MirOS Manual: 08.sendmailop(SMM)


                                   SENDMAILTM

                        INSTALLATION AND OPERATION GUIDE

                                  Eric Allman
                                 Claus Assmann
                              Gregory Neil Shapiro
                                Proofpoint, Inc.

                                 Version 8.759

                           For Sendmail Version 8.14

               SendmailTM implements a  general  purpose  internetwork
          mail routing facility under the UNIX(R) operating system. It
          is not tied to any one transport protocol  --  its  function
          may  be likened to a crossbar switch, relaying messages from
          one domain into another. In the process, it can do a limited
          amount  of  message header editing to put the message into a
          format that is appropriate for the receiving domain. All  of
          this is done under the control of a configuration file.

               Due to the requirements of  flexibility  for  sendmail,
          the  configuration  file  can  seem somewhat unapproachable.
          However, there are only a few basic configurations for  most
          sites, for which standard configuration files have been sup-
          plied. Most other configurations can be built  by  adjusting
          an existing configuration file incrementally.

               Sendmail is based on RFC  821  (Simple  Mail  Transport
          Protocol),  RFC  822 (Internet Mail Headers Format), RFC 974
          (MX routing), RFC 1123  (Internet  Host  Requirements),  RFC
          1413 (Identification server), RFC 1652 (SMTP 8BITMIME Exten-
          sion), RFC 1869 (SMTP Service Extensions),  RFC  1870  (SMTP
          SIZE  Extension),  RFC  1891 (SMTP Delivery Status Notifica-
          tions), RFC 1892 (Multipart/Report), RFC 1893 (Enhanced Mail
          System  Status  Codes),  RFC 1894 (Delivery Status Notifica-
          tions), RFC 1985 (SMTP Service Extension for Remote  Message
          Queue Starting), RFC 2033 (Local Message Transmission Proto-
          col),  RFC  2034  (SMTP  Service  Extension  for   Returning
          ____________________
             DISCLAIMER: This documentation is under modification.
             Sendmail is a trademark of  Proofpoint,  Inc.  US  Patent
          Numbers 6865671, 6986037.

          SMM:08-2           Sendmail Installation and Operation Guide

          Sendmail Installation and Operation Guide           SMM:08-3

          Enhanced Error Codes), RFC 2045 (MIME),  RFC  2476  (Message
          Submission),  RFC  2487  (SMTP  Service Extension for Secure
          SMTP over TLS), RFC 2554 (SMTP Service Extension for Authen-
          tication),  RFC  2821  (Simple  Mail Transfer Protocol), RFC
          2822 (Internet Message Format), RFC 2852  (Deliver  By  SMTP
          Service Extension), and RFC 2920 (SMTP Service Extension for
          Command Pipelining). However, since sendmail is designed  to
          work in a wider world, in many cases it can be configured to
          exceed these protocols. These cases are described herein.

               Although sendmail is intended to run without  the  need
          for monitoring, it has a number of features that may be used
          to monitor  or  adjust  the  operation  under  unusual  cir-
          cumstances. These features are described.

               Section one  describes  how  to  do  a  basic  sendmail
          installation.  Section  two explains the day-to-day informa-
          tion you should know to maintain your mail  system.  If  you
          have  a  relatively  normal  site, these two sections should
          contain sufficient information for you to  install  sendmail
          and  keep  it happy. Section three has information regarding
          the command line  arguments.  Section  four  describes  some
          parameters that may be safely tweaked. Section five contains
          the nitty-gritty information about the  configuration  file.
          This  section  is  for  masochists and people who must write
          their own configuration file. Section six  describes  confi-
          guration  that  can  be done at compile time. The appendixes
          give a  brief  but  detailed  explanation  of  a  number  of
          features not described in the rest of the paper.

          Sendmail Installation and Operation Guide           SMM:08-7

          1. BASIC INSTALLATION

                  There are two basic steps  to  installing  sendmail.
             First,  you  have  to  compile and install the binary. If
             sendmail has already been ported to your operating system
             that  should be simple. Second, you must build a run-time
             configuration file. This is a file  that  sendmail  reads
             when  it  starts  up  that describes the mailers it knows
             about, how to parse addresses, how to rewrite the message
             header, and the settings of various options. Although the
             configuration file can be quite complex, a  configuration
             can  usually  be  built  using  an M4-based configuration
             language. Assuming you have the standard sendmail distri-
             bution, see cf/README for further information.

                  The remainder of  this  section  will  describe  the
             installation  of sendmail assuming you can use one of the
             existing configurations and that the  standard  installa-
             tion  parameters  are acceptable. All pathnames and exam-
             ples are given from the root  of  the  sendmail  subtree,
             normally  /usr/src/usr.sbin/sendmail on 4.4BSD-based sys-
             tems.

                  Continue with the next section if you  need/want  to
             compile  sendmail  yourself. If you have a running binary
             already on your system, you should probably skip to  sec-
             tion 1.2.

             1.1. Compiling Sendmail

                     All sendmail source is in the sendmail  subdirec-
                tory.  To  compile  sendmail,  "cd"  into the sendmail
                directory and type

                    ./Build

                This will leave the binary in an  appropriately  named
                subdirectory,  e.g., obj.BSD-OS.2.1.i386. It works for
                multiple object versions  compiled  out  of  the  same
                directory.

                1.1.1. Tweaking the Build Invocation

                        You can give parameters on the Build  command.
                   In  most  cases  these are only used when the obj.*
                   directory  is  first  created.  To   restart   from
                   scratch, use -c. These commands include:

                   -L libdirs
                        A list of directories to search for libraries.

                   -I incdirs
                        A list of directories to  search  for  include

          SMM:08-8           Sendmail Installation and Operation Guide

                        files.

                   -E envar=value
                        Set an environment variable  to  an  indicated
                        value before compiling.

                   -c   Create a new obj.* tree before running.

                   -f siteconfig
                        Read the indicated site configuration file. If
                        this   parameter   is   not  specified,  Build
                        includes      all      of      the       files
                        $BUILDTOOLS/Site/site.$oscf.m4             and
                        $BUILDTOOLS/Site/site.config.m4, where $BUILD-
                        TOOLS is normally ../devtools and $oscf is the
                        same name as used on the obj.* directory.  See
                        below for a description of the site configura-
                        tion file.

                   -S   Skip  auto-configuration.  Build  will   avoid
                        auto-detecting  libraries  if this is set. All
                        libraries and map definitions must  be  speci-
                        fied in the site configuration file.

                   Most other parameters are passed to the  make  pro-
                   gram; for details see $BUILDTOOLS/README.

                1.1.2. Creating a Site Configuration File

                        (This section is not yet  complete.  For  now,
                   see  the  file  devtools/README  for  details.) See
                   sendmail/README for various compilation flags  that
                   can be set.

                1.1.3. Tweaking the Makefile

                        Sendmail supports two  different  formats  for
                   the  local  (on disk) version of databases, notably
                   the aliases database. At least one of these  should
                   be defined if at all possible.

                   NDBM      The  ``new  DBM''  format,  available  on
                             nearly all systems around today. This was
                             the preferred format prior to 4.4BSD.  It
                             allows  such  complex  things as multiple
                             databases and closing  a  currently  open
                             database.

                   NEWDB     The Berkeley  DB  package.  If  you  have
                             this,  use  it.  It  allows long records,
                             multiple open databases,  real  in-memory
                             caching,  and  so  forth.  You can define
                             this in conjunction with NDBM; if you do,

          Sendmail Installation and Operation Guide           SMM:08-9

                             old  alias databases are read, but when a
                             new database is created  it  will  be  in
                             NEWDB  format.  As  a  nasty hack, if you
                             have NEWDB, NDBM, and NIS defined, and if
                             the  alias  file  name  includes the sub-
                             string "/yp/", sendmail will create  both
                             new  and  old  versions of the alias file
                             during  a  newalias  command.   This   is
                             required  because  the  Sun NIS/YP system
                             reads the DBM version of the alias  file.
                             It's ugly as sin, but it works.

                   If neither of these are defined, sendmail reads the
                   alias  file  into  memory on every invocation. This
                   can be slow and should be avoided. There  are  also
                   several methods for remote database access:

                   LDAP      Lightweight Directory Access Protocol.

                   NIS       Sun's Network Information Services (form-
                             erly YP).

                   NISPLUS   Sun's NIS+ services.

                   NETINFO   NeXT's NetInfo service.

                   HESIOD    Hesiod service (from Athena).

                   Other compilation  flags  are  set  in  conf.h  and
                   should be predefined for you unless you are porting
                   to  a  new  environment.  For  more   options   see
                   sendmail/README.

                1.1.4. Compilation and installation

                        After making the  local  system  configuration
                   described  above, You should be able to compile and
                   install the system. The script "Build" is the  best
                   approach on most systems:

                       ./Build

                   This will use uname(1) to create a custom  Makefile
                   for your environment.

                        If you are installing in the standard  places,
                   you should be able to install using

                       ./Build install

                   This should install the  binary  in  /usr/sbin  and
                   create    links    from   /usr/bin/newaliases   and
                   /usr/bin/mailq  to  /usr/sbin/sendmail.   On   most

          SMM:08-10          Sendmail Installation and Operation Guide

                   systems  it will also format and install man pages.
                   Notice: as of version 8.12 sendmail will no  longer
                   be  installed  set-user-ID  root by default. If you
                   really want to use the old method, you can  specify
                   it as target:

                       ./Build install-set-user-id

             1.2. Configuration Files

                     Sendmail cannot operate without  a  configuration
                file.  The  configuration  defines  the  mail delivery
                mechanisms understood at  this  site,  how  to  access
                them, how to forward email to remote mail systems, and
                a number of tuning parameters. This configuration file
                is detailed in the later portion of this document.

                     The sendmail configuration  can  be  daunting  at
                first.  The  world is complex, and the mail configura-
                tion reflects that. The distribution includes  an  m4-
                based  configuration  package  that hides a lot of the
                complexity. See cf/README for details.

                     Our configuration files are processed  by  m4  to
                facilitate  local  customization;  the directory cf of
                the  sendmail  distribution  directory  contains   the
                source  files.  This  directory  contains several sub-
                directories:

                cf        Both  site-dependent  and   site-independent
                          descriptions  of hosts. These can be literal
                          host  names  (e.g.,  "ucbvax.mc")  when  the
                          hosts  are gateways or more general descrip-
                          tions (such as  "generic-solaris2.mc"  as  a
                          general  description  of  an  SMTP-connected
                          host running Solaris 2.x. Files  ending  .mc
                          (``M4   Configuration'')   are   the   input
                          descriptions;   the   output   is   in   the
                          corresponding  .cf  file. The general struc-
                          ture of these files is described below.

                domain    Site-dependent subdomain descriptions. These
                          are  tied to the way your organization wants
                          to    do    addressing.     For     example,
                          domain/CS.Berkeley.EDU.m4 is our description
                          for hosts in the CS.Berkeley.EDU  subdomain.
                          These  are  referenced  using  the DOMAIN m4
                          macro in the .mc file.

                feature   Definitions of specific features  that  some
                          particular  host  in  your  site might want.
                          These are referenced using  the  FEATURE  m4

          Sendmail Installation and Operation Guide          SMM:08-11

                          macro.  An  example  feature  is use_cw_file
                          (which   tells   sendmail   to    read    an
                          /etc/mail/local-host-names  file  on startup
                          to find the set of local names).

                hack      Local hacks, referenced using  the  HACK  m4
                          macro. Try to avoid these. The point of hav-
                          ing them here is to make it clear that  they
                          smell.

                m4        Site-independent m4(1)  include  files  that
                          have information common to all configuration
                          files.  This  can  be  thought   of   as   a
                          "#include" directory.

                mailer    Definitions of mailers, referenced using the
                          MAILER  m4  macro. The mailer types that are
                          known in this distribution are  fax,  local,
                          smtp,  uucp,  and  usenet.  For  example, to
                          include support for the UUCP-based  mailers,
                          use "MAILER(uucp)".

                ostype    Definitions  describing  various   operating
                          system environments (such as the location of
                          support files). These are  referenced  using
                          the OSTYPE m4 macro.

                sh        Shell files used by the  m4  build  process.
                          You shouldn't have to mess with these.

                siteconfig
                          Local UUCP  connectivity  information.  This
                          directory   has   been   supplanted  by  the
                          mailertable feature; any new  configurations
                          should  use  that  feature  to  do UUCP (and
                          other) routing. The use of this directory is
                          deprecated.

                     If you are in a new domain (e.g., a company), you
                will probably want to create a cf/domain file for your
                domain. This consists primarily of  relay  definitions
                and  features you want enabled site-wide: for example,
                Berkeley's domain definition defines relays for BitNET
                and  UUCP.  These are specific to Berkeley, and should
                be fully-qualified internet-style domain names. Please
                check  to  make  certain  they are reasonable for your
                domain.

                     Subdomains at Berkeley are  also  represented  in
                the  cf/domain  directory.  For  example,  the  domain
                CS.Berkeley.EDU is  the  Computer  Science  subdomain,
                EECS.Berkeley.EDU  is  the  Electrical Engineering and
                Computer Sciences subdomain, and  S2K.Berkeley.EDU  is

          SMM:08-12          Sendmail Installation and Operation Guide

                the  Sequoia 2000 subdomain. You will probably have to
                add an entry to this directory to be  appropriate  for
                your domain.

                     You will have to use or create .mc files  in  the
                cf/cf subdirectory for your hosts. This is detailed in
                the cf/README file.

             1.3. Details of Installation Files

                     This subsection describes the files that comprise
                the sendmail installation.

                1.3.1. /usr/sbin/sendmail

                        The  binary  for  sendmail   is   located   in
                   /usr/sbin[1]. It should be  set-group-ID  smmsp  as
                   described  in  sendmail/SECURITY. For security rea-
                   sons, /, /usr, and /usr/sbin  should  be  owned  by
                   root, mode 0755[2].

                1.3.2. /etc/mail/sendmail.cf

                        This is the main configuration file for  send-
                   mail[3]. This is one of the  two  non-library  file
                   names  compiled  into  sendmail[4],  the  other  is
                   /etc/mail/submit.cf.

                        The configuration  file  is  normally  created
                   using  the  distribution  files described above. If
                   you have a particularly unusual  system  configura-
                   tion  you may need to create a special version. The
          ____________________
             [1]This is usually /usr/sbin on 4.4BSD and newer systems;
          many  systems  install it in /usr/lib. I understand it is in
          /usr/ucblib on System V Release 4.
             [2]Some  vendors  ship  them owned by bin; this creates a
          security hole that is not actually related to sendmail. Oth-
          er important directories that should have restrictive owner-
          ships and permissions are /bin, /usr/bin,  /etc,  /etc/mail,
          /usr/etc, /lib, and /usr/lib.
             [3]Actually, the pathname varies depending on the operat-
          ing system; /etc/mail is the preferred directory. Some older
          systems  install  it  in /usr/lib/sendmail.cf, and I've also
          seen it in /usr/ucblib. If you want to move this  file,  add
          -D_PATH_SENDMAILCF=\"/file/name\" to the flags passed to the
          C compiler. Moving this file is not recommended: other  pro-
          grams and scripts know of this location.
             [4]The system libraries can  reference  other  files;  in
          particular,  system  library subroutines that sendmail calls
          probably reference /etc/passwd and /etc/resolv.conf.

          Sendmail Installation and Operation Guide          SMM:08-13

                   format of this file is detailed in  later  sections
                   of this document.

                1.3.3. /etc/mail/submit.cf

                        This is the configuration  file  for  sendmail
                   when  it  is  used  for initial mail submission, in
                   which case it is also called ``Mail Submission Pro-
                   gram'' (MSP) in contrast to ``Mail Transfer Agent''
                   (MTA). Starting with version  8.12,  sendmail  uses
                   one  of  two different configuration files based on
                   its operation mode (or the new -A option). For ini-
                   tial  mail  submission, i.e., if one of the options
                   -bm (default), -bs, or -t is  specified,  submit.cf
                   is   used  (if  available),  for  other  operations
                   sendmail.cf  is  used.  Details  can  be  found  in
                   sendmail/SECURITY.  submit.cf is shipped with send-
                   mail (in cf/cf/) and is installed  by  default.  If
                   changes to the configuration need to be made, start
                   with cf/cf/submit.mc and follow the instruction  in
                   cf/README.

                1.3.4. /usr/bin/newaliases

                        The newaliases command should just be  a  link
                   to sendmail:

                       rm -f /usr/bin/newaliases
                       ln -s /usr/sbin/sendmail /usr/bin/newaliases

                   This can be installed in whatever search  path  you
                   prefer for your system.

                1.3.5. /usr/bin/hoststat

                        The hoststat command should just be a link  to
                   sendmail,  in a fashion similar to newaliases. This
                   command lists the status of the last mail  transac-
                   tion  with  all  remote  hosts.   The  -v flag will
                   prevent the status display from being truncated. It
                   functions  only when the HostStatusDirectory option
                   is set.

                1.3.6. /usr/bin/purgestat

                        This command is also a link  to  sendmail.  It
                   flushes  expired  (Timeout.hoststatus)  information
                   that is stored in the HostStatusDirectory tree.

                1.3.7. /var/spool/mqueue

                        The  directory  /var/spool/mqueue  should   be
                   created  to  hold  the  mail  queue. This directory

          SMM:08-14          Sendmail Installation and Operation Guide

                   should be mode 0700 and owned by root.

                        The actual path of this directory  is  defined
                   by  the  QueueDirectory  option  of the sendmail.cf
                   file. To use multiple queues, supply a value ending
                   with       an      asterisk.      For      example,
                   /var/spool/mqueue/qd* will use all  of  the  direc-
                   tories  or  symbolic links to directories beginning
                   with `qd'  in  /var/spool/mqueue  as  queue  direc-
                   tories. Do not change the queue directory structure
                   while sendmail is running.

                        If these directories  have  subdirectories  or
                   symbolic links to directories named `qf', `df', and
                   `xf', then these will be  used  for  the  different
                   queue  file  types.  That  is,  the  data files are
                   stored in the  `df'  subdirectory,  the  transcript
                   files  are stored in the `xf' subdirectory, and all
                   others are stored in the `qf' subdirectory.

                        If shared memory support is compiled in, send-
                   mail  stores  the  available  diskspace in a shared
                   memory segment to make the values readily available
                   to  all children without incurring system overhead.
                   In this case, only the  daemon  updates  the  data;
                   i.e., the sendmail daemon creates the shared memory
                   segment and deletes it if it is terminated. To  use
                   this, sendmail must have been compiled with support
                   for shared memory (-DSM_CONF_SHM)  and  the  option
                   SharedMemoryKey must be set. Notice: do not use the
                   same key for sendmail  invocations  with  different
                   queue directories or different queue group declara-
                   tions. Access to shared memory is not controlled by
                   locks, i.e., there is a race condition when data in
                   the shared memory is updated. However, since opera-
                   tion  of  sendmail does not rely on the data in the
                   shared memory, this does not  negatively  influence
                   the behavior.

                1.3.8. /var/spool/clientmqueue

                        The directory  /var/spool/clientmqueue  should
                   be  created  to hold the mail queue. This directory
                   should be mode 0770 and owned by user smmsp,  group
                   smmsp.

                        The actual path of this directory  is  defined
                   by the QueueDirectory option of the submit.cf file.

                1.3.9. /var/spool/mqueue/.hoststat

                        This is a typical value  for  the  HostStatus-
                   Directory option, containing one file per host that

          Sendmail Installation and Operation Guide          SMM:08-15

                   this sendmail has chatted with recently. It is nor-
                   mally a subdirectory of mqueue.

                1.3.10. /etc/mail/aliases*

                        The    system    aliases    are    held     in
                   "/etc/mail/aliases".   A   sample   is   given   in
                   "sendmail/aliases"  which  includes  some   aliases
                   which must be defined:

                       cp sendmail/aliases /etc/mail/aliases
                       edit /etc/mail/aliases

                   You should extend this file with any  aliases  that
                   are apropos to your system.

                        Normally sendmail looks at a database  version
                   of      the     files,     stored     either     in
                   "/etc/mail/aliases.dir" and "/etc/mail/aliases.pag"
                   or  "/etc/mail/aliases.db" depending on which data-
                   base package you are using. The actual path of this
                   file  is  defined  in  the  AliasFile option of the
                   sendmail.cf file.

                        The permissions of  the  alias  file  and  the
                   database  versions  should be 0640 to prevent local
                   denial of service attacks as explained in  the  top
                   level  README  in the sendmail distribution. If the
                   permissions  0640  are  used,  be  sure  that  only
                   trusted users belong to the group assigned to those
                   files.  Otherwise, files should not even  be  group
                   readable.

                1.3.11. /etc/rc or /etc/init.d/sendmail

                        It will be necessary to start up the  sendmail
                   daemon  when  your system reboots. This daemon per-
                   forms two functions: it listens on the SMTP  socket
                   for connections (to receive mail from a remote sys-
                   tem) and it processes  the  queue  periodically  to
                   insure that mail gets delivered when hosts come up.

                        If  necessary,  add  the  following  lines  to
                   "/etc/rc"  (or  "/etc/rc.local"  as appropriate) in
                   the area where it is starting up the daemons  on  a
                   BSD-base  system,  or on a System-V-based system in
                   one    of    the    startup    files,     typically
                   "/etc/init.d/sendmail":

          SMM:08-16          Sendmail Installation and Operation Guide

                       if [ -f /usr/sbin/sendmail -a -f /etc/mail/sendmail.cf ]; then
                               (cd /var/spool/mqueue; rm -f xf*)
                               /usr/sbin/sendmail -bd -q30m &
                               echo -n ' sendmail' >/dev/console
                       fi

                   The "cd" and "rm" commands insure  that  all  tran-
                   script  files  have  been removed; extraneous tran-
                   script files may be left around if the system  goes
                   down  in  the  middle  of processing a message. The
                   line that actually invokes sendmail has two  flags:
                   "-bd"  causes  it  to  listen on the SMTP port, and
                   "-q30m" causes it to run the queue every half hour.

                        Some people use a more complex startup script,
                   removing  zero  length  qf/hf/Qf files and df files
                   for which there is no qf/hf/Qf file. Note  this  is
                   not  advisable.  For  example,  see Figure 1 for an
                   example of a complex script which does  this  clean
                   up.

                1.3.12. /etc/mail/helpfile

                        This is the help file used by  the  SMTP  HELP
                   command.     It     should     be    copied    from
                   "sendmail/helpfile":

                       cp sendmail/helpfile /etc/mail/helpfile

                   The actual path of this  file  is  defined  in  the
                   HelpFile option of the sendmail.cf file.

                1.3.13. /etc/mail/statistics

                        If you wish to collect statistics  about  your
                   mail   traffic,   you   should   create   the  file
                   "/etc/mail/statistics":

                       cp /dev/null /etc/mail/statistics
                       chmod 0600 /etc/mail/statistics

                   This file does not grow. It  is  printed  with  the
                   program "mailstats/mailstats.c." The actual path of
                   this file  is  defined  in  the  S  option  of  the
                   sendmail.cf file.

                1.3.14. /usr/bin/mailq

                        If sendmail is invoked  as  "mailq,"  it  will
                   simulate  the  -bp  flag (i.e., sendmail will print
                   the contents of the mail queue;  see  below).  This
                   should be a link to /usr/sbin/sendmail.

          Sendmail Installation and Operation Guide          SMM:08-17

          ____________________________________________________________

          #!/bin/sh
          # remove zero length qf/hf/Qf files
          for qffile in qf* hf* Qf*
          do
                  if [ -r $qffile ]
                  then
                          if [ ! -s $qffile ]
                          then
                                  echo -n " <zero: $qffile>" > /dev/console
                                  rm -f $qffile
                          fi
                  fi
          done
          # rename tf files to be qf if the qf does not exist
          for tffile in tf*
          do
                  qffile=`echo $tffile | sed 's/t/q/'`
                  if [ -r $tffile -a ! -f $qffile ]
                  then
                          echo -n " <recovering: $tffile>" > /dev/console
                          mv $tffile $qffile
                  else
                          if [ -f $tffile ]
                          then
                                  echo -n " <extra: $tffile>" > /dev/console
                                  rm -f $tffile
                          fi
                  fi
          done
          # remove df files with no corresponding qf/hf/Qf files
          for dffile in df*
          do
                  qffile=`echo $dffile | sed 's/d/q/'`
                  hffile=`echo $dffile | sed 's/d/h/'`
                  Qffile=`echo $dffile | sed 's/d/Q/'`
                  if [ -r $dffile -a ! -f $qffile -a ! -f $hffile -a ! -f $Qffile ]
                  then
                          echo -n " <incomplete: $dffile>" > /dev/console
                          mv $dffile `echo $dffile | sed 's/d/D/'`
                  fi
          done
          # announce files that have been saved during disaster recovery
          for xffile in [A-Z]f*
          do
                  if [ -f $xffile ]
                  then
                          echo -n " <panic: $xffile>" > /dev/console
                  fi
          done

          SMM:08-18          Sendmail Installation and Operation Guide

                      Figure 1 - A complex startup script
          ____________________________________________________________

                1.3.15. sendmail.pid

                        sendmail stores its current pid  in  the  file
                   specified   by   the  PidFile  option  (default  is
                   _PATH_SENDMAILPID).  sendmail   uses   TempFileMode
                   (which defaults to 0600) as the permissions of that
                   file to prevent local denial of service attacks  as
                   explained  in  the top level README in the sendmail
                   distribution. If the file already exists,  then  it
                   might   be  necessary  to  change  the  permissions
                   accordingly, e.g.,

                       chmod 0600 /var/run/sendmail.pid

                   Note that as of version 8.13, this file is unlinked
                   when  sendmail exits. As a result of this change, a
                   script such as the following, which may have worked
                   prior to 8.13, will no longer work:

                       # stop & start sendmail
                       PIDFILE=/var/run/sendmail.pid
                       kill `head -1 $PIDFILE`
                       `tail -1 $PIDFILE`

                   because it assumes  that  the  pidfile  will  still
                   exist  even  after  killing the process to which it
                   refers. Below is a script which will work correctly
                   on both newer and older versions:

                       # stop & start sendmail
                       PIDFILE=/var/run/sendmail.pid
                       pid=`head -1 $PIDFILE`
                       cmd=`tail -1 $PIDFILE`
                       kill $pid
                       $cmd

                   This is just an example script, it does not perform
                   any  error checks, e.g., whether the pidfile exists
                   at all.

                1.3.16. Map Files

                        To prevent local denial of service attacks  as
                   explained  in  the top level README in the sendmail
                   distribution, the permissions of map files  created
                   by  makemap should be 0640. The use of 0640 implies
                   that  only  trusted  users  belong  to  the   group
                   assigned  to  those  files.  If those files already
                   exist, then it might be  necessary  to  change  the

          Sendmail Installation and Operation Guide          SMM:08-19

                   permissions accordingly, e.g.,

                       cd /etc/mail
                       chmod 0640 *.db *.pag *.dir

          2. NORMAL OPERATIONS

             2.1. The System Log

                     The system log is  supported  by  the  syslogd(8)
                program.  All  messages from sendmail are logged under
                the LOG_MAIL facility[5].

                2.1.1. Format

                        Each line in the  system  log  consists  of  a
                   timestamp,  the  name of the machine that generated
                   it (for logging  from  several  machines  over  the
                   local  area  network),  the word "sendmail:", and a
                   message[6].  Most  messages  are  a   sequence   of
                   name=value pairs.

                        The two most common lines are  logged  when  a
                   message is processed. The first logs the receipt of
                   a message; there will be exactly one of  these  per
                   message.  Some fields may be omitted if they do not
                   contain interesting information. Fields are:

                   from      The envelope sender address.

                   size      The size of the message in bytes.

                   class     The class (i.e., numeric  precedence)  of
                             the message.

                   pri       The initial message  priority  (used  for
                             queue sorting).

                   nrcpts    The number  of  envelope  recipients  for
                             this message (after aliasing and forward-
                             ing).

                   msgid     The message id of the message  (from  the
                             header).

          ____________________
             [5]Except on Ultrix, which does not support facilities in
          the syslog.
             [6]This format may  vary  slightly  if  your  vendor  has
          changed the syntax.

          SMM:08-20          Sendmail Installation and Operation Guide

                   bodytype  The message body type (7BIT or 8BITMIME),
                             as determined from the envelope.

                   proto     The protocol used to receive this message
                             (e.g., ESMTP or UUCP)

                   daemon    The daemon name  from  the  DaemonPortOp-
                             tions setting.

                   relay     The machine from which it was received.

                   There is also one line logged per delivery  attempt
                   (so there can be several per message if delivery is
                   deferred or there are multiple recipients).  Fields
                   are:

                   to        A comma-separated list of the  recipients
                             to this mailer.

                   ctladdr   The ``controlling user'',  that  is,  the
                             name of the user whose credentials we use
                             for delivery.

                   delay     The total delay  between  the  time  this
                             message  was  received  and  the  current
                             delivery attempt.

                   xdelay    The  amount  of  time  needed   in   this
                             delivery  attempt (normally indicative of
                             the speed of the connection).

                   mailer    The name of the mailer used to deliver to
                             this recipient.

                   relay     The  name  of  the  host  that   actually
                             accepted (or rejected) this recipient.

                   dsn       The enhanced error  code  (RFC  2034)  if
                             available.

                   stat      The delivery status.

                   Not all fields are present  in  all  messages;  for
                   example,  the relay is usually not listed for local
                   deliveries.

                2.1.2. Levels

                        If  you  have  syslogd(8)  or  an   equivalent
                   installed, you will be able to do logging. There is
                   a large amount of information that can  be  logged.
                   The  log  is arranged as a succession of levels. At
                   the lowest level only extremely strange  situations

          Sendmail Installation and Operation Guide          SMM:08-21

                   are  logged.  At  the  highest level, even the most
                   mundane and uninteresting events are  recorded  for
                   posterity.  As  a  convention, log levels under ten
                   are considered generally "useful;" log levels above
                   64 are reserved for debugging purposes. Levels from
                   11-64 are reserved  for  verbose  information  that
                   some sites might want.

                        A complete description of the  log  levels  is
                   given in section ``Log Level''.

             2.2. Dumping State

                     You can ask sendmail to log a dump  of  the  open
                files and the connection cache by sending it a SIGUSR1
                signal. The results are logged at LOG_DEBUG priority.

             2.3. The Mail Queues

                     Mail messages may either be delivered immediately
                or  be  held  for  later  delivery.  Held messages are
                placed into a holding directory called a mail queue.

                     A mail message may be queued for these reasons:

                 + If a mail message is temporarily undeliverable,  it
                   is  queued  and delivery is attempted later. If the
                   message is addressed to multiple recipients, it  is
                   queued  only  for those recipients to whom delivery
                   is not immediately possible.
                 + If the SuperSafe option is set to  true,  all  mail
                   messages are queued while delivery is attempted.
                 + If the DeliveryMode option is set to queue-only  or
                   defer,   all  mail  is  queued,  and  no  immediate
                   delivery is attempted.
                 + If the load average becomes higher than  the  value
                   of  the  QueueLA  option  and  the  QueueFactor (q)
                   option divided by the  difference  in  the  current
                   load  average  and  the  QueueLA option plus one is
                   less than the priority of the message, messages are
                   queued rather than immediately delivered.
                 + One or more addresses are marked as  expensive  and
                   delivery  is  postponed until the next queue run or
                   one or more address are marked as held  via  mailer
                   which uses the hold mailer flag.
                 + The mail message has been marked as quarantined via
                   a mail filter or rulesets.

                2.3.1. Queue Groups and Queue Directories

                        There are one or more mail queues.  Each  mail
                   queue  belongs  to a queue group. There is always a
                   default  queue  group  that  is  called  ``mqueue''

          SMM:08-22          Sendmail Installation and Operation Guide

                   (which  is where messages go by default unless oth-
                   erwise specified).  The  directory  or  directories
                   which  comprise  the default queue group are speci-
                   fied by the QueueDirectory option. There  are  zero
                   or  more  additional  named  queue  groups declared
                   using the Q command in the configuration file.

                        By default, a queued message is placed in  the
                   queue  group associated with the first recipient in
                   the recipient list. A recipient address  is  mapped
                   to  a  queue group as follows. First, if there is a
                   ruleset called ``queuegroup'', and if this  ruleset
                   maps  the  address to a queue group name, then that
                   queue group is chosen. That is,  the  argument  for
                   the ruleset is the recipient address and the result
                   should be $# followed by the name of a queue group.
                   Otherwise,   if  the  mailer  associated  with  the
                   address specifies a queue group,  then  that  queue
                   group is chosen. Otherwise, the default queue group
                   is chosen.

                        A message with  multiple  recipients  will  be
                   split  if  different queue groups are chosen by the
                   mapping of recipients to queue groups.

                        When a message is placed in a queue group, and
                   the queue group has more than one queue, a queue is
                   selected randomly.

                        If  a  message  with  multiple  recipients  is
                   placed into a queue group with the 'r' option (max-
                   imum number of recipients per  message)  set  to  a
                   positive  value  N,  and  if  there are more than N
                   recipients in the message, then the message will be
                   split into multiple messages, each of which have at
                   most N recipients.

                        Notice: if multiple queue groups are used,  do
                   not move queue files around, e.g., into a different
                   queue directory. This may have  weird  effects  and
                   can cause mail not to be delivered. Queue files and
                   directories should be treated as opaque and  should
                   not be manipulated directly.

                2.3.2. Queue Runs

                        sendmail has two different ways to process the
                   queue(s).  The  first one is to start queue runners
                   after certain intervals (``normal'' queue runners),
                   the  second  one  is to keep queue runner processes
                   around  (``persistent''  queue  runners).  How   to
                   select  either  of  these types is discussed in the
                   appendix ``COMMAND LINE FLAGS''.  Persistent  queue

          Sendmail Installation and Operation Guide          SMM:08-23

                   runners  have  the  advantage that no new processes
                   need to be spawned at certain intervals; they  just
                   sleep  for  a  specified time after they finished a
                   queue run. Another advantage  of  persistent  queue
                   runners  is  that  only  one process belonging to a
                   workgroup (a workgroup is a set  of  queue  groups)
                   collects the data for a queue run and then multiple
                   queue runner may go ahead using that data. This can
                   significantly reduce the disk I/O necessary to read
                   the queue files compared to starting multiple queue
                   runners  directly. Their disadvantage is that a new
                   queue run is only started after all  queue  runners
                   belonging  to a group finished their tasks. In case
                   one of the queue runners tries delivery to  a  slow
                   recipient  site at the end of a queue run, the next
                   queue run may be substantially delayed. In  general
                   this should be smoothed out due to the distribution
                   of those slow jobs, however, for sites  with  small
                   number  of queue entries this might introduce noti-
                   cable delays. In general, persistent queue  runners
                   are only useful for sites with big queues.

                2.3.3. Manual Intervention

                        Under normal conditions the mail queue will be
                   processed transparently. However, you may find that
                   manual intervention  is  sometimes  necessary.  For
                   example,  if  a  major host is down for a period of
                   time the queue may become clogged.  Although  send-
                   mail  ought  to  recover  gracefully  when the host
                   comes up, you may find performance unacceptably bad
                   in the meantime. In that case you want to check the
                   content of the queue and manipulate it as explained
                   in the next two sections.

                2.3.4. Printing the queue

                        The contents of the queue(s)  can  be  printed
                   using  the  mailq command (or by specifying the -bp
                   flag to sendmail):

                       mailq

                   This will produce a listing of the queue id's,  the
                   size  of  the message, the date the message entered
                   the queue, and the sender and recipients. If shared
                   memory  support is compiled in, the flag -bP can be
                   used  to  print  the  number  of  entries  in   the
                   queue(s), provided a process updates the data. How-
                   ever, as explained earlier,  the  output  might  be
                   slightly  wrong,  since access to the shared memory
                   is not locked. For  example,  ``unknown  number  of
                   entries'' might be shown. The internal counters are

          SMM:08-24          Sendmail Installation and Operation Guide

                   updated after each queue run to the  correct  value
                   again.

                2.3.5. Forcing the queue

                        Sendmail should run the queue automatically at
                   intervals.  When  using multiple queues, a separate
                   process will by default be created to run  each  of
                   the  queues  unless the queue run is initiated by a
                   user with the verbose flag.  The  algorithm  is  to
                   read  and  sort  the  queue, and then to attempt to
                   process all jobs in order. When it attempts to  run
                   the job, sendmail first checks to see if the job is
                   locked. If so, it ignores the job.

                        There is no attempt to insure  that  only  one
                   queue  processor exists at any time, since there is
                   no guarantee that a job cannot take forever to pro-
                   cess  (however, sendmail does include heuristics to
                   try to abort jobs that are taking absurd amounts of
                   time;  technically,  this  violates RFC 821, but is
                   blessed by RFC 1123). Due to the locking algorithm,
                   it  is  impossible for one job to freeze the entire
                   queue. However, an uncooperative recipient host  or
                   a  program recipient that never returns can accumu-
                   late many processes in your system.  Unfortunately,
                   there is no completely general way to solve this.

                        In some cases, you may find that a major  host
                   going down for a couple of days may create a prohi-
                   bitively large queue. This will result in  sendmail
                   spending  an  inordinate amount of time sorting the
                   queue. This situation can be fixed  by  moving  the
                   queue  to  a  temporary  place  and  creating a new
                   queue. The old queue can  be  run  later  when  the
                   offending host returns to service.

                        To do this,  it  is  acceptable  to  move  the
                   entire queue directory:

                       cd /var/spool
                       mv mqueue omqueue; mkdir mqueue; chmod 0700 mqueue

                   You should then kill the existing daemon (since  it
                   will  still  be  processing in the old queue direc-
                   tory) and create a new daemon.

                        To run the old mail queue, issue the following
                   command:

                       /usr/sbin/sendmail -C /etc/mail/queue.cf -q

                   The -C flag specifies  an  alternate  configuration

          Sendmail Installation and Operation Guide          SMM:08-25

                   file queue.cf which should refer to the moved queue
                   directory

                       O QueueDirectory=/var/spool/omqueue

                   and the -q flag says to just run every job  in  the
                   queue.  You can also specify the moved queue direc-
                   tory on the command line

                       /usr/sbin/sendmail -oQ/var/spool/omqueue -q

                   but this requires that you do not have queue groups
                   in  the  configuration  file, because those are not
                   subdirectories of the moved directory. See the sec-
                   tion about ``Queue Group Declaration'' for details;
                   you most likely need a different configuration file
                   to  correctly  deal  with  this problem. However, a
                   proper configuration of queue groups  should  avoid
                   filling  up queue directories, so you shouldn't run
                   into this problem. If you have  a  tendency  toward
                   voyeurism, you can use the -v flag to watch what is
                   going on.

                        When the queue is  finally  emptied,  you  can
                   remove the directory:

                       rmdir /var/spool/omqueue

                2.3.6. Quarantined Queue Items

                        It is possible to "quarantine" mail  messages,
                   otherwise  known  as  envelopes.  Envelopes  (queue
                   files) are stored but not considered  for  delivery
                   or  display  unless  the  "quarantine" state of the
                   envelope  is  undone  or  delivery  or  display  of
                   quarantined  items  is  requested. Quarantined mes-
                   sages are tagged by using a different name for  the
                   queue file, 'hf' instead of 'qf', and by adding the
                   quarantine reason to the queue file.

                        Delivery or display of quarantined  items  can
                   be  requested  using  the  -qQ  flag to sendmail or
                   mailq. Additionally, messages already in the  queue
                   can  be  quarantined or unquarantined using the new
                   -Q flag to sendmail. For example,

                       sendmail -Qreason -q[!][I|R|S][matchstring]

                   Quarantines the normal  queue  items  matching  the
                   criteria specified by the -q[!][I|R|S][matchstring]
                   using the reason given on the -Q flag. Likewise,

          SMM:08-26          Sendmail Installation and Operation Guide

                       sendmail -qQ -Q[reason] -q[!][I|R|S|Q][matchstring]

                   Change the quarantine reason  for  the  quarantined
                   items  matching  the  criteria  specified  by the -
                   q[!][I|R|S|Q][matchstring] using the  reason  given
                   on the -Q flag. If there is no reason,
                    unquarantine the matching items and make them nor-
                   mal queue items. Note that the -qQ flag tells send-
                   mail to operate on  quarantined  items  instead  of
                   normal items.

             2.4. Disk Based Connection Information

                     Sendmail stores a  large  amount  of  information
                about  each  remote  system  it  has  connected  to in
                memory. It is possible to preserve some of this infor-
                mation  on disk as well, by using the HostStatusDirec-
                tory option, so that it may be shared between  several
                invocations of sendmail. This allows mail to be queued
                immediately or skipped during a queue run if there has
                been  a  recent  failure  in  connecting  to  a remote
                machine. Note: information about a  remote  system  is
                stored  in  a file whose pathname consists of the com-
                ponents of the hostname in reverse order. For example,
                the  information  for  host.example.com  is  stored in
                com./example./host. For  top-level  domains  like  com
                this can create a large number of subdirectories which
                on some filesystems can exhaust some limits. Moreover,
                the performance of lookups in directory with thousands
                of  entries  can  be  fairly  slow  depending  on  the
                filesystem implementation.

