemon children, the free disk space (in blocks) of the queue directory, and the load average of the machine expressed as an integer. If not set, no control socket will be available.

DHParameters

File with DH parameters for STARTTLS. This is only required if DSA/DH is used.

DaemonPortOptions=options

[O] Set server SMTP options. Each instance of DaemonPortOptions leads to an additional incoming socket. The options are key=value pairs. Known keys are:

 Name         User-definable name for the daemon (defaults to "Daemon#")
 Port         Name/number of listening port (defaults to "smtp")
 Addr         Address mask (defaults INADDR_ANY)
 Family       Address family (defaults to INET)
 Listen       Size of listen queue (defaults to 10)
 Modifier     Options (flags) for the daemon
 SndBufSize   Size of TCP send buffer
 RcvBufSize   Size of TCP receive buffer

The Name field is used for error messages and logging. The Addr ess mask may be a numeric address in dot notation or a network name. The Family key defaults to INET (IPv4). Modifier can be a sequence (without any delimiters) of the following characters:

 a   always require authentication
 b   bind to interface through which mail has been received
 c   perform hostname canonification (.cf)
 f   require fully qualified hostname (.cf)
 u   allow unqualified addresses (.cf)
 C   don't perform hostname canonification
 E   disallow ETRN (see RFC 2476)

That is, one way to specify a message submission agent (MSA) that always requires authentication is:

O DaemonPortOptions=Name=MSA, Port=587, M=Ea

The modifiers that are marked with "(.cf)" have only effect in the standard configuration file, in which they are available via ${daemon_flags}. The flags ``c'' and ``C'' can change the default for hostname canonification in the sendmail.cf file. The modifier ``f'' disallows addresses of the form user@host unless they are submitted directly. The flag ``u'' allows unqualified sender addresses. ``b'' forces sendmail to bind to the interface through which the e-mail has been received for the outgoing connection.

---

WARNING: Use ``b'' only if outgoing mail can be routed through the incoming connection's interface to its destination. No attempt is made to catch problems due to a misconfiguration of this parameter, use it only for virtual hosting where each virtual interface can connect to every possible location. This will also override possible settings via ClientPortOptions. sendmail will listen on a new socket for each occurrence of the DaemonPortOptions option in a configuration file.

---

DefaultAuthInfo

[no short name] Filename that contains default authentication information for outgoing connections. This file must contain the user id, the authorization id, the password (plain text), and the realm to use on separate lines and must be readable by root (or the trusted user) only. If no realm is specified, $j is used.

DefaultCharSet=charset

[no short name] When a message that has 8-bit characters but is not in MIME format is converted to MIME (see the EightBitMode option) a character set must be included in the Content-Type: header. This character set is normally set from the Charset= field of the mailer descriptor. If that is not set, the value of this option is used. If this option is not set, the value ``unknown-8bit'' is used.

DataFileBufferSize=threshold

[no short name] Set the threshold,, in bytes, before a memory-based queue data file becomes disk-based. The default is 4096 bytes.

DeadLetterDrop=file

[no short name] Defines the location of the system-wide dead.letter file, formerly hardcoded to /usr/tmp/dead.letter. If this option is not set (the default), sendmail will not attempt to save to a system-wide dead.letter file in the event it cannot bounce the mail to the user or postmaster. Instead, it will rename the qf file as it has in the past when the dead.letter file could not be opened.

DefaultUser=user:group

[u] Set the default userid for mailers to user:group.. If group is omitted and user is a user name (as opposed to a numeric user id) the default group listed in the /etc/passwd file for that user is used as the default group. Both user and group can be numeric. Mailers without the S flag in the mailer definition will run as this user. Defaults to 1:1. The value can also be given as a symbolic user name. (The old g option has been combined into the DefaultUser option).

DeliveryMode=x

[d] Deliver in mode x.. Legal modes are:

 i   Deliver interactively (synchronously)
 b   Deliver in background (asynchronously)
 q   Just queue the message (deliver during queue run)
 d   Defer delivery and all map lookups (deliver during queue run)

Defaults to ``b'' if no option is specified, ``i'' if it is specified but given no argument (that is, ``Od'' is equivalent to ``Odi''). The -v command line flag sets this to i..

DialDelay=sleeptime

[no short name] Dial-on-demand network connections can see timeouts if a connection is opened before the call is set up. If this is set to an interval and a connection times out on the first connection being attempted sendmail will sleep for this amount of time and try again. This should give your system time to establish the connection to your service provider. Units default to seconds, so ``DialDelay=5'' uses a five second delay. Defaults to zero (no retry).

DontBlameSendmail=option,option,...

[no short name] In order to avoid possible cracking attempts caused by world- and group-writable files and directories, sendmail does paranoid checking when opening most of its support files. If for some reason you absolutely must run with, for example, a group-writable /etc directory, then you will have to turn off this checking (at the cost of making your system more vulnerable to attack). The arguments are individual options that turn off checking:

Safe
AssumeSafeChown
ClassFileInUnsafeDirPath
DontWarnForwardFileInUnsafeDirPath
ErrorHeaderInUnsafeDirPath
FileDeliveryToHardLink
FileDeliveryToSymLink
ForwardFileInUnsafeDirPath
ForwardFileInUnsafeDirPathSafe
ForwardFileIngroupWritableDirPath
GroupWritableAliasFile
GroupWritableDirPathSafe
GroupWritableForwardFileSafe
GroupWritableIncludeFileSafe
HelpFileinUnsafeDirPath
IncludeFileInUnsafeDirPath
IncludeFileInUnsafeDirPathSafe
IncludeFileIngroupWritableDirPath
InsufficientEntropy
LinkedAliasFileInWritableDir
LinkedClassFileInWritableDir
LinkedForwardFileInWritableDir
LinkedIncludeFileInWritableDir
LinkedMapInWritableDir
LinkedServiceSwitchFileInWritableDir
MapInUnsafeDirPath
NonRootSafeAddr
RunProgramInUnsafeDirPath
RunWritableProgram
TrustStickyBit
WorldWritableAliasFile
WriteMapToHardLink
WriteMapToSymLink
WriteStatsToHardLink
WriteStatsToSymLink

Safe is the default. The details of these flags are described above. Use of this option is not recommended.

DontExpandCnames

[no short name] The standards say that all host addresses used in a mail message must be fully canonical. For example, if your host is named ``Cruft.Foo.ORG'' and also has an alias of ``FTP.Foo.ORG'', the former name must be used at all times. This is enforced during host name canonification ($[ ... $] lookups). If this option is set, the protocols are ignored and the ``wrong'' thing is done. However, the IETF is moving toward changing this standard, so the behavior may become acceptable. Please note that hosts downstream may still rewrite the address to be the true canonical name however.

