--- sendmail-8.18.1/cf/README 2024-01-31 07:38:32.000000000 +0100 +++ sendmail-8.18.1/cf/README.new 2024-03-06 18:47:12.042203400 +0100 @@ -4,12 +4,10 @@ This document describes the sendmail configuration files. It explains how to create a sendmail.cf file for use with sendmail. It also describes how to set options for sendmail which are explained -in the Sendmail Installation and Operation guide (doc/op/op.me). - -To get started, you may want to look at tcpproto.mc (for TCP-only -sites) and clientproto.mc (for clusters of clients using a single -mail host), or the generic-*.mc files as operating system-specific -examples. +in the Sendmail Installation and Operation guide, which can be found +on-line at http://www.sendmail.org/%7Eca/email/doc8.12/op.html . +Recall this URL throughout this document when references to +doc/op/op.* are made. Table of Content: @@ -20,8 +18,6 @@ DOMAINS MAILERS FEATURES -HACKS -SITE CONFIGURATION USING UUCP MAILERS TWEAKING RULESETS MASQUERADING AND RELAYING @@ -30,7 +26,6 @@ ANTI-SPAM CONFIGURATION CONTROL CONNECTION CONTROL STARTTLS -SMTP AUTHENTICATION ADDING NEW MAILERS OR RULESETS ADDING NEW MAIL FILTERS QUEUE GROUP DEFINITIONS @@ -61,7 +56,7 @@ Alternatively, you can simply: cd ${CFDIR}/cf - ./Build config.cf + /usr/bin/make config.cf where ${CFDIR} is the root of the cf directory and config.mc is the name of your configuration file. If you are running a version of M4 @@ -149,14 +144,6 @@ a define(`PROCMAIL_MAILER_PATH', ...) should be done before FEATURE(`local_procmail'). -******************************************************************* -*** BE SURE YOU CUSTOMIZE THESE FILES! They have some *** -*** Berkeley-specific assumptions built in, such as the name *** -*** of their UUCP-relay. You'll want to create your own *** -*** domain description, and use that in place of *** -*** domain/Berkeley.EDU.m4. *** -******************************************************************* - Note: Some rulesets, features, and options are only useful if the sendmail @@ -218,19 +205,6 @@ directly in the generated .cf file, which however is not advised. -Notice: -------- - -This package requires a post-V7 version of m4; if you are running the -4.2bsd, SysV.2, or 7th Edition version. SunOS's /usr/5bin/m4 or -BSD-Net/2's m4 both work. GNU m4 version 1.1 or later also works. -Unfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a -Net/2 or GNU version. GNU m4 is available from -ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version). -EXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine). Use GNU -m4 on this platform. - - +----------------+ | FILE LOCATIONS | +----------------+ @@ -339,8 +313,7 @@ corresponding queue file types as explained in doc/op/op.me. See also QUEUE GROUP DEFINITIONS. MSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing - queue files for the MSP (Mail Submission Program, - see sendmail/SECURITY). + queue files for the MSP (Mail Submission Program). STATUS_FILE [/etc/mail/statistics] The file containing status information. LOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. @@ -370,17 +343,6 @@ LOCAL_SHELL_DIR [$z:/] The directory search path in which the shell should run. LOCAL_MAILER_QGRP [undefined] The queue group for the local mailer. -USENET_MAILER_PATH [/usr/lib/news/inews] The name of the program - used to submit news. -USENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer. -USENET_MAILER_ARGS [-m -h -n] The command line arguments for the - usenet mailer. NOTE: Some versions of inews - (such as those shipped with newer versions of INN) - use different flags. Double check the defaults - against the inews man page. -USENET_MAILER_MAX [undefined] The maximum size of messages that will - be accepted by the usenet mailer. -USENET_MAILER_QGRP [undefined] The queue group for the usenet mailer. SMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default flags are `mDFMuX' for all SMTP-based mailers; the "esmtp" mailer adds `a'; "smtp8" adds `8'; and @@ -437,17 +399,6 @@ the UUCP mailers and which are converted to MIME will be labeled with this character set. UUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers. -FAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to - submit FAX messages. -FAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX - mailer. -FAX_MAILER_MAX [100000] The maximum size message accepted for - transmission by FAX. -POP_MAILER_PATH [/usr/lib/mh/spop] The pathname of the POP mailer. -POP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq - are always added. -POP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer. -POP_MAILER_QGRP [undefined] The queue group for the pop mailer. PROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail program. This is also used by FEATURE(`local_procmail'). @@ -462,60 +413,9 @@ PROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that will be accepted by the procmail