                     Additionally  enabling  SingleThreadDelivery  has
                the  added effect of single-threading mail delivery to
                a destination. This can be quite helpful if the remote
                machine is running an SMTP server that is easily over-
                loaded or cannot accept more than a single  connection
                at a time, but can cause some messages to be punted to
                a future queue run. It also applies to all  hosts,  so
                setting this because you have one machine on site that
                runs some software that is easily  overrun  can  cause
                mail  to other hosts to be slowed down. If this option
                is set, you  probably  want  to  set  the  MinQueueAge
                option  as  well  and run the queue fairly frequently;
                this way jobs that are skipped because  another  send-
                mail  is  talking to the same host will be tried again
                quickly rather than being delayed for a long time.

                     The disk based host information is  stored  in  a
                subdirectory    of   the   mqueue   directory   called

          Sendmail Installation and Operation Guide          SMM:08-27

                .hoststat[7]. Removing this  directory  and  its  sub-
                directories  has  an  effect  similar to the purgestat
                command and is  completely  safe.  However,  purgestat
                only  removes  expired  (Timeout.hoststatus) data. The
                information in these directories can be  perused  with
                the  hoststat  command,  which  will indicate the host
                name, the last access, and the status of that  access.
                An  asterisk  in the left most column indicates that a
                sendmail process currently has  the  host  locked  for
                mail delivery.

                     The disk based connection information is  treated
                the  same  way  as memory based connection information
                for the purpose of timeouts. By  default,  information
                about  host failures is valid for 30 minutes. This can
                be adjusted with the Timeout.hoststatus option.

                     The connection information stored on disk may  be
                expired  at  any time with the purgestat command or by
                invoking sendmail with the -bH switch. The  connection
                information may be viewed with the hoststat command or
                by invoking sendmail with the -bh switch.

             2.5. The Service Switch

                     The implementation  of  certain  system  services
                such as host and user name lookup is controlled by the
                service switch. If the host operating system  supports
                such  a  switch, and sendmail knows about it, sendmail
                will use the native version. Ultrix, Solaris, and  DEC
                OSF/1 are examples of such systems[8].

                     If the underlying operating system does not  sup-
                port  a  service  switch (e.g., SunOS 4.X, HP-UX, BSD)
                then sendmail will provide a stub implementation.  The
                ServiceSwitchFile  option points to the name of a file
                that has the service definitions. Each  line  has  the
                name  of a service and the possible implementations of
                that service. For example, the file:

                    hosts   dns files nis
                    aliases files nis

                will ask sendmail to look for hosts in the Domain Name
                System first. If the requested host name is not found,
          ____________________
             [7]This is the usual value of the HostStatusDirectory op-
          tion;  it  can,  of  course,  go  anywhere  you like in your
          filesystem.
             [8]HP-UX  10  has  service  switch support, but since the
          APIs are apparently not available in the libraries  sendmail
          does not use the native service switch in this release.

          SMM:08-28          Sendmail Installation and Operation Guide

                it tries local files, and if that fails it tries  NIS.
                Similarly,  when  looking  for aliases it will try the
                local files first followed by NIS.

                     Notice: since sendmail must access MX records for
                correct operation, it will use DNS if it is configured
                in the ServiceSwitchFile file. Hence an entry like

                    hosts   files dns

                will not avoid DNS lookups even if a host can be found
                in /etc/hosts.

                     Service switches are not  completely  integrated.
                For  example,  despite  the  fact  that the host entry
                listed in the above example specifies to look in  NIS,
                on  SunOS  this won't happen because the system imple-
                mentation of gethostbyname(3) doesn't understand this.

             2.6. The Alias Database

                     After recipient addresses are read from the  SMTP
                connection  or command line they are parsed by ruleset
                0, which must resolve to  a  {mailer,  host,  address}
                triple.  If  the  flags selected by the mailer include
                the A (aliasable) flag, the address part of the triple
                is  looked up as the key (i.e., the left hand side) in
                the alias database. If there is a match,  the  address
                is  deleted  from  the send queue and all addresses on
                the right hand side of the alias are added in place of
                the  alias  that was found. This is a recursive opera-
                tion, so aliases found in the right hand side  of  the
                alias are similarly expanded.

                     The alias database exists in two forms. One is  a
                text  form,  maintained in the file /etc/mail/aliases.
                The aliases are of the form

                    name: name1, name2, ...

                Only local names may be aliased; e.g.,

                    eric@prep.ai.MIT.EDU: eric@CS.Berkeley.EDU

                will  not  have  the   desired   effect   (except   on
                prep.ai.MIT.EDU, and they probably don't want  me)[9].
                Aliases  may be continued by starting any continuation
          ____________________
             [9]Actually, any mailer that has the `A' mailer flag  set
          will  permit aliasing; this is normally limited to the local
          mailer.

          Sendmail Installation and Operation Guide          SMM:08-29

                lines with a space or a tab or by putting a  backslash
                directly  before  the  newline.  Blank lines and lines
                beginning with a sharp sign ("#") are comments.

                     The second form is processed by  the  ndbm(3)[10]
                or  the  Berkeley DB library. This form is in the file
                /etc/mail/aliases.db    (if    using     NEWDB)     or
                /etc/mail/aliases.dir  and  /etc/mail/aliases.pag  (if
                using NDBM). This is the form that  sendmail  actually
                uses  to  resolve  aliases.  This technique is used to
                improve performance.

                     The control of search order is  actually  set  by
                the service switch. Essentially, the entry

                    O AliasFile=switch:aliases

                is always added as the first alias  entry;  also,  the
                first  alias  file name without a class (e.g., without
                "nis:" on the front) will be used as the name  of  the
                file  for a ``files'' entry in the aliases switch. For
                example, if the configuration file contains

                    O AliasFile=/etc/mail/aliases

                and the service switch contains

                    aliases nis files nisplus

                then aliases will first be searched in the  NIS  data-
                base,  then  in  /etc/mail/aliases,  then  in the NIS+
                database.

                     You can also use NIS-based alias files. For exam-
                ple, the specification:

                    O AliasFile=/etc/mail/aliases
                    O AliasFile=nis:mail.aliases@my.nis.domain

                will first search the /etc/mail/aliases file and  then
                the map named "mail.aliases" in "my.nis.domain". Warn-
                ing: if you build your own NIS-based alias  files,  be
                sure to provide the -l flag to makedbm(8) to map upper
                case letters in the keys  to  lower  case;  otherwise,
                aliases  with  upper case letters in their names won't
                match incoming addresses.

                     Additional flags can be  added  after  the  colon
                exactly like a K line - for example:
          ____________________
             [10]The gdbm package does not work.

          SMM:08-30          Sendmail Installation and Operation Guide

                    O AliasFile=nis:-N mail.aliases@my.nis.domain

                will search the appropriate NIS map and always include
                null bytes in the key. Also:

                    O AliasFile=nis:-f mail.aliases@my.nis.domain

                will prevent sendmail from downcasing the  key  before
                the alias lookup.

                2.6.1. Rebuilding the alias database

                        The hash or dbm version of the database may be
                   rebuilt explicitly by executing the command

                       newaliases

                   This is equivalent to giving sendmail the -bi flag:

                       /usr/sbin/sendmail -bi

                        If you have multiple aliases databases  speci-
                   fied,  the -bi flag rebuilds all the database types
                   it understands (for example, it  can  rebuild  NDBM
                   databases but not NIS databases).

                2.6.2. Potential problems

                        There are a number of problems that can  occur
                   with  the  alias  database.  They all result from a
                   sendmail process accessing the DBM version while it
                   is  only partially built. This can happen under two
                   circumstances: One process  accesses  the  database
                   while another process is rebuilding it, or the pro-
                   cess rebuilding the database  dies  (due  to  being
                   killed  or  a  system  crash) before completing the
                   rebuild.

                        Sendmail  has  three  techniques  to  try   to
                   relieve  these  problems.  First, it ignores inter-
                   rupts while rebuilding the  database;  this  avoids
                   the problem of someone aborting the process leaving
                   a partially rebuilt database. Second, it locks  the
                   database  source file during the rebuild - but that
                   may not work over NFS or if the file is unwritable.
                   Third,  at  the end of the rebuild it adds an alias
                   of the form

                       @: @

                   (which is not normally legal). Before sendmail will
                   access  the database, it checks to insure that this

          Sendmail Installation and Operation Guide          SMM:08-31

                   entry exists[11].

                2.6.3. List owners

                        If an error occurs on  sending  to  a  certain
                   address,  say  "x", sendmail will look for an alias
                   of the form "owner-x" to receive the  errors.  This
                   is  typically  useful  for a mailing list where the
                   submitter of the  list  has  no  control  over  the
                   maintenance  of  the  list itself; in this case the
                   list maintainer would be the owner of the list. For
                   example:

                       unix-wizards: eric@ucbarpa, wnj@monet, nosuchuser,
                               sam@matisse
                       owner-unix-wizards: unix-wizards-request
                       unix-wizards-request: eric@ucbarpa

                   would cause "eric@ucbarpa" to get  the  error  that
                   will  occur  when someone sends to unix-wizards due
                   to the inclusion of "nosuchuser" on the list.

                        List owners also  cause  the  envelope  sender
                   address  to  be modified. The contents of the owner
                   alias are used if they point to a single user, oth-
                   erwise  the  name  of the alias itself is used. For
                   this reason, and to obey Internet conventions,  the
                   "owner-"  address normally points at the "-request"
                   address; this causes messages to go  out  with  the
                   typical   Internet   convention  of  using  ``list-
                   request'' as the return address.

             2.7. User Information Database

                     This option is deprecated, use virtusertable  and
                genericstable  instead  as  explained in cf/README. If
                you have a version of sendmail with the user  informa-
                tion  database compiled in, and you have specified one
                or more databases using the U  option,  the  databases
                will  be searched for a user:maildrop entry. If found,
                the mail will be sent to the specified address.

             2.8. Per-User Forwarding (.forward Files)

                     As an alternative to the alias database, any user
                may  put a file with the name ".forward" in his or her
                home  directory.  If  this   file   exists,   sendmail
                redirects  mail for that user to the list of addresses
          ____________________
             [11]The AliasWait option is required in the configuration
          for this action to occur. This should normally be specified.

          SMM:08-32          Sendmail Installation and Operation Guide

                listed in the .forward file.  Note  that  aliases  are
                fully  expanded  before  forward files are referenced.
                For example, if the home directory for user "mckusick"
                has a .forward file with contents:

                    mckusick@ernie
                    kirk@calder

                then  any  mail  arriving  for  "mckusick"   will   be
                redirected to the specified accounts.

                     Actually,  the  configuration  file   defines   a
                sequence  of  filenames  to check. By default, this is
                the user's .forward file, but can  be  defined  to  be
                more  generally  using  the ForwardPath option. If you
                change this, you will have to inform your user base of
                the  change; .forward is pretty well incorporated into
                the collective subconscious.

             2.9. Special Header Lines

                     Several header lines have special interpretations
                defined   by   the  configuration  file.  Others  have
                interpretations built into  sendmail  that  cannot  be
                changed without changing the code. These built-ins are
                described here.

                2.9.1. Errors-To:

                        If errors occur  anywhere  during  processing,
                   this  header will cause error messages to go to the
                   listed addresses.  This  is  intended  for  mailing
                   lists.

                        The Errors-To: header was created in  the  bad
                   old  days  when UUCP didn't understand the distinc-
                   tion between an envelope and a header; this  was  a
                   hack  to  provide  what should now be passed as the
                   envelope sender address. It should go away.  It  is
                   only used if the UseErrorsTo option is set.

                        The Errors-To: header is officially deprecated
                   and will go away in a future release.

                2.9.2. Apparently-To:

                        RFC 822 requires at least one recipient  field
                   (To:,  Cc:,  or  Bcc:  line) in every message. If a
                   message comes in with no recipients listed  in  the
                   message  then sendmail will adjust the header based
                   on the "NoRecipientAction" option. One of the  pos-
                   sible  actions is to add an "Apparently-To:" header
                   line for any recipients it is aware of.

          Sendmail Installation and Operation Guide          SMM:08-33

                        The Apparently-To: header is non-standard  and
                   is both deprecated and strongly discouraged.

                2.9.3. Precedence

                        The Precedence: header can be used as a  crude
                   control  of  message  priority.  It tweaks the sort
                   order in the queue and can be configured to  change
                   the  message  timeout  values.  The precedence of a
                   message also controls how delivery status notifica-
                   tions (DSNs) are processed for that message.

             2.10. IDENT Protocol Support

                     Sendmail supports the IDENT protocol  as  defined
                in  RFC 1413. Note that the RFC states a client should
                wait at least 30 seconds for a response.  The  default
                Timeout.ident  is 5 seconds as many sites have adopted
                the practice of dropping IDENT queries. This has  lead
                to  delays  processing  mail.  Although  this enhances
                identification of the author of an  email  message  by
                doing  a  ``call  back''  to the originating system to
                include the owner of a particular  TCP  connection  in
                the  audit  trail  it is in no sense perfect; a deter-
                mined forger can easily spoof the IDENT protocol.  The
                following description is excerpted from RFC 1413:

                     6.  Security Considerations

                     The information returned by this protocol  is  at
                     most  as  trustworthy as the host providing it OR
                     the organization operating the host.   For  exam-
                     ple,  a PC in an open lab has few if any controls
                     on it to prevent a user from having this protocol
                     return  any identifier the user wants.  Likewise,
                     if the host has been compromised the  information
                     returned may be completely erroneous and mislead-
                     ing.

                     The Identification Protocol is not intended as an
                     authorization  or  access  control  protocol.  At
                     best, it provides some additional auditing infor-
                     mation  with  respect  to  TCP  connections.   At
                     worst, it can provide misleading,  incorrect,  or
                     maliciously incorrect information.

                     The use of the information returned by this  pro-
                     tocol   for   other  than  auditing  is  strongly
                     discouraged.  Specifically, using  Identification
                     Protocol information to make access control deci-
                     sions - either as the primary  method  (i.e.,  no
                     other  checks)  or as an adjunct to other methods
                     may  result  in  a  weakening  of   normal   host

          SMM:08-34          Sendmail Installation and Operation Guide

                     security.

                     An Identification server may  reveal  information
                     about users, entities, objects or processes which
                     might normally be considered private.   An  Iden-
                     tification  server  provides  service  which is a
                     rough analog of the CallerID services provided by
                     some phone companies and many of the same privacy
                     considerations and arguments that  apply  to  the
                     CallerID service apply to Identification.  If you
                     wouldn't run a "finger"  server  due  to  privacy
                     considerations  you may not want to run this pro-
                     tocol.

                In some cases your system may not work  properly  with
                IDENT  support  due to a bug in the TCP/IP implementa-
                tion. The symptoms will be that  for  some  hosts  the
                SMTP  connection will be closed almost immediately. If
                this is true or if you do not want to use  IDENT,  you
                should  set  the IDENT timeout to zero; this will dis-
                able the IDENT protocol.

          3. ARGUMENTS

                  The  complete  list  of  arguments  to  sendmail  is
             described  in  detail in Appendix A. Some important argu-
             ments are described here.

             3.1. Queue Interval

                     The amount of time between forking a  process  to
                run  through  the  queue is defined by the -q flag. If
                you run with delivery mode set to i or b this  can  be
                relatively  large, since it will only be relevant when
                a host that was down comes back up. If you  run  in  q
                mode  it  should be relatively short, since it defines
                the maximum amount of time that a message may  sit  in
                the queue. (See also the MinQueueAge option.)

                     RFC 1123 section 5.3.1.1  says  that  this  value
                should  be at least 30 minutes (although that probably
                doesn't make sense if you use ``queue-only'' mode).

                     Notice: the meaning of the interval time  depends
                on  whether  normal  queue runners or persistent queue
                runners are used. For  the  former,  it  is  the  time
                between  subsequent  starts  of  a  queue run. For the
                latter, it is the time sendmail  waits  after  a  per-
                sistent  queue  runner  has finished its work to start
                the next one. Hence for persistent queue runners  this
                interval  should  be  very low, typically no more than
                two minutes.

          Sendmail Installation and Operation Guide          SMM:08-35

             3.2. Daemon Mode

                     If you allow incoming mail over  an  IPC  connec-
                tion, you should have a daemon running. This should be
                set by your /etc/rc file using the -bd flag.  The  -bd
                flag and the -q flag may be combined in one call:

                    /usr/sbin/sendmail -bd -q30m

                     An alternative approach  is  to  invoke  sendmail
                from  inetd(8)  (use the -bs -Am flags to ask sendmail
                to speak SMTP on its standard input and output and  to
                run  as  MTA). This works and allows you to wrap send-
                mail in a TCP wrapper program, but may be a bit slower
                since  the  configuration  file  has  to be re-read on
                every message that comes in. If you do this, you still
                need to have a sendmail running to flush the queue:

                    /usr/sbin/sendmail -q30m

             3.3. Forcing the Queue

                     In some cases you may find  that  the  queue  has
                gotten  clogged for some reason. You can force a queue
                run using the -q flag (with no value).  It  is  enter-
                taining to use the -v flag (verbose) when this is done
                to watch what happens:

                    /usr/sbin/sendmail -q -v

                     You can also limit the jobs to those with a  par-
                ticular  queue  identifier, recipient, sender, quaran-
                tine reason, or queue group using  one  of  the  queue
                modifiers.  For  example,  "-qRberkeley" restricts the
                queue run to jobs  that  have  the  string  "berkeley"
                somewhere  in  one  of  the recipient addresses. Simi-
                larly,  "-qSstring"  limits  the  run  to   particular
                senders,  "-qIstring"  limits  it  to particular queue
                identifiers, and "-qQstring" limits it  to  particular
                quarantined  reasons  and only operated on quarantined
                queue items, and "-qGstring" limits it to a particular
                queue group. The named queue group will be run even if
                it is set to have 0 runners. You may also place  an  !
                before  the I or R or S or Q to indicate that jobs are
                limited to not including a particular  queue  identif-
                ier,  recipient  or sender. For example, "-q!Rseattle"
                limits the queue run to jobs  that  do  not  have  the
                string  "seattle"  somewhere  in  one of the recipient
                addresses. Should you need to terminate the queue jobs
                currently  active  then a SIGTERM to the parent of the

          SMM:08-36          Sendmail Installation and Operation Guide

                process (or processes) will cleanly stop the jobs.

             3.4. Debugging

                     There are a fairly large number  of  debug  flags
                built  into  sendmail.  Each debug flag has a category
                and a level.  Higher  levels  increase  the  level  of
                debugging activity; in most cases, this means to print
                out more information. The convention  is  that  levels
                greater  than  nine are "absurd," i.e., they print out
                so much information that you wouldn't normally want to
                see them except for debugging that particular piece of
                code.

                     You should never run a production sendmail server
                in  debug mode. Many of the debug flags will result in
                debug output being sent over the SMTP  channel  unless
                the  option  -D  is  used. This will confuse many mail
                programs. However, for testing  purposes,  it  can  be
                useful  when  sending  mail manually via telnet to the
                port you are using while debugging.

                     A debug category is either an integer,  like  42,
                or  a  name,  like  ANSI.  You  can specify a range of
                numeric debug categories using the syntax  17-42.  You
                can  specify  a  set of named debug categories using a
                glob pattern like "sm_trace_*". At present,  only  "*"
                and "?" are supported in these glob patterns.

                     Debug flags are set using the -d option; the syn-
                tax is:

                    debug-flag:        -d debug-list
                    debug-list:        debug-option [ , debug-option ]*
                    debug-option:      debug-categories [ . debug-level ]
                    debug-categories:  integer | integer - integer | category-pattern
                    category-pattern:  [a-zA-Z_*?][a-zA-Z0-9_*?]*
                    debug-level:       integer

                where spaces are for reading ease only. For example,

                    -d12               Set category 12 to level 1
                    -d12.3             Set category 12 to level 3
                    -d3-17             Set categories 3 through 17 to level 1
                    -d3-17.4           Set categories 3 through 17 to level 4
                    -dANSI             Set category ANSI to level 1
                    -dsm_trace_*.3     Set all named categories matching sm_trace_* to level 3

                For a complete list of the available debug  flags  you
                will  have to look at the code and the TRACEFLAGS file
                in the sendmail distribution (they are too dynamic  to
                keep  this  document  up to date). For a list of named
                debug categories in the sendmail binary, use

          Sendmail Installation and Operation Guide          SMM:08-37

                    ident /usr/sbin/sendmail | grep Debug

             3.5. Changing the Values of Options

                     Options can be overridden using the -o or -O com-
                mand line flags. For example,

                    /usr/sbin/sendmail -oT2m

                sets the T (timeout) option to two  minutes  for  this
                run  only;  the  equivalent line using the long option
                name is

                    /usr/sbin/sendmail -OTimeout.queuereturn=2m

                     Some options have security implications. Sendmail
                allows  you  to  set  these, but relinquishes its set-
                user-ID or set-group-ID permissions thereafter[12].

             3.6. Trying a Different Configuration File

                     An alternative configuration file can  be  speci-
                fied using the -C flag; for example,

                    /usr/sbin/sendmail -Ctest.cf -oQ/tmp/mqueue

                uses the configuration file  test.cf  instead  of  the
                default  /etc/mail/sendmail.cf.  If the -C flag has no
                value it defaults to sendmail.cf in the current direc-
                tory.

                     Sendmail gives up  set-user-ID  root  permissions
                (if  it  has been installed set-user-ID root) when you
                use this flag, so it is common to use a publicly writ-
                able  directory  (such as /tmp) as the queue directory
                (QueueDirectory or Q option) while testing.

             3.7. Logging Traffic

                     Many SMTP implementations do not fully  implement
                the  protocol.  For  example,  some  personal computer
                based SMTPs do not understand  continuation  lines  in
                reply  codes.  These can be very hard to trace. If you
                suspect such a problem, you can  set  traffic  logging
          ____________________
             [12]That is, it sets its effective uid to the  real  uid;
          thus,  if  you are executing as root, as from root's crontab
          file or during system  startup  the  root  permissions  will
          still be honored.

          SMM:08-38          Sendmail Installation and Operation Guide

                using the -X flag. For example,

                    /usr/sbin/sendmail -X /tmp/traffic -bd

                will log all traffic in the file /tmp/traffic.

                     This logs a lot of data very quickly  and  should
                NEVER be used during normal operations. After starting
                up such a daemon, force the errant  implementation  to
                send  a  message  to your host. All message traffic in
                and out  of  sendmail,  including  the  incoming  SMTP
                traffic, will be logged in this file.

             3.8. Testing Configuration Files

                     When you build a configuration table, you can  do
                a  certain  amount of testing using the "test mode" of
                sendmail. For example, you could invoke sendmail as:

                    sendmail -bt -Ctest.cf

                which would read the configuration file "test.cf"  and
                enter  test mode. In this mode, you enter lines of the
                form:

                    rwset address

                where rwset is the rewriting set you want to  use  and
                address  is  an address to apply the set to. Test mode
                shows you the steps it takes as it  proceeds,  finally
                showing you the address it ends up with. You may use a
                comma separated list of rwsets for sequential applica-
                tion of rules to an input. For example:

                    3,1,21,4 monet:bollard

                first   applies   ruleset   three   to    the    input
                "monet:bollard."  Ruleset  one  is then applied to the
                output  of  ruleset  three,  followed   similarly   by
                rulesets twenty-one and four.

                     If you need more detail, you  can  also  use  the
                "-d21" flag to turn on more debugging. For example,

                    sendmail -bt -d21.99

                turns on an incredible amount of information; a single
                word  address  is  probably going to print out several
                pages worth of information.

                     You should be warned  that  internally,  sendmail
                applies  ruleset  3 to all addresses. In test mode you
                will have to do  that  manually.  For  example,  older

          Sendmail Installation and Operation Guide          SMM:08-39

                versions allowed you to use

                    0 bruce@broadcast.sony.com

                This version requires that you use:

                    3,0 bruce@broadcast.sony.com

                     As of version 8.7, some other syntaxes are avail-
                able in test mode:

                .Dxvalue  defines macro x to have the indicated value.
                          This is useful when debugging rules that use
                          the $&x syntax.

                .Ccvalue  adds the indicated value to class c.

                =Sruleset dumps the contents of the indicated ruleset.

                -ddebug-spec
                          is equivalent to the command-line flag.

                Version 8.9 introduced more features:

                ?         shows a help message.

                =M        display the known mailers.

                $m        print the value of macro m.

                $=c       print the contents of class c.

                /mx host  returns the MX records for `host'.

                /parse address
                          parse  address,  returning  the   value   of
                          crackaddr, and the parsed address.

                /try mailer addr
                          rewrite address into the form it  will  have
                          when presented to the indicated mailer.

                /tryflags flags
                          set flags used by parsing.  The flags can be
                          `H'  for Header or `E' for Envelope, and `S'
                          for Sender or `R' for Recipient.  These  can
                          be  combined,  `HR'  sets  flags  for header
                          recipients.

                /canon hostname
                          try to canonify hostname.

          SMM:08-40          Sendmail Installation and Operation Guide

                /map mapname key
                          look up `key' in the indicated `mapname'.

                /quit     quit address test mode.

             3.9. Persistent Host Status Information

                     When HostStatusDirectory is enabled,  information
                about  the  status  of hosts is maintained on disk and
                can thus be shared between different instantiations of
                sendmail.  The status of the last connection with each
                remote host may be viewed with the command:

                    sendmail -bh

                This information may be flushed with the command:

                    sendmail -bH

                Flushing  the  information   prevents   new   sendmail
                processes from loading it, but does not prevent exist-
                ing processes from using the status  information  that
                they already have.

          4. TUNING

                  There are a number of configuration  parameters  you
             may want to change, depending on the requirements of your
             site. Most of these are set using an option in the confi-
             guration    file.    For    example,    the    line    "O
             Timeout.queuereturn=5d" sets option "Timeout.queuereturn"
             to the value "5d" (five days).

                  Most of these options have appropriate defaults  for
             most  sites.  However,  sites having very high mail loads
             may find they need to tune them as appropriate for  their
             mail  load.  In  particular,  sites  experiencing a large
             number of small messages, many of which are delivered  to
             many  recipients,  may  find that they need to adjust the
             parameters dealing with queue priorities.

                  All versions of sendmail prior  to  8.7  had  single
             character  option  names.  As  of  8.7, options have long
             (multi-character names). Although  old  short  names  are
             still  accepted,  most  new  options  do  not  have short
             equivalents.

                  This section only describes the options you are most
             likely to want to tweak; read section 5 for more details.

          Sendmail Installation and Operation Guide          SMM:08-41

             4.1. Timeouts

                     All time intervals are set using a scaled syntax.
                For  example,  "10m"  represents  ten minutes, whereas
                "2h30m" represents two and a half hours. The full  set
                of scales is:

                    s   seconds
                    m   minutes
                    h   hours
                    d   days
                    w   weeks

                4.1.1. Queue interval

                        The argument to  the  -q  flag  specifies  how
                   often a sub-daemon will run the queue. This is typ-
                   ically set to between fifteen minutes and one hour.
                   If  not  set, or set to zero, the queue will not be
                   run automatically. RFC 1123 section 5.3.1.1  recom-
                   mends  that this be at least 30 minutes. Should you
                   need to terminate the queue jobs  currently  active
                   then  a  SIGTERM  to  the parent of the process (or
                   processes) will cleanly stop the jobs.

                4.1.2. Read timeouts

                        Timeouts     all     have     option     names
                   "Timeout.suboption".  Most  of  these  control SMTP
                   operations.  The   recognized   suboptions,   their
                   default  values,  and the minimum values allowed by
                   RFC 2821  section  4.5.3.2  (or  RFC  1123  section
                   5.3.2) are:

                   connect   The time to wait for an  SMTP  connection
                             to  open (the connect(2) system call) [0,
                             unspecified]. If zero,  uses  the  kernel
                             default.  In  no  case  can  this  option
                             extend the timeout longer than the kernel
                             provides,  but it can shorten it. This is
                             to get around  kernels  that  provide  an
                             absurdly   long  connection  timeout  (90
                             minutes in one case).

                   iconnect  The same as connect,  except  it  applies
                             only to the initial attempt to connect to
                             a host for a given message  [0,  unspeci-
                             fied]. The concept is that this should be
                             very short (a few  seconds);  hosts  that
                             are  well  connected  and responsive will
                             thus be serviced immediately. Hosts  that
                             are   slow   will   not   hold  up  other

          SMM:08-42          Sendmail Installation and Operation Guide

                             deliveries  in   the   initial   delivery
                             attempt.

                   aconnect  [0,  unspecified]  The  overall   timeout
                             waiting  for  all connection for a single
                             delivery attempt to  succeed.  If  0,  no
                             overall  limit  is  applied.  This can be
                             used to restrict the total amount of time
                             trying  to connect to a long list of host
                             that could accept an e-mail for the reci-
                             pient.  This  timeout  does  not apply to
                             FallbackMXhost,  i.e.,  if  the  time  is
                             exhausted,  the  FallbackMXhost  is tried
                             next.

                   initial   The wait for  the  initial  220  greeting
                             message [5m, 5m].

                   helo      The wait for a reply from a HELO or  EHLO
                             command   [5m,   unspecified].  This  may
                             require  a  host  name  lookup,  so  five
                             minutes is probably a reasonable minimum.

                   mail-     The wait for a reply from a MAIL  command
                             [10m, 5m].

                   rcpt-     The wait for a reply from a RCPT  command
                             [1h,  5m]. This should be long because it
                             could be pointing at a list that takes  a
                             long time to expand (see below).

                   datainit- The wait for a reply from a DATA  command
                             [5m, 2m].

                   datablock-=
                             The wait for reading a data  block  (that
                             is,  the  body of the message). [1h, 3m].
                             This  should  be  long  because  it  also
                             applies to programs piping input to send-
                             mail which have no guarantee  of  prompt-
                             ness.

                   datafinal-
                             The wait for a reply from  the  dot  ter-
                             minating a message. [1h, 10m]. If this is
                             shorter than the time actually needed for
                             the  receiver  to  deliver  the  message,
                             duplicates will  be  generated.  This  is
                             discussed in RFC 1047.

                   rset      The wait for a reply from a RSET  command
                             [5m, unspecified].

          Sendmail Installation and Operation Guide          SMM:08-43

                   quit      The wait for a reply from a QUIT  command
                             [2m, unspecified].

                   misc      The wait for a reply  from  miscellaneous
                             (but  short)  commands  such as NOOP (no-
                             operation)  and  VERB  (go  into  verbose
                             mode). [2m, unspecified].

                   command-= In server SMTP,  the  time  to  wait  for
                             another command. [1h, 5m].

                   ident=    The timeout waiting for  a  reply  to  an
                             IDENT query [5s[13], unspecified].

                   lhlo      The wait for a reply to an LMTP LHLO com-
                             mand [2m, unspecified].

                   auth      The timeout for a reply in an  SMTP  AUTH
                             dialogue [10m, unspecified].

                   starttls  The  timeout  for  a  reply  to  an  SMTP
                             STARTTLS  command  and  the TLS handshake
                             [1h, unspecified].

                   fileopen= The  timeout  for  opening  .forward  and
                             :include: files [60s, none].

                   control=  The timeout for a complete control socket
                             transaction to complete [2m, none].

                   hoststatus=
                             How long status information about a  host
                             (e.g.,  host  down) will be cached before
                             it is  considered  stale  [30m,  unspeci-
                             fied].

                   resolver.retrans=
                             The resolver's retransmission time inter-
                             val  (in  seconds)  [varies].  Sets  both
                             Timeout.resolver.retrans.first        and
                             Timeout.resolver.retrans.normal.

                   resolver.retrans.first=
                             The resolver's retransmission time inter-
                             val (in seconds) for the first attempt to
                             deliver a message [varies].

          ____________________
             [13]On some systems the default is zero to turn the  pro-
          tocol off entirely.

          SMM:08-44          Sendmail Installation and Operation Guide

                   resolver.retrans.normal=
                             The resolver's retransmission time inter-
                             val (in seconds) for all resolver lookups
                             except   the   first   delivery   attempt
                             [varies].

                   resolver.retry=
                             The  number  of  times  to  retransmit  a
                             resolver       query.      Sets      both
                             Timeout.resolver.retry.first          and
                             Timeout.resolver.retry.normal [varies].

                   resolver.retry.first=
                             The  number  of  times  to  retransmit  a
                             resolver  query  for the first attempt to
                             deliver a message [varies].

                   resolver.retry.normal=
                             The  number  of  times  to  retransmit  a
                             resolver query for all resolver lookups
                              except  the   first   delivery   attempt
                             [varies].

                   For compatibility with old configuration files,  if
                   no  suboption is specified, all the timeouts marked
                   with an asterick  (-)  are  set  to  the  indicated
                   value.  All  but those marked with a pound sign (=)
                   apply to client SMTP.

                        For example, the lines:

                       O Timeout.command=25m
                       O Timeout.datablock=3h

                   sets the server SMTP command timeout to 25  minutes
                   and the input data block timeout to three hours.

                4.1.3. Message timeouts

                        After sitting in the queue for a few days,  an
                   undeliverable  message  will  time  out. This is to
                   insure that at least the sender  is  aware  of  the
                   inability  to  send a message. The timeout is typi-
                   cally set to five days. It is sometimes  considered
                   convenient  to  also  send a warning message if the
                   message is in the queue longer  than  a  few  hours
                   (assuming  you  normally have good connectivity; if
                   your messages normally took several hours  to  send
                   you wouldn't want to do this because it wouldn't be
                   an unusual event). These timeouts are set using the
                   Timeout.queuereturn  and  Timeout.queuewarn options
                   in the configuration file (previously both were set
                   using the T option).

          Sendmail Installation and Operation Guide          SMM:08-45

                        If the message is submitted using  the  NOTIFY
                   SMTP  extension, warning messages will only be sent
                   if NOTIFY=DELAY is specified. The  queuereturn  and
                   queuewarn  timeouts can be further qualified with a
                   tag based on the Precedence: field in the  message;
                   they must be one of "urgent" (indicating a positive
                   non-zero precedence), "normal" (indicating  a  zero
                   precedence),  or  "non-urgent" (indicating negative
                   precedences).      For       example,       setting
                   "Timeout.queuewarn.urgent=1h"   sets   the  warning
                   timeout for urgent messages only to one  hour.  The
                   default if no precedence is indicated is to set the
                   timeout for all precedences. If the message  has  a
                   normal  (default)  precedence  and it is a delivery
                   status notification (DSN),  Timeout.queuereturn.dsn
                   and  Timeout.queuewarn.dsn  can  be used to give an
                   alternative warn and  return  time  for  DSNs.  The
                   value  "now" can be used for -O Timeout.queuereturn
                   to return entries immediately during a  queue  run,
                   e.g.,  to bounce messages independent of their time
                   in the queue.

                        Since these options are global, and since  you
                   cannot  know a priori how long another host outside
                   your domain will be down, a  five  day  timeout  is
                   recommended.  This  allows  a  recipient to fix the
                   problem even if it occurs at  the  beginning  of  a
                   long  weekend.  RFC  1123 section 5.3.1.1 says that
                   this parameter should be ``at least 4-5 days''.

                        The Timeout.queuewarn value can be piggybacked
                   on  the T option by indicating a time after which a
                   warning message should be sent;  the  two  timeouts
                   are separated by a slash. For example, the line

                       OT5d/4h

                   causes email to fail after five days, but a warning
                   message  will be sent after four hours. This should
                   be large enough that the  message  will  have  been
                   tried several times.

             4.2. Forking During Queue Runs

                     By setting the ForkEachJob (Y)  option,  sendmail
                will fork before each individual message while running
                the queue. This option was used with earlier  releases
                to  prevent  sendmail  from consuming large amounts of
                memory. It should no longer be necessary with sendmail
                8.12.  If  the ForkEachJob option is not set, sendmail
                will keep track of hosts that are down during a  queue
                run, which can improve performance dramatically.

          SMM:08-46          Sendmail Installation and Operation Guide

                     If the ForkEachJob option is set, sendmail cannot
                use connection caching.

             4.3. Queue Priorities

                     Every message is assigned a priority when  it  is
                first instantiated, consisting of the message size (in
                bytes) offset by the message class  (which  is  deter-
                mined  from  the  Precedence:  header) times the "work
                class factor" and the number of recipients  times  the
                "work recipient factor." The priority is used to order
                the queue. Higher numbers for the priority  mean  that
                the  message  will be processed later when running the
                queue.

                     The message size is included so that  large  mes-
                sages  are  penalized  relative to small messages. The
                message class allows users  to  send  "high  priority"
                messages  by  including a "Precedence:" field in their
                message; the value of this field is looked up in the P
                lines  of  the configuration file. Since the number of
                recipients  affects  the  amount  of  load  a  message
                presents to the system, this is also included into the
                priority.

                     The recipient and class factors can be set in the
                configuration  file  using the RecipientFactor (y) and
                ClassFactor (z) options respectively. They default  to
                30000  (for  the  recipient  factor) and 1800 (for the
                class factor). The initial priority is:

               pri=msgsize-(classxClassFactor)+(nrcptxRecipientFactor)

                (Remember, higher values for this  parameter  actually
                mean  that  the  job will be treated with lower prior-
                ity.)

                     The priority of a job can also be  adjusted  each
                time it is processed (that is, each time an attempt is
                made to deliver it) using the "work time factor,"  set
                by  the  RetryFactor  (Z) option. This is added to the
                priority, so it normally decreases the  precedence  of
                the  job,  on  the  grounds that jobs that have failed
                many times will tend to fail again in the future.  The
                RetryFactor option defaults to 90000.

             4.4. Load Limiting

                     Sendmail can be asked to queue (but not  deliver)
                mail  if  the  system load average gets too high using
                the QueueLA (x) option. When the load average  exceeds
                the  value of the QueueLA option, the delivery mode is
                set to q (queue only) if the  QueueFactor  (q)  option

          Sendmail Installation and Operation Guide          SMM:08-47

                divided  by the difference in the current load average
                and the QueueLA option  plus  one  is  less  than  the
                priority  of  the  message  -  that is, the message is
                queued iff:
                                       __u__u__F__c__o__r
                                   pri>LA-QueueLA+1
                The QueueFactor option defaults  to  600000,  so  each
                point  of load average is worth 600000 priority points
                (as described above).

                     For  drastic  cases,  the  RefuseLA  (X)   option
                defines  a  load average at which sendmail will refuse
                to accept network connections. Locally generated mail,
                i.e.,  mail which is not submitted via SMTP (including
                incoming UUCP mail), is still  accepted.  Notice  that
                the  MSP  submits  mail to the MTA via SMTP, and hence
                mail will be queued in the  client  queue  in  such  a
                case. Therefore it is necessary to run the client mail
                queue periodically.

             4.5. Resource Limits

                     Sendmail  has  several  parameters   to   control
                resource usage. Besides those mentionted in the previ-
                ous section, there  are  at  least  MaxDaemonChildren,
                ConnectionRateThrottle,  MaxQueueChildren, and MaxRun-
                nersPerQueue. The latter two limit the number of send-
                mail  processes  that  operate on the queue. These are
                discussed in the section ``Queue Group  Declaration''.
                The  former  two  can  be  used to limit the number of
                incoming connections. Their appropriate values  depend
                on  the  host operating system and the hardware, e.g.,
                amount of memory. In many situations it might be  use-
                ful to set limits to prevent to have too many sendmail
                processes, however, these  limits  can  be  abused  to
                mount a denial of service attack. For example, if Max-
                DaemonChildren=10 then an attacker needs to open  only
                10  SMTP  sessions  to the server, leave them idle for
                most of the time, and  no  more  connections  will  be
                accepted. If this option is set then the timeouts used
                in a SMTP session should be lowered from their default
                values  to  their  minimum  values as specified in RFC
                2821 and listed in section 4.1.2.

             4.6. Measures against Denial of Service Attacks

                     Sendmail has some built-in measures against  sim-
                ple  denial  of service (DoS) attacks. The SMTP server
                by default slows down if too  many  bad  commands  are
                issued  or  if  some  commands  are repeated too often
                within a session. Details can be found in  the  source
                file  sendmail/srvrsmtp.c  by  looking  for  the macro

          SMM:08-48          Sendmail Installation and Operation Guide

                definitions of MAXBADCOMMANDS,  MAXNOOPCOMMANDS,  MAX-
                HELOCOMMANDS, MAXVRFYCOMMANDS, and MAXETRNCOMMANDS. If
                an  SMTP  command  is  issued  more  often  than   the
                corresponding  MAXcmdCOMMANDS value, then the response
                is delayed exponentially, starting with a  sleep  time
                of  one  second,  up  to a maximum of four minutes (as
                defined by MAXTIMEOUT). If the  option  MaxDaemonChil-
                dren  is  set  to a value greater than zero, then this
                could make a DoS attack even worse since  it  keeps  a
                connection  open  longer  than  necessary. Therefore a
                connection is terminated with a 421 SMTP reply code if
                the  number  of commands exceeds the limit by a factor
                of two and MAXBADCOMMANDS is set to  a  value  greater
                than zero (the default is 25).

             4.7. Delivery Mode

                     There are a number of delivery modes  that  send-
                mail  can operate in, set by the DeliveryMode (d) con-
                figuration option. These  modes  specify  how  quickly
                mail will be delivered. Legal modes are:

                    i   deliver interactively (synchronously)
                    b   deliver in background (asynchronously)
                    q   queue only (don't deliver)
                    d   defer delivery attempts (don't deliver)

                There are tradeoffs. Mode "i"  gives  the  sender  the
                quickest  feedback, but may slow down some mailers and
                is hardly ever necessary. Mode "b"  delivers  promptly
                but can cause large numbers of processes if you have a
                mailer that takes a long time to  deliver  a  message.
                Mode "q" minimizes the load on your machine, but means
                that delivery may be  delayed  for  up  to  the  queue
                interval.  Mode  "d"  is  identical to mode "q" except
                that it also prevents lookups in maps including the -D
                flag  from  working during the initial queue phase; it
                is intended for ``dial on  demand''  sites  where  DNS
                lookups  might cost real money. Some simple error mes-
                sages (e.g., host unknown during  the  SMTP  protocol)
                will be delayed using this mode. Mode "b" is the usual
                default.

