SENDMAIL Q/A
 

1) /usr/lib/sendmail -d0.4 -bt < /dev/null
    which shows you how sendmail thinks about your host.

2)sendmail supports several map types. The main types are:

hash/btree
     requries the compile flag -DNEWDB. This is the new Berkeley DB package.
     If your system does not have this pre-installed, or the version
     installed is not version 2.0 or greater (e.g., is Berkeley DB 1.85 or
     1.86), get the current version from http://www.sleepycat.com/.
dbm
     requries the compile flag -DNDBM. This is the older NDBM
     implementation.

3)Which sendmail version do I run?

To find out which version of sendmail is installed on your system, you can try the following
commands:

sendmail -d0.5 -bv root
should tell you its version and some basic settings.

telnet localhost 25
sendmail should greet you with its welcome message and tell you the version of its binary and config
file. Enter QUIT to leave this mode.

4)I can't send mail to users whose accounts have upper case letters?

First: Don't use uppercase letters...: man 5 passwd:

     username       is the user's login name.   This  field  con-
                    tains  no  uppercase characters, and must not
                    be more than eight characters in length.

If you really need it, set the flag 'u' in

Mlocal,..F=..u..
             ^

in sendmail.cf

u   Upper case should be preserved in user  names  for
    this mailer.

If you use procmail as local mailer, make sure you define NO_USER_TO_LOWERCASE_HACK (in
config.h ?).

5)Cannot alias non-local names

If you get the error: name: cannot alias non-local names when running newaliases (or
sendmail -bi ), there are several possibilities to check:

   1.Does

     sendmail -bt
     > 3,0 name

     resolve to the local mailer?
   2.Make sure you have the flag F=A for Mlocal in your sendmail.cf . (This applies to
     sendmail 8.8 ).

6)Config error: mail loops back to myself

You are still getting this message:

        553 relay.domain.net config error: mail loops back to myself
        554 <user@domain.net>... Local configuration error
How can I solve this problem? There are two possibilities:

   1.You have asked mail to the domain (e.g., dom.ain) to be forwarded to a specific host (in this
     case, relay.dom.ain) by using an MX record, but the relay machine doesn't recognize itself
     as dom.ain. Add dom.ain to /etc/sendmail.cw (if you are using
     FEATURE(use_cw_file)) or add

     Cwdom.ain

     to your configuration file.
   2.Another possibility is that relay.dom.ain should send this to another host mail.dom.ain
     which really handles the mail for dom.ain. If this host is reachable by SMTP you should
     create an MX record with the best (lowest) priority pointing to mail.dom.ain. Make sure
     that relay.dom.ain really knows it is relay.dom.ain! If you setup the MX records, you
     must use the correct name for relay.dom.ain.
     If mail.dom.ain is reachable by some other mail transport protocol (UUCP) or it is not
     directly reachable from the outside, you may have a look at the feature mailertable. E.g., use
     in your .mc configuration file something like

     FEATURE(mailertable,`dbm -o /etc/mailertable')

     (or another database type, see makemap(8)) and add a line like the following to the
     mailertable:

     dom.ain smtp:[mail.dom.ain]

     The square brackets ([ ]) tell sendmail to ignore MX records for mail.dom.ain.

Two more hints: An MX record shouldn't point to a CNAME, it will most probably cause you a lot
of trouble. (And currently it violates RFC 974 ).
And from src/READ_ME :
WILDCARD MX RECORDS ARE A BAD IDEA! The only situation in which they work reliably
is if you have two versions of DNS, one in the real world which has a wildcard pointing to your
firewall, and a completely different version of the database internally that does not include wildcard
MX records that match your domain. ANYTHING ELSE WILL GIVE YOU HEADACHES!

IMPORTANT: Be sure you kill and restart the sendmail daemon after you change the configuration
file (for ANY change in the configuration, not just this one):

                kill `head -1 /etc/sendmail.pid`
                sh -c "`tail -1 /etc/sendmail.pid`"

NOTA BENE: kill -1 does not work!

and both hints didn't solve your problem?

So here is another hint what might be wrong: You use a

LOCAL_RULE_0

in your sendmail.mc (which is S98 in sendmail.cf)? This rule is evaluated before the local recognition
of S0 happens. So if you use some rule here, which (by accident) also matches your local host but
doesn't resolve to local, you have a problem. Try to debug that address and see where it fails (where
it gets resolved to another mailer than local).

7)How to route all mail to a single user?

Sometimes you want to route all mail for a domain to a single user. You can do this by a rule like
this:

R$+ < @ the.domain. >           $#local $: the-user                     all to one user

This usually goes into ruleset 0.

8)How to route mail to unknown users to one account?

sendmail 8 has a feature to route all mail which ends up a local on the system but isn't a valid account
(or alias), to another system (the so-called LUSER_RELAY ), see cf/README (from 8.8). However,
this feature is disrecommended, since it can break ``working'' addresses if you introduce new local
users.

If you want to route all mail to unknown users to one account (instead of giving the standard error
reply), you can put in your .mc file the following:

define(`LUSER_RELAY',`local:someuser@your.domain')

or look in your sendmail.cf for these lines and remove the hash in front of them:

Kuser user -m -a<>
DLlocal:someuser@your.domain

R< > $+                 $: < $L . > $( user $1 $)       look up user
R< $* > $+ <> $*        $: < > $2 $3                    found; strip $L
R< $* . > $+            $: < $1 > $2                    strip extra dot

Something similar can be accomplished for virtual domains.