mailer. PROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer. -MAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer. -MAIL11_MAILER_FLAGS [nsFx] Flags for the mail11 mailer. -MAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11 - mailer. -MAIL11_MAILER_QGRP [undefined] The queue group for the mail11 mailer. -PH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery - program. -PH_MAILER_FLAGS [ehmu] Flags for the phquery mailer. Flags nrDFM - are always set. -PH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer. -PH_MAILER_QGRP [undefined] The queue group for the ph mailer. -CYRUS_MAILER_FLAGS [Ah5@/:|] The flags used by the cyrus mailer. The - flags lsDFMnPq are always included. -CYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver - cyrus mail. -CYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed - to deliver cyrus mail. -CYRUS_MAILER_MAX [undefined] If set, the maximum size message that - will be accepted by the cyrus mailer. -CYRUS_MAILER_USER [cyrus:mail] The user and group to become when - running the cyrus mailer. -CYRUS_MAILER_QGRP [undefined] The queue group for the cyrus mailer. -CYRUS_BB_MAILER_FLAGS [u] The flags used by the cyrusbb mailer. - The flags lsDFMnP are always included. -CYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed - to deliver cyrusbb mail. -CYRUSV2_MAILER_FLAGS [A@/:|m] The flags used by the cyrusv2 mailer. The - flags lsDFMnqXz are always included. -CYRUSV2_MAILER_MAXMSGS [undefined] If defined, the maximum number of - messages to deliver in a single connection for the - cyrusv2 mailer. -CYRUSV2_MAILER_MAXRCPTS [undefined] If defined, the maximum number of - recipients to deliver in a single connection for the - cyrusv2 mailer. -CYRUSV2_MAILER_ARGS [FILE /var/imap/socket/lmtp] The arguments passed - to the cyrusv2 mailer. This can be used to - change the name of the Unix domain socket, or - to switch to delivery via TCP (e.g., `TCP $h lmtp') -CYRUSV2_MAILER_QGRP [undefined] The queue group for the cyrusv2 mailer. -CYRUSV2_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data - that ARRIVE from an address that resolves to one the - Cyrus mailer and which are converted to MIME will - be labeled with this character set. confEBINDIR [/usr/libexec] The directory for executables. Currently used for FEATURE(`local_lmtp') and FEATURE(`smrsh'). -QPAGE_MAILER_FLAGS [mDFMs] The flags used by the qpage mailer. -QPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver - qpage mail. -QPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed - to deliver qpage mail. -QPAGE_MAILER_MAX [4096] If set, the maximum size message that - will be accepted by the qpage mailer. -QPAGE_MAILER_QGRP [undefined] The queue group for the qpage mailer. LOCAL_PROG_QGRP [undefined] The queue group for the prog mailer. Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: @@ -633,18 +533,6 @@ See the section below describing UUCP mailers in more detail. -usenet Usenet (network news) delivery. If this is specified, - an extra rule is added to ruleset 0 that forwards all - local email for users named ``group.usenet'' to the - ``inews'' program. Note that this works for all groups, - and may be considered a security problem. - -fax Facsimile transmission. This is experimental and based - on Sam Leffler's HylaFAX software. For more information, - see http://www.hylafax.org/. - -pop Post Office Protocol. - procmail An interface to procmail (does not come with sendmail). This is designed to be used in mailertables. For example, a common question is "how do I forward all mail for a given @@ -667,37 +555,6 @@ Of course there are other ways to solve this particular problem, e.g., a catch-all entry in a virtusertable. -mail11 The DECnet mail11 mailer, useful only if you have the mail11 - program from gatekeeper.dec.com:/pub/DEC/gwtools (and - DECnet, of course). This is for Phase IV DECnet support; - if you have Phase V at your site you may have additional - problems. - -phquery The phquery program. This is somewhat counterintuitively - referenced as the "ph" mailer internally. It can be used - to do CCSO name server lookups. The phquery program, which - this mailer uses, is distributed with the ph client. - -cyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to - a local cyrus user. this mailer can make use of the - "user+detail@local.host" syntax (see - FEATURE(`preserve_local_plus_detail')); it will deliver the - mail to the user's "detail" mailbox if the mailbox's ACL - permits. The cyrusbb mailer delivers to a system-wide - cyrus mailbox if the mailbox's ACL permits. The cyrus - mailer must be defined after the local mailer. - -cyrusv2 The mailer for Cyrus v2.x. The cyrusv2 mailer delivers to - local cyrus users via LMTP. This mailer can make use of the - "user+detail@local.host" syntax (see - FEATURE(`preserve_local_plus_detail')); it will deliver the - mail to the user's "detail" mailbox if the mailbox's ACL - permits. The