# This patch is Solaris-specific and thus has not been contributed upstream.
--- sendmail-8.15.1.30/cf/README.~1~ 2015-05-22 06:42:27.000000000 -0700
+++ sendmail-8.15.1.30/cf/README 2015-05-23 15:44:42.381819318 -0700
@@ -4,12 +4,10 @@
This document describes the sendmail configuration files. It
explains how to create a sendmail.cf file for use with sendmail.
It also describes how to set options for sendmail which are explained
-in the Sendmail Installation and Operation guide (doc/op/op.me).
-
-To get started, you may want to look at tcpproto.mc (for TCP-only
-sites) and clientproto.mc (for clusters of clients using a single
-mail host), or the generic-*.mc files as operating system-specific
-examples.
+in the Sendmail Installation and Operation guide, which can be found
+on-line at http://www.sendmail.org/%7Eca/email/doc8.12/op.html .
+Recall this URL throughout this document when references to
+doc/op/op.* are made.
Table of Content:
@@ -30,7 +28,6 @@
ANTI-SPAM CONFIGURATION CONTROL
CONNECTION CONTROL
STARTTLS
-SMTP AUTHENTICATION
ADDING NEW MAILERS OR RULESETS
ADDING NEW MAIL FILTERS
QUEUE GROUP DEFINITIONS
@@ -61,7 +58,7 @@
Alternatively, you can simply:
cd ${CFDIR}/cf
- ./Build config.cf
+ /usr/bin/make config.cf
where ${CFDIR} is the root of the cf directory and config.mc is the
name of your configuration file. If you are running a version of M4
@@ -149,14 +146,6 @@
a define(`PROCMAIL_MAILER_PATH', ...) should be done before
FEATURE(`local_procmail').
-*******************************************************************
-*** BE SURE YOU CUSTOMIZE THESE FILES! They have some ***
-*** Berkeley-specific assumptions built in, such as the name ***
-*** of their UUCP-relay. You'll want to create your own ***
-*** domain description, and use that in place of ***
-*** domain/Berkeley.EDU.m4. ***
-*******************************************************************
-
Note:
Some rulesets, features, and options are only useful if the sendmail
@@ -217,20 +206,6 @@
messages; in the worst case it might be ok to change the value
directly in the generated .cf file, which however is not advised.
-
-Notice:
--------
-
-This package requires a post-V7 version of m4; if you are running the
-4.2bsd, SysV.2, or 7th Edition version. SunOS's /usr/5bin/m4 or
-BSD-Net/2's m4 both work. GNU m4 version 1.1 or later also works.
-Unfortunately, the M4 on BSDI 1.0 doesn't work -- you'll have to use a
-Net/2 or GNU version. GNU m4 is available from
-ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.tar.gz (check for the latest version).
-EXCEPTIONS: DEC's m4 on Digital UNIX 4.x is broken (3.x is fine). Use GNU
-m4 on this platform.
-
-
+----------------+
| FILE LOCATIONS |
+----------------+
@@ -339,8 +314,7 @@
corresponding queue file types as explained in
doc/op/op.me. See also QUEUE GROUP DEFINITIONS.
MSP_QUEUE_DIR [/var/spool/clientmqueue] The directory containing
- queue files for the MSP (Mail Submission Program,
- see sendmail/SECURITY).
+ queue files for the MSP (Mail Submission Program).
STATUS_FILE [/etc/mail/statistics] The file containing status
information.
LOCAL_MAILER_PATH [/bin/mail] The program used to deliver local mail.
@@ -370,17 +344,6 @@
LOCAL_SHELL_DIR [$z:/] The directory search path in which the
shell should run.
LOCAL_MAILER_QGRP [undefined] The queue group for the local mailer.
-USENET_MAILER_PATH [/usr/lib/news/inews] The name of the program
- used to submit news.
-USENET_MAILER_FLAGS [rsDFMmn] The mailer flags for the usenet mailer.
-USENET_MAILER_ARGS [-m -h -n] The command line arguments for the
- usenet mailer. NOTE: Some versions of inews
- (such as those shipped with newer versions of INN)
- use different flags. Double check the defaults
- against the inews man page.
-USENET_MAILER_MAX [undefined] The maximum size of messages that will
- be accepted by the usenet mailer.
-USENET_MAILER_QGRP [undefined] The queue group for the usenet mailer.