DontInitGroups

[no short name] If set, sendmail will avoid using the initgroups call. If you are running NIS, this causes a sequential scan of the groups.byname map, which can cause your NIS server to be badly overloaded in a large domain. The cost of this is that the only group found for users will be their primary group (the one in the password file), which will make file access permissions somewhat more restrictive. Has no effect on systems that don't have group lists.

DontProbeInterfaces

[no short name] sendmail normally finds the names of all interfaces active on your machine when it starts up and adds their name to the $=w class of known host aliases. If you have a large number of virtual interfaces or if your DNS inverse lookups are slow this can be time consuming. This option turns off that probing. However, you will need to be certain to include all variant names in the $=w class by some other mechanism.

DontPruneRoutes

[R] Normally, sendmail tries to eliminate any unnecessary explicit routes when sending an error message (as discussed in RFC 1123 § 5.2.6). For example, when sending an error message to

   <@known1,@known2,@known3:user@unknown>

sendmail will strip off the ``@known1,@known2'' in order to make the route as direct as possible. However, if the R option is set, this will be disabled, and the mail will be sent to the first address in the route, even if later addresses are known. This may be useful if you are caught behind a firewall.

DoubleBounceAddress=error-address

[no short name] If an error occurs when sending an error message, send the error report (termed a ``double bounce'' because it is an error bounce that occurs when trying to send another error bounce ) to the indicated address. The address is macro expanded at the time of delivery. If not set, defaults to ``postmaster''.

EightBitMode=action

[8] Set handling of eight-bit data. There are two kinds of eight-bit data: that declared as such using the BODY=8BITMIME ESMTP declaration or the -B8BITMIME command line flag, and undeclared 8-bit data, that is, input that just happens to be eight bits. There are three basic operations that can happen: undeclared 8-bit data can be automatically converted to 8BITMIME, undeclared 8-bit data can be passed as-is without conversion to MIME (``just send 8''), and declared 8-bit data can be converted to 7-bits for transmission to a non-8BITMIME mailer. The possible actions are:

     s	Reject undeclared 8-bit data (``strict'')
     m	Convert undeclared 8-bit data to MIME (``mime'')
     p	Pass undeclared 8-bit data (``pass'')

In all cases properly declared 8BITMIME data will be converted to 7BIT as needed.

ErrorHeader=file-or-message

[E] Prepend error messages with the indicated message. If it begins with a slash, it is assumed to be the pathname of a file containing a message (this is the recommended setting). Otherwise, it is a literal message. The error file might contain the name, email address, and/or phone number of a local postmaster who could provide assistance to end users. If the option is missing or null, or if it names a file which does not exist or which is not readable, no message is printed.

ErrorMode=x

[e] Dispose of errors using mode x. The values for x are:

 p   Print error messages (default)
 q   No messages, just give exit status
 m   Mail back errors
 w   Write back errors (mail if user not logged in)
 e   Mail back errors and give zero exit stat always

FallbackMXhost=fallbackhost

[V] If specified, the fallbackhost acts like a very low priority MX on every host. This is intended to be used by sites with poor network connectivity. Messages which are undeliverable due to temporary address failures (for example, DNS failure) also go to the FallBackMX host.

ForkEachJob

[Y] If set, deliver each job that is run from the queue in a separate process. Use this option if you are short of memory, since the default tends to consume considerable amounts of memory while the queue is being processed.

ForwardPath=path

[J] Set the path for searching for users' .forward files. The default is ``$z/.forward''. Some sites that use the automounter may prefer to change this to ``/var/forward/$u'' to search a file with the same name as the user in a system directory. It can also be set to a sequence of paths separated by colons; sendmail stops at the first file it can successfully and safely open. For example, ``/var/forward/$u:$z/.forward'' will search first in /var/forward/username and then in ~username.forward (but only if the first file does not exist).

HelpFile=file

[H] Specify the help file for SMTP. If no file name is specified, "helpfile" is used.

HoldExpensive

[c] If an outgoing mailer is marked as being expensive, don't connect immediately. This requires that queueing be compiled in, since it will depend on a queue run process to actually send the mail.

HostsFile=path

[no short name] The path to the hosts database, normally ``/etc/hosts .'' This option is only consulted when sendmail is canonifying addresses, and then only when ``files'' is in the ``hosts'' service switch entry. In particular, this file is never used when looking up host addresses; that is under the control of the system gethostbyname(SLIB) routine.

HostStatusDirectory=path

[no short name] The location of the long term host status information. When set, information about the status of hosts (for example, host down or not accepting connections) will be shared between all sendmail processes; normally, this information is only held within a single queue run. This option requires a connection cache of at least 1 to function. If the option begins with a leading `/', it is an absolute pathname; otherwise, it is relative to the mail queue directory. A suggested value for sites desiring persistent host status is ``.hoststat'' (that is, a subdirectory of the queue directory).

IgnoreDots

[i] Ignore dots in incoming messages. This is always disabled (that is, dots are always accepted) when reading SMTP mail.

LDAPDefaultSpec=spec

[no short name] Sets a default map specification for LDAP maps. The value should only contain LDAP specific settings such as ``"-h host -p port -d bindDN" .'' The settings will be used for all LDAP maps unless the individual map specification overrides a setting. This option should be set before any LDAP maps are defined.

LogLevel=n

[L] Set the log level to n . Defaults to 9.

Mxvalue

[no long version] Set the macro x to value . This is intended only for use from the command line. The -M flag is preferred.

MatchGECOS

[G] Allow fuzzy matching on the GECOS field. If this flag is set, and the usual user name lookups fail (that is, there is no alias with this name and a getpwnam fails), sequentially search the password file for a matching entry in the GECOS field. This also requires that MATCHGECOS be turned on during compilation. This option is not recommended.

MaxAliasRecursion=N

[no short name] The maximum depth of alias recursion (default: 10).

MaxDaemonChildren=N

[no short name] If set, sendmail will refuse connections when it has more than N children processing incoming mail or automatic queue runs. This does not limit the number of outgoing connections. If not set, there is no limit to the number of children -- that is, the system load averaging controls this.

MaxHeadersLength=N

[no short name] The maximum length of the sum of all headers. This can be used to prevent a denial of service attack. The default is no limit.

MaxHopCount=N

[h] The maximum hop count. Messages that have been processed more than N times are assumed to be in a loop and are rejected. Defaults to 25.

MaxMessageSize=N

[no short name] Specify the maximum message size to be advertised in the ESMTP EHLO response. Messages larger than this will be rejected.

