# This patch is Solaris-specific and thus has not been contributed upstream.

--- sendmail-8.14.9/cf/README~	2014-05-16 13:40:15.000000000 -0700

+++ sendmail-8.14.9/cf/README	2014-12-04 12:36:34.759814094 -0800

@@ -4,12 +4,10 @@

 This document describes the sendmail configuration files.  It

 explains how to create a sendmail.cf file for use with sendmail.

 It also describes how to set options for sendmail which are explained

-in the Sendmail Installation and Operation guide (doc/op/op.me).

-

-To get started, you may want to look at tcpproto.mc (for TCP-only

-sites) and clientproto.mc (for clusters of clients using a single

-mail host), or the generic-*.mc files as operating system-specific

-examples.

+in the Sendmail Installation and Operation guide, which can be found

+on-line at http://www.sendmail.org/%7Eca/email/doc8.12/op.html .

+Recall this URL throughout this document when references to

+doc/op/op.* are made.

 Table of Content:

@@ -30,7 +28,6 @@

 ANTI-SPAM CONFIGURATION CONTROL

 CONNECTION CONTROL

 STARTTLS

-SMTP AUTHENTICATION

 ADDING NEW MAILERS OR RULESETS

 ADDING NEW MAIL FILTERS

 QUEUE GROUP DEFINITIONS

@@ -61,7 +58,7 @@

 Alternatively, you can simply:

 	cd ${CFDIR}/cf

-	./Build config.cf

+	/usr/bin/make config.cf

 where ${CFDIR} is the root of the cf directory and config.mc is the

 name of your configuration file.  If you are running a version of M4

@@ -149,14 +146,6 @@

 a define(`PROCMAIL_MAILER_PATH', ...) should be done before

 FEATURE(`local_procmail').

-*******************************************************************

-***  BE SURE YOU CUSTOMIZE THESE FILES!  They have some		***

-***  Berkeley-specific assumptions built in, such as the name	***

-***  of their UUCP-relay.  You'll want to create your own	***

-***  domain description, and use that in place of		***

-***  domain/Berkeley.EDU.m4.					***

-*******************************************************************

-

 +----------------------------+

 | A BRIEF INTRODUCTION TO M4 |

@@ -197,20 +186,6 @@

 messages; in the worst case it might be ok to change the value

 directly in the generated .cf file, which however is not advised.

-

-Notice:

--------

-

-This package requires a post-V7 version of m4; if you are running the

-4.2bsd, SysV.2, or 7th Edition version.  SunOS's /usr/5bin/m4 or

-BSD-Net/2's m4 both work.  GNU m4 version 1.1 or later also works.

-Unfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a

-Net/2 or GNU version.  GNU m4 is available from

-ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version).

-EXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine).  Use GNU

-m4 on this platform.

-

-

 +----------------+

 | FILE LOCATIONS |

 +----------------+

@@ -319,8 +294,7 @@

 			corresponding queue file types as explained in

 			doc/op/op.me.  See also QUEUE GROUP DEFINITIONS.

 MSP_QUEUE_DIR		[/var/spool/clientmqueue] The directory containing

-			queue files for the MSP (Mail Submission Program,

-			see sendmail/SECURITY).

+			queue files for the MSP (Mail Submission Program).

 STATUS_FILE		[/etc/mail/statistics] The file containing status

 			information.

 LOCAL_MAILER_PATH	[/bin/mail] The program used to deliver local mail.

@@ -350,17 +324,6 @@

 LOCAL_SHELL_DIR		[$z:/] The directory search path in which the

 			shell should run.

 LOCAL_MAILER_QGRP	[undefined] The queue group for the local mailer.

-USENET_MAILER_PATH	[/usr/lib/news/inews] The name of the program

-			used to submit news.

-USENET_MAILER_FLAGS	[rsDFMmn] The mailer flags for the usenet mailer.

-USENET_MAILER_ARGS	[-m -h -n] The command line arguments for the

-			usenet mailer.  NOTE: Some versions of inews

-			(such as those shipped with newer versions of INN)

-			use different flags.  Double check the defaults

-			against the inews man page.