SMTP_MAILER_FLAGS [undefined] Flags added to SMTP mailer. Default
flags are `mDFMuX' for all SMTP-based mailers; the
"esmtp" mailer adds `a'; "smtp8" adds `8'; and
@@ -437,17 +400,6 @@
the UUCP mailers and which are converted to MIME will
be labeled with this character set.
UUCP_MAILER_QGRP [undefined] The queue group for the UUCP mailers.
-FAX_MAILER_PATH [/usr/local/lib/fax/mailfax] The program used to
- submit FAX messages.
-FAX_MAILER_ARGS [mailfax $u $h $f] The arguments passed to the FAX
- mailer.
-FAX_MAILER_MAX [100000] The maximum size message accepted for
- transmission by FAX.
-POP_MAILER_PATH [/usr/lib/mh/spop] The pathname of the POP mailer.
-POP_MAILER_FLAGS [Penu] Flags added to POP mailer. Flags lsDFMq
- are always added.
-POP_MAILER_ARGS [pop $u] The arguments passed to the POP mailer.
-POP_MAILER_QGRP [undefined] The queue group for the pop mailer.
PROCMAIL_MAILER_PATH [/usr/local/bin/procmail] The path to the procmail
program. This is also used by
FEATURE(`local_procmail').
@@ -462,60 +414,9 @@
PROCMAIL_MAILER_MAX [undefined] If set, the maximum size message that
will be accepted by the procmail mailer.
PROCMAIL_MAILER_QGRP [undefined] The queue group for the procmail mailer.
-MAIL11_MAILER_PATH [/usr/etc/mail11] The path to the mail11 mailer.
-MAIL11_MAILER_FLAGS [nsFx] Flags for the mail11 mailer.
-MAIL11_MAILER_ARGS [mail11 $g $x $h $u] Arguments passed to the mail11
- mailer.
-MAIL11_MAILER_QGRP [undefined] The queue group for the mail11 mailer.
-PH_MAILER_PATH [/usr/local/etc/phquery] The path to the phquery
- program.
-PH_MAILER_FLAGS [ehmu] Flags for the phquery mailer. Flags nrDFM
- are always set.
-PH_MAILER_ARGS [phquery -- $u] -- arguments to the phquery mailer.
-PH_MAILER_QGRP [undefined] The queue group for the ph mailer.
-CYRUS_MAILER_FLAGS [Ah5@/:|] The flags used by the cyrus mailer. The
- flags lsDFMnPq are always included.
-CYRUS_MAILER_PATH [/usr/cyrus/bin/deliver] The program used to deliver
- cyrus mail.
-CYRUS_MAILER_ARGS [deliver -e -m $h -- $u] The arguments passed
- to deliver cyrus mail.
-CYRUS_MAILER_MAX [undefined] If set, the maximum size message that
- will be accepted by the cyrus mailer.
-CYRUS_MAILER_USER [cyrus:mail] The user and group to become when
- running the cyrus mailer.
-CYRUS_MAILER_QGRP [undefined] The queue group for the cyrus mailer.
-CYRUS_BB_MAILER_FLAGS [u] The flags used by the cyrusbb mailer.
- The flags lsDFMnP are always included.
-CYRUS_BB_MAILER_ARGS [deliver -e -m $u] The arguments passed
- to deliver cyrusbb mail.
-CYRUSV2_MAILER_FLAGS [A@/:|m] The flags used by the cyrusv2 mailer. The
- flags lsDFMnqXz are always included.
-CYRUSV2_MAILER_MAXMSGS [undefined] If defined, the maximum number of
- messages to deliver in a single connection for the
- cyrusv2 mailer.
-CYRUSV2_MAILER_MAXRCPTS [undefined] If defined, the maximum number of
- recipients to deliver in a single connection for the
- cyrusv2 mailer.
-CYRUSV2_MAILER_ARGS [FILE /var/imap/socket/lmtp] The arguments passed
- to the cyrusv2 mailer. This can be used to
- change the name of the Unix domain socket, or
- to switch to delivery via TCP (e.g., `TCP $h lmtp')
-CYRUSV2_MAILER_QGRP [undefined] The queue group for the cyrusv2 mailer.
-CYRUSV2_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data
- that ARRIVE from an address that resolves to one the
- Cyrus mailer and which are converted to MIME will
- be labeled with this character set.
confEBINDIR [/usr/libexec] The directory for executables.
Currently used for FEATURE(`local_lmtp') and
FEATURE(`smrsh').
-QPAGE_MAILER_FLAGS [mDFMs] The flags used by the qpage mailer.