9)How do I queue mail for another domain?

Your system mailserver.my.domain should act as a backup mailserver for
mailserver.client.domain. The client wants to receive mail for the address
user@client.domain. This requires:

   1.MX Records:

     client.domain.          IN MX 10 mailserver.client.domain.
     client.domain.          IN MX 10 mailserver.my.domain.
     mailserver.client.domain.               IN MX 10 mailserver.client.domain.
     mailserver.client.domain.               IN MX 10 mailserver.my.domain.

     The last two records are there "just in case".
     Make sure you use the real names of all systems. mailserver.my.domain must know its
     own name, otherwise you'll get the famous mail loops back to myself error.
   2.On your system: do nothing unless you have anti-relay rules installed (which you really should
     have!). In this case, add client.domain to the required files. Don't add client.domain
     or mailserver.client.domain to class w on your system!
   3.sendmail on your system will try to deliver mail during queue runs, however, the client may
     trigger delivery by using the ETRN command.

10)Class w contains all local addresses

sendmail 8.8 includes all local addresses into class w to avoid the well-known config error: mail loops
back to myself . If this is not intended, there's an undocumented compile-time-option,
-D_FFR_DONT_PROBE_INTERFACES_OPTION which enables the option O
DontProbeInterfaces in your sendmail.cf . Set it to True to keep sendmail from adding all
local addresses to class w.

11)How do I refuse e-mail from unwanted domains (users)?

Using rules with sendmail 8.8 or 8.9

sendmail 8.8 has some new rulesets to check who can use your machine as a mail gateway. Using
check_* in sendmail 8.8 gives an overview how to use these rulesets, 8.9 has standard FEATUREs
to this effect.

Using rules with sendmail 8.x

If you have sendmail 8.x (with x < 8), you can do the following to refuse mails from unwanted
domains/hosts: Put into ruleset 98 something like: (this is LOCAL_RULE_0 in your .mc file)

R$* < @$*$=K . > $*             $#error $@ 5.7.1 $: "This domain is banned."
R$* < @$*$=K > $*               $#error $@ 5.7.1 $: "This domain is banned."

And define a class K by:

FK/etc/banned.domains

In this file, you should put the names of the banned domains, e.g.,

cyberpromo.com
quantcom.com
savetrees.com

If you want to specify the user(s) too, you have to replace the first $* with the name or a match for a
class.

Using tcp_wrappers

Another possibility is to use tcp_wrappers. There is a patch available for sendmail 8.7.x, which
incorporates the functionality directly into sendmail. Using this approach, you can define the access
to your sendmail daemon based on the rules available for tcp_wrappers .

sendmail 8.8 supports this without a patch, just use -DTCPWRAPPERS=1 for compilation and add the
appropriate library -lwrap . There is a patch for a problem with sendmail 8.8.8 which passes
incorrect data to the library routines. A patch can be found in ftp://ftp.win.tue.nl/pub/security/.
Thanks to Lou Rinaldi for pointing this out.

Using checkcompat()

A third possibility is to use the checkcompat() routine. Kyle Jones proposed the following patch.
It is intended to disallow all non-local e-mail traffic through your host. Use at your own risk.

12)Unsafe map file /etc/mail/aliases

With the latest sendmail release many people get an error message like:

unsafe map file /etc/mail/aliases

(or another map). There may be several reasons for this, the most common is that the permissions of
the directories leading to the alias file are incorrect. It must be:

drwxr-xr-x 12 root     staff        3072 Nov 20 10:47 /etc/
drwxr-xr-x  4 root     staff        1024 Dec 21 16:40 /etc/mail/

i.e., the directory must be owned by root and not writable by the group or the rest of the world.
The alias file itself must have similar permissions. Moreover, if you have a db map, you may try to
touch the resulting map (file.db) and call makemap or newaliases thereafter.

See the release notes for further details. /usr/lib/sendmail -bi -d44.4 gives some debug
output for the alias map.

13)Allowing controlled SMTP relaying in Sendmail 8.9

As of sendmail version 8.9, forwarding of SMTP messages is not permitted by default. For example,
if you are on site A.COM, you will not accept mail from B.NET destined for C.ORG without special
arrangements. These instructions assume that you are using the M4 technique for creating your
sendmail.cf files; if you are not, you are on your own.

The simplest approach is to list the domains you are willing to relay in the file
/etc/mail/relay-domains. Anything listed in this file will be accepted for relaying. N.B.:
Sendmail must be restarted after this file is modified.

For more precise tuning, several FEATUREs have been added to control relaying:

     FEATURE(relay_hosts_only). Normally domains are listed in
     /etc/mail/relay-domains; any hosts in those domains match. With this feature, each host
     in a domain must be listed.
     FEATURE(relay_entire_domain). Setting this feature allows relaying of all hosts within
     your domain. For example, on the host gateway.A.COM, this feature allows mail to or from
     any host in the A.COM domain. More precisely, this relays any host listed in the $=m class. This
     is equivalent to listing the name of the domain in /etc/mail/relay-domains.
     FEATURE(access_db). This enables the hash database /etc/mail/access to enable or
     disable access from individual domains (or hosts, if FEATURE(relay_hosts_only) is set).
     The database format is described below.
     FEATURE(blacklist_recipients). If set, this feature looks up recipients as well as
     senders in the access database.
     FEATURE(rbl). Enables rejection of mail based on the Realtime Blackhole List maintained at
     maps.vix.com.
     FEATURE(accept_unqualified_senders). Normally, sendmail will not accept mail from
     a sender without a domain attached -- for example, user instead of user@B.NET. This
     feature allows such users.
     FEATURE(accept_unresolvable_domains). Normally, sendmail will refuse to accept mail
     that has a return address with a domain that cannot be resolved using the regular host lookups
     (a technique commonly used by spammers). This feature permits acceptance of such
     addresses. Unresolvable domains can be selectively accepted using the access database.
     FEATURE(relay_based_on_MX). Setting this feature permits relaying for any domain that is
     directed to your host.