MaxMimeHeaderLength=N[/M]

[no short name] Sets the maximum length of certain MIME header field values to N characters. For some of these headers which take parameters, the maximum length of each parameter is set to M if specified. If /M is not specified, one half of N will be used. By default, these values are 0, meaning no checks are done.

MaxQueueRunSize=N

[no short name] The maximum number of jobs that will be processed in a single queue run. If not set, there is no limit on the size. If you have very large queues or a very short queue run interval this could be unstable. However, since the first N jobs in queue directory order are run (rather than the N highest priority jobs) this should be set as high as possible to avoid ``losing'' jobs that happen to fall late in the queue directory.

MaxRecipientsPerMessage=N

[no short name] The maximum number of recipients that will be accepted per message in an SMTP transaction. Note: setting this too low can interfere with sending mail from MUAs that use SMTP for initial submission. If not set, there is no limit on the number of recipients per envelope.

MeToo

[m] Send to me too, even if I am in an alias expansion. This option is deprecated and will be removed from a future version.

MinFreeBlocks=N

[b] Insist on at least N blocks free on the filesystem that holds the queue files before accepting email via SMTP. If there is insufficient space sendmail gives a 452 response to the MAIL command. This invites the sender to try again later.

MinQueueAge=age

[no short name] Don't process any queued jobs that have been in the queue less than the indicated time interval. This is intended to allow you to get responsiveness by processing the queue fairly frequently without thrashing your system by trying jobs too often. The default units are minutes.

MustQuoteChars=s

[no short name] Sets the list of characters that must be quoted if used in a full name that is in the phrase part of a ``phrase <address>'' syntax. The default is ``´.''. The characters ``@,;:\()[]'' are always added to this list.

NoRecipientAction

[no short name] The action to take when you receive a message that has no valid recipient headers (To:, Cc:, Bcc:, or Apparently-To: -- the last included for back compatibility with old sendmail. It can be None to pass the message on unmodified, which violates the protocol, Add-To to add a To: header with any recipients it can find in the envelope (which might expose Bcc: recipients), Add-Apparently-To to add an Apparently-To: header (this is only for back-compatibility and is officially deprecated), Add-To-Undisclosed to add a header ``"To: undisclosed-recipients:;"'' to make the header legal without disclosing anything, or Add-Bcc to add an empty Bcc: header.

OldStyleHeaders

[o] Assume that the headers may be in old format, that is, spaces delimit names. This actually turns on an adaptive algorithm: if any recipient address contains a comma, parenthesis, or angle bracket, it will be assumed that commas already exist. If this flag is not on, only commas delimit names. Headers are always output with commas between the names. Defaults to off.

OperatorChars=charlist

[$o macro] The list of characters that are considered to be ``operators ,'' that is, characters that delimit tokens. All operator characters are tokens by themselves; sequences of non-operator characters are also tokens. White space characters separate tokens but are not tokens themselves -- for example, ``AAA.BBB'' has three tokens, but ``"AAA BBB"'' has two. If not set, OperatorChars defaults to ``.:@[] ;'' additionally, the characters ``()<>,;'' are always operators. Note that OperatorChars must be set in the configuration file before any rulesets.

PidFile=filename

[no short name] Filename of the pid file. (default is _PATH_SENDMAILPID). The filename is macro-expanded before it is opened.

PostmasterCopy=postmaster

[P] If set, copies of error messages will be sent to the named postmaster . Only the header of the failed message is sent. Errors resulting from messages with a negative precedence will not be sent. Since most errors are user problems, this is probably not a good idea on large sites, and arguably contains all sorts of privacy violations, but it seems to be popular with certain operating systems vendors. The address is macro expanded at the time of delivery. Defaults to no postmaster copies.

PrivacyOptions=opt,opt,...

[p] Set the privacy options. ``Privacy'' is really a misnomer; many of these are just a way of insisting on stricter adherence to the SMTP protocol. The opt ions can be selected from:

 public          Allow open access
 needmailhelo    Insist on HELO or EHLO command before MAIL
 needexpnhelo    Insist on HELO or EHLO command before EXPN
 noexpn          Disallow EXPN entirely, implies noverb.
 needvrfyhelo    Insist on HELO or EHLO command before VRFY
 novrfy          Disallow VRFY entirely
 noetrn          Disallow ETRN entirely
 noverb          Disallow VERB entirely
 restrictmailq   Restrict mailq command
 restrictqrun    Restrict -q command line flag
 noreceipts      Don't return success DSNs
 nobodyreturn    Don't return the body of a message with DSNs
 goaway          Disallow essentially all SMTP status queries
 authwarnings    Put X-Authentication-Warning: headers in messages

The ``goaway'' pseudo-flag sets all flags except ``noreceipts,'' ``restrictmailq,'' ``restrictqrun,'' ``noetrn,'' and ``nobodyreturn .'' If mailq is restricted, only people in the same group as the queue directory can print the queue. If queue runs are restricted, only root and the owner of the queue directory can run the queue. Authentication Warnings add warnings about various conditions that may indicate attempts to spoof the mail system, such as using an non-standard queue directory.

ProcessTitlePrefix=string

[no short name] Prefix the process title shown on 'ps' listings with string . The string will be macro processed.

QueueDirectory=dir

[Q] Use the named dir as the queue directory. To use multiple queues, supply a value ending with an asterisk. For example, /var/spool/mqueue/q* will use all of the directories or symbolic links to directories beginning with q in /var/spool/mqueue as queue directories. Do not change the queue directory structure while sendmail is running.

QueueFactor=factor

[q] Use factor as the multiplier in the map function to decide when to just queue up jobs rather than run them. This value is divided by the difference between the current load average and the load average limit (QueueLA option) to determine the maximum message priority that will be sent. Defaults to 600000.

QueueLA=LA

[x] When the system load average exceeds LA , just queue messages (that is, don't try to send them). Defaults to 8 multiplied by the number of processors online on the system (if that can be determined).

QueueSortOrder=algorithm

[no short name] Sets the algorithm used for sorting the queue. Only the first character of the value is used. Legal values are ``host'' (to order by the name of the first host name of the first recipient), ``filename'' (to order by the name of the queue file name), ``time'' (to order by the submission time), and ``priority'' (to order by message priority). Host ordering makes better use of the connection cache, but may tend to process low priority messages that go to a single host over high priority messages that go to several hosts; it probably shouldn't be used on slow network links. Filename ordering saves the overhead of reading all of the queued items before starting the queue run. Time ordering is almost always a bad idea, since it allows large, bulk mail to go out before smaller, personal mail, but may have applicability on some hosts with very fast connections. Priority ordering is the default.

