JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Managing sendmail Services in Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Mail Services (Overview)

2.  Mail Services (Tasks)

3.  Mail Services (Reference)

Oracle Solaris Version of sendmail

Flags Used and Not Used to Compile sendmail

MILTER, Mail Filter API for sendmail

Alternative sendmail Commands

Versions of the Configuration File

Software and Hardware Components of Mail Services

Software Components

Mail User Agent

Mail Transfer Agent

Local Delivery Agent

Mailers and sendmail

Simple Mail Transfer Protocol (SMTP) Mailers

UNIX-to-UNIX Copy Program (UUCP) Mailers

Mail Addresses

Domains and Subdomains

Name Service Domain Name and Mail Domain Name

Typical Format for Mail Addresses

Route-Independent Mail Addresses

Mailbox Files

Mail Aliases

Hardware Components

Mail Host

Mail Server

Mail Client

Mail Gateway

Mail Service Programs and Files

Enhancement for vacation Utility

Contents of the /usr/bin Directory

Contents of the /etc/mail Directory

Contents of the /etc/mail/cf Directory

Contents of the /usr/lib Directory

Other Files Used for Mail Services

Interactions of Mail Programs

sendmail Program

sendmail and Its Rerouting Mechanisms

sendmail Features

sendmail Configuration File

Mail Alias Files

.mailrc Aliases

/etc/mail/aliases File

NIS aliases Map

.forward Files

Situations to Avoid

Controls for .forward files

.forward.hostname File

.forward+detail File

/etc/default/sendmail File

Mail Addresses and Mail Routing

Interactions of sendmail With Name Services

sendmail.cf and Mail Domains

sendmail and Name Services

Mail Domains and Name Service Domains

Requirements for Name Services

Interactions of NIS and sendmail

Interactions of sendmail With NIS and DNS

Changes in Version 8.14 of sendmail

Changes in Version 8.13 of sendmail

Support for Running SMTP With TLS in Version 8.13 of sendmail

Configuration File Options for Running SMTP With TLS

Macros for Running SMTP With TLS

Rule Sets for Running SMTP With TLS

Security Considerations Related to Running SMTP With TLS

Additional Command-Line Options in Version 8.13 of sendmail

Additional and Revised Configuration File Options in Version 8.13 of sendmail

Additional and Revised FEATURE() Declarations in Version 8.13 of sendmail

Changes From Version 8.12 of sendmail

Support for TCP Wrappers From Version 8.12 of sendmail

submit.cf Configuration File From Version 8.12 of sendmail

Functions That Distinguish sendmail.cf From submit.cf

Functional Changes From Version 8.12 of sendmail

Additional or Deprecated Command-Line Options From Version 8.12 of sendmail

Additional Arguments for the PidFile and ProcessTitlePrefix Options From Version 8.12 of sendmail

Additional Defined Macros From Version 8.12 of sendmail

Additional Macros From Version 8.12 of sendmail

Additional MAX Macros From Version 8.12 of sendmail

Additional and Revised m4 Configuration Macros From Version 8.12 of sendmail

Changes to the FEATURE() Declaration From Version 8.12 of sendmail

Changes to the MAILER() Declaration From Version 8.12 of sendmail

Additional Delivery Agent Flags From Version 8.12 of sendmail

Additional Equates for Delivery Agents From Version 8.12 of sendmail

Additional Queue Features From Version 8.12 of sendmail

Changes for LDAP From Version 8.12 of sendmail

Change to the Built-In Mailer From Version 8.12 of sendmail

Additional Rule Sets From Version 8.12 of sendmail

Changes to Files From Version 8.12 of sendmail

sendmail Version 8.12 and IPv6 Addresses in Configuration

Index

Changes in Version 8.13 of sendmail

Although this version of sendmail provides many new features, the FallBackSmartHost option is the most significant addition. Because of this option you no longer need to use main.cf and subsidiary.cf. The main.cf file was used in environments that supported MX records. The subsidiary.cf file was used in environments without a fully operative DNS. In such environments a smart host was used instead of MX records. The FallBackSmartHost option provides unified configuration. It operates like an MX record of last possible preference for all environments. To ensure that mail gets delivered to clients, this option, if enabled, provides a well-connected (or smart) host that serves as a backup (or failover) for MX records that fail.

For more information about version 8.13, see the following sections:

Additionally, SMTP can run with Transport Layer Security (TLS). See the following description.

Support for Running SMTP With TLS in Version 8.13 of sendmail

Communications between SMTP servers and clients are not usually controlled or trusted on either end. This lack of security might allow a third party to monitor and even alter a communication between a server and a client. SMTP can use Transport Layer Security (TLS) in version 8.13 of sendmail to resolve this problem. This extended service to SMTP servers and clients provides the following:


Note - The implementation of TLS is based on the Secure Sockets Layer (SSL) protocol.


STARTTLS is the SMTP keyword that initiates a secure SMTP connection by using TLS. This secure connection might be between two servers or between a server and a client. A secure connection is defined as follows:

When the client issues the STARTTLS command, the server responds with one of the following:

The 220 response requires the client to start the TLS negotiation. The 501 response notes that the client incorrectly issued the STARTTLS command. STARTTLS is issued with no parameters. The 454 response necessitates that the client apply rule set values to determine whether to accept or maintain the connection.