cyrusv2 mailer must be defined after the - local mailer. - -qpage A mailer for QuickPage, a pager interface. See - http://www.qpage.org/ for further information. - The local mailer accepts addresses of the form "user+detail", where the "+detail" is not used for mailbox matching but is available to certain local mail programs (in particular, see @@ -1420,12 +1277,6 @@ user@site for relaying. This feature changes that behavior. It should not be needed for most installations. -authinfo Provide a separate map for client side authentication - information. See SMTP AUTHENTICATION for details. - By default, the authinfo database specification is: - - hash /etc/mail/authinfo - preserve_luser_host Preserve the name of the recipient host if LUSER_RELAY is used. Without this option, the domain part of the @@ -1462,7 +1313,7 @@ FEATURE and introduce new settings via DAEMON_OPTIONS(). msp Defines config file for Message Submission Program. - See sendmail/SECURITY for details and cf/cf/submit.mc how + See cf/submit.mc for how to use it. An optional argument can be used to override the default of `[localhost]' to use as host to send all e-mails to. Note that MX records will be used if the @@ -1624,79 +1475,6 @@ respectively. For details, see the file and the OpenSSL documentation. -+-------+ -| HACKS | -+-------+ - -Some things just can't be called features. To make this clear, -they go in the hack subdirectory and are referenced using the HACK -macro. These will tend to be site-dependent. The release -includes the Berkeley-dependent "cssubdomain" hack (that makes -sendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU; -this is intended as a short-term aid while moving hosts into -subdomains. - - -+--------------------+ -| SITE CONFIGURATION | -+--------------------+ - - ***************************************************** - * This section is really obsolete, and is preserved * - * only for back compatibility. You should plan on * - * using mailertables for new installations. In * - * particular, it doesn't work for the newer forms * - * of UUCP mailers, such as uucp-uudom. * - ***************************************************** - -Complex sites will need more local configuration information, such as -lists of UUCP hosts they speak with directly. This can get a bit more -tricky. For an example of a "complex" site, see cf/ucbvax.mc. - -The SITECONFIG macro allows you to indirectly reference site-dependent -configuration information stored in the siteconfig subdirectory. For -example, the line - - SITECONFIG(`uucp.ucbvax', `ucbvax', `U') - -reads the file uucp.ucbvax for local connection information. The -second parameter is the local name (in this case just "ucbvax" since -it is locally connected, and hence a UUCP hostname). The third -parameter is the name of both a macro to store the local name (in -this case, {U}) and the name of the class (e.g., {U}) in which to store -the host information read from the file. Another SITECONFIG line reads - - SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W') - -This says that the file uucp.ucbarpa contains the list of UUCP sites -connected to ucbarpa.Berkeley.EDU. Class {W} will be used to -store this list, and $W is defined to be ucbarpa.Berkeley.EDU, that -is, the name of the relay to which the hosts listed in uucp.ucbarpa -are connected. [The machine ucbarpa is gone now, but this -out-of-date configuration file has been left around to demonstrate -how you might do this.] - -Note that the case of SITECONFIG with a third parameter of ``U'' is -special; the second parameter is assumed to be the UUCP name of the -local site, rather than the name of a remote site, and the UUCP name -is entered into class {w} (the list of local hostnames) as $U.UUCP. - -The siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing -more than a sequence of SITE macros describing connectivity. For -example: - - SITE(`cnmat') - SITE(`sgi olympus') - -The second example demonstrates that you can use two names on the -same line; these are usually aliases for the same host (or are at -least in the same company). - -The macro LOCAL_UUCP can be used to add rules into the generated -cf file at the place where MAILER(`uucp') inserts its rules. This -should only be used if really necessary. - - +--------------------+ | USING UUCP MAILERS | +--------------------+ @@ -2484,7 +2262,7 @@ map entries. This feature allows spammers to abuse your mail server by specifying a return address that you enabled in your access file. This may be harder to figure out for spammers, but it should not -be used unless necessary. Instead use SMTP AUTH or STARTTLS to +be used unless necessary. Instead use STARTTLS to allow relaying for roaming users. @@ -2952,8 +2730,7 @@ tokenization. It might be simpler to use a regex map and apply it to $&{currHeader}. 