-QPAGE_MAILER_PATH [/usr/local/bin/qpage] The program used to deliver
- qpage mail.
-QPAGE_MAILER_ARGS [qpage -l0 -m -P$u] The arguments passed
- to deliver qpage mail.
-QPAGE_MAILER_MAX [4096] If set, the maximum size message that
- will be accepted by the qpage mailer.
-QPAGE_MAILER_QGRP [undefined] The queue group for the qpage mailer.
LOCAL_PROG_QGRP [undefined] The queue group for the prog mailer.
Note: to tweak Name_MAILER_FLAGS use the macro MODIFY_MAILER_FLAGS:
@@ -633,18 +534,6 @@
See the section below describing UUCP mailers in more
detail.
-usenet Usenet (network news) delivery. If this is specified,
- an extra rule is added to ruleset 0 that forwards all
- local email for users named ``group.usenet'' to the
- ``inews'' program. Note that this works for all groups,
- and may be considered a security problem.
-
-fax Facsimile transmission. This is experimental and based
- on Sam Leffler's HylaFAX software. For more information,
- see http://www.hylafax.org/.
-
-pop Post Office Protocol.
-
procmail An interface to procmail (does not come with sendmail).
This is designed to be used in mailertables. For example,
a common question is "how do I forward all mail for a given
@@ -667,37 +556,6 @@
Of course there are other ways to solve this particular
problem, e.g., a catch-all entry in a virtusertable.
-mail11 The DECnet mail11 mailer, useful only if you have the mail11
- program from gatekeeper.dec.com:/pub/DEC/gwtools (and
- DECnet, of course). This is for Phase IV DECnet support;
- if you have Phase V at your site you may have additional
- problems.
-
-phquery The phquery program. This is somewhat counterintuitively
- referenced as the "ph" mailer internally. It can be used
- to do CCSO name server lookups. The phquery program, which
- this mailer uses, is distributed with the ph client.
-
-cyrus The cyrus and cyrusbb mailers. The cyrus mailer delivers to
- a local cyrus user. this mailer can make use of the
- "[email protected]" syntax (see
- FEATURE(`preserve_local_plus_detail')); it will deliver the
- mail to the user's "detail" mailbox if the mailbox's ACL
- permits. The cyrusbb mailer delivers to a system-wide
- cyrus mailbox if the mailbox's ACL permits. The cyrus
- mailer must be defined after the local mailer.
-
-cyrusv2 The mailer for Cyrus v2.x. The cyrusv2 mailer delivers to
- local cyrus users via LMTP. This mailer can make use of the
- "[email protected]" syntax (see
- FEATURE(`preserve_local_plus_detail')); it will deliver the
- mail to the user's "detail" mailbox if the mailbox's ACL
- permits. The cyrusv2 mailer must be defined after the
- local mailer.
-
-qpage A mailer for QuickPage, a pager interface. See
- http://www.qpage.org/ for further information.
-
The local mailer accepts addresses of the form "user+detail", where
the "+detail" is not used for mailbox matching but is available
to certain local mail programs (in particular, see
@@ -1413,12 +1271,6 @@
user@site for relaying. This feature changes that
behavior. It should not be needed for most installations.
-authinfo Provide a separate map for client side authentication
- information. See SMTP AUTHENTICATION for details.
- By default, the authinfo database specification is:
-
- hash /etc/mail/authinfo
-
preserve_luser_host
Preserve the name of the recipient host if LUSER_RELAY is
used. Without this option, the domain part of the
@@ -1455,7 +1307,7 @@
FEATURE and introduce new settings via DAEMON_OPTIONS().
msp Defines config file for Message Submission Program.
- See sendmail/SECURITY for details and cf/cf/submit.mc how
+ See cf/submit.mc for how
to use it. An optional argument can be used to override
the default of `[localhost]' to use as host to send all
e-mails to. Note that MX records will be used if the
@@ -1603,78 +1455,6 @@
has been compiled with the options MAP_REGEX and
DNSMAP.
-+-------+
-| HACKS |
-+-------+
-
-Some things just can't be called features. To make this clear,
-they go in the hack subdirectory and are referenced using the HACK
-macro. These will tend to be site-dependent. The release
-includes the Berkeley-dependent "cssubdomain" hack (that makes
-sendmail accept local names in either Berkeley.EDU or CS.Berkeley.EDU;
-this is intended as a short-term aid while moving hosts into
-subdomains.