QueueTimeout=timeout

[T] A synonym for ``Timeout.queuereturn .'' Use that form instead of the ``QueueTimeout'' form.

RandFile

[no short name] Name of file containing random data or the name of the Unix socket if EGD is used. A (required) prefix "egd:" or "file:" specifies the type. STARTTLS requires this filename if the compile flag HASURANDOM is not set (see sendmail/README).

ResolverOptions=options

[I] Set resolver options. Values can be set using + flag and cleared using - flag; the flag s can be ``debug ,'' ``aaonly ,'' ``usevc ,'' ``primary ,'' ``igntc ,'' ``recurse ,'' ``defnames ,'' ``stayopen ,'' or ``dnsrch .'' The string ``HasWildcardMX'' (without a + or - ) can be specified to turn off matching against MX records when doing name canonifications. N.B. Prior to 8.7, this option indicated that the name server be responding in order to accept addresses. This has been replaced by checking to see if the ``dns'' method is listed in the service switch entry for the ``hosts'' service.

RrtImpliesDsn

[R] If this option is set, a ``Return-Receipt-To:'' header causes the request of a DSN, which is sent to the envelope sender as required by RFC1891, not to the address given in the header.

RunAsUser=user

[no short name] The user parameter may be a user name (looked up in /etc/passwd ) or a numeric user id; either form can have ``":group"'' attached (where group can be numeric or symbolic). If set to a non-zero (non-root) value, sendmail will change to this user id shortly after startup. (When running as a daemon, it changes to this user after accepting a connection but before reading any SMTP commands.) This avoids a certain class of security problems. However, this means that all ``.forward'' and ``:include:'' files must be readable by the indicated user and all files to be written must be writable by user Also, all file and program deliveries will be marked unsafe unless the option DontBlameSendmail=NonRootAddrSafe is set, in which case the delivery will be done as user . It is also incompatible with the SafeFileEnvironment option. In other words, it may not actually add much to security on an average system, and may in fact detract from security (because other file permissions must be loosened). However, it should be useful on firewalls and other places where users don't have accounts and the aliases file is well constrained.

RecipientFactor=fact

[y] The indicated factor is added to the priority (thus lowering the priority of the job) for each recipient, that is, this value penalizes jobs with large numbers of recipients. Defaults to 30000.

RefuseLA=LA

[X] When the system load average exceeds LA , refuse incoming SMTP connections. Defaults to 12 multiplied by the number of processors online on the system (if that can be determined).

RetryFactor=fact

[Z] The factor is added to the priority every time a job is processed. Thus, each time a job is processed, its priority will be decreased by the indicated value. In most environments this should be positive, since hosts that are down are all too often down for a long time. Defaults to 90000.

SafeFileEnvironment=dir

[no short name] If this option is set, sendmail will do a chroot call into the indicated directory before doing any file writes. If the file name specified by the user begins with dir , that partial path name will be stripped off before writing, so (for example) if the SafeFileEnvironment variable is set to ``/safe'' then aliases of ``/safe/logs/file'' and ``/logs/file'' actually indicate the same file. Additionally, if this option is set, sendmail refuses to deliver to symbolic links.

SaveFromLine

[f] Save Unix-style ``From'' lines at the front of headers. Normally they are assumed redundant and discarded.

SendMimeErrors

[j] If set, send error messages in MIME format (see RFC2045 and RFC1344 for details). If disabled, sendmail will not return the DSN keyword in response to an EHLO and will not do Delivery Status Notification processing as described in RFC1891.

ServerCertFile

[no short name] File containing the certificate of the server, that is, this certificate is used when sendmail acts as server.

ServerKeyFile

[no short name] File containing the private key belonging to the server certificate.

ServiceSwitchFile=filename

[no short name] If your host operating system has a service switch abstraction, that service will be consulted and this option is ignored. Otherwise, this is the name of a file that provides the list of methods used to implement particular services. The syntax is a series of lines, each of which is a sequence of words. The first word is the service name, and following words are service types. The services that sendmail consults directly are ``aliases'' and ``hosts.'' Service types can be ``dns ,'' ``nis ,'' ``nisplus ,'' or ``files'' (with the caveat that the appropriate support must be compiled in before the service can be referenced). If ServiceSwitchFile is not specified, it defaults to /etc/mail/service.switch. If that file does not exist, the default switch is:

   aliases	files
   hosts	dns nis files

SevenBitInput

[7] Strip input to seven bits for compatibility with old systems. This shouldn't be necessary.

SingleLineFromHeader

[no short name] If set, From: lines that have embedded newlines are unwrapped onto one line. This is to get around a botch in Lotus Notes that apparently cannot understand legally wrapped RFC822 headers.

SingleThreadDelivery

[no short name] If set, a client machine will never try to open two SMTP connections to a single server machine at the same time, even in different processes. That is, if another sendmail is already talking to some host a new sendmail will not open another connection. This property is of mixed value; although this reduces the load on the other machine, it can cause mail to be delayed (for example, if one sendmail is delivering a huge message, other sendmails won't be able to send even small messages). Also, it requires another file descriptor (for the lock file) per connection, so you may have to reduce the ConnectionCacheSize option to avoid running out of per-process file descriptors. Requires the HostStatusDirectory option.

SmtpGreetingMessage=message

[$e macro] The message printed when the SMTP server starts up. Defaults to ``"$j Sendmail $v ready at $b".''

StatusFile=file

[S] Log summary statistics in the named file. If no file name is specified, "statistics" is used. If not set, no summary statistics are saved. This file does not grow in size. It can be printed using the mailstats (8) program.

SuperSafe

[s] Be super-safe when running things, that is, always instantiate the queue file, even if you are going to attempt immediate delivery. sendmail always instantiates the queue file before returning control to the client under any circumstances. This should really always be set.

TempFileMode=mode

[F] The file mode for queue files. It is interpreted in octal by default. Defaults to 0600.

Timeout.type=timeout

[r; subsumes old T option as well] Set timeout values. For more information, see ``Altering read timeouts'' and ``Altering message timeouts''.

TimeZoneSpec=tzinfo

[t] Set the local time zone info to tzinfo - for example, ``PST8PDT.'' Actually, if this is not set, the TZ environment variable is cleared (so the system default is used); if set but null, the user's TZ variable is used, and if set and non-null the TZ variable is set to this value.

TrustedUser=user

[no short name] The user parameter may be a user name (looked up in /etc/passwd ) or a numeric user id. Trusted user for file ownership and starting the daemon. If set, generated alias databases and the control socket (if configured) will automatically be owned by this user.