                     If you run in mode "q" (queue only), "d" (defer),
                or  "b"  (deliver  in  background)  sendmail  will not
                expand aliases and follow .forward files upon  initial
                receipt  of  the  mail. This speeds up the response to
                RCPT commands. Mode "i" should not be used by the SMTP
                server.

          Sendmail Installation and Operation Guide          SMM:08-49

             4.8. Log Level

                     The level of logging can be set for sendmail. The
                default  using a standard configuration table is level
                9. The levels are as follows:

                0    Minimal logging.

                1    Serious system failures  and  potential  security
                     problems.

                2    Lost communications (network problems) and proto-
                     col failures.

                3    Other  serious  failures,  malformed   addresses,
                     transient   forward/include   errors,  connection
                     timeouts.

                4    Minor failures, out of date alias databases, con-
                     nection rejections via check_ rulesets.

                5    Message collection statistics.

                6    Creation of error messages, VRFY  and  EXPN  com-
                     mands.

                7    Delivery failures (host or user unknown, etc.).

                8    Successful   deliveries   and   alias    database
                     rebuilds.

                9    Messages being deferred  (due  to  a  host  being
                     down, etc.).

                10   Database expansion (alias,  forward,  and  userdb
                     lookups) and authentication information.

                11   NIS errors and end of job processing.

                12   Logs all SMTP connections.

                13   Log bad user shells, files with improper  permis-
                     sions, and other questionable situations.

                14   Logs refused connections.

                15   Log all incoming and outgoing SMTP commands.

                20   Logs attempts to run locked  queue  files.  These
                     are not errors, but can be useful to note if your
                     queue appears to be clogged.

          SMM:08-50          Sendmail Installation and Operation Guide

                30   Lost  locks  (only  if  using  lockf  instead  of
                     flock).

                Additionally,  values  above  64  are   reserved   for
                extremely  verbose  debugging  output.  No normal site
                would ever set these.

             4.9. File Modes

                     The modes used for files  depend  on  what  func-
                tionality  you  want  and  the  level  of security you
                require. In many cases sendmail does careful  checking
                of  the  modes  of  files  and  directories  to  avoid
                accidental compromise; if you want to make it possible
                to  have  group-writable support files you may need to
                use the DontBlameSendmail option to turn off  some  of
                these checks.

                4.9.1. To suid or not to suid?

                        Sendmail is no longer installed set-user-ID to
                   root.  sendmail/SECURITY  explains how to configure
                   and install sendmail without  set-user-ID  to  root
                   but set-group-ID which is the default configuration
                   starting with 8.12.

                        The daemon usually runs as root, unless  other
                   measures  are taken. At the point where sendmail is
                   about to exec(2) a mailer, it checks to see if  the
                   userid  is zero (root); if so, it resets the userid
                   and groupid to a default (set by the U=  equate  in
                   the   mailer   line;   if  that  is  not  set,  the
                   DefaultUser option is used). This can be overridden
                   by  setting  the  S  flag to the mailer for mailers
                   that are trusted and must be called as  root.  How-
                   ever,   this  will  cause  mail  processing  to  be
                   accounted (using sa(8)) to root rather than to  the
                   user sending the mail.

                        A  middle  ground  is  to  set  the  RunAsUser
                   option.  This  causes  sendmail to become the indi-
                   cated user as soon as it has done the startup  that
                   requires  root  privileges  (primarily, opening the
                   SMTP socket).  If  you  use  RunAsUser,  the  queue
                   directory  (normally  /var/spool/mqueue)  should be
                   owned by that user, and  all  files  and  databases
                   (including   user   .forward  files,  alias  files,
                   :include: files, and external  databases)  must  be
                   readable  by  that  user. Also, since sendmail will
                   not be able to change its uid, delivery to programs
                   or files will be marked as unsafe, e.g., undeliver-
                   able, in .forward, aliases,  and  :include:  files.
                   Administrators  can  override  this  by setting the

          Sendmail Installation and Operation Guide          SMM:08-51

                   DontBlameSendmail option to  the  setting  NonRoot-
                   SafeAddr.  RunAsUser  is  probably  best suited for
                   firewall configurations  that  don't  have  regular
                   user  logins.  If  the  option  is used on a system
                   which  performs  local  delivery,  then  the  local
                   delivery  agent  must  have  the proper permissions
                   (i.e., usually set-user-ID root) since it  will  be
                   invoked by the RunAsUser, not by root.

                4.9.2. Turning off security checks

                        Sendmail is very particular about the modes of
                   files  that  it  reads  or  writes. For example, by
                   default it will refuse to read most files that  are
                   group  writable on the grounds that they might have
                   been tampered with by someone other than the owner;
                   it will even refuse to read files in group writable
                   directories. Also, sendmail will refuse to create a
                   new  aliases  database in an unsafe directory.  You
                   can get around this by manually creating the  data-
                   base  file as a trusted user ahead of time and then
                   rebuilding the aliases database with newaliases.

                        If you are quite sure that your  configuration
                   is  safe and you want sendmail to avoid these secu-
                   rity checks, you can turn off certain checks  using
                   the DontBlameSendmail option. This option takes one
                   or more names that disable checks. In the  descrip-
                   tions  that  follow,  "unsafe  directory"  means  a
                   directory that is writable by anyone other than the
                   owner. The values are:

                   Safe No special handling.

                   AssumeSafeChown
                        Assume that the  chown  system  call  is  res-
                        tricted  to  root. Since some versions of UNIX
                        permit regular users to give away their  files
                        to  other  users on some filesystems, sendmail
                        often cannot assume  that  a  given  file  was
                        created  by the owner, particularly when it is
                        in a writable directory. You can set this flag
                        if  you  know that file giveaway is restricted
                        on your system.

                   ClassFileInUnsafeDirPath
                        When reading class files (using the F line  in
                        the  configuration file), allow files that are
                        in unsafe directories.

                   DontWarnForwardFileInUnsafeDirPath
                        Prevent logging of unsafe directory path warn-
                        ings for non-existent forward files.

          SMM:08-52          Sendmail Installation and Operation Guide

                   ErrorHeaderInUnsafeDirPath
                        Allow the file named in the ErrorHeader option
                        to be in an unsafe directory.

                   FileDeliveryToHardLink
                        Allow delivery to files that are hard links.

                   FileDeliveryToSymLink
                        Allow delivery  to  files  that  are  symbolic
                        links.

                   ForwardFileInGroupWritableDirPath
                        Allow .forward files in group writable  direc-
                        tories.

                   ForwardFileInUnsafeDirPath
                        Allow .forward files in unsafe directories.

                   ForwardFileInUnsafeDirPathSafe
                        Allow a .forward file that  is  in  an  unsafe
                        directory to include references to program and
                        files.

                   GroupReadableKeyFile
                        Accept a group-readable key file for STARTTLS.

                   GroupReadableSASLDBFile
                        Accept a group-readable  Cyrus  SASL  password
                        file.

                   GroupWritableAliasFile
                        Allow group-writable alias files.

                   GroupWritableDirPathSafe
                        Change the definition of "unsafe directory" to
                        consider   group-writable  directories  to  be
                        safe. World-writable  directories  are  always
                        unsafe.

                   GroupWritableForwardFile
                        Allow group writable .forward files.

                   GroupWritableForwardFileSafe
                        Accept group-writable .forward files  as  safe
                        for program and file delivery.

                   GroupWritableIncludeFile
                        Allow group wriable :include: files.

                   GroupWritableIncludeFileSafe
                        Accept group-writable :include: files as  safe
                        for program and file delivery.

          Sendmail Installation and Operation Guide          SMM:08-53

                   GroupWritableSASLDBFile
                        Accept a group-writable  Cyrus  SASL  password
                        file.

                   HelpFileInUnsafeDirPath
                        Allow the file named in the HelpFile option to
                        be in an unsafe directory.

                   IncludeFileInGroupWritableDirPath
                        Allow :include: files in group writable direc-
                        tories.

                   IncludeFileInUnsafeDirPath
                        Allow :include: files in unsafe directories.

                   IncludeFileInUnsafeDirPathSafe
                        Allow a :include: file that is  in  an  unsafe
                        directory to include references to program and
                        files.

                   InsufficientEntropy
                        Try to use  STARTTLS  even  if  the  PRNG  for
                        OpenSSL  is  not  properly  seeded despite the
                        security problems.

                   LinkedAliasFileInWritableDir
                        Allow an alias file that is a link in a  writ-
                        able directory.

                   LinkedClassFileInWritableDir
                        Allow class files that are links  in  writable
                        directories.

                   LinkedForwardFileInWritableDir
                        Allow .forward files that are links  in  writ-
                        able directories.

                   LinkedIncludeFileInWritableDir
                        Allow :include: files that are links in  writ-
                        able directories.

                   LinkedMapInWritableDir
                        Allow map files that  are  links  in  writable
                        directories.   This  includes  alias  database
                        files.

                   LinkedServiceSwitchFileInWritableDir
                        Allow the service switch file  to  be  a  link
                        even if the directory is writable.

                   MapInUnsafeDirPath
                        Allow maps (e.g., hash, btree, and dbm  files)
                        in  unsafe  directories.  This  includes alias

          SMM:08-54          Sendmail Installation and Operation Guide

                        database files.

                   NonRootSafeAddr
                        Do not mark file  and  program  deliveries  as
                        unsafe  if  sendmail  is not running with root
                        privileges.

                   RunProgramInUnsafeDirPath
                        Run programs that are in writable  directories
                        without logging a warning.

                   RunWritableProgram
                        Run programs that are group- or world-writable
                        without logging a warning.

                   TrustStickyBit
                        Allow group or world writable  directories  if
                        the sticky bit is set on the directory. Do not
                        set this on systems which  do  not  honor  the
                        sticky bit on directories.

                   WorldWritableAliasFile
                        Accept world-writable alias files.

                   WorldWritableForwardfile
                        Allow world writable .forward files.

                   WorldWritableIncludefile
                        Allow world wriable :include: files.

                   WriteMapToHardLink
                        Allow writes to maps that are hard links.

                   WriteMapToSymLink
                        Allow writes to maps that are symbolic links.

                   WriteStatsToHardLink
                        Allow the status file to be a hard link.

                   WriteStatsToSymLink
                        Allow the status file to be a symbolic link.

             4.10. Connection Caching

                     When processing the queue, sendmail will  try  to
                keep  the  last  few  open  connections  open to avoid
                startup and shutdown costs. This only applies  to  IPC
                and LPC connections.

                     When trying to open a  connection  the  cache  is
                first  searched. If an open connection is found, it is
                probed to see if it is still active by sending a  RSET
                command.  It  is  not an error if this fails; instead,

          Sendmail Installation and Operation Guide          SMM:08-55

                the connection is closed and reopened.

                     Two parameters control the connection cache.  The
                ConnectionCacheSize  (k)  option defines the number of
                simultaneous open connections that will be  permitted.
                If  it  is  set to zero, connections will be closed as
                quickly as possible. The default is one.  This  should
                be  set  as  appropriate for your system size; it will
                limit the amount of  system  resources  that  sendmail
                will use during queue runs. Never set this higher than
                4.

                     The ConnectionCacheTimeout (K)  option  specifies
                the  maximum  time  that any cached connection will be
                permitted to idle. When the  idle  time  exceeds  this
                value  the connection is closed. This number should be
                small (under ten minutes) to prevent you from grabbing
                too  many  resources  from other hosts. The default is
                five minutes.

             4.11. Name Server Access

                     Control of host address lookups  is  set  by  the
                hosts  service  entry  in your service switch file. If
                you are on a system that has built-in  service  switch
                support  (e.g.,  Ultrix,  Solaris,  or DEC OSF/1) then
                your system is probably configured  properly  already.
                Otherwise,    sendmail    will    consult   the   file
                /etc/mail/service.switch,  which  should  be  created.
                Sendmail  only  uses  two  entries: hosts and aliases,
                although system routines may use other services  (not-
                ably  the  passwd  service  for  user  name lookups by
                getpwname).

                     However, some systems (such as SunOS 4.X) will do
                DNS  lookups  regardless of the setting of the service
                switch  entry.  In  particular,  the  system   routine
                gethostbyname(3)  is  used  to look up host names, and
                many vendor versions try some combination of DNS, NIS,
                and  file  lookup  in  /etc/hosts without consulting a
                service switch. Sendmail  makes  no  attempt  to  work
                around  this  problem, and the DNS lookup will be done
                anyway. If you do not have a nameserver configured  at
                all,  such as at a UUCP-only site, sendmail will get a
                "connection refused" message when it tries to  connect
                to  the name server. If the hosts switch entry has the
                service "dns" listed somewhere in the  list,  sendmail
                will  interpret  this  to mean a temporary failure and
                will queue the mail for later  processing;  otherwise,
                it ignores the name server data.

                     The same technique is used to decide  whether  to
                do  MX  lookups. If you want MX support, you must have

          SMM:08-56          Sendmail Installation and Operation Guide

                "dns" listed as a service in the hosts switch entry.

                     The ResolverOptions  (I)  option  allows  you  to
                tweak  name  server  options. The command line takes a
                series of flags as documented in resolver(3) (with the
                leading  "RES_"  deleted).  Each can be preceded by an
                optional `+' or `-'. For example, the line

                    O ResolverOptions=+AAONLY -DNSRCH

                turns on  the  AAONLY  (accept  authoritative  answers
                only)  and  turns  off  the  DNSRCH (search the domain
                path) options. Most resolver libraries default DNSRCH,
                DEFNAMES,  and RECURSE flags on and all others off. If
                NETINET6  is  enabled,  most  libraries   default   to
                USE_INET6  as  well.  You  can  also include "HasWild-
                cardMX" to specify that there is a wildcard MX  record
                matching  your domain; this turns off MX matching when
                canonifying names, which  can  lead  to  inappropriate
                canonifications. Use "WorkAroundBrokenAAAA" when faced
                with a broken nameserver that returns SERVFAIL (a tem-
                porary  failure) on T_AAAA (IPv6) lookups during host-
                name canonification. Notice: it might be necessary  to
                apply the same (or similar) options to submit.cf too.

                     Version level 1 configurations (see  the  section
                about ``Configuration Version Level'') turn DNSRCH and
                DEFNAMES off when doing delivery  lookups,  but  leave
                them on everywhere else. Version 8 of sendmail ignores
                them when doing canonification lookups (that is,  when
                using  $[  ... $]), and always does the search. If you
                don't want to do automatic name extension, don't  call
                $[ ... $].

                     The search rules for $[ ... $] are somewhat  dif-
                ferent  than usual. If the name being looked up has at
                least one dot, it always  tries  the  unmodified  name
                first.  If  that  fails,  it  tries the reduced search
                path, and lastly tries the unmodified name  (but  only
                for  names  without a dot, since names with a dot have
                already  been  tried).  This  allows  names  such   as
                ``utc.CS''  to match the site in Czechoslovakia rather
                than the site in your local Computer  Science  depart-
                ment.  It  also  prefers  A  and CNAME records over MX
                records -- that is, if it finds an MX record it  makes
                note of it, but keeps looking. This way, if you have a
                wildcard MX record matching your domain, it  will  not
                assume that all names match.

                     To completely turn off all name server access  on
                systems  without service switch support (such as SunOS
                4.X) you will have to  recompile  with  -DNAMED_BIND=0
                and  remove  -lresolv from the list of libraries to be

          Sendmail Installation and Operation Guide          SMM:08-57

                searched when linking.

             4.12. Moving the Per-User Forward Files

                     Some sites mount each user's home directory  from
                a  local  disk  on  their  workstation,  so that local
                access is fast. However, the result is  that  .forward
                file  lookups  from a central mail server are slow. In
                some cases, mail can even  be  delivered  on  machines
                inappropriately  because  of a file server being down.
                The performance can be especially bad if you  run  the
                automounter.

                     The ForwardPath (J) option allows you  to  set  a
                path  of  forward  files. For example, the config file
                line

                    O ForwardPath=/var/forward/$u:$z/.forward.$w

                would first look for a file with the same name as  the
                user's login in /var/forward; if that is not found (or
                is inaccessible) the file ``.forward.machinename''  in
                the  user's  home  directory is searched. A truly per-
                verse site could also search by sender  by  using  $r,
                $s, or $f.

                     If you create a directory such  as  /var/forward,
                it should be mode 1777 (that is, the sticky bit should
                be set). Users should create the files mode 0644. Note
                that  you  must use the ForwardFileInUnsafeDirPath and
                ForwardFileInUnsafeDirPathSafe    flags    with    the
                DontBlameSendmail  option  to allow forward files in a
                world writable directory. This might also be used as a
                denial  of  service attack (users could create forward
                files for other users); a better approach might be  to
                create  /var/forward  mode 0755 and create empty files
                for each user, owned by that user, mode 0644.  If  you
                do  this,  you don't have to set the DontBlameSendmail
                options indicated above.

             4.13. Free Space

                     On systems that have one of the system  calls  in
                the  statfs(2)  family  (including statvfs and ustat),
                you can specify a minimum number of free blocks on the
                queue  filesystem  using the MinFreeBlocks (b) option.
                If there are fewer than the indicated number of blocks
                free  on  the filesystem on which the queue is mounted
                the SMTP server will reject mail with  the  452  error
                code. This invites the SMTP client to try again later.

                     Beware of setting this option too  high;  it  can
                cause  rejection  of  email  when  that  mail would be

          SMM:08-58          Sendmail Installation and Operation Guide

                processed without difficulty.

             4.14. Maximum Message Size

                     To avoid overflowing your  system  with  a  large
                message,  the  MaxMessageSize option can be set to set
                an absolute limit on the size of any one message. This
                will  be  advertised in the ESMTP dialogue and checked
                during message collection.

             4.15. Privacy Flags

                     The PrivacyOptions (p) option allows you  to  set
                certain  ``privacy''  flags.  Actually,  many  of them
                don't give you any extra privacy, rather just  insist-
                ing  that  client  SMTP  servers  use the HELO command
                before using certain commands or adding extra  headers
                to indicate possible spoof attempts.

                     The option takes a  series  of  flag  names;  the
                final  privacy is the inclusive or of those flags. For
                example:

                    O PrivacyOptions=needmailhelo, noexpn

                insists that the HELO or EHLO command be used before a
                MAIL  command  is  accepted and disables the EXPN com-
                mand.

                     The flags are detailed in section 5.6.

             4.16. Send to Me Too

                     Beginning with version 8.10, sendmail includes by
                default  the (envelope) sender in any list expansions.
                For example, if "matt" sends to a list  that  contains
                "matt" as one of the members he will get a copy of the
                message. If the MeToo option is set to FALSE  (in  the
                configuration  file  or  via  the  command line), this
                behavior is changed, i.e., the  (envelope)  sender  is
                excluded in list expansions.

          5. THE WHOLE SCOOP ON THE CONFIGURATION FILE

                  This section describes  the  configuration  file  in
             detail.

                  There is one point that should be made clear immedi-
             ately:  the  syntax of the configuration file is designed
             to be reasonably easy to parse, since this is done  every
             time  sendmail starts up, rather than easy for a human to
             read or write. The configuration file should be generated
             via  the  method described in cf/README, it should not be

          Sendmail Installation and Operation Guide          SMM:08-59

             edited directly  unless  someone  is  familiar  with  the
             internals of the syntax described here and it is not pos-
             sible to achieve  the  desired  result  via  the  default
             method.

                  The configuration file is organized as a  series  of
             lines,  each  of  which  begins  with  a single character
             defining the semantics for the rest of  the  line.  Lines
             beginning  with  a  space or a tab are continuation lines
             (although the semantics are  not  well  defined  in  many
             places).  Blank  lines  and  lines beginning with a sharp
             symbol (`#') are comments.

             5.1. R and S -- Rewriting Rules

                     The core of address  parsing  are  the  rewriting
                rules.  These  are an ordered production system. Send-
                mail scans through the set of rewriting rules  looking
                for  a  match on the left hand side (LHS) of the rule.
                When a rule matches, the address is  replaced  by  the
                right hand side (RHS) of the rule.

                     There are several sets of rewriting  rules.  Some
                of  the  rewriting  sets  are used internally and must
                have specific semantics. Other rewriting sets  do  not
                have  specifically  assigned  semantics,  and  may  be
                referenced by  the  mailer  definitions  or  by  other
                rewriting sets.

                     The syntax of these two commands are:

                    Sn

                Sets the current ruleset being collected to n. If  you
                begin  a  ruleset more than once it appends to the old
                definition.

                    Rlhs rhs comments

                The fields must be separated by at least one tab char-
                acter; there may be embedded spaces in the fields. The
                lhs is a pattern that is applied to the input.  If  it
                matches,  the  input is rewritten to the rhs. The com-
                ments are ignored.

                     Macro expansions of the  form  $x  are  performed
                when  the  configuration file is read. A literal $ can
                be included using $$. Expansions of the form  $&x  are
                performed  at  run  time using a somewhat less general
                algorithm.  This  is  intended  only  for  referencing
                internally  defined macros such as $h that are changed
                at runtime.

          SMM:08-60          Sendmail Installation and Operation Guide

                5.1.1. The left hand side

                        The left hand side of rewriting rules contains
                   a   pattern.   Normal   words  are  simply  matched
                   directly. Metasyntax is introduced using  a  dollar
                   sign. The metasymbols are:

                       $*   Match zero or more tokens
                       $+   Match one or more tokens
                       $-   Match exactly one token
                       $=x  Match any phrase in class x
                       $~x  Match any word not in class x

                   If any of these match, they  are  assigned  to  the
                   symbol  $n  for replacement on the right hand side,
                   where n is the index in the LHS.  For  example,  if
                   the LHS:

                       $-:$+

                   is applied to the input:

                       UCBARPA:eric

                   the rule will match, and the values passed  to  the
                   RHS will be:

                       $1  UCBARPA
                       $2  eric

                        Additionally, the LHS can include $@ to  match
                   zero  tokens. This is not bound to a $n on the RHS,
                   and is normally only used when it stands  alone  in
                   order to match the null input.

                5.1.2. The right hand side

                        When the left hand side of  a  rewriting  rule
                   matches,  the  input is deleted and replaced by the
                   right hand side. Tokens are  copied  directly  from
                   the  RHS  unless  they  begin  with  a dollar sign.
                   Metasymbols are:

                       $n         Substitute indefinite token n from LHS
                       $[name$]   Canonicalize name
                       $(map key $@arguments $:default $)
                                  Generalized keyed mapping function
                       $>n        "Call" ruleset n
                       $#mailer   Resolve to mailer
                       $@host     Specify host
                       $:user     Specify user

          Sendmail Installation and Operation Guide          SMM:08-61

                        The $n syntax  substitutes  the  corresponding
                   value  from  a  $+,  $-, $*, $=, or $~ match on the
                   LHS. It may be used anywhere.

                        A host name enclosed  between  $[  and  $]  is
                   looked  up  in the host database(s) and replaced by
                   the  canonical  name[14].  For  example,  "$[ftp$]"
                   might      become     "ftp.CS.Berkeley.EDU"     and
                   "$[[128.32.130.2]$]"          would          become
                   "vangogh.CS.Berkeley.EDU."  Sendmail recognizes its
                   numeric IP address without calling the name  server
                   and replaces it with its canonical name.

                        The $( ... $) syntax is a more general form of
                   lookup;  it uses a named map instead of an implicit
                   map. If no lookup is found, the  indicated  default
                   is  inserted;  if  no  default  is specified and no
                   lookup matches, the value is  left  unchanged.  The
                   arguments are passed to the map for possible use.

                        The $>n syntax causes  the  remainder  of  the
                   line  to be substituted as usual and then passed as
                   the argument to  ruleset  n.  The  final  value  of
                   ruleset  n  then  becomes the substitution for this
                   rule. The $> syntax expands  everything  after  the
                   ruleset  name  to the end of the replacement string
                   and then passes that as the initial  input  to  the
                   ruleset. Recursive calls are allowed. For example,

                       $>0 $>3 $1

                   expands $1, passes that  to  ruleset  3,  and  then
                   passes the result of ruleset 3 to ruleset 0.

                        The $# syntax should only be used  in  ruleset
                   zero,  a  subroutine  of  ruleset zero, or rulesets
                   that return decisions (e.g., check_rcpt). It causes
                   evaluation of the ruleset to terminate immediately,
                   and signals to sendmail that the address  has  com-
                   pletely resolved. The complete syntax for ruleset 0
                   is:

                       $#mailer $@host $:user

                   This specifies the  {mailer,  host,  user}  3-tuple
                   necessary  to  direct  the  mailer. Note: the third
                   element ( user ) is often also called address part.
                   If  the  mailer  is  local  the  host  part  may be
          ____________________
             [14]This is  actually  completely  equivalent  to  $(host
          hostname$). In particular, a $: default can be used.

          SMM:08-62          Sendmail Installation and Operation Guide

                   omitted[15]. The mailer must be a single word,  but
                   the  host and user may be multi-part. If the mailer
                   is the built-in IPC  mailer,  the  host  may  be  a
                   colon-separated  list of hosts that are searched in
                   order for the first working address  (exactly  like
                   MX  records).  The  user  is later rewritten by the
                   mailer-specific envelope rewriting set and assigned
                   to  the  $u macro. As a special case, if the mailer
                   specified has the F=@ flag specified and the  first
                   character  of  the  $:  value  is  "@",  the "@" is
                   stripped off, and a flag  is  set  in  the  address
                   descriptor that causes sendmail to not do ruleset 5
                   processing.

                        Normally, a rule that matches is retried, that
                   is,  the  rule loops until it fails. A RHS may also
                   be preceded  by  a  $@  or  a  $:  to  change  this
                   behavior.  A $@ prefix causes the ruleset to return
                   with the remainder of the RHS as the  value.  A  $:
                   prefix  causes  the  rule to terminate immediately,
                   but the ruleset to continue; this can  be  used  to
                   avoid  continued  application of a rule. The prefix
                   is stripped before continuing.

                        The $@ and $: prefixes may precede a $>  spec;
                   for example:

                       R$+     $: $>7 $1

                   matches anything, passes that to ruleset seven, and
                   continues; the $: is necessary to avoid an infinite
                   loop.

                        Substitution occurs in  the  order  described,
                   that  is,  parameters from the LHS are substituted,
                   hostnames  are  canonicalized,  "subroutines"   are
                   called, and finally $#, $@, and $: are processed.

                5.1.3. Semantics of rewriting rule sets

                        There  are  six  rewriting  sets   that   have
                   specific  semantics.  Five  of these are related as
                   depicted by figure 1.

                        Ruleset three should  turn  the  address  into
                   "canonical  form."  This form should have the basic
          ____________________
             [15]You may want to use it for special "per user"  exten-
          sions.  For  example,  in the address "jgm+foo@CMU.EDU"; the
          "+foo" part is not part of the user name, and is  passed  to
          the local mailer for local use.

          Sendmail Installation and Operation Guide          SMM:08-63

          ____________________________________________________________

                              +---+
                           -->| 0 |-->resolved address
                          /   +---+
                         /            +---+   +---+
                        /        ---->| 1 |-->| S |--
                 +---+ / +---+  /     +---+   +---+  \    +---+
          addr-->| 3 |-->| D |--                      --->| 4 |-->msg
                 +---+   +---+  \     +---+   +---+  /    +---+
                                  --->| 2 |-->| R |--
                                      +---+   +---+

                      Figure 1 -- Rewriting set semantics
                    D -- sender domain addition
                    S -- mailer-specific sender rewriting
                    R -- mailer-specific recipient rewriting
          ____________________________________________________________

                   syntax:

                       local-part@host-domain-spec

                   Ruleset three is applied by sendmail  before  doing
                   anything with any address.

                        If no "@" sign is specified,  then  the  host-
                   domain-spec  may  be appended (box "D" in Figure 1)
                   from the sender address (if the C flag  is  set  in
                   the  mailer definition corresponding to the sending
                   mailer).

                        Ruleset zero is applied after ruleset three to
                   addresses  that are going to actually specify reci-
                   pients.  It  must  resolve  to  a  {mailer,   host,
                   address}  triple. The mailer must be defined in the
                   mailer definitions from the configuration file. The
                   host  is  defined  into the $h macro for use in the
                   argv expansion of  the  specified  mailer.  Notice:
                   since the envelope sender address will be used if a
                   delivery status notification must be send, i.e., is
                   may  specify  a  recipient,  it is also run through
                   ruleset zero. If ruleset zero returns  a  temporary
                   error  4xy  then  delivery is deferred. This can be
                   used to temporarily disable delivery,  e.g.,  based
                   on the time of the day or other varying parameters.
                   It should not be used to quarantine e-mails.

                        Rulesets one and two are applied to all sender
                   and  recipient  addresses  respectively.  They  are
                   applied before  any  specification  in  the  mailer

          SMM:08-64          Sendmail Installation and Operation Guide

                   definition. They must never resolve.

                        Ruleset four is applied to  all  addresses  in
                   the  message.  It  is  typically  used to translate
                   internal to external form.

                        In addition, ruleset 5 is applied to all local
                   addresses  (specifically,  those  that resolve to a
                   mailer with the `F=5' flag set) that  do  not  have
                   aliases.  This  allows a last minute hook for local
                   names.

                5.1.4. Ruleset hooks

                        A few extra rulesets are  defined  as  "hooks"
                   that  can  be defined to get special features. They
                   are all named rulesets.  The  "check_*"  forms  all
                   give  accept/reject  status; falling off the end or
                   returning normally is an accept, and  resolving  to
                   $#error  is a reject or quarantine. Quarantining is
                   chosen by specifying quarantine in the second  part
                   of the mailer triplet:

                       $#error $@ quarantine $: Reason for quarantine

                   Many of these  can  also  resolve  to  the  special
                   mailer  name $#discard; this accepts the message as
                   though it were  successful  but  then  discards  it
                   without  delivery.  Note,  this  mailer  cannot  be
                   chosen as a mailer in ruleset 0. Note also that all
                   "check_*"  rulesets  have  to  deal  with temporary
                   failures, especially for map  lookups,  themselves,
                   i.e.,  they should return a temporary error code or
                   at least they should  make  a  proper  decision  in
                   those cases.

                   5.1.4.1. check_relay

                           The check_relay ruleset is called  after  a
                      connection  is accepted by the daemon. It is not
                      called when sendmail is started  using  the  -bs
                      option. It is passed

                          client.host.name $| client.host.address

                      where $| is a metacharacter separating  the  two
                      parts.  This ruleset can reject connections from
                      various locations. Note that it only checks  the
                      connecting  SMTP client IP address and hostname.
                      It does not check for third party message relay-
                      ing. The check_rcpt ruleset discussed below usu-
                      ally does third party message relay checking.

          Sendmail Installation and Operation Guide          SMM:08-65

                   5.1.4.2. check_mail

                           The check_mail ruleset is passed  the  user
                      name  parameter of the SMTP MAIL command. It can
                      accept or reject the address.

                   5.1.4.3. check_rcpt

                           The check_rcpt ruleset is passed  the  user
                      name  parameter of the SMTP RCPT command. It can
                      accept or reject the address.

                   5.1.4.4. check_data

                           The check_data ruleset is called after  the
                      SMTP  DATA  command, its parameter is the number
                      of recipients. It can accept or reject the  com-
                      mand.

                   5.1.4.5. check_compat

                           The check_compat ruleset is passed

                          sender-address $| recipient-address

                      where  $|  is  a  metacharacter  separating  the
                      addresses. It can accept or reject mail transfer
                      between  these  two  addresses  much  like   the
                      checkcompat()   function.   Note:   while  other
                      check_* rulesets are  invoked  during  the  SMTP
                      mail   receiption   stage  (i.e.,  in  the  SMTP
                      server), check_compat is invoked during the mail
                      delivery stage.

                   5.1.4.6. check_eoh

                           The check_eoh ruleset is passed

                          number-of-headers $| size-of-headers

                      where  $|  is  a  metacharacter  separating  the
                      numbers. These numbers can be used for size com-
                      parisons with the  arith  map.  The  ruleset  is
                      triggered  after  all  of  the headers have been
                      read. It can be used  to  correlate  information
                      gathered  from  those  headers  using  the macro
                      storage map. One possible use is to check for  a
                      missing header. For example:

          SMM:08-66          Sendmail Installation and Operation Guide

                          Kstorage macro
                          HMessage-Id: $>CheckMessageId

                          SCheckMessageId
                          # Record the presence of the header
                          R$*            $: $(storage {MessageIdCheck} $@ OK $) $1
                          R< $+ @ $+ >   $@ OK
                          R$*            $#error $: 553 Header Error

                          Scheck_eoh
                          # Check the macro
                          R$*            $: < $&{MessageIdCheck} >
                          # Clear the macro for the next message
                          R$*            $: $(storage {MessageIdCheck} $) $1
                          # Has a Message-Id: header
                          R< $+ >        $@ OK
                          # Allow missing Message-Id: from local mail
                          R$*            $: < $&{client_name} >
                          R< >           $@ OK
                          R< $=w >       $@ OK
                          # Otherwise, reject the mail
                          R$*            $#error $: 553 Header Error

                      Keep in mind the Message-Id:  header  is  not  a
                      required  header  and  is  not a guaranteed spam
                      indicator. This ruleset is an example and should
                      probably not be used in production.

                   5.1.4.7. check_eom

                           The check_eom ruleset is called  after  the
                      end  of  a message, its parameter is the message
                      size. It can accept or reject the message.

                   5.1.4.8. check_etrn

                           The check_etrn ruleset is passed the param-
                      eter  of the SMTP ETRN command. It can accept or
                      reject the command.

                   5.1.4.9. check_expn

                           The check_expn ruleset is passed  the  user
                      name  parameter of the SMTP EXPN command. It can
                      accept or reject the address.

                   5.1.4.10. check_vrfy

                           The check_vrfy ruleset is passed  the  user
                      name  parameter of the SMTP VRFY command. It can
                      accept or reject the command.

          Sendmail Installation and Operation Guide          SMM:08-67

                   5.1.4.11. trust_auth

                           The trust_auth ruleset is passed the  AUTH=
                      parameter  of  the SMTP MAIL command. It is used
                      to  determine  whether  this  value  should   be
                      trusted.  In  order  to  make this decision, the
                      ruleset may make use of  the  various  ${auth_*}
                      macros.  If  the  ruleset  does  resolve  to the
                      "error"  mailer  the  AUTH=  parameter  is   not
                      trusted  and  hence  not  passed  on to the next
                      relay.

                   5.1.4.12. tls_client

                           The tls_client ruleset is called when send-
                      mail  acts  as  server, after a STARTTLS command
                      has been issued, and from check_mail. The param-
                      eter  is  the value of ${verify} and STARTTLS or
                      MAIL, respectively. If the ruleset does  resolve
                      to  the  "error"  mailer,  the appropriate error
                      code is returned to the client.

                   5.1.4.13. tls_server

                           The tls_server ruleset is called when send-
                      mail  acts  as  client  after a STARTTLS command
                      (should) have been issued. The parameter is  the
                      value  of ${verify}. If the ruleset does resolve
                      to the "error" mailer, the connection is aborted
                      (treated  as non-deliverable with a permanent or
                      temporary error).

                   5.1.4.14. tls_rcpt

                           The tls_rcpt ruleset is  called  each  time
                      before  a RCPT TO command is sent. The parameter
                      is the current recipient. If  the  ruleset  does
                      resolve  to the "error" mailer, the RCPT TO com-
                      mand is suppressed (treated  as  non-deliverable
                      with  a  permanent  or  temporary  error).  This
                      ruleset allows to require encryption or  verifi-
                      cation  of  the recipient's MTA even if the mail
                      is somehow redirected to another host. For exam-
                      ple,  sending  mail  to luke@endmail.org may get
                      redirected to a host named death.star and  hence
                      the tls_server ruleset won't apply. By introduc-
                      ing  per  recipient  restrictions  such  attacks
                      (e.g., via DNS spoofing) can be made impossible.
                      See cf/README how this ruleset can be used.

          SMM:08-68          Sendmail Installation and Operation Guide

                   5.1.4.15. srv_features

                           The srv_features ruleset is called with the
                      connecting client's host name when a client con-
                      nects to sendmail. This ruleset should return $#
                      followed by a list of options (single characters
                      delimited by white space). If the  return  value
                      starts   with   anything  else  it  is  silently
                      ignored. Generally upper  case  characters  turn
                      off  a  feature while lower case characters turn
                      it on. Option `S' causes the server not to offer
                      STARTTLS,  which  is  useful  to  interact  with
                      MTAs/MUAs that have broken STARTTLS  implementa-
                      tions  by  simply not offering it. `V' turns off
                      the request for a client certificate during  the
                      TLS handshake. Options `A' and `P' suppress SMTP
                      AUTH and PIPELINING, respectively.  `c'  is  the
                      equivalent  to  AuthOptions=p,  i.e., it doesn't
                      permit mechanisms susceptible to simple  passive
                      attack  (e.g.,  PLAIN, LOGIN), unless a security
                      layer is active. Option `l' requires  SMTP  AUTH
                      for a connection. Options 'B', 'D', 'E', and 'X'
                      suppress SMTP VERB, DSN, ETRN, and EXPN, respec-
                      tively.

                          A        Do not offer AUTH
                          a        Offer AUTH (default)
                          B        Do not offer VERB
                          b        Offer VERB (default)
                          C        Do not require security layer for
                                   plaintext AUTH (default)
                          c        Require security layer for plaintext AUTH
                          D        Do not offer DSN
                          d        Offer DSN (default)
                          E        Do not offer ETRN
                          e        Offer ETRN (default)
                          L        Do not require AUTH (default)
                          l        Require AUTH
                          P        Do not offer PIPELINING
                          p        Offer PIPELINING (default)
                          S        Do not offer STARTTLS
                          s        Offer STARTTLS (default)
                          V        Do not request a client certificate
                          v        Request a client certificate (default)
                          X        Do not offer EXPN
                          x        Offer EXPN (default)

                      Note: the entries marked  as  ``(default)''  may
                      require  that  some configuration has been made,
                      e.g., SMTP AUTH is only  available  if  properly
                      configured.   Moreover,   many  options  can  be
                      changed on a global basis via other settings  as
                      explained    in   this   document,   e.g.,   via

          Sendmail Installation and Operation Guide          SMM:08-69

                      DaemonPortOptions.

                           The ruleset may return `$#temp' to indicate
                      that  there  is  a temporary problem determining
                      the correct features, e.g., if a map is unavail-
                      able.  In  that  case,  the SMTP server issues a
                      temporary failure and does not accept email.

                   5.1.4.16. try_tls

                           The try_tls ruleset is called when sendmail
                      connects  to  another  MTA.  If the ruleset does
                      resolve to the "error" mailer, sendmail does not
                      try STARTTLS even if it is offered. This is use-
                      ful to  interact  with  MTAs  that  have  broken
                      STARTTLS implementations by simply not using it.

                   5.1.4.17. authinfo

                           The authinfo ruleset is called  when  send-
                      mail  tries  to  authenticate to another MTA. It
                      should return $# followed by a  list  of  tokens
                      that are used for SMTP AUTH. If the return value
                      starts  with  anything  else  it   is   silently
                      ignored.  Each  token  is a tagged string of the
                      form: "TDstring" (including the quotes), where

                          T        Tag which describes the item
                          D        Delimiter: ':' simple text follows
                                   '=' string is base64 encoded
                          string   Value of the item

                      Valid values for the tag are:

                          U        user (authorization) id
                          I        authentication id
                          P        password
                          R        realm
                          M        list of mechanisms delimited by spaces

                      If this ruleset is defined, the  option  Defaul-
                      tAuthInfo  is  ignored (even if the ruleset does
                      not return a ``useful'' result).

                   5.1.4.18. queuegroup

                           The queuegroup ruleset is  used  to  map  a
                      recipient  address  to  a  queue group name. The
                      input for the ruleset is a recipient address  as
                      specified  by the SMTP RCPT command. The ruleset
                      should return $# followed by the name of a queue
                      group.  If the return value starts with anything
                      else it is silently  ignored.  See  the  section

          SMM:08-70          Sendmail Installation and Operation Guide

                      about ``Queue Groups and Queue Directories'' for
                      further information.

                   5.1.4.19. greet_pause

                           The greet_pause ruleset is used to  specify
                      the  amount  of time to pause before sending the
                      initial SMTP 220 greeting.  If  any  traffic  is
                      received  during  that pause, an SMTP 554 rejec-
                      tion response is given instead of the 220 greet-
                      ing  and  all  SMTP commands are rejected during
                      that connection. This helps protect  sites  from
                      open  proxies  and  SMTP  slammers.  The ruleset
                      should return $# followed by the number of  mil-
                      liseconds (thousandths of a second) to pause. If
                      the return value starts with anything else or is
                      not a number, it is silently ignored. Note: this
                      ruleset is not invoked (and hence the feature is
                      disabled)  when  the  smtps  (SMTP  over SSL) is
                      used, i.e., the s modifier is set for the daemon
                      via  DaemonPortOptions, because in this case the
                      SSL handshake is performed before  the  greeting
                      is sent.