-USENET_MAILER_MAX	[undefined] The maximum size of messages that will

-			be accepted by the usenet mailer.

-USENET_MAILER_QGRP	[undefined] The queue group for the usenet mailer.

 SMTP_MAILER_FLAGS	[undefined] Flags added to SMTP mailer.  Default

 			flags are `mDFMuX' for all SMTP-based mailers; the

 			"esmtp" mailer adds `a'; "smtp8" adds `8'; and

@@ -413,17 +376,6 @@

 			the UUCP mailers and which are converted to MIME will

 			be labeled with this character set.

 UUCP_MAILER_QGRP	[undefined] The queue group for the UUCP mailers.

-FAX_MAILER_PATH		[/usr/local/lib/fax/mailfax] The program used to

-			submit FAX messages.

-FAX_MAILER_ARGS		[mailfax $u $h $f] The arguments passed to the FAX

-			mailer.

-FAX_MAILER_MAX		[100000] The maximum size message accepted for

-			transmission by FAX.

-POP_MAILER_PATH		[/usr/lib/mh/spop] The pathname of the POP mailer.

-POP_MAILER_FLAGS	[Penu] Flags added to POP mailer.  Flags lsDFMq

-			are always added.

-POP_MAILER_ARGS		[pop $u] The arguments passed to the POP mailer.

-POP_MAILER_QGRP		[undefined] The queue group for the pop mailer.

 PROCMAIL_MAILER_PATH	[/usr/local/bin/procmail] The path to the procmail

 			program.  This is also used by

 			FEATURE(`local_procmail').

@@ -438,60 +390,9 @@

 PROCMAIL_MAILER_MAX	[undefined] If set, the maximum size message that

 			will be accepted by the procmail mailer.

 PROCMAIL_MAILER_QGRP	[undefined] The queue group for the procmail mailer.

-MAIL11_MAILER_PATH	[/usr/etc/mail11] The path to the mail11 mailer.

-MAIL11_MAILER_FLAGS	[nsFx] Flags for the mail11 mailer.

-MAIL11_MAILER_ARGS	[mail11 $g $x $h $u] Arguments passed to the mail11

-			mailer.

-MAIL11_MAILER_QGRP	[undefined] The queue group for the mail11 mailer.

-PH_MAILER_PATH		[/usr/local/etc/phquery] The path to the phquery

-			program.

-PH_MAILER_FLAGS		[ehmu] Flags for the phquery mailer.  Flags nrDFM

-			are always set.

-PH_MAILER_ARGS		[phquery -- $u] -- arguments to the phquery mailer.

-PH_MAILER_QGRP		[undefined] The queue group for the ph mailer.

-CYRUS_MAILER_FLAGS	[Ah5@/:|] The flags used by the cyrus mailer.  The

-			flags lsDFMnPq are always included.

-CYRUS_MAILER_PATH	[/usr/cyrus/bin/deliver] The program used to deliver

-			cyrus mail.

-CYRUS_MAILER_ARGS	[deliver -e -m $h -- $u] The arguments passed

-			to deliver cyrus mail.

-CYRUS_MAILER_MAX	[undefined] If set, the maximum size message that

-			will be accepted by the cyrus mailer.

-CYRUS_MAILER_USER	[cyrus:mail] The user and group to become when

-			running the cyrus mailer.

-CYRUS_MAILER_QGRP	[undefined] The queue group for the cyrus mailer.

-CYRUS_BB_MAILER_FLAGS	[u] The flags used by the cyrusbb mailer.

-			The flags lsDFMnP are always included.

-CYRUS_BB_MAILER_ARGS	[deliver -e -m $u] The arguments passed

-			to deliver cyrusbb mail.

-CYRUSV2_MAILER_FLAGS	[A@/:|m] The flags used by the cyrusv2 mailer.  The

-			flags lsDFMnqXz are always included.