TryNullMXList

[w] If this system is the ``best'' (that is, lowest preference) MX for a given host, its configuration rules should normally detect this situation and treat that condition specially by forwarding the mail to a UUCP feed, treating it as local, or whatever. However, in some cases (such as Internet firewalls) you may want to try to connect directly to that host as though it had no MX records at all. Setting this option causes sendmail to try this. The downside is that errors in your configuration are likely to be diagnosed as ``host unknown'' or ``message timed out'' instead of something more meaningful. This option is disrecommended.

UnixFromLine=fromline

[$l macro] Defines the format used when sendmail must add a UNIX-style From_ line (that is, a line beginning ``From<space>user ).'' Defaults to ``"From $g $d".'' Don't change this unless your system uses a different UNIX mailbox format (very unlikely).

UnsafeGroupWrites

[no short name] If set, :include: and .forward files that are group writable are considered ``unsafe''; that is, they cannot reference programs or write directly to files. World writable :include: and .forward files are always unsafe.

UseErrorsTo

[l] If there is an ``Errors-To:'' header, send error messages to the addresses listed there. They normally go to the envelope sender. Use of this option causes sendmail to violate RFC 1123. This option is disrecommended and deprecated.

UserDatabaseSpec=udbspec

[U] The user database specification.

Verbose

[v] Run in verbose mode. If this is set, sendmail adjusts options HoldExpensive (old c ) and DeliveryMode (old d ) so that all mail is delivered completely in a single job so that you can see the entire delivery process. Option Verbose should never be set in the configuration file; it is intended for command line use only.

XscriptFileBufferSize=threshold

[no short name] Set the threshold , in bytes, before a memory-based queue transcript file becomes disk-based. The default is 4096 bytes.

P--precedence definitions

Values for the ``Precedence:'' field may be defined using the P control line. The syntax of this field is:

Pname=num

When the name is found in a ``Precedence:'' field, the message class is set to num. Higher numbers mean higher precedence. Numbers below zero have the special property that if an error occurs during processing, the body of the message will not be returned; this is expected to be used for ``bulk'' mail such as through mailing lists. The default precedence is zero. An example list of precedences is:

   Pfirst-class=0
   Pspecial-delivery=100
   Plist=-30
   Pbulk=-60
   Pjunk=-100

V--configuration version level

To provide compatibility with old configuration files, the V line has been added to define some very basic semantics of the configuration file. These are not intended to be long term supports; rather, they describe compatibility features which will probably be removed in future releases.

``Old'' configuration files are defined as version level one.

Version level two files make the following changes:

• Host name canonification ($[ ... $]) appends a dot if the name is recognized; this gives the configuration file a way of finding out if anything matched. (Actually, this just initializes the ``host'' map with the -a flag--you can reset it to anything you prefer by declaring the map explicitly.) Default host name extension is consistent throughout processing; version level one configurations turned off domain extension (that is, adding the local domain name) during certain points in processing. Version level two configurations are expected to include a trailing dot to indicate that the name is already canonical.

• Local names that are not aliases are passed through a new distinguished ruleset five; this can be used to append a local relay. This behavior can be prevented by resolving the local name with an initial ``@''. That is, something that resolves to a local mailer and a user name of vikki will be passed through ruleset five, but a user name of @vikki will have the ``@'' stripped, will not be passed through ruleset five, but will otherwise be treated the same as the prior example. The expectation is that this might be used to implement a policy where mail sent to vikki was handled by a central hub, but mail sent to vikki@localhost was delivered directly.

Version level three files allow # initiated comments on all lines. Exceptions are backslash escaped # marks and the $# syntax.

Version level four configurations are completely equivalent to level three for historical reasons.

Version level five configuration files change the default definition of $w to be just the first component of the hostname.

Version level six configuration files change many of the local processing options (such as aliasing and matching the beginning of the address for `|' characters) to be mailer flags; this allows fine-grained control over the special local processing. Level six configuration files may also use long option names. The ColonOkInAddr option (to allow colons in the local-part of addresses) defaults on for lower numbered configuration files; the configuration file requires some additional intelligence to properly handle the RFC 822 group construct.

Version level seven configuration files used new option names to replace old macros ($e became SmtpGreetingMessage , $l became UnixFromLine , and $o became OperatorChars). Also, prior to version seven, the F=q flag (use 250 instead of 252 return value for SMTP VRFY commands) was assumed.

Version level eight configuration files allow $# on the left hand side of ruleset lines.

Version level nine configuration files allow parentheses in rulesets, that is, they are not treated as comments and hence removed.

The V line may have an optional /vendor to indicate that this configuration file uses modifications specific to a particular vendor. You can use ``/Berkeley'' to emphasize that this configuration file uses the Berkeley dialect of sendmail.

K--key file declaration

Special maps can be defined using the line:

Kmapname mapclass arguments

The mapname is the handle by which this map is referenced in the rewriting rules. The mapclass is the name of a type of map; these are compiled in to sendmail . The arguments are interpreted depending on the class; typically, there would be a single argument naming the file containing the map.

Maps are referenced using the syntax:

$( map key $@ arguments $: default $)

where either or both of the arguments or default portion may be omitted. The "$@ arguments" may appear more than once. The indicated key and arguments are passed to the appropriate mapping function. If it returns a value, it replaces the input. If it does not return a value and the default is specified, the default replaces the input. Otherwise, the input is unchanged.

The arguments are passed to the map for arbitrary use. Most map classes can interpolate these arguments into their values using the syntax ``%n'' (where n is a digit) to indicate the corresponding argument . Argument ``%0'' indicates the database key. For example, the rule

R$- ! $+ $: $(uucp $1 $@ $2 $: %1 @ %0 . UUCP $)

Looks up the UUCP name in a (user defined) UUCP map; if not found it turns it into ``.UUCP'' form. The database might contain records like:

decvax %1@%0.DEC.COM
research %1@%0.ATT.COM

Note that default clauses never do this mapping.