                5.1.5. IPC mailers

                        Some special processing occurs if the  ruleset
                   zero  resolves  to an IPC mailer (that is, a mailer
                   that has "[IPC]" listed as the Path in the M confi-
                   guration  line. The host name passed after "$@" has
                   MX expansion performed  if  not  delivering  via  a
                   named socket; this looks the name up in DNS to find
                   alternate delivery sites.

                        The host name can also be provided as a dotted
                   quad  or  an  IPv6  address in square brackets; for
                   example:

                       [128.32.149.78]

                   or

                       [IPv6:2002:c0a8:51d2::23f4]

                   This causes direct conversion of the numeric  value
                   to an IP host address.

                        The host name passed in  after  the  "$@"  may
                   also  be  a  colon-separated list of hosts. Each is
                   separately MX expanded and  the  results  are  con-
                   catenated  to  make (essentially) one long MX list.
                   The intent here is to create "fake" MX records that
                   are  not  published  in  DNS  for  private internal

          Sendmail Installation and Operation Guide          SMM:08-71

                   networks.

                        As a final special case, the host name can  be
                   passed in as a text string in square brackets:

                       [ucbvax.berkeley.edu]

                   This form avoids the  MX  mapping.  N.B.:  This  is
                   intended  only for situations where you have a net-
                   work firewall or other host that  will  do  special
                   processing  for  all  your  mail,  so  that your MX
                   record points to a gateway  machine;  this  machine
                   could  then  do  direct delivery to machines within
                   your local domain. Use  of  this  feature  directly
                   violates  RFC  1123 section 5.3.5: it should not be
                   used lightly.

             5.2. D -- Define Macro

                     Macros are named with a single character or  with
                a word in {braces}. The names ``x'' and ``{x}'' denote
                the same macro for every single character ``x''.  Sin-
                gle  character  names  may be selected from the entire
                ASCII set, but user-defined macros should be  selected
                from  the  set  of upper case letters only. Lower case
                letters and special symbols are used internally.  Long
                names beginning with a lower case letter or a punctua-
                tion character are reserved for use  by  sendmail,  so
                user-defined  long  macro  names  should begin with an
                upper case letter.

                     The syntax for macro definitions is:

                    Dxval

                where x is the name of the macro (which may be a  sin-
                gle  character  or  a  word  in braces) and val is the
                value it should have. There should be no spaces  given
                that do not actually belong in the macro value.

                     Macros are interpolated using the  construct  $x,
                where  x  is the name of the macro to be interpolated.
                This interpolation is done when the configuration file
                is  read, except in M lines. The special construct $&x
                can be used in R lines to get deferred interpolation.

                     Conditionals can be specified using the syntax:

                    $?x text1 $| text2 $.

                This interpolates text1 if the macro  $x  is  set  and
                non-null,  and text2 otherwise. The "else" ($|) clause
                may be omitted.

          SMM:08-72          Sendmail Installation and Operation Guide

                     The following  macros  are  defined  and/or  used
                internally  by  sendmail for interpolation into argv's
                for mailers or for other contexts. The ones  marked  -
                are information passed  into  sendmail[16],  the  ones
                marked  =  are  information  passed both in and out of
                sendmail, and the unmarked macros are  passed  out  of
                sendmail  but are not otherwise used internally. These
                macros are:

                $a   The origination date in RFC 822 format.  This  is
                     extracted from the Date: line.

                $b   The current date in RFC 822 format.

                $c   The hop count. This is a count of the  number  of
                     Received:  lines plus the value of the -h command
                     line flag.

                $d   The current date in UNIX (ctime) format.

                $e-  (Obsolete;   use    SmtpGreetingMessage    option
                     instead.) The SMTP entry message. This is printed
                     out when SMTP starts up. The first word  must  be
                     the $j macro as specified by RFC 821. Defaults to
                     "$j Sendmail $v ready at $b". Commonly  redefined
                     to  include  the  configuration  version  number,
                     e.g., "$j Sendmail $v/$Z ready at $b"

                $f   The envelope sender (from) address.

                $g   The sender address relative to the recipient. For
                     example,  if  $f is "foo", $g will be "host!foo",
                     "foo@host.domain", or whatever is appropriate for
                     the receiving mailer.

                $h   The recipient host. This is set in ruleset 0 from
                     the $@ field of a parsed address.

                $i   The queue id, e.g., "f344MXxp018717".

                $j=  The "official" domain name for this site. This is
                     fully  qualified if the full qualification can be
                     found. It must be redefined to be the fully qual-
                     ified  domain  name if your system is not config-
                     ured so that information can  find  it  automati-
                     cally.

          ____________________
             [16]As of version 8.6, all of these macros  have  reason-
          able  defaults.  Previous versions required that they be de-
          fined.

          Sendmail Installation and Operation Guide          SMM:08-73

                $k   The UUCP node name (from the uname system call).

                $l-  (Obsolete; use UnixFromLine option instead.)  The
                     format  of  the  UNIX  from line. Unless you have
                     changed the UNIX mailbox format, you  should  not
                     change the default, which is "From $g $d".

                $m   The domain part of the gethostname return  value.
                     Under  normal  circumstances, $j is equivalent to
                     $w.$m.

                $n-  The name of  the  daemon  (for  error  messages).
                     Defaults to "MAILER-DAEMON".

                $o-  (Obsolete: use OperatorChars option instead.) The
                     set  of "operators" in addresses. A list of char-
                     acters which will be considered tokens and  which
                     will  separate  tokens  when  doing  parsing. For
                     example, if "@" were in the $o  macro,  then  the
                     input  "a@b"  would  be  scanned as three tokens:
                     "a," "@," and "b." Defaults to ".:@[]", which  is
                     the  minimum set necessary to do RFC 822 parsing;
                     a richer set of operators  is  ".:%@!/[]",  which
                     adds  support  for  UUCP,  the  %-hack, and X.400
                     addresses.

                $p   Sendmail's process id.

                $q-  Default format of sender address.  The  $q  macro
                     specifies  how an address should appear in a mes-
                     sage when it is defaulted. Defaults to "<$g>". It
                     is commonly redefined to be "$?x$x <$g>$|$g$." or
                     "$g$?x ($x)$.", corresponding  to  the  following
                     two formats:

                         Eric Allman <eric@CS.Berkeley.EDU>
                         eric@CS.Berkeley.EDU (Eric Allman)

                     Sendmail properly quotes names that have  special
                     characters if the first form is used.

                $r   Protocol used to receive the  message.  Set  from
                     the  -p  command  line flag or by the SMTP server
                     code.

                $s   Sender's host name. Set from the -p command  line
                     flag or by the SMTP server code (in which case it
                     is set to the EHLO/HELO parameter).

                $t   A numeric representation of the current  time  in
                     the  format YYYYMMDDHHmm (4 digit year 1900-9999,
                     2 digit month 01-12, 2 digit day 01-31,  2  digit
                     hours 00-23, 2 digit minutes 00-59).

          SMM:08-74          Sendmail Installation and Operation Guide

                $u   The recipient user.

                $v   The version number of the sendmail binary.

                $w=  The hostname of this site. This is the root  name
                     of this host (but see below for caveats).

                $x   The full name of the sender.

                $z   The home directory of the recipient.

                $_   The   validated   sender   address.   See    also
                     ${client_resolve}.

                ${addr_type}
                     The type of the address which is currently  being
                     rewritten.  This macro contains up to three char-
                     acters, the  first  is  either  `e'  or  `h'  for
                     envelope/header  address,  the second is a space,
                     and  the  third  is  either  `s'   or   `r'   for
                     sender/recipient address.

                ${alg_bits}
                     The maximum keylength (in bits) of the  symmetric
                     encryption  algorithm  used for a TLS connection.
                     This may be less than  the  effective  keylength,
                     which  is  stored in ${cipher_bits}, for ``export
                     controlled'' algorithms.

                ${auth_authen}
                     The client's authentication credentials as deter-
                     mined by authentication (only set if successful).
                     The format depends  on  the  mechanism  used,  it
                     might  be  just `user', or `user@realm', or some-
                     thing similar (SMTP AUTH only).

                ${auth_author}
                     The authorization identity, i.e. the AUTH= param-
                     eter of the SMTP MAIL command if supplied.

                ${auth_type}
                     The mechanism used for SMTP authentication  (only
                     set if successful).

                ${auth_ssf}
                     The keylength (in bits) of the symmetric  encryp-
                     tion  algorithm  used for the security layer of a
                     SASL mechanism.

                ${bodytype}
                     The message body  type  (7BIT  or  8BITMIME),  as
                     determined from the envelope.

          Sendmail Installation and Operation Guide          SMM:08-75

                ${cert_issuer}
                     The DN (distinguished name) of the  CA  (certifi-
                     cate  authority) that signed the presented certi-
                     ficate (the cert issuer) (STARTTLS only).

                ${cert_md5}
                     The  MD5  hash  of  the   presented   certificate
                     (STARTTLS only).

                ${cert_subject}
                     The DN of the presented certificate  (called  the
                     cert subject) (STARTTLS only).

                ${cipher}
                     The cipher suite used for the  connection,  e.g.,
                     EDH-DSS-DES-CBC3-SHA,  EDH-RSA-DES-CBC-SHA,  DES-
                     CBC-MD5, DES-CBC3-SHA (STARTTLS only).

                ${cipher_bits}
                     The effective keylength (in  bits)  of  the  sym-
                     metric  encryption  algorithm used for a TLS con-
                     nection.

                ${client_addr}
                     The IP address of the SMTP client. IPv6 addresses
                     are  tagged  with  "IPv6:"  before  the  address.
                     Defined in the SMTP server only.

                ${client_connections}
                     The number of open connections in the SMTP server
                     for the client IP address.

                ${client_flags}
                     The flags specified  by  the  Modifier=  part  of
                     ClientPortOptions  where flags are separated from
                     each other by spaces and  upper  case  flags  are
                     doubled. That is, Modifier=hA will be represented
                     as "h AA" in ${client_flags}, which  is  required
                     for testing the flags in rulesets.

                ${client_name}
                     The host name of the SMTP client. This may be the
                     client's  bracketed  IP  address  in  the  form [
                     nnn.nnn.nnn.nnn    ]    for    IPv4     and     [
                     IPv6:nnnn:...:nnnn  ] for IPv6 if the client's IP
                     address is not resolvable, or if it is resolvable
                     but  the  IP  address  of  the  resolved hostname
                     doesn't match the original IP address. Defined in
                     the SMTP server only. See also ${client_resolve}.

                ${client_port}
                     The port number of the SMTP  client.  Defined  in
                     the SMTP server only.

          SMM:08-76          Sendmail Installation and Operation Guide

                ${client_ptr}
                     The result of the PTR lookup for  the  client  IP
                     address. Note: this is the same as ${client_name}
                     if and only if ${client_resolve} is  OK.  Defined
                     in the SMTP server only.

                ${client_rate}
                     The number of incoming connections for the client
                     IP  address  over  the time interval specified by
                     ConnectionRateWindowSize.

                ${client_resolve}
                     Holds  the  result  of  the  resolve   call   for
                     ${client_name}. Possible values are:

                         OK        resolved successfully
                         FAIL      permanent lookup failure
                         FORGED    forward lookup doesn't match reverse lookup
                         TEMP      temporary lookup failure

                     Defined in the SMTP server  only.  sendmail  per-
                     forms  a hostname lookup on the IP address of the
                     connecting client. Next the IP addresses of  that
                     hostname  are looked up. If the client IP address
                     does not appear in that list, then  the  hostname
                     is  maybe  forged. This is reflected as the value
                     FORGED for ${client_resolve} and it also shows up
                     in $_ as "(may be forged)".

                ${cn_issuer}
                     The CN (common name) of the CA  that  signed  the
                     presented  certificate  (STARTTLS only). Note: if
                     the CN cannot be extracted properly  it  will  be
                     replaced  by  one  of  these strings based on the
                     encountered error:

                         BadCertificateContainsNULCN contains a NUL character
                         BadCertificateTooLong    CN is too long
                         BadCertificateUnknown    CN could not be extracted

                     In the last case, some other  (unspecific)  error
                     occurred.

                ${cn_subject}
                     The CN (common name) of the presented certificate
                     (STARTTLS  only).  See  ${cn_issuer} for possible
                     replacements.

                ${currHeader}
                     Header value as quoted string (possibly truncated
                     to  MAXNAME).  This  macro  is  only available in
                     header check rulesets.

          Sendmail Installation and Operation Guide          SMM:08-77

                ${daemon_addr}
                     The IP address the daemon  is  listening  on  for
                     connections.

                ${daemon_family}
                     The network family if  the  daemon  is  accepting
                     network   connections.  Possible  values  include
                     "inet", "inet6", "iso", "ns", "x.25"

                ${daemon_flags}
                     The flags for the  daemon  as  specified  by  the
                     Modifier=  part  of DaemonPortOptions whereby the
                     flags are separated from each  other  by  spaces,
                     and  upper  case  flags  are  doubled.  That  is,
                     Modifier=Ea will be  represented  as  "EE  a"  in
                     ${daemon_flags},  which  is  required for testing
                     the flags in rulesets.

                ${daemon_info}
                     Some information about a daemon as a text string.
                     For example, "SMTP+queueing@00:30:00".

                ${daemon_name}
                     The name of  the  daemon  from  DaemonPortOptions
                     Name=  suboption.  If  this suboption is not set,
                     "Daemon#", where # is the daemon number, is used.

                ${daemon_port}
                     The port the daemon is accepting  connection  on.
                     Unless  DaemonPortOptions  is set, this will most
                     likely be "25".

                ${deliveryMode}
                     The current delivery mode sendmail is  using.  It
                     is initially set to the value of the DeliveryMode
                     option.

                ${envid}
                     The envelope  id  parameter  (ENVID=)  passed  to
                     sendmail as part of the envelope.

                ${hdrlen}
                     The length of the header value which is stored in
                     ${currHeader}  (before  possible  truncation). If
                     this value is greater than or  equal  to  MAXNAME
                     the header has been truncated.

                ${hdr_name}
                     The name  of  the  header  field  for  which  the
                     current  header  check  ruleset  has been called.
                     This is useful for a default header check ruleset
                     to  get the name of the header; the macro is only
                     available in header check rulesets.

          SMM:08-78          Sendmail Installation and Operation Guide

                ${if_addr}
                     The IP address of the interface  of  an  incoming
                     connection unless it is in the loopback net. IPv6
                     addresses are  tagged  with  "IPv6:"  before  the
                     address.

                ${if_addr_out}
                     The IP address of the interface  of  an  outgoing
                     connection unless it is in the loopback net. IPv6
                     addresses are  tagged  with  "IPv6:"  before  the
                     address.

                ${if_family}
                     The IP family of the  interface  of  an  incoming
                     connection unless it is in the loopback net.

                ${if_family_out}
                     The IP family of the  interface  of  an  outgoing
                     connection unless it is in the loopback net.

                ${if_name}
                     The hostname associated with the interface of  an
                     incoming  connection.  This macro can be used for
                     SmtpGreetingMessage  and  HReceived  for  virtual
                     hosting. For example:

                         O SmtpGreetingMessage=$?{if_name}${if_name}$|$j$. MTA

                ${if_name_out}
                     The name of the interface of an outgoing  connec-
                     tion.

                ${load_avg}
                     The current load average.

                ${mail_addr}
                     The address part of the resolved  triple  of  the
                     address  given for the SMTP MAIL command. Defined
                     in the SMTP server only.

                ${mail_host}
                     The host from the resolved triple of the  address
                     given  for  the SMTP MAIL command. Defined in the
                     SMTP server only.

                ${mail_mailer}
                     The  mailer  from  the  resolved  triple  of  the
                     address  given for the SMTP MAIL command. Defined
                     in the SMTP server only.

                ${msg_id}
                     The value of the Message-Id: header.

          Sendmail Installation and Operation Guide          SMM:08-79

                ${msg_size}
                     The value of the SIZE= parameter,  i.e.,  usually
                     the  size  of the message (in an ESMTP dialogue),
                     before the message has been collected, thereafter
                     the message size as computed by sendmail (and can
                     be used in check_compat).

                ${nbadrcpts}
                     The number of bad recipients for  a  single  mes-
                     sage.

                ${nrcpts}
                     The number of validated recipients for  a  single
                     message. Note: since recipient validation happens
                     after check_rcpt has been called,  the  value  in
                     this  ruleset  is  one  less  than  what might be
                     expected.

                ${ntries}
                     The number of delivery attempts.

                ${opMode}
                     The current operation mode (from the -b flag).

                ${quarantine}
                     The quarantine reason for the envelope, if it  is
                     quarantined.

                ${queue_interval}
                     The queue run interval given by the -q flag.  For
                     example,  -q30m  would  set  ${queue_interval} to
                     "00:30:00".

                ${rcpt_addr}
                     The address part of the resolved  triple  of  the
                     address  given for the SMTP RCPT command. Defined
                     in the SMTP server only after a RCPT command.

                ${rcpt_host}
                     The host from the resolved triple of the  address
                     given  for  the SMTP RCPT command. Defined in the
                     SMTP server only after a RCPT command.

                ${rcpt_mailer}
                     The  mailer  from  the  resolved  triple  of  the
                     address  given for the SMTP RCPT command. Defined
                     in the SMTP server only after a RCPT command.

                ${server_addr}
                     The address of the server of the current outgoing
                     SMTP  connection.  For LMTP delivery the macro is
                     set to the name of the mailer.

          SMM:08-80          Sendmail Installation and Operation Guide

                ${server_name}
                     The name of the server of  the  current  outgoing
                     SMTP or LMTP connection.

                ${time}
                     The output of the  time(3)  function,  i.e.,  the
                     number  of  seconds  since  0 hours, 0 minutes, 0
                     seconds, January 1, 1970,  Coordinated  Universal
                     Time (UTC).

                ${tls_version}
                     The TLS/SSL  version  used  for  the  connection,
                     e.g., TLSv1, SSLv3, SSLv2; defined after STARTTLS
                     has been used.

                ${total_rate}
                     The total number of incoming connections over the
                     time  interval  specified  by  ConnectionRateWin-
                     dowSize.

                ${verify}
                     The result of the verification of  the  presented
                     cert;  only  defined after STARTTLS has been used
                     (or attempted). Possible values are:

                         OK           verification succeeded.
                         NO           no cert presented.
                         NOT          no cert requested.
                         FAIL         cert presented but could not be verified,
                                      e.g., the signing CA is missing.
                         NONE         STARTTLS has not been performed.
                         TEMP         temporary error occurred.
                         PROTOCOL     some protocol error occurred
                                      at the ESMTP level (not TLS).
                         SOFTWARE     STARTTLS handshake failed,
                                      which is a fatal error for this session,
                                      the e-mail will be queued.

                     There are three types of dates that can be  used.
                The  $a and $b macros are in RFC 822 format; $a is the
                time as extracted from the "Date:" line of the message
                (if  there  was  one),  and $b is the current date and
                time (used for postmarks). If no "Date:" line is found
                in the incoming message, $a is set to the current time
                also. The $d macro is equivalent to the  $b  macro  in
                UNIX (ctime) format.

                     The macros $w, $j, and $m are set to the identity
                of  this host. Sendmail tries to find the fully quali-
                fied name of the host if at all possible; it does this
                by  calling gethostname(2) to get the current hostname
                and then passing that  to  gethostbyname(3)  which  is

          Sendmail Installation and Operation Guide          SMM:08-81

                supposed  to return the canonical version of that host
                name.[17] Assuming this is successful, $j  is  set  to
                the  fully  qualified name and $m is set to the domain
                part of the name (everything after the first dot). The
                $w  macro  is set to the first word (everything before
                the first dot) if you have a level 5 or higher  confi-
                guration  file; otherwise, it is set to the same value
                as $j. If the canonification is not successful, it  is
                imperative  that  the  config file set $j to the fully
                qualified domain name[18].

                     The $f macro is the id of the  sender  as  origi-
                nally  determined; when mailing to a specific host the
                $g macro is set to the address of the sender  relative
                to   the   recipient.   For  example,  if  I  send  to
                "bollard@matisse.CS.Berkeley.EDU"  from  the   machine
                "vangogh.CS.Berkeley.EDU"  the $f macro will be "eric"
                and       the       $g       macro       will       be
                "eric@vangogh.CS.Berkeley.EDU."

                     The $x macro is set  to  the  full  name  of  the
                sender. This can be determined in several ways. It can
                be passed as flag to sendmail. It can  be  defined  in
                the NAME environment variable. The third choice is the
                value of the "Full-Name:" line in  the  header  if  it
                exists,  and the fourth choice is the comment field of
                a "From:" line. If all of these fail, and if the  mes-
                sage  is  being  originated  locally, the full name is
                looked up in the /etc/passwd file.

                     When sending, the $h, $u, and $z macros  get  set
                to  the  host,  user, and home directory (if local) of
                the recipient. The first two are set from the  $@  and
                $: part of the rewriting rules, respectively.

                     The $p and $t macros are used  to  create  unique
                strings  (e.g.,  for  the "Message-Id:" field). The $i
                macro is set to the queue id on this host; if put into
                the  timestamp  line  it  can  be extremely useful for
                tracking messages. The $v macro is set to be the  ver-
                sion  number  of  sendmail;  this  is  normally put in
                timestamps and has been proven  extremely  useful  for
                debugging.

          ____________________
             [17]For example, on some systems gethostname might return
          "foo"  which  would  be  mapped to "foo.bar.com" by gethost-
          byname.
             [18]Older versions of sendmail didn't  pre-define  $j  at
          all, so up until 8.6, config files always had to define $j.

          SMM:08-82          Sendmail Installation and Operation Guide

                     The $c field is set to the "hop count," i.e., the
                number  of times this message has been processed. This
                can be determined by the -h flag on the  command  line
                or by counting the timestamps in the message.

                     The $r and $s fields are set to the protocol used
                to communicate with sendmail and the sending hostname.
                They can be set together using  the  -p  command  line
                flag or separately using the -M or -oM flags.

                     The $_ is set to a validated sender host name. If
                the  sender  is  running  an  RFC 1413 compliant IDENT
                server and the receiver has the IDENT protocol  turned
                on, it will include the user name on that host.

                     The    ${client_name},    ${client_addr},     and
                ${client_port}  macros  are  set to the name, address,
                and port number of the SMTP  client  who  is  invoking
                sendmail as a server. These can be used in the check_*
                rulesets (using the $& deferred  evaluation  form,  of
                course!).

             5.3. C and F -- Define Classes

                     Classes of phrases may be defined to match on the
                left hand side of rewriting rules, where a "phrase" is
                a sequence of characters that does not  contain  space
                characters. For example a class of all local names for
                this site might be created so that attempts to send to
                oneself can be eliminated. These can either be defined
                directly in the configuration file  or  read  in  from
                another  file. Classes are named as a single letter or
                a word in {braces}. Class names beginning  with  lower
                case  letters  and special characters are reserved for
                system use. Classes defined in  config  files  may  be
                given  names  from  the  set of upper case letters for
                short names or beginning with an upper case letter for
                long names.

                     The syntax is:

                    Ccphrase1 phrase2...
                    Fcfile
                    Fc|program
                    Fc[mapkey]@mapclass:mapspec

                The first form defines the class c to match any of the
                named  words.  If phrase1 or phrase2 is another class,
                e.g., $=S, the contents of class S are added to  class
                c.  It  is  permissible  to  split them among multiple
                lines; for example, the two forms:

                    CHmonet ucbmonet

          Sendmail Installation and Operation Guide          SMM:08-83

                and

                    CHmonet
                    CHucbmonet

                are equivalent. The ``F'' forms read the  elements  of
                the  class  c  from  the  named  file, program, or map
                specification. Each element  should  be  listed  on  a
                separate line. To specify an optional file, use ``-o''
                between the class name and the file name, e.g.,

                    Fc -o /path/to/file

                If the file can't be used, sendmail will not  complain
                but  silently  ignore  it.  The  map form should be an
                optional map key, an at sign, and a map class followed
                by the specification for that map. Examples include:

                    F{VirtHosts}@ldap:-k (&(objectClass=virtHosts)(host=*)) -v host
                    F{MyClass}foo@hash:/etc/mail/classes

                will fill the class $={VirtHosts}  from  an  LDAP  map
                lookup and $={MyClass} from a hash database map lookup
                of the foo. There is also a built-in schema  that  can
                be accessed by only specifying:

                    F{ClassName}@LDAP

                This will tell sendmail to use the default schema:

                    -k (&(objectClass=sendmailMTAClass)
                         (sendmailMTAClassName=ClassName)
                         (|(sendmailMTACluster=${sendmailMTACluster})
                           (sendmailMTAHost=$j)))
                    -v sendmailMTAClassValue

                Note that the lookup is only  done  when  sendmail  is
                initially started.

                     Elements of classes  can  be  accessed  in  rules
                using  $=  or  $~. The $~ (match entries not in class)
                only matches a single word; multi-word entries in  the
                class are ignored in this context.

                     Some classes have internal meaning to sendmail:

                $=e  contains the Content-Transfer-Encodings that  can
                     be  8->7 bit encoded. It is predefined to contain
                     "7bit", "8bit", and "binary".

                $=k  set to be the same as $k, that is, the UUCP  node
                     name.

          SMM:08-84          Sendmail Installation and Operation Guide

                $=m  set to the set of domains by which this  host  is
                     known, initially just $m.

                $=n  can be set to the set of MIME body types that can
                     never  be eight to seven bit encoded. It defaults
                     to "multipart/signed". Message types  "message/*"
                     and  "multipart/*"  are  never  encoded directly.
                     Multipart  messages  are  always  handled  recur-
                     sively.  The  handling  of message/* messages are
                     controlled by class $=s.

                $=q  A set of Content-Types that will never be encoded
                     as  base64 (if they have to be encoded, they will
                     be encoded as quoted-printable). It can have pri-
                     mary  types (e.g., "text") or full types (such as
                     "text/plain").

                $=s  contains the set of subtypes of message that  can
                     be  treated  recursively.  By default it contains
                     only "rfc822". Other "message/*" types cannot  be
                     8->7  bit  encoded. If a message containing eight
                     bit data is sent to a seven bit  host,  and  that
                     message  cannot  be  encoded  into seven bits, it
                     will be stripped to 7 bits.

                $=t  set to the set of trusted users by the  T  confi-
                     guration  line. If you want to read trusted users
                     from a file, use Ft/file/name.

                $=w  set to be the set of all names this host is known
                     by. This can be used to match local hostnames.

                $={persistentMacros}
                     set to the macros that  should  be  saved  across
                     queue  runs.  Care  should  be  taken when adding
                     macro names to this class.

                     Sendmail can be  compiled  to  allow  a  scanf(3)
                string  on  the  F  line.  This lets you do simplistic
                parsing of text files. For example, to  read  all  the
                user  names  in  your  system  /etc/passwd file into a
                class, use

                    FL/etc/passwd %[^:]

                which reads every line up to the first colon.

             5.4. M -- Define Mailer

                     Programs and interfaces to mailers are defined in
                this line. The format is:

                    Mname, {field=value}*

          Sendmail Installation and Operation Guide          SMM:08-85

                where name is the name of the mailer (used  internally
                only)  and the "field=name" pairs define attributes of
                the mailer. Fields are:

                    Path      The pathname of the mailer
                    Flags     Special flags for this mailer
                    Sender    Rewriting set(s) for sender addresses
                    Recipient Rewriting set(s) for recipient addresses
                    recipientsMaximum number of recipients per connection
                    Argv      An argument vector to pass to this mailer
                    Eol       The end-of-line string for this mailer
                    Maxsize   The maximum message length to this mailer
                    maxmessagesThe maximum message deliveries per connection
                    Linelimit The maximum line length in the message body
                    Directory The working directory for the mailer
                    Userid    The default user and group id to run as
                    Nice      The nice(2) increment for the mailer
                    Charset   The default character set for 8-bit characters
                    Type      Type information for DSN diagnostics
                    Wait      The maximum time to wait for the mailer
                    QueuegroupThe default queue group for the mailer
                    /         The root directory for the mailer

                Only the first character of the field name is  checked
                (it's case-sensitive).

                     The following flags may  be  set  in  the  mailer
                description.  Any  other  flags  may be used freely to
                conditionally assign headers to messages destined  for
                particular mailers. Flags marked with - are not inter-
                preted by the sendmail binary; these are  the  conven-
                tionally used to correlate to the flags portion of the
                H line. Flags marked with = apply to the  mailers  for
                the  sender  address  rather  than the usual recipient
                mailers.

                a   Run Extended SMTP  (ESMTP)  protocol  (defined  in
                    RFCs  1869, 1652, and 1870). This flag defaults on
                    if the SMTP greeting  message  includes  the  word
                    "ESMTP".

                A   Look up the user (address) part  of  the  resolved
                    mailer  triple,  in  the  alias database. Normally
                    this is only set for local mailers.

                b   Force a blank line on the end of a  message.  This
                    is intended to work around some stupid versions of
                    /bin/mail that require a blank line,  but  do  not
                    provide  it  themselves.  It would not normally be
                    used on network mail.

                B   Strip leading backslashes (\) off of the  address;
                    this  is  a  subset  of the functionality of the s

          SMM:08-86          Sendmail Installation and Operation Guide

                    flag.

                c   Do not include comments in addresses. This  should
                    only  be  used if you have to work around a remote
                    mailer that gets confused by comments. This strips
                    addresses   of  the  form  "Phrase  <address>"  or
                    "address (Comment)" down to just "address".

                C=  If mail is received from a mailer with  this  flag
                    set,  any addresses in the header that do not have
                    an at sign ("@") after being rewritten by  ruleset
                    three  will  have  the  "@domain"  clause from the
                    sender envelope address  tacked  on.  This  allows
                    mail with headers of the form:

                        From: usera@hosta
                        To: userb@hostb, userc

                    to be rewritten as:

                        From: usera@hosta
                        To: userb@hostb, userc@hosta

                    automatically. However,  it  doesn't  really  work
                    reliably.

                d   Do not include angle brackets around route-address
                    syntax  addresses.  This is useful on mailers that
                    are going to pass addresses to a shell that  might
                    interpret  angle brackets as I/O redirection. How-
                    ever, it does  not  protect  against  other  shell
                    metacharacters.  Therefore, passing addresses to a
                    shell should not be considered secure.

                D-  This mailer wants a "Date:" header line.

                e   This mailer is expensive to connect to, so try  to
                    avoid  connecting  normally; any necessary connec-
                    tion will occur  during  a  queue  run.  See  also
                    option HoldExpensive.

                E   Escape lines beginning with "From " in the message
                    with a `>' sign.

                f   The mailer wants a -f from flag, but only if  this
                    is  a  network forward operation (i.e., the mailer
                    will give an error if the executing user does  not
                    have special permissions).

                F-  This mailer wants a "From:" header line.

                g   Normally,  sendmail  sends  internally   generated
                    email (e.g., error messages) using the null return

          Sendmail Installation and Operation Guide          SMM:08-87

                    address as required by  RFC  1123.  However,  some
                    mailers  don't  accept  a  null return address. If
                    necessary, you can set the g flag to prevent send-
                    mail  from  obeying  the standards; error messages
                    will be sent as from the MAILER-DAEMON  (actually,
                    the value of the $n macro).

                h   Upper case should be preserved in host names  (the
                    $@  portion  of  the  mailer triplet resolved from
                    ruleset 0) for this mailer.

                i   Do User  Database  rewriting  on  envelope  sender
                    address.

                I   This mailer will be speaking SMTP to another send-
                    mail  --  as  such  it  can  use  special protocol
                    features. This flag should not be used except  for
                    debugging  purposes  because  it uses VERB as SMTP
                    command.

                j   Do User Database rewriting on recipients  as  well
                    as senders.

                k   Normally when sendmail  connects  to  a  host  via
                    SMTP,  it  checks  to  make  sure  that this isn't
                    accidently the same host name as might  happen  if
                    sendmail  is  misconfigured or if a long-haul net-
                    work interface is set in loopback mode. This  flag
                    disables  the  loopback  check.  It should only be
                    used under very unusual circumstances.

                K   Currently unimplemented. Reserved for chunking.

                l   This mailer is local (i.e., final delivery will be
                    performed).

                L   Limit the line lengths as specified  in  RFC  821.
                    This  deprecated  option should be replaced by the
                    L= mail declaration. For historic reasons,  the  L
                    flag also sets the 7 flag.

                m   This mailer can send to multiple users on the same
                    host in one transaction. When a $u macro occurs in
                    the argv part of the mailer definition, that field
                    will  be  repeated as necessary for all qualifying
                    users. Removing this  flag  can  defeat  duplicate
                    supression  on  a remote site as each recipient is
                    sent in a separate transaction.

                M-  This mailer wants a "Message-Id:" header line.

                n   Do not insert a  UNIX-style  "From"  line  on  the
                    front of the message.

          SMM:08-88          Sendmail Installation and Operation Guide

                o   Always run as the owner of the recipient  mailbox.
                    Normally  sendmail  runs as the sender for locally
                    generated mail or as "daemon" (actually, the  user
                    specified in the u option) when delivering network
                    mail. The normal  behavior  is  required  by  most
                    local  mailers,  which will not allow the envelope
                    sender address to be set unless the mailer is run-
                    ning as daemon. This flag is ignored if the S flag
                    is set.

                p   Use the route-addr style reverse-path in the  SMTP
                    "MAIL  FROM:"  command rather than just the return
                    address; although this is required in RFC 821 sec-
                    tion  3.1, many hosts do not process reverse-paths
                    properly. Reverse-paths are officially discouraged
                    by RFC 1123.

                P-  This mailer wants a "Return-Path:" line.

                q   When an address that resolves to  this  mailer  is
                    verified   (SMTP   VRFY   command),  generate  250
                    responses instead  of  252  responses.  This  will
                    imply that the address is local.

                r   Same as f, but sends a -r flag.

                R   Open SMTP connections from a "secure" port. Secure
                    ports  aren't  (secure,  that  is)  except on UNIX
                    machines, so it is unclear  that  this  adds  any-
                    thing. sendmail must be running as root to be able
                    to use this flag.

                s   Strip quote  characters  ("  and  \)  off  of  the
                    address before calling the mailer.

                S   Don't reset the userid before calling the  mailer.
                    This  would  be used in a secure environment where
                    sendmail ran as root. This could be used to  avoid
                    forged  addresses.  If the U= field is also speci-
                    fied, this flag causes the effective user id to be
                    set to that user.

                u   Upper case should be preserved in user  names  for
                    this  mailer.   Standards  require preservation of
                    case in the local part of  addresses,  except  for
                    those   address  for  which  your  system  accepts
                    responsibility. RFC 2142 provides a long  list  of
                    addresses which should be case insensitive. If you
                    use this flag, you may be violating RFC 2142. Note
                    that postmaster is always treated as a case insen-
                    sitive address regardless of this flag.

          Sendmail Installation and Operation Guide          SMM:08-89

                U   This mailer wants UUCP-style "From" lines with the
                    ugly "remote from <host>" on the end.

                w   The  user  must  have  a  valid  account  on  this
                    machine,  i.e., getpwnam must succeed. If not, the
                    mail is  bounced.  See  also  the  MailBoxDatabase
                    option.  This  is required to get ".forward" capa-
                    bility.

                W   Ignore long term host status information (see Sec-
                    tion "Persistent Host Status Information").

                x-  This mailer wants a "Full-Name:" header line.

                X   This mailer wants to use the hidden dot  algorithm
                    as  specified  in  RFC  821;  basically,  any line
                    beginning with  a  dot  will  have  an  extra  dot
                    prepended  (to be stripped at the other end). This
                    insures that lines in the message containing a dot
                    will not terminate the message prematurely.

                z   Run Local Mail Transfer  Protocol  (LMTP)  between
                    sendmail  and  the local mailer. This is a variant
                    on SMTP defined in RFC 2033 that  is  specifically
                    designed for delivery to a local mailbox.

                Z   Apply DialDelay (if set) to this mailer.

                0   Don't look  up  MX  records  for  hosts  sent  via
                    SMTP/LMTP. Do not apply FallbackMXhost either.

                1   Don't send null characters ('\0') to this mailer.

                2   Don't use ESMTP even if offered;  this  is  useful
                    for  broken  systems  that offer ESMTP but fail on
                    EHLO (without recovering when HELO is tried next).

                3   Extend the list of  characters  converted  to  =XX
                    notation  when  converting  to Quoted-Printable to
                    include those that don't map cleanly between ASCII
                    and  EBCDIC.  Useful if you have IBM mainframes on
                    site.

                5   If no aliases are found for this address, pass the
                    address  through  ruleset 5 for possible alternate
                    resolution. This is intended to forward  the  mail
                    to an alternate delivery spot.

                6   Strip headers to seven bits.

                7   Strip all  output  to  seven  bits.  This  is  the
                    default  if  the L flag is set. Note that clearing
                    this option is not sufficient to  get  full  eight

          SMM:08-90          Sendmail Installation and Operation Guide

                    bit  data passed through sendmail. If the 7 option
                    is set, this is essentially always set, since  the
                    eighth  bit  was stripped on input. Note that this
                    option will only impact messages that didn't  have
                    8->7 bit MIME conversions performed.

                8   If set, it is acceptable to send eight bit data to
                    this mailer; the usual attempt to do 8->7 bit MIME
                    conversions will be bypassed.

                9   If set, do  limited  7->8  bit  MIME  conversions.
                    These conversions are limited to text/plain data.

                :   Check addresses to see if they begin  ":include:";
                    if  they  do,  convert  them  to  the  "*include*"
                    mailer.

                |   Check addresses to see if they begin with  a  `|';
                    if they do, convert them to the "prog" mailer.

                /   Check addresses to see if they begin with  a  `/';
                    if they do, convert them to the "*file*" mailer.

                @   Look up addresses in the user database.

                %   Do not attempt delivery on initial  receipt  of  a
                    message or on queue runs unless the queued message
                    is selected using one of the -qI/-qR/-qS queue run
                    modifiers or an ETRN request.

                !   Disable an MH hack that drops  an  explicit  From:
                    header  if  it  is the same as what sendmail would
                    generate.

                     Configuration files prior to level 6  assume  the
                `A',  `w',  `5', `:', `|', `/', and `@' options on the
                mailer named "local".

                     The mailer with the special name "error"  can  be
                used  to  generate  a  user error. The (optional) host
                field is an exit status to be returned, and  the  user
                field  is a message to be printed. The exit status may
                be numeric or one of the values USAGE, NOUSER, NOHOST,
                UNAVAILABLE,  SOFTWARE,  TEMPFAIL, PROTOCOL, or CONFIG
                to return the  corresponding  EX_  exit  code,  or  an
                enhanced error code as described in RFC 1893, Enhanced
                Mail System Status Codes. For example, the entry:

                    $#error $@ NOHOST $: Host unknown in this domain

                on the RHS of a rule will cause the specified error to
                be  generated and the "Host unknown" exit status to be
                returned if the  LHS  matches.  This  mailer  is  only

          Sendmail Installation and Operation Guide          SMM:08-91

                functional  in  rulesets  0,  5, or one of the check_*
                rulesets. The host field can also contain the  special
                token  quarantine  which instructs sendmail to quaran-
                tine the current message.

                     The mailer with the special name "discard" causes
                any  mail  sent  to  it  to be discarded but otherwise
                treated as though it were successfully delivered. This
                mailer  cannot be used in ruleset 0, only in the vari-
                ous address checking rulesets.

                     The mailer named "local" must be defined in every
                configuration  file.  This  is  used  to deliver local
                mail, and is treated specially in several ways.  Addi-
                tionally,  three other mailers named "prog", "*file*",
                and "*include*" may be defined to tune the delivery of
                messages  to  programs,  files,  and  :include:  lists
                respectively. They default to:

                    Mprog, P=/bin/sh, F=lsoDq9, T=DNS/RFC822/X-Unix, A=sh -c $u
                    M*file*, P=[FILE], F=lsDFMPEouq9, T=DNS/RFC822/X-Unix, A=FILE $u
                    M*include*, P=/dev/null, F=su, A=INCLUDE $u

                     Builtin  pathnames  are  [FILE]  and  [IPC],  the
                former  is  used for delivery to files, the latter for
                delivery via interprocess communication.  For  mailers
                that  use  [IPC]  as pathname the argument vector (A=)
                must start with TCP or FILE for delivery via a TCP  or
                a Unix domain socket. If TCP is used, the second argu-
                ment must be the name of the host to contact.  Option-
                ally  a  third argument can be used to specify a port,
                the default is smtp (port 25). If FILE  is  used,  the
                second  argument  must  be the name of the Unix domain
                socket.

                     If the argument vector does not contain  $u  then
                sendmail will speak SMTP (or LMTP if the mailer flag z
                is specified) to the mailer.

                     If no Eol field is defined, then the  default  is
                "\r\n" for SMTP mailers and "\n" of others.

                     The  Sender  and  Recipient  rewriting  sets  may
                either  be  a  simple  ruleset  id  or  may be two ids
                separated by a slash; if so, the first  rewriting  set
                is  applied  to  envelope  addresses and the second is
                applied to headers. Setting any value to zero disables
                corresponding mailer-specific rewriting.

                     The Directory is actually a colon-separated  path
                of  directories  to  try.  For example, the definition
                "D=$z:/" first tries to  execute  in  the  recipient's

          SMM:08-92          Sendmail Installation and Operation Guide

                home  directory; if that is not available, it tries to
                execute  in  the  root  of  the  filesystem.  This  is
                intended  to  be used only on the "prog" mailer, since
                some shells (such as csh) refuse to  execute  if  they
                cannot  read  the  current  directory. Since the queue
                directory is not  normally  readable  by  unprivileged
                users csh scripts as recipients can fail.