Several other features are probably a bad idea, unless you are inside a firewall, because they make
your system vulnerable to abuse by spammers:

     FEATURE(relay_local_from). This feature allows relaying if the message claims to
     originate at your domain. Since forging this address is trivial, this is probably a bad idea.
     FEATURE(loose_relay_check). This turns off checking for explicit routing through your
     host, such as target%C.ORG@A.COM.
     FEATURE(promiscuous_relay). If you really want to forward all the spam on the net, this
     will turn off all checking for relaying.

The Access Database

The access database (normally in /etc/mail/access) allows a mail administrator to
administratively allow access to the mail server by individual domains. Each database entry consists
of a domain name or network number as the key and an action as the value.

Keys can be a fully or partly qualified host or domain name such as
host.subdomain.domain.com, subdomain.domain.com, or domain.com. The last two forms
match any host or subdomain under the specified domain. (If FEATURE(relay_hosts_only) is
set, only the first form works.) Keys can also be a network address or subnetwork, e.g.,
205.199.2.250, 205.199.2, or 205.199. The latter two forms match any host in the indicated
subnetwork. Lastly, keys can be user@host.domain to reject mail from a specific user.

Values can be REJECT to refuse connections from this host, DISCARD to accept the message but
silently discard it (the sender will think it has been accepted), OK to allow access (overriding other
built-in checks), RELAY to allow access including relaying SMTP through your machine, or an
arbitrary message to reject the mail with the customized message.

For example, a database might contain:

cyberpromo.com  REJECT
sendmail.org    RELAY
spam@buyme.com  550 Spammers shan't see sunlight here

to reject all mail from any host in the cyberpromo.com domain, allow any relaying to or from any
host in the sendmail.org domain, and reject mail from spam@buyme.com with a specific message.

14)Dont Blame Sendmail and Enhanced File Security

Beginning with version 8.9.0, sendmail has tightened the rules used for opening files. Sendmail now
checks the modes and ownership of the files and the directory path leading up to that file to prevent
users from taking advantage of overly permissive modes on directories and files.

During your migration to sendmail 8.9, you will need to fix up any permissions which would be
considered unsafe such as non-root owned directories containing maps or group writable directories
and files. In general, directories which sendmail reads from should be owned by root unless the
RunAsUser option is set. There are exceptions to this rule such as user .forward files.

You may have to tweak your environment to make it safer for sendmail to run. If you find that some
of the safeties in sendmail are too restrictive for your environment, they can be turned off by setting
the option DontBlameSendmail. The option is appropriately named as sendmail is not to be
blamed for problems resulting from unsafe permissions on directories and files.

Checking your system for these unsafe files is simply a matter of performing a few commands to see
if they report any problems. For example, if rebuilding the aliases file with:

# newaliases -v

gives messages such as:

WARNING: writable directory /etc
WARNING: writable directory /usr/spool/mqueue

then the directories listed have inappropriate write permissions and should be secured to avoid
various possible security attacks. Although somewhat verbose, a good test to make sure sendmail is
satisfied with the permissions on your database maps, class files, and aliases file is the command:

# sendmail -v -d44.4 -bv postmaster

This will output the file safety checks as they are done and the results of each one.

The biggest surprise is likely to come from .forward and :include: files in unsafe directory paths
(directory paths which are group or world writable). This is no longer allowed. This would mean that
if user joe's home directory was writable by group staff, sendmail would not use his .forward file.
This behavior can be altered, at the possible expense of system security, by setting the
DontBlameSendmail option. For example, to allow forward files in group writable directories:

O DontBlameSendmail=forwardfileingroupwritabledirpath

Or to allow them in both group and world writable directories:

O DontBlameSendmail=forwardfileinunsafedirpath

Items from these unsafe .forward and :include: files will be marked as unsafe addresses -- the
items can not be deliveries to files or programs. This behavior can also be altered via
DontBlameSendmail:

O DontBlameSendmail=forwardfileinunsafedirpath,
forwardfileinunsafedirpathsafe

The first flag allows the forward file to be read, the second allows the items in the file to be marked
as safe for file and program delivery.

Other files affected by this strengthened security include class files (i.e. Fw /etc/sendmail.cw),
persistent host status files, and the files specified by the ErrorHeader and HelpFile options.
Similar DontBlameSendmail flags are available for these files.
 
