Diffstat (limited to 'contrib/sendmail/cf/README')
-rw-r--r-- | contrib/sendmail/cf/README | 157 |
1 files changed, 134 insertions, 23 deletions
diff --git a/contrib/sendmail/cf/README b/contrib/sendmail/cf/README index fce316e..81689ad 100644 --- a/contrib/sendmail/cf/README +++ b/contrib/sendmail/cf/README @@ -397,6 +397,9 @@ SMTP_MAILER_CHARSET [undefined] If defined, messages containing 8-bit data that ARRIVE from an address that resolves to one of the SMTP mailers and which are converted to MIME will be labeled with this character set. +SMTP_MAILER_LL [990] The maximum line length for SMTP mailers + (except the relay mailer). +RELAY_MAILER_LL [2040] The maximum line length for the relay mailer. UUCP_MAILER_PATH [/usr/bin/uux] The program used to send UUCP mail. UUCP_MAILER_FLAGS [undefined] Flags added to UUCP mailer. Default flags are `DFMhuU' (and `m' for uucp-new mailer, @@ -1031,12 +1034,6 @@ ldap_routing Implement LDAP-based e-mail recipient routing according to See the LDAP ROUTING section below for more information. -nodns If you aren't running DNS at your site (for example, - you are UUCP-only connected). It's hard to consider - this a "feature", but hey, it had to go somewhere. - Actually, as of 8.7 this is a no-op -- remove "dns" from - the hosts service switch entry instead. - nullclient This is a special case -- it creates a configuration file containing nothing but support for forwarding all mail to a central hub via a local SMTP-based network. The argument 
@@ -1241,12 +1238,15 @@ use_client_ptr If this feature is enabled then check_relay will override versions when delay_checks was not in use. See doc/op/op.* about check_relay, {client_name}, and {client_ptr}. -dnsbl Turns on rejection of hosts found in an DNS based rejection - list. The first is used as the domain in which blocked - hosts are listed. A second argument can be used to change - the default error message. Without that second argument, - the error message will be +dnsbl Turns on rejection, discarding, or quarantining of hosts + found in a DNS based list. The first argument is used as + the domain in which blocked hosts are listed. A second + argument can be used to change the default error message, + or select one of the operations `discard' and `quarantine'. + Without that second argument, the error message will be + Rejected: IP-ADDRESS listed at SERVER + where IP-ADDRESS and SERVER are replaced by the appropriate information. By default, temporary lookup failures are ignored. This behavior can be changed by specifying a 
@@ -1485,6 +1485,81 @@ greet_pause Adds the greet_pause ruleset which enables open proxy R$* $: $&{daemon_flags} R$* a $* $# 0 +block_bad_helo Reject messages from SMTP clients which provide a HELO/EHLO + argument which is either unqualified, or is one of our own + names (i.e., the server name instead of the client name). + This check is performed at RCPT stage and disabled for the + following cases: + - authenticated sessions, + - connections from IP addresses in class $={R}. + Currently access_db lookups can not be used to + (selectively) disable this test, moreover, + FEATURE(`delay_checks') + is required. + +require_rdns Reject mail from connecting SMTP clients without proper + rDNS (reverse DNS), functional gethostbyaddr() resolution. + Note: this feature will cause false positives, i.e., there + are legitimate MTAs that do not have proper DNS entries. + Rejecting mails from those MTAs is a local policy decision. + + The basic policy is to reject message with a 5xx error if + the IP address fails to resolve. However, if this is a + temporary failure, a 4xx temporary failure is returned. + If the look-up succeeds, but returns an apparently forged + value, this is treated as a temporary failure with a 4xx + error code. + + EXCEPTIONS: + + Exceptions based on access entries are discussed below. + Any IP address matched using $=R (the "relay-domains" file) + is excepted from the rules. Since we have explicitly + allowed relaying for this host, based on IP address, we + ignore the rDNS failure. + + The philosophical assumption here is that most users do + not control their rDNS. They should be able to send mail + through their ISP, whether or not they have valid rDNS. + The class $=R, roughly speaking, contains those IP addresses + and address ranges for which we are the ISP, or are acting + as if the ISP. + + If `delay_checks' is in effect (recommended), then any + sender who has authenticated is also excepted from the + restrictions. 
This happens because the rules produced by + this FEATURE() will not be applied to authenticated senders + (assuming `delay_checks'). + + ACCESS MAP ENTRIES: + + Entries such as + Connect:1.2.3.4 OK + Connect:1.2 RELAY + will whitelist IP address 1.2.3.4, so that the rDNS + blocking does apply to that IP address + + Entries such as + Connect:1.2.3.4 REJECT + will have the effect of forcing a temporary failure for + that address to be treated as a permanent failure. + +badmx Reject envelope sender addresses (MAIL) whose domain part + resolves to a "bad" MX record. By default these are + MX records which resolve to A records that match the + regular expression: + + ^(127\.|10\.|0\.0\.0\.0) + + This default regular expression can be overridden by + specifying an argument, e.g., + + FEATURE(`badmx', `^127\.0\.0\.1') + + Note: this feature requires that the sendmail binary + has been compiled with the options MAP_REGEX and + DNSMAP. + +-------+ | HACKS | +-------+ @@ -2426,10 +2501,15 @@ definition for the database; for example FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access_map') Notice: If a second argument is specified it must contain the option -`-T<TMPF>' as shown above. The optional third and fourth parameters -may be `skip' or `lookupdotdomain'. The former enables SKIP as -value part (see below), the latter is another way to enable the -feature of the same name (see above). +`-T<TMPF>' as shown above. The optional parameters may be + + `skip' enables SKIP as value part (see below). + `lookupdotdomain' another way to enable the feature of the + same name (see above). + `relaytofulladdress' enable entries of the form + To:user@example.com RELAY + to allow relaying to just a specific + e-mail address instead of an entire domain. Remember, since /etc/mail/access is a database, after creating the text file as described below, you must use makemap to create the database 
@@ -2497,7 +2577,8 @@ The value part of the map can contain: name is unresolvable. "Accept" does not mean "relay", but at most acceptance for local recipients. That is, OK allows less than RELAY. - RELAY Accept mail addressed to the indicated domain or + RELAY Accept mail addressed to the indicated domain + (or address if `relaytofulladdress' is set) or received from the indicated domain for relaying through your SMTP server. RELAY also serves as an implicit OK for the other checks. @@ -2628,7 +2709,7 @@ maintained in DNS. To use such a database, specify FEATURE(`dnsbl', `dnsbl.example.com') This will cause sendmail to reject mail from any site listed in the -DNS based blacklist. You must select an DNSB based blacklist domain +DNS based blacklist. You must select a DNS based blacklist domain to check by specifying an argument to the FEATURE. The default error message is @@ -2636,10 +2717,18 @@ error message is where IP-ADDRESS and SERVER are replaced by the appropriate information. A second argument can be used to specify a different -text. By default, temporary lookup failures are ignored and hence -cause the connection not to be rejected by the DNS based rejection -list. This behavior can be changed by specifying a third argument, -which must be either `t' or a full error message. For example: +text or action. For example, + + FEATURE(`dnsbl', `dnsbl.example.com', `quarantine') + +would quarantine the message if the client IP address is listed +at `dnsbl.example.com'. + +By default, temporary lookup failures are ignored +and hence cause the connection not to be rejected by the DNS based +rejection list. This behavior can be changed by specifying a third +argument, which must be either `t' or a full error message. For +example: FEATURE(`dnsbl', `dnsbl.example.com', `', `"451 Temporary lookup failure for " $&{client_addr} " in dnsbl.example.com"') 
@@ -4033,6 +4122,11 @@ confDOUBLE_BOUNCE_ADDRESS DoubleBounceAddress "double bounce" error message to this address. If it expands to an empty string, double bounces are dropped. +confSOFT_BOUNCE SoftBounce [False] If set, issue temporary errors + (4xy) instead of permanent errors + (5xy). This can be useful during + testing of a new configuration to + avoid erroneous bouncing of mails. confDEAD_LETTER_DROP DeadLetterDrop [undefined] Filename to save bounce messages which could not be returned to the user or sent to postmaster. @@ -4197,6 +4291,11 @@ confREQUIRES_DIR_FSYNC RequiresDirfsync [true] RequiresDirfsync can flag REQUIRES_DIR_FSYNC at runtime. See sendmail/README for details. confSHARED_MEMORY_KEY SharedMemoryKey [0] Key for shared memory. +confSHARED_MEMORY_KEY_FILE + SharedMemoryKeyFile + [undefined] File where the + automatically selected key for + shared memory is stored. confFAST_SPLIT FastSplit [1] If set to a value greater than zero, the initial MX lookups on addresses is suppressed when they @@ -4210,6 +4309,11 @@ confMAILBOX_DATABASE MailboxDatabase [pw] Type of lookup to find information about local mailboxes. confDEQUOTE_OPTS - [empty] Additional options for the dequote map. +confMAX_NOOP_COMMANDS MaxNOOPCommands [20] Maximum number of "useless" + commands before the SMTP server + will slow down responding. +confHELO_NAME HeloName If defined, use as name for EHLO/HELO + command (instead of $j). confINPUT_MAIL_FILTERS InputMailFilters A comma separated list of filters which determines which filters and 
@@ -4241,7 +4345,14 @@ confMILTER_MACROS_ENVRCPT Milter.macros.envrcpt milters after RCPT TO command. confMILTER_MACROS_EOM Milter.macros.eom [{msg_id}] Macros to transmit to - milters after DATA command. + milters after the terminating + DATA '.' is received. +confMILTER_MACROS_EOH Milter.macros.eoh + Macros to transmit to milters + after the end of headers. +confMILTER_MACROS_DATA Milter.macros.data + Macros to transmit to milters + after DATA command is received. See also the description of OSTYPE for some parameters that can be @@ -4588,4 +4699,4 @@ M4 DIVERSIONS 8 DNS based blacklists 9 special local rulesets (1 and 2) -$Revision: 8.706 $, Last updated $Date: 2006/04/18 22:31:06 $ +$Revision: 8.722 $, Last updated $Date: 2007/04/03 21:26:58 $ |
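
Review bot: In the hunk at @@ -1485,6 +1485,81 @@, the require_rdns ACCESS MAP ENTRIES text says the OK/RELAY entries "will whitelist IP address 1.2.3.4, so that the rDNS blocking does apply to that IP address", which contradicts itself; it should read "does not apply". That example also lists Connect:1.2 RELAY but only explains the effect for 1.2.3.4, so say what the prefix entry exempts. In the same hunk, the block_bad_helo entry joins two unrelated statements with "moreover"; give the FEATURE(`delay_checks') requirement its own sentence. For badmx, the default expression ^(127\.|10\.|0\.0\.0\.0) covers only loopback, 10/8 and 0.0.0.0, so the text should say that other private ranges need an overriding argument.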
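
Review bot: In the hunk at @@ -2426,10 +2501,15 @@, replacing "The optional third and fourth parameters" with "The optional parameters may be" drops the information about argument positions while the list grows to three keywords (`skip', `lookupdotdomain', `relaytofulladdress'). State which argument positions accept these keywords and whether all three can be given together.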
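
Review bot: In the hunk at @@ -2636,10 +2717,18 @@, "A second argument can be used to specify a different text or action" is followed by an example for `quarantine' only, while the feature summary changed in the hunk at @@ -1241,12 +1238,15 @@ names both `discard' and `quarantine'. List both accepted actions here so the two descriptions agree. The unchanged context sentence "This will cause sendmail to reject mail from any site listed" in the preceding hunk could also be qualified now that rejection is no longer the only outcome.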
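
Review bot: In the hunk at @@ -4197,6 +4291,11 @@, the confSHARED_MEMORY_KEY_FILE text refers to "the automatically selected key", but the neighbouring confSHARED_MEMORY_KEY entry only says "[0] Key for shared memory" and never mentions automatic selection. Add which SharedMemoryKey setting turns automatic selection on, or the new option cannot be used from this description alone.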
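
Review bot: In the hunk at @@ -4210,6 +4309,11 @@, confHELO_NAME is the only entry without a bracketed default, unlike confMAX_NOOP_COMMANDS [20] directly above it; add [undefined] or the actual default to match the table's convention. The confMAX_NOOP_COMMANDS text also leaves "useless" commands undefined; name the SMTP commands that are counted.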
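
Review bot: In the hunk at @@ -4241,7 +4345,14 @@, the new confMILTER_MACROS_EOH and confMILTER_MACROS_DATA entries carry no bracketed default, while confMILTER_MACROS_EOM in the same block shows [{msg_id}]. Add the default for each (or [empty] if none is sent) so readers can tell which macros a milter receives at those stages without reading the m4 source.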