-
-
-+--------------------+
-| SITE CONFIGURATION |
-+--------------------+
-
- *****************************************************
- * This section is really obsolete, and is preserved *
- * only for back compatibility. You should plan on *
- * using mailertables for new installations. In *
- * particular, it doesn't work for the newer forms *
- * of UUCP mailers, such as uucp-uudom. *
- *****************************************************
-
-Complex sites will need more local configuration information, such as
-lists of UUCP hosts they speak with directly. This can get a bit more
-tricky. For an example of a "complex" site, see cf/ucbvax.mc.
-
-The SITECONFIG macro allows you to indirectly reference site-dependent
-configuration information stored in the siteconfig subdirectory. For
-example, the line
-
- SITECONFIG(`uucp.ucbvax', `ucbvax', `U')
-
-reads the file uucp.ucbvax for local connection information. The
-second parameter is the local name (in this case just "ucbvax" since
-it is locally connected, and hence a UUCP hostname). The third
-parameter is the name of both a macro to store the local name (in
-this case, {U}) and the name of the class (e.g., {U}) in which to store
-the host information read from the file. Another SITECONFIG line reads
-
- SITECONFIG(`uucp.ucbarpa', `ucbarpa.Berkeley.EDU', `W')
-
-This says that the file uucp.ucbarpa contains the list of UUCP sites
-connected to ucbarpa.Berkeley.EDU. Class {W} will be used to
-store this list, and $W is defined to be ucbarpa.Berkeley.EDU, that
-is, the name of the relay to which the hosts listed in uucp.ucbarpa
-are connected. [The machine ucbarpa is gone now, but this
-out-of-date configuration file has been left around to demonstrate
-how you might do this.]
-
-Note that the case of SITECONFIG with a third parameter of ``U'' is
-special; the second parameter is assumed to be the UUCP name of the
-local site, rather than the name of a remote site, and the UUCP name
-is entered into class {w} (the list of local hostnames) as $U.UUCP.
-
-The siteconfig file (e.g., siteconfig/uucp.ucbvax.m4) contains nothing
-more than a sequence of SITE macros describing connectivity. For
-example:
-
- SITE(`cnmat')
- SITE(`sgi olympus')
-
-The second example demonstrates that you can use two names on the
-same line; these are usually aliases for the same host (or are at
-least in the same company).
-
-The macro LOCAL_UUCP can be used to add rules into the generated
-cf file at the place where MAILER(`uucp') inserts its rules. This
-should only be used if really necessary.
-
+--------------------+
| USING UUCP MAILERS |
+--------------------+
@@ -2462,7 +2242,7 @@
map entries. This feature allows spammers to abuse your mail server
by specifying a return address that you enabled in your access file.
This may be harder to figure out for spammers, but it should not
-be used unless necessary. Instead use SMTP AUTH or STARTTLS to
+be used unless necessary. Instead use STARTTLS to
allow relaying for roaming users.
@@ -2930,8 +2710,7 @@
tokenization. It might be simpler to use a regex map and apply it
to $&{currHeader}.
2. There are no default rulesets coming with this distribution of
-sendmail. You can write your own, can search the WWW for examples,
-or take a look at cf/cf/knecht.mc.
+sendmail. You can write your own or search the WWW for examples.
3. When using a default ruleset for headers, the name of the header
currently being checked can be found in the $&{hdr_name} macro.
@@ -3264,101 +3043,6 @@
(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})
-+---------------------+
-| SMTP AUTHENTICATION |
-+---------------------+
-
-The macros ${auth_authen}, ${auth_author}, and ${auth_type} can be
-used in anti-relay rulesets to allow relaying for those users that
-authenticated themselves. A very simple example is:
-
-SLocal_check_rcpt
-R$* $: $&{auth_type}
-R$+ $# OK
-
-which checks whether a user has successfully authenticated using
-any available mechanism. Depending on the setup of the Cyrus SASL
-library, more sophisticated rulesets might be required, e.g.,
-
-SLocal_check_rcpt
-R$* $: $&{auth_type} $| $&{auth_authen}
-RDIGEST-MD5 $| $+@$=w $# OK
-
-to allow relaying for users that authenticated using DIGEST-MD5
-and have an identity in the local domains.
-
-The ruleset trust_auth is used to determine whether a given AUTH=
-parameter (that is passed to this ruleset) should be trusted. This
-ruleset may make use of the other ${auth_*} macros. Only if the
-ruleset resolves to the error mailer, the AUTH= parameter is not
-trusted. A user supplied ruleset Local_trust_auth can be written
-to modify the default behavior, which only trust the AUTH=
-parameter if it is identical to the authenticated user.