                     The Userid specifies the default user  and  group
                id  to  run  as,  overriding  the  DefaultUser  option
                (q.v.). If the S mailer flag is also  specified,  this
                user  and  group  will be set as the effective uid and
                gid for the process. This may be given  as  user:group
                to  set  both  the user and group id; either may be an
                integer or a symbolic name to  be  looked  up  in  the
                passwd  and  group  files respectively. If only a sym-
                bolic user name is specified,  the  group  id  in  the
                passwd file for that user is used as the group id.

                     The Charset field is used when converting a  mes-
                sage  to  MIME;  this is the character set used in the
                Content-Type:  header.  If  this  is  not   set,   the
                DefaultCharset option is used, and if that is not set,
                the value "unknown-8bit" is used. WARNING: this  field
                applies  to  the  sender's mailer, not the recipient's
                mailer. For example, if the  envelope  sender  address
                lists  an  address  on the local network and the reci-
                pient is on an external  network,  the  character  set
                will be set from the Charset= field for the local net-
                work mailer, not that of the external network mailer.

                     The Type= field sets the type information used in
                MIME  error  messages  as  defined  by RFC 1894. It is
                actually three values separated by slashes:  the  MTA-
                type  (that  is,  the  description  of  how  hosts are
                named), the address type (the  description  of  e-mail
                addresses),  and  the diagnostic type (the description
                of error diagnostic codes). Each of these  must  be  a
                registered  value  or  begin with "X-". The default is
                "dns/rfc822/smtp".

                     The m= field specifies the maximum number of mes-
                sages  to  attempt to deliver on a single SMTP or LMTP
                connection. The default is infinite.

                     The r= field  specifies  the  maximum  number  of
                recipients to attempt to deliver in a single envelope.
                It defaults to 100.

                     The /= field specifies a new root  directory  for
                the  mailer.   The  path  is  macro  expanded and then
                passed to the "chroot" system call.  The  root  direc-
                tory   is   changed  before  the  Directory  field  is

          Sendmail Installation and Operation Guide          SMM:08-93

                consulted or the uid is changed.

                     The Wait= field specifies  the  maximum  time  to
                wait  for  the mailer to return after sending all data
                to it. This applies to mailers that have  been  forked
                by sendmail.

                     The Queuegroup= field specifies the default queue
                group  in  which  received mail should be queued. This
                can be overridden by other means as explained in  sec-
                tion ``Queue Groups and Queue Directories''.

             5.5. H -- Define Header

                     The format of  the  header  lines  that  sendmail
                inserts  into  the  message are defined by the H line.
                The syntax of this line is one of the following:

                    Hhname: htemplate

                    H[?mflags?]hname: htemplate

                    H[?${macro}?]hname: htemplate

                Continuation lines in this spec are reflected directly
                into  the  outgoing  message.  The htemplate is macro-
                expanded before insertion into  the  message.  If  the
                mflags  (surrounded  by question marks) are specified,
                at least one of the specified flags must be stated  in
                the  mailer definition for this header to be automati-
                cally output. If a ${macro}  (surrounded  by  question
                marks)  is specified, the header will be automatically
                output if the macro is set. The macro may be set using
                any  of  the normal methods, including using the macro
                storage map in a ruleset. If one of these  headers  is
                in  the input it is reflected to the output regardless
                of these flags or macros. Notice:  If  a  ${macro}  is
                used  to  set  a header, then it is useful to add that
                macro to class $={persistentMacros} which consists  of
                the macros that should be saved across queue runs.

                     Some headers have special semantics that will  be
                described later.

                     A secondary syntax allows validation  of  headers
                as they are being read. To enable validation, use:

                    HHeader: $>Ruleset
                    HHeader: $>+Ruleset

                The indicated Ruleset  is  called  for  the  specified

          SMM:08-94          Sendmail Installation and Operation Guide

                Header, and can return $#error to reject or quarantine
                the message or $#discard to discard  the  message  (as
                with the other check_* rulesets). The ruleset receives
                the header  field-body  as  argument,  i.e.,  not  the
                header  field-name;  see  also ${hdr_name} and ${curr-
                Header}. The header is treated as a structured  field,
                that  is,  text  in parentheses is deleted before pro-
                cessing, unless the second form  $>+  is  used.  Note:
                only  one  ruleset  can  be  associated with a header;
                sendmail will silently ignore multiple entries.

                     For example, the configuration lines:

                    HMessage-Id: $>CheckMessageId

                    SCheckMessageId
                    R< $+ @ $+  >$@ OK
                    R$*       $#error $: Illegal Message-Id header

                would refuse any message that had a Message-Id: header
                of any of the following forms:

                    Message-Id: <>
                    Message-Id: some text
                    Message-Id: <legal text@domain> extra crud

                A default ruleset that is  called  for  headers  which
                don't  have a specific ruleset defined for them can be
                specified by:

                    H*: $>Ruleset

                or

                    H*: $>+Ruleset

             5.6. O -- Set Option

                     There are a number of global options that can  be
                set from a configuration file. Options are represented
                by full words; some are also representable  as  single
                characters  for back compatibility. The syntax of this
                line is:

                    O  option=value

                This sets option option to be value. Note  that  there
                must be a space between the letter `O' and the name of
                the option. An older version is:

                    Oovalue

          Sendmail Installation and Operation Guide          SMM:08-95

                where the option o is a single character. Depending on
                the  option,  value  may  be  a  string, an integer, a
                boolean (with legal values "t", "T", "f", or "F";  the
                default is TRUE), or a time interval.

                     All filenames used in options should be  absolute
                paths,  i.e.,  starting  with  '/'. Relative filenames
                most likely cause surprises during  operation  (unless
                otherwise noted).

                     The options supported (with the old, one  charac-
                ter names in brackets) are:

                AliasFile=spec, spec, ...
                          [A] Specify  possible  alias  file(s).  Each
                          spec should be in the format ``class: info''
                          where class: is  optional  and  defaults  to
                          ``implicit''. Note that info is required for
                          all classes except "ldap".  For  the  "ldap"
                          class,  if  info is not specified, a default
                          info value is used as follows:

                              -k (&(objectClass=sendmailMTAAliasObject)
                                   (sendmailMTAAliasName=aliases)
                                   (|(sendmailMTACluster=${sendmailMTACluster})
                                     (sendmailMTAHost=$j))
                                   (sendmailMTAKey=%0))
                              -v sendmailMTAAliasValue

                          Depending on how sendmail is compiled, valid
                          classes  are  "implicit"  (search  through a
                          compiled-in list of alias  file  types,  for
                          back  compatibility),  "hash"  (if  NEWDB is
                          specified), "btree" (if NEWDB is specified),
                          "dbm" (if NDBM is specified), "stab" (inter-
                          nal symbol table -- not normally used unless
                          you   have   no   other   database  lookup),
                          "sequence" (use a sequence  of  maps  previ-
                          ously   declared),  "ldap"  (if  LDAPMAP  is
                          specified), or "nis" (if NIS is  specified).
                          If  a  list  of specs are provided, sendmail
                          searches them in order.

                AliasWait=timeout
                          [a]  If  set,  wait  up  to  timeout  (units
                          default  to  minutes)  for an "@:@" entry to
                          exist in the alias database before  starting
                          up.  If  it  does  not appear in the timeout
                          interval issue a warning.

                AllowBogusHELO
                          [no short name] If set, allow HELO SMTP com-
                          mands   that  don't  include  a  host  name.

          SMM:08-96          Sendmail Installation and Operation Guide

                          Setting  this  violates  RFC  1123   section
                          5.2.5, but is necessary to interoperate with
                          several SMTP clients. If there is  a  value,
                          it is still checked for legitimacy.

                AuthMaxBits=N
                          [no short name] Limit the maximum encryption
                          strength for the security layer in SMTP AUTH
                          (SASL). Default  is  essentially  unlimited.
                          This  allows  to turn off additional encryp-
                          tion in SASL if STARTTLS is already encrypt-
                          ing  the communication, because the existing
                          encryption strength is  taken  into  account
                          when  choosing an algorithm for the security
                          layer. For example, if STARTTLS is used  and
                          the  symmetric  cipher is 3DES, then the the
                          keylength (in bits) is  168.  Hence  setting
                          AuthMaxBits  to 168 will disable any encryp-
                          tion in SASL.

                AuthMechanisms
                          [no  short  name]  List  of   authentication
                          mechanisms  for  AUTH (separated by spaces).
                          The  advertised   list   of   authentication
                          mechanisms  will be the intersection of this
                          list and the list of available mechanisms as
                          determined  by  the  Cyrus  SASL library. If
                          STARTTLS is active, EXTERNAL will  be  added
                          to  this  list.  In  that case, the value of
                          {cert_subject} is used as authentication id.

                AuthOptions
                          [no short name] List  of  options  for  SMTP
                          AUTH  consisting  of  single characters with
                          intervening white space or commas.

          Sendmail Installation and Operation Guide          SMM:08-97

                              A   Use the AUTH= parameter for the MAIL FROM
                                  command only when authentication succeeded.
                                  This can be used as a workaround for broken
                                  MTAs that do not implement RFC 2554 correctly.
                              a   protection from active (non-dictionary) attacks
                                  during authentication exchange.
                              c   require mechanisms which pass client credentials,
                                  and allow mechanisms which can pass credentials
                                  to do so.
                              d   don't permit mechanisms susceptible to passive
                                  dictionary attack.
                              f   require forward secrecy between sessions
                                  (breaking one won't help break next).
                              m   require mechanisms which provide mutual authentication
                                  (only available if using Cyrus SASL v2 or later).
                              p   don't permit mechanisms susceptible to simple
                                  passive attack (e.g., PLAIN, LOGIN), unless a
                                  security layer is active.
                              y   don't permit mechanisms that allow anonymous login.

                          The first option applies to  sendmail  as  a
                          client, the others to a server. Example:

                              O AuthOptions=p,y

                          would disallow ANONYMOUS as  AUTH  mechanism
                          and  would  allow  PLAIN and LOGIN only if a
                          security layer (e.g., provided by  STARTTLS)
                          is  already  active.  The  options 'a', 'c',
                          'd', 'f', 'p', and 'y' refer  to  properties
                          of  the  selected  SASL mechanisms. Explana-
                          tions of these properties can  be  found  in
                          the Cyrus SASL documentation.

                AuthRealm [no short  name]  The  authentication  realm
                          that is passed to the Cyrus SASL library. If
                          no realm is specified, $j is used.

                BadRcptThrottle=N
                          [no short name] If  set  and  the  specified
                          number  of recipients in a single SMTP tran-
                          saction have been rejected,  sleep  for  one
                          second after each subsequent RCPT command in
                          that transaction.

                BlankSub=c
                          [B] Set the blank substitution character  to
                          c. Unquoted spaces in addresses are replaced
                          by this character. Defaults to space  (i.e.,
                          no change is made).

                CACertPath
                          [no  short  name]  Path  to  directory  with

          SMM:08-98          Sendmail Installation and Operation Guide

                          certificates  of  CAs. This directory direc-
                          tory must contain the hashes of each CA cer-
                          tificate as filenames (or as links to them).

                CACertFile
                          [no short name] File containing one or  more
                          CA  certificates; see section about STARTTLS
                          for more information.

                CheckAliases
                          [n]  Validate  the  RHS  of   aliases   when
                          rebuilding the alias database.

                CheckpointInterval=N
                          [C] Checkpoints the queue every  N  (default
                          10)  addresses  sent. If your system crashes
                          during  delivery  to  a  large  list,   this
                          prevents  retransmission to any but the last
                          N recipients.

                ClassFactor=fact
                          [z] The indicated factor  is  multiplied  by
                          the  message  class  (determined by the Pre-
                          cedence: field in the user header and the  P
                          lines  in  the  configuration file) and sub-
                          tracted from the  priority.  Thus,  messages
                          with  a  higher  Priority:  will be favored.
                          Defaults to 1800.

                ClientCertFile
                          [no short name] File containing the certifi-
                          cate  of  the client, i.e., this certificate
                          is used when sendmail acts  as  client  (for
                          STARTTLS).

                ClientKeyFile
                          [no short name] File containing the  private
                          key belonging to the client certificate (for
                          STARTTLS if sendmail runs as client).

                ClientPortOptions=options
                          [O] Set client SMTP options. The options are
                          key=value  pairs  separated by commas. Known
                          keys are:

                              Port      Name/number of source port for connection (defaults to any free port)
                              Addr      Address mask (defaults INADDR_ANY)
                              Family    Address family (defaults to INET)
                              SndBufSizeSize of TCP send buffer
                              RcvBufSizeSize of TCP receive buffer
                              Modifier  Options (flags) for the client

                          The Address mask may be a numeric address in

          Sendmail Installation and Operation Guide          SMM:08-99

                          IPv4  dot notation or IPv6 colon notation or
                          a network name. Note that if a network  name
                          is  specified,  only  the  first  IP address
                          returned for it will be used. This may cause
                          indeterminate  behavior  for  network  names
                          that resolve to multiple  addresses.  There-
                          fore,  use  of  an  address  is recommended.
                          Modifier can be the following character:

                              h         use name of interface for HELO command
                              A         don't use AUTH when sending e-mail
                              S         don't use STARTTLS when sending e-mail

                          If ``h'' is set, the name  corresponding  to
                          the   outgoing  interface  address  (whether
                          chosen via the Connection parameter  or  the
                          default)  is used for the HELO/EHLO command.
                          However, the name  must  not  start  with  a
                          square  bracket and it must contain at least
                          one dot. This is a simple test  whether  the
                          name  is not an IP address (in square brack-
                          ets) but a  qualified  hostname.  Note  that
                          multiple   ClientPortOptions   settings  are
                          allowed in order to give settings  for  each
                          protocol  family  (e.g., one for Family=inet
                          and one  for  Family=inet6).  A  restriction
                          placed  on  one family only affects outgoing
                          connections on that particular family.

                ColonOkInAddr
                          [no short name] If set, colons  are  accept-
                          able     in    e-mail    addresses    (e.g.,
                          "host:user"). If not  set,  colons  indicate
                          the  beginning  of a RFC 822 group construct
                          ("groupname:  member1,  member2,  ...   mem-
                          berN;").  Doubled  colons are always accept-
                          able ("nodename::user")  and  proper  route-
                          addr       nesting       is       understood
                          ("<@relay:user@host>").  Furthermore,   this
                          option defaults on if the configuration ver-
                          sion level is less than 6 (for back compati-
                          bility).  However,  it  must be off for full
                          compatibility with RFC 822.

                ConnectionCacheSize=N
                          [k] The maximum number of  open  connections
                          that  will  be cached at a time. The default
                          is one. This delays closing the current con-
                          nection  until  either  this  invocation  of
                          sendmail needs to connect to another host or
                          it  terminates.  Setting it to zero defaults
                          to the old behavior,  that  is,  connections
                          are  closed immediately. Since this consumes

          SMM:08-100         Sendmail Installation and Operation Guide

                          file  descriptors,  the   connection   cache
                          should  be kept small: 4 is probably a prac-
                          tical maximum.

                ConnectionCacheTimeout=timeout
                          [K] The maximum amount of time a cached con-
                          nection  will  be  permitted to idle without
                          activity. If this time is exceeded, the con-
                          nection  is  immediately  closed. This value
                          should  be  small  (on  the  order  of   ten
                          minutes). Before sendmail uses a cached con-
                          nection, it always sends a RSET  command  to
                          check the connection; if this fails, it reo-
                          pens the connection.  This  keeps  your  end
                          from failing if the other end times out. The
                          point of this option is to be a good network
                          neighbor   and   avoid  using  up  excessive
                          resources on the other end. The  default  is
                          five minutes.

                ConnectOnlyTo=address
                          [no short name] This can be used to override
                          the  connection  address  (for  testing pur-
                          poses).

                ConnectionRateThrottle=N
                          [no short name] If set to a positive  value,
                          allow no more than N incoming connections in
                          a one second  period  per  daemon.  This  is
                          intended  to flatten out peaks and allow the
                          load average checking to cut in. Defaults to
                          zero (no limits).

                ConnectionRateWindowSize=N
                          [no short name] Define  the  length  of  the
                          interval  for  which  the number of incoming
                          connections is maintained. The default is 60
                          seconds.

                ControlSocketName=name
                          [no short name] Name of the  control  socket
                          for  daemon  management.  A running sendmail
                          daemon can be controlled through this  named
                          socket. Available commands are: help, mstat,
                          restart, shutdown, and  status.  The  status
                          command returns the current number of daemon
                          children, the maximum number of daemon chil-
                          dren, the free disk space (in blocks) of the
                          queue directory, and the load average of the
                          machine expressed as an integer. If not set,
                          no control socket will be available. Solaris
                          and  pre-4.4BSD  kernel users should see the
                          note in sendmail/README .

          Sendmail Installation and Operation Guide         SMM:08-101

                CRLFile=name
                          [no short name] Name of file  that  contains
                          certificate  revocation  status,  useful for
                          X.509v3   authentication.    CRL    checking
                          requires  at  least  OpenSSL  version 0.9.7.
                          Note: if a CRLFile is specified but the file
                          is unusable, STARTTLS is disabled.

                DHParameters
                          Possible values are:

                              5         use precomputed 512 bit prime
                              1         generate 1024 bit prime
                              2         generate 2048 bit prime
                              none      do not use Diffie-Hellman
                              NAME      load prime from file

                          This is only required if a ciphersuite  con-
                          taining   DSA/DH   is   used.  If  ``5''  is
                          selected, then precomputed, fixed primes are
                          used.  This  is  the  default for the client
                          side. If ``1'' or ``2''  is  selected,  then
                          prime  values  are  computed during startup.
                          The server side default is ``1''. Note: this
                          operation  can  take a significant amount of
                          time on a slow  machine  (several  seconds),
                          but  it  is  only  done  once at startup. If
                          ``none'' is selected, then TLS  ciphersuites
                          containing  DSA/DH cannot be used. If a file
                          name is specified (which must be an absolute
                          path), then the primes are read from it.

                DaemonPortOptions=options
                          [O] Set server SMTP options.  Each  instance
                          of  DaemonPortOptions leads to an additional
                          incoming socket. The options  are  key=value
                          pairs. Known keys are:

                              Name      User-definable name for the daemon (defaults to "Daemon#")
                              Port      Name/number of listening port (defaults to "smtp")
                              Addr      Address mask (defaults INADDR_ANY)
                              Family    Address family (defaults to INET)
                              InputMailFiltersList of input mail filters for the daemon
                              Listen    Size of listen queue (defaults to 10)
                              Modifier  Options (flags) for the daemon
                              SndBufSizeSize of TCP send buffer
                              RcvBufSizeSize of TCP receive buffer
                              children  maximum number of children per daemon, see MaxDaemonChildren.
                              DeliveryModeDelivery mode per daemon, see DeliveryMode.
                              refuseLA  RefuseLA per daemon
                              delayLA   DelayLA per daemon
                              queueLA   QueueLA per daemon

          SMM:08-102         Sendmail Installation and Operation Guide

                          The Name key is used for error messages  and
                          logging.  The  Address mask may be a numeric
                          address in IPv4 dot notation or  IPv6  colon
                          notation  or  a network name. Note that if a
                          network name is specified, only the first IP
                          address  returned  for it will be used. This
                          may cause indeterminate behavior for network
                          names  that  resolve  to multiple addresses.
                          Therefore, use of an address is recommended.
                          The Family key defaults to INET (IPv4). IPv6
                          users who wish to also accept  IPv6  connec-
                          tions  should  add  additional  Family=inet6
                          DaemonPortOptions  lines.   The   InputMail-
                          Filters  key  overrides  the default list of
                          input mail filters listed in the  InputMail-
                          Filters   option.  If  multiple  input  mail
                          filters are required, they must be separated
                          by  semicolons (not commas). Modifier can be
                          a sequence (without any delimiters)  of  the
                          following characters:

                              a         always require authentication
                              b         bind to interface through which mail has been received
                              c         perform hostname canonification (.cf)
                              f         require fully qualified hostname (.cf)
                              s         Run smtps (SMTP over SSL) instead of smtp
                              u         allow unqualified addresses (.cf)
                              A         disable AUTH (overrides 'a' modifier)
                              C         don't perform hostname canonification
                              E         disallow ETRN (see RFC 2476)
                              O         optional; if opening the socket fails ignore it
                              S         don't offer STARTTLS

                          That is, one way to specify a  message  sub-
                          mission  agent  (MSA)  that  always requires
                          authentication is:

                              O DaemonPortOptions=Name=MSA, Port=587, M=Ea

                          The modifiers that are marked  with  "(.cf)"
                          have  only effect in the standard configura-
                          tion file, in which they are  available  via
                          ${daemon_flags}.  Notice:  Do  not  use  the
                          ``a'' modifier on a public  accessible  MTA!
                          It  should  only  be  used for a MSA that is
                          accessed by  authorized  users  for  initial
                          mail  submission. Users must authenticate to
                          use a MSA which has this option  turned  on.
                          The  flags  ``c''  and  ``C'' can change the
                          default for hostname canonification  in  the
                          sendmail.cf  file. See the relevant documen-
                          tation for FEATURE(nocanonify). The modifier
                          ``f''   disallows   addresses  of  the  form

          Sendmail Installation and Operation Guide         SMM:08-103

                          user@host   unless   they   are    submitted
                          directly.  The flag ``u'' allows unqualified
                          sender addresses, i.e., those without @host.
                          ``b''  forces sendmail to bind to the inter-
                          face  through  which  the  e-mail  has  been
                          received  for the outgoing connection. WARN-
                          ING: Use ``b'' only if outgoing mail can  be
                          routed  through  the  incoming  connection's
                          interface to its destination. No attempt  is
                          made  to  catch  problems due to a misconfi-
                          guration of this parameter, use it only  for
                          virtual hosting where each virtual interface
                          can connect to every possible location. This
                          will  also  override  possible  settings via
                          ClientPortOptions.   Note,   sendmail   will
                          listen on a new socket for each occurence of
                          the DaemonPortOptions option in a configura-
                          tion  file.  The modifier ``O'' causes send-
                          mail to ignore  a  socket  if  it  can't  be
                          opened.  This  applies  to failures from the
                          socket(2) and bind(2) calls.

                DefaultAuthInfo
                          [no  short  name]  Filename  that   contains
                          default  authentication information for out-
                          going connections. This  file  must  contain
                          the user id, the authorization id, the pass-
                          word (plain text), the realm and the list of
                          mechanisms to use on separate lines and must
                          be readable by root (or  the  trusted  user)
                          only.  If no realm is specified, $j is used.
                          If no mechanisms  are  specified,  the  list
                          given  by  AuthMechanisms  is  used. Notice:
                          this  option  is  deprecated  and  will   be
                          removed  in  future  versions.  Moreover, it
                          doesn't work for the MSP since it can't read
                          the  file (the file must not be group/world-
                          readable otherwise sendmail will  complain).
                          Use  the authinfo ruleset instead which pro-
                          vides more control over  the  usage  of  the
                          data anyway.

                DefaultCharSet=charset
                          [no short name] When a message that  has  8-
                          bit  characters but is not in MIME format is
                          converted  to  MIME  (see  the  EightBitMode
                          option)  a character set must be included in
                          the Content-Type: header. This character set
                          is  normally  set from the Charset= field of
                          the mailer descriptor. If that is  not  set,
                          the  value  of  this option is used. If this
                          option is not set, the value  "unknown-8bit"
                          is used.

          SMM:08-104         Sendmail Installation and Operation Guide

                DataFileBufferSize=threshold
                          [no short name] Set the threshold, in bytes,
                          before   a   memory-based  queue  data  file
                          becomes  disk-based.  The  default  is  4096
                          bytes.

                DeadLetterDrop=file
                          [no short name] Defines the location of  the
                          system-wide dead.letter file, formerly hard-
                          coded  to  /usr/tmp/dead.letter.   If   this
                          option  is  not  set (the default), sendmail
                          will not attempt to save  to  a  system-wide
                          dead.letter  file  in  the  event  it cannot
                          bounce the mail to the user  or  postmaster.
                          Instead,  it  will  rename the qf file as it
                          has in the past when  the  dead.letter  file
                          could not be opened.

                DefaultUser=user:group
                          [u] Set the default userid  for  mailers  to
                          user:group.  If group is omitted and user is
                          a user name (as opposed to  a  numeric  user
                          id)   the   default   group  listed  in  the
                          /etc/passwd file for that user  is  used  as
                          the  default  group. Both user and group may
                          be numeric. Mailers without the  S  flag  in
                          the mailer definition will run as this user.
                          Defaults to 1:1. The value can also be given
                          as a symbolic user name.[19]

                DelayLA=LA
                          [no short name] When the system load average
                          exceeds  LA,  sendmail  will  sleep  for one
                          second on  most  SMTP  commands  and  before
                          accepting connections.

                DeliverByMin=time
                          [0] Set minimum time  for  Deliver  By  SMTP
                          Service  Extension (RFC 2852). If 0, no time
                          is listed, if less than 0, the extension  is
                          not offered, if greater than 0, it is listed
                          as  minimum  time  for  the   EHLO   keyword
                          DELIVERBY.

                DeliveryMode=x
                          [d] Deliver in mode x. Legal modes are:

          ____________________
             [19]The old g option  has  been  combined  into  the  De-
          faultUser option.

          Sendmail Installation and Operation Guide         SMM:08-105

                              i   Deliver interactively (synchronously)
                              b   Deliver in background (asynchronously)
                              q   Just queue the message (deliver during queue run)
                              d   Defer delivery and all map lookups (deliver during queue run)

                          Defaults to ``b'' if no option is specified,
                          ``i''  if it is specified but given no argu-
                          ment  (i.e.,   ``Od''   is   equivalent   to
                          ``Odi''). The -v command line flag sets this
                          to i. Note: for internal reasons, ``i'' does
                          not  work  if  a milter is enabled which can
                          reject or delete recipients.  In  that  case
                          the mode will be changed to ``b''.

                DialDelay=sleeptime
                          [no short name] Dial-on-demand network  con-
                          nections can see timeouts if a connection is
                          opened before the call is set up. If this is
                          set  to  an  interval and a connection times
                          out on the first connection being  attempted
                          sendmail  will sleep for this amount of time
                          and try again. This should give your  system
                          time  to  establish  the  connection to your
                          service provider. Units default to  seconds,
                          so  "DialDelay=5"  uses a five second delay.
                          Defaults to zero (no retry). This delay only
                          applies  to  mailers  which  have the Z flag
                          set.

                DirectSubmissionModifiers=modifiers
                          Defines ${daemon_flags} for direct  (command
                          line)     submissions.     If    not    set,
                          ${daemon_flags} is  either  "CC  f"  if  the
                          option  -G  is used or "c u" otherwise. Note
                          that only the the "CC", "c",  "f",  and  "u"
                          flags are checked.

                DontBlameSendmail=option,option,...
                          [no short name] In order to  avoid  possible
                          cracking   attempts  caused  by  world-  and
                          group-writable files and directories,  send-
                          mail  does  paranoid  checking  when opening
                          most of its support files. If for some  rea-
                          son  you absolutely must run with, for exam-
                          ple, a group-writable /etc  directory,  then
                          you  will have to turn off this checking (at
                          the cost of making your system more  vulner-
                          able to attack). The possible arguments have
                          been described earlier. The details of these
                          flags  are  described  above.  Use  of  this
                          option is not recommended.

          SMM:08-106         Sendmail Installation and Operation Guide

                DontExpandCnames
                          [no short name] The standards say  that  all
                          host  addresses  used in a mail message must
                          be fully canonical.  For  example,  if  your
                          host  is  named "Cruft.Foo.ORG" and also has
                          an alias of "FTP.Foo.ORG", the  former  name
                          must  be used at all times. This is enforced
                          during host name canonification ($[  ...  $]
                          lookups).  If this option is set, the proto-
                          cols are ignored and the  "wrong"  thing  is
                          done.  However,  the  IETF  is moving toward
                          changing this standard, so the behavior  may
                          become  acceptable.  Please  note that hosts
                          downstream may still rewrite the address  to
                          be the true canonical name however.

                DontInitGroups
                          [no short name] If set, sendmail will  avoid
                          using  the  initgroups(3)  call.  If you are
                          running NIS, this causes a  sequential  scan
                          of  the  groups.byname  map, which can cause
                          your NIS server to be badly overloaded in  a
                          large  domain.  The cost of this is that the
                          only group found for  users  will  be  their
                          primary  group  (the  one  in  the  password
                          file), which will make file  access  permis-
                          sions  somewhat  more  restrictive.  Has  no
                          effect on  systems  that  don't  have  group
                          lists.

                DontProbeInterfaces
                          [no short name] Sendmail normally finds  the
                          names  of  all  interfaces  active  on  your
                          machine when it starts  up  and  adds  their
                          name to the $=w class of known host aliases.
                          If you have a large number of virtual inter-
                          faces  or  if  your  DNS inverse lookups are
                          slow this can be time consuming. This option
                          turns  off  that  probing. However, you will
                          need to be certain to  include  all  variant
                          names in the $=w class by some other mechan-
                          ism. If set to loopback, loopback interfaces
                          (e.g., lo0) will not be probed.

                DontPruneRoutes
                          [R] Normally, sendmail  tries  to  eliminate
                          any unnecessary explicit routes when sending
                          an error message (as discussed in RFC 1123 S
                          5.2.6).  For  example, when sending an error
                          message to

                              <@known1,@known2,@known3:user@unknown>

          Sendmail Installation and Operation Guide         SMM:08-107

                          sendmail     will     strip     off      the
                          "@known1,@known2" in order to make the route
                          as direct as possible.  However,  if  the  R
                          option  is  set,  this will be disabled, and
                          the mail will be sent to the  first  address
                          in  the  route,  even if later addresses are
                          known. This may be useful if you are  caught
                          behind a firewall.

                DoubleBounceAddress=error-address
                          [no short name]  If  an  error  occurs  when
                          sending  an  error  message,  send the error
                          report (termed a "double bounce" because  it
                          is an error "bounce" that occurs when trying
                          to send another error "bounce") to the indi-
                          cated address. The address is macro expanded
                          at  the  time  of  delivery.  If  not   set,
                          defaults to "postmaster". If set to an empty
                          string, double bounces are dropped.

                EightBitMode=action
                          [8] Set handling of  eight-bit  data.  There
                          are   two  kinds  of  eight-bit  data:  that
                          declared as  such  using  the  BODY=8BITMIME
                          ESMTP  declaration or the -B8BITMIME command
                          line flag, and undeclared 8-bit  data,  that
                          is,  input  that  just  happens  to be eight
                          bits. There are three basic operations  that
                          can  happen:  undeclared  8-bit  data can be
                          automatically converted to  8BITMIME,  unde-
                          clared   8-bit  data  can  be  passed  as-is
                          without  conversion  to  MIME  (``just  send
                          8''),  and  declared  8-bit data can be con-
                          verted to 7-bits for transmission to a  non-
                          8BITMIME mailer. The possible actions are:

                                s Reject undeclared 8-bit data (``strict'')
                                m Convert undeclared 8-bit data to MIME (``mime'')
                                p Pass undeclared 8-bit data (``pass'')

                          In all cases properly declared 8BITMIME data
                          will be converted to 7BIT as needed.

                ErrorHeader=file-or-message
                          [E] Prepend error messages  with  the  indi-
                          cated message. If it begins with a slash, it
                          is assumed to be the pathname of a file con-
                          taining  a  message (this is the recommended
                          setting). Otherwise, it is  a  literal  mes-
                          sage. The error file might contain the name,
                          email address,  and/or  phone  number  of  a
                          local  postmaster  who  could provide assis-
                          tance to end users. If the option is missing

          SMM:08-108         Sendmail Installation and Operation Guide

                          or  null,  or  if it names a file which does
                          not exist or which is not readable, no  mes-
                          sage is printed.

                ErrorMode=x
                          [e] Dispose of  errors  using  mode  x.  The
                          values for x are:

                              p   Print error messages (default)
                              q   No messages, just give exit status
                              m   Mail back errors
                              w   Write back errors (mail if user not logged in)
                              e   Mail back errors (when applicable) and give zero exit stat always

                          Note that the last mode, "e", is for Berknet
                          error  processing  and should not be used in
                          normal circumstances. Note, too,  that  mode
                          "q",   only  applies  to  errors  recognized
                          before   sendmail   forks   for   background
                          delivery.

                FallbackMXhost=fallbackhost
                          [V] If specified, the fallbackhost acts like
                          a  very  low  priority  MX on every host. MX
                          records will be looked  up  for  this  host,
                          unless  the  name  is  surrounded  by square
                          brackets. This is intended  to  be  used  by
                          sites  with  poor network connectivity. Mes-
                          sages which are undeliverable  due  to  tem-
                          porary  address failures (e.g., DNS failure)
                          also go to the FallbackMXhost.

                FallBackSmartHost=hostname
                          If specified, the FallBackSmartHost will  be
                          used  in  a last-ditch effort for each host.
                          This is intended to be used  by  sites  with
                          "fake  internal  DNS", e.g., a company whose
                          DNS accurately  reflects  the  world  inside
                          that company's domain but not outside.

                FastSplit [no short name] If set to  a  value  greater
                          than   zero   (the   default   is  one),  it
                          suppresses the MX lookups on addresses  when
                          they  are  initially  sorted,  i.e., for the
                          first delivery attempt. This usually results
                          in  faster  envelope splitting unless the MX
                          records are readily available in a local DNS
                          cache.  To  enforce initial sorting based on
                          MX records set FastSplit  to  zero.  If  the
                          mail  is submitted directly from the command
                          line, then the value also limits the  number
                          of  processes  to  deliver the envelopes; if
                          more envelopes are  created  they  are  only

          Sendmail Installation and Operation Guide         SMM:08-109

                          queued  up  and  must  be taken care of by a
                          queue  run.  Since  the  default  submission
                          method is via SMTP (either from a MUA or via
                          the MSP), the value of FastSplit  is  seldom
                          used  to  limit  the  number of processes to
                          deliver the envelopes.

                ForkEachJob
                          [Y] If set, deliver each  job  that  is  run
                          from the queue in a separate process.

                ForwardPath=path
                          [J] Set the path for  searching  for  users'
                          .forward     files.     The    default    is
                          "$z/.forward". Some sites that use the auto-
                          mounter   may   prefer  to  change  this  to
                          "/var/forward/$u" to search a file with  the
                          same name as the user in a system directory.
                          It can also be set to a  sequence  of  paths
                          separated  by  colons; sendmail stops at the
                          first file it can  successfully  and  safely
                          open.              For              example,
                          "/var/forward/$u:$z/.forward"  will   search
                          first  in  /var/forward/username and then in
                          ~username/.forward (but only  if  the  first
                          file does not exist).

                HeloName=name
                          [no short name] Set the name to be used  for
                          HELO/EHLO (instead of $j).

                HoldExpensive
                          [c] If an outgoing mailer is marked as being
                          expensive, don't connect immediately.

                HostsFile=path
                          [no short name] The path to the hosts  data-
                          base,  normally "/etc/hosts". This option is
                          only consulted when sendmail is  canonifying
                          addresses,  and then only when "files" is in
                          the "hosts" service switch entry. In partic-
                          ular,  this  file is never used when looking
                          up host addresses; that is under the control
                          of the system gethostbyname(3) routine.

                HostStatusDirectory=path
                          [no short name] The  location  of  the  long
                          term  host  status  information.  When  set,
                          information about the status of hosts (e.g.,
                          host down or not accepting connections) will
                          be shared between  all  sendmail  processes;
                          normally,  this  information  is  only  held
                          within  a  single  queue  run.  This  option

          SMM:08-110         Sendmail Installation and Operation Guide

                          requires a connection cache of at least 1 to
                          function. If the option begins with a  lead-
                          ing  `/', it is an absolute pathname; other-
                          wise, it  is  relative  to  the  mail  queue
                          directory.   A  suggested  value  for  sites
                          desiring   persistent   host    status    is
                          ".hoststat"  (i.e.,  a  subdirectory  of the
                          queue directory).

                IgnoreDots
                          [i] Ignore dots in incoming  messages.  This
                          is always disabled (that is, dots are always
                          accepted) when reading SMTP mail.

                InputMailFilters=name,name,...
                          A comma  separated  list  of  filters  which
                          determines which filters (see the "X -- Mail
                          Filter (Milter)  Definitions"  section)  and
                          the  invocation  sequence  are contacted for
                          incoming SMTP messages. If none are set,  no
                          filters will be contacted.

                LDAPDefaultSpec=spec
                          [no short name] Sets a default map  specifi-
                          cation  for LDAP maps. The value should only
                          contain LDAP specific settings such  as  "-h
                          host  -p  port -d bindDN". The settings will
                          be used for all LDAP maps unless the indivi-
                          dual  map specification overrides a setting.
                          This option should be set  before  any  LDAP
                          maps are defined.

                LogLevel=n
                          [L] Set the log level to n. Defaults to 9.

                Mxvalue   [no long version] Set the macro x to  value.
                          This  is intended only for use from the com-
                          mand line. The -M flag is preferred.

                MailboxDatabase
                          [no short  name]  Type  of  lookup  to  find
                          information  about local mailboxes, defaults
                          to ``pw'' which uses getpwnam.  Other  types
                          can  be  introduced  by  adding  them to the
                          source code, see libsm/mbdb.c for details.

                UseMSP    [no short name] Use as mail submission  pro-
                          gram, i.e., allow group writable queue files
                          if the group is the same as that of  a  set-
                          group-ID   sendmail  binary.  See  the  file
                          sendmail/SECURITY in the  distribution  tar-
                          ball.

          Sendmail Installation and Operation Guide         SMM:08-111

                MatchGECOS
                          [G] Allow fuzzy matching on the GECOS field.
                          If this flag is set, and the usual user name
                          lookups fail (that is,  there  is  no  alias
                          with   this  name  and  a  getpwnam  fails),
                          sequentially search the password file for  a
                          matching entry in the GECOS field. This also
                          requires that MATCHGECOS be turned on during
                          compilation. This option is not recommended.

                MaxAliasRecursion=N
                          [no short name] The maximum depth  of  alias
                          recursion (default: 10).

                MaxDaemonChildren=N
                          [no short name] If set, sendmail will refuse
                          connections when it has more than N children
                          processing incoming mail or automatic  queue
                          runs. This does not limit the number of out-
                          going connections. If the  default  Deliver-
                          yMode  (background)  is  used, then sendmail
                          may create an  almost  unlimited  number  of
                          children  (depending  on the number of tran-
                          sactions and the relative execution times of
                          mail  receiption  and mail delivery). If the
                          limit should be enforced,  then  a  Deliver-
                          yMode other than background must be used. If
                          not set, there is no limit to the number  of
                          children -- that is, the system load average
                          controls this.

                MaxHeadersLength=N
                          [no short name] The maximum  length  of  the
                          sum  of  all  headers.  This  can be used to
                          prevent a  denial  of  service  attack.  The
                          default is no limit.

                MaxHopCount=N
                          [h] The maximum  hop  count.  Messages  that
                          have  been  processed  more than N times are
                          assumed to be in a loop  and  are  rejected.
                          Defaults to 25.

                MaxMessageSize=N
                          [no short name] Specify the maximum  message
                          size  to  be  advertised  in  the ESMTP EHLO
                          response. Messages larger than this will  be
                          rejected.  If  set  to  a value greater than
                          zero, that value will be listed in the  SIZE
                          response,  otherwise  SIZE  is advertised in
                          the ESMTP EHLO response without a parameter.

          SMM:08-112         Sendmail Installation and Operation Guide

                MaxMimeHeaderLength=N[/M]
                          [no short name] Sets the maximum  length  of
                          certain  MIME header field values to N char-
                          acters. These MIME header fields are  deter-
                          mined  by  being  a  member of class {check-
                          MIMETextHeaders}, which  currently  contains
                          only  the  header  Content-Description.  For
                          some of these headers which take parameters,
                          the  maximum length of each parameter is set
                          to M if specified.  If /M is not  specified,
                          one  half  of  N  will  be used. By default,
                          these values  are  2048  and  1024,  respec-
                          tively.  To  allow  any length, a value of 0
                          can be specified.

                MaxNOOPCommands=N
                          Override the default of MAXNOOPCOMMANDS  for
                          the  number of useless commands, see Section
                          "Measures   against   Denial   of    Service
                          Attacks".

                MaxQueueChildren=N
                          [no short name] When set,  this  limits  the
                          number  of concurrent queue runner processes
                          to N. This helps to control  the  amount  of
                          system  resources  used  when processing the
                          queue.  When there are multiple queue groups
                          defined   and  the  total  number  of  queue
                          runners for these queue groups would  exceed
                          MaxQueueChildren  then the queue groups will
                          not all run concurrently. That is, some por-
                          tion  of  the  queue  groups  will  run con-
                          currently such  that  MaxQueueChildren  will
                          not  be  exceeded, while the remaining queue
                          groups will be run  later  (in  round  robin
                          order).  See also MaxRunnersPerQueue and the
                          section  Queue  Group  Declaration.  Notice:
                          sendmail  does  not  count  individual queue
                          runners, but only sets of processes that act
                          on  a  workgroup. Hence the actual number of
                          queue runners may be lower  than  the  limit
                          imposed     by     MaxQueueChildren.    This
                          discrepancy  can  be  large  if  some  queue
                          runners  have  to wait for a slow server and
                          if short intervals are used.