Note that to maintain the Internet's SMTP infrastructure, publicly used servers must not require a TLS negotiation. However, a server that is used privately might require the client to perform a TLS negotiation. In such instances, the server returns this response:

530 Must issue a STARTTLS command first

The 530 response instructs the client to issue the STARTTLS command to establish a connection.

The server or client can refuse a connection if the level of authentication and privacy is not satisfactory. Alternately, because most SMTP connections are not secure, the server and client might maintain an unsecure connection. Whether to maintain or refuse a connection is determined by the configuration of the server and the client.

Support for running SMTP with TLS is not enabled by default. TLS is enabled when the SMTP client issues the STARTTLS command. Before the SMTP client can issue this command, you must set up the certificates that enable sendmail to use TLS. See How to Set SMTP to Use TLS. Note that this procedure includes defining new configuration file options and rebuilding your sendmail.cf file.

Configuration File Options for Running SMTP With TLS

The following table describes the configuration file options that are used to run SMTP with TLS. If you declare any of these options, use one of the following syntaxes:

Table 3-12 Configuration File Options for Running SMTP With TLS

Option
Description
CACertFile
m4 name: confCACERT

Argument: filename

Default value: undefined

Identifies the file that contains one CA certificate.

CACertPath
m4 name: confCACERT_PATH

Argument: path

Default value: undefined

Identifies the path to the directory that contains certificates of CAs.

ClientCertFile
m4 name: confCLIENT_CERT

Argument: filename

Default value: undefined

Identifies the file that contains the certificate of the client. Note that this certificate is used when sendmail acts as a client.

ClientKeyFile
m4 name: confCLIENT_KEY

Argument: filename

Default value: undefined

Identifies the file that contains the private key that belongs to the client certificate.

CRLFile
m4 name: confCRL

Argument: filename

Default value: undefined

Identifies the file that contains the certificate revocation status, which is used for X.509v3 authentication.

DHParameters
m4 name: confDH_PARAMETERS

Argument: filename

Default value: undefined

Identifies the file that contains the Diffie-Hellman (DH) parameters.

RandFile
m4 name: confRAND_FILE

Argument: file:filename or egd:UNIX socket

Default value: undefined

Uses the file: prefix to identify the file that contains random data or uses the egd: prefix to identify the UNIX socket. Note that because the Oracle Solaris OS supports the random number generator device, this option does not need to be specified. See the random(7D) man page.

ServerCertFile
m4 name: confSERVER_CERT

Argument: filename

Default value: undefined

Identifies the file that contains the server's certificate. This certificate is used when sendmail acts as a server.

Timeout.starttls
m4 name: confTO_STARTTLS

Argument: amount of time

Default value: 1h

Sets the amount of time the SMTP client waits for a response to the STARTTLS command.

TLSSrvOptions
m4 name: confTLS_SRV_OPTIONS

Argument: V

Default value: undefined

Determines whether the server asks for a certificate from the client. If this option is set to V, no client verification is performed.

For sendmail to support SMTP's use of TLS, the following options must be defined:

Other options are not required.

Macros for Running SMTP With TLS

The following table describes the macros that are used by the STARTTLS command.

Table 3-13 Macros for Running SMTP With TLS

Macro
Description
${cert_issuer}
Holds the distinguished name (DN) of the certification authority (CA), which is the certificate issuer.
${cert_subject}
Holds the DN of the certificate that is called the cert subject.
${cn_issuer}
Holds the common name (CN) of the CA, which is the cert issuer.
${cn_subject}
Holds the CN of the certificate that is called the cert subject.
${tls_version}
Holds the version of TLS that is used for the connection.
${cipher}
Holds a set of cryptographic algorithms (known as a cipher suite) that is used for the connection.
${cipher_bits}
Holds in bits the key length of the symmetric encryption algorithm that is used for the connection.
${verify}
Holds the result of the verification of the certificate that was presented. Possible values are as follows:
  • OK – The verification succeeded.

  • NO – No certificate was presented.

  • NOT – No certificate was requested.

  • FAIL – The certificate that was presented could not be verified.

  • NONESTARTTLS has not been performed.

  • TEMP – Temporary error occurred.

  • PROTOCOL – SMTP error occurred.

  • SOFTWARESTARTTLS handshake failed.

${server_name}
Holds the name of the server with the current outgoing SMTP connection.
${server_addr}
Holds the address of the server with the current outgoing SMTP connection.

Rule Sets for Running SMTP With TLS

The following table describes rule sets that determine whether an SMTP connection that uses TLS should be accepted, continued, or refused.