 

The DontBlameSendmail option takes one or more names that disable checks. In the descriptions
that follow, "unsafe directory" means a directory that is writable by anyone other than the owner.
The values are:

 Safe
                               No special handling.
 AssumeSafeChown
                               Assume that the chown system call is restricted to root.
                               Since some versions of UNIX permit regular users to give
                               away their files to other users on some filesystems,
                               sendmail often cannot assume that a given file was
                               created by the owner, particularly when it is in a writable
                               directory. You can set this flag if you know that file
                               giveaway is restricted on your system.
 ClassFileInUnsafeDirPath
                               When reading class files (using the F line in the
                               configuration file), allow files that are in unsafe directories.
 ErrorHeaderInUnsafeDirPath
                               Allow the file named in the ErrorHeader option to be in
                               an unsafe directory.
 GroupWritableDirPathSafe
                               Change the definition of "unsafe directory" to consider
                               group-writable directories to be safe. World-writable
                               directories are always unsafe.
 GroupWritableForwardFileSafe
                               Accept group-writable .forward files.
 GroupWritableIncludeFileSafe
                               Accept group-writable :include: files.
 GroupWritableAliasFile
                               Allow group-writable alias files.
 HelpFileInUnsafeDirPath
                               Allow the file named in the HelpFile option to be in an
                               unsafe directory.
 WorldWritableAliasFile
                               Accept world-writable alias files.
 ForwardFileInGroupWritableDirPath
                               Allow .forward files in group writable directories.
 IncludeFileInGroupWritableDirPath
                               Allow :include: files in group writable directories.
 ForwardFileInUnsafeDirPath
                               Allow .forward files in unsafe directories.
 IncludeFileInUnsafeDirPath
                               Allow :include: files in unsafe directories.
 ForwardFileInUnsafeDirPathSafe
                               Allow a .forward file that is in an unsafe directory to
                               include references to program and files.
 IncludeFileInUnsafeDirPathSafe
                               Allow a :include: file that is in an unsafe directory to
                               include references to program and files.
 MapInUnsafeDirPath
                               Allow maps (e.g., hash, btree, and dbm files) in unsafe
                               directories.
 LinkedAliasFileInWritableDir
                               Allow an alias file that is a link in a writable directory.
 LinkedClassFileInWritableDir
                               Allow class files that are links in writable directories.
 LinkedForwardFileInWritableDir
                               Allow .forward files that are links in writable directories.
 LinkedIncludeFileInWritableDir
                               Allow :include: files that are links in writable
                               directories.
 LinkedMapInWritableDir
                               Allow map files that are links in writable directories.
 LinkedServiceSwitchFileInWritableDir
                               Allow the service switch file to be a link even if the
                               directory is writable.
 FileDeliveryToHardLink
                               Allow delivery to files that are hard links.
 FileDeliveryToSymLink
                               Allow delivery to files that are symbolic links.
 RunProgramInUnsafeDirPath
                               Go ahead and run programs that are in writable
                               directories.
 RunWritableProgram
                               Go ahead and run programs that are group- or
                               world-writable.
 WriteMapToHardLink
                               Allow writes to maps that are hard links.
 WriteMapToSymLink
                               Allow writes to maps that are symbolic links.
 WriteStatsToHardLink
                               Allow the status file to be a hard link.
 WriteStatsToSymLink
                               Allow the status file to be a symbolic link.

15) FR-o /etc/mail/relay-domains
    class R (relay-domains) doesn't act on MAIL FROM, but
    on the address of the connecting system

16)Is there an already written FEATURE or HACK which allows me to ban a
    spam domain like hostmail.com yet allow certain users who have accounts
    on hostmail.com access?

Use
FEATURE(access_db)
and create an access map with entries like:

hostmail.com  REJECT
friend1@hostmail.com OK
another@hostmail.com OK
However, it doesn't really work :-(
You have to disable check_relay.
If you want to make use of this trick and you don't
need check_relay (see the docs for info about this
ruleset), you can disable it:

SLocal_check_relay
R$*  $@ $# OK
 

17)Anti Spam Again

Sendmail 8.8.x

For now I'll just link the spam rule I install on the linux boxes here at Infinex. It works great to the
best of my knowledge ( not much up there ;) ). Basicly you list which Network blocks are allowed
to send mail through you.. ie

127.0.0.1
207.113.220
10.2
207.201.8.22

and for domain names

localhost
infinex.com
subdomain.infinex.com

Here's a tiny modified version of the link above that is actually used at Infinex.
 

# please use the .m4 file, this file is not maintained!
LOCAL_CONFIG
F{LocalIP} /etc/spam/OkIPs
F{RelayTo} /etc/spam/OkDomains
LOCAL_RULESETS
Scheck_rcpt
# make sure you have TABs here, not BLANKs! sendmail will complain otherwise...
# first: get client addr
R$+                     $: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*                $@ ok                   no client addr: directly invoked
R$={LocalIP}$* $| $*    $@ ok                   from here
# not local, check rcpt
R$* $| $*               $: $>3 $2
# remove local part, maybe repeatedly
R$+                     $:$>remove_local $1
# still something left?
R$*<@$+>$*              $#error $@ 5.7.1 $: 550 Sorry.. we do not allow relaying
Sremove_local
# remove RelayTo part (maybe repeatedly)
R$*<@$*$={RelayTo}.>$*  $>3 $1 $4
R$*<@$=w.>$*            $: $>remove_local $>3 $1 $3
R$*<@$*>$*              $@ $1<@$2>$3
# dequote local part
R$-                     $: $>3 $(dequote $1 $)
R$*<@$*>$*              $: $>remove_local $1<@$2>$3

If anyone knows if the above sendmail rule can still be relaied though email me!! please!! ;)..