                MaxQueueRunSize=N
                          [no short name] The maximum number  of  jobs
                          that  will  be  processed  in a single queue
                          run. If not set, there is no  limit  on  the
                          size.  If  you  have  very large queues or a
                          very short queue run interval this could  be
                          unstable. However, since the first N jobs in

          Sendmail Installation and Operation Guide         SMM:08-113

                          queue directory order are run  (rather  than
                          the  N highest priority jobs) this should be
                          set as high as possible  to  avoid  "losing"
                          jobs  that  happen to fall late in the queue
                          directory. Note: this option also  restricts
                          the number of entries printed by mailq. That
                          is, if MaxQueueRunSize is set to a  value  N
                          larger  than  zero,  then only N entries are
                          printed per queue group.

                MaxRecipientsPerMessage=N
                          [no short name] The maximum number of  reci-
                          pients  that will be accepted per message in
                          an SMTP transaction. Note: setting this  too
                          low  can  interfere  with  sending mail from
                          MUAs that use SMTP for  initial  submission.
                          If  not set, there is no limit on the number
                          of recipients per envelope.

                MaxRunnersPerQueue=N
                          [no short name] This sets the  default  max-
                          imum  number  of  queue  runners  for  queue
                          groups. Up to N queue runners will  work  in
                          parallel  on  a queue group's messages. This
                          is useful where the processing of a  message
                          in  the  queue might delay the processing of
                          subsequent messages. Such a delay may be the
                          result of non-erroneous situations such as a
                          low bandwidth connection. May be  overridden
                          on  a  per  queue group basis by setting the
                          Runners option; see the section Queue  Group
                          Declaration. The default is 1 when not set.

                MeToo     [m] Send to me too, even if I am in an alias
                          expansion.  This  option  is  deprecated and
                          will be removed from a future version.

                Milter    [no short  name]  This  option  has  several
                          sub(sub)options. The names of the suboptions
                          are separated by dots. At  the  first  level
                          the following options are available:

                              LogLevel   Log level for input mail filter actions, defaults to LogLevel.
                              macros     Specifies list of macro to transmit to filters.
                                         See list below.

                          The  ``macros''  option  has  the  following
                          suboptions  which  specify the list of macro
                          to transmit to milters after a certain event
                          occurred.

          SMM:08-114         Sendmail Installation and Operation Guide

                              connect   After session connection start
                              helo      After EHLO/HELO command
                              envfrom   After MAIL From command
                              envrcpt   After RCPT To command
                              data      After DATA command.
                              eoh       After DATA command and header
                              eom       After DATA command and terminating ``.''

                          By default the lists of  macros  are  empty.
                          Example:

                              O Milter.LogLevel=12
                              O Milter.macros.connect=j, _, {daemon_name}

                MinFreeBlocks=N
                          [b] Insist on at least N blocks free on  the
                          filesystem that holds the queue files before
                          accepting email via SMTP. If there is insuf-
                          ficient  space sendmail gives a 452 response
                          to the MAIL command. This invites the sender
                          to try again later.

                MinQueueAge=age
                          [no short name]  Don't  process  any  queued
                          jobs  that  have been in the queue less than
                          the  indicated  time   interval.   This   is
                          intended  to allow you to get responsiveness
                          by processing the  queue  fairly  frequently
                          without thrashing your system by trying jobs
                          too often. The default  units  are  minutes.
                          Note:  This option is ignored for queue runs
                          that select a subset  of  the  queue,  i.e.,
                          "-q[!][I|R|S|Q][string]"

                MustQuoteChars=s
                          [no short name] Sets the list of  characters
                          that  must  be quoted if used in a full name
                          that is in the phrase  part  of  a  ``phrase
                          <address>''  syntax.  The default is ``'.''.
                          The  characters  ``@,;:\()[]''  are   always
                          added to this list.

                NiceQueueRun
                          [no  short  name]  The  priority  of   queue
                          runners   (nice(3)).   This  value  must  be
                          greater or equal zero.

                NoRecipientAction
                          [no short name] The action to take when  you
                          receive  a  message  that has no valid reci-
                          pient   headers   (To:,   Cc:,   Bcc:,    or
                          Apparently-To:  - the last included for back

          Sendmail Installation and Operation Guide         SMM:08-115

                          compatibility with old sendmails). It can be
                          None  to  pass  the  message  on unmodified,
                          which violates the protocol, Add-To to add a
                          To:  header  with any recipients it can find
                          in the envelope  (which  might  expose  Bcc:
                          recipients),  Add-Apparently-To  to  add  an
                          Apparently-To:  header  (this  is  only  for
                          back-compatibility  and is officially depre-
                          cated), Add-To-Undisclosed to add  a  header
                          "To:  undisclosed-recipients:;"  to make the
                          header legal without disclosing anything, or
                          Add-Bcc to add an empty Bcc: header.

                OldStyleHeaders
                          [o] Assume that the headers may  be  in  old
                          format,  i.e.,  spaces  delimit  names. This
                          actually turns on an adaptive algorithm:  if
                          any  recipient  address  contains  a  comma,
                          parenthesis, or angle bracket,  it  will  be
                          assumed  that  commas already exist. If this
                          flag is not on, only commas  delimit  names.
                          Headers   are   always  output  with  commas
                          between the names. Defaults to off.

                OperatorChars=charlist
                          [$o macro] The list of characters  that  are
                          considered to be "operators", that is, char-
                          acters that  delimit  tokens.  All  operator
                          characters   are   tokens   by   themselves;
                          sequences  of  non-operator  characters  are
                          also tokens. White space characters separate
                          tokens but are not tokens themselves  -  for
                          example,  "AAA.BBB"  has  three  tokens, but
                          "AAA BBB" has two. If not set, OperatorChars
                          defaults to ".:@[]"; additionally, the char-
                          acters "()<>,;" are always  operators.  Note
                          that OperatorChars must be set in the confi-
                          guration file before any rulesets.

                PidFile=filename
                          [no short name] Filename of  the  pid  file.
                          (default is _PATH_SENDMAILPID). The filename
                          is macro-expanded before it is  opened,  and
                          unlinked when sendmail exits.

                PostmasterCopy=postmaster
                          [P] If set, copies of error messages will be
                          sent  to  the  named  postmaster.  Only  the
                          header of the failed message is sent. Errors
                          resulting from messages with a negative pre-
                          cedence will not be sent. Since most  errors
                          are  user  problems,  this is probably not a
                          good  idea  on  large  sites,  and  arguably

          SMM:08-116         Sendmail Installation and Operation Guide

                          contains  all  sorts  of privacy violations,
                          but it seems  to  be  popular  with  certain
                          operating  systems  vendors.  The address is
                          macro expanded  at  the  time  of  delivery.
                          Defaults to no postmaster copies.

                PrivacyOptions=opt,opt,...
                          [p] Set the privacy options. ``Privacy''  is
                          really  a misnomer; many of these are just a
                          way of insisting on  stricter  adherence  to
                          the   SMTP  protocol.  The  options  can  be
                          selected from:

                              public              Allow open access
                              needmailhelo        Insist on HELO or EHLO command before MAIL
                              needexpnhelo        Insist on HELO or EHLO command before EXPN
                              noexpn              Disallow EXPN entirely, implies noverb.
                              needvrfyhelo        Insist on HELO or EHLO command before VRFY
                              novrfy              Disallow VRFY entirely
                              noetrn              Disallow ETRN entirely
                              noverb              Disallow VERB entirely
                              restrictmailq       Restrict mailq command
                              restrictqrun        Restrict -q command line flag
                              restrictexpand      Restrict -bv and -v command line flags
                              noreceipts          Don't return success DSNs[20]
                              nobodyreturn        Don't return the body of a message with DSNs
                              goaway              Disallow essentially all SMTP status queries
                              authwarnings        Put X-Authentication-Warning: headers in messages
                                                  and log warnings
                              noactualrecipient   Don't put X-Actual-Recipient lines in DSNs
                                                  which reveal the actual account that addresses map to.

                          The  "goaway"  pseudo-flag  sets  all  flags
                          except  "noreceipts", "restrictmailq", "res-
                          trictqrun", "restrictexpand", "noetrn",  and
                          "nobodyreturn". If mailq is restricted, only
                          people in the same group as the queue direc-
                          tory  can print the queue. If queue runs are
                          restricted, only root and the owner  of  the
                          queue directory can run the queue. The "res-
                          trictexpand" pseudo-flag instructs  sendmail
                          to  drop  privileges  when the -bv option is
                          given by users who are neither root nor  the
                          TrustedUser  so  users  cannot  read private
                          aliases, forwards, or  :include:  files.  It
                          will   add   the  "NonRootSafeAddr"  to  the
                          "DontBlameSendmail"   option   to    prevent
                          misleading  unsafe address warnings. It also
          ____________________
             [20]N.B.: the noreceipts flag turns off support  for  RFC
          1891 (Delivery Status Notification).

          Sendmail Installation and Operation Guide         SMM:08-117

                          overrides  the  -v  (verbose)  command  line
                          option   to   prevent  information  leakage.
                          Authentication Warnings add  warnings  about
                          various   conditions   that   may   indicate
                          attempts to spoof the mail system,  such  as
                          using a non-standard queue directory.

                ProcessTitlePrefix=string
                          [no short name]  Prefix  the  process  title
                          shown  on  'ps'  listings  with  string. The
                          string will be macro processed.

                QueueDirectory=dir
                          [Q] The  QueueDirectory  option  serves  two
                          purposes.  First, it specifies the directory
                          or set  of  directories  that  comprise  the
                          default  queue  group.  Second, it specifies
                          the directory D which is the ancestor of all
                          queue  directories,  and which sendmail uses
                          as its current working directory. When send-
                          mail dumps core, it leaves its core files in
                          D. There are two cases. If dir ends with  an
                          asterisk  (eg,  /var/spool/mqueue/qd*), then
                          all of the directories or symbolic links  to
                          directories    beginning    with   `qd'   in
                          /var/spool/mqueue  will  be  used  as  queue
                          directories  of the default queue group, and
                          /var/spool/mqueue will be used as the  work-
                          ing  directory D. Otherwise, dir must name a
                          directory (usually  /var/spool/mqueue):  the
                          default  queue  group consists of the single
                          queue directory dir, and the working  direc-
                          tory  D  is set to dir. To define additional
                          groups of queue directories, use the  confi-
                          guration file `Q' command. Do not change the
                          queue directory structure while sendmail  is
                          running.

                QueueFactor=factor
                          [q] Use factor as the multiplier in the  map
                          function  to  decide  when  to just queue up
                          jobs rather than run  them.  This  value  is
                          divided   by   the  difference  between  the
                          current load average and  the  load  average
                          limit (QueueLA option) to determine the max-
                          imum message priority  that  will  be  sent.
                          Defaults to 600000.

                QueueLA=LA
                          [x] When the system load average exceeds  LA
                          and  the  QueueFactor  (q) option divided by
                          the difference in the current  load  average
                          and the QueueLA option plus one is less than

          SMM:08-118         Sendmail Installation and Operation Guide

                          the priority of the message, just queue mes-
                          sages   (i.e.,  don't  try  to  send  them).
                          Defaults to 8 multiplied by  the  number  of
                          processors online on the system (if that can
                          be determined).

                QueueFileMode=mode
                          [no  short  name]  Default  permissions  for
                          queue  files  (octal).  If not set, sendmail
                          uses 0600 unless its real and effective  uid
                          are different in which case it uses 0644.

                QueueSortOrder=algorithm
                          [no short name] Sets the algorithm used  for
                          sorting  the queue. Only the first character
                          of the  value  is  used.  Legal  values  are
                          "host"  (to  order  by the name of the first
                          host   name   of   the   first   recipient),
                          "filename"  (to  order  by  the  name of the
                          queue file name), "time" (to  order  by  the
                          submission/creation   time),   "random"  (to
                          order randomly), "modification" (to order by
                          the  modification time of the qf file (older
                          entries first)), "none" (to not order),  and
                          "priority"  (to  order by message priority).
                          Host ordering makes better use of  the  con-
                          nection  cache,  but may tend to process low
                          priority messages that go to a  single  host
                          over  high  priority  messages  that  go  to
                          several hosts; it probably shouldn't be used
                          on  slow network links. Filename and modifi-
                          cation time ordering saves the  overhead  of
                          reading  all  of  the  queued  items  before
                          starting the queue  run.  Creation  (submis-
                          sion)  time  ordering is almost always a bad
                          idea, since it allows large, bulk mail to go
                          out  before  smaller, personal mail, but may
                          have applicability on some hosts  with  very
                          fast   connections.   Random  is  useful  if
                          several queue runners are  started  by  hand
                          which try to drain the same queue since odds
                          are they will be working on different  parts
                          of the queue at the same time. Priority ord-
                          ering is the default.

                QueueTimeout=timeout
                          [T] A synonym for "Timeout.queuereturn". Use
                          that  form  instead  of  the  "QueueTimeout"
                          form.

                RandFile  [no short name] Name of file containing ran-
                          dom  data  or the name of the UNIX socket if
                          EGD is used. A (required) prefix  "egd:"  or

          Sendmail Installation and Operation Guide         SMM:08-119

                          "file:"   specifies   the   type.   STARTTLS
                          requires this filename if the  compile  flag
                          HASURANDOMDEV     is     not     set    (see
                          sendmail/README).

                ResolverOptions=options
                          [I] Set resolver options. Values can be  set
                          using  +flag  and  cleared  using -flag; the
                          flags can  be  "debug",  "aaonly",  "usevc",
                          "primary",  "igntc",  "recurse", "defnames",
                          "stayopen", "use_inet6",  or  "dnsrch".  The
                          string  "HasWildcardMX"  (without  a + or -)
                          can  be  specified  to  turn  off   matching
                          against MX records when doing name canonifi-
                          cations. The  string  "WorkAroundBrokenAAAA"
                          (without  a + or -) can be specified to work
                          around some broken nameservers which  return
                          SERVFAIL  (a  temporary  failure)  on T_AAAA
                          (IPv6) lookups. Notice: it might  be  neces-
                          sary  to apply the same (or similar) options
                          to submit.cf too.

                RequiresDirfsync
                          [no short name] This option can be  used  to
                          override     the     compile    time    flag
                          REQUIRES_DIR_FSYNC at runtime by setting  it
                          to  false.  If  the compile time flag is not
                          set, the option is ignored. The  flag  turns
                          on  support for file systems that require to
                          call fsync() for a directory  if  the  meta-
                          data  in it has been changed. This should be
                          turned on at least  for  older  versions  of
                          ReiserFS;  it  is  enabled  by  default  for
                          Linux. According to  some  information  this
                          flag is not needed anymore for kernel 2.4.16
                          and newer.

                RrtImpliesDsn
                          [R]  If  this  option  is  set,  a  "Return-
                          Receipt-To:"  header causes the request of a
                          DSN, which is sent to the envelope sender as
                          required  by  RFC  1891,  not to the address
                          given in the header.

                RunAsUser=user
                          [no short name] The user parameter may be  a
                          user  name  (looked  up in /etc/passwd) or a
                          numeric  user  id;  either  form  can   have
                          ":group"   attached   (where  group  can  be
                          numeric or symbolic). If set to  a  non-zero
                          (non-root)  value,  sendmail  will change to

          SMM:08-120         Sendmail Installation and Operation Guide

                          this user id shortly after startup[21]. This
                          avoids a certain class of security problems.
                          However, this means that all ".forward"  and
                          ":include:"  files  must  be readable by the
                          indicated user and all files to  be  written
                          must  be writable by user Also, all file and
                          program deliveries  will  be  marked  unsafe
                          unless               the              option
                          DontBlameSendmail=NonRootSafeAddr is set, in
                          which  case  the  delivery  will  be done as
                          user. It is also incompatible with the Safe-
                          FileEnvironment  option.  In other words, it
                          may not actually add much to security on  an
                          average system, and may in fact detract from
                          security  (because  other  file  permissions
                          must  be  loosened).  However,  it should be
                          useful on firewalls and other  places  where
                          users  don't  have  accounts and the aliases
                          file is well constrained.

                RecipientFactor=fact
                          [y] The indicated factor  is  added  to  the
                          priority  (thus lowering the priority of the
                          job) for each recipient,  i.e.,  this  value
                          penalizes  jobs  with large numbers of reci-
                          pients. Defaults to 30000.

                RefuseLA=LA
                          [X] When the system load average exceeds LA,
                          refuse  incoming  SMTP connections. Defaults
                          to 12 multiplied by the number of processors
                          online  on the system (if that can be deter-
                          mined).

                RejectLogInterval=timeout
                          [no short name] Log interval  when  refusing
                          connections for this long (default: 3h).

                RetryFactor=fact
                          [Z] The factor  is  added  to  the  priority
                          every  time  a  job is processed. Thus, each
                          time a job is processed, its  priority  will
                          be decreased by the indicated value. In most
                          environments this should be positive,  since
                          hosts  that  are down are all too often down
                          for a long time. Defaults to 90000.

          ____________________
             [21]When running as a daemon, it  changes  to  this  user
          after  accepting  a  connection  but before reading any SMTP
          commands.

          Sendmail Installation and Operation Guide         SMM:08-121

                SafeFileEnvironment=dir
                          [no short name] If this option is set, send-
                          mail will do a chroot(2) call into the indi-
                          cated  directory  before  doing   any   file
                          writes.  If  the  file name specified by the
                          user begins with dir, that partial path name
                          will be stripped off before writing, so (for
                          example) if the SafeFileEnvironment variable
                          is   set   to   "/safe"   then   aliases  of
                          "/safe/logs/file" and "/logs/file"  actually
                          indicate  the  same  file.  Additionally, if
                          this option  is  set,  sendmail  refuses  to
                          deliver to symbolic links.

                SaveFromLine
                          [f] Save  UNIX-style  "From"  lines  at  the
                          front  of headers. Normally they are assumed
                          redundant and discarded.

                SendMimeErrors
                          [j] If set, send error messages in MIME for-
                          mat (see RFC 2045 and RFC 1344 for details).
                          If disabled, sendmail will  not  return  the
                          DSN  keyword in response to an EHLO and will
                          not do Delivery Status Notification process-
                          ing as described in RFC 1891.

                ServerCertFile
                          [no short name] File containing the certifi-
                          cate  of  the server, i.e., this certificate
                          is used when sendmail acts as  server  (used
                          for STARTTLS).

                ServerKeyFile
                          [no short name] File containing the  private
                          key  belonging  to  the  server  certificate
                          (used for STARTTLS).

                ServiceSwitchFile=filename
                          [no short name] If your host operating  sys-
                          tem  has a service switch abstraction (e.g.,
                          /etc/nsswitch.conf     on     Solaris     or
                          /etc/svc.conf  on Ultrix and DEC OSF/1) that
                          service will be consulted and this option is
                          ignored.  Otherwise,  this  is the name of a
                          file that provides the list of methods  used
                          to implement particular services. The syntax
                          is a series of lines, each  of  which  is  a
                          sequence  of  words.  The  first word is the
                          service name, and following words  are  ser-
                          vice  types. The services that sendmail con-
                          sults directly are  "aliases"  and  "hosts."
                          Service   types   can   be   "dns",   "nis",

          SMM:08-122         Sendmail Installation and Operation Guide

                          "nisplus", or "files" (with the caveat  that
                          the  appropriate support must be compiled in
                          before the service can  be  referenced).  If
                          ServiceSwitchFile   is   not  specified,  it
                          defaults  to  /etc/mail/service.switch.   If
                          that file does not exist, the default switch
                          is:

                              aliases             files
                              hosts               dns nis files

                          The         default         file          is
                          "/etc/mail/service.switch".

                SevenBitInput
                          [7] Strip input to seven bits  for  compati-
                          bility  with  old systems. This shouldn't be
                          necessary.

                SharedMemoryKey
                          [no short name] Key to use for shared memory
                          segment;  if  not  set (or 0), shared memory
                          will not be used. If set to -1 sendmail  can
                          select  a  key  itself  provided  that  also
                          SharedMemoryKeyFile is set. Requires support
                          for  shared memory to be compiled into send-
                          mail. If this option is  set,  sendmail  can
                          share some data between different instances.
                          For example, the  number  of  entries  in  a
                          queue  directory or the available space in a
                          file system. This allows for more  efficient
                          program  execution,  since  only one process
                          needs to update the  data  instead  of  each
                          individual  process  gathering the data each
                          time it is required.

                SharedMemoryKeyFile
                          [no short name] If SharedMemoryKey is set to
                          -1  then  the  automatically selected shared
                          memory key will be stored in  the  specified
                          file.

                SingleLineFromHeader
                          [no short name] If  set,  From:  lines  that
                          have  embedded  newlines  are unwrapped onto
                          one line. This is to get around a  botch  in
                          Lotus  Notes  that  apparently cannot under-
                          stand legally wrapped RFC 822 headers.

                SingleThreadDelivery
                          [no short name] If  set,  a  client  machine
                          will  never try to open two SMTP connections
                          to a single server machine at the same time,

          Sendmail Installation and Operation Guide         SMM:08-123

                          even  in  different  processes.  That is, if
                          another sendmail is already talking to  some
                          host  a  new  sendmail will not open another
                          connection. This property is of mixed value;
                          although  this reduces the load on the other
                          machine, it can cause  mail  to  be  delayed
                          (for  example, if one sendmail is delivering
                          a huge message,  other  sendmails  won't  be
                          able  to send even small messages). Also, it
                          requires another file  descriptor  (for  the
                          lock  file)  per connection, so you may have
                          to reduce the ConnectionCacheSize option  to
                          avoid   running   out  of  per-process  file
                          descriptors. Requires  the  HostStatusDirec-
                          tory option.

                SmtpGreetingMessage=message
                          [$e macro] The message printed when the SMTP
                          server  starts  up. Defaults to "$j Sendmail
                          $v ready at $b".

                SoftBounce
                          If set, issue temporary errors (4xy) instead
                          of  permanent errors (5xy). This can be use-
                          ful during testing of a new configuration to
                          avoid erroneous bouncing of mails.

                StatusFile=file
                          [S] Log  summary  statistics  in  the  named
                          file. If no file name is specified, "statis-
                          tics"  is  used.  If  not  set,  no  summary
                          statistics  are  saved.  This  file does not
                          grow in size. It can be  printed  using  the
                          mailstats(8) program.

                SuperSafe [s] This option can be set to  True,  False,
                          Interactive,  or PostMilter. If set to True,
                          sendmail will  be  super-safe  when  running
                          things,  i.e.,  always instantiate the queue
                          file, even  if  you  are  going  to  attempt
                          immediate  delivery. Sendmail always instan-
                          tiates the queue file before returning  con-
                          trol  to the client under any circumstances.
                          This should really always be  set  to  True.
                          The Interactive value has been introduced in
                          8.12  and  can   be   used   together   with
                          DeliveryMode=i.  It  skips some synchroniza-
                          tion calls which are effectively doubled  in
                          the  code  execution  path for this mode. If
                          set to PostMilter, sendmail defers synchron-
                          izing  the queue file until any milters have
                          signaled acceptance of  the  message.  Post-
                          Milter  is  useful  only  when  sendmail  is

          SMM:08-124         Sendmail Installation and Operation Guide

                          running as an  SMTP  server;  in  all  other
                          situations it acts the same as True.

                TLSSrvOptions
                          [no short name] List  of  options  for  SMTP
                          STARTTLS for the server consisting of single
                          characters with intervening white  space  or
                          commas.   The  flag  ``V''  disables  client
                          verification, and hence it is  not  possible
                          to  use  a  client certificate for relaying.
                          Currently there are no  other  flags  avail-
                          able.

                TempFileMode=mode
                          [F] The  file  mode  for  transcript  files,
                          files  to  which sendmail delivers directly,
                          files in the HostStatusDirectory,  and  Sta-
                          tusFile.  It  is  interpreted  in  octal  by
                          default. Defaults to 0600.

                Timeout.type=timeout
                          [r; subsumes  old  T  option  as  well]  Set
                          timeout  values.  For  more information, see
                          section 4.1.

                TimeZoneSpec=tzinfo
                          [t] Set the local time zone info  to  tzinfo
                          -- for example, "PST8PDT". Actually, if this
                          is not set, the TZ environment  variable  is
                          cleared  (so the system default is used); if
                          set but null,  the  user's  TZ  variable  is
                          used,  and  if set and non-null the TZ vari-
                          able is set to this value.

                TrustedUser=user
                          [no short name] The user parameter may be  a
                          user  name  (looked  up in /etc/passwd) or a
                          numeric user id. Trusted user for file  own-
                          ership  and  starting  the  daemon.  If set,
                          generated alias databases  and  the  control
                          socket (if configured) will automatically be
                          owned by this user.

                TryNullMXList
                          [w] If this system is the "best"  (that  is,
                          lowest  preference) MX for a given host, its
                          configuration rules should  normally  detect
                          this situation and treat that condition spe-
                          cially by forwarding  the  mail  to  a  UUCP
                          feed,  treating  it  as  local, or whatever.
                          However, in some  cases  (such  as  Internet
                          firewalls)  you  may  want to try to connect
                          directly to that host as though it had no MX

          Sendmail Installation and Operation Guide         SMM:08-125

                          records  at  all. Setting this option causes
                          sendmail to try this. The downside  is  that
                          errors  in  your configuration are likely to
                          be diagnosed as "host unknown"  or  "message
                          timed  out"  instead of something more mean-
                          ingful. This option is disrecommended.

                UnixFromLine=fromline
                          [$l macro]  Defines  the  format  used  when
                          sendmail  must  add  a UNIX-style From_ line
                          (that     is,     a      line      beginning
                          "From<space>user").  Defaults  to  "From  $g
                          $d". Don't change this  unless  your  system
                          uses  a  different UNIX mailbox format (very
                          unlikely).

                UnsafeGroupWrites
                          [no short name] If set (default),  :include:
                          and  .forward  files that are group writable
                          are considered "unsafe", that is, they  can-
                          not  reference programs or write directly to
                          files. World writable :include: and .forward
                          files   are   always   unsafe.   Note:   use
                          DontBlameSendmail instead;  this  option  is
                          deprecated.

                UseErrorsTo
                          [l] If there is an "Errors-To:" header, send
                          error   messages  to  the  addresses  listed
                          there. They  normally  go  to  the  envelope
                          sender.  Use  of this option causes sendmail
                          to  violate  RFC  1123.   This   option   is
                          disrecommended and deprecated.

                UserDatabaseSpec=udbspec
                          [U] The user database specification.

                Verbose   [v] Run in verbose mode.  If  this  is  set,
                          sendmail  adjusts options HoldExpensive (old
                          c) and DeliveryMode (old d) so that all mail
                          is  delivered  completely in a single job so
                          that you can see the  entire  delivery  pro-
                          cess.  Option Verbose should never be set in
                          the configuration file; it is  intended  for
                          command  line use only. Note that the use of
                          option  Verbose  can  cause   authentication
                          information  to  leak, if you use a sendmail
                          client to authenticate to a server.  If  the
                          authentication  mechanism  uses  plain  text
                          passwords (as with LOGIN or PLAIN), then the
                          password  could  be  compromised.  To  avoid
                          this, do not  install  sendmail  set-user-ID
                          root, and disable the VERB SMTP command with

          SMM:08-126         Sendmail Installation and Operation Guide

                          a suitable PrivacyOptions setting.

                XscriptFileBufferSize=threshold
                          [no short name] Set the threshold, in bytes,
                          before  a memory-based queue transcript file
                          becomes  disk-based.  The  default  is  4096
                          bytes.

                All options can be specified on the command line using
                the  -O  or  -o  flag, but most will cause sendmail to
                relinquish its set-user-ID  permissions.  The  options
                that will not cause this are SevenBitInput [7], Eight-
                BitMode  [8],  MinFreeBlocks  [b],  CheckpointInterval
                [C],  DeliveryMode [d], ErrorMode [e], IgnoreDots [i],
                SendMimeErrors [j], LogLevel [L], MeToo [m], OldStyle-
                Headers  [o],  PrivacyOptions [p], SuperSafe [s], Ver-
                bose [v], QueueSortOrder, MinQueueAge, DefaultCharSet,
                Dial  Delay,  NoRecipientAction,  ColonOkInAddr,  Max-
                QueueRunSize,   SingleLineFromHeader,   and   AllowBo-
                gusHELO.  Actually,  PrivacyOptions  [p]  given on the
                command line are added to those already  specified  in
                the sendmail.cf file, i.e., they can't be reset. Also,
                M (define macro) when defining the r or  s  macros  is
                also considered "safe".

             5.7. P -- Precedence Definitions

                     Values for the "Precedence:" field may be defined
                using the P control line. The syntax of this field is:

                    Pname=num

                When the name is found in a "Precedence:"  field,  the
                message  class  is  set  to  num.  Higher numbers mean
                higher precedence. Numbers less  than  zero  have  the
                special  property  that if an error occurs during pro-
                cessing the body of the message will not be  returned;
                this  is  expected  to be used for "bulk" mail such as
                through mailing lists. The default precedence is zero.
                For example, our list of precedences is:

                    Pfirst-class=0
                    Pspecial-delivery=100
                    Plist=-30
                    Pbulk=-60
                    Pjunk=-100

                People writing mailing list exploders  are  encouraged
                to  use "Precedence: list". Older versions of sendmail
                (which discarded all error returns for  negative  pre-
                cedences)  didn't  recognize  this  name,  giving it a
                default precedence of zero.  This  allows  list  main-
                tainers  to  see  error  returns  on  both old and new

          Sendmail Installation and Operation Guide         SMM:08-127

                versions of sendmail.

             5.8. V -- Configuration Version Level

                     To provide compatibility with  old  configuration
                files,  the  V line has been added to define some very
                basic semantics of the configuration file.  These  are
                not  intended  to  be long term supports; rather, they
                describe compatibility features which will probably be
                removed in future releases.

                     N.B.: these version levels  have  nothing  to  do
                with  the version number on the files. For example, as
                of this writing version 10 config files (specifically,
                8.10) used version level 9 configurations.

                     "Old" configuration files are defined as  version
                level  one. Version level two files make the following
                changes:

                 (1)   Host name canonification ($[ ... $]) appends  a
                       dot  if  the name is recognized; this gives the
                       config file a way of finding  out  if  anything
                       matched.  (Actually,  this just initializes the
                       "host" map with the "-a." flag -- you can reset
                       it  to anything you prefer by declaring the map
                       explicitly.)

                 (2)   Default  host  name  extension  is   consistent
                       throughout processing; version level one confi-
                       gurations turned off domain extension (that is,
                       adding  the  local  domain name) during certain
                       points in processing. Version level two  confi-
                       gurations  are  expected  to include a trailing
                       dot to indicate that the name is already canon-
                       ical.

                 (3)   Local names that are  not  aliases  are  passed
                       through  a new distinguished ruleset five; this
                       can be used  to  append  a  local  relay.  This
                       behavior  can  be  prevented  by  resolving the
                       local name with an initial `@'. That is,  some-
                       thing  that  resolves  to  a local mailer and a
                       user name of "vikki"  will  be  passed  through
                       ruleset  five, but a user name of "@vikki" will
                       have the  `@'  stripped,  will  not  be  passed
                       through  ruleset  five,  but  will otherwise be
                       treated the same  as  the  prior  example.  The
                       expectation  is  that  this  might  be  used to
                       implement a policy where mail sent  to  "vikki"
                       was  handled by a central hub, but mail sent to
                       "vikki@localhost" was delivered directly.

          SMM:08-128         Sendmail Installation and Operation Guide

                     Version level three files allow # initiated  com-
                ments on all lines. Exceptions are backslash escaped #
                marks and the $# syntax.

                     Version level four configurations are  completely
                equivalent to level three for historical reasons.

                     Version level five configuration files change the
                default  definition  of  $w  to be just the first com-
                ponent of the hostname.

                     Version level six configuration files change many
                of  the local processing options (such as aliasing and
                matching the beginning of the address for `|'  charac-
                ters)  to  be  mailer  flags; this allows fine-grained
                control over the special local processing.  Level  six
                configuration  files  may  also use long option names.
                The ColonOkInAddr  option  (to  allow  colons  in  the
                local-part  of  addresses)  defaults on for lower num-
                bered  configuration  files;  the  configuration  file
                requires some additional intelligence to properly han-
                dle the RFC 822 group construct.

                     Version level seven configuration files used  new
                option   names   to  replace  old  macros  ($e  became
                SmtpGreetingMessage, $l became  UnixFromLine,  and  $o
                became  OperatorChars.  Also,  prior to version seven,
                the F=q flag (use 250 instead of 252 return value  for
                SMTP VRFY commands) was assumed.

                     Version level eight configuration files allow  $#
                on the left hand side of ruleset lines.

                     Version  level  nine  configuration  files  allow
                parentheses  in rulesets, i.e. they are not treated as
                comments and hence removed.

                     Version level ten configuration files allow queue
                group definitions.

                     The V line may have an optional /vendor to  indi-
                cate  that  this configuration file uses modifications
                specific to  a  particular  vendor[22].  You  may  use
                "/Berkeley"  to emphasize that this configuration file
                uses the Berkeley dialect of sendmail.

          ____________________
             [22]And of course, vendors are encouraged  to  add  them-
          selves to the list of recognized vendors by editing the rou-
          tine  setvendor   in   conf.c.   Please   send   e-mail   to
          sendmail@Sendmail.ORG to register your vendor dialect.

          Sendmail Installation and Operation Guide         SMM:08-129

             5.9. K -- Key File Declaration

                     Special maps can be defined using the line:

                    Kmapname mapclass arguments

                The mapname is the handle by which this map is  refer-
                enced in the rewriting rules. The mapclass is the name
                of a type of map; these are compiled in  to  sendmail.
                The  arguments are interpreted depending on the class;
                typically, there would be a single argument naming the
                file containing the map.

                     Maps are referenced using the syntax:

                    $( map key $@ arguments $: default $)

                where either or both of the arguments or default  por-
                tion  may be omitted. The $@ arguments may appear more
                than once. The indicated key and arguments are  passed
                to  the  appropriate mapping function. If it returns a
                value, it replaces the input. If it does not return  a
                value  and  the  default  is  specified,  the  default
                replaces the input. Otherwise, the input is unchanged.

                     The arguments are passed to the map for arbitrary
                use.  Most map classes can interpolate these arguments
                into their values using the syntax "%n" (where n is  a
                digit)  to  indicate the corresponding argument. Argu-
                ment "%0" indicates the database key. For example, the
                rule

                    R$- ! $+       $: $(uucp $1 $@ $2 $: $2 @ $1 . UUCP $)

                Looks up the UUCP name in a (user defined)  UUCP  map;
                if  not found it turns it into ".UUCP" form. The data-
                base might contain records like:

                    decvax         %1@%0.DEC.COM
                    research       %1@%0.ATT.COM

                Note that default clauses never do this mapping.

                     The built-in map with both name and class  "host"
                is  the  host  name canonicalization lookup. Thus, the
                syntax:

                    $(host hostname$)

                is equivalent to:

                    $[hostname$]

          SMM:08-130         Sendmail Installation and Operation Guide

                     There are many defined classes.

                dbm       Database lookups using the ndbm(3)  library.
                          Sendmail must be compiled with NDBM defined.

                btree     Database lookups using the  btree  interface
                          to the Berkeley DB library. Sendmail must be
                          compiled with NEWDB defined.

                hash      Database lookups using the hash interface to
                          the  Berkeley  DB  library. Sendmail must be
                          compiled with NEWDB defined.

                nis       NIS lookups. Sendmail must be compiled  with
                          NIS defined.

                nisplus   NIS+ lookups. Sendmail must be compiled with
                          NISPLUS defined. The argument is the name of
                          the table to use for lookups, and the -k and
                          -v  flags  may  be  used  to set the key and
                          value columns respectively.

                hesiod    Hesiod lookups. Sendmail  must  be  compiled
                          with HESIOD defined.

                ldap      LDAP X500 directory lookups.  Sendmail  must
                          be  compiled  with  LDAPMAP defined. The map
                          supports most of the standard arguments  and
                          most  of  the  command line arguments of the
                          ldapsearch program. Note that,  by  default,
                          if  a  single query matches multiple values,
                          only the first value will be returned unless
                          the  -z  (value  separator) map flag is set.
                          Also, the -1 map flag will treat a  multiple
                          value return as if there were no matches.

                netinfo   NeXT NetInfo lookups. Sendmail must be  com-
                          piled with NETINFO defined.

                text      Text file lookups. The format  of  the  text
                          file   is  defined  by  the  -k  (key  field
                          number), -v (value  field  number),  and  -z
                          (field delimiter) flags.

                ph        PH query map. Contributed and  supported  by
                          Mark  Roth, roth@uiuc.edu. For more informa-
                          tion,  consult  the  web  site  "http://www-
                          dev.cites.uiuc.edu/sendmail/".

                nsd       nsd map for IRIX 6.5 and later.  Contributed
                          and   supported   by   Bob   Mende  of  SGI,
                          mende@sgi.com.

          Sendmail Installation and Operation Guide         SMM:08-131

                stab      Internal symbol table lookups.  Used  inter-
                          nally for aliasing.

                implicit  Really should be called "alias"  -  this  is
                          used  to  get  the default lookups for alias
                          files, and is the default  if  no  class  is
                          specified for alias files.

                user      Looks up users  using  getpwnam(3).  The  -v
                          flag  can be used to specify the name of the
                          field to return (although this  is  normally
                          used only to check the existence of a user).

                host      Canonifies host domain names. Given  a  host
                          name  it  calls  the name server to find the
                          canonical name for that host.

                bestmx    Returns the best MX record for a  host  name
                          given  as  the  key.  The current machine is
                          always preferred -- that is, if the  current
                          machine  is  one  of  the  hosts listed as a
                          lowest-preference MX record, then it will be
                          guaranteed  to be returned. This can be used
                          to find out if this machine  is  the  target
                          for  an  MX record, and mail can be accepted
                          on that basis. If the -z flag is given, then
                          all  MX names are returned, separated by the
                          given delimiter.

                dns       This map requires the option -R  to  specify
                          the  DNS resource record type to lookup. The
                          following  types  are  supported:  A,  AAAA,
                          AFSDB,  CNAME,  MX, NS, PTR, SRV, and TXT. A
                          map lookup  will  return  only  one  record.
                          Hence  for some types, e.g., MX records, the
                          return value might be a  random  element  of
                          the  list  due  to  randomizing  in  the DNS
                          resolver.

                sequence  The arguments on the `K' line are a list  of
                          maps;  the  resulting map searches the argu-
                          ment maps in order until it  finds  a  match
                          for  the  indicated key. For example, if the
                          key definition is:

                              Kmap1 ...
                              Kmap2 ...
                              Kseqmap sequence map1 map2

                          then a lookup against "seqmap" first does  a
                          lookup in map1. If that is found, it returns
                          immediately. Otherwise, the same key is used
                          for map2.

          SMM:08-132         Sendmail Installation and Operation Guide

                syslog    the key is logged via syslogd(8). The lookup
                          returns the empty string.

                switch    Much like the "sequence" map except that the
                          order  of  maps is determined by the service
                          switch. The argument is the name of the ser-
                          vice  to  be  looked up; the values from the
                          service switch are appended to the map  name
                          to  create  new map names. For example, con-
                          sider the key definition:

                              Kali switch aliases

                          together with the service switch entry:

                              aliases        nis files

                          This causes a query against the map "ali" to
                          search  maps named "ali.nis" and "ali.files"
                          in that order.

                dequote   Strip double quotes (") from a name. It does
                          not  strip  backslashes,  and will not strip
                          quotes if the resulting string would contain
                          unscannable  syntax  (that  is, basic errors
                          like unbalanced angle brackets; more sophis-
                          ticated errors such as unknown hosts are not
                          checked). The intent is for use when  trying
                          to  accept  mail from systems such as DECnet
                          that routinely quote odd syntax such as

                              "49ers::ubell"

                          A typical usage is probably something like:

                              Kdequote dequote

                              ...

                              R$-            $: $(dequote $1 $)
                              R$- $+         $: $>3 $1 $2

                          Care must be  taken  to  prevent  unexpected
                          results; for example,

                              "|someprogram < input > output"

                          will have quotes stripped, but the result is
                          probably  not  what  you  had  in mind. For-
                          tunately these cases are rare.

                regex     The map definition on the K line contains  a
                          regular   expression.   Any   key  input  is

          Sendmail Installation and Operation Guide         SMM:08-133

                          compared to that expression using the  POSIX
                          regular   expressions   routines  regcomp(),
                          regerr(), and regexec(). Refer to the  docu-
                          mentation for those routines for more infor-
                          mation about the regular  expression  match-
                          ing.  No rewriting of the key is done if the
                          -m flag is used.  Without  it,  the  key  is
                          discarded  or  if  -s if used, it is substi-
                          tuted by the substring matches, delimited by
                          $|  or  the string specified with the the -d
                          flag.  The flags available for the map are

                              -n  not
                              -f  case sensitive
                              -b  basic regular expressions (default is extended)
                              -s  substring match
                              -d  set the delimiter used for -s
                              -a  append string to key
                              -m  match only, do not replace/discard value
                              -D  perform no lookup in deferred delivery mode.