-CYRUSV2_MAILER_MAXMSGS	[undefined] If defined, the maximum number of

-			messages to deliver in a single connection for the

-			cyrusv2 mailer.

-CYRUSV2_MAILER_MAXRCPTS	[undefined] If defined, the maximum number of

-			recipients to deliver in a single connection for the

-			cyrusv2 mailer.

-CYRUSV2_MAILER_ARGS	[FILE /var/imap/socket/lmtp] The arguments passed

-			to the cyrusv2 mailer.  This can be used to

-			change the name of the Unix domain socket, or

-			to switch to delivery via TCP (e.g., `TCP $h lmtp')

-CYRUSV2_MAILER_QGRP	[undefined] The queue group for the cyrusv2 mailer.

-CYRUSV2_MAILER_CHARSET	[undefined] If defined, messages containing 8-bit data

-			that ARRIVE from an address that resolves to one the

-			Cyrus mailer and which are converted to MIME will

-			be labeled with this character set.

 confEBINDIR		[/usr/libexec] The directory for executables.

 			Currently used for FEATURE(`local_lmtp') and

 			FEATURE(`smrsh').

-QPAGE_MAILER_FLAGS	[mDFMs] The flags used by the qpage mailer.

-QPAGE_MAILER_PATH	[/usr/local/bin/qpage] The program used to deliver

-			qpage mail.

-QPAGE_MAILER_ARGS	[qpage -l0 -m -P$u] The arguments passed

-			to deliver qpage mail.

-QPAGE_MAILER_MAX	[4096] If set, the maximum size message that

-			will be accepted by the qpage mailer.

-QPAGE_MAILER_QGRP	[undefined] The queue group for the qpage mailer.

 LOCAL_PROG_QGRP		[undefined] The queue group for the prog mailer.

 Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS:

@@ -609,18 +510,6 @@

 		See the section below describing UUCP mailers in more

 		detail.

-usenet		Usenet (network news) delivery.  If this is specified,

-		an extra rule is added to ruleset 0 that forwards all

-		local email for users named ``group.usenet'' to the

-		``inews'' program.  Note that this works for all groups,

-		and may be considered a security problem.

-

-fax		Facsimile transmission.  This is experimental and based

-		on Sam Leffler's HylaFAX software.  For more information,

-		see http://www.hylafax.org/.

-

-pop		Post Office Protocol.

-

 procmail	An interface to procmail (does not come with sendmail).

 		This is designed to be used in mailertables.  For example,

 		a common question is "how do I forward all mail for a given

@@ -643,37 +532,6 @@

 		Of course there are other ways to solve this particular

 		problem, e.g., a catch-all entry in a virtusertable.

-mail11		The DECnet mail11 mailer, useful only if you have the mail11

-		program from gatekeeper.dec.com:/pub/DEC/gwtools (and

-		DECnet, of course).  This is for Phase IV DECnet support;

-		if you have Phase V at your site you may have additional

-		problems.

-

-phquery		The phquery program.  This is somewhat counterintuitively

-		referenced as the "ph" mailer internally.  It can be used

-		to do CCSO name server lookups.  The phquery program, which

-		this mailer uses, is distributed with the ph client.

-

-cyrus		The cyrus and cyrusbb mailers.  The cyrus mailer delivers to

-		a local cyrus user.  this mailer can make use of the

-		"[email protected]" syntax (see

-		FEATURE(`preserve_local_plus_detail')); it will deliver the

-		mail to the user's "detail" mailbox if the mailbox's ACL

-		permits.  The cyrusbb mailer delivers to a system-wide

-		cyrus mailbox if the mailbox's ACL permits.  The cyrus

-		mailer must be defined after the local mailer.

-

-cyrusv2		The mailer for Cyrus v2.x.  The cyrusv2 mailer delivers to

-		local cyrus users via LMTP.  This mailer can make use of the

-		"[email protected]" syntax (see

-		FEATURE(`preserve_local_plus_detail')); it will deliver the

-		mail to the user's "detail" mailbox if the mailbox's ACL

-		permits.  The cyrusv2 mailer must be defined after the

-		local mailer.