2. There are no default rulesets coming with this distribution of -sendmail. You can write your own, can search the WWW for examples, -or take a look at cf/cf/knecht.mc. +sendmail. You can write your own or search the WWW for examples. 3. When using a default ruleset for headers, the name of the header currently being checked can be found in the $&{hdr_name} macro. @@ -3291,102 +3068,6 @@ (version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify}) -+---------------------+ -| SMTP AUTHENTICATION | -+---------------------+ - -The macros ${auth_authen}, ${auth_author}, and ${auth_type} can be -used in anti-relay rulesets to allow relaying for those users that -authenticated themselves. A very simple example is: - -SLocal_check_rcpt -R$* $: $&{auth_type} -R$+ $# OK - -which checks whether a user has successfully authenticated using -any available mechanism. Depending on the setup of the Cyrus SASL -library, more sophisticated rulesets might be required, e.g., - -SLocal_check_rcpt -R$* $: $&{auth_type} $| $&{auth_authen} -RDIGEST-MD5 $| $+@$=w $# OK - -to allow relaying for users that authenticated using DIGEST-MD5 -and have an identity in the local domains. - -The ruleset trust_auth is used to determine whether a given AUTH= -parameter (that is passed to this ruleset) should be trusted. This -ruleset may make use of the other ${auth_*} macros. Only if the -ruleset resolves to the error mailer, the AUTH= parameter is not -trusted. A user supplied ruleset Local_trust_auth can be written -to modify the default behavior, which only trust the AUTH= -parameter if it is identical to the authenticated user. - -Per default, relaying is allowed for any user who authenticated -via a "trusted" mechanism, i.e., one that is defined via -TRUST_AUTH_MECH(`list of mechanisms') -For example: -TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5') - -If the selected mechanism provides a security layer the number of -bits used for the key of the symmetric cipher is stored in the -macro ${auth_ssf}. - -Providing SMTP AUTH Data when sendmail acts as Client ------------------------------------------------------ - -If sendmail acts as client, it needs some information how to -authenticate against another MTA. This information can be provided -by the ruleset authinfo or by the option DefaultAuthInfo. The -authinfo ruleset looks up {server_name} using the tag AuthInfo: in -the access map. If no entry is found, {server_addr} is looked up -in the same way and finally just the tag AuthInfo: to provide -default values. Note: searches for domain parts or IP nets are -only performed if the access map is used; if the authinfo feature -is used then only up to three lookups are performed (two exact -matches, one default). - -Note: If your daemon does client authentication when sending, and -if it uses either PLAIN or LOGIN authentication, then you *must* -prevent ordinary users from seeing verbose output. Do NOT install -sendmail set-user-ID. Use PrivacyOptions to turn off verbose output -("goaway" works for this). - -Notice: the default configuration file causes the option DefaultAuthInfo -to fail since the ruleset authinfo is in the .cf file. If you really -want to use DefaultAuthInfo (it is deprecated) then you have to -remove the ruleset. - -The RHS for an AuthInfo: entry in the access map should consists of a -list of tokens, each of which has the form: "TDstring" (including -the quotes). T is a tag which describes the item, D is a delimiter, -either ':' for simple text or '=' for a base64 encoded string. -Valid values for the tag are: - - U user (authorization) id - I authentication id - P password - R realm - M list of mechanisms delimited by spaces - -Example entries are: - -AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5" -AuthInfo:host.more.dom "U:user" "P=c2VjcmV0" - -User id or authentication id must exist as well as the password. All -other entries have default values. If one of user or authentication -id is missing, the existing value is used for the missing item. -If "R:" is not specified, realm defaults to $j. The list of mechanisms -defaults to those specified by AuthMechanisms. - -Since this map contains sensitive information, either the access -map must be unreadable by everyone but root (or the trusted user) -or FEATURE(`authinfo') must be used which provides a separate map. -Notice: It is not checked whether the map is actually -group/world-unreadable, this is left to the user. - - +--------------------------------+ | ADDING NEW MAILERS OR RULESETS | +--------------------------------+ @@ -3713,8 +3394,6 @@ This list is shown in four columns: the name you define, the default value for that definition, the option or macro that is affected (either Ox for an option or Dx for a macro), and a brief description. -Greater detail of the semantics can be found in the Installation -and Operations Guide. Some options are likely to be deprecated in future versions -- that is, the option is only included to provide back-compatibility. These are @@ -3944,8 +3623,6 @@ (e.g., :include: file) to be opened. confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response to an LMTP LHLO command. -confTO_AUTH Timeout.auth [10m] The timeout waiting for a - response in an AUTH dialogue. confTO_STARTTLS Timeout.starttls [1h] The timeout waiting for a response to an SMTP STARTTLS command. @@ -4315,46 +3992,6 @@ memory-buffered transcript (xf) file before a disk-based file is used. -confAUTH_MECHANISMS AuthMechanisms [EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 - CRAM-MD5] List of authentication - mechanisms for AUTH (separated by - spaces). The advertised list of - authentication mechanisms will be the - intersection of this list and the list - of available mechanisms as determined - by the Cyrus SASL library. -confAUTH_REALM AuthRealm [undefined] The authentication realm - that is passed to the Cyrus SASL - library. If no realm is specified, - $j is used. See KNOWNBUGS. -confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains - authentication information for - outgoing connections. This file must - contain the user id, the authorization - id, the password (plain text), the - realm to use, and the list of - mechanisms to try, each on a separate - line and must be readable by root (or - the trusted user) only. If no realm - is specified, $j is used. If no - mechanisms are given in the file, - AuthMechanisms is used. Notice: this - option is deprecated and will be - removed in future versions; it doesn't - work for the MSP since it can't read - the file. Use the authinfo ruleset - instead. See also the section SMTP - AUTHENTICATION. -confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' - then the AUTH= parameter for the - MAIL FROM command is only issued - when authentication succeeded. - See doc/op/op.me for more options - and details. -confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption - strength for the security layer in - SMTP AUTH (SASL). Default is - essentially unlimited. confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client verification is performed, i.e., the server doesn't ask for a @@ -4574,8 +4211,7 @@ | MESSAGE SUBMISSION PROGRAM | +----------------------------+ -The purpose of the message submission program (MSP) is explained -in sendmail/SECURITY. This section contains a list of caveats and +This section contains a list of caveats and a few hints how for those who want to tweak the default configuration for it (which is installed as submit.cf). @@ -4590,13 +4226,10 @@ of the default background mode. - FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses to the LOCAL_RELAY instead of the default relay. -- confRAND_FILE if you use STARTTLS and sendmail is not compiled with - the flag HASURANDOM. -The MSP performs hostname canonicalization by default. As also -explained in sendmail/SECURITY, mail may end up for various DNS -related reasons in the MSP queue. This problem can be minimized by -using +The MSP performs hostname canonicalization by default. Mail may end +up for various DNS related reasons in the MSP queue. This problem +can be minimized by using FEATURE(`nocanonify', `canonify_hosts') define(`confDIRECT_SUBMISSION_MODIFIERS', `C') @@ -4612,39 +4245,10 @@ can cause security problems. Other things don't work well with the MSP and require tweaking or -workarounds. For example, to allow for client authentication it -is not just sufficient to provide a client certificate and the -corresponding key, but it is also necessary to make the key group -(smmsp) readable and tell sendmail not to complain about that, i.e., - - define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') - -If the MSP should actually use AUTH then the necessary data -should be placed in a map as explained in SMTP AUTHENTICATION: - -FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') - -/etc/mail/msp-authinfo should contain an entry like: - - AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" +workarounds. The file and the map created by makemap should be owned by smmsp, -its group should be smmsp, and it should have mode 640. The database -used by the MTA for AUTH must have a corresponding entry. -Additionally the MTA must trust this authentication data so the AUTH= -part will be relayed on to the next hop. This can be achieved by -adding the following to your sendmail.mc file: - - LOCAL_RULESETS - SLocal_trust_auth - R$* $: $&{auth_authen} - Rsmmsp $# OK - -Note: the authentication data can leak to local users who invoke -the MSP with debug options or even with -v. For that reason either -an authentication mechanism that does not show the password in the -AUTH dialogue (e.g., DIGEST-MD5) or a different authentication -method like STARTTLS should be used. +its group should be smmsp, and it should have mode 640. feature/msp.m4 defines almost all settings for the MSP. Most of those should not be changed at all. Some of the features and options