| | |
| | | # This patch is Solaris-specific and thus has not been contributed upstream. |
| | | |
| | | --- sendmail-8.17.1/cf/README 2021-06-09 10:27:53.000000000 +0000 |
| | | +++ sendmail-8.17.1/cf/README.new 2022-02-01 10:41:18.120722024 +0000 |
| | | --- sendmail-8.18.1/cf/README 2024-01-31 07:38:32.000000000 +0100 |
| | | +++ sendmail-8.18.1/cf/README.new 2024-03-06 18:47:12.042203400 +0100 |
| | | @@ -4,12 +4,10 @@ |
| | | This document describes the sendmail configuration files. It |
| | | explains how to create a sendmail.cf file for use with sendmail. |
| | |
| | | |
| | | Table of Content: |
| | | |
| | | @@ -30,7 +28,6 @@ |
| | | @@ -20,8 +18,6 @@ |
| | | DOMAINS |
| | | MAILERS |
| | | FEATURES |
| | | -HACKS |
| | | -SITE CONFIGURATION |
| | | USING UUCP MAILERS |
| | | TWEAKING RULESETS |
| | | MASQUERADING AND RELAYING |
| | | @@ -30,7 +26,6 @@ |
| | | ANTI-SPAM CONFIGURATION CONTROL |
| | | CONNECTION CONTROL |
| | | STARTTLS |
| | |
| | | ADDING NEW MAILERS OR RULESETS |
| | | ADDING NEW MAIL FILTERS |
| | | QUEUE GROUP DEFINITIONS |
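Review bot: the one ToC entry this hunk deletes between STARTTLS and ADDING NEW MAILERS OR RULESETS is not rendered (the row after STARTTLS is empty), so it can only be checked against the body: the later hunk that removes 96 lines immediately before the ADDING NEW MAILERS OR RULESETS banner is the matching section deletion. Make sure the two stay in step, so the ToC neither lists a section that no longer exists nor omits one that does.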
| | | @@ -61,7 +58,7 @@ |
| | | @@ -61,7 +56,7 @@ |
| | | Alternatively, you can simply: |
| | | |
| | | cd ${CFDIR}/cf |
| | |
| | | |
| | | where ${CFDIR} is the root of the cf directory and config.mc is the |
| | | name of your configuration file. If you are running a version of M4 |
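Review bot: the replaced command line under `cd ${CFDIR}/cf` is not rendered in this hunk, yet the sentence that follows still says "config.mc is the name of your configuration file". Whatever the new build command is, it has to use config.mc, or the sentence has to change with it; otherwise the paragraph explains a name that no longer appears in the command it describes.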
| | | @@ -149,14 +146,6 @@ |
| | | @@ -149,14 +144,6 @@ |
| | | a define(`PROCMAIL_MAILER_PATH', ...) should be done before |
| | | FEATURE(`local_procmail'). |
| | | |
| | |
| | | |
| | | Note: |
| | | Some rulesets, features, and options are only useful if the sendmail |
| | | @@ -218,19 +207,6 @@ |
| | | @@ -218,19 +205,6 @@ |
| | | directly in the generated .cf file, which however is not advised. |
| | | |
| | | |
| | |
| | | +----------------+ |
| | | | FILE LOCATIONS | |
| | | +----------------+ |
| | | @@ -339,8 +315,7 @@ |
| | | @@ -339,8 +313,7 @@ |
| | | corresponding queue file types as explained in |
| | | doc/op/op.me. See also QUEUE GROUP DEFINITIONS. |
| | | MSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing |
| | |
| | | STATUS_FILE [/etc/mail/statistics] The file containing status |
| | | information. |
| | | LOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. |
| | | @@ -370,17 +345,6 @@ |
| | | @@ -370,17 +343,6 @@ |
| | | LOCAL_SHELL_DIR [$z:/] The directory search path in which the |
| | | shell should run. |
| | | LOCAL_MAILER_QGRP [undefined] The queue group for the local mailer. |
| | |
| | | SMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default |
| | | flags are `mDFMuX' for all SMTP-based mailers; the |
| | | "esmtp" mailer adds `a'; "smtp8" adds `8'; and |
| | | @@ -437,17 +401,6 @@ |
| | | @@ -437,17 +399,6 @@ |
| | | the UUCP mailers and which are converted to MIME will |
| | | be labeled with this character set. |
| | | UUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers. |
| | |
| | | PROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail |
| | | program. This is also used by |
| | | FEATURE(`local_procmail'). |
| | | @@ -462,60 +415,9 @@ |
| | | @@ -462,60 +413,9 @@ |
| | | PROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that |
| | | will be accepted by the procmail mailer. |
| | | PROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer. |
| | |
| | | LOCAL_PROG_QGRP [undefined] The queue group for the prog mailer. |
| | | |
| | | Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: |
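Review bot: this hunk drops 51 lines of the mailer settings list between PROCMAIL_MAILER_QGRP and LOCAL_PROG_QGRP, and the two hunks before it drop 11 lines each (after LOCAL_MAILER_QGRP and after UUCP_MAILER_QGRP); none of the deleted entries is visible here. The header comment only says "Solaris-specific"; it should name which mailers are being undocumented and why (e.g. because the corresponding mailer definitions are not shipped), so that whoever refreshes this patch for the next release can tell whether the README still matches the shipped cf tree.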
| | | @@ -633,18 +535,6 @@ |
| | | @@ -633,18 +533,6 @@ |
| | | See the section below describing UUCP mailers in more |
| | | detail. |
| | | |
| | |
| | | procmail An interface to procmail (does not come with sendmail). |
| | | This is designed to be used in mailertables. For example, |
| | | a common question is "how do I forward all mail for a given |
| | | @@ -667,37 +557,6 @@ |
| | | @@ -667,37 +555,6 @@ |
| | | Of course there are other ways to solve this particular |
| | | problem, e.g., a catch-all entry in a virtusertable. |
| | | |
| | |
| | | The local mailer accepts addresses of the form "user+detail", where |
| | | the "+detail" is not used for mailbox matching but is available |
| | | to certain local mail programs (in particular, see |
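Review bot: 12 and 31 lines of the mailer descriptions are deleted in this and the previous hunk (between the uucp and procmail entries, and between the procmail entry and the "user+detail" paragraph) without any of them being shown. Check that the set of mailers removed from this descriptive list is exactly the set whose settings were removed from the settings list above; a mailer documented in one list but not the other is worse than either keeping or dropping both.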
| | | @@ -1418,12 +1277,6 @@ |
| | | @@ -1420,12 +1277,6 @@ |
| | | user@site for relaying. This feature changes that |
| | | behavior. It should not be needed for most installations. |
| | | |
| | |
| | | preserve_luser_host |
| | | Preserve the name of the recipient host if LUSER_RELAY is |
| | | used. Without this option, the domain part of the |
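Review bot: six lines are deleted between the relaying feature text and preserve_luser_host and none are shown. The rest of this patch deletes the `FEATURE(`authinfo', ...)` example and every confAUTH_* option, so confirm this is the feature entry that explained authinfo. If it is, the README is internally consistent, but if the authinfo feature file is still installed the feature becomes undocumented rather than unavailable, and the header comment should say so.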
| | | @@ -1460,7 +1313,7 @@ |
| | | @@ -1462,7 +1313,7 @@ |
| | | FEATURE and introduce new settings via DAEMON_OPTIONS(). |
| | | |
| | | msp Defines config file for Message Submission Program. |
| | |
| | | to use it. An optional argument can be used to override |
| | | the default of `[localhost]' to use as host to send all |
| | | e-mails to. Note that MX records will be used if the |
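Review bot: the line replaced in the msp entry is not rendered, and the kept context opens mid-sentence with "to use it. An optional argument". This patch strips sendmail/SECURITY pointers elsewhere (confUSE_MSP and the MESSAGE SUBMISSION PROGRAM section), so if this is another one, make sure the replacement still joins up with "to use it" into a complete sentence rather than leaving a fragment in the feature list.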
| | | @@ -2475,7 +2256,7 @@ |
| | | map entries. This feature allows spammers to abuse your mail server |
| | | by specifying a return address that you enabled in your access file. |
| | | This may be harder to figure out for spammers, but it should not |
| | | -be used unless necessary. Instead use SMTP AUTH or STARTTLS to |
| | | +be used unless necessary. Instead use STARTTLS to |
| | | allow relaying for roaming users. |
| | | |
| | | |
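Review bot: replacing "SMTP AUTH or STARTTLS" with plain "STARTTLS" turns transport encryption into the recommended way to authorise relaying, which only holds when the server verifies client certificates. The README's own confTLS_SRV_OPTIONS entry, kept as context further down in this patch, says that with 'V' no client verification is performed at all. Write "STARTTLS with client certificate verification" or leave the sentence alone; a reader who enables STARTTLS and opens relaying on the strength of it runs an open relay.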
| | | @@ -2943,8 +2724,7 @@ |
| | | tokenization. It might be simpler to use a regex map and apply it |
| | | to $&{currHeader}. |
| | | 2. There are no default rulesets coming with this distribution of |
| | | -sendmail. You can write your own, can search the WWW for examples, |
| | | -or take a look at cf/cf/knecht.mc. |
| | | +sendmail. You can write your own or search the WWW for examples. |
| | | 3. When using a default ruleset for headers, the name of the header |
| | | currently being checked can be found in the $&{hdr_name} macro. |
| | | |
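Review bot: the pointer to cf/cf/knecht.mc is dropped, but nothing in this patch removes that file. If cf/cf/knecht.mc is still installed with the cf tree, this is the only pointer the README gives to a worked example of these rulesets and should stay; if it is not installed, say so in the header comment.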
| | | @@ -3701,8 +3386,6 @@ |
| | | This list is shown in four columns: the name you define, the default |
| | | value for that definition, the option or macro that is affected |
| | | (either Ox for an option or Dx for a macro), and a brief description. |
| | | -Greater detail of the semantics can be found in the Installation |
| | | -and Operations Guide. |
| | | |
| | | Some options are likely to be deprecated in future versions -- that is, |
| | | the option is only included to provide back-compatibility. These are |
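Review bot: the pointer to the Installation and Operations Guide is removed here, but doc/op/op.me, which is that guide, is still cited in context lines this patch leaves untouched ("doc/op/op.me. See also QUEUE GROUP DEFINITIONS." in the MSP_QUEUE_DIR hunk, "For more information see doc/op/op.me." in the 8.17.2 part). If the guide is not shipped on Solaris, all of those references need the same treatment; if it is shipped, this deletion should be dropped.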
| | | @@ -3932,8 +3615,6 @@ |
| | | (e.g., :include: file) to be opened. |
| | | confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response |
| | | to an LMTP LHLO command. |
| | | -confTO_AUTH Timeout.auth [10m] The timeout waiting for a |
| | | - response in an AUTH dialogue. |
| | | confTO_STARTTLS Timeout.starttls |
| | | [1h] The timeout waiting for a |
| | | response to an SMTP STARTTLS command. |
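Review bot: removing the confTO_AUTH entry removes the documentation, not the option; Timeout.auth keeps its 10m default whether or not the README mentions it. Either record in the header comment that the Solaris build has no AUTH support, which makes the entry moot, or leave the entry in place.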
| | | @@ -4303,46 +3984,6 @@ |
| | | memory-buffered transcript (xf) |
| | | file before a disk-based file is |
| | | used. |
| | | -confAUTH_MECHANISMS AuthMechanisms [EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 |
| | | - CRAM-MD5] List of authentication |
| | | - mechanisms for AUTH (separated by |
| | | - spaces). The advertised list of |
| | | - authentication mechanisms will be the |
| | | - intersection of this list and the list |
| | | - of available mechanisms as determined |
| | | - by the Cyrus SASL library. |
| | | -confAUTH_REALM AuthRealm [undefined] The authentication realm |
| | | - that is passed to the Cyrus SASL |
| | | - library. If no realm is specified, |
| | | - $j is used. See KNOWNBUGS. |
| | | -confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains |
| | | - authentication information for |
| | | - outgoing connections. This file must |
| | | - contain the user id, the authorization |
| | | - id, the password (plain text), the |
| | | - realm to use, and the list of |
| | | - mechanisms to try, each on a separate |
| | | - line and must be readable by root (or |
| | | - the trusted user) only. If no realm |
| | | - is specified, $j is used. If no |
| | | - mechanisms are given in the file, |
| | | - AuthMechanisms is used. Notice: this |
| | | - option is deprecated and will be |
| | | - removed in future versions; it doesn't |
| | | - work for the MSP since it can't read |
| | | - the file. Use the authinfo ruleset |
| | | - instead. See also the section SMTP |
| | | - AUTHENTICATION. |
| | | -confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' |
| | | - then the AUTH= parameter for the |
| | | - MAIL FROM command is only issued |
| | | - when authentication succeeded. |
| | | - See doc/op/op.me for more options |
| | | - and details. |
| | | -confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption |
| | | - strength for the security layer in |
| | | - SMTP AUTH (SASL). Default is |
| | | - essentially unlimited. |
| | | confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client |
| | | verification is performed, i.e., |
| | | the server doesn't ask for a |
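Review bot: deleting the confAUTH_MECHANISMS, confAUTH_REALM, confDEF_AUTH_INFO, confAUTH_OPTIONS and confAUTH_MAX_BITS entries only removes documentation; whether the options exist depends on how the binary was built, and the header comment does not say. State the reason (e.g. sendmail built without SASL) in the header, because if the shipped sendmail does honour AuthMechanisms the default list quoted in the deleted text, which includes CRAM-MD5 and KERBEROS_V4, now applies silently, and the deleted confDEF_AUTH_INFO text carried the only warning that its file holds a plain-text password and must be readable by root or the trusted user only.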
| | | @@ -4413,7 +4054,7 @@ |
| | | [undefined] Defines {daemon_flags} |
| | | for direct submissions. |
| | | confUSE_MSP UseMSP [undefined] Use as mail submission |
| | | - program, see sendmail/SECURITY. |
| | | + program. |
| | | confDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By |
| | | SMTP Service Extension (RFC 2852). |
| | | confREQUIRES_DIR_FSYNC RequiresDirfsync [true] RequiresDirfsync can |
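Review bot: "[undefined] Use as mail submission program." says nothing the option name does not already say. Since the sendmail/SECURITY pointer is going away, point at the README's own section instead, e.g. "program, see section MESSAGE SUBMISSION PROGRAM."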
| | | @@ -4559,8 +4200,7 @@ |
| | | | MESSAGE SUBMISSION PROGRAM | |
| | | +----------------------------+ |
| | | |
| | | -The purpose of the message submission program (MSP) is explained |
| | | -in sendmail/SECURITY. This section contains a list of caveats and |
| | | +This section contains a list of caveats and |
| | | a few hints how for those who want to tweak the default configuration |
| | | for it (which is installed as submit.cf). |
| | | |
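Review bot: with the first sentence gone, the section no longer states what the MSP is for; "This section contains a list of caveats" now opens without saying what is being caveated. If sendmail/SECURITY is not shipped on Solaris, replace the reference with a one-sentence description (the program that accepts locally submitted mail and runs with the configuration installed as submit.cf) rather than simply deleting it.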
| | | @@ -4575,13 +4215,10 @@ |
| | | of the default background mode. |
| | | - FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses |
| | | to the LOCAL_RELAY instead of the default relay. |
| | | -- confRAND_FILE if you use STARTTLS and sendmail is not compiled with |
| | | - the flag HASURANDOM. |
| | | |
| | | -The MSP performs hostname canonicalization by default. As also |
| | | -explained in sendmail/SECURITY, mail may end up for various DNS |
| | | -related reasons in the MSP queue. This problem can be minimized by |
| | | -using |
| | | +The MSP performs hostname canonicalization by default. Mail may end |
| | | +up for various DNS related reasons in the MSP queue. This problem |
| | | +can be minimized by using |
| | | |
| | | FEATURE(`nocanonify', `canonify_hosts') |
| | | define(`confDIRECT_SUBMISSION_MODIFIERS', `C') |
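Review bot: dropping the confRAND_FILE bullet assumes the Solaris build always defines HASURANDOM, which is exactly the condition the deleted bullet spelled out. Either keep the bullet or record that build assumption in the header comment; if a later build is made without HASURANDOM, STARTTLS in the MSP will need this setting and the README will no longer mention it.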
| | | @@ -4597,39 +4234,10 @@ |
| | | can cause security problems. |
| | | |
| | | Other things don't work well with the MSP and require tweaking or |
| | | -workarounds. For example, to allow for client authentication it |
| | | -is not just sufficient to provide a client certificate and the |
| | | -corresponding key, but it is also necessary to make the key group |
| | | -(smmsp) readable and tell sendmail not to complain about that, i.e., |
| | | - |
| | | - define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') |
| | | - |
| | | -If the MSP should actually use AUTH then the necessary data |
| | | -should be placed in a map as explained in SMTP AUTHENTICATION: |
| | | - |
| | | -FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') |
| | | - |
| | | -/etc/mail/msp-authinfo should contain an entry like: |
| | | - |
| | | - AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" |
| | | +workarounds. |
| | | |
| | | The file and the map created by makemap should be owned by smmsp, |
| | | -its group should be smmsp, and it should have mode 640. The database |
| | | -used by the MTA for AUTH must have a corresponding entry. |
| | | -Additionally the MTA must trust this authentication data so the AUTH= |
| | | -part will be relayed on to the next hop. This can be achieved by |
| | | -adding the following to your sendmail.mc file: |
| | | - |
| | | - LOCAL_RULESETS |
| | | - SLocal_trust_auth |
| | | - R$* $: $&{auth_authen} |
| | | - Rsmmsp $# OK |
| | | - |
| | | -Note: the authentication data can leak to local users who invoke |
| | | -the MSP with debug options or even with -v. For that reason either |
| | | -an authentication mechanism that does not show the password in the |
| | | -AUTH dialogue (e.g., DIGEST-MD5) or a different authentication |
| | | -method like STARTTLS should be used. |
| | | +its group should be smmsp, and it should have mode 640. |
| | | |
| | | feature/msp.m4 defines almost all settings for the MSP. Most of |
| | | those should not be changed at all. Some of the features and options |
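Review bot: the surviving "+its group should be smmsp, and it should have mode 640." joins the kept context "The file and the map created by makemap should be owned by smmsp," into a sentence whose subject has been deleted: the /etc/mail/msp-authinfo file and the map built from it in the removed paragraph just above. Either delete that sentence as well or restore the paragraph it belongs to. Separately, the confDONT_BLAME_SENDMAIL GroupReadableKeyFile guidance removed at the top of the hunk is STARTTLS client-certificate advice, not AUTH advice; since this patch elsewhere tells readers to use STARTTLS instead of SMTP AUTH for roaming users, the one paragraph that explained how to make the MSP present a client certificate should stay.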
| | | --- sendmail-8.17.2/cf/README 2023-05-31 21:55:42.000000000 +0200 |
| | | +++ sendmail-8.17.2/cf/README.new 2023-10-13 18:04:44.902861539 +0200 |
| | | @@ -1617,79 +1617,6 @@ |
| | | For more information see doc/op/op.me. |
| | | |
| | | @@ -1624,79 +1475,6 @@ |
| | | respectively. For details, see the file and |
| | | the OpenSSL documentation. |
| | | |
| | | -+-------+ |
| | | -| HACKS | |
| | |
| | | +--------------------+ |
| | | | USING UUCP MAILERS | |
| | | +--------------------+ |
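Review bot: the hunk headers say 73 lines are deleted here but only the HACKS banner is visible. The ToC hunk removes both HACKS and SITE CONFIGURATION, and no other hunk in this patch removes a section at this position, so this deletion has to cover both sections; verify the end of the range stops exactly at the USING UUCP MAILERS banner that is kept as context and takes nothing from that section.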
| | | @@ -3284,102 +3211,6 @@ |
| | | @@ -2484,7 +2262,7 @@ |
| | | map entries. This feature allows spammers to abuse your mail server |
| | | by specifying a return address that you enabled in your access file. |
| | | This may be harder to figure out for spammers, but it should not |
| | | -be used unless necessary. Instead use SMTP AUTH or STARTTLS to |
| | | +be used unless necessary. Instead use STARTTLS to |
| | | allow relaying for roaming users. |
| | | |
| | | |
| | | @@ -2952,8 +2730,7 @@ |
| | | tokenization. It might be simpler to use a regex map and apply it |
| | | to $&{currHeader}. |
| | | 2. There are no default rulesets coming with this distribution of |
| | | -sendmail. You can write your own, can search the WWW for examples, |
| | | -or take a look at cf/cf/knecht.mc. |
| | | +sendmail. You can write your own or search the WWW for examples. |
| | | 3. When using a default ruleset for headers, the name of the header |
| | | currently being checked can be found in the $&{hdr_name} macro. |
| | | |
| | | @@ -3291,102 +3068,6 @@ |
| | | (version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify}) |
| | | |
| | | |
| | |
| | | +--------------------------------+ |
| | | | ADDING NEW MAILERS OR RULESETS | |
| | | +--------------------------------+ |
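Review bot: 96 lines are deleted immediately before the ADDING NEW MAILERS OR RULESETS banner with none of them shown; by position this is the section whose single ToC entry between STARTTLS and ADDING NEW MAILERS OR RULESETS is dropped earlier in the patch. The only visible context is the closing Received-header example of the STARTTLS section, so verify the hunk starts at that section's banner and does not take the tail of the STARTTLS text with it.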
| | | @@ -3713,8 +3394,6 @@ |
| | | This list is shown in four columns: the name you define, the default |
| | | value for that definition, the option or macro that is affected |
| | | (either Ox for an option or Dx for a macro), and a brief description. |
| | | -Greater detail of the semantics can be found in the Installation |
| | | -and Operations Guide. |
| | | |
| | | Some options are likely to be deprecated in future versions -- that is, |
| | | the option is only included to provide back-compatibility. These are |
| | | @@ -3944,8 +3623,6 @@ |
| | | (e.g., :include: file) to be opened. |
| | | confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response |
| | | to an LMTP LHLO command. |
| | | -confTO_AUTH Timeout.auth [10m] The timeout waiting for a |
| | | - response in an AUTH dialogue. |
| | | confTO_STARTTLS Timeout.starttls |
| | | [1h] The timeout waiting for a |
| | | response to an SMTP STARTTLS command. |
| | | @@ -4315,46 +3992,6 @@ |
| | | memory-buffered transcript (xf) |
| | | file before a disk-based file is |
| | | used. |
| | | -confAUTH_MECHANISMS AuthMechanisms [EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 |
| | | - CRAM-MD5] List of authentication |
| | | - mechanisms for AUTH (separated by |
| | | - spaces). The advertised list of |
| | | - authentication mechanisms will be the |
| | | - intersection of this list and the list |
| | | - of available mechanisms as determined |
| | | - by the Cyrus SASL library. |
| | | -confAUTH_REALM AuthRealm [undefined] The authentication realm |
| | | - that is passed to the Cyrus SASL |
| | | - library. If no realm is specified, |
| | | - $j is used. See KNOWNBUGS. |
| | | -confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains |
| | | - authentication information for |
| | | - outgoing connections. This file must |
| | | - contain the user id, the authorization |
| | | - id, the password (plain text), the |
| | | - realm to use, and the list of |
| | | - mechanisms to try, each on a separate |
| | | - line and must be readable by root (or |
| | | - the trusted user) only. If no realm |
| | | - is specified, $j is used. If no |
| | | - mechanisms are given in the file, |
| | | - AuthMechanisms is used. Notice: this |
| | | - option is deprecated and will be |
| | | - removed in future versions; it doesn't |
| | | - work for the MSP since it can't read |
| | | - the file. Use the authinfo ruleset |
| | | - instead. See also the section SMTP |
| | | - AUTHENTICATION. |
| | | -confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' |
| | | - then the AUTH= parameter for the |
| | | - MAIL FROM command is only issued |
| | | - when authentication succeeded. |
| | | - See doc/op/op.me for more options |
| | | - and details. |
| | | -confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption |
| | | - strength for the security layer in |
| | | - SMTP AUTH (SASL). Default is |
| | | - essentially unlimited. |
| | | confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client |
| | | verification is performed, i.e., |
| | | the server doesn't ask for a |
| | | @@ -4574,8 +4211,7 @@ |
| | | | MESSAGE SUBMISSION PROGRAM | |
| | | +----------------------------+ |
| | | |
| | | -The purpose of the message submission program (MSP) is explained |
| | | -in sendmail/SECURITY. This section contains a list of caveats and |
| | | +This section contains a list of caveats and |
| | | a few hints how for those who want to tweak the default configuration |
| | | for it (which is installed as submit.cf). |
| | | |
| | | @@ -4590,13 +4226,10 @@ |
| | | of the default background mode. |
| | | - FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses |
| | | to the LOCAL_RELAY instead of the default relay. |
| | | -- confRAND_FILE if you use STARTTLS and sendmail is not compiled with |
| | | - the flag HASURANDOM. |
| | | |
| | | -The MSP performs hostname canonicalization by default. As also |
| | | -explained in sendmail/SECURITY, mail may end up for various DNS |
| | | -related reasons in the MSP queue. This problem can be minimized by |
| | | -using |
| | | +The MSP performs hostname canonicalization by default. Mail may end |
| | | +up for various DNS related reasons in the MSP queue. This problem |
| | | +can be minimized by using |
| | | |
| | | FEATURE(`nocanonify', `canonify_hosts') |
| | | define(`confDIRECT_SUBMISSION_MODIFIERS', `C') |
| | | @@ -4612,39 +4245,10 @@ |
| | | can cause security problems. |
| | | |
| | | Other things don't work well with the MSP and require tweaking or |
| | | -workarounds. For example, to allow for client authentication it |
| | | -is not just sufficient to provide a client certificate and the |
| | | -corresponding key, but it is also necessary to make the key group |
| | | -(smmsp) readable and tell sendmail not to complain about that, i.e., |
| | | - |
| | | - define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') |
| | | - |
| | | -If the MSP should actually use AUTH then the necessary data |
| | | -should be placed in a map as explained in SMTP AUTHENTICATION: |
| | | - |
| | | -FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') |
| | | - |
| | | -/etc/mail/msp-authinfo should contain an entry like: |
| | | - |
| | | - AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" |
| | | +workarounds. |
| | | |
| | | The file and the map created by makemap should be owned by smmsp, |
| | | -its group should be smmsp, and it should have mode 640. The database |
| | | -used by the MTA for AUTH must have a corresponding entry. |
| | | -Additionally the MTA must trust this authentication data so the AUTH= |
| | | -part will be relayed on to the next hop. This can be achieved by |
| | | -adding the following to your sendmail.mc file: |
| | | - |
| | | - LOCAL_RULESETS |
| | | - SLocal_trust_auth |
| | | - R$* $: $&{auth_authen} |
| | | - Rsmmsp $# OK |
| | | - |
| | | -Note: the authentication data can leak to local users who invoke |
| | | -the MSP with debug options or even with -v. For that reason either |
| | | -an authentication mechanism that does not show the password in the |
| | | -AUTH dialogue (e.g., DIGEST-MD5) or a different authentication |
| | | -method like STARTTLS should be used. |
| | | +its group should be smmsp, and it should have mode 640. |
| | | |
| | | feature/msp.m4 defines almost all settings for the MSP. Most of |
| | | those should not be changed at all. Some of the features and options |