-
-Per default, relaying is allowed for any user who authenticated
-via a "trusted" mechanism, i.e., one that is defined via
-TRUST_AUTH_MECH(`list of mechanisms')
-For example:
-TRUST_AUTH_MECH(`KERBEROS_V4 DIGEST-MD5')
-
-If the selected mechanism provides a security layer the number of
-bits used for the key of the symmetric cipher is stored in the
-macro ${auth_ssf}.
-
-Providing SMTP AUTH Data when sendmail acts as Client
------------------------------------------------------
-
-If sendmail acts as client, it needs some information how to
-authenticate against another MTA. This information can be provided
-by the ruleset authinfo or by the option DefaultAuthInfo. The
-authinfo ruleset looks up {server_name} using the tag AuthInfo: in
-the access map. If no entry is found, {server_addr} is looked up
-in the same way and finally just the tag AuthInfo: to provide
-default values. Note: searches for domain parts or IP nets are
-only performed if the access map is used; if the authinfo feature
-is used then only up to three lookups are performed (two exact
-matches, one default).
-
-Note: If your daemon does client authentication when sending, and
-if it uses either PLAIN or LOGIN authentication, then you *must*
-prevent ordinary users from seeing verbose output. Do NOT install
-sendmail set-user-ID. Use PrivacyOptions to turn off verbose output
-("goaway" works for this).
-
-Notice: the default configuration file causes the option DefaultAuthInfo
-to fail since the ruleset authinfo is in the .cf file. If you really
-want to use DefaultAuthInfo (it is deprecated) then you have to
-remove the ruleset.
-
-The RHS for an AuthInfo: entry in the access map should consists of a
-list of tokens, each of which has the form: "TDstring" (including
-the quotes). T is a tag which describes the item, D is a delimiter,
-either ':' for simple text or '=' for a base64 encoded string.
-Valid values for the tag are:
-
- U user (authorization) id
- I authentication id
- P password
- R realm
- M list of mechanisms delimited by spaces
-
-Example entries are:
-
-AuthInfo:other.dom "U:user" "I:user" "P:secret" "R:other.dom" "M:DIGEST-MD5"
-AuthInfo:host.more.dom "U:user" "P=c2VjcmV0"
-
-User id or authentication id must exist as well as the password. All
-other entries have default values. If one of user or authentication
-id is missing, the existing value is used for the missing item.
-If "R:" is not specified, realm defaults to $j. The list of mechanisms
-defaults to those specified by AuthMechanisms.
-
-Since this map contains sensitive information, either the access
-map must be unreadable by everyone but root (or the trusted user)
-or FEATURE(`authinfo') must be used which provides a separate map.
-Notice: It is not checked whether the map is actually
-group/world-unreadable, this is left to the user.
-
+--------------------------------+
| ADDING NEW MAILERS OR RULESETS |
+--------------------------------+
@@ -3684,8 +3368,6 @@
This list is shown in four columns: the name you define, the default
value for that definition, the option or macro that is affected
(either Ox for an option or Dx for a macro), and a brief description.
-Greater detail of the semantics can be found in the Installation
-and Operations Guide.
Some options are likely to be deprecated in future versions -- that is,
the option is only included to provide back-compatibility. These are
@@ -3915,8 +3597,6 @@
(e.g., :include: file) to be opened.
confTO_LHLO Timeout.lhlo [2m] The timeout waiting for a response
to an LMTP LHLO command.
-confTO_AUTH Timeout.auth [10m] The timeout waiting for a
- response in an AUTH dialogue.
confTO_STARTTLS Timeout.starttls
[1h] The timeout waiting for a
response to an SMTP STARTTLS command.
@@ -4282,46 +3962,6 @@
memory-buffered transcript (xf)
file before a disk-based file is
used.
-confAUTH_MECHANISMS AuthMechanisms [GSSAPI KERBEROS_V4 DIGEST-MD5
- CRAM-MD5] List of authentication
- mechanisms for AUTH (separated by
- spaces). The advertised list of
- authentication mechanisms will be the
- intersection of this list and the list
- of available mechanisms as determined
- by the Cyrus SASL library.
-confAUTH_REALM AuthRealm [undefined] The authentication realm
- that is passed to the Cyrus SASL
- library. If no realm is specified,
- $j is used. See KNOWNBUGS.