                          The -s flag can include an optional  parame-
                          ter  which  can  be  used to select the sub-
                          strings in the result of  the  lookup.   For
                          example,

                              -s1,3,4

                          Notes: to match a $ in a string, \$$ must be
                          used.  If  the pattern contains spaces, they
                          must be replaced with the blank substitution
                          character, unless it is space itself.

                program   The arguments on the K line are the pathname
                          to  a  program and any initial parameters to
                          be passed. When the map is called,  the  key
                          is  added  to the initial parameters and the
                          program is invoked as the default user/group
                          id.  The  first  line  of standard output is
                          returned as the value of  the  lookup.  This
                          has  many  potential  security problems, and
                          has terrible performance; it should be  used
                          only when absolutely necessary.

                macro     Set or clear a macro value. To set a  macro,
                          pass  the value as the first argument in the
                          map lookup. To clear a macro, do not pass an
                          argument  in  the map lookup. The map always
                          returns the empty string. Example of typical
                          usage include:

          SMM:08-134         Sendmail Installation and Operation Guide

                              Kstorage macro

                              ...

                              # set macro ${MyMacro} to the ruleset match
                              R$+ $: $(storage {MyMacro} $@ $1 $) $1
                              # set macro ${MyMacro} to an empty string
                              R$* $: $(storage {MyMacro} $@ $) $1
                              # clear macro ${MyMacro}
                              R$- $: $(storage {MyMacro} $) $1

                arith     Perform simple  arithmetic  operations.  The
                          operation  is  given as key, currently +, -,
                          *, /, %, |, & (bitwise OR, AND), l (for less
                          than),  =, and r (for random) are supported.
                          The two operands are given as arguments. The
                          lookup  returns  the  result of the computa-
                          tion, i.e., TRUE or FALSE  for  comparisons,
                          integer  values  otherwise.  The  r operator
                          returns a pseudo-random number  whose  value
                          lies  between  the  first and second operand
                          (which requires that the  first  operand  is
                          smaller  than the second). All options which
                          are possible for maps are ignored. A  simple
                          example is:

                              Kcomp arith

                              ...

                              Scheck_etrn
                              R$* $: $(comp l $@ $&{load_avg} $@ 7 $) $1
                              RFALSE$# error ...

                socket    The socket map uses a  simple  request/reply
                          protocol  over TCP or UNIX domain sockets to
                          query an external server. Both requests  and
                          replies  are  text based and encoded as net-
                          strings,  i.e.,  a  string   "hello   there"
                          becomes:

                              11:hello there,

                          Note: neither requests nor replies end  with
                          CRLF.

                          The request consists  of  the  database  map
                          name and the lookup key separated by a space
                          character:

          Sendmail Installation and Operation Guide         SMM:08-135

                              <mapname> ' ' <key>

                          The server responds with a status  indicator
                          and the result (if any):

                              <status> ' ' <result>

                          The status indicator specifies the result of
                          the  lookup  operation  itself and is one of
                          the following upper case words:

                              OK       the key was found, result contains the looked up value
                              NOTFOUND the key was not found, the result is empty
                              TEMP     a temporary failure occured
                              TIMEOUT  a timeout occured on the server side
                              PERM     a permanent failure occured

                          In case of errors (status TEMP,  TIMEOUT  or
                          PERM) the result field may contain an expla-
                          natory  message.  However,  the  explanatory
                          message is not used any further by sendmail.

                          Example replies:

                              31:OK resolved.address@example.com,

                              56:OK error:550 5.7.1 User does not accept mail from sender,

                          in case of successful lookups, or:

                              8:NOTFOUND,

                          in case the key was not found, or:

                              55:TEMP this text explains that we had a temporary failure,

                          in case of a temporary map lookup failure.

                          The socket  map  uses  the  same  syntax  as
                          milters  (see  Section  "X  --  Mail  Filter
                          (Milter) Definitions") to specify the remote
                          endpoint, e.g.,

                              Ksocket mySocketMap inet:12345@127.0.0.1

          SMM:08-136         Sendmail Installation and Operation Guide

                          If multiple  socket  maps  define  the  same
                          remote  endpoint,  they  will share a single
                          connection to this endpoint.

                     Most  of  these  accept  as  arguments  the  same
                optional  flags  and a filename (or a mapname for NIS;
                the filename is the root of the database path, so that
                ".db"  or  some  other  extension  appropriate for the
                database type will be added to get the actual database
                name). Known flags are:

                -o        Indicates that this map is optional --  that
                          is, if it cannot be opened, no error is pro-
                          duced, and sendmail will behave  as  if  the
                          map existed but was empty.

                -N, -O    If neither -N or -O are specified,  sendmail
                          uses an adaptive algorithm to decide whether
                          or not to look for null bytes on the end  of
                          keys.  It starts by trying both; if it finds
                          any key with a  null  byte  it  never  tries
                          again without a null byte and vice versa. If
                          -N is specified it  never  tries  without  a
                          null  byte  and  if -O is specified it never
                          tries with a null byte. Setting one of these
                          can  speed  matches but are never necessary.
                          If both -N and -O  are  specified,  sendmail
                          will never try any matches at all - that is,
                          everything will appear to fail.

                -ax       Append the string x on  successful  matches.
                          For  example, the default host map appends a
                          dot on successful matches.

                -Tx       Append the string x on  temporary  failures.
                          For  example,  x  would be appended if a DNS
                          lookup returned "server failed"  or  an  NIS
                          lookup  could  not locate a server. See also
                          the -t flag.

                -f        Do not fold upper to lower case before look-
                          ing up the key.

                -m        Match only (without replacing the value). If
                          you  only  care about the existence of a key
                          and not the value (as you might when search-
                          ing the NIS map "hosts.byname" for example),
                          this flag prevents the map from substituting
                          the value. However, The -a argument is still
                          appended on a  match,  and  the  default  is
                          still taken if the match fails.

          Sendmail Installation and Operation Guide         SMM:08-137

                -kkeycol  The key column name  (for  NIS+)  or  number
                          (for text lookups). For LDAP maps this is an
                          LDAP filter string in which %s  is  replaced
                          with  the literal contents of the lookup key
                          and %0 is replaced  with  the  LDAP  escaped
                          contents  of the lookup key according to RFC
                          2254. If  the  flag  -K  is  used,  then  %1
                          through   %9  are  replaced  with  the  LDAP
                          escaped contents of the arguments  specified
                          in the map lookup.

                -vvalcol  The value column name (for NIS+)  or  number
                          (for  text  lookups).  For LDAP maps this is
                          the name of one or  more  attributes  to  be
                          returned;   multiple   attributes   can   be
                          separated by commas. If not  specified,  all
                          attributes   found  in  the  match  will  be
                          returned. The  attributes  listed  can  also
                          include  a  type and one or more objectClass
                          values for matching as described in the LDAP
                          section.

                -zdelim   The column delimiter (for text lookups).  It
                          can be a single character or one of the spe-
                          cial strings "\n" or "\t" to  indicate  new-
                          line   or   tab   respectively.  If  omitted
                          entirely,  the  column  separator   is   any
                          sequence  of white space. For LDAP maps this
                          is the separator character to combine multi-
                          ple  values  into a single return string. If
                          not set, the LDAP lookup  will  only  return
                          the  first match found. For DNS maps this is
                          the separator character at which the  result
                          of a query is cut off if is too long.

                -t        Normally, when a map attempts to do a lookup
                          and   the   server   fails  (e.g.,  sendmail
                          couldn't contact any name  server;  this  is
                          not  the same as an entry not being found in
                          the map), the  message  being  processed  is
                          queued  for  future  processing. The -t flag
                          turns off this behavior,  letting  the  tem-
                          porary  failure  (server down) act as though
                          it  were  a  permanent  failure  (entry  not
                          found).  It  is  particularly useful for DNS
                          lookups, where someone else's  misconfigured
                          name  server  can  cause  problems  on  your
                          machine. However,  care  must  be  taken  to
                          ensure that you don't bounce mail that would
                          be resolved correctly if you tried again.  A
                          common  strategy  is to forward such mail to
                          another,  possibly  better  connected,  mail
                          server.

          SMM:08-138         Sendmail Installation and Operation Guide

                -D        Perform no lookup in deferred delivery mode.
                          This  flag  is  set  by default for the host
                          map.

                -Sspacesub
                          The character to use to replace space  char-
                          acters  after  a successful map lookup (esp.
                          useful for regex and syslog maps).

                -sspacesub
                          For the dequote map only, the  character  to
                          use to replace space characters after a suc-
                          cessful dequote.

                -q        Don't dequote the key before lookup.

                -Llevel   For the syslog map only,  it  specifies  the
                          level to use for the syslog call.

                -A        When rebuilding an alias file, the  -A  flag
                          causes duplicate entries in the text version
                          to be merged. For example, two entries:

                              list:    user1, user2
                              list:    user3

                          would be treated as though it were the  sin-
                          gle entry

                              list:    user1, user2, user3

                          in the presence of the -A flag.

                     Some additional flags are available for the  host
                and dns maps:

                -d        delay: specify the resolver's retransmission
                          time interval (in seconds).

                -r        retry:  specify  the  number  of  times   to
                          retransmit a resolver query.

                     The dns map has another flag:

                -B        basedomain: specify a domain that is  always
                          appended to queries.

                     The following additional flags are present in the
                ldap map only:

                -R        Do not auto chase referrals.  sendmail  must
                          be  compiled  with  -DLDAP_REFERRALS  to use
                          this flag.

          Sendmail Installation and Operation Guide         SMM:08-139

                -n        Retrieve attribute names only.

                -Vsep     Retrieve both attributes name and  value(s),
                          separated by sep.

                -rderef   Set the alias dereference option to  one  of
                          never, always, search, or find.

                -sscope   Set search scope to one of  base,  one  (one
                          level), or sub (subtree).

                -hhost    LDAP server hostname.  Some  LDAP  libraries
                          allow   you   to  specify  multiple,  space-
                          separated hosts for redundancy. In addition,
                          each  of the hosts listed can be followed by
                          a colon and a port number  to  override  the
                          default LDAP port.

                -pport    LDAP service port.

                -H LDAPURI
                          Use the specified LDAP URI instead of speci-
                          fying  the hostname and port separately with
                          the the -h and -p options shown  above.  For
                          example,

                              -h server.example.com -p 389 -b dc=example,dc=com

                          is equivalent to

                              -H ldap://server.example.com:389 -b dc=example,dc=com

                          If the LDAP library supports  it,  the  LDAP
                          URI  format  however  can  also request LDAP
                          over  SSL  by  using  ldaps://  instead   of
                          ldap://. For example:

                              O LDAPDefaultSpec=-H ldaps://ldap.example.com -b dc=example,dc=com

                          Similarly, if the LDAP library supports  it,
                          It can also be used to specify a UNIX domain
                          socket using ldapi://:

                              O LDAPDefaultSpec=-H ldapi://socketfile -b dc=example,dc=com

                -bbase    LDAP search base.

                -ltimelimit
                          Time limit for LDAP queries.

                -Zsizelimit
                          Size (number of matches) limit for  LDAP  or

          SMM:08-140         Sendmail Installation and Operation Guide

                          DNS queries.

                -ddistinguished_name
                          The distinguished name to use  to  login  to
                          the LDAP server.

                -Mmethod  The  method  to  authenticate  to  the  LDAP
                          server.  Should  be  one  of LDAP_AUTH_NONE,
                          LDAP_AUTH_SIMPLE, or LDAP_AUTH_KRBV4.

                -Ppasswordfile
                          The file containing the secret key  for  the
                          LDAP_AUTH_SIMPLE  authentication  method  or
                          the name of the  Kerberos  ticket  file  for
                          LDAP_AUTH_KRBV4.

                -1        Force LDAP searches to  only  succeed  if  a
                          single  match  is  found. If multiple values
                          are found, the search is treated  as  if  no
                          match was found.

                -wversion Set the LDAP API/protocol  version  to  use.
                          The  default  depends  on  the  LDAP  client
                          libraries in use. For  example,  -w  3  will
                          cause  sendmail  to use LDAPv3 when communi-
                          cating with the LDAP server.

                -K        Treat the LDAP search key as  multi-argument
                          and  replace  %1  through %9 in the key with
                          the LDAP  escaped  contents  of  the  lookup
                          arguments specified in the map lookup.

                     The dbm map appends the strings ".pag" and ".dir"
                to  the given filename; the hash and btree maps append
                ".db". For example, the map specification

                    Kuucp dbm -o -N /etc/mail/uucpmap

                specifies an optional map named "uucp" of class "dbm";
                it  always  has null bytes at the end of every string,
                and      the      data       is       located       in
                /etc/mail/uucpmap.{dir,pag}.

                     The program makemap(8) can be used to  build  any
                of the three database-oriented maps. It takes the fol-
                lowing flags:

                -f        Do not fold upper to lower case in the map.

                -N        Include null bytes in keys.

                -o        Append to an existing (old) file.

          Sendmail Installation and Operation Guide         SMM:08-141

                -r        Allow replacement  of  existing  keys;  nor-
                          mally,  re-inserting  an  existing key is an
                          error.

                -v        Print what is happening.

                The sendmail daemon does not have to be  restarted  to
                read the new maps as long as you change them in place;
                file locking is used so that the maps  won't  be  read
                while they are being updated.

                     New classes can be added in the routine setupmaps
                in file conf.c.

             5.10. Q -- Queue Group Declaration

                     In addition to the option  QueueDirectory,  queue
                groups  can be declared that define a (group of) queue
                directories under a common name. The syntax is as fol-
                lows:

                    Qname {, field=value}+

                where name is the symbolic name  of  the  queue  group
                under which it can be referenced in various places and
                the "field=value" pairs define attributes of the queue
                group.  The  name  must  only  consist of alphanumeric
                characters. Fields are:

                Flags     Flags for this queue group.

                Nice      The nice(2) increment for the  queue  group.
                          This value must be greater or equal zero.

                Interval  The time between two queue runs.

                Path      The queue directory of the group (required).

                Runners   The number of  parallel  runners  processing
                          the queue. Note that F=f must be set if this
                          value is greater than one.

                Jobs      The  maximum  number   of   jobs   (messages
                          delivered) per queue run.

                recipients
                          The  maximum  number   of   recipients   per
                          envelope.  Envelopes  with  more  than  this
                          number of recipients will be split into mul-
                          tiple envelopes in the same queue directory.
                          The default value 0 means no limit.

          SMM:08-142         Sendmail Installation and Operation Guide

                Only the first character of the field name is checked.

                     By default, a queue group named mqueue is defined
                that  uses  the  value of the QueueDirectory option as
                path. Notice: all paths that are used for queue groups
                must  be  subdirectories of QueueDirectory. Since they
                can be symbolic links, this isn't a real  restriction,
                If  QueueDirectory uses a wildcard, then the directory
                one level up  is  considered  the  ``base''  directory
                which  all  other queue directories must share. Please
                make sure that the queue directories do  not  overlap,
                e.g., do not specify

                    O QueueDirectory=/var/spool/mqueue/*
                    Qone, P=/var/spool/mqueue/dir1
                    Qtwo, P=/var/spool/mqueue/dir2

                because this also includes "dir1" and  "dir2"  in  the
                default queue group. However,

                    O QueueDirectory=/var/spool/mqueue/main*
                    Qone, P=/var/spool/mqueue/dir
                    Qtwo, P=/var/spool/mqueue/other*

                is a valid queue group specification.

                     Options listed in the ``Flags'' field can be used
                to  modify  the  behavior  of a queue group. The ``f''
                flag must be set if multiple queue  runners  are  sup-
                posed  to work on the entries in a queue group. Other-
                wise  sendmail  will  work  on  the  entries  strictly
                sequentially.

                     The ``Interval''  field  sets  the  time  between
                queue  runs.  If  no  queue group specific interval is
                set, then the parameter of the -q option from the com-
                mand line is used.

                     To control the  overall  number  of  concurrently
                active  queue  runners the option MaxQueueChildren can
                be set. This limits the number of processes  used  for
                running  the queues to MaxQueueChildren, though at any
                one time fewer processes may be active as a result  of
                queue options, completed queue runs, system load, etc.

                     The maximum number of queue runners for an  indi-
                vidual  queue  group can be controlled via the Runners
                option. If set to 0, entries in the queue will not  be
                processed,  which  is  useful  to ``quarantine'' queue
                files. The number of runners per queue group may  also
                be  set  with  the  option  MaxRunnersPerQueue,  which
                applies to queue groups that have no individual limit.
                That   is,   the   default   value   for   Runners  is

          Sendmail Installation and Operation Guide         SMM:08-143

                MaxRunnersPerQueue if set, otherwise 1.

                     The field Jobs describes the  maximum  number  of
                jobs  (messages delivered) per queue run, which is the
                queue group specific value of MaxQueueRunSize.

                     Notice: queue groups should be declared after all
                queue  related  options  have  been  set because queue
                groups take their defaults from those options.  If  an
                option  is  set  after  a queue group declaration, the
                values of options in the queue group are  set  to  the
                defaults  of  sendmail  unless  explicitly  set in the
                declaration.

                     Each envelope is assigned to a queue group  based
                on  the  algorithm described in section ``Queue Groups
                and Queue Directories''.

             5.11. X -- Mail Filter (Milter) Definitions

                     The sendmail Mail Filter API (Milter) is designed
                to  allow third-party programs access to mail messages
                as they are being processed in order to  filter  meta-
                information and content. They are declared in the con-
                figuration file as:

                    Xname {, field=value}*

                where name is the name of the filter (used  internally
                only)  and the "field=name" pairs define attributes of
                the filter. Also see the documentation for the  Input-
                MailFilters option for more information.

                     Fields are:

                    Socket    The socket specification
                    Flags     Special flags for this filter
                    Timeouts  Timeouts for this filter

                Only the first character of the field name is  checked
                (it's case-sensitive).

                     The socket specification is one of the  following
                forms:

                    S=inet: port @ host

                    S=inet6: port @ host

                    S=local: path

          SMM:08-144         Sendmail Installation and Operation Guide

                The first two describe an IPv4 or IPv6 socket  listen-
                ing  on  a certain port at a given host or IP address.
                The  final  form  describes  a  named  socket  on  the
                filesystem at the given path.

                     The following flags may  be  set  in  the  filter
                description.

                R   Reject connection if filter unavailable.

                T   Temporary fail connection if filter unavailable.

                     If neither F=R nor F=T is specified, the  message
                is passed through sendmail in case of filter errors as
                if the failing filters were not present.

                     The timeouts can be set  using  the  four  fields
                inside of the T= equate:

                C   Timeout for connecting to a filter. If set  to  0,
                    the system's connect() timeout will be used.

                S   Timeout for sending information from the MTA to  a
                    filter.

                R   Timeout for reading reply from the filter.

                E   Overall timeout between sending end-of-message  to
                    filter and waiting for the final acknowledgment.

                     Note the separator between each timeout field  is
                a   ';'.   The   default  values  (if  not  set)  are:
                T=C:5m;S:10s;R:10s;E:5m where s is seconds  and  m  is
                minutes.

                     Examples:

                    Xfilter1, S=local:/var/run/f1.sock, F=R
                    Xfilter2, S=inet6:999@localhost, F=T, T=S:1s;R:1s;E:5m
                    Xfilter3, S=inet:3333@localhost, T=C:2m

             5.12. The User Database

                     The user  database  is  deprecated  in  favor  of
                ``virtusertable''  and  ``genericstable'' as explained
                in the file cf/README. If you have a version of  send-
                mail  with  the user database package compiled in, the
                handling of sender and recipient  addresses  is  modi-
                fied.

                     The location of this database is controlled  with
                the UserDatabaseSpec option.

          Sendmail Installation and Operation Guide         SMM:08-145

                5.12.1. Structure of the user database

                        The database is a sorted (BTree-based)  struc-
                   ture. User records are stored with the key:

                       user-name:field-name

                   The  sorted  database  format  ensures  that   user
                   records are clustered together. Meta-information is
                   always stored with a leading colon.

                        Field names define both the syntax and  seman-
                   tics of the value. Defined fields include:

                   maildrop  The delivery address for this user. There
                             may be multiple values of this record. In
                             particular, mailing lists will  have  one
                             maildrop  record  for  each  user  on the
                             list.

                   mailname  The outgoing mailname for this user.  For
                             each  outgoing  name,  there should be an
                             appropriate maildrop record for that name
                             to    allow   return   mail.   See   also
                             :default:mailname.

                   mailsender
                             Changes any mail sent to this address  to
                             have  the indicated envelope sender. This
                             is intended for mailing lists,  and  will
                             normally  be  the  name of an appropriate
                             -request address. It is very  similar  to
                             the owner-list syntax in the alias file.

                   fullname  The full name of the user.

                   office-address
                             The office address for this user.

                   office-phone
                             The office phone number for this user.

                   office-fax
                             The office FAX number for this user.

                   home-address
                             The home address for this user.

                   home-phone
                             The home phone number for this user.

                   home-fax  The home FAX number for this user.

          SMM:08-146         Sendmail Installation and Operation Guide

                   project   A (short) description of the project this
                             person is affiliated with. In the Univer-
                             sity this is often just the name of their
                             graduate advisor.

                   plan      A pointer  to  a  file  from  which  plan
                             information can be gathered.

                        As of this writing, only a few of these fields
                   are  actually  being used by sendmail: maildrop and
                   mailname. A finger  program  that  uses  the  other
                   fields is planned.

                5.12.2. User database semantics

                        When the rewriting rules submit an address  to
                   the  local  mailer, the user name is passed through
                   the alias file. If no alias is  found  (or  if  the
                   alias  points  back  to the same address), the name
                   (with ":maildrop" appended) is then used as  a  key
                   in the user database. If no match occurs (or if the
                   maildrop points at the same address), forwarding is
                   tried.

                        If the first token of the user  name  returned
                   by  ruleset  0  is  an  "@" sign, the user database
                   lookup is skipped. The  intent  is  that  the  user
                   database  will act as a set of defaults for a clus-
                   ter (in our case, the Computer  Science  Division);
                   mail sent to a specific machine should ignore these
                   defaults.

                        When mail is sent, the  name  of  the  sending
                   user is looked up in the database. If that user has
                   a "mailname" record, the value of  that  record  is
                   used  as  their outgoing name. For example, I might
                   have a record:

                       eric:mailnameEric.Allman@CS.Berkeley.EDU

                   This would cause my outgoing mail  to  be  sent  as
                   Eric.Allman.

                        If a "maildrop" is found for the user, but  no
                   corresponding  "mailname" record exists, the record
                   ":default:mailname" is consulted. If present,  this
                   is  the  name of a host to override the local host.
                   For example,  in  our  case  we  would  set  it  to
                   "CS.Berkeley.EDU".  The effect is that anyone known
                   in the database gets their outgoing mail stamped as
                   "user@CS.Berkeley.EDU",  but  people  not listed in
                   the database use the local hostname.

          Sendmail Installation and Operation Guide         SMM:08-147

                5.12.3. Creating the database[23]

                        The user database is built from  a  text  file
                   using  the  makemap utility (in the distribution in
                   the makemap  subdirectory).  The  text  file  is  a
                   series  of  lines  corresponding to userdb records;
                   each line has a key and a value separated by  white
                   space.  The  key  is always in the format described
                   above -- for example:

                       eric:maildrop

                   This file is normally installed in a system  direc-
                   tory;    for    example,   it   might   be   called
                   /etc/mail/userdb. To make the database  version  of
                   the map, run the program:

                       makemap btree /etc/mail/userdb < /etc/mail/userdb

                   Then create a config file that uses this. For exam-
                   ple,  using  the  V8  M4 configuration, include the
                   following line in your .mc file:

                       define(`confUSERDB_SPEC', /etc/mail/userdb)

          6. OTHER CONFIGURATION

                  There are some configuration  changes  that  can  be
             made by recompiling sendmail. This section describes what
             changes can be made and what has to be modified  to  make
             them. In most cases this should be unnecessary unless you
             are porting sendmail to a new environment.

             6.1. Parameters in devtools/OS/$oscf

                     These parameters are  intended  to  describe  the
                compilation  environment,  not site policy, and should
                normally be defined in the operating system configura-
                tion file. This section needs a complete rewrite.

                NDBM      If set, the new version of the  DBM  library
                          that allows multiple databases will be used.
                          If neither NDBM nor NEWDB are  set,  a  much
                          less  efficient  method  of  alias lookup is
                          used.
          ____________________
             [23]These instructions are known to be incomplete.  Other
          features  are available which provide similar functionality,
          e.g., virtual hosting and mapping  local  addresses  into  a
          generic form as explained in cf/README.

          SMM:08-148         Sendmail Installation and Operation Guide

                NEWDB     If set, use the new  database  package  from
                          Berkeley (from 4.4BSD). This package is sub-
                          stantially faster than DBM or NDBM. If NEWDB
                          and  NDBM  are  both set, sendmail will read
                          DBM files, but will  create  and  use  NEWDB
                          files.

                NIS       Include support for  NIS.  If  set  together
                          with  both  NEWDB  and  NDBM,  sendmail will
                          create both DBM and NEWDB files if and  only
                          if  an  alias  file  includes  the substring
                          "/yp/" in the name.  This  is  intended  for
                          compatibility with Sun Microsystems' mkalias
                          program used on YP masters.

                NISPLUS   Compile in support for NIS+.

                NETINFO   Compile in support for  NetInfo  (NeXT  sta-
                          tions).

                LDAPMAP   Compile in support for  LDAP  X500  queries.
                          Requires  libldap and liblber from the Umich
                          LDAP  3.2  or  3.3  release  or   equivalent
                          libraries  for  other LDAP libraries such as
                          OpenLDAP.

                HESIOD    Compile in support for Hesiod.

                MAP_NSD   Compile in support for IRIX NSD lookups.

                MAP_REGEX Compile in support  for  regular  expression
                          matching.

                DNSMAP    Compile in support for DNS  map  lookups  in
                          the sendmail.cf file.

                PH_MAP    Compile in support for ph lookups.

                SASL      Compile in support for SASL, a required com-
                          ponent for SMTP Authentication support.

                STARTTLS  Compile in support for STARTTLS.

                EGD       Compile in support for the "Entropy  Gather-
                          ing  Daemon"  to  provide better random data
                          for TLS.

                TCPWRAPPERS
                          Compile in support for TCP Wrappers.

                _PATH_SENDMAILCF
                          The pathname of the sendmail.cf file.

          Sendmail Installation and Operation Guide         SMM:08-149

                _PATH_SENDMAILPID
                          The pathname of the sendmail.pid file.

                SM_CONF_SHM
                          Compile in support for  shared  memory,  see
                          section about "/var/spool/mqueue".

                MILTER    Compile in support for  contacting  external
                          mail filters built with the Milter API.

                     There are also several compilation flags to indi-
                cate the environment such as "_AIX3" and "_SCO_unix_".
                See the sendmail/README file for the latest  scoop  on
                these flags.

             6.2. Parameters in sendmail/conf.h

                     Parameters and compilation options are defined in
                conf.h.  Most  of  these need not normally be tweaked;
                common parameters are all in sendmail.cf. However, the
                sizes of certain primitive vectors, etc., are included
                in this file. The numbers following the parameters are
                their default value.

                     This document is not the best source of  informa-
                tion   for   compilation   flags   in   conf.h  -  see
                sendmail/README or sendmail/conf.h itself.

                MAXLINE [2048]
                            The maximum line length of any input line.
                            If  message  lines exceed this length they
                            will still be  processed  correctly;  how-
                            ever,  header  lines,  configuration  file
                            lines, alias lines, etc., must fit  within
                            this limit.

                MAXNAME [256]
                            The maximum length of any name, such as  a
                            host or a user name.

                MAXPV [256] The maximum number of  parameters  to  any
                            mailer.  This  limits  the number of reci-
                            pients that may be passed in one  transac-
                            tion.  It  can  be  set  to  any arbitrary
                            number above about 10, since sendmail will
                            break  up  a delivery into smaller batches
                            as needed. A higher number may reduce load
                            on your system, however.

                MAXQUEUEGROUPS [50]
                            The maximum number of queue groups.

          SMM:08-150         Sendmail Installation and Operation Guide

                MAXATOM [1000]
                            The maximum number of atoms (tokens) in  a
                            single  address.  For example, the address
                            "eric@CS.Berkeley.EDU" is seven atoms.

                MAXMAILERS [25]
                            The maximum number of mailers that may  be
                            defined  in  the  configuration file. This
                            value        is         defined         in
                            include/sendmail/sendmail.h.

                MAXRWSETS [200]
                            The maximum number of rewriting sets  that
                            may  be  defined.  The first half of these
                            are  reserved  for  numeric  specification
                            (e.g.,  ``S92''), while the upper half are
                            reserved   for    auto-numbering    (e.g.,
                            ``Sfoo'').  Thus,  with  a value of 200 an
                            attempt to use ``S99'' will  succeed,  but
                            ``S100'' will fail.

                MAXPRIORITIES [25]
                            The maximum number of values for the "Pre-
                            cedence:" field that may be defined (using
                            the P line in sendmail.cf).

                MAXUSERENVIRON [100]
                            The maximum number of items  in  the  user
                            environment  that will be passed to subor-
                            dinate mailers.

                MAXMXHOSTS [100]
                            The maximum number of MX records  we  will
                            accept for any single host.

                MAXMAPSTACK [12]
                            The maximum number of  maps  that  may  be
                            "stacked" in a sequence class map.

                MAXMIMEARGS [20]
                            The maximum number of arguments in a  MIME
                            Content-Type: header; additional arguments
                            will be ignored.

                MAXMIMENESTING [20]
                            The maximum depth to which  MIME  messages
                            may  be nested (that is, nested Message or
                            Multipart documents; this does  not  limit
                            the  number of components in a single Mul-
                            tipart document).

                MAXDAEMONS [10]
                            The maximum  number  of  sockets  sendmail

          Sendmail Installation and Operation Guide         SMM:08-151

                            will  open  for  accepting  connections on
                            different ports.

                MAXMACNAMELEN [25]
                            The maximum length of a macro name.

                A number of other  compilation  options  exist.  These
                specify  whether  or  not specific code should be com-
                piled in. Ones marked with - are 0/1 valued.

                NETINET-    If set, support for Internet protocol net-
                            working  is compiled in. Previous versions
                            of sendmail referred to  this  as  DAEMON;
                            this  old usage is now incorrect. Defaults
                            on; turn it off in the  Makefile  if  your
                            system doesn't support the Internet proto-
                            cols.

                NETINET6-   If set, support  for  IPv6  networking  is
                            compiled in. It must be separately enabled
                            by adding DaemonPortOptions settings.

                NETISO-     If set, support for ISO protocol  network-
                            ing  is compiled in (it may be appropriate
                            to #define this in the Makefile instead of
                            conf.h).

                NETUNIX-    If set, support for UNIX domain sockets is
                            compiled  in.  This  is  used  for control
                            socket support.

                LOG         If set, the syslog routine in use at  some
                            sites is used. This makes an informational
                            log record for each message processed, and
                            makes  a  higher  priority  log record for
                            internal system  errors.  STRONGLY  RECOM-
                            MENDED  -  if you want no logging, turn it
                            off in the configuration file.

                MATCHGECOS- Compile in the code to do  ``fuzzy  match-
                            ing''  on  the GECOS field in /etc/passwd.
                            This also  requires  that  the  MatchGECOS
                            option be turned on.

                NAMED_BIND- Compile in code to use the Berkeley Inter-
                            net  Name  Domain (BIND) server to resolve
                            TCP/IP host names.

                NOTUNIX     If you are using a non-UNIX  mail  format,
                            you  can set this flag to turn off special
                            processing of UNIX-style "From " lines.

          SMM:08-152         Sendmail Installation and Operation Guide

                USERDB-     Include  the  experimental  Berkeley  user
                            information  database package. This adds a
                            new level of local name expansion  between
                            aliasing  and forwarding. It also uses the
                            NEWDB package. This may change  in  future
                            releases.

                The following options are normally turned on  in  per-
                operating-system clauses in conf.h.

                IDENTPROTO- Compile in the IDENT protocol  as  defined
                            in RFC 1413. This defaults on for all sys-
                            tems except Ultrix, which  apparently  has
                            the  interesting  "feature"  that  when it
                            receives a "host unreachable"  message  it
                            closes  all open connections to that host.
                            Since some  firewall  gateways  send  this
                            error code when you access an unauthorized
                            port (such as 113, used by IDENT),  Ultrix
                            cannot receive email from such hosts.

                SYSTEM5     Set  all  of  the  compilation  parameters
                            appropriate for System V.

                HASFLOCK-   Use Berkeley-style flock instead of System
                            V  lockf  to  do  file locking. Due to the
                            highly unusual semantics of  locks  across
                            forks in lockf, this should always be used
                            if at all possible.

                HASINITGROUPS
                            Set this if  your  system  has  the  init-
                            groups()  call (if you have multiple group
                            support). This is the default  if  SYSTEM5
                            is not defined or if you are on HPUX.

                HASUNAME    Set this if you have the  uname(2)  system
                            call  (or  corresponding library routine).
                            Set by default if SYSTEM5 is set.

                HASGETDTABLESIZE
                            Set this if you have the  getdtablesize(2)
                            system call.

                HASWAITPID  Set this if  you  have  the  haswaitpid(2)
                            system call.

                FAST_PID_RECYCLE
                            Set this if your system can possibly reuse
                            the same pid in the same second of time.

                SFS_TYPE    The mechanism that can be used to get file
                            system  capacity  information.  The values

          Sendmail Installation and Operation Guide         SMM:08-153

                            can be one of SFS_USTAT (use the  ustat(2)
                            syscall), SFS_4ARGS (use the four argument
                            statfs(2) syscall), SFS_VFS (use  the  two
                            argument   statfs(2)   syscall   including
                            <sys/vfs.h>), SFS_MOUNT (use the two argu-
                            ment     statfs(2)    syscall    including
                            <sys/mount.h>), SFS_STATFS  (use  the  two
                            argument   statfs(2)   syscall   including
                            <sys/statfs.h>), SFS_STATVFS (use the  two
                            argument   statfs(2)   syscall   including
                            <sys/statvfs.h>), or SFS_NONE (no  way  to
                            get this information).

                LA_TYPE     The  load  average   type.   Details   are
                            described below.

                The are several built-in ways of  computing  the  load
                average.  Sendmail  tries to auto-configure them based
                on imperfect guesses; you can select one using the  cc
                option -DLA_TYPE=type, where type is:

                LA_INT      The kernel stores the load average in  the
                            kernel  as  an array of long integers. The
                            actual  values  are  scaled  by  a  factor
                            FSCALE (default 256).

                LA_SHORT    The kernel stores the load average in  the
                            kernel  as an array of short integers. The
                            actual  values  are  scaled  by  a  factor
                            FSCALE (default 256).

                LA_FLOAT    The kernel stores the load average in  the
                            kernel  as  an  array  of double precision
                            floats.

                LA_MACH     Use MACH-style load averages.

                LA_SUBR     Call the getloadavg  routine  to  get  the
                            load average as an array of doubles.

                LA_ZERO     Always return zero as  the  load  average.
                            This is the fallback case.

                If type LA_INT, LA_SHORT, or  LA_FLOAT  is  specified,
                you  may  also need to specify _PATH_UNIX (the path to
                your system binary) and LA_AVENRUN (the  name  of  the
                variable  containing  the  load average in the kernel;
                usually "_avenrun" or "avenrun").

             6.3. Configuration in sendmail/conf.c

                     The following changes can be made in conf.c.

          SMM:08-154         Sendmail Installation and Operation Guide

                6.3.1. Built-in Header Semantics

                        Not all header semantics are  defined  in  the
                   configuration  file.  Header lines that should only
                   be included by certain mailers (as  well  as  other
                   more  obscure  semantics)  must be specified in the
                   HdrInfo table in conf.c. This  table  contains  the
                   header name (which should be in all lower case) and
                   a set of header control  flags  (described  below),
                   The flags are:

                   H_ACHECK    Normally when the check is made to  see
                               if  a  header line is compatible with a
                               mailer, sendmail  will  not  delete  an
                               existing  line.  If  this  flag is set,
                               sendmail  will  delete  even   existing
                               header  lines.  That is, if this bit is
                               set and the mailer does not  have  flag
                               bits   set   that  intersect  with  the
                               required mailer  flags  in  the  header
                               definition  in  sendmail.cf, the header
                               line is always deleted.

                   H_EOH       If this header field is set,  treat  it
                               like a blank line, i.e., it will signal
                               the end of the header and the beginning
                               of the message text.

                   H_FORCE     Add  this  header  entry  even  if  one
                               existed  in  the  message  before. If a
                               header entry does  not  have  this  bit
                               set,  sendmail  will  not  add  another
                               header line if a header  line  of  this
                               name  already  existed. This would nor-
                               mally be used to stamp the  message  by
                               everyone who handled it.

                   H_TRACE     If set, this  is  a  timestamp  (trace)
                               field. If the number of trace fields in
                               a message exceeds a preset  amount  the
                               message  is  returned on the assumption
                               that it has an aliasing loop.

                   H_RCPT      If set, this field  contains  recipient
                               addresses.  This is used by the -t flag
                               to determine who to send to when it  is
                               collecting recipients from the message.

                   H_FROM      This flag  indicates  that  this  field
                               specifies  a sender. The order of these
                               fields in the HdrInfo  table  specifies
                               sendmail's  preference  for which field
                               to return error messages to.

          Sendmail Installation and Operation Guide         SMM:08-155

                   H_ERRORSTO  Addresses in this header should receive
                               error messages.

                   H_CTE       This  header  is  a   Content-Transfer-
                               Encoding header.

                   H_CTYPE     This header is a Content-Type header.

                   H_STRIPVAL  Strip the value from  the  header  (for
                               Bcc:).

                   Let's look at a sample HdrInfo specification:

                       struct hdrinfo                    HdrInfo[] =
                       {
                                /* originator fields, most to least significant  */
                           "resent-sender",              H_FROM,
                           "resent-from",                H_FROM,
                           "sender",                     H_FROM,
                           "from",                       H_FROM,
                           "full-name",                  H_ACHECK,
                           "errors-to",                  H_FROM|H_ERRORSTO,
                                /* destination fields */
                           "to",                         H_RCPT,
                           "resent-to",                  H_RCPT,
                           "cc",                         H_RCPT,
                           "bcc",                        H_RCPT|H_STRIPVAL,
                                /* message identification and control */
                           "message",                    H_EOH,
                           "text",                       H_EOH,
                                /* trace fields */
                           "received",                   H_TRACE|H_FORCE,
                                /* miscellaneous fields */
                           "content-transfer-encoding",  H_CTE,
                           "content-type",               H_CTYPE,

                           NULL,                         0,
                       };

                   This structure indicates that the  "To:",  "Resent-
                   To:",   and  "Cc:"  fields  all  specify  recipient
                   addresses. Any "Full-Name:" field will  be  deleted
                   unless  the  required mailer flag (indicated in the
                   configuration file) is  specified.  The  "Message:"
                   and "Text:" fields will terminate the header; these
                   are used by random dissenters  around  the  network
                   world.  The "Received:" field will always be added,
                   and can be used to trace messages.

                        There are a number of important  points  here.
                   First,  header  fields  are not added automatically
                   just because they are  in  the  HdrInfo  structure;
                   they must be specified in the configuration file in

          SMM:08-156         Sendmail Installation and Operation Guide

                   order to be added to the message. Any header fields
                   mentioned  in  the  configuration file but not men-
                   tioned in the HdrInfo structure have  default  pro-
                   cessing  performed;  that is, they are added unless
                   they were  in  the  message  already.  Second,  the
                   HdrInfo  structure  only specifies cliched process-
                   ing; certain headers are processed specially by  ad
                   hoc  code  regardless  of  the  status specified in
                   HdrInfo. For example,  the  "Sender:"  and  "From:"
                   fields are always scanned on ARPANET mail to deter-
                   mine the sender[24]; this is used  to  perform  the
                   "return   to  sender"  function.  The  "From:"  and
                   "Full-Name:" fields are used to determine the  full
                   name  of  the sender if possible; this is stored in
                   the macro $x and used in a number of ways.

                6.3.2. Restricting Use of Email

                        If it is necessary to restrict mail through  a
                   relay,  the  checkcompat  routine  can be modified.
                   This routine is called for every recipient address.
                   It  returns an exit status indicating the status of
                   the message. The status EX_OK accepts the  address,
                   EX_TEMPFAIL queues the message for a later try, and
                   other values (commonly EX_UNAVAILABLE)  reject  the
                   message.  It is up to checkcompat to print an error
                   message (using usrerr) if the message is  rejected.
                   For example, checkcompat could read:

          ____________________
             [24]Actually, this is no longer true in SMTP; this infor-
          mation  is contained in the envelope. The older ARPANET pro-
          tocols did not completely distinguish envelope from header.

          Sendmail Installation and Operation Guide         SMM:08-157

                       int
                       checkcompat(to, e)
                           register ADDRESS *to;
                           register ENVELOPE *e;
                       {
                           register STAB *s;

                           s = stab("private", ST_MAILER, ST_FIND);
                           if (s != NULL && e->e_from.q_mailer != LocalMailer &&
                               to->q_mailer == s->s_mailer)
                           {
                               usrerr("No private net mail allowed through this machine");
                               return (EX_UNAVAILABLE);
                           }
                           if (MsgSize > 50000 && bitnset(M_LOCALMAILER, to->q_mailer))
                           {
                               usrerr("Message too large for non-local delivery");
                               e->e_flags |= EF_NORETURN;
                               return (EX_UNAVAILABLE);
                           }
                           return (EX_OK);
                       }

                   This would reject messages greater than 50000 bytes
                   unless they were local. The EF_NORETURN flag can be
                   set in e->e_flags to suppress  the  return  of  the
                   actual body of the message in the error return. The
                   actual use of this routine is highly  dependent  on
                   the implementation, and use should be limited.

                6.3.3. New Database Map Classes

                        New key maps can be added by creating a  class
                   initialization  function  and  a  lookup  function.
                   These are then added to the routine setupmaps.