-

-qpage		A mailer for QuickPage, a pager interface.  See

-		http://www.qpage.org/ for further information.

-

 The local mailer accepts addresses of the form "user+detail", where

 the "+detail" is not used for mailbox matching but is available

 to certain local mail programs (in particular, see

@@ -1379,12 +1237,6 @@

 		user@site for relaying.  This feature changes that

 		behavior.  It should not be needed for most installations.

-authinfo	Provide a separate map for client side authentication

-		information.  See SMTP AUTHENTICATION for details.

-		By default, the authinfo database specification is:

-

-			hash /etc/mail/authinfo

-

 preserve_luser_host

 		Preserve the name of the recipient host if LUSER_RELAY is

 		used.  Without this option, the domain part of the

@@ -1421,7 +1273,7 @@

 		FEATURE and introduce new settings via DAEMON_OPTIONS().

 msp		Defines config file for Message Submission Program.

-		See sendmail/SECURITY for details and cf/cf/submit.mc how

+		See cf/submit.mc for how

 		to use it.  An optional argument can be used to override

 		the default of `[localhost]' to use as host to send all

 		e-mails to.  Note that MX records will be used if the

@@ -1565,78 +1417,6 @@

 		has been compiled with the options MAP_REGEX and

 		DNSMAP.

-+-------+

-| HACKS |

-+-------+

-

-Some things just can't be called features.  To make this clear,

-they go in the hack subdirectory and are referenced using the HACK

-macro.  These will tend to be site-dependent.  The release

-includes the Berkeley-dependent "cssubdomain" hack (that makes

-sendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU;

-this is intended as a short-term aid while moving hosts into

-subdomains.

-

-

-+--------------------+

-| SITE CONFIGURATION |

-+--------------------+

-

-    *****************************************************

-    * This section is really obsolete, and is preserved	*

-    * only for back compatibility.  You should plan on	*

-    * using mailertables for new installations.  In	*

-    * particular, it doesn't work for the newer forms	*

-    * of UUCP mailers, such as uucp-uudom.		*

-    *****************************************************

-

-Complex sites will need more local configuration information, such as

-lists of UUCP hosts they speak with directly.  This can get a bit more

-tricky.  For an example of a "complex" site, see cf/ucbvax.mc.

-

-The SITECONFIG macro allows you to indirectly reference site-dependent

-configuration information stored in the siteconfig subdirectory.  For

-example, the line

-

-	SITECONFIG(`uucp.ucbvax', `ucbvax', `U')

-

-reads the file uucp.ucbvax for local connection information.  The

-second parameter is the local name (in this case just "ucbvax" since

-it is locally connected, and hence a UUCP hostname).  The third

-parameter is the name of both a macro to store the local name (in

-this case, {U}) and the name of the class (e.g., {U}) in which to store

-the host information read from the file.  Another SITECONFIG line reads

-

-	SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W')

-

-This says that the file uucp.ucbarpa contains the list of UUCP sites

-connected to ucbarpa.Berkeley.EDU.  Class {W} will be used to

-store this list, and $W is defined to be ucbarpa.Berkeley.EDU, that

-is, the name of the relay to which the hosts listed in uucp.ucbarpa

-are connected.  [The machine ucbarpa is gone now, but this

-out-of-date configuration file has been left around to demonstrate

-how you might do this.]

-

-Note that the case of SITECONFIG with a third parameter of ``U'' is

-special; the second parameter is assumed to be the UUCP name of the

-local site, rather than the name of a remote site, and the UUCP name

-is entered into class {w} (the list of local hostnames) as $U.UUCP.

-

-The siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing

-more than a sequence of SITE macros describing connectivity.  For

-example:

-

-	SITE(`cnmat')

-	SITE(`sgi olympus')

-

-The second example demonstrates that you can use two names on the

-same line; these are usually aliases for the same host (or are at

-least in the same company).

-

-The macro LOCAL_UUCP can be used to add rules into the generated

-cf file at the place where MAILER(`uucp') inserts its rules.  This

-should only be used if really necessary.