-confDEF_AUTH_INFO DefaultAuthInfo [undefined] Name of file that contains
- authentication information for
- outgoing connections. This file must
- contain the user id, the authorization
- id, the password (plain text), the
- realm to use, and the list of
- mechanisms to try, each on a separate
- line and must be readable by root (or
- the trusted user) only. If no realm
- is specified, $j is used. If no
- mechanisms are given in the file,
- AuthMechanisms is used. Notice: this
- option is deprecated and will be
- removed in future versions; it doesn't
- work for the MSP since it can't read
- the file. Use the authinfo ruleset
- instead. See also the section SMTP
- AUTHENTICATION.
-confAUTH_OPTIONS AuthOptions [undefined] If this option is 'A'
- then the AUTH= parameter for the
- MAIL FROM command is only issued
- when authentication succeeded.
- See doc/op/op.me for more options
- and details.
-confAUTH_MAX_BITS AuthMaxBits [INT_MAX] Limit the maximum encryption
- strength for the security layer in
- SMTP AUTH (SASL). Default is
- essentially unlimited.
confTLS_SRV_OPTIONS TLSSrvOptions If this option is 'V' no client
verification is performed, i.e.,
the server doesn't ask for a
@@ -4386,7 +4026,7 @@
[undefined] Defines {daemon_flags}
for direct submissions.
confUSE_MSP UseMSP [undefined] Use as mail submission
- program, see sendmail/SECURITY.
+ program.
confDELIVER_BY_MIN DeliverByMin [0] Minimum time for Deliver By
SMTP Service Extension (RFC 2852).
confREQUIRES_DIR_FSYNC RequiresDirfsync [true] RequiresDirfsync can
@@ -4532,8 +4172,7 @@
| MESSAGE SUBMISSION PROGRAM |
+----------------------------+
-The purpose of the message submission program (MSP) is explained
-in sendmail/SECURITY. This section contains a list of caveats and
+This section contains a list of caveats and
a few hints how for those who want to tweak the default configuration
for it (which is installed as submit.cf).
@@ -4548,13 +4187,10 @@
of the default background mode.
- FEATURE(stickyhost) and LOCAL_RELAY to send unqualified addresses
to the LOCAL_RELAY instead of the default relay.
-- confRAND_FILE if you use STARTTLS and sendmail is not compiled with
- the flag HASURANDOM.
-The MSP performs hostname canonicalization by default. As also
-explained in sendmail/SECURITY, mail may end up for various DNS
-related reasons in the MSP queue. This problem can be minimized by
-using
+The MSP performs hostname canonicalization by default. Mail may end
+up for various DNS related reasons in the MSP queue. This problem
+can be minimized by using
FEATURE(`nocanonify', `canonify_hosts')
define(`confDIRECT_SUBMISSION_MODIFIERS', `C')
@@ -4570,39 +4206,10 @@
can cause security problems.
Other things don't work well with the MSP and require tweaking or
-workarounds. For example, to allow for client authentication it
-is not just sufficient to provide a client certificate and the
-corresponding key, but it is also necessary to make the key group
-(smmsp) readable and tell sendmail not to complain about that, i.e.,
-
- define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')
-
-If the MSP should actually use AUTH then the necessary data
-should be placed in a map as explained in SMTP AUTHENTICATION:
-
-FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/msp-authinfo')
-
-/etc/mail/msp-authinfo should contain an entry like:
-
- AuthInfo:127.0.0.1 "U:smmsp" "P:secret" "M:DIGEST-MD5"
+workarounds.
The file and the map created by makemap should be owned by smmsp,
-its group should be smmsp, and it should have mode 640. The database
-used by the MTA for AUTH must have a corresponding entry.
-Additionally the MTA must trust this authentication data so the AUTH=
-part will be relayed on to the next hop. This can be achieved by
-adding the following to your sendmail.mc file:
-
- LOCAL_RULESETS
- SLocal_trust_auth
- R$* $: $&{auth_authen}
- Rsmmsp $# OK
-
-Note: the authentication data can leak to local users who invoke
-the MSP with debug options or even with -v. For that reason either
-an authentication mechanism that does not show the password in the
-AUTH dialogue (e.g., DIGEST-MD5) or a different authentication
-method like STARTTLS should be used.
+its group should be smmsp, and it should have mode 640.
feature/msp.m4 defines almost all settings for the MSP. Most of
those should not be changed at all. Some of the features and options