Compile/Config Sendmail 8.9.0

The following should work for most Slackware boxes... other Distribs may vary..

The compile part should work for any linux box. The cf part is made to support virtual domains and
spam control.. SENDMAIL 8.9.0 DOES NOT SUPPORT DBM ANYMORE. Use "hash" instead
of "dbm".. hash is the default db type for everything now.. So far the "spam control"
[FEATURE(access_db)] checks From:, To:, some part of Recieved: fields.

download ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.0.tar.gz

# tar -zxf sendmail.8.9.0.tar.gz

# cd sendmail-8.9.0

# pico -w BuildTools/OS/Linux #add the following lines.

     define(`confLDOPTS', `-s')
     define(`confOPTIMIZE', `-m486 -O2')
 

# cd src

# Build

# cd ../cf/cf

# pico -w linux.mc

     divert(-1)
     #
     # Copyright (c) 1998 Sendmail, Inc.  All rights reserved.
     # Copyright (c) 1983 Eric P. Allman.  All rights reserved.
     # Copyright (c) 1988, 1993
     #       The Regents of the University of California.  All rights reserved.
     #
     # By using this file, you agree to the terms and conditions set
     # forth in the LICENSE file which can be found at the top level of
     # the sendmail distribution.
     #
     #
     #
     #  This is the prototype file for a configuration that supports nothing
     #  but basic SMTP connections via TCP.
     #
     #  You MUST change the `OSTYPE' macro to specify the operating system
     #  on which this will run; this will set the location of various
     #  support files for your operating system environment.  You MAY
     #  create a domain file in ../domain and reference it by adding a
     #  `DOMAIN' macro after the `OSTYPE' macro.  I recommend that you
     #  first copy this to another file name so that new sendmail releases
     #  will not trash your changes.
     #
     divert(0)dnl
     VERSIONID(`@(#)tcpproto.mc      8.10 (Berkeley) 5/19/98')
     define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')
     OSTYPE(linux)dnl
     DOMAIN(linuxrox.com)dnl
     FEATURE(nouucp)dnl
     FEATURE(local_procmail)dnl
     FEATURE(virtusertable, hash -o /etc/mail/virtusertable)dnl
     FEATURE(access_db)dnl
     MAILER(local)dnl
     MAILER(smtp)dnl

# pico -w ../domain/linuxrox.com.m4 # replace linuxrox.com with your own domain name.

     divert(-1)dnl
     #
     #  This file contains the global definitions for yourdomain.com
     #
     divert(0)dnl
     VERSIONID(`@(#)linuxrox.com.m4   1.0 (linuxrox.com) 06/01/98')
     FEATURE(use_cw_file)dnl

# m4 ../m4/cf.m4 linux.mc > /tmp/sendmail-8.9.0.cf

# cd ../..

# make install # this is install all the new sendmail programs

# cd /etc

# mv sendmail.cf sendmail-original.cf # just incase the new cf won't work we save the old which
will..

# cp /tmp/sendmail.cf sendmail-8.9.0.cf

# ln -s sendmail-8.9.0.cf sendmail.cf

# pico -w /etc/sendmail.cw #list all the domains hosted on you box

     linuxrox.com
     gman.infinex.com
     evilpeople.com

Any mail to a specific host on your box that is not listed will be REJECTED. The only exception is if
the host is a CNAME to the domain name.

# kill -TERM `head -1 /var/run/sendmail.pid`

# /usr/sbin/sendmail -bd -q15m

 

All done with sendmail.. just "spam control" and virtual domains need to be modifed/configed..

# pico -w /etc/mail/virtusertable #Example of /etc/mail/virtusertable

     mp3@evilpeople.com              error:nouser Unknown user
     suggest@evilpeople.com          evilppl
     @evilpeople.com                 evilppl

     @mp3.evilpeople.com             error:nouser Unknown user

# makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable

mp3@evilpeople.com is an email address I don't want people email so people get a "550 Unknown
user" when they do try to email mp3@evilpeople.com. suggest@evilpeople.com really goes to the
local user called 'evilppl'. You can also redirect to a remote email address (ie.
username@hotmail.com).

To offer unlimited "unlimited aliases" just direct everything to as user on your system. For example.

     @domain.com                     username_on_system

Example of /etc/mail/access

     Friend@         550 Sorry FROM field invalid
     evilusername@evilplace.com         550 Spammer, Go away!!
     test.com        REJECT
     domain.com      550 Sorry, domain.com is not a valid domain.
     10.0.2.10       OK
     10.0.2          550 Your Netblock not allowed..

Pretty simple

   1.Friend@ - reject email address with Friend@
   2.evilusername@evilplace.com - rejects msg with "550 Spammer, Go away!!" err msg
   3.test.com - gets rejected with REJECT msg
   4.domain.com - sends a "550 Sorry, domain.com is not a valid domain." REJECT msg..
   5.10.0.2.10 - gets not error msg. Mail always accepted.
   6.10.0.2 - sends a "550 Your Netblock not allowed.." REJECT msg for any host with IP
     10.0.2 except 10.0.2.10

18)I need the m4 definition to relay all unmatched virtualusers to
    another machine:

LUSER_RELAY .  This option will cause all
local mail for which there is no corresponding user account to be sent to
the machine of your choice.