The built in map with both name and class ``host'' is the host name canonicalization lookup. Thus, the syntax:

$(host hostname$)

is equivalent to:

$[hostname$]

There are many defined classes.

dbm

Database lookups using the

ndbm
NS

library. sendmail must be compiled with NDBM defined.

btree

Database lookups using the btree interface to the Berkeley DB library. sendmail must be compiled with NEWDB defined.

hash

Database lookups using the hash interface to the Berkeley DB library. sendmail must be compiled with NEWDB defined.

nis

NIS lookups. sendmail must be compiled with NIS defined.

nisplus

NIS+ lookups. sendmail must be compiled with NISPLUS defined. The argument is the name of the table to use for lookups, and the -k and -v flags may be used to set the key and value columns respectively.

hesiod

Hesiod lookups. sendmail must be compiled with HESIOD defined.

ldap

LDAP X500 directory lookups. sendmail must be compiled with LDAPMAP defined. The map supports most of the standard arguments and most of the command line arguments of the ldapsearch program. Note that, by default, if a single query matches multiple values, only the first value will be returned unless the -z (value separator) map flag is set. Also, the -1 map flag will treat a multiple value return as if there were no matches.

netinfo

NeXT NetInfo lookups. sendmail must be compiled with NETINFO defined.

text

Text file lookups. The format of the text file is defined by the -k (key field number), -v (value field number), and -z (field delimiter) flags.

ph

PH query map. Contributed and supported by Mark Roth, roth@uiuc.edu. For more information, consult the web site ``http://www-wsg.cso.uiuc.edu/sendmail/sendmail-phmap/ .''

nsd

nsd map for IRIX 6.5 and later. Contributed and supported by Bob Mende of SGI, mende@sgi.com.

stab

Internal symbol table lookups. Used internally for aliasing.

implicit

Really should be called ``alias'' -- this is used to get the default lookups for alias files, and is the default if no class is specified for alias files.

user

Looks up users using getpwnam(S). The -v flag can be used to specify the name of the field to return (although this is normally used only to check the existence of a user).

host

Canonifies host domain names. Given a host name it calls the name server to find the canonical name for that host.

bestmx

Returns the best MX record for a host name given as the key. The current machine is always preferred - that is, if the current machine is one of the hosts listed as a lowest-preference MX record, then it will be guaranteed to be returned. This can be used to find out if this machine is the target for an MX record, and mail can be accepted on that basis. If the -z flag is given, then all MX names are returned, separated by the given delimiter.

sequence

The arguments on the `K' line are a list of maps; the resulting map searches the argument maps in order until it finds a match for the indicated key. For example, if the key definition is:

Kmap1 ...
Kmap2 ...
Kseqmap sequence map1 map2

then a lookup against ``seqmap'' first does a lookup in map1. If that is found, it returns immediately. Otherwise, the same key is used for map2.

syslog

the key is logged via syslogd (8). The lookup returns the empty string.

switch

Much like the ``sequence'' map except that the order of maps is determined by the service switch. The argument is the name of the service to be looked up; the values from the service switch are appended to the map name to create new map names. For example, consider the key definition:

Kali switch aliases

together with the service switch entry:

aliases nis files

This causes a query against the map ``ali'' to search maps named ``ali.nis'' and ``ali.files'' in that order.

dequote

Strip double quotes (") from a name. It does not strip backslashes, and will not strip quotes if the resulting string would contain unscannable syntax (that is, basic errors like unbalanced angle brackets; more sophisticated errors such as unknown hosts are not checked). The intent is for use when trying to accept mail from systems such as DECnet that routinely quote odd syntax such as

"49ers::ubell"

A typical usage is probably something like:

Kdequote dequote

...

R$- $: $(dequote $1 $)
R$- $+ $: $>3 $1 $2

Care must be taken to prevent unexpected results; for example,

"|someprogram < input > output"

will have quotes stripped, but the result is probably not what you had in mind. Fortunately these cases are rare.

regex

The map definition on the K line contains a regular expression. Any key input is compared to that expression using the POSIX regular expressions routines regcomp(), regerr(), and regexec(). Refer to the documentation for those routines for more information about the regular expression matching. No rewriting of the key is done if the -m flag is used. Without it, the key is discarded or if -s if used, it is substituted by the substring matches, delimited by $| or the string specified with the the -d flag. The flags available for the map are

-n not
-f case sensitive
-b basic regular expressions
(default is extended)
-s substring match
-d set the delimiter used for -s
-a append string to key
-m match only, do not
replace/discard value
-D perform no lookup in deferred delivery mode.

The -s flag can include an optional parameter which can be used to select the substrings in the result of the lookup. For example,

-s1,3,4

Note: to match a $ in a string, $$ must be used. If the pattern contains spaces, they must be replaced with the blank substitution character, unless it is space itself.

program

The arguments on the K line are the pathname to a program and any initial parameters to be passed. When the map is called, the key is added to the initial parameters and the program is invoked as the default user/group id. The first line of standard output is returned as the value of the lookup. This has many potential security problems, and has terrible performance; it should be used only when absolutely necessary.

macro

Set or clear a macro value. To set a macro, pass the value as the first argument in the map lookup. To clear a macro, do not pass an argument in the map lookup. The map always returns the empty string. Example of typical usage include:

Kstorage macro

...

# set macro ${MyMacro} to the ruleset match
R$+ $: $(storage {MyMacro} $@ $1 $) $1
# set macro ${MyMacro} to an empty string
R$* $: $(storage {MyMacro} $@ $) $1
# clear macro ${MyMacro}
R$- $: $(storage {MyMacro} $) $1

arith

Perform simple arithmetic operations. The operation is given as key, currently +, -, *, /, l (for less than), and = are supported. The two operands are given as arguments. The lookup returns the result of the computation, that is TRUE or FALSE for comparisons, integer values otherwise. All options which are possible for maps are ignored. A simple example is:

Kcomp arith

...

Scheck_etrn
R$* $: $(comp l $@ $&{load_avg} $@ 7 $) $1
RFALSE $# error ...

Most of these accept as arguments the same optional flags and a filename (or a mapname for NIS; the filename is the root of the database path, so that ``.db'' or some other extension appropriate for the database type will be added to get the actual database name).

Known flags are:

-o

Indicates that this map is optional - that is, if it cannot be opened, no error is produced, and sendmail will behave as if the map existed but was empty.

-N, -O

If neither -N or -O are specified, sendmail uses an adaptive algorithm to decide whether or not to look for null bytes on the end of keys. It starts by trying both; if it finds any key with a null byte it never tries again without a null byte and vice versa. If -N is specified it never tries without a null byte and if -O is specified it never tries with a null byte. Setting one of these can speed matches but are never necessary. If both -N and -O are specified, sendmail will never try any matches at all -- that is, everything will appear to fail.

-ax

Append the string x on successful matches. For example, the default host map appends a dot on successful matches.

-Tx

Append the string x on temporary failures. For example, x would be appended if a DNS lookup returned ``server failed'' or an NIS lookup could not locate a server. See also the -t flag.

-f

Do not fold upper to lower case before looking up the key.

