System Administration Guide: Network Services

Changes From Version 8.12 of sendmail

This section contains information about the following topics.

Support for TCP Wrappers From Version 8.12 of sendmail

TCP wrappers provide a way of implementing access controls by checking the address of a host requesting a particular network service against an access control list (ACL). Requests are granted or denied, accordingly. Besides providing this access control mechanism, TCP wrappers also log host requests for network services, which is a useful monitoring function. Examples of network services that might be placed under access control include rlogind, telnetd, and ftpd.

Starting with version 8.12, sendmail enables the use of TCP wrappers. With TCP wrappers enabled, sendmail validates the source of a network request before the request is granted. This check is added to other security measures and does not bypass them. See the hosts_access(4) man page.
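The source check described above follows the decision order in hosts_access(4). The following added example (not part of the original guide, and not sendmail or TCP wrappers source code) is a simplified IPv4-only model of that order. The daemon name sendmail, the sample tables, and all function names are assumptions made for illustration.

```python
# Added illustration: a simplified model of the hosts_access(4) decision order.
# IPv4 only; wildcards other than ALL, EXCEPT, and shell commands are not modelled.
import ipaddress

def _client_matches(pattern, host, addr):
    """Return True if one client pattern matches the host name or address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):              # domain suffix: .example.com
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                # address prefix: 192.0.2.
        return addr.startswith(pattern)
    if "/" in pattern:                       # net/mask: 192.0.2.0/255.255.255.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern.lower() == host.lower() or pattern == addr

def _table_matches(table, daemon, host, addr):
    """Return True if any rule in an access table matches (daemon, client)."""
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)          # daemon_list : client_list [: command]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(_client_matches(p, host, addr) for p in clients):
            return True
    return False

def hosts_access(allow, deny, daemon, host, addr):
    """Decide a request in the order that hosts_access(4) applies its tables."""
    if _table_matches(allow, daemon, host, addr):
        return "allow"            # 1. a match in hosts.allow grants access
    if _table_matches(deny, daemon, host, addr):
        return "deny"             # 2. otherwise a match in hosts.deny refuses it
    return "default-allow"        # 3. no match in either table grants access

# Constructed sample tables; "sendmail" as the daemon name is an assumption.
HOSTS_ALLOW = "sendmail: .example.com, 192.0.2.\n"
HOSTS_DENY = "sendmail: ALL\n"

if __name__ == "__main__":
    for host, addr in [("mx1.example.com", "198.51.100.7"),
                       ("gw.example.net", "192.0.2.10"),
                       ("relay.example.org", "203.0.113.9")]:
        print(host, addr,
              hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sendmail", host, addr))
    # With an empty hosts.deny, the unmatched host is granted by default.
    print(hosts_access(HOSTS_ALLOW, "", "sendmail",
                       "relay.example.org", "203.0.113.9"))
```

The last call shows why an allow list alone does not restrict access: without a matching hosts.deny entry, a host that matches nothing is still granted.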


Note –

Support for TCP wrappers in inetd(1M) and sshd(1M) started with the Solaris 9 release.


For information about ACLs, see Using Access Control Lists to Protect UFS Files in System Administration Guide: Security Services.

submit.cf Configuration File From Version 8.12 of sendmail

Starting with version 8.12, sendmail includes an additional configuration file, /etc/mail/submit.cf. This file, submit.cf, is used to run sendmail in mail-submission program mode instead of daemon mode. Mail-submission program mode, unlike daemon mode, does not require root privilege, so this new paradigm provides better security.

See the following list of functions for submit.cf:

Note the following:

Functions That Distinguish sendmail.cf From submit.cf

The sendmail.cf configuration file is for the daemon mode. When using this file, sendmail is acting as a mail transfer agent (MTA), which is started by root.


/usr/lib/sendmail -L sm-mta -bd -q1h

See the following list of other distinguishing functions for sendmail.cf:

Functional Changes From Version 8.12 of sendmail

With the addition of submit.cf, the following functional changes have occurred:

Additional or Deprecated Command-Line Options From Version 8.12 of sendmail

The following table describes additional or deprecated command-line options for sendmail. Other command-line options are described in the sendmail(1M) man page.

Table 14–19 Additional or Deprecated Command-Line Options From Version 8.12 of sendmail

Option 

Description 

-Ac

Indicates that you want to use the configuration file, submit.cf, even if the operation mode does not indicate an initial mail submission. For more information about submit.cf, refer to submit.cf Configuration File From Version 8.12 of sendmail.

-Am

Indicates that you want to use the configuration file, sendmail.cf, even if the operation mode indicates an initial mail submission. For more information, refer to submit.cf Configuration File From Version 8.12 of sendmail.

-bP

Indicates that you are printing the number of entries in each queue. 

-G

Indicates that the message that is being submitted from the command line is for relaying, not for initial submission. The message is rejected if the addresses are not fully qualified. No canonicalization is done. As is noted in the Release Notes that are part of the sendmail distribution on ftp://ftp.sendmail.org, improperly formed messages might be rejected in future releases.

-L tag

Sets the identifier that is used for syslog messages to the supplied tag.

-q[!]I substring

Processes only jobs that contain this substring of one of the recipients. When ! is added, the option processes only jobs that do not have this substring of one of the recipients.

-q[!]R substring

Processes only jobs that contain this substring of the queue ID. When ! is added, the option processes only jobs that do not have this substring of the queue ID.

-q[!]S substring

Processes only jobs that contain this substring of the sender. When ! is added, the option processes only jobs that do not have this substring of the sender.

-qf

Processes saved messages in the queue once, without using the fork system call, and runs the process in the foreground. Refer to the fork(2) man page.

-qGname

Processes only the messages in the name queue group.

-qptime

Processes saved messages in the queue at a specific interval of time with a single child that is forked for each queue. The child sleeps between queue runs. This new option is similar to -qtime, which periodically forks a child to process the queue.

-U

As is noted in the Release Notes that are part of the sendmail distribution on ftp://ftp.sendmail.org, this option is not available as of version 8.12. Mail user agents should use the -G argument.

Additional Arguments for the PidFile and ProcessTitlePrefix Options From Version 8.12 of sendmail

The following table describes additional macro-processed arguments for the PidFile and ProcessTitlePrefix options. For more information about these options, see the sendmail(1M) man page.

Table 14–20 Arguments for the PidFile and ProcessTitlePrefix Options

Macro 

Description 

${daemon_addr}

Provides daemon address (for example, 0.0.0.0) 

${daemon_family}

Provides daemon family (for example, inet and inet6)

${daemon_info}

Provides daemon information (for example, SMTP+queueing@00:30:00) 

${daemon_name}

Provides daemon name (for example, MSA) 

${daemon_port}

Provides daemon port (for example, 25) 

${queue_interval}

Provides queue run interval (for example, 00:30:00) 

Additional Defined Macros From Version 8.12 of sendmail

The following table describes additional macros that are reserved for use by the sendmail program. The macros' values are assigned internally. For more information, refer to the sendmail(1M) man page.

Table 14–21 Additional Defined Macros for sendmail

Macro 

Description 

${addr_type}

Identifies the current address as an envelope sender or a recipient address. 

${client_resolve}

Holds the result of the resolve call for ${client_name}: OK, FAIL, FORGED, or TEMP.

${deliveryMode}

Specifies the current delivery mode sendmail is using instead of the value of the DeliveryMode option.

${dsn_notify}, ${dsn_envid}, ${dsn_ret}

Holds the corresponding DSN parameter values. 

${if_addr}

Provides the interface's address for the incoming connection if the interface does not belong to the loopback net. This macro is especially useful for virtual hosting. 

${if_addr_out}, ${if_name_out}, ${if_family_out}

Avoids the reuse of ${if_addr}. Holds the following values respectively:

The address of the interface for the outgoing connection 

The host name of the interface for the outgoing connection 

The family of the interface for the outgoing connection 

${if_name}

Provides the interface's host name for the incoming connection and is especially useful for virtual hosting.  

${load_avg}

Checks and reports the current average number of jobs in the run queue. 

${msg_size}

Holds the value of the message size (SIZE=parameter) in an ESMTP dialogue before the message has been collected. Thereafter, the macro holds the message size as computed by sendmail and is used in check_compat. For information about check_compat, refer to Table 14–25.

${nrcpts}

Holds the number of validated recipients. 

${ntries}

Holds the number of delivery attempts. 

${rcpt_mailer}, ${rcpt_host}, ${rcpt_addr}, ${mail_mailer}, ${mail_host}, ${mail_addr}

Holds the results of parsing the RCPT and MAIL arguments, which is the resolved right-hand side (RHS) triplet from the mail delivery agent ($#mailer), the host ($@host), and the user ($:addr).

Additional Macros From Version 8.12 of sendmail

In this section, you can find a table that describes the additional macros that are used to build the sendmail configuration file.

Table 14–22 Additional Macros Used to Build the sendmail Configuration File

Macro 

Description 

LOCAL_MAILER_EOL

Overrides the default end-of-line string for the local mailer. 

LOCAL_MAILER_FLAGS

Adds Return-Path: header by default.

MAIL_SETTINGS_DIR

Contains the path (including the trailing slash) for the mail settings directory. 

MODIFY_MAILER_FLAGS

Improves the *_MAILER_FLAGS. This macro sets, adds, or deletes flags.

RELAY_MAILER_FLAGS

Defines additional flags for the relay mailer. 

Additional MAX Macros From Version 8.12 of sendmail

Use the following macros to configure the maximum number of commands that can be received before sendmail slows its delivery. You can set these MAX macros at compile time. The maximum values in the following table also represent the current default values.

Table 14–23 Additional MAX Macros

Macro 

Maximum Value 

Commands Checked by Each Macro 

MAXBADCOMMANDS

25 

Unknown commands 

MAXNOOPCOMMANDS

20 

NOOP, VERB, ONEX, XUSR

MAXHELOCOMMANDS

HELO, EHLO

MAXVRFYCOMMANDS

VRFY, EXPN

MAXETRNCOMMANDS

ETRN


Note –

You can disable a macro's check by setting the macro's value to zero.


Additional and Revised m4 Configuration Macros From Version 8.12 of sendmail

This section contains a table of additional and revised m4 configuration macros for sendmail. Use the following syntax to declare these macros.


symbolic-name(`value')

If you need to build a new sendmail.cf file, refer to Changing the sendmail Configuration in Chapter 13, Mail Services (Tasks).

Table 14–24 Additional and Revised m4 Configuration Macros for sendmail

m4 Macro

Description 

FEATURE()

For details, refer to Changes to the FEATURE() Declaration From Version 8.12 of sendmail.

LOCAL_DOMAIN()

This macro adds entries to class w ($=w).

MASQUERADE_EXCEPTION()

A new macro that defines hosts or subdomains that cannot be masqueraded. 

SMART_HOST()

This macro can now be used for bracketed addresses, such as user@[host].

VIRTUSER_DOMAIN() or VIRTUSER_DOMAIN_FILE()

When these macros are used, include $={VirtHost} in $=R. As a reminder, $=R is the set of host names that are allowed to relay.

Changes to the FEATURE() Declaration From Version 8.12 of sendmail

Refer to the following tables for information about the specific changes to the FEATURE() declarations.

To use the new and revised FEATURE names, use the following syntax.


FEATURE(`name', `argument')

If you need to build a new sendmail.cf file, refer to Changing the sendmail Configuration in Chapter 13, Mail Services (Tasks).

Table 14–25 Additional and Revised FEATURE() Declarations

Name of FEATURE()

Description 

compat_check

Argument: Refer to the example in the following paragraph. 

This new FEATURE() enables you to look for a key in the access map that consists of the sender address and the recipient address. The two addresses are delimited by the following string, <@>. sender@sdomain<@>recipient@rdomain is an example.

delay_checks

Argument: friend, which enables a spam-friend test, or hater, which enables a spam-hater test.

A new FEATURE() that delays all checks. By using FEATURE(`delay_checks'), the rule sets check_mail and check_relay are not called when a client connects or issues a MAIL command respectively. Instead, these rule sets are called by the check_rcpt rule set. For details, refer to the /etc/mail/cf/README file.

dnsbl

Argument: This FEATURE() accepts a maximum of two arguments:

  • DNS server name

  • Rejection message

A new FEATURE() that you can include multiple times to check the return values for DNS lookups. Note that this FEATURE() enables you to specify the behavior of temporary lookup failures.

enhdnsbl

Argument: domain name. 

A new FEATURE() that is an enhanced version of dnsbl, which enables you to check the return values for DNS lookups. For more information, refer to /etc/mail/cf/README.

generics_entire_domain

Argument: None. 

A new FEATURE() that you can also use to apply genericstable to subdomains of $=G.

ldap_routing

Argument: For details, refer to the “Release Notes” in http://www.sendmail.org.

A new FEATURE() that implements LDAP address routing.

local_lmtp

Argument: Path name of an LMTP-capable mailer. The default is mail.local, which is LMTP capable in this Solaris release.

A FEATURE() that now sets the delivery status notification (DSN) diagnostic-code type for the local mailer to the proper value of SMTP.

local_no_masquerade

Argument: None. 

A new FEATURE() that you can use to avoid masquerading for the local mailer.

lookupdotdomain

Argument: None. 

A new FEATURE() that you can also use to look up the .domain in the access map.

nocanonify

Argument: canonify_hosts or nothing.

A FEATURE() that now includes the following features.

Enables a list of domains, as specified by CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE, to be passed to the $[ and $] operators for canonification.

Enables addresses that have only a host name, such as <user@host>, to be canonified, if canonify_hosts is specified as its parameter.

Adds a trailing dot to addresses with more than one component. 

no_default_msa

Argument: None. 

A new FEATURE() that turns off sendmail's default setting from m4-generated configuration files to “listen” on several different ports, an implementation of RFC 2476.

nouucp

Argument: reject, which does not allow the ! token, or nospecial, which does allow the ! token.

A FEATURE() that determines whether to allow the ! token in the local part of an address.

nullclient

Argument: None. 

A FEATURE() that now provides the full rule sets of a normal configuration, allowing antispam checks to be performed.

preserve_local_plus_detail

Argument: None. 

A new FEATURE() that enables you to preserve the +detail portion of the address when sendmail passes the address to the local delivery agent.

preserve_luser_host

Argument: None. 

A new FEATURE() that enables you to preserve the name of the recipient host, if LUSER_RELAY is used.

queuegroup

Argument: None. 

A new FEATURE() that enables you to select a queue group that is based on the full email address or on the domain of the recipient.

relay_mail_from

Argument: The domain is an optional argument.

A new FEATURE() that allows relaying if the mail sender is listed as a RELAY in the access map and is tagged with the From: header line. If the optional domain argument is given, the domain portion of the mail sender is also checked.

virtuser_entire_domain

Argument: None. 

A FEATURE() that you can now use to apply $={VirtHost}, a new class for matching virtusertable entries that can be populated by VIRTUSER_DOMAIN or VIRTUSER_DOMAIN_FILE.

FEATURE(`virtuser_entire_domain') can also apply the class $={VirtHost} to entire subdomains.

The following FEATURE() declarations are no longer supported.

Table 14–26 Unsupported FEATURE() Declarations

Name of FEATURE()

Replacement 

rbl

FEATURE(`dnsbl') and FEATURE(`enhdnsbl') replace this FEATURE(), which has been removed.

remote_mode

MASQUERADE_AS(`$S') replaces FEATURE(`remote_mode') in /etc/mail/cf/subsidiary.mc. $S is the SMART_HOST value in sendmail.cf.

sun_reverse_alias_files

FEATURE(`genericstable').

sun_reverse_alias_nis

FEATURE(`genericstable').

sun_reverse_alias_nisplus

FEATURE(`genericstable').

Changes to the MAILER() Declaration From Version 8.12 of sendmail

The MAILER() declaration specifies support for delivery agents. To declare a delivery agent, use the following syntax.


MAILER(`symbolic-name')

Note the following changes.

For more information about mailers, refer to Mailers and sendmail. If you need to build a new sendmail.cf file, refer to Changing the sendmail Configuration in Chapter 13, Mail Services (Tasks).

Additional Delivery Agent Flags From Version 8.12 of sendmail

The following table describes additional delivery agent flags, which by default are not set. These single-character flags are Boolean. You can set or unset a flag by including or excluding it in the F= statement of your configuration file, as shown in the following example.


Mlocal,    P=/usr/lib/mail.local, F=lsDFMAw5:/|@qSXfmnz9, S=10/30, R=20/40,
Mprog,     P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,
Msmtp,     P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990,
Mesmtp,    P=[IPC], F=mDFMuXa, S=11/31, R=21, E=\r\n, L=990,
Msmtp8,    P=[IPC], F=mDFMuX8, S=11/31, R=21, E=\r\n, L=990,
Mrelay,    P=[IPC], F=mDFMuXa8, S=11/31, R=61, E=\r\n, L=2040,

Table 14–27 Additional Mailer Flags

Flag 

Description 

%

Mailers that use this flag do not attempt delivery to the initial recipient of a message or to queue runs unless the queued message is selected by using an ETRN request or one of the following queue options: -qI, -qR, or -qS.

1

This flag disables the ability of the mailer to send null characters (for example, \0).

2

This flag disables the use of ESMTP and requires that SMTP be used instead. 

6

This flag enables mailers to strip headers to 7 bit. 

Additional Equates for Delivery Agents From Version 8.12 of sendmail

The following table describes additional equates that you can use with the M delivery-agent definition command. The following syntax shows you how to append new equates or new arguments to the equates that already exist in the configuration file.


Magent-name, equate, equate, ...

The following example includes the new W= equate. This equate specifies the maximum time to wait for the mailer to return after all data has been sent.


Msmtp, P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990, W=2m

When you modify the definition of a value for m4 configuration, use the syntax that is provided in the following example.


define(`SMTP_MAILER_MAXMSGS', `1000')

The preceding example places a limit of 1000 on the number of messages that are delivered per connection on an smtp mailer.

If you need to build a new sendmail.cf file, refer to Changing the sendmail Configuration in Chapter 13, Mail Services (Tasks).


Note –

Typically, you modify the equate definitions in the mailer directory only when you fine-tune.


Table 14–28 Additional Equates for Delivery Agents

Equate 

Description 

/=

Argument: Path to a directory 

Specifies a directory to apply chroot() to before the mailer program is executed

m=

Argument: Any of the following m4 values that have previously been defined with the define() routine

    SMTP_MAILER_MAXMSGS, for the smtp mailer


    LOCAL_MAILER_MAXMSGS, for the local mailer


    RELAY_MAILER_MAXMSGS, for the relay mailer


Limits the number of messages that are delivered per connection on an smtp, local, or relay mailer

W=

Argument: An increment of time 

Specifies the maximum time to wait for the return of the mailer after all data has been sent 

Additional Queue Features From Version 8.12 of sendmail

The following list provides details about additional queue features.

For task information, refer to Administering the Queue Directories (Task Map).

Changes for LDAP From Version 8.12 of sendmail

The following list describes changes in the use of the Lightweight Directory Access Protocol (LDAP) with sendmail.

The following example shows how these tokens differ for a “*” lookup.

Table 14–29 Comparison of Tokens

LDAP Map Specification 

Specification Equivalent 

Result 

-k"uid=%s"

-k"uid=*"

Matches any record with a user attribute 

-k"uid=%0"

-k"uid=\2A"

Matches a user with the name “*”
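The difference between the two tokens in Table 14–29 can be reproduced with the following added example, which is not part of the original guide and is not sendmail code. It models only the %s and %0 tokens, with %0 encoding filter-special characters as \XX hexadecimal escapes in the form that the table shows (\2A for *). The function names, the sample directory, and the small matcher are assumptions made for illustration.

```python
# Added illustration of the %s and %0 tokens from Table 14-29; not sendmail code.
import re

# Characters that have special meaning inside an LDAP search filter value.
_SPECIALS = {"*": r"\2A", "(": r"\28", ")": r"\29", "\\": r"\5C", "\x00": r"\00"}

def encode_key(key):
    """Replace filter-special characters in the key with \\XX hex escapes."""
    return "".join(_SPECIALS.get(ch, ch) for ch in key)

def expand_filter(template, key):
    """Expand %s (raw key) and %0 (encoded key) in a -k filter template."""
    out, i = [], 0
    while i < len(template):
        token = template[i:i + 2]
        if token == "%s":
            out.append(key)
            i += 2
        elif token == "%0":
            out.append(encode_key(key))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def _value_to_regex(value):
    """Translate a filter value: bare * is a wildcard, \\XX is a literal byte."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("".join(parts))

def search(directory, ldap_filter):
    """Toy matcher for a single attr=value filter over in-memory entries."""
    attr, _, value = ldap_filter.partition("=")
    rx = _value_to_regex(value)
    return [e[attr] for e in directory if attr in e and rx.fullmatch(e[attr])]

# Constructed sample directory, including an entry whose uid is a literal "*".
DIRECTORY = [{"uid": "alice"}, {"uid": "bob"}, {"uid": "*"}]

if __name__ == "__main__":
    for template in ("uid=%s", "uid=%0"):
        flt = expand_filter(template, "*")
        print(template, "->", flt, "->", search(DIRECTORY, flt))
```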

The following table describes additional LDAP map flags.

Table 14–30 Additional LDAP Map Flags

Flag 

Description 

-1

Requires a single match to be returned. If more than one match is returned, the results are the equivalent of no records being found. 

-r never|always|search|find

Sets the LDAP alias dereference option. 

-Z size

Limits the number of matches to return. 

Change to the Built-In Mailer From Version 8.12 of sendmail

The old [TCP] built-in mailer is not available. Use the P=[IPC] built-in mailer instead. The interprocess communications ([IPC]) built-in mailer now enables delivery to a UNIX domain socket on systems that support it. You can use this mailer with LMTP delivery agents that listen on a named socket. An example mailer might resemble the following.


Mexecmail, P=[IPC], F=lsDFMmnqSXzA5@/:|, E=\r\n,
        S=10, R=20/40, T=DNS/RFC822/X-Unix, A=FILE /var/run/lmtpd

The first mailer argument in the [IPC] mailer is now checked for a legitimate value. The following table provides possible values for the first mailer argument.

Table 14–31 Possible Values for the First Mailer Argument

Value 

Description 

A=FILE

Use for UNIX domain socket delivery 

A=TCP

Use for TCP/IP connections 

A=IPC

Is no longer available as a first mailer argument 

Additional Rule Sets From Version 8.12 of sendmail

The following table lists the additional rule sets and describes what the rule sets do.

Table 14–32 New Rule Sets

Set 

Description 

check_eoh

Correlates information that is gathered between headers and checks for missing headers. This rule set is used with the macro storage map and is called after all of the headers have been collected.  

check_etrn

Uses the ETRN command (as check_rcpt uses RCPT).

check_expn

Uses the EXPN command (as check_rcpt uses RCPT).

check_vrfy

Uses the VRFY command (as check_rcpt uses RCPT).

The following list describes additional rule set features.

Changes to Files From Version 8.12 of sendmail

Note the following changes.

sendmail Version 8.12 and IPv6 Addresses in Configuration

Starting with version 8.12 of sendmail, IPv6 addresses that are used in configuration should be prefixed with the IPv6: tag to identify the address properly. If you are not identifying an IPv6 address, a prefix tag is not used.