For example in M4 you would add this line:

define(`LUSER_RELAY', `other-smtphost.my.domain')dnl

19)How I can feed sendmail a subject field when using CGI
    in mail forms. In Perl, I can simply invoke sendmail with
    "system('/usr/local/sendmail $email < $somefile')" Is there a way to
    feed a variable like $subject to sendmail on the command line? Pardon my
    ignorance!!!!
 

  Use -s.  For example...

system("/usr/lib/sendmail -s '$subject' $email <$somefile");

20)SMTP connections from 127.0.0.1 only - How?
1.  Compile sendmail with the TCP wrappers library and use it to control
    from where sendmail will accept connections from.

 2.  Install a local packet filter to control what IP addresses may connect
     to which ports on the computer (on some OSes, such capability is included
     if you remake a kernel with that option enabled; on some other OSes,
     something like ip-filter may be usable).

3. Set "DaemonPortOptions=Addr=127.0.0.1" in sendmail.cf (or the necessary
   incantation in your .mc).

21)There are two reasons why sendmail is setuid root.

1. It reacts to system load by unbinding port 25 when the load is too
   high, and rebinding it when the load goes down again.
2. It changes uid to a specific user when executing programs for
   that user, in the case of program executing from a .forward file.
3. And, less important than these, sendmail needs to be root to be
   able to read each user's .forward file.

22)Why do only some hosts reject my email with the following response?
> Any advice on how to correct it will be greatly appreciated.
>
>    ----- Transcript of session follows -----
> ... while talking to pop.uunet.ca.:
>>>> HELO fres.GLFC.Forestry.CA.
> <<< 501 5.5.4 Invalid HELO parameter: "fres.GLFC.Forestry.CA."
 

  The HELO string identifies the calling system.  sendmail can check the name
  in a number of ways:

    * Does the IP address of the client reverse map into the same name?

    * Does it conform to the rules in RFC 1123. That is, is it a canonical
      name, is it a fully qualified name, must not end in trailing dot
      (see section 5.2.5 of rfc1123).

  Since the above clearly has a trailing dot, that's why it's invalid

23)Try the MaxMessageSize option, e.g. in your m4 file:

 define(`confMAX_MESSAGE_SIZE', `5000000')dnl

will set the limit to 5000000 bytes. See the KNOWNBUGS file that comes
with the source for some additional subtleties.

24)You can find your all In & out mails achives in the Exchange sever
directories .

driveletter : exchsrvr\imcdata\in\archive.
driveletter: exchsrvr\imcdata\out\archive.

It all in the text file format.

25)>sh: vacation not available for sendmail programs
>554 "|/usr/bin/vacation user"... Service unavailable

Sendmail may only execute certain programs (depends on the path of the
program) if "smrsh" is used as shell for those.

>From "man smrsh":

       Briefly,   smrsh   limits   programs   to   be   in   the
       directory /usr/adm/sm.bin,
       allowing the system administrator to choose the set of acceptable
       commands.  It also rejects any comma'd(carriageereturn),eor `0',
       `<',
       `>', `|', `;', `&', `$', `(', `)', `
       (newline) on the command line to prevent ``end run'' attacks.

       Initial pathnames on programs are stripped, so forwarding to
       ``/usr/ucb/vacation'', ``/usr/bin/vacation'',
       ``/home/server/mydir/bin/vacation'', and ``vacation'' all
       actually
       forward to ``/usr/adm/sm.bin/vacation''.
       System administrators should be conservative about populating
       /usr/adm/sm.bin.  Reasonable additions are vacation(1),
       procmail(1),
       and  the  like.   No matter how brow-beaten you may be, never
       include any shell or shell-like program (such as perl(1)) in
       the sm.bin directory.
       Note that this does not restrict the use of shell or perl scripts
       in the sm.bin directory (using the ``#!'' syntax); it simply
       disallows execution of arbitrary programs.

26)Another aliasing problem
    I'm having a strange problem with setting up aliases to send to
> : multiple addresses.  My aliases file works fine if I only list one
> : recipient that it should go to, but if I have, say:
> : allusers: user1, user2
> : for some reason the mail only gets sent to user2.  It is always the
> : last person in the list that receives it.  Has anyone else had this
>
> Have you tried leaving out the space after the comma, so :
> allusers: user1,user2

Unless something major is wrong this shouldn't change anything.
Sendmail strips out spaces...

Does it do this for *any* values of user1 and user2?  Does it do this
if user1 and user2 are foreign addresses?  Test it...

The reason I ask: If user1 and user2 end up equating to the same
address string (the samde character string for final delivery), only
one copy will be sent.  To give an example,  if user1 has this in his
..forward

"|procmail"

and user2 has the same in her .forward, only user1 will get mail sent
to this list. That's why you're instructed to put a comment or command
argument or somethhing to differentiate such things, for example

"|procmail #user1"

and

"|procmail #user2"

27)> Can anyone tell me how to stop sendmail adding a "content-type" header
> entry to messages that it receives without one ?

This is controlled using the "EightBitMode" option (or "8", for old cf
files.)  From the manual:

EightBitMode=action
          [8]  Set  handling of eight-bit data.  There
          are  two  kinds  of  eight-bit  data:   that
          declared  as  such  using  the BODY=8BITMIME
          ESMTP declaration or the -B8BITMIME  command
          line  flag,  and undeclared 8-bit data, that
          is, input that  just  happens  to  be  eight
          bits.  There are three basic operations that
          can happen: undeclared  8-bit  data  can  be
          automatically  converted  to 8BITMIME, unde­
          clared 8-bit data can be passed as-is  with­
          out  conversion  to  MIME (``just send 8''),
          and declared 8-bit data can be converted  to
          7-bits  for  transmission  to a non-8BITMIME
          mailer.  The possible actions are:

                s Reject undeclared 8-bit data (``strict'')
                m Convert undeclared 8-bit data to MIME (``mime'')
                p Pass undeclared 8-bit data (``pass'')

          In all cases properly declared 8BITMIME data
          will be converted to 7BIT as needed.