-

 +--------------------+

 | USING UUCP MAILERS |

 +--------------------+

@@ -2424,7 +2204,7 @@

 map entries.  This feature allows spammers to abuse your mail server

 by specifying a return address that you enabled in your access file.

 This may be harder to figure out for spammers, but it should not

-be used unless necessary.  Instead use SMTP AUTH or STARTTLS to

+be used unless necessary.  Instead use STARTTLS to

 allow relaying for roaming users.

@@ -2890,8 +2670,7 @@

 tokenization.  It might be simpler to use a regex map and apply it

 to $&{currHeader}.

 2. There are no default rulesets coming with this distribution of

-sendmail.  You can write your own, can search the WWW for examples,

-or take a look at cf/cf/knecht.mc.

+sendmail.  You can write your own or search the WWW for examples.

 3. When using a default ruleset for headers, the name of the header

 currently being checked can be found in the $&{hdr_name} macro.

@@ -3192,101 +2971,6 @@

 (version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})

-+---------------------+

-| SMTP AUTHENTICATION |

-+---------------------+

-

-The macros ${auth_authen}, ${auth_author}, and ${auth_type} can be

-used in anti-relay rulesets to allow relaying for those users that

-authenticated themselves.  A very simple example is:

-

-SLocal_check_rcpt

-R$*		$: $&{auth_type}

-R$+		$# OK

-

-which checks whether a user has successfully authenticated using

-any available mechanism.  Depending on the setup of the Cyrus SASL

-library, more sophisticated rulesets might be required, e.g.,

-

-SLocal_check_rcpt

-R$*		$: $&{auth_type} $| $&{auth_authen}

-RDIGEST-MD5 $| $+@$=w	$# OK

-

-to allow relaying for users that authenticated using DIGEST-MD5

-and have an identity in the local domains.

-

-The ruleset trust_auth is used to determine whether a given AUTH=

-parameter (that is passed to this ruleset) should be trusted.  This

-ruleset may make use of the other ${auth_*} macros.  Only if the

-ruleset resolves to the error mailer, the AUTH= parameter is not

-trusted.  A user supplied ruleset Local_trust_auth can be written

-to modify the default behavior, which only trust the AUTH=

-parameter if it is identical to the authenticated user.

-

-Per default, relaying is allowed for any user who authenticated

-via a "trusted" mechanism, i.e., one that is defined via

-TRUST_AUTH_MECH(`list of mechanisms')

-For example:

-TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5')

-

-If the selected mechanism provides a security layer the number of

-bits used for the key of the symmetric cipher is stored in the

-macro ${auth_ssf}.

-

-Providing SMTP AUTH Data when sendmail acts as Client

------------------------------------------------------

-

-If sendmail acts as client, it needs some information how to

-authenticate against another MTA.  This information can be provided

-by the ruleset authinfo or by the option DefaultAuthInfo.  The

-authinfo ruleset looks up {server_name} using the tag AuthInfo: in

-the access map.  If no entry is found, {server_addr} is looked up

-in the same way and finally just the tag AuthInfo: to provide

-default values.  Note: searches for domain parts or IP nets are

-only performed if the access map is used; if the authinfo feature

-is used then only up to three lookups are performed (two exact

-matches, one default).

-

-Note: If your daemon does client authentication when sending, and

-if it uses either PLAIN or LOGIN authentication, then you *must*

-prevent ordinary users from seeing verbose output.  Do NOT install

-sendmail set-user-ID.  Use PrivacyOptions to turn off verbose output

-("goaway" works for this).

-

-Notice: the default configuration file causes the option DefaultAuthInfo

-to fail since the ruleset authinfo is in the .cf file. If you really

-want to use DefaultAuthInfo (it is deprecated) then you have to

-remove the ruleset.

-

-The RHS for an AuthInfo: entry in the access map should consists of a

-list of tokens, each of which has the form: "TDstring" (including

-the quotes).  T is a tag which describes the item, D is a delimiter,

-either ':' for simple text or '=' for a base64 encoded string.

