|
# This patch is Solaris-specific and thus has not been contributed upstream.

|
3 --- sendmail-8.14.9/cf/README~ 2014-05-16 13:40:15.000000000 -0700 |
|
4 +++ sendmail-8.14.9/cf/README 2014-12-04 12:36:34.759814094 -0800 |
|
5 @@ -4,12 +4,10 @@ |
|
6 This document describes the sendmail configuration files. It |
|
7 explains how to create a sendmail.cf file for use with sendmail. |
|
8 It also describes how to set options for sendmail which are explained |
|
9 -in the Sendmail Installation and Operation guide (doc/op/op.me). |
|
10 - |
|
11 -To get started, you may want to look at tcpproto.mc (for TCP-only |
|
12 -sites) and clientproto.mc (for clusters of clients using a single |
|
13 -mail host), or the generic-*.mc files as operating system-specific |
|
14 -examples. |
|
15 +in the Sendmail Installation and Operation guide, which can be found |
|
16 +on-line at http://www.sendmail.org/%7Eca/email/doc8.12/op.html . |
|
17 +Recall this URL throughout this document when references to |
|
18 +doc/op/op.* are made. |
|
19 |
|
20 Table of Content: |
|
21 |
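Review bot: the replacement pointer at lines 15-16 sends readers of an 8.14.9 package to the 8.12 edition of the Installation and Operation Guide (doc8.12/op.html), so options added or changed after 8.12 will not be in the referenced text; point at the edition that matches the shipped version, or keep the local doc/op/op.me reference if the package installs that file. Drop the space before the trailing period after the URL so it is not pasted as part of the address. The deleted tcpproto.mc, clientproto.mc and generic-*.mc starting points are not mentioned anywhere else in the patch; if those example files are still shipped, that paragraph should stay.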
|
22 @@ -30,7 +28,6 @@ |
|
23 ANTI-SPAM CONFIGURATION CONTROL |
|
24 CONNECTION CONTROL |
|
25 STARTTLS |
|
26 -SMTP AUTHENTICATION |
|
27 ADDING NEW MAILERS OR RULESETS |
|
28 ADDING NEW MAIL FILTERS |
|
29 QUEUE GROUP DEFINITIONS |
|
30 @@ -61,7 +58,7 @@ |
|
31 Alternatively, you can simply: |
|
32 |
|
33 cd ${CFDIR}/cf |
|
34 - ./Build config.cf |
|
35 + /usr/bin/make config.cf |
|
36 |
|
37 where ${CFDIR} is the root of the cf directory and config.mc is the |
|
38 name of your configuration file. If you are running a version of M4 |
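Review bot: `/usr/bin/make config.cf` at line 35 only works if a Makefile with the .mc to .cf rule exists in ${CFDIR}/cf, and the surrounding text never says that such a Makefile is installed; add a sentence naming it, because a reader expecting the upstream ./Build wrapper otherwise has no way to know what `make` will run. The absolute path is fine for a Solaris-only patch but deserves a line in the header comment.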
|
39 @@ -149,14 +146,6 @@ |
|
40 a define(`PROCMAIL_MAILER_PATH', ...) should be done before |
|
41 FEATURE(`local_procmail'). |
|
42 |
|
43 -******************************************************************* |
|
44 -*** BE SURE YOU CUSTOMIZE THESE FILES! They have some *** |
|
45 -*** Berkeley-specific assumptions built in, such as the name *** |
|
46 -*** of their UUCP-relay. You'll want to create your own *** |
|
47 -*** domain description, and use that in place of *** |
|
48 -*** domain/Berkeley.EDU.m4. *** |
|
49 -******************************************************************* |
|
50 - |
|
51 |
|
52 +----------------------------+ |
|
53 | A BRIEF INTRODUCTION TO M4 | |
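Review bot: the deleted box (lines 43-49) mixed a Berkeley-specific example with advice that still applies on Solaris, namely to write your own domain/ description instead of using the shipped one. Keep a one-line reminder to customize the domain file so that the general guidance does not vanish together with the Berkeley example.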
|
54 @@ -197,20 +186,6 @@ |
|
55 messages; in the worst case it might be ok to change the value |
|
56 directly in the generated .cf file, which however is not advised. |
|
57 |
|
58 - |
|
59 -Notice: |
|
60 -------- |
|
61 - |
|
62 -This package requires a post-V7 version of m4; if you are running the |
|
63 -4.2bsd, SysV.2, or 7th Edition version. SunOS's /usr/5bin/m4 or |
|
64 -BSD-Net/2's m4 both work. GNU m4 version 1.1 or later also works. |
|
65 -Unfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a |
|
66 -Net/2 or GNU version. GNU m4 is available from |
|
67 -ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version). |
|
68 -EXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine). Use GNU |
|
69 -m4 on this platform. |
|
70 - |
|
71 - |
|
72 +----------------+ |
|
73 | FILE LOCATIONS | |
|
74 +----------------+ |
|
75 @@ -319,8 +294,7 @@ |
|
76 corresponding queue file types as explained in |
|
77 doc/op/op.me. See also QUEUE GROUP DEFINITIONS. |
|
78 MSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing |
|
79 - queue files for the MSP (Mail Submission Program, |
|
80 - see sendmail/SECURITY). |
|
81 + queue files for the MSP (Mail Submission Program). |
|
82 STATUS_FILE [/etc/mail/statistics] The file containing status |
|
83 information. |
|
84 LOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail. |
|
85 @@ -350,17 +324,6 @@ |
|
86 LOCAL_SHELL_DIR [$z:/] The directory search path in which the |
|
87 shell should run. |
|
88 LOCAL_MAILER_QGRP [undefined] The queue group for the local mailer. |
|
89 -USENET_MAILER_PATH [/usr/lib/news/inews] The name of the program |
|
90 - used to submit news. |
|
91 -USENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer. |
|
92 -USENET_MAILER_ARGS [-m -h -n] The command line arguments for the |
|
93 - usenet mailer. NOTE: Some versions of inews |
|
94 - (such as those shipped with newer versions of INN) |
|
95 - use different flags. Double check the defaults |
|
96 - against the inews man page. |
|
97 -USENET_MAILER_MAX [undefined] The maximum size of messages that will |
|
98 - be accepted by the usenet mailer. |
|
99 -USENET_MAILER_QGRP [undefined] The queue group for the usenet mailer. |
|
100 SMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default |
|
101 flags are `mDFMuX' for all SMTP-based mailers; the |
|
102 "esmtp" mailer adds `a'; "smtp8" adds `8'; and |
|
103 @@ -413,17 +376,6 @@ |
|
104 the UUCP mailers and which are converted to MIME will |
|
105 be labeled with this character set. |
|
106 UUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers. |
|
107 -FAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to |
|
108 - submit FAX messages. |
|
109 -FAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX |
|
110 - mailer. |
|
111 -FAX_MAILER_MAX [100000] The maximum size message accepted for |
|
112 - transmission by FAX. |
|
113 -POP_MAILER_PATH [/usr/lib/mh/spop] The pathname of the POP mailer. |
|
114 -POP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq |
|
115 - are always added. |
|
116 -POP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer. |
|
117 -POP_MAILER_QGRP [undefined] The queue group for the pop mailer. |
|
118 PROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail |
|
119 program. This is also used by |
|
120 FEATURE(`local_procmail'). |
|
121 @@ -438,60 +390,9 @@ |
|
122 PROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that |
|
123 will be accepted by the procmail mailer. |
|
124 PROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer. |
|
125 -MAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer. |
|
126 -MAIL11_MAILER_FLAGS [nsFx] Flags for the mail11 mailer. |
|
127 -MAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11 |
|
128 - mailer. |
|
129 -MAIL11_MAILER_QGRP [undefined] The queue group for the mail11 mailer. |
|
130 -PH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery |
|
131 - program. |
|
132 -PH_MAILER_FLAGS [ehmu] Flags for the phquery mailer. Flags nrDFM |
|
133 - are always set. |
|
134 -PH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer. |
|
135 -PH_MAILER_QGRP [undefined] The queue group for the ph mailer. |
|
136 -CYRUS_MAILER_FLAGS [Ah5@/:|] The flags used by the cyrus mailer. The |
|
137 - flags lsDFMnPq are always included. |
|
138 -CYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver |
|
139 - cyrus mail. |
|
140 -CYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed |
|
141 - to deliver cyrus mail. |
|
142 -CYRUS_MAILER_MAX [undefined] If set, the maximum size message that |
|
143 - will be accepted by the cyrus mailer. |
|
144 -CYRUS_MAILER_USER [cyrus:mail] The user and group to become when |
|
145 - running the cyrus mailer. |
|
146 -CYRUS_MAILER_QGRP [undefined] The queue group for the cyrus mailer. |
|
147 -CYRUS_BB_MAILER_FLAGS [u] The flags used by the cyrusbb mailer. |
|
148 - The flags lsDFMnP are always included. |
|
149 -CYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed |
|
150 - to deliver cyrusbb mail. |
|
151 -CYRUSV2_MAILER_FLAGS [A@/:|m] The flags used by the cyrusv2 mailer. The |
|
152 - flags lsDFMnqXz are always included. |
|
153 -CYRUSV2_MAILER_MAXMSGS [undefined] If defined, the maximum number of |
|
154 - messages to deliver in a single connection for the |
|
155 - cyrusv2 mailer. |
|
156 -CYRUSV2_MAILER_MAXRCPTS [undefined] If defined, the maximum number of |
|
157 - recipients to deliver in a single connection for the |
|
158 - cyrusv2 mailer. |
|
159 -CYRUSV2_MAILER_ARGS [FILE /var/imap/socket/lmtp] The arguments passed |
|
160 - to the cyrusv2 mailer. This can be used to |
|
161 - change the name of the Unix domain socket, or |
|
162 - to switch to delivery via TCP (e.g., `TCP $h lmtp') |
|
163 -CYRUSV2_MAILER_QGRP [undefined] The queue group for the cyrusv2 mailer. |
|
164 -CYRUSV2_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data |
|
165 - that ARRIVE from an address that resolves to one the |
|
166 - Cyrus mailer and which are converted to MIME will |
|
167 - be labeled with this character set. |
|
168 confEBINDIR [/usr/libexec] The directory for executables. |
|
169 Currently used for FEATURE(`local_lmtp') and |
|
170 FEATURE(`smrsh'). |
|
171 -QPAGE_MAILER_FLAGS [mDFMs] The flags used by the qpage mailer. |
|
172 -QPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver |
|
173 - qpage mail. |
|
174 -QPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed |
|
175 - to deliver qpage mail. |
|
176 -QPAGE_MAILER_MAX [4096] If set, the maximum size message that |
|
177 - will be accepted by the qpage mailer. |
|
178 -QPAGE_MAILER_QGRP [undefined] The queue group for the qpage mailer. |
|
179 LOCAL_PROG_QGRP [undefined] The queue group for the prog mailer. |
|
180 |
|
181 Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS: |
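Review bot: removing the MAIL11, PH, CYRUS, CYRUSV2 and QPAGE definitions (lines 125-167 and 171-178) is only consistent if the corresponding mailer/*.m4 files are also dropped from the package; cyrusv2 in particular is the LMTP mailer used by Cyrus installations and has no other documentation in this file, so confirm it is really unavailable before cutting its entry. Keeping confEBINDIR between the two removed blocks is correct.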
|
182 @@ -609,18 +510,6 @@ |
|
183 See the section below describing UUCP mailers in more |
|
184 detail. |
|
185 |
|
186 -usenet Usenet (network news) delivery. If this is specified, |
|
187 - an extra rule is added to ruleset 0 that forwards all |
|
188 - local email for users named ``group.usenet'' to the |
|
189 - ``inews'' program. Note that this works for all groups, |
|
190 - and may be considered a security problem. |
|
191 - |
|
192 -fax Facsimile transmission. This is experimental and based |
|
193 - on Sam Leffler's HylaFAX software. For more information, |
|
194 - see http://www.hylafax.org/. |
|
195 - |
|
196 -pop Post Office Protocol. |
|
197 - |
|
198 procmail An interface to procmail (does not come with sendmail). |
|
199 This is designed to be used in mailertables. For example, |
|
200 a common question is "how do I forward all mail for a given |
|
201 @@ -643,37 +532,6 @@ |
|
202 Of course there are other ways to solve this particular |
|
203 problem, e.g., a catch-all entry in a virtusertable. |
|
204 |
|
205 -mail11 The DECnet mail11 mailer, useful only if you have the mail11 |
|
206 - program from gatekeeper.dec.com:/pub/DEC/gwtools (and |
|
207 - DECnet, of course). This is for Phase IV DECnet support; |
|
208 - if you have Phase V at your site you may have additional |
|
209 - problems. |
|
210 - |
|
211 -phquery The phquery program. This is somewhat counterintuitively |
|
212 - referenced as the "ph" mailer internally. It can be used |
|
213 - to do CCSO name server lookups. The phquery program, which |
|
214 - this mailer uses, is distributed with the ph client. |
|
215 - |
|
216 -cyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to |
|
217 - a local cyrus user. this mailer can make use of the |
|
218 - "[email protected]" syntax (see |
|
219 - FEATURE(`preserve_local_plus_detail')); it will deliver the |
|
220 - mail to the user's "detail" mailbox if the mailbox's ACL |
|
221 - permits. The cyrusbb mailer delivers to a system-wide |
|
222 - cyrus mailbox if the mailbox's ACL permits. The cyrus |
|
223 - mailer must be defined after the local mailer. |
|
224 - |
|
225 -cyrusv2 The mailer for Cyrus v2.x. The cyrusv2 mailer delivers to |
|
226 - local cyrus users via LMTP. This mailer can make use of the |
|
227 - "[email protected]" syntax (see |
|
228 - FEATURE(`preserve_local_plus_detail')); it will deliver the |
|
229 - mail to the user's "detail" mailbox if the mailbox's ACL |
|
230 - permits. The cyrusv2 mailer must be defined after the |
|
231 - local mailer. |
|
232 - |
|
233 -qpage A mailer for QuickPage, a pager interface. See |
|
234 - http://www.qpage.org/ for further information. |
|
235 - |
|
236 The local mailer accepts addresses of the form "user+detail", where |
|
237 the "+detail" is not used for mailbox matching but is available |
|
238 to certain local mail programs (in particular, see |
|
239 @@ -1379,12 +1237,6 @@ |
|
240 user@site for relaying. This feature changes that |
|
241 behavior. It should not be needed for most installations. |
|
242 |
|
243 -authinfo Provide a separate map for client side authentication |
|
244 - information. See SMTP AUTHENTICATION for details. |
|
245 - By default, the authinfo database specification is: |
|
246 - |
|
247 - hash /etc/mail/authinfo |
|
248 - |
|
249 preserve_luser_host |
|
250 Preserve the name of the recipient host if LUSER_RELAY is |
|
251 used. Without this option, the domain part of the |
|
252 @@ -1421,7 +1273,7 @@ |
|
253 FEATURE and introduce new settings via DAEMON_OPTIONS(). |
|
254 |
|
255 msp Defines config file for Message Submission Program. |
|
256 - See sendmail/SECURITY for details and cf/cf/submit.mc how |
|
257 + See cf/submit.mc for how |
|
258 to use it. An optional argument can be used to override |
|
259 the default of `[localhost]' to use as host to send all |
|
260 e-mails to. Note that MX records will be used if the |
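Review bot: the edited line 257 now reads `See cf/submit.mc for how` with `to use it.` on the following line; reflow the sentence onto one line (`See cf/submit.mc for how to use it.`) so the paragraph wraps normally. Also check that the path change from cf/cf/submit.mc to cf/submit.mc matches the layout the package installs, since the `cd ${CFDIR}/cf` instruction earlier in this patch still describes a cf directory nested under the cf root.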
|
261 @@ -1565,78 +1417,6 @@ |
|
262 has been compiled with the options MAP_REGEX and |
|
263 DNSMAP. |
|
264 |
|
265 -+-------+ |
|
266 -| HACKS | |
|
267 -+-------+ |
|
268 - |
|
269 -Some things just can't be called features. To make this clear, |
|
270 -they go in the hack subdirectory and are referenced using the HACK |
|
271 -macro. These will tend to be site-dependent. The release |
|
272 -includes the Berkeley-dependent "cssubdomain" hack (that makes |
|
273 -sendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU; |
|
274 -this is intended as a short-term aid while moving hosts into |
|
275 -subdomains. |
|
276 - |
|
277 - |
|
278 -+--------------------+ |
|
279 -| SITE CONFIGURATION | |
|
280 -+--------------------+ |
|
281 - |
|
282 - ***************************************************** |
|
283 - * This section is really obsolete, and is preserved * |
|
284 - * only for back compatibility. You should plan on * |
|
285 - * using mailertables for new installations. In * |
|
286 - * particular, it doesn't work for the newer forms * |
|
287 - * of UUCP mailers, such as uucp-uudom. * |
|
288 - ***************************************************** |
|
289 - |
|
290 -Complex sites will need more local configuration information, such as |
|
291 -lists of UUCP hosts they speak with directly. This can get a bit more |
|
292 -tricky. For an example of a "complex" site, see cf/ucbvax.mc. |
|
293 - |
|
294 -The SITECONFIG macro allows you to indirectly reference site-dependent |
|
295 -configuration information stored in the siteconfig subdirectory. For |
|
296 -example, the line |
|
297 - |
|
298 - SITECONFIG(`uucp.ucbvax', `ucbvax', `U') |
|
299 - |
|
300 -reads the file uucp.ucbvax for local connection information. The |
|
301 -second parameter is the local name (in this case just "ucbvax" since |
|
302 -it is locally connected, and hence a UUCP hostname). The third |
|
303 -parameter is the name of both a macro to store the local name (in |
|
304 -this case, {U}) and the name of the class (e.g., {U}) in which to store |
|
305 -the host information read from the file. Another SITECONFIG line reads |
|
306 - |
|
307 - SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W') |
|
308 - |
|
309 -This says that the file uucp.ucbarpa contains the list of UUCP sites |
|
310 -connected to ucbarpa.Berkeley.EDU. Class {W} will be used to |
|
311 -store this list, and $W is defined to be ucbarpa.Berkeley.EDU, that |
|
312 -is, the name of the relay to which the hosts listed in uucp.ucbarpa |
|
313 -are connected. [The machine ucbarpa is gone now, but this |
|
314 -out-of-date configuration file has been left around to demonstrate |
|
315 -how you might do this.] |
|
316 - |
|
317 -Note that the case of SITECONFIG with a third parameter of ``U'' is |
|
318 -special; the second parameter is assumed to be the UUCP name of the |
|
319 -local site, rather than the name of a remote site, and the UUCP name |
|
320 -is entered into class {w} (the list of local hostnames) as $U.UUCP. |
|
321 - |
|
322 -The siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing |
|
323 -more than a sequence of SITE macros describing connectivity. For |
|
324 -example: |
|
325 - |
|
326 - SITE(`cnmat') |
|
327 - SITE(`sgi olympus') |
|
328 - |
|
329 -The second example demonstrates that you can use two names on the |
|
330 -same line; these are usually aliases for the same host (or are at |
|
331 -least in the same company). |
|
332 - |
|
333 -The macro LOCAL_UUCP can be used to add rules into the generated |
|
334 -cf file at the place where MAILER(`uucp') inserts its rules. This |
|
335 -should only be used if really necessary. |
|
336 - |
|
337 +--------------------+ |
|
338 | USING UUCP MAILERS | |
|
339 +--------------------+ |
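Review bot: deleting the whole SITE CONFIGURATION section (lines 278-336) also removes the only documentation of the SITECONFIG, SITE and LOCAL_UUCP macros, which are not Berkeley-specific even though the examples are; unless the package also strips those macros from the m4 sources, keep the description of SITECONFIG's three parameters and the LOCAL_UUCP paragraph and drop only the ucbvax/ucbarpa examples. Removing the HACKS section is fine if the cssubdomain hack is not shipped.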
|
340 @@ -2424,7 +2204,7 @@ |
|
341 map entries. This feature allows spammers to abuse your mail server |
|
342 by specifying a return address that you enabled in your access file. |
|
343 This may be harder to figure out for spammers, but it should not |
|
344 -be used unless necessary. Instead use SMTP AUTH or STARTTLS to |
|
345 +be used unless necessary. Instead use STARTTLS to |
|
346 allow relaying for roaming users. |
|
347 |
|
348 |
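Review bot: line 345 is left short (`be used unless necessary. Instead use STARTTLS to`) with `allow relaying for roaming users.` on the next line; reflow the two lines. Since this patch removes SMTP AUTH entirely, STARTTLS becomes the only documented way to relay for roaming users, and it would help the reader to say so here and point at the STARTTLS section.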
|
349 @@ -2890,8 +2670,7 @@ |
|
350 tokenization. It might be simpler to use a regex map and apply it |
|
351 to $&{currHeader}. |
|
352 2. There are no default rulesets coming with this distribution of |
|
353 -sendmail. You can write your own, can search the WWW for examples, |
|
354 -or take a look at cf/cf/knecht.mc. |
|
355 +sendmail. You can write your own or search the WWW for examples. |
|
356 3. When using a default ruleset for headers, the name of the header |
|
357 currently being checked can be found in the $&{hdr_name} macro. |
|
358 |
|
359 @@ -3192,101 +2971,6 @@ |
|
360 (version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify}) |
|
361 |
|
362 |
|
363 -+---------------------+ |
|
364 -| SMTP AUTHENTICATION | |
|
365 -+---------------------+ |
|
366 - |
|
367 -The macros ${auth_authen}, ${auth_author}, and ${auth_type} can be |
|
368 -used in anti-relay rulesets to allow relaying for those users that |
|
369 -authenticated themselves. A very simple example is: |
|
370 - |
|
371 -SLocal_check_rcpt |
|
372 -R$* $: $&{auth_type} |
|
373 -R$+ $# OK |
|
374 - |
|
375 -which checks whether a user has successfully authenticated using |
|
376 -any available mechanism. Depending on the setup of the Cyrus SASL |
|
377 -library, more sophisticated rulesets might be required, e.g., |
|
378 - |
|
379 -SLocal_check_rcpt |
|
380 -R$* $: $&{auth_type} $| $&{auth_authen} |
|
381 -RDIGEST-MD5 $| $+@$=w $# OK |
|
382 - |
|
383 -to allow relaying for users that authenticated using DIGEST-MD5 |
|
384 -and have an identity in the local domains. |
|
385 - |
|
386 -The ruleset trust_auth is used to determine whether a given AUTH= |
|
387 -parameter (that is passed to this ruleset) should be trusted. This |
|
388 -ruleset may make use of the other ${auth_*} macros. Only if the |
|
389 -ruleset resolves to the error mailer, the AUTH= parameter is not |
|
390 -trusted. A user supplied ruleset Local_trust_auth can be written |
|
391 -to modify the default behavior, which only trust the AUTH= |
|
392 -parameter if it is identical to the authenticated user. |
|
393 - |
|
394 -Per default, relaying is allowed for any user who authenticated |
|
395 -via a "trusted" mechanism, i.e., one that is defined via |
|
396 -TRUST_AUTH_MECH(`list of mechanisms') |
|
397 -For example: |
|
398 -TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5') |
|
399 - |
|
400 -If the selected mechanism provides a security layer the number of |
|
401 -bits used for the key of the symmetric cipher is stored in the |
|
402 -macro ${auth_ssf}. |
|
403 - |
|
404 -Providing SMTP AUTH Data when sendmail acts as Client |
|
405 ------------------------------------------------------ |
|
406 - |
|
407 -If sendmail acts as client, it needs some information how to |
|
408 -authenticate against another MTA. This information can be provided |
|
409 -by the ruleset authinfo or by the option DefaultAuthInfo. The |
|
410 -authinfo ruleset looks up {server_name} using the tag AuthInfo: in |
|
411 -the access map. If no entry is found, {server_addr} is looked up |
|
412 -in the same way and finally just the tag AuthInfo: to provide |
|
413 -default values. Note: searches for domain parts or IP nets are |
|
414 -only performed if the access map is used; if the authinfo feature |
|
415 -is used then only up to three lookups are performed (two exact |
|
416 -matches, one default). |
|
417 - |
|
418 -Note: If your daemon does client authentication when sending, and |
|
419 -if it uses either PLAIN or LOGIN authentication, then you *must* |
|
420 -prevent ordinary users from seeing verbose output. Do NOT install |
|
421 -sendmail set-user-ID. Use PrivacyOptions to turn off verbose output |
|
422 -("goaway" works for this). |
|
423 - |
|
424 -Notice: the default configuration file causes the option DefaultAuthInfo |
|
425 -to fail since the ruleset authinfo is in the .cf file. If you really |
|
426 -want to use DefaultAuthInfo (it is deprecated) then you have to |
|
427 -remove the ruleset. |
|
428 - |
|
429 -The RHS for an AuthInfo: entry in the access map should consists of a |
|
430 -list of tokens, each of which has the form: "TDstring" (including |
|
431 -the quotes). T is a tag which describes the item, D is a delimiter, |
|
432 -either ':' for simple text or '=' for a base64 encoded string. |
|
433 -Valid values for the tag are: |
|
434 - |
|
435 - U user (authorization) id |
|
436 - I authentication id |
|
437 - P password |
|
438 - R realm |
|
439 - M list of mechanisms delimited by spaces |
|
440 - |
|
441 -Example entries are: |
|
442 - |
|
443 -AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5" |
|
444 -AuthInfo:host.more.dom "U:user" "P=c2VjcmV0" |
|
445 - |
|
446 -User id or authentication id must exist as well as the password. All |
|
447 -other entries have default values. If one of user or authentication |
|
448 -id is missing, the existing value is used for the missing item. |
|
449 -If "R:" is not specified, realm defaults to $j. The list of mechanisms |
|
450 -defaults to those specified by AuthMechanisms. |
|
451 - |
|
452 -Since this map contains sensitive information, either the access |
|
453 -map must be unreadable by everyone but root (or the trusted user) |
|
454 -or FEATURE(`authinfo') must be used which provides a separate map. |
|
455 -Notice: It is not checked whether the map is actually |
|
456 -group/world-unreadable, this is left to the user. |
|
457 - |
|
458 +--------------------------------+ |
|
459 | ADDING NEW MAILERS OR RULESETS | |
|
460 +--------------------------------+ |
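Review bot: this hunk removes the entire SMTP AUTHENTICATION section, and the rest of the patch removes every AUTH-related option and feature, but the header comment only says the patch is Solaris-specific; record the actual reason (for example that the shipped binary is built without SASL) in the header so a maintainer of a later release can tell whether the removal still applies. The section's warnings about verbose output with PLAIN/LOGIN (lines 418-422) and about map permissions (lines 452-456) go with it, which is only correct as long as AUTH really is unavailable in the shipped build.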
|
461 @@ -3612,8 +3296,6 @@ |
|
462 This list is shown in four columns: the name you define, the default |
|
463 value for that definition, the option or macro that is affected |
|
464 (either Ox for an option or Dx for a macro), and a brief description. |
|
465 -Greater detail of the semantics can be found in the Installation |
|
466 -and Operations Guide. |
|
467 |
|
468 Some options are likely to be deprecated in future versions -- that is, |
|
469 the option is only included to provide back-compatibility. These are |
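Review bot: lines 465-466 are deleted rather than repointed, yet the first hunk of this patch introduced an on-line URL for the Installation and Operation Guide precisely so that such references could survive; keep the sentence and rely on that URL instead of removing the only pointer to where the option semantics are documented.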
|
470 @@ -3837,8 +3519,6 @@ |
|
471 (e.g., :include: file) to be opened. |
|
472 confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response |
|
473 to an LMTP LHLO command. |
|
474 -confTO_AUTH Timeout.auth [10m] The timeout waiting for a |
|
475 - response in an AUTH dialogue. |
|
476 confTO_STARTTLS Timeout.starttls |
|
477 [1h] The timeout waiting for a |
|
478 response to an SMTP STARTTLS command. |
|
479 @@ -4197,46 +3877,6 @@ |
|
480 memory-buffered transcript (xf) |
|
481 file before a disk-based file is |
|
482 used. |
|
483 -confAUTH_MECHANISMS AuthMechanisms [GSSAPI KERBEROS_V4 DIGEST-MD5 |
|
484 - CRAM-MD5] List of authentication |
|
485 - mechanisms for AUTH (separated by |
|
486 - spaces). The advertised list of |
|
487 - authentication mechanisms will be the |
|
488 - intersection of this list and the list |
|
489 - of available mechanisms as determined |
|
490 - by the Cyrus SASL library. |
|
491 -confAUTH_REALM AuthRealm [undefined] The authentication realm |
|
492 - that is passed to the Cyrus SASL |
|
493 - library. If no realm is specified, |
|
494 - $j is used. |
|
495 -confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains |
|
496 - authentication information for |
|
497 - outgoing connections. This file must |
|
498 - contain the user id, the authorization |
|
499 - id, the password (plain text), the |
|
500 - realm to use, and the list of |
|
501 - mechanisms to try, each on a separate |
|
502 - line and must be readable by root (or |
|
503 - the trusted user) only. If no realm |
|
504 - is specified, $j is used. If no |
|
505 - mechanisms are given in the file, |
|
506 - AuthMechanisms is used. Notice: this |
|
507 - option is deprecated and will be |
|
508 - removed in future versions; it doesn't |
|
509 - work for the MSP since it can't read |
|
510 - the file. Use the authinfo ruleset |
|
511 - instead. See also the section SMTP |
|
512 - AUTHENTICATION. |
|
513 -confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A' |
|
514 - then the AUTH= parameter for the |
|
515 - MAIL FROM command is only issued |
|
516 - when authentication succeeded. |
|
517 - See doc/op/op.me for more options |
|
518 - and details. |
|
519 -confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption |
|
520 - strength for the security layer in |
|
521 - SMTP AUTH (SASL). Default is |
|
522 - essentially unlimited. |
|
523 confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client |
|
524 verification is performed, i.e., |
|
525 the server doesn't ask for a |
|
526 @@ -4288,7 +3928,7 @@ |
|
527 [undefined] Defines {daemon_flags} |
|
528 for direct submissions. |
|
529 confUSE_MSP UseMSP [undefined] Use as mail submission |
|
530 - program, see sendmail/SECURITY. |
|
531 + program. |
|
532 confDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By |
|
533 SMTP Service Extension (RFC 2852). |
|
534 confREQUIRES_DIR_FSYNC RequiresDirfsync [true] RequiresDirfsync can |
|
535 @@ -4434,8 +4074,7 @@ |
|
536 | MESSAGE SUBMISSION PROGRAM | |
|
537 +----------------------------+ |
|
538 |
|
539 -The purpose of the message submission program (MSP) is explained |
|
540 -in sendmail/SECURITY. This section contains a list of caveats and |
|
541 +This section contains a list of caveats and |
|
542 a few hints how for those who want to tweak the default configuration |
|
543 for it (which is installed as submit.cf). |
|
544 |
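Review bot: with lines 539-540 gone, the MESSAGE SUBMISSION PROGRAM section never says what the MSP is before listing caveats about it; since sendmail/SECURITY is not shipped, replace the deleted sentence with a one-line description of the MSP's role, or point at the on-line guide introduced at the top of this patch.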
|
545 @@ -4450,13 +4089,10 @@ |
|
546 of the default background mode. |
|
547 - FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses |
|
548 to the LOCAL_RELAY instead of the default relay. |
|
549 -- confRAND_FILE if you use STARTTLS and sendmail is not compiled with |
|
550 - the flag HASURANDOM. |
|
551 |
|
552 -The MSP performs hostname canonicalization by default. As also |
|
553 -explained in sendmail/SECURITY, mail may end up for various DNS |
|
554 -related reasons in the MSP queue. This problem can be minimized by |
|
555 -using |
|
556 +The MSP performs hostname canonicalization by default. Mail may end |
|
557 +up for various DNS related reasons in the MSP queue. This problem |
|
558 +can be minimized by using |
|
559 |
|
560 FEATURE(`nocanonify', `canonify_hosts') |
|
561 define(`confDIRECT_SUBMISSION_MODIFIERS', `C') |
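Review bot: dropping the confRAND_FILE bullet (lines 549-550) is only right if every Solaris build defines HASURANDOM; state that assumption in the header comment, because on a build without it STARTTLS in the MSP would still need the random file and the reader now gets no hint. The rewording at lines 556-558 is fine.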
|
562 @@ -4472,39 +4108,10 @@ |
|
563 can cause security problems. |
|
564 |
|
565 Other things don't work well with the MSP and require tweaking or |
|
566 -workarounds. For example, to allow for client authentication it |
|
567 -is not just sufficient to provide a client certificate and the |
|
568 -corresponding key, but it is also necessary to make the key group |
|
569 -(smmsp) readable and tell sendmail not to complain about that, i.e., |
|
570 - |
|
571 - define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile') |
|
572 - |
|
573 -If the MSP should actually use AUTH then the necessary data |
|
574 -should be placed in a map as explained in SMTP AUTHENTICATION: |
|
575 - |
|
576 -FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo') |
|
577 - |
|
578 -/etc/mail/msp-authinfo should contain an entry like: |
|
579 - |
|
580 - AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5" |
|
581 +workarounds. |
|
582 |
|
583 The file and the map created by makemap should be owned by smmsp, |
|
584 -its group should be smmsp, and it should have mode 640. The database |
|
585 -used by the MTA for AUTH must have a corresponding entry. |
|
586 -Additionally the MTA must trust this authentication data so the AUTH= |
|
587 -part will be relayed on to the next hop. This can be achieved by |
|
588 -adding the following to your sendmail.mc file: |
|
589 - |
|
590 - LOCAL_RULESETS |
|
591 - SLocal_trust_auth |
|
592 - R$* $: $&{auth_authen} |
|
593 - Rsmmsp $# OK |
|
594 - |
|
595 -Note: the authentication data can leak to local users who invoke |
|
596 -the MSP with debug options or even with -v. For that reason either |
|
597 -an authentication mechanism that does not show the password in the |
|
598 -AUTH dialogue (e.g., DIGEST-MD5) or a different authentication |
|
599 -method like STARTTLS should be used. |
|
600 +its group should be smmsp, and it should have mode 640. |
|
601 |
|
602 feature/msp.m4 defines almost all settings for the MSP. Most of |
|
603 those should not be changed at all. Some of the features and options |
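Review bot: the context line `The file and the map created by makemap should be owned by smmsp,` together with the new line 600 now describes a file that is no longer introduced anywhere, because the /etc/mail/msp-authinfo example it refers to is deleted in this same hunk; either delete that sentence as well or restore what it refers to. The client-certificate advice at lines 566-571 (making the key group-readable and setting GroupReadableKeyFile) concerns STARTTLS client authentication, not SMTP AUTH, and STARTTLS remains documented, so that paragraph should stay; as cut, `Other things don't work well with the MSP and require tweaking or workarounds.` is left with no example at all.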