                        The initialization function is called as

                       xxx_map_init(MAP *map, char *args)

                   The map is an internal data structure. The args  is
                   a  pointer to the portion of the configuration file
                   line  following  the  map  class  name;  flags  and
                   filenames can be extracted from this line. The ini-
                   tialization function must return true  if  it  suc-
                   cessfully opened the map, false otherwise.

                        The lookup function is called as

                       xxx_map_lookup(MAP *map, char buf[], char **av, int *statp)

                   The map defines the map internally. The buf has the
                   input   key.  This  may  be  (and  often  is)  used

          SMM:08-158         Sendmail Installation and Operation Guide

                   destructively. The av is a list of arguments passed
                   in  from  the  rewrite  line.  The  lookup function
                   should return a pointer to the new  value.  If  the
                   map  lookup  fails, *statp should be set to an exit
                   status code; in particular, it  should  be  set  to
                   EX_TEMPFAIL  if  recovery is to be attempted by the
                   higher level code.

                6.3.4. Queueing Function

                        The routine shouldqueue is called to decide if
                   a  message  should  be  queued or processed immedi-
                   ately. Typically this compares the message priority
                   to the current load average. The default definition
                   is:

                       bool
                       shouldqueue(pri, ctime)
                           long pri;
                           time_t ctime;
                       {
                           if (CurrentLA < QueueLA)
                               return false;
                           return (pri > (QueueFactor / (CurrentLA - QueueLA + 1)));
                       }

                   If  the  current  load  average  (global   variable
                   CurrentLA,  which  is  set  before this function is
                   called) is less than the low threshold load average
                   (option  x,  variable QueueLA), shouldqueue returns
                   false immediately (that is, it should  not  queue).
                   If the current load average exceeds the high thres-
                   hold load average (option  X,  variable  RefuseLA),
                   shouldqueue returns true immediately. Otherwise, it
                   computes the function based on the  message  prior-
                   ity,  the  queue  factor (option q, global variable
                   QueueFactor), and the current  and  threshold  load
                   averages.

                        An implementation wishing to take  the  actual
                   age  of  the  message into account can also use the
                   ctime parameter, which is the time that the message
                   was  first submitted to sendmail. Note that the pri
                   parameter is already  weighted  by  the  number  of
                   times  the  message  has  been tried (although this
                   tends to lower the priority  of  the  message  with
                   time);  the  expectation is that the ctime would be
                   used as an "escape clause" to ensure that  messages
                   are eventually processed.

          Sendmail Installation and Operation Guide         SMM:08-159

                6.3.5. Refusing Incoming SMTP Connections

                        The function refuseconnections returns true if
                   incoming  SMTP  connections  should be refused. The
                   current implementation is based exclusively on  the
                   current  load  average  and the refuse load average
                   option (option X, global variable RefuseLA):

                       bool
                       refuseconnections()
                       {
                           return (RefuseLA > 0 && CurrentLA >= RefuseLA);
                       }

                   A more clever implementation  could  look  at  more
                   system resources.

                6.3.6. Load Average Computation

                        The routine getla  returns  the  current  load
                   average  (as  a  rounded integer). The distribution
                   includes several possible implementations.  If  you
                   are  porting  to  a new environment you may need to
                   add some new tweaks.[25]

             6.4. Configuration in sendmail/daemon.c

                     The file sendmail/daemon.c contains a  number  of
                routines  that  are  dependent on the local networking
                environment. The version supplied assumes you have BSD
                style sockets.

                     In previous releases,  we  recommended  that  you
                modify  the  routine maphostname if you wanted to gen-
                eralize $[ ... $] lookups. We now recommend  that  you
                create a new keyed map instead.

             6.5. LDAP

                     In this section we assume that sendmail has  been
                compiled with support for LDAP.

                6.5.1. LDAP Recursion

                        LDAP Recursion allows you to add types to  the
                   search attributes on an LDAP map specification. The
                   syntax is:

          ____________________
             [25]If    you    do,    please    send     updates     to
          sendmail@Sendmail.ORG.

          SMM:08-160         Sendmail Installation and Operation Guide

                   -v ATTRIBUTE[:TYPE[:OBJECTCLASS[|OBJECTCLASS|...]]]

                        The new TYPEs are:

                   NORMAL    This attribute type specifies the  attri-
                             bute  to  add to the results string. This
                             is the default.

                   DN        Any  matches  for  this   attribute   are
                             expected to have a value of a fully qual-
                             ified distinguished name.  sendmail  will
                             lookup  that  DN and apply the attributes
                             requested to the returned DN record.

                   FILTER    Any  matches  for  this   attribute   are
                             expected  to  have  a  value  of  an LDAP
                             search filter. sendmail  will  perform  a
                             lookup  with  the  same parameters as the
                             original search but replaces  the  search
                             filter with the one specified here.

                   URL       Any  matches  for  this   attribute   are
                             expected  to have a value of an LDAP URL.
                             sendmail will perform a  lookup  of  that
                             URL  and  use the results from the attri-
                             butes named in  that  URL.  Note  however
                             that the search is done using the current
                             LDAP connection, regardless  of  what  is
                             specified  as  the scheme, LDAP host, and
                             LDAP port in the LDAP URL.

                   Any untyped attributes are considered NORMAL attri-
                   butes as described above.

                        The optional OBJECTCLASS  (|  separated)  list
                   contains  the  objectClass  values  for  which that
                   attribute applies. If the list is given, the attri-
                   bute  named  will  only  be used if the LDAP record
                   being returned is a member of  that  object  class.
                   Note  that  if  these new value attribute TYPEs are
                   used in an AliasFile option setting, it  will  need
                   to  be  double  quoted  to  prevent  sendmail  from
                   misparsing the colons.

                        Note that LDAP recursion attributes  which  do
                   not ultimately point to an LDAP record are not con-
                   sidered an error.

                   6.5.1.1. Example

                           Since examples usually help  clarify,  here
                      is  an  example  which  uses all four of the new
                      types:

          Sendmail Installation and Operation Guide         SMM:08-161

                          O LDAPDefaultSpec=-h ldap.example.com -b dc=example,dc=com

                          Kexample ldap
                                   -z,
                                   -k (&(objectClass=sendmailMTAAliasObject)(sendmailMTAKey=%0))
                                   -v sendmailMTAAliasValue,mail:NORMAL:inetOrgPerson,
                                      uniqueMember:DN:groupOfUniqueNames,
                                      sendmailMTAAliasSearch:FILTER:sendmailMTAAliasObject,
                                      sendmailMTAAliasURL:URL:sendmailMTAAliasObject

                           That definition specifies that:

                       + Any value in a  sendmailMTAAliasValue  attri-
                         bute  will  be  added  to  the  result string
                         regardless of object class.
                       + The mail  attribute  will  be  added  to  the
                         result  string if the LDAP record is a member
                         of the inetOrgPerson object class.
                       + The uniqueMember  attribute  is  a  recursive
                         attribute,  used  only  in groupOfUniqueNames
                         records, and should contain an LDAP DN point-
                         ing  to  another LDAP record. The desire here
                         is to return the mail  attribute  from  those
                         DNs.
                       + The  sendmailMTAAliasSearch   attribute   and
                         sendmailMTAAliasURL  are  both  used  only if
                         referenced in a sendmailMTAAliasObject.  They
                         are  both recursive, the first for a new LDAP
                         search string and the latter for an LDAP URL.

             6.6. STARTTLS

                     In this section we assume that sendmail has  been
                compiled with support for STARTTLS. To properly under-
                stand the use of STARTTLS in sendmail, it is necessary
                to  understand at least some basics about X.509 certi-
                ficates and public key cryptography. This  information
                can  be  found in books about SSL/TLS or on WWW sites,
                e.g., "http://www.OpenSSL.org/".

                6.6.1. Certificates for STARTTLS

                        When acting as  a  server,  sendmail  requires
                   X.509 certificates to support STARTTLS: one as cer-
                   tificate  for  the   server   (ServerCertFile   and
                   corresponding  private  ServerKeyFile) at least one
                   root CA (CACertFile), i.e., a certificate  that  is
                   used  to  sign  other certificates, and a path to a
                   directory which contains  other  CAs  (CACertPath).
                   The  file  specified  via  CACertFile  can  contain
                   several certificates of CAs. The DNs of these  cer-
                   tificates  are  sent  to  the client during the TLS

          SMM:08-162         Sendmail Installation and Operation Guide

                   handshake (as part of  the  CertificateRequest)  as
                   the  list  of  acceptable CAs. However, do not list
                   too many root CAs in that file, otherwise  the  TLS
                   handshake may fail; e.g.,

                       error:14094417:SSL routines:SSL3_READ_BYTES:
                       sslv3 alert illegal parameter:s3_pkt.c:964:SSL alert number 47

                   You should probably put only the CA cert into  that
                   file that signed your own cert(s), or at least only
                   those you trust. The CACertPath directory must con-
                   tain the hashes of each CA certificate as filenames
                   (or as links to them). Symbolic links can  be  gen-
                   erated  with  the following two (Bourne) shell com-
                   mands:

                       C=FileName_of_CA_Certificate
                       ln -s $C `openssl x509 -noout -hash < $C`.0

                   A better way to do this is to use the c_rehash com-
                   mand  that  is  part  of  the  OpenSSL distribution
                   because  it  handles  subject  hash  collisions  by
                   incrementing  the  number  in  the  suffix  of  the
                   filename of the symbolic link, e.g., .0 to .1,  and
                   so  on.  An  X.509 certificate is also required for
                   authentication in client mode  (ClientCertFile  and
                   corresponding   private   ClientKeyFile),  however,
                   sendmail will always use STARTTLS when offered by a
                   server.  The  client and server certificates can be
                   identical. Certificates can be obtained from a cer-
                   tificate  authority  or  created  with  the help of
                   OpenSSL. The required format for  certificates  and
                   private keys is PEM. To allow for automatic startup
                   of   sendmail,   private    keys    (ServerKeyFile,
                   ClientKeyFile) must be stored unencrypted. The keys
                   are only protected by the permissions of  the  file
                   system.  Never  make  a  private key available to a
                   third party.

                6.6.2. PRNG for STARTTLS

                        STARTTLS  requires  a  strong  pseudo   random
                   number   generator   (PRNG)  to  operate  properly.
                   Depending on the TLS library you  use,  it  may  be
                   required  to  explicitly  initialize  the PRNG with
                   random data. OpenSSL makes use  of  /dev/urandom(4)
                   if  available (this corresponds to the compile flag
                   HASURANDOMDEV). On systems which lack this support,
                   a  random file must be specified in the sendmail.cf
                   file using the  option  RandFile.  It  is  strongly
                   advised  to  use the "Entropy Gathering Daemon" EGD
                   from Brian Warner on those systems to provide  use-
                   ful  random  data.  In  this case, sendmail must be

          Sendmail Installation and Operation Guide         SMM:08-163

                   compiled with the flag EGD, and the RandFile option
                   must   point   to   the   EGD  socket.  If  neither
                   /dev/urandom(4) nor EGD are available, you have  to
                   make  sure that useful random data is available all
                   the time in RandFile. If the file hasn't been modi-
                   fied  in  the last 10 minutes before it is supposed
                   to be used by sendmail the  content  is  considered
                   obsolete. One method for generating this file is:

                       openssl rand -out /etc/mail/randfile -rand /path/to/file:...256

                   See the OpenSSL documentation for more information.
                   In  this case, the PRNG for TLS is only seeded with
                   other random data if the  DontBlameSendmail  option
                   InsufficientEntropy is set. This is most likely not
                   sufficient for certain actions, e.g., generation of
                   (temporary) keys.

                        Please see the OpenSSL documentation or  other
                   sources for further information about certificates,
                   their creation and their usage, the importance of a
                   good PRNG, and other aspects of TLS.

             6.7. Encoding of STARTTLS and AUTH related Macros

                     Macros that contain  STARTTLS  and  AUTH  related
                data  which comes from outside sources, e.g., all mac-
                ros  containing  information  from  certificates,  are
                encoded  to  avoid problems with non-printable or spe-
                cial characters. The latter are '\',  '<',  '>',  '(',
                ')',  '"',  '+',  and ' '. All of these characters are
                replaced by their value in hexadecimal with a  leading
                '+'. For example:

                    /C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/
                    Email=darth+cert@endmail.org

                is encoded as:

                    /C=US/ST=California/O=endmail.org/OU=private/
                    CN=Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org

                (line breaks have been inserted for readability).  The
                macros   which   are  subject  to  this  encoding  are
                {cert_subject},      {cert_issuer},      {cn_subject},
                {cn_issuer},    as    well    as   {auth_authen}   and
                {auth_author}.

          7. ACKNOWLEDGEMENTS

                  I've worked on sendmail for  many  years,  and  many
             employers  have  been remarkably patient about letting me
             work on a large project that was not part of my  official

          SMM:08-164         Sendmail Installation and Operation Guide

             job.  This  includes  time  on  the INGRES Project at the
             University of California at Berkeley, at Britton Lee, and
             again on the Mammoth and Titan Projects at Berkeley.

                  Much of the second wave of improvements resulting in
             version  8.1  should be credited to Bryan Costales of the
             International Computer Science Institute. As he passed me
             drafts  of  his  book on sendmail I was inspired to start
             working on things again.  Bryan  was  also  available  to
             bounce ideas off of.

                  Gregory Neil Shapiro of Worcester Polytechnic Insti-
             tute  has  become  instrumental in all phases of sendmail
             support and development, and was largely responsible  for
             getting versions 8.8 and 8.9 out the door.

                  Many, many people contributed  chunks  of  code  and
             ideas  to  sendmail.  It has proven to be a group network
             effort. Version 8 in particular was a group project.  The
             following people and organizations made notable contribu-
             tions:

                 Claus Assmann
                 John Beck, Hewlett-Packard & Sun Microsystems
                 Keith Bostic, CSRG, University of California, Berkeley
                 Andrew Cheng, Sun Microsystems
                 Michael J. Corrigan, University of California, San Diego
                 Bryan Costales, International Computer Science Institute & InfoBeat
                 Par (Pell) Emanuelsson
                 Craig Everhart, Transarc Corporation
                 Per Hedeland, Ericsson
                 Tom Ivar Helbekkmo, Norwegian School of Economics
                 Kari Hurtta, Finnish Meteorological Institute
                 Allan E. Johannesen, WPI
                 Jonathan Kamens, OpenVision Technologies, Inc.
                 Takahiro Kanbe, Fuji Xerox Information Systems Co., Ltd.
                 Brian Kantor, University of California, San Diego
                 John Kennedy, Cal State University, Chico
                 Murray S. Kucherawy, HookUp Communication Corp.
                 Bruce Lilly, Sony U.S.
                 Karl London
                 Motonori Nakamura, Ritsumeikan University & Kyoto University
                 John Gardiner Myers, Carnegie Mellon University
                 Neil Rickert, Northern Illinois University
                 Gregory Neil Shapiro, WPI
                 Eric Schnoebelen, Convex Computer Corp.
                 Eric Wassenaar, National Institute for Nuclear and High Energy Physics, Amsterdam
                 Randall Winchester, University of Maryland
                 Christophe Wolfhugel, Pasteur Institute & Herve Schauer Consultants (Paris)
                 Exactis.com, Inc.

             I apologize for anyone I have omitted, misspelled, misat-
             tributed,  or  otherwise missed. At this point, I suspect

          Sendmail Installation and Operation Guide         SMM:08-165

             that at least a hundred people have contributed code, and
             many   more   have   contributed   ideas,  comments,  and
             encouragement.  I've  tried   to   list   them   in   the
             RELEASE_NOTES in the distribution directory. I appreciate
             their contribution as well.

                  Special thanks are reserved for Michael Corrigan and
             Christophe  Wolfhugel, who besides being wonderful guinea
             pigs and contributors have also consented to be added  to
             the  ``sendmail@Sendmail.ORG'' list and, by answering the
             bulk of the questions sent to that list, have freed me up
             to do other work.

                                    APPENDIX  A

                                COMMAND LINE FLAGS

               Arguments  must  be   presented   with   flags   before
          addresses. The flags are:

          -Ax       Select an alternative .cf  file  which  is  either
                    sendmail.cf  for  -Am  or  submit.cf  for  -Ac. By
                    default the .cf file is chosen based on the opera-
                    tion  mode.  For  -bm (default), -bs, and -t it is
                    submit.cf if it  exists,  for  all  others  it  is
                    sendmail.cf.

          -bx       Set operation mode to x. Operation modes are:

                        m   Deliver mail (default)
                        s   Speak SMTP on input side
                        a-  ``Arpanet'' mode (get envelope sender information from header)
                        d   Run as a daemon in background
                        D   Run as a daemon in foreground
                        t   Run in test mode
                        v   Just verify addresses, don't collect or deliver
                        i   Initialize the alias database
                        p   Print the mail queue
                        P   Print overview over the mail queue (requires shared memory)
                        h   Print the persistent host status database
                        H   Purge expired entries from the persistent host status database

          -Btype    Indicate body type.

          -Cfile    Use a different configuration file. Sendmail  runs
                    as  the invoking user (rather than root) when this
                    flag is specified.

          -D logfile
                    Send debugging output  to  the  indicated  logfile
                    instead of stdout.

          -dlevel   Set debugging level.

          -f addr   The envelope sender address is set to  addr.  This
                    address  may  also  be used in the From: header if
                    that header is missing during initial  submission.
          ____________________
             -Deprecated.

          SMM:08-166         Sendmail Installation and Operation Guide

          Sendmail Installation and Operation Guide         SMM:08-167

                    The envelope sender address is used as  the  reci-
                    pient  for  delivery  status notifications and may
                    also appear in a Return-Path: header.

          -F name   Sets the full name of this user to name.

          -G        When accepting  messages  via  the  command  line,
                    indicate that they are for relay (gateway) submis-
                    sion. sendmail may  complain  about  syntactically
                    invalid  messages,  e.g.,  unqualified host names,
                    rather than fixing them when  this  flag  is  set.
                    sendmail  will not do any canonicalization in this
                    mode.

          -h cnt    Sets the "hop count" to cnt. This  represents  the
                    number of times this message has been processed by
                    sendmail (to the extent that it  is  supported  by
                    the  underlying networks). Cnt is incremented dur-
                    ing  processing,  and   if   it   reaches   MAXHOP
                    (currently  25)  sendmail  throws away the message
                    with an error.

          -L tag    Sets the identifier used  for  syslog.  Note  that
                    this  identifier is set as early as possible. How-
                    ever, sendmail  may  be  used  if  problems  arise
                    before the command line arguments are processed.

          -n        Don't do aliasing or forwarding.

          -N notifications
                    Tag all addresses being sent as wanting the  indi-
                    cated  notifications,  which  consists of the word
                    "NEVER" or a comma-separated  list  of  "SUCCESS",
                    "FAILURE",  and  "DELAY"  for successful delivery,
                    failure, and a message that is stuck  in  a  queue
                    somewhere. The default is "FAILURE,DELAY".

          -r addr   An obsolete form of -f.

          -oxvalue  Set option x to the specified value. These options
                    are described in Section 5.6.

          -Ooption=value
                    Set option to the specified value (for  long  form
                    option names). These options are described in Sec-
                    tion 5.6.

          -Mxvalue  Set macro x to the specified value.

          -pprotocol
                    Set the sending protocol. Programs are  encouraged
                    to set this. The protocol field can be in the form
                    protocol:host to set both the sending protocol and

          SMM:08-168         Sendmail Installation and Operation Guide

                    sending host. For example, "-pUUCP:uunet" sets the
                    sending protocol to UUCP and the sending  host  to
                    uunet.  (Some existing programs use -oM to set the
                    r and s macros; this is equivalent to using -p.)

          -qtime    Try to process the queued up mail. If the time  is
                    given, a sendmail will start one or more processes
                    to run through the queue(s) at the specified  time
                    interval  to  deliver  queued  mail; otherwise, it
                    only runs once. Each of these processes acts on  a
                    workgroup. These processes are also known as work-
                    group processes or WGP's for short. Each workgroup
                    is  responsible  for controlling the processing of
                    one or more queues; workgroups help manage the use
                    of  system  resources  by sendmail. Each workgroup
                    may have one or more  children  concurrently  pro-
                    cessing  queues  depending  on the setting of Max-
                    QueueChildren.

          -qptime   Similar to -q with a time  argument,  except  that
                    instead  of  periodically  starting WGP's sendmail
                    starts persistent  WGP's  that  alternate  between
                    processing  queues and sleeping. The sleep time is
                    specified by the time argument; it defaults  to  1
                    second, except that a WGP always sleeps at least 5
                    seconds if their queues were empty in the previous
                    run.  Persistent  processes are managed by a queue
                    control process (QCP). The QCP is the parent  pro-
                    cess  of  the WGP's. Typically the QCP will be the
                    sendmail daemon (when started with -bd or -bD)  or
                    a  special  process  (named  Queue  control) (when
                    started without -bd or -bD). If a  persistent  WGP
                    ceases  to  be  active for some reason another WGP
                    will be started by the QCP for the same  workgroup
                    in  most  cases.  When  a  persistent WGP has core
                    dumped, the debug  flag  no_persistent_restart  is
                    set  or  the specific persistent WGP has been res-
                    tarted too many times already then  the  WGP  will
                    not  be started again and a message will be logged
                    to this  effect.  To  stop  (SIGTERM)  or  restart
                    (SIGHUP)  persistent  WGP's the appropriate signal
                    should be sent to the QCP. The QCP will  propagate
                    the  signal to all of the WGP's and if appropriate
                    restart the persistent WGP's.

          -qGname   Run the jobs in the queue group name once.

          -q[!]Xstring
                    Run the queue once, limiting  the  jobs  to  those
                    matching  Xstring.  The  key  letter X can be I to
                    limit based on queue identifier, R to limit  based
                    on  recipient, S to limit based on sender, or Q to
                    limit based on quarantine reason  for  quarantined

          Sendmail Installation and Operation Guide         SMM:08-169

                    jobs.  A  particular queued job is accepted if one
                    of the corresponding attributes contains the indi-
                    cated string. The optional ! character negates the
                    condition tested. Multiple -qX flags  are  permit-
                    ted,  with  items with the same key letter "or'ed"
                    together, and items  with  different  key  letters
                    "and'ed" together.

          -Q[reason]
                    Quarantine a normal queue  items  with  the  given
                    reason  or unquarantine quarantined queue items if
                    no reason is given. This should only be used  with
                    some  sort  of item matching using -q[!]Xstring as
                    described above.

          -R ret    What information you want returned if the  message
                    bounces;  ret  can  be  "HDRS" for headers only or
                    "FULL" for headers plus body. This  is  a  request
                    only;  the  other end is not required to honor the
                    parameter. If "HDRS" is  specified  local  bounces
                    also return only the headers.

          -t        Read the  header  for  "To:",  "Cc:",  and  "Bcc:"
                    lines, and send to everyone listed in those lists.
                    The "Bcc:" line will be  deleted  before  sending.
                    Any  addresses  in  the  argument  vector  will be
                    deleted from the send list.

          -V envid  The indicated envid is passed with the envelope of
                    the message and returned if the message bounces.

          -X logfile
                    Log all traffic in and  out  of  sendmail  in  the
                    indicated  logfile  for debugging mailer problems.
                    This produces a  lot  of  data  very  quickly  and
                    should be used sparingly.

               There are a number of options that may be specified  as
          primitive flags. These are the e, i, m, and v options. Also,
          the f option may be  specified  as  the  -s  flag.  The  DSN
          related  options  "-N",  "-R",  and  "-V" have no effects on
          sendmail running as daemon.

                                  APPENDIX  B

                               QUEUE FILE FORMATS

               This appendix describes the format of the queue  files.
          These  files  live  in a queue directory. The individual qf,
          hf, Qf, df, and xf files may be stored in separate qf/, df/,
          and  xf/  subdirectories  if  they  are present in the queue
          directory.

               All queue files have  the  name  ttYMDhmsNNppppp  where
          YMDhmsNNppppp  is  the  id  for this message and the tt is a
          type. The individual letters in the id are:

          Y    Encoded year

          M    Encoded month

          D    Encoded day

          h    Encoded hour

          m    Encoded minute

          s    Encoded second

          NN   Encoded envelope number

          ppppp
               At least five decimal digits of the process ID

               All files with the same id collectively define one mes-
          sage. Due to the use of memory-buffered files, some of these
          files may never appear on disk.

               The types are:

          qf   The queue control file. This file contains the informa-
               tion necessary to process the job.

          hf   The same as a queue control file, but for a quarantined
               queue job.

          df   The data file. The message body (excluding the  header)
               is  kept  in  this  file.  Sometimes the df file is not
               stored in the same directory as the qf  file;  in  this
               case, the qf file contains a `d' record which names the
               queue directory that contains the df file.

          SMM:08-170         Sendmail Installation and Operation Guide

          Sendmail Installation and Operation Guide         SMM:08-171

          tf   A temporary file. This is an image of the qf file  when
               it  is being rebuilt. It should be renamed to a qf file
               very quickly.

          xf   A transcript file, existing during the life of  a  ses-
               sion  showing  everything that happens during that ses-
               sion. Sometimes the xf file must be generated before  a
               queue  group  has  been  selected; in this case, the xf
               file will be stored in a directory of the default queue
               group.

          Qf   A ``lost'' queue control file. sendmail  renames  a  qf
               file to Qf if there is a severe (configuration) problem
               that  cannot  be  solved  without  human  intervention.
               Search  the logfile for the queue file id to figure out
               what happened. After you resolved the problem, you  can
               rename the Qf file to qf and send it again.

               The queue control file is structured  as  a  series  of
          lines  each  beginning  with a code letter. The lines are as
          follows:

          V    The version number of the queue file  format,  used  to
               allow new sendmail binaries to read queue files created
               by older versions. Defaults to version  zero.  Must  be
               the  first  line  of  the file if present. For 8.12 the
               version number is 6.

          A    The information given by the  AUTH=  parameter  of  the
               "MAIL  FROM:"  command  or  $f@$j  if sendmail has been
               called directly.

          H    A header definition. There may be any number  of  these
               lines. The order is important: they represent the order
               in the final message. These  use  the  same  syntax  as
               header definitions in the configuration file.

          C    The    controlling    address.    The     syntax     is
               "localuser:aliasname".  Recipient  addresses  following
               this line will be flagged so that  deliveries  will  be
               run  as the localuser (a user name from the /etc/passwd
               file); aliasname is the name of the alias that expanded
               to this address (used for printing messages).

          q    The quarantine reason for quarantined queue items.

          Q    The ``original recipient'',  specified  by  the  ORCPT=
               field  in  an  ESMTP  transaction. Used exclusively for
               Delivery Status Notifications. It applies only  to  the
               following `R' line.

          r    The ``final recipient'' used for Delivery Status Notif-
               ications. It applies only to the following `R' line.

          SMM:08-172         Sendmail Installation and Operation Guide

          R    A recipient address. This will normally  be  completely
               aliased, but is actually realiased when the job is pro-
               cessed. There will be one line for each recipient. Ver-
               sion 1 qf files also include a leading colon-terminated
               list of flags, which can be `S' to return a message  on
               successful  final  delivery, `F' to return a message on
               failure, `D' to return a  message  if  the  message  is
               delayed,  `B'  to  indicate  that  the  body  should be
               returned, `N' to suppress returning the body,  and  `P'
               to  declare  this  as  a  ``primary''  (command line or
               SMTP-session) address.

          S    The sender address. There may  only  be  one  of  these
               lines.

          T    The job creation time. This is used to compute when  to
               time out the job.

          P    The current message priority. This is used to order the
               queue. Higher numbers mean lower priorities. The prior-
               ity changes as the message sits in the queue. The  ini-
               tial priority depends on the message class and the size
               of the message.

          M    A message. This line is printed by the  mailq  command,
               and  is  generally used to store status information. It
               can contain any text.

          F    Flag bits, represented as one letter per flag.  Defined
               flag bits are r indicating that this is a response mes-
               sage and w indicating that a warning message  has  been
               sent  announcing  that the mail has been delayed. Other
               flag bits are: 8: the body contains  8bit  data,  b:  a
               Bcc:  header  should  be  removed,  d: the mail has RET
               parameters (see RFC 1894), n: the body of  the  message
               should  not  be  returned  in  case of an error, s: the
               envelope has been split.

          N    The total number of delivery attempts.

          K    The time (as seconds since January 1, 1970) of the last
               delivery attempt.

          d    If the df file is in a different directory than the  qf
               file,  then  a  `d'  record  is present, specifying the
               directory in which the df file resides.

          I    The i-number of the data file;  this  can  be  used  to
               recover your mail queue after a disastrous disk crash.

          $    A macro definition. The values of  certain  macros  are
               passed through to the queue run phase.

          Sendmail Installation and Operation Guide         SMM:08-173

          B    The body type. The remainder of  the  line  is  a  text
               string  defining  the body type. If this field is miss-
               ing, the body type is assumed to be "undefined" and  no
               special  processing  is  attempted.  Legal  values  are
               "7BIT" and "8BITMIME".

          Z    The original envelope id (from the ESMTP  transaction).
               For Deliver Status Notifications only.

               As an example, the following is a queue  file  sent  to
          "eric@mammoth.Berkeley.EDU"                              and
          "bostic@okeeffe.CS.Berkeley.EDU"[1]:

              V4
              T711358135
              K904446490
              N0
              P2100941
              $_eric@localhost
              ${daemon_flags}
              Seric
              Ceric:100:1000:sendmail@vangogh.CS.Berkeley.EDU
              RPFD:eric@mammoth.Berkeley.EDU
              RPFD:bostic@okeeffe.CS.Berkeley.EDU
              H?P?Return-path: <^g>
              H??Received: by vangogh.CS.Berkeley.EDU (5.108/2.7) id AAA06703;
                  Fri, 17 Jul 1992 00:28:55 -0700
              H??Received: from mail.CS.Berkeley.EDU by vangogh.CS.Berkeley.EDU (5.108/2.7)
                  id AAA06698; Fri, 17 Jul 1992 00:28:54 -0700
              H??Received: from [128.32.31.21] by mail.CS.Berkeley.EDU (5.96/2.5)
                  id AA22777; Fri, 17 Jul 1992 03:29:14 -0400
              H??Received: by foo.bar.baz.de (5.57/Ultrix3.0-C)
                  id AA22757; Fri, 17 Jul 1992 09:31:25 GMT
              H?F?From: eric@foo.bar.baz.de (Eric Allman)
              H?x?Full-name: Eric Allman
              H??Message-id: <9207170931.AA22757@foo.bar.baz.de>
              H??To: sendmail@vangogh.CS.Berkeley.EDU
              H??Subject: this is an example message

          This shows the person who sent the message,  the  submission
          time  (in seconds since January 1, 1970), the message prior-
          ity, the message class, the recipients, and the headers  for
          the message.

          ____________________
             [1]This example is contrived and probably inaccurate  for
          your environment. Glance over it to get an idea; nothing can
          replace looking at what your own system generates.

                                  APPENDIX  C

                            SUMMARY OF SUPPORT FILES

               This is a summary of the support  files  that  sendmail
          creates  or generates. Many of these can be changed by edit-
          ing the sendmail.cf file; check there  to  find  the  actual
          pathnames.

          /usr/sbin/sendmail
                    The binary of sendmail.

          /usr/bin/newaliases
                    A link to  /usr/sbin/sendmail;  causes  the  alias
                    database  to  be  rebuilt. Running this program is
                    completely equivalent to giving sendmail  the  -bi
                    flag.

          /usr/bin/mailq
                    Prints a listing of the mail queue.  This  program
                    is equivalent to using the -bp flag to sendmail.

          /etc/mail/sendmail.cf
                    The configuration file, in textual form.

          /etc/mail/helpfile
                    The SMTP help file.

          /etc/mail/statistics
                    A statistics file; need not be present.

          /etc/mail/sendmail.pid
                    Created in daemon mode; it contains the process id
                    of  the  current  SMTP  daemon. If you use this in
                    scripts; use ``head -1'' to  get  just  the  first
                    line;  the  second  line contains the command line
                    used to invoke the daemon, and later  versions  of
                    sendmail  may  add  more information to subsequent
                    lines.

          /etc/mail/aliases
                    The textual version of the alias file.

          /etc/mail/aliases.db
                    The alias file in hash(3) format.

          /etc/mail/aliases.{pag,dir}
                    The alias file in ndbm(3) format.

          SMM:08-174         Sendmail Installation and Operation Guide

          Sendmail Installation and Operation Guide         SMM:08-175

          /var/spool/mqueue
                    The directory in which the mail queue(s) and  tem-
                    porary files reside.

          /var/spool/mqueue/qf*
                    Control (queue) files for messages.

          /var/spool/mqueue/df*
                    Data files.

          /var/spool/mqueue/tf*
                    Temporary versions of the qf  files,  used  during
                    queue file rebuild.

          /var/spool/mqueue/xf*
                    A transcript of the current session.

          SMM:08-176         Sendmail Installation and Operation Guide

                           This page intentionally left blank;
                    replace it with a blank sheet for double-sided output.

          Sendmail Installation and Operation Guide           SMM:08-3

                                    TABLE OF CONTENTS

          1.  BASIC INSTALLATION ................................    7
             1.1.  Compiling Sendmail ...........................    7
                1.1.1.  Tweaking the Build Invocation ...........    7
                1.1.2.  Creating a Site Configuration File ......    8
                1.1.3.  Tweaking the Makefile ...................    8
                1.1.4.  Compilation and installation ............    9
             1.2.  Configuration Files ..........................   10
             1.3.  Details of Installation Files ................   12
                1.3.1.  /usr/sbin/sendmail ......................   12
                1.3.2.  /etc/mail/sendmail.cf ...................   12
                1.3.3.  /etc/mail/submit.cf .....................   13
                1.3.4.  /usr/bin/newaliases .....................   13
                1.3.5.  /usr/bin/hoststat .......................   13
                1.3.6.  /usr/bin/purgestat ......................   13
                1.3.7.  /var/spool/mqueue .......................   13
                1.3.8.  /var/spool/clientmqueue .................   14
                1.3.9.  /var/spool/mqueue/.hoststat .............   14
                1.3.10.  /etc/mail/aliases* .....................   15
                1.3.11.  /etc/rc or /etc/init.d/sendmail ........   15
                1.3.12.  /etc/mail/helpfile .....................   16
                1.3.13.  /etc/mail/statistics ...................   16
                1.3.14.  /usr/bin/mailq .........................   16
                1.3.15.  sendmail.pid ...........................   18
                1.3.16.  Map Files ..............................   18
          2.  NORMAL OPERATIONS .................................   19
             2.1.  The System Log ...............................   19
                2.1.1.  Format ..................................   19
                2.1.2.  Levels ..................................   20
             2.2.  Dumping State ................................   21
             2.3.  The Mail Queues ..............................   21
                2.3.1.  Queue Groups and Queue Directories ......   21
                2.3.2.  Queue Runs ..............................   22
                2.3.3.  Manual Intervention .....................   23
                2.3.4.  Printing the queue ......................   23
                2.3.5.  Forcing the queue .......................   24
                2.3.6.  Quarantined Queue Items .................   25
             2.4.  Disk Based Connection Information ............   26
             2.5.  The Service Switch ...........................   27
             2.6.  The Alias Database ...........................   28
                2.6.1.  Rebuilding the alias database ...........   30
                2.6.2.  Potential problems ......................   30
                2.6.3.  List owners .............................   31
             2.7.  User Information Database ....................   31
             2.8.  Per-User Forwarding (.forward Files) .........   31
             2.9.  Special Header Lines .........................   32
                2.9.1.  Errors-To: ..............................   32
                2.9.2.  Apparently-To: ..........................   32
                2.9.3.  Precedence ..............................   33
             2.10.  IDENT Protocol Support ......................   33
          3.  ARGUMENTS .........................................   34
             3.1.  Queue Interval ...............................   34

          SMM:08-4           Sendmail Installation and Operation Guide

             3.2.  Daemon Mode ..................................   35
             3.3.  Forcing the Queue ............................   35
             3.4.  Debugging ....................................   36
             3.5.  Changing the Values of Options ...............   37
             3.6.  Trying a Different Configuration File ........   37
             3.7.  Logging Traffic ..............................   37
             3.8.  Testing Configuration Files ..................   38
             3.9.  Persistent Host Status Information ...........   40
          4.  TUNING ............................................   40
             4.1.  Timeouts .....................................   41
                4.1.1.  Queue interval ..........................   41
                4.1.2.  Read timeouts ...........................   41
                4.1.3.  Message timeouts ........................   44
             4.2.  Forking During Queue Runs ....................   45
             4.3.  Queue Priorities .............................   46
             4.4.  Load Limiting ................................   46
             4.5.  Resource Limits ..............................   47
             4.6.  Measures against Denial of Service  Attacks
                .................................................   47
             4.7.  Delivery Mode ................................   48
             4.8.  Log Level ....................................   49
             4.9.  File Modes ...................................   50
                4.9.1.  To suid or not to suid? .................   50
                4.9.2.  Turning off security checks .............   51
             4.10.  Connection Caching ..........................   54
             4.11.  Name Server Access ..........................   55
             4.12.  Moving the Per-User Forward Files ...........   57
             4.13.  Free Space ..................................   57
             4.14.  Maximum Message Size ........................   58
             4.15.  Privacy Flags ...............................   58
             4.16.  Send to Me Too ..............................   58
          5.  THE WHOLE SCOOP ON THE CONFIGURATION FILE .........   58
             5.1.  R and S -- Rewriting Rules ...................   59
                5.1.1.  The left hand side ......................   60
                5.1.2.  The right hand side .....................   60
                5.1.3.  Semantics of rewriting rule sets ........   62
                5.1.4.  Ruleset hooks ...........................   64
                   5.1.4.1.  check_relay ........................   64
                   5.1.4.2.  check_mail .........................   65
                   5.1.4.3.  check_rcpt .........................   65
                   5.1.4.4.  check_data .........................   65
                   5.1.4.5.  check_compat .......................   65
                   5.1.4.6.  check_eoh ..........................   65
                   5.1.4.7.  check_eom ..........................   66
                   5.1.4.8.  check_etrn .........................   66
                   5.1.4.9.  check_expn .........................   66
                   5.1.4.10.  check_vrfy ........................   66
                   5.1.4.11.  trust_auth ........................   67
                   5.1.4.12.  tls_client ........................   67
                   5.1.4.13.  tls_server ........................   67
                   5.1.4.14.  tls_rcpt ..........................   67
                   5.1.4.15.  srv_features ......................   68
                   5.1.4.16.  try_tls ...........................   69

          Sendmail Installation and Operation Guide           SMM:08-5

                   5.1.4.17.  authinfo ..........................   69
                   5.1.4.18.  queuegroup ........................   69
                   5.1.4.19.  greet_pause .......................   70
                5.1.5.  IPC mailers .............................   70
             5.2.  D -- Define Macro ............................   71
             5.3.  C and F -- Define Classes ....................   82
             5.4.  M -- Define Mailer ...........................   84
             5.5.  H -- Define Header ...........................   93
             5.6.  O -- Set Option ..............................   94
             5.7.  P -- Precedence Definitions ..................  126
             5.8.  V -- Configuration Version Level .............  127
             5.9.  K -- Key File Declaration ....................  129
             5.10.  Q -- Queue Group Declaration ................  141
             5.11.  X -- Mail Filter (Milter) Definitions .......  143
             5.12.  The User Database ...........................  144
                5.12.1.  Structure of the user database .........  145
                5.12.2.  User database semantics ................  146
                5.12.3.  Creating the database[23] ..............  147
          6.  OTHER CONFIGURATION ...............................  147
             6.1.  Parameters in devtools/OS/$oscf ..............  147
             6.2.  Parameters in sendmail/conf.h ................  149
             6.3.  Configuration in sendmail/conf.c .............  153
                6.3.1.  Built-in Header Semantics ...............  154
                6.3.2.  Restricting Use of Email ................  156
                6.3.3.  New Database Map Classes ................  157
                6.3.4.  Queueing Function .......................  158
                6.3.5.  Refusing Incoming SMTP Connections ......  159
                6.3.6.  Load Average Computation ................  159
             6.4.  Configuration in sendmail/daemon.c ...........  159
             6.5.  LDAP .........................................  159
                6.5.1.  LDAP Recursion ..........................  159
                   6.5.1.1.  Example ............................  160
             6.6.  STARTTLS .....................................  161
                6.6.1.  Certificates for STARTTLS ...............  161
                6.6.2.  PRNG for STARTTLS .......................  162
             6.7.  Encoding of STARTTLS and AUTH related  Mac-
                ros .............................................  163
          7.  ACKNOWLEDGEMENTS ..................................  163
          Appendix A.  COMMAND LINE FLAGS .......................  166
          Appendix B.  QUEUE FILE FORMATS .......................  170
          Appendix C.  SUMMARY OF SUPPORT FILES .................  174

          SMM:08-6           Sendmail Installation and Operation Guide

                           This page intentionally left blank;
                    replace it with a blank sheet for double-sided output.

Generated on 2014-07-04 21:17:45 by $MirOS: src/scripts/roff2htm,v 1.79 2014/02/10 00:36:11 tg Exp $

These manual pages and other documentation are copyrighted by their respective writers; their source is available at our CVSweb, AnonCVS, and other mirrors. The rest is Copyright © 2002‒2014 The MirOS Project, Germany.
This product includes material provided by Thorsten Glaser.

This manual page’s HTML representation is supposed to be valid XHTML/1.1; if not, please send a bug report – diffs preferred.