
Managing sendmail Services in Oracle® Solaris 11.4


Updated: November 2020
 
 

Changes in Version 8.12 of sendmail

This section contains information about changes in version 8.12 of sendmail.

Support for TCP Wrappers in Version 8.12 of sendmail

TCP wrappers provide a way of implementing access controls by checking the address of a host requesting a particular network service against an access control list (ACL). Requests are granted or denied accordingly. Besides providing this access control mechanism, TCP wrappers also log host requests for network services, which is a useful monitoring function. Examples of network services that might be placed under access control include ftpd.

Starting with version 8.12, sendmail enabled the use of TCP wrappers. This check does not bypass other security measures but rather validates the source of a network request before the request is granted. See the hosts_access(5) man page.

For information about ACLs, see Using Access Control Lists to Protect UFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.4.

submit.cf Configuration File in Version 8.12 of sendmail

Starting with version 8.12, sendmail included an additional configuration file, /etc/mail/submit.cf. This file, submit.cf, is used to run sendmail in mail-submission program mode instead of daemon mode. Mail-submission program mode, unlike daemon mode, does not require root privilege, so this method provides better security.

    Note the following information for submit.cf:

  • sendmail uses submit.cf to run in mail-submission program (MSP) mode, which submits email messages and can be started by programs such as mailx as well as by users. Refer to the descriptions of the -Ac option and the -Am option in the sendmail(8) man page.

  • submit.cf is used in the following operating modes:

    • -bm, the default operating mode

    • -bs, which uses standard input to run SMTP

    • -bt, the test mode that is used to resolve addresses

  • When using submit.cf, sendmail does not run as an SMTP daemon.

  • When using submit.cf, sendmail uses /var/spool/clientmqueue, the client-only mail queue, which holds messages that were not delivered to the sendmail daemon. Messages in the client-only queue are delivered by the client daemon, which is really acting as a client queue runner.

  • By default, sendmail uses submit.cf periodically to run the MSP queue (otherwise known as the client-only queue), /var/spool/clientmqueue.

    /usr/lib/sendmail -Ac -q15m

    Note the following:

  • submit.cf is provided automatically.

  • submit.cf does not require any planning or preliminary procedures prior to Oracle Solaris installation.

  • Unless you specify a configuration file, sendmail automatically uses submit.cf as required. Basically, sendmail knows which tasks are appropriate for submit.cf and which tasks are appropriate for sendmail.cf.

Functions That Distinguish sendmail.cf From submit.cf

The sendmail.cf configuration file is for the daemon mode. When using this file, sendmail is acting as a mail transfer agent (MTA), which is started by root.

/usr/lib/sendmail -L sm-mta -bd -q1h

    Other distinguishing functions for sendmail.cf include the following:

  • By default, sendmail.cf accepts SMTP connections on ports 25 and 587.

  • By default, sendmail.cf runs the main queue, /var/spool/mqueue.

Functional Changes in Version 8.12 of sendmail

    With the addition of submit.cf, the following functional changes have occurred:

  • Starting with version 8.12 of sendmail, only root can run the mail queue. For further details, refer to the changes that are described in the mailq(1) man page. For new task information, refer to Administering the Mail Queue Directories.

  • The mail-submission program mode runs without root privilege, which might prevent sendmail from having access to certain files (such as the .forward files). Therefore, the -bv option for sendmail could provide misleading output. No workaround is available.

  • Prior to sendmail version 8.12, not running sendmail in daemon mode would prevent the delivery only of inbound mail. Starting with sendmail version 8.12, not running the sendmail daemon with the default configuration also prevents the delivery of outbound mail. The client queue runner (also known as the mail submission program) must be able to submit mail to the daemon on the local SMTP port. If the client queue runner tries to open an SMTP session with the local host and the daemon is not listening on the SMTP port, the mail remains in the queue. The default configuration does run a daemon, so this problem does not occur if you are using the default configuration. However, if you have disabled your daemon, refer to How to Manage Mail Delivery by Using an Alternate Configuration of sendmail.cf for a way to resolve this problem.

Additional or Deprecated Command-Line Options in Version 8.12 of sendmail

The following list describes additional or deprecated command-line options for sendmail. For other command-line options, see the sendmail(8) man page.

-Ac

Indicates that you want to use the configuration file, submit.cf, even if the operation mode does not indicate an initial mail submission. For more information about submit.cf, refer to submit.cf Configuration File in Version 8.12 of sendmail.

-Am

Indicates that you want to use the configuration file, sendmail.cf, even if the operation mode indicates an initial mail submission. For more information, refer to submit.cf Configuration File in Version 8.12 of sendmail.

-bP

Indicates that you are printing the number of entries in each queue.

-G

Indicates that the message that is being submitted from the command line is for relaying, not for initial submission. The message is rejected if the addresses are not fully qualified. No canonification is done.

-L tag

Sets the identifier that is used for syslog messages to the supplied tag.

-q[!]I substring

Processes only jobs that contain this substring of one of the recipients. To process only jobs that do not have this substring of one of the recipients, add the ! character.

-q[!]R substring

Processes only jobs that contain this substring of the queue ID. To process only jobs that do not have this substring of the queue ID, add the ! character.

-q[!]S substring

Processes only jobs that contain this substring of the sender. To process only jobs that do not have this substring of the sender, add the ! character.

-qf

Processes saved messages in the queue once, without using the fork system call, and runs the process in the foreground. Refer to the fork(2) man page.

-qGname

Processes only the messages in the name queue group.

-qptime

Processes saved messages in the queue at a specific interval of time with a single child that is forked for each queue. The child sleeps between queue runs. This new option is similar to the -qtime option, which periodically forks a child to process the queue.

-U

As is noted in the Release Notes that are part of the sendmail distribution.

Additional Arguments for the –PidFile and –ProcessTitlePrefix Options in Version 8.12 of sendmail

The following list describes additional macro-processed arguments for the –PidFile and –ProcessTitlePrefix options. For more information about these options, see the sendmail(8) man page.

${daemon_addr}

Provides daemon address (for example, 0.0.0.0)

${daemon_family}

Provides daemon family (for example, inet and inet6)

${daemon_info}

Provides daemon information (for example, SMTP+queueing@00:30:00)

${daemon_name}

Provides daemon name (for example, MSA)

${daemon_port}

Provides daemon port (for example, 25)

${queue_interval}

Provides queue run interval (for example, 00:30:00)

Additional Defined Macros in Version 8.12 of sendmail

The following additional macros are reserved for use by the sendmail program. The macro values are assigned internally. For more information, refer to the sendmail(8) man page.

${addr_type}

Identifies the current address as an envelope sender or a recipient address.

${client_resolve}

Holds the result of the resolve call for ${client_name}: OK, FAIL, FORGED, or TEMP.

${deliveryMode}

Specifies the current delivery mode that sendmail is using instead of the value of the –DeliveryMode option.

${dsn_envid}
${dsn_notify}
${dsn_ret}

Holds the corresponding DSN parameter values.

${if_addr}

Provides the interface's address for the incoming connection if the interface does not belong to the loopback net. This macro is especially useful for virtual hosting.

${if_addr_out}
${if_family_out}
${if_name_out}

Avoids the reuse of ${if_addr}. Holds the following values respectively:

  • The address of the interface for the outgoing connection

  • The family of the interface for the outgoing connection

  • The host name of the interface for the outgoing connection

${if_name}

Provides the interface's host name for the incoming connection and is especially useful for virtual hosting.

${load_avg}

Checks and reports the current average number of jobs in the run queue.

${msg_size}

Holds the value of the message size (SIZE=parameter) in an ESMTP dialogue before the message has been collected. Thereafter, the macro holds the message size as computed by sendmail and is used in check_compat.

${nrcpts}

Holds the number of validated recipients.

${ntries}

Holds the number of delivery attempts.

${rcpt_mailer}
${rcpt_host}
${rcpt_addr}
${mail_mailer}
${mail_host}
${mail_addr}

Holds the results of parsing the RCPT and MAIL arguments, which is the resolved right-hand side (RHS) triplet from the mail delivery agent ($#mailer), the host ($@host), and the user ($:addr).

Additional Macros for the Configuration File in Version 8.12 of sendmail

The following additional macros are used to build the sendmail configuration file:

LOCAL_MAILER_EOL

Overrides the default end-of-line string for the local mailer.

LOCAL_MAILER_FLAGS

Adds Return-Path: header by default.

MAIL_SETTINGS_DIR

Contains the path (including the trailing slash) for the mail settings directory.

MODIFY_MAILER_FLAGS

Improves the *_MAILER_FLAGS. This macro sets, adds, or deletes flags.

RELAY_MAILER_FLAGS

Defines additional flags for the relay mailer.

Additional MAX Macros in Version 8.12 of sendmail

Use the following macros to configure the maximum number of commands that can be received before sendmail slows its delivery. You can set these MAX macros at compile time. The maximum values in the following table also represent the current default values.

Macro              Maximum Value    Commands Checked by Each Macro
MAXBADCOMMANDS     25               Unknown commands
MAXNOOPCOMMANDS    20               NOOP, VERB, ONEX, XUSR
MAXHELOCOMMANDS    3                HELO, EHLO
MAXVRFYCOMMANDS    6                VRFY, EXPN
MAXETRNCOMMANDS    8                ETRN

Note -  You can disable a macro's check by setting the macro's value to zero.

Additional and Revised m4 Configuration Macros in Version 8.12 of sendmail

The following is a list of additional and revised m4 configuration macros for sendmail:

FEATURE()

For details, refer to Changes to the FEATURE Declaration in Version 8.12 of sendmail.

LOCAL_DOMAIN()

This macro adds entries to class w ($=w).

MASQUERADE_EXCEPTION()

A new macro that defines hosts or subdomains that cannot be masqueraded.

SMART_HOST()

This macro can now be used for bracketed addresses, such as user@[host].

VIRTUSER_DOMAIN()
VIRTUSER_DOMAIN_FILE()

When these macros are used, include $={VirtHost} in $=R. $=R is the set of host names that are allowed to relay.

Use the following syntax to declare these macros.

symbolic-name(`value')

If you need to build a new sendmail.cf file, refer to Changing the sendmail Configuration.

Changes to the FEATURE() Declaration in Version 8.12 of sendmail

This section lists the specific changes to the FEATURE() declarations. The following changes are supported:

compat_check

Enables you to look for a key in the access map that consists of the sender address and the recipient address. The two addresses in the key are delimited by the string <@>, for example, sender@sdomain<@>recipient@rdomain.

Argument: String.

delay_checks

Delays all checks. By using FEATURE(`delay_checks'), the rule sets check_mail and check_relay are not called when a client connects or issues a MAIL command respectively. Instead, these rule sets are called by the check_rcpt rule set. For details, refer to the /etc/mail/cf/README file.

Arguments: friend, which enables a spam-friend test, or hater, which enables a spam-hater test.

dnsbl

Enables you to check the return values for DNS lookups. Note that this FEATURE() enables you to specify the behavior of temporary lookup failures. You can include it multiple times.

Argument: A maximum of two arguments:

  • DNS server name

  • Rejection message

enhdnsbl

An enhanced version of dnsbl, which enables you to check the return values for DNS lookups. For more information, refer to /etc/mail/cf/README.

Argument: Domain name.

generics_entire_domain

Can be used to apply genericstable to subdomains of $=G.

Argument: None.

ldap_routing

Implements LDAP address routing.

local_lmtp

Sets the delivery status notification (DSN) diagnostic-code type for the local mailer to the proper value of SMTP.

Argument: Path name of an LMTP-capable mailer. The default is mail.local, which is LMTP capable in this Oracle Solaris release.

local_no_masquerade

Enables you to avoid masquerading for the local mailer.

Argument: None.

lookupdotdomain

Can be used to look up the .domain in the access map.

Argument: None.

nocanonify

Now includes the following features.

  • Enables a list of domains, as specified by CANONIFY_DOMAIN or CANONIFY_DOMAIN_FILE, to be passed to the $[ and $] operators for canonification.

  • Enables addresses that have only a host name, such as <user@host>, to be canonified, if canonify_hosts is specified as its parameter.

  • Adds a trailing dot to addresses with more than one component.

Argument: canonify_hosts or nothing.

no_default_msa

Turns off sendmail's default setting from m4-generated configuration files, which is to listen on several different ports, an implementation of RFC 2476.

Argument: None.

nouucp

Determines whether to allow the ! token in the local part of an address.

Argument: reject, which does not allow the ! token, or nospecial, which does allow the ! token.

nullclient

Now provides the full rule sets of a normal configuration, allowing you to perform antispam checks.

Argument: None.

preserve_local_plus_detail

Enables you to preserve the +detail portion of the address when sendmail passes the address to the local delivery agent.

Argument: None.

preserve_luser_host

Enables you to preserve the name of the recipient host, if LUSER_RELAY is used.

Argument: None.

queuegroup

Enables you to select a queue group that is based on the full email address or on the domain of the recipient.

Argument: None.

relay_mail_from

Allows relaying if the mail sender is listed as a RELAY in the access map and is tagged with the From: header line. If the optional domain argument is given, the domain portion of the mail sender is also checked.

Argument: domain is an optional argument.

virtuser_entire_domain

Can now be used to apply $={VirtHost}, a new class for matching virtusertable entries that can be populated by VIRTUSER_DOMAIN or VIRTUSER_DOMAIN_FILE.

FEATURE(`virtuser_entire_domain') can also apply the class $={VirtHost} to entire subdomains.

Argument: None.

To use the new and revised FEATURE names, use the following syntax.

FEATURE(`name', `argument')

If you need to build a new sendmail.cf file, refer to Changing the sendmail Configuration.

The following list describes FEATURE() declarations that are no longer supported and their replacements:

rbl

FEATURE(`dnsbl') and FEATURE(`enhdnsbl') replace this FEATURE(), which has been removed.

remote_mode

MASQUERADE_AS(`$S') replaces FEATURE(`remote_mode') in /etc/mail/cf/subsidiary.mc. $S is the SMART_HOST value in sendmail.cf.

sun_reverse_alias_files
sun_reverse_alias_nis
sun_reverse_alias_nisplus

FEATURE(`genericstable') replaces these FEATURE() declarations.

Changes to the MAILER() Declaration in Version 8.12 of sendmail

The MAILER() declaration specifies support for delivery agents. To declare a delivery agent, use the following syntax:

MAILER(`symbolic-name')

Note the following changes:

  • The MAILER(`smtp') declaration now includes an additional mailer, dsmtp, which provides on-demand delivery by using the F=% mailer flag. The dsmtp mailer definition uses the new –DSMTP_MAILER_ARGS, which defaults to IPC $h.

  • Numbers for rule sets that are used by MAILERs have been removed. You now have no required order for listing your MAILERs except for MAILER(`uucp'), which must follow MAILER(`smtp') if uucp-dom and uucp-uudom are used.

For more information about mailers, refer to Mailers and sendmail. If you need to build a new sendmail.cf file, refer to Changing the sendmail Configuration.

Additional Delivery Agent Flags in Version 8.12 of sendmail

Mlocal,    P=/usr/lib/mail.local, F=lsDFMAw5:/|@qSXfmnz9, S=10/30, R=20/40,
Mprog,     P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,
Msmtp,     P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990,
Mesmtp,    P=[IPC], F=mDFMuXa, S=11/31, R=21, E=\r\n, L=990,
Msmtp8,    P=[IPC], F=mDFMuX8, S=11/31, R=21, E=\r\n, L=990,
Mrelay,    P=[IPC], F=mDFMuXa8, S=11/31, R=61, E=\r\n, L=2040,

The following additional delivery agent flags are not set by default. These single-character flags are Boolean. You can set or unset a flag by including or excluding it in the F= statement of your configuration file, as shown in the preceding example.

%

Mailers that use this flag do not attempt delivery to the initial recipient of a message or to queue runs unless the queued message is selected by using an ETRN request or one of the following queue options: -qI, -qR, or -qS.

1

Disables the ability of the mailer to send null characters (for example, \0).

2

Disables the use of ESMTP and requires that SMTP be used instead.

6

Enables mailers to strip headers to 7 bit.

Additional Equates for Delivery Agents in Version 8.12 of sendmail

Use the following syntax to append new equates or new arguments to the equates that already exist in the configuration file:

Magent-name, equate, equate, ...

The following example includes the new W= equate. This equate specifies the maximum time to wait for the mailer to return after all data has been sent.

Msmtp, P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990, W=2m

The following example shows how to modify the definition of a value for m4 configuration. This example places a limit of 1000 on the number of messages that are delivered per connection on an smtp mailer.

define(`SMTP_MAILER_MAXMSGS', `1000')

If you need to build a new sendmail.cf file, refer to Changing the sendmail Configuration.


Note -  Typically, you modify the equate definitions in the mailer directory only when you fine-tune.

Additional equates for the M delivery-agent definition command are as follows:

/=

Specifies a directory to apply chroot() to before the mailer program is executed

Argument: Path to a directory

m=

Limits the number of messages that are delivered per connection on an smtp, local, or relay mailer

Argument: Any of the following m4 values that have previously been defined with the define() routine:

  • –SMTP_MAILER_MAXMSGS, for the smtp mailer

  • –LOCAL_MAILER_MAXMSGS, for the local mailer

  • –RELAY_MAILER_MAXMSGS, for the relay mailer

W=

Specifies the maximum time to wait for the return of the mailer after all data has been sent

Argument: An increment of time

Additional Queue Features in Version 8.12 of sendmail

    Additional queue features in version 8.12 are as follows:

  • This release supports multiple queue directories. To use multiple queues, supply a –QueueDirectory option value in the configuration file that ends with an asterisk (*), as shown in the following example.

    O QueueDirectory=/var/spool/mqueue/q*

    The option value, /var/spool/mqueue/q*, uses all of the directories (or symbolic links to directories) that begin with "q" as queue directories. Do not change the queue directory structure while sendmail is running. Queue runs create a separate process for running each queue unless the verbose flag (-v) is used on a nondaemon queue run. The new items are randomly assigned to a queue.

  • The new queue file-naming system uses file names that are guaranteed to be unique for 60 years. This system allows queue IDs to be assigned without complex file-system locking and simplifies the movement of queued items between queues.

  • Starting with version 8.12, only root can run the mail queue. For further details, refer to the changes that are described in the mailq(1) man page. For new task information, refer to Administering the Mail Queue Directories.

  • To accommodate envelope splitting, queue file names are now 15 characters long, rather than 14 characters long. File systems with a 14-character name limit are no longer supported.

For task information, refer to Administering the Mail Queue Directories.

Changes for LDAP in Version 8.12 of sendmail

    The changes in the use of the Lightweight Directory Access Protocol (LDAP) in version 8.12 of sendmail are as follows:

  • LDAPROUTE_EQUIVALENT() and LDAPROUTE_EQUIVALENT_FILE() enable you to specify equivalent host names, which are replaced by the masquerade domain name for LDAP routing lookups. For more information, refer to /etc/mail/cf/README.

  • As noted in the Release Notes that are in https://web.archive.org/web/20161028174456/http://sendmail.com/sm/open_source/docs/, the LDAPX map has been renamed to LDAP. Use the following syntax for LDAP:

    Kldap ldap options

  • This release supports the return of multiple values for a single LDAP lookup. Place the values to be returned in a comma-separated string with the -v option, as shown in the following example:

    Kldap ldap -v"mail,more-mail"

  • If no LDAP attributes are specified in an LDAP map declaration, all attributes that are found in the match are returned.

  • This version of sendmail prevents commas in quoted key and value strings in the specifications of the LDAP alias file from dividing a single entry into multiple entries.

  • This version of sendmail has a new option for LDAP maps. The option -Vseparator enables you to specify a separator so that a lookup can return both an attribute and a value that are separated by the relevant separator.

  • In addition to using the %s token to parse an LDAP filter specification, you can use the new token, %0, to encode the key buffer. The %0 token applies a literal meaning to LDAP special characters.

The following example shows how these tokens differ for a "*" lookup.

LDAP Map Specification    Specification Equivalent    Result
-k"uid=%s"                -k"uid=*"                   Matches any record with a user attribute
-k"uid=%0"                -k"uid=\2A"                 Matches a user with the name "*"
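
The difference between the two tokens can be reproduced outside sendmail. The following Python code is an added example, not sendmail code or part of the original page: the directory entries are constructed, the function names are hypothetical, and the set of escaped characters follows RFC 4515 (the page itself shows only * becoming \2A).

```python
# Added example: models the %s and %0 tokens of an LDAP map filter (-k).
# Not sendmail source code; the escaped character set is taken from RFC 4515.
import re

# Characters that RFC 4515 requires to be written as \XX inside a filter value.
_SPECIALS = {"*": r"\2A", "(": r"\28", ")": r"\29", "\\": r"\5C", "\0": r"\00"}


def escape_key(key: str) -> str:
    """Encode LDAP special characters so they are matched literally (%0)."""
    return "".join(_SPECIALS.get(ch, ch) for ch in key)


def expand_filter(template: str, key: str) -> str:
    """Expand %s (key copied as-is) and %0 (key escaped) in a filter template."""
    def repl(match):
        return key if match.group(1) == "s" else escape_key(key)
    return re.sub(r"%([s0])", repl, template)


def _unescape(value: str) -> str:
    """Turn \\XX escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def match_simple(filter_str: str, attrs: dict) -> bool:
    """Evaluate one attr=value assertion against an entry's attributes.

    An unescaped '*' is a wildcard (alone, it is a presence test);
    an escaped \\2A is an ordinary character.
    """
    attr, _, value = filter_str.partition("=")
    if attr not in attrs:
        return False
    # Escaped stars are still spelled \2A here, so every '*' left is a wildcard.
    parts = [re.escape(_unescape(p)) for p in value.split("*")]
    pattern = ".*".join(parts)
    return any(re.fullmatch(pattern, v, re.S) for v in attrs[attr])


# Constructed directory: two entries with a uid attribute, one without.
DIRECTORY = [
    ("alice", {"uid": ["alice"], "mail": ["alice@example.com"]}),
    ("star", {"uid": ["*"], "mail": ["star@example.com"]}),
    ("printer", {"cn": ["printer"]}),
]


def lookup(template: str, key: str):
    """Return the expanded filter and the names of the matching entries."""
    flt = expand_filter(template, key)
    return flt, [name for name, attrs in DIRECTORY if match_simple(flt, attrs)]


if __name__ == "__main__":
    for template in ("uid=%s", "uid=%0"):
        print(template, "->", lookup(template, "*"))
```

With a key that comes from an address supplied by a remote sender, %s lets the key change the meaning of the filter, while %0 keeps it a plain value.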

Additional LDAP map flags include:

-1

Requires a single match to be returned. If more than one match is returned, the results are the equivalent of no records being found.

-r never|always|search|find

Sets the LDAP alias dereference option.

-Z size

Limits the number of matches to return.

Change to the Built-In Mailer in Version 8.12 of sendmail

As of version 8.12 of sendmail, the old [TCP] built-in mailer is no longer available. Use the P=[IPC] built-in mailer instead. The interprocess communications ([IPC]) built-in mailer now enables delivery to a UNIX domain socket on systems that support it. You can use this mailer with LMTP delivery agents that listen on a named socket. This mailer might resemble the following example:

Mexecmail, P=[IPC], F=lsDFMmnqSXzA5@/:|, E=\r\n,
	S=10, R=20/40, T=DNS/RFC822/X-Unix, A=FILE /system/volatile/lmtpd

The first mailer argument in the [IPC] mailer is now checked for a legitimate value. Possible values for the first mailer argument include:

A=FILE

Use for UNIX domain socket delivery

A=TCP

Use for TCP/IP connections

A=IPC

No longer available as a first mailer argument

Additional Rule Sets in Version 8.12 of sendmail

The following additional rule sets are available in version 8.12 of sendmail:

check_eoh

Correlates information that is gathered between headers and checks for missing headers. This rule set is used with the macro storage map and is called after all of the headers have been collected.

check_etrn

Uses the ETRN command (as check_rcpt uses RCPT).

check_expn

Uses the EXPN command (as check_rcpt uses RCPT).

check_vrfy

Uses the VRFY command (as check_rcpt uses RCPT).

    Additional rule set features in version 8.12 of sendmail are as follows:

  • Numbered rule sets are also named, but the rule sets can still be accessed by their numbers.

  • The H header configuration file command allows for a default rule set to be specified for header checks. This rule set is called only if the individual header has not been assigned its own rule set.

  • Comments in rule sets (that is, text within parentheses) are not removed if the configuration file version is 9 or greater. For example, the following rule matches the input "token (1)", but does not match the input "token".

    R$+ (1)		$@ 1

  • sendmail accepts the SMTP RSET command even when it rejects commands because of TCP wrappers or the check_relay rule set.

  • You receive a warning if you set the –OperatorChars option multiple times. Also, do not set –OperatorChars after the rule sets are defined.

  • The name of the rule set, as well as its lines, are ignored if an invalid rule set is declared. The rule set lines are not added to S0.

Changes to Files in Version 8.12 of sendmail

    Note the following changes to files in version 8.12 of sendmail:

  • To support a read-only /usr file system, the contents of the /usr/lib/mail directory have been moved to the /etc/mail/cf directory. For details, refer to Contents of the /etc/mail/cf Directory. Note, however, that the shell scripts /usr/lib/mail/sh/check-hostname and /usr/lib/mail/sh/check-permissions are now in the /usr/sbin directory. See Additional Directories and Files Used for Mail Services. For backward compatibility, symbolic links point to each file's new location.

  • The new name for /usr/lib/mail/cf/main-v7sun.mc is /etc/mail/cf/cf/main.mc.

  • The new name for /usr/lib/mail/cf/subsidiary-v7sun.mc is /etc/mail/cf/cf/subsidiary.mc.

  • The helpfile is now located in /etc/mail/helpfile. The old name (/etc/mail/sendmail.hf) has a symbolic link that points to the new name.

  • The trusted-users file is now located in /etc/mail/trusted-users. During an upgrade, if the old name (/etc/mail/sendmail.ct) is detected but not the new name, a hard link from the old name to the new name is created. Otherwise, no change is made. The default content is root.

  • The local-host-names file is now located in /etc/mail/local-host-names. During an upgrade, if the old name (/etc/mail/sendmail.cw) is detected but not the new name, a hard link from the old name to the new name is created. Otherwise, no change is made. The default content is zero length.

sendmail Version 8.12 and IPv6 Addresses Used in Configuration

Starting with version 8.12 of sendmail, IPv6 addresses that are used in configuration should be prefixed with the IPv6: tag to identify the address properly. If you are not identifying an IPv6 address, a prefix tag is not used.
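
An untagged IPv6 address in an access-control entry is easy to miss in review. The following Python code is an added example, not part of the original page or of sendmail: it scans configuration text for IPv6 literals that lack the IPv6: tag. The sample lines are constructed in access-map style with documentation-prefix addresses, and the function names are hypothetical.

```python
# Added example: report IPv6 literals in configuration text that lack the IPv6: tag.
import ipaddress
import re

_SPLIT = re.compile(r"[\s,=()\[\]`'\"<>]+")   # separators between candidate tokens
_LEADING_TAG = re.compile(r"^[A-Za-z_]+:")     # a leading tag such as Connect:


def _is_ipv6(text: str) -> bool:
    """True only for a syntactically valid IPv6 literal."""
    if ":" not in text:
        return False
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


def classify(token: str):
    """Return ('tagged' | 'untagged', address) for an IPv6 literal, else None."""
    while token:
        if token.startswith("IPv6:"):
            rest = token[len("IPv6:"):]
            return ("tagged", rest) if _is_ipv6(rest) else None
        if _is_ipv6(token):
            return ("untagged", token)
        # Not an address as written: drop one leading tag and look again.
        stripped = _LEADING_TAG.sub("", token, count=1)
        if stripped == token:
            return None
        token = stripped
    return None


def untagged_ipv6(config_text: str):
    """Return [(line_number, address)] for IPv6 literals missing the IPv6: tag."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        for token in _SPLIT.split(line):
            result = classify(token)
            if result and result[0] == "untagged":
                findings.append((lineno, result[1]))
    return findings


# Constructed sample, not a shipped file. The last line holds a value with
# colons that is not an address and must not be reported.
SAMPLE = """\
# constructed sample in access-map style
IPv6:2001:db8:1::25       RELAY
2001:db8:2::99            REJECT
Connect:2001:db8:3::7     OK
Connect:IPv6:::1          RELAY
192.0.2.10                RELAY
info SMTP+queueing@00:30:00
"""

if __name__ == "__main__":
    for lineno, addr in untagged_ipv6(SAMPLE):
        print(f"line {lineno}: {addr} should be written as IPv6:{addr}")
```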