-Valid values for the tag are:

-

-	U	user (authorization) id

-	I	authentication id

-	P	password

-	R	realm

-	M	list of mechanisms delimited by spaces

-

-Example entries are:

-

-AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5"

-AuthInfo:host.more.dom "U:user" "P=c2VjcmV0"

-

-User id or authentication id must exist as well as the password.  All

-other entries have default values.  If one of user or authentication

-id is missing, the existing value is used for the missing item.

-If "R:" is not specified, realm defaults to $j.  The list of mechanisms

-defaults to those specified by AuthMechanisms.

-

-Since this map contains sensitive information, either the access

-map must be unreadable by everyone but root (or the trusted user)

-or FEATURE(`authinfo') must be used which provides a separate map.

-Notice: It is not checked whether the map is actually

-group/world-unreadable, this is left to the user.

-

 +--------------------------------+

 | ADDING NEW MAILERS OR RULESETS |

 +--------------------------------+

@@ -3612,8 +3296,6 @@

 This list is shown in four columns:  the name you define, the default

 value for that definition, the option or macro that is affected

 (either Ox for an option or Dx for a macro), and a brief description.

-Greater detail of the semantics can be found in the Installation

-and Operations Guide.

 Some options are likely to be deprecated in future versions -- that is,

 the option is only included to provide back-compatibility.  These are

@@ -3837,8 +3519,6 @@

 					(e.g., :include: file) to be opened.

 confTO_LHLO		Timeout.lhlo	[2m] The timeout waiting for a response

 					to an LMTP LHLO command.

-confTO_AUTH		Timeout.auth	[10m] The timeout waiting for a

-					response in an AUTH dialogue.

 confTO_STARTTLS		Timeout.starttls

 					[1h] The timeout waiting for a

 					response to an SMTP STARTTLS command.

@@ -4197,46 +3877,6 @@

 					memory-buffered transcript (xf)

 					file before a disk-based file is

 					used.

-confAUTH_MECHANISMS	AuthMechanisms	[GSSAPI KERBEROS_V4 DIGEST-MD5

-					CRAM-MD5] List of authentication

-					mechanisms for AUTH (separated by

-					spaces).  The advertised list of

-					authentication mechanisms will be the

-					intersection of this list and the list

-					of available mechanisms as determined

-					by the Cyrus SASL library.

-confAUTH_REALM		AuthRealm	[undefined] The authentication realm

-					that is passed to the Cyrus SASL

-					library.  If no realm is specified,

-					$j is used.

-confDEF_AUTH_INFO	DefaultAuthInfo	[undefined] Name of file that contains

-					authentication information for

-					outgoing connections.  This file must

-					contain the user id, the authorization

-					id, the password (plain text), the

-					realm to use, and the list of

-					mechanisms to try, each on a separate

-					line and must be readable by root (or

-					the trusted user) only.  If no realm

-					is specified, $j is used.  If no

-					mechanisms are given in the file,

-					AuthMechanisms is used.  Notice: this

-					option is deprecated and will be

-					removed in future versions; it doesn't

-					work for the MSP since it can't read

-					the file.  Use the authinfo ruleset

-					instead.  See also the section SMTP

-					AUTHENTICATION.

-confAUTH_OPTIONS	AuthOptions	[undefined] If this option is 'A'

-					then the AUTH= parameter for the

-					MAIL FROM command is only issued

-					when authentication succeeded.

-					See doc/op/op.me for more options

-					and details.

-confAUTH_MAX_BITS	AuthMaxBits	[INT_MAX] Limit the maximum encryption

-					strength for the security layer in

-					SMTP AUTH (SASL).  Default is

-					essentially unlimited.

 confTLS_SRV_OPTIONS	TLSSrvOptions	If this option is 'V' no client

 					verification is performed, i.e.,

 					the server doesn't ask for a

@@ -4288,7 +3928,7 @@

 					[undefined] Defines {daemon_flags}

 					for direct submissions.