28) > Some of my users have complained that their email msg gets chopped up
> into separate lines, each line terminating with a '=' character. I don't
> believe it's a problem with sendmail.

It may be a configuration problem. If you use the esmtp mailer (the
default), if you try to send mail to a version of sendmail without ESMTP or
one configured not to accept 8BITMIME (an ESMTP extention), your sendmail
will convert all mails into Quoted Printable.

That means -- among other things -- that lines longer than 74 characters
(from memory) are truncated and '=\n' put at the end of the end to mark an
incomplete line.

If you want to disable QP encoding use the following in your .mc file:

define(`confSMTP_MAILER', `smtp8')dnl

before including

MAILER(smtp)
--

29)  is there a better programm to generate mail statistics than "mailstats"
> for solaris 2.5.1 or 2.6 on a sun?!

    There's a program written by Bryan Beecher called "smtpstats" which
analyzes syslog information.  See
ftp://ftp.his.com/pub/brad/sendmail/smtpstats.  It has a companion
called "popstats" (also from Bryan Beecher) at
ftp://ftp.his.com/pub/brad/sendmail/popstats.

30)If you just want to block access from a particular IP address, you could use
> >the "route" command to route anything destined for that IP address to an
> >unassigned IP address.  This is sort of a "trick" being used in an antispam script I
> >found called  "spamshield" by Kai Schlichting (kai@abest.com).  You end up doing something
> >like:
> >route add -host <spammer-IP> -gateway <unassigned-IP> -reject

31)> Is there a way to check is a host have a reverse DNS and if
>not block that host to send e-mail using the check_relay rule?

Yes.

> I'm using sendmail 8.8.7?

See my HACKs for an example, it's the option:

_DNSRELAY_
     check whether client_name resolved to a host name or an IP address,
     temporarily refuse the mail if it is an IP address.
     used by: check_mail3.m4
     not recommended, may cause problems with some relay hosts

http://www.informatik.uni-kiel.de/%7Eca/email/check.html
                ('%7E' is the required encoding for '~')

You can put those rules also in check_relay.

32)If you set the RunAsUser option in sendmail.cf, the /var/spool/mqueue
directory needs to be owned by the RunAsUser user. Otherwise, the
Sendmail docs say that it needs to be owned by root. FWIW, CERT
recommends that the permissions on /var/spool/mqueue be 0700. The
Sendmail book by Costales (with Allman) also recommends this and says
that /var should be 0755 and /var/spool should also be 0755, both owned
by root.

33)Using sendmail 8.9.1 is it possible to masquerade an entire domain
expect for a few specific hosts? I know you can use the EXPOSED_USERS
feature to expose certain users from the masquerade. But I have not been
able to find something similar for hostnames.

>Here is the relevant section of my .mc file:
>--
>MASQUERADE_AS(domain.com)
>FEATURE(masquerade_entire_domain)
>MASQUERADE_DOMAIN(domain.com)
>MASQUERADE_DOMAIN(domain2.com)
>MASQUERADE_DOMAIN(domain3.com)
>--
>I thought about using the limited_masquerade feature, but that would be
>a nightmare to maintain.
>
>I did find a post that some came up with to hack around this problem:
>http://x11.dejanews.com/getdoc.xp?AN=292419838&CONTEXT=901236509.1935737000&hitnum=0
>
>However, I'd like to have something that can be kept in an m4 file for
>future changes.
>
>Thanks!
 

I came up with the following local feature some time ago, which may
be close to what you want.  It will "collapse" the specified domains,
removing any host and sub-domain information from _all_ addresses (Note
that I do this in Ruleset 3).  This is different than MASQUERADE_AS
and friends, because it preserves the domain (ie, davburns@foo.cat.pdx.edu
becomes davburns@cat.pdx.edu, while davburns@bar.ee.pdx.edu becomes
davburns@ee.pdx.edu) instead of using $M.

-- feature/collapse.m4
define(`EXPOSE_HOSTS',`
C{exposed_hosts}$*')
define(`COLLAPSE_DOMAINS',`
C{collapsed_domains}$*
Cw$*')

LOCAL_RULE_3
R$*<$*>$*                       $: $>collapse $1<$2>$3  Try to collapse domains

LOCAL_RULESETS
Scollapse
R$=E<@$*>$*                             $@ $1<@$2>$3    Exposed user
R$*<@$={exposed_hosts}>$*               $@ $1<@$2>$3    Exposed host
R$*<@$*.$={collapsed_domains}>$*        $@ $1<@$3>$4    Collapse domain
---

I reference this from a domain file, but you could do a .mc like this:

---
DOMAIN(seas)dnl
MASQUERADE_AS(ee.pdx.edu)dnl
FEATURE(collapse)dnl
COLLAPSE_DOMAINS(ee.pdx.edu)dnl
COLLAPSE_DOMAINS(cat.pdx.edu)dnl
COLLAPSE_DOMAINS(seas.pdx.edu)dnl
EXPOSE_HOSTS(pager.cat.pdx.edu)dnl
EXPOSE_HOSTS(speak.cat.pdx.edu)dnl
EXPOSE_HOSTS(spew.ee.pdx.edu)dnl
EXPOSE_HOSTS(figaro.ee.pdx.edu)dnl
EXPOSED_USER(root)dnl
EXPOSED_USER(daemon)dnl
----

(The MASQUERADE_AS is used only for unqualified names like <davburns>.)