-m

Match only (without replacing the value). If you only care about the existence of a key and not the value (as you might when searching the NIS map ``hosts.byname'' for example), this flag prevents the map from substituting the value. However, the -a argument is still appended on a match, and the default is still taken if the match fails.

-kkeycol

The key column name (for NIS+) or number (for text lookups). For LDAP maps this is an LDAP filter string in which %s is replaced with the literal contents of the lookup key and %0 is replaced with the LDAP escaped contents of the lookup key according to RFC2254.

-vvalcol

The value column name (for NIS+) or number (for text lookups). For LDAP maps this is the name of one or more attributes to be returned; multiple attributes can be separated by commas. If not specified, all attributes found in the match will be returned.

-zdelim

The column delimiter (for text lookups). It can be a single character or one of the special strings ``\n'' or ``\t'' to indicate newline or tab respectively. If omitted entirely, the column separator is any sequence of white space. For LDAP maps this is the separator character to combine multiple values into a single return string. If not set, the LDAP lookup will only return the first match found.

-t

Normally, when a map attempts to do a lookup and the server fails (e.g., sendmail couldn't contact any name server; this is not the same as an entry not being found in the map), the message being processed is queued for future processing. The -t flag turns off this behavior, letting the temporary failure (server down) act as though it were a permanent failure (entry not found). It is particularly useful for DNS lookups, where someone else's misconfigured name server can cause problems on your machine. However, care must be taken to ensure that you don't bounce mail that would be resolved correctly if you tried again. A common strategy is to forward such mail to another, possibly better connected, mail server.

-D

Perform no lookup in deferred delivery mode. This flag is set by default for the host map.

-Sspacesub

The character to use to replace space characters after a successful map lookup (esp. useful for regex and syslog maps).

-sspacesub

For the dequote map only, the character to use to replace space characters after a successful dequote.

-q

Don't dequote the key before lookup.

-Llevel

For the syslog map only, it specifies the level to use for the syslog call.

-A

When rebuilding an alias file, the -A flag causes duplicate entries in the text version to be merged. For example, two entries:

list: user1, user2
list: user3

would be treated as though it were the single entry

list: user1, user2, user3

in the presence of the -A flag.

The following additional flags are present in the ldap map only:

-R

Do not auto chase referrals. sendmail must be compiled with -DLDAP_REFERRALS to use this flag.

-n

Retrieve attribute names only.

-rderef

Set the alias dereference option to one of never, always, search, or find.

-sscope

Set search scope to one of base, one (one level), or sub (subtree).

-hhost

LDAP server hostname.

-bbase

LDAP search base.

-pport

LDAP service port.

-ltimelimit

Time limit for LDAP queries.

-Zsizelimit

Size (number of matches) limit for LDAP queries.

-ddistinguished_name

The distinguished name to use to login to the LDAP server.

-Mmethod

The method to authenticate to the LDAP server. Should be one of LDAP_AUTH_NONE, LDAP_AUTH_SIMPLE, or LDAP_AUTH_KRBV4.

-Ppasswordfile

The file containing the secret key for the LDAP_AUTH_SIMPLE authentication method or the name of the Kerberos ticket file for LDAP_AUTH_KRBV4.,

-1

Force LDAP searches to only succeed if a single match is found. If multiple values are found, the search is treated as if no match was found.

The dbm map appends the strings ``.pag'' and ``.dir'' to the given filename; the hash and btree maps append ``.db .'' For example, the map specification

Kuucp dbm -o -N /etc/mail/uucpmap

specifies an optional map named ``uucp'' of class ``dbm ;'' it always has null bytes at the end of every string, and the data is located in /etc/mail/uucpmap.{dir,pag}.

The program makemap(ADMN) can be used to build any of the three database-oriented maps. It takes the following flags:

-f

Do not fold upper to lower case in the map.

-N

Include null bytes in keys.

-o

Append to an existing (old) file.

-r

Allow replacement of existing keys; normally, re-inserting an existing key is an error.

-v

Print what is happening.

New classes can be added in the routine setupmaps in file conf.c.

Building a configuration file from scratch

Building a configuration file from scratch is an extremely difficult job. Fortunately, it is almost never necessary to do so; nearly every situation that may come up can be resolved by changing an existing configuration file. In any case, it is critical that you understand what you are trying to do and come up with a design plan for the configuration file. This section is intended to explain the real purpose of a configuration file and to give you some ideas as to what your design plan might be.

Do not even consider writing your own configuration file without carefully studying RFC 821, RFC 822, and RFC 1123. You should also read RFC 976 if you are doing UUCP exchange.

Purpose of the configuration file

The configuration file has three major purposes. The first and simplest is to set up the environment for sendmail. This involves setting the options, defining a few critical macros, and so on. Because these are described in other sections, we will not go into more detail here.

The second purpose is to rewrite addresses in the message. This should typically be done in two phases. The first phase maps addresses in any format into a canonical form. This should be done in ruleset three. The second phase maps this canonical form into the syntax appropriate for the receiving mailer.

The sendmail program performs this second phase in the following three subphases: Rulesets one and two are applied to all sender and recipient addresses, respectively. After this, you can specify per-mailer rulesets for both sender and recipient addresses. This allows mailer-specific customization. Finally, ruleset four is applied to do any default conversion to external form.

The third purpose of the configuration file is to map addresses into the actual set of instructions necessary to get the message delivered. Ruleset zero must resolve to the internal form, which is in turn used as a pointer to a mailer descriptor. This describes the interface requirements of the mailer.

Relevant issues

The canonical form you use should almost certainly be as specified in the Internet standards documents RFC 819 and RFC 822. These RFCs can be ftp'd from ftp.ds.internic.net.

RFC 822

describes the format of the mail message itself. The sendmail program follows this RFC closely, to the extent that many of the standards described in this document cannot be changed without changing the code. In particular, the following characters have special interpretations:

< > ( ) " \

Any attempt to use these characters for other than their RFC 822 purpose in addresses is probably doomed to disaster.

RFC 819
describes the specifics of the domain-based addressing. This is touched on in RFC 822 as well. Essentially, each host is given a name that is a right-to-left dot-qualified pseudo-path from a distinguished root. The elements of the path need not be physical hosts; the domain is logical rather than physical. For example, atOcelot, one legal host might be a.CC.Ocelot.EDU; reading from right to left, EDU is a top level domain comprising educational institutions, Ocelot is a logical domain name, CC represents the Computer Center, (in this case a strictly logical entity), and ``a'' is a host in the Computer Center.

Beware when reading RFC 819 that there are a number of errors in it.

How to proceed

Once you have decided on a design plan for the new configuration file, it is worth examining existing configuration files to decide whether any of them are close enough for you to use major parts of them as a basis for your own configuration file. Even under the worst of conditions, there should be a large amount of material you can use.