Table 3-14 Rule Sets for Running SMTP With TLS

Rule Set
Description
tls_server
Acting as a client, sendmail uses this rule set to determine whether the server is currently supported by TLS.
tls_client
Acting as a server, sendmail uses this rule set to determine whether the client is currently supported by TLS.
tls_rcpt
This rule set requires verification of the recipient's MTA. This recipient restriction makes attacks such as DNS spoofing impossible.
TLS_connection
This rule set checks the requirement that is specified by the RHS of the access map against the actual parameters of the current TLS connection.
try_tls
sendmail uses this rule set to determine the feasibility of using STARTTLS when connecting to another MTA. If the MTA cannot properly implement STARTTLS, then STARTTLS is not used.

For more information, see http://www.sendmail.org/m4/starttls.html.

Security Considerations Related to Running SMTP With TLS

As a standard mail protocol that defines mailers that run over the Internet, SMTP is not an end-to-end mechanism. Because of this protocol limitation, TLS security through SMTP does not include mail user agents. Mail user agents act as an interface between users and a mail transfer agent such as sendmail.

Also, mail might be routed through multiple servers. For complete SMTP security the entire chain of SMTP connections must have TLS support.

Finally, the level of negotiated authentication and privacy between each pair of servers or a client and server pair must be considered. For more information, see Authentication Services in Oracle Solaris 11.1 Administration: Security Services.

Additional Command-Line Options in Version 8.13 of sendmail

The following table describes additional command-line options that are available in version 8.13 of sendmail. Other command-line options are described in the sendmail(1M) man page.

Table 3-15 Command-Line Options Available in Version 8.13 of sendmail

Option
Description
-D logfile
Sends debugging output to the indicated logfile, instead of including this information with the standard output.
-q[!]Qsubstr
Specifies the processing of quarantined jobs that have this substr, which is a substring of the quarantine reason. See the description of the -Qreason option. If ! is added, this option processes quarantined jobs that do not have this substr.
-Qreason
Quarantines a normal queue item with this reason. If no reason is given, the quarantined queue item is unquarantined. This option works with the -q[!]Qsubstr option. The substr is a portion (or substring) of the reason.

Additional and Revised Configuration File Options in Version 8.13 of sendmail

The following table describes the added and revised configuration file options. If you declare any of these options, use one of the following syntaxes.

O OptionName=argument          # for the configuration file
-O OptionName=argument         # for the command line
define(`m4Name',argument)     # for m4 configuration

Table 3-16 Configuration File Options Available in Version 8.13 of sendmail

Option
Description
ConnectionRateWindowSize
m4 name: confCONNECTION_RATE_WINDOW_SIZE

Argument: number

Default value: 60

Sets the number of seconds for incoming connections to be maintained.

FallBackSmartHost
m4 name: confFALLBACK_SMARTHOST

Argument: hostname

To ensure that mail gets delivered to the clients, this option provides a well-connected host that serves as a backup (or failover) for MX records that fail.

InputMailFilters
m4 name: confINPUT_MAIL_FILTERS

Argument: filename

Lists the input mail filters for the sendmail daemon.

PidFile
m4 name: confPID_FILE

Argument: filename

Default value: /system/volatile/sendmail.pid

As in previous releases, the file name is macro-expanded before it is opened. Additionally, in version 8.13, the file is unlinked when sendmail exits.

QueueSortOrder
m4 name: confQUEUE_SORT_ORDER

Added argument: none

In version 8.13 none is used to specify no sorting order.

RejectLogInterval
m4 name: confREJECT_LOG_INTERVAL

Argument: period-of-time

Default value: 3h, which represents three hours.

When a daemon connection is refused for the period-of-time specified, the information is logged.

SuperSafe
m4 name: confSAFE_QUEUE

Short name: s

Added argument: postmilter

Default value: true

If postmilter is set, sendmail defers synchronizing the queue file until all milters have signaled acceptance of the message. For this argument to be useful, sendmail must be running as an SMTP server. Otherwise, postmilter operates as if you are using the true argument.

Additional and Revised FEATURE() Declarations in Version 8.13 of sendmail

The following table describes the added and revised FEATURE() declarations. This m4 macro uses the following syntax.

FEATURE(`name', `argument')

Table 3-17 FEATURE() Declarations Available in Version 8.13 of sendmail

Name of FEATURE()
Description
conncontrol
Works with the access_db rule set to check the number of incoming SMTP connections. For details, see /etc/mail/cf/README.
greet_pause
Adds the greet_pause rule set, which enables open proxy and SMTP slamming protection. For details, see /etc/mail/cf/README.
local_lmtp
The default argument continues to be mail.local, which is the LMTP-capable mailer in this Oracle Solaris release. However, in version 8.13, if a different LMTP-capable mailer is used, its path name can be specified as a second parameter and the arguments that are passed to the second parameter can be specified in the third parameter. For example:
FEATURE(`local_lmtp', `/usr/local/bin/lmtp', `lmtp')
mtamark
Provides experimental support for “Marking Mail Transfer Agents in Reverse DNS with TXT RRs” (MTAMark). For details, see /etc/mail/cf/README.
ratecontrol
Works with the access_db rule set to control connection rates for hosts. For details, see /etc/mail/cf/README.
use_client_ptr
If this FEATURE() is enabled, the rule set check_relay overrides its first argument with this argument, $&{client_ptr}.