The next step is to build ruleset three. This is the hardest part of the job. Beware of doing too much to the address in this ruleset, because anything you do reflects through to the message. In particular, stripping of local domains is best deferred, as this can leave you with addresses with no domain specifications at all. Because sendmail likes to append the sending domain to addresses with no domain, this can change the semantics of addresses. Also, try to avoid fully qualifying domains in this ruleset. Although technically legal, this can lead to unpleasantly and unnecessarily long addresses reflected into messages. The Ocelot configuration files define ruleset nine to qualify domain names and strip local domains. This is called from ruleset zero to get all addresses into a cleaner form.

Once you have ruleset three finished, the other rulesets should be relatively trivial. If you need hints, examine the supplied configuration files.

Testing the rewriting rules: the -bt flag

When you build a configuration file, you can do a certain amount of testing using the ``test mode'' of sendmail. For example, you could invoke sendmail as:

sendmail -bt -Ctest.cf

This reads the configuration file test.cf and enters test mode. In this mode, you enter lines of the form:

rwset address

Here rwset is the rewriting set you want to use and address is an address to which to apply the set. Test mode shows you the steps it takes as it proceeds, finally showing you the address with which it ends up. You may use a comma-separated list of rwsets for sequential application of rules to an input. For example:

3,1,21,4 monet:bollard

The first applies ruleset three to the input ``monet:bollard.'' Ruleset one is then applied to the output of ruleset three, followed similarly by rulesets 21 and 4.

If you need more detail, you can also use the -d21 flag to turn on more debugging. For example:

sendmail -bt -d21.99

This turns on a huge amount of information. A single-word address probably prints out several pages of information.

You should be warned that internally, sendmail applies ruleset 3 to all addresses. In this version of sendmail, you will have to do that manually. For example, older versions allowed you to use

0 bruce@broadcast.sony.com

This version requires that you use:

3,0 bruce@broadcast.sony.com

Building mailer descriptions

To add an outgoing mailer to your mail system, you must define the characteristics of the mailer.

Each mailer must have an internal name. This can be arbitrary, except that the names ``local'' and ``prog'' must be defined.

The pathname of the mailer must be given in the ``P'' field. If this mailer should be accessed via an IPC connection, use the string ``[IPC]'' instead.

The ``F'' field defines the mailer flags. You should specify an ``f'' or ``r'' flag to pass the name of the sender as a -f or -r flag, respectively. These flags are only passed if they were passed to sendmail, so that mailers that give errors under some circumstances can be placated. If the mailer does not produce many errors, you can just specify ``-f $g'' in the argv template. If the mailer must be called as root, the S flag should be given. This does not reset the user ID before calling the mailer. (sendmail must be running setuid to root for this to work.) If this mailer is local (that is, it performs final delivery rather than another network hop), the l flag should be given. Quote characters (backslashes and " marks) can be stripped from addresses if the s flag is specified. If this is not given, they are passed through. If the mailer is capable of sending to more than one user on the same host in a single transaction, the m flag should be stated. If this flag is on, then the argv template containing $u is repeated for each unique user on a given host. The e flag marks the mailer as being expensive, which causes sendmail to defer connection until a queue run. (The ``c'' configuration option must be given for this to be effective.)

An unusual case is the C flag. This flag applies to the mailer that the message is received from, rather than the mailer being sent to; if set, the domain specification of the sender (that is, the @host.domain part) is saved and is appended to any addresses in the message that do not already contain a domain specification. For example:

   From: eric@vango.CS.Berkeley.EDU
   To: wnj@monet.CS.Berkeley.EDU, mckusick

   From: eric@vango.CS.Berkeley.EDU
   To: wnj@monet.CS.Berkeley.EDU, mckusick@monet.CS.Berkeley.EDU

Other mailer flags are described in the section ``M--define mailer''.

The ``S'' and ``R'' fields in the mailer description are per-mailer rewriting sets to be applied to sender and recipient addresses, respectively. These are applied after the sending domain is appended and the general rewriting sets (numbers one and two) are applied, but before the output rewrite (ruleset four) is applied. A typical use is to append the current domain to addresses that do not already have a domain. For example:

   From: eric

   From: eric@vango.CS.Berkeley.EDU

   From: ucbvax!eric

The ``S'' and ``R'' fields can be specified as two numbers separated by a slash (for example, ``S=10/11''), meaning that all envelope addresses will be processed through ruleset 10 and all header addresses will be processed through ruleset 11. With only one number specified, both envelope and header rewriting sets are set to the indicated ruleset.

The ``E'' field defines the string to use as an end-of-line indication. A string containing only newline is the default. The usual backslash escapes (\r, \n, \f, \b) may be used.

Finally, an argv template is given as the ``A'' field. It may have embedded spaces. If there is no argv with a $u macro in it, sendmail speaks SMTP to the mailer. If the pathname for this mailer is [IPC], the argv should be:

IPC $h [ port ]

Here port is the optional port number to connect to.

For example:

Mlocal, P=/usr/bin/lmail, F=lsDFMmnPS S=10, R=20, A=lmail $u
Mether, P=[IPC], F=meC, S=11, R=21, A=IPC $h, M=100000, E=\r\n

These specifications specify a mailer to do local delivery and a mailer for Ethernet delivery. The first is called ``local''; it is located in the file /usr/bin/lmail, does local delivery, quotes should be stripped from addresses, and multiple users can be delivered at once; ruleset 10 should be applied to sender addresses in the message, and ruleset 20 should be applied to recipient addresses. The argv to send to a message is the word ``lmail,'' and words containing the name of the receiving user(s).

The second mailer is called ``ether''; it should be connected to via an IPC connection; it can handle multiple users at once; connections should be deferred; and any domain from the sender address should be appended to any receiver name without a domain. Sender addresses should be processed by ruleset 11 and recipient addresses by ruleset 21. There is a 100,000-byte limit on messages passed through this mailer.

For more about sendmail

The following reference manual pages provide additional information about SCO sendmail:

 ---------------------------------------------------------------
 Manual page        Description
 ---------------------------------------------------------------
 aliases(SFF)       aliases file for sendmail 
 lmail(ADMN)        handle local mail delivery from sendmail 
 mailaddr(ADMN)     mail addressing description
 mailstats(ADMN)    print statistics collected by sendmail 
 mconnect(ADMN)     connect to SMTP mail server socket
 rmail(ADMN)        handle remote mail received by UUCP
 sendmail(ADMN)     sendmail command information
 sendmail.cf(SFF)   sendmail configuration file