34)You may turn on aliasing for ANY mailer.

Just make sure that F=A flag is set for every
"official address" domain delivery agent.

after that it is simple :-)
/etc/aliases:
robert.reitenbach@tto.de: robert

Don't forget:
1) restart sendmail after making any changes to /etc/sendmail.cf
2) run newaliases after making changes in /etc/aliases.

35)Restricting Mail sizes
If you need only few sizes try the following:

Multiplicate your smtp mailer definition (/etc/sendmail.cf),
name them smtp1, smtp2, smpt3 ... .
Set max message size limit for every new mailer (M=XXX).
Use mailertable to specify mailer for domains e.g.

/etc/mailertable:
..  smtp:%1%0
domain1.dom smtp1:domain1.dom
domain2.dom smtp2:domain2.dom

single dot is for default

36) How can I make non local users alias
Set F=A flag for the apropriate delivery agent
/etc/aliases
usr@x.y.z: me

If mailer for x.y.z has F=A flag set you have what you want

37)I would like to allow only authorized people to use my mail
>server as relay. The best solution would be if i have not a account
>or a valid alias on the mail server the mail to outside will be
>rejected.

You may try my hacks, at least they should give you an
impression how to accomplish this task.
It's the option:

_CHECK_LOCALUSER_
     activate the check whether the local address of the sender appears in
     passwd or aliases, i.e., if a mail is sent with the local domain
     attached (@$=w), then the local part of it must appear in passwd or
     aliases. This denies at least sending with not-existing usernames etc.
     Of course it does not disable to send mails with other names or faked
     addresses.
     Warning: if you have multiple alias files, you have to specify all but
     the first again. For example: you have

     define(`ALIAS_FILE',`/etc/aliases,/etc/maj-aliases,/etc/list-aliases')dnl

     then you have to add this:

     define(`ALIAS_FILE1',`/etc/maj-aliases')dnl
     define(`ALIAS_FILE2',`/etc/list-aliases')dnl

     (this has been changed on 1997-12-23).
     Multiple alias files may cause a warning with some m4 versions:
     ../hack/check_mail3.m4:47: m4: Warning: Excess arguments to built-in
     `define' ignored
     Geoff Gibbs pointed out that nisplus in Solaris 2.x (5 and 6 at least)
     requires a line like this:

     Kchkalias1 nisplus -m -a@LOCALUSER mail_aliases.org_dir

     This can be now defined in the normal version.
     used by: check_mail3.m4
     recommended

38)>Most of these "roaming" users come in from a small number of small
>(size) domains. So, I thought that an interim solution would be to
>create an access db and just list the domains/ip addresses in there,
....

>And my access db file (at this point) looks like this:

>stephen@ourdomain.net             RELAY

>ourdomain.net                     RELAY

>At this point, I think I must be missing some fundamental thing about
>using the access db. But I don't know what? Can anyone help??

The access map entries for RELAY work only for the connection
information, not for MAIL FROM (the envelope sender).

So
>stephen@ourdomain.net             RELAY
won't help anything for relaying.

However, if
stephen@ourdomain.net
connects from a system within
ourdomain.net
then relaying should be allowed.
Does this work?
If it doesn't, see:
http://www.informatik.uni-kiel.de/%7Eca/email/chk-dbg.html

If you want to turn on relaying based on the envelope sender,
you need to add a small hack, e.g., from
http://www.informatik.uni-kiel.de/%7Eca/email/chk-89.html

39) have diald installed on my linux box that does ip masquerading. diald
> dials when a user wants to use the internet, but how can I have outgoing
> messages not trigger diald, but instead go somewhere and wait until
> diald connects for other reasons. (I'm trying to minimize unnecessary

Mark SMTP mailer as "Expensive" in your sendmail configuration. If you
use mc, just add

define(`SMTP_MAILER_FLAGS', `e')
 

You will also have to start sendmail daemon without a -q (queue)
parameter, just
"daemon sendmail -bd" in /etc/rc.d/init.d/sendmail script.

Then you can invoke sendmail (sendmail -q) from diald's ip-up script
every time the PPP link goes up.

40)How can I add subject to an e-mail
Put the subject in the "Email" file, followed by a blank line, like:

------------------------
Subject: An example of a subject line.

Blah blah, grommish grommish, rhubarb rhubarb.  Text text text...etc.
-----------------------------------

The blank line is important.  Sendmail will put that line in the headers as
the "subject."
 
41) can someone please tell me what the xdelay= means coming out of syslog.

According to my reading of the source code (for v8.8.8), it's the
elapsed time between when Sendmail started delivery attempts for
the message and when it successfully delivered the message to the
recipient listed in the to= field.

The delay= field shows the time elapsed from receipt of the message,
which can be longer than the xdelay if the message sat in the queue
for a while.  You'll often see differences in delay and xdelay when
the message has multiple recipients, or if the message was received
when the load average was high enough to make Sendmail queue the
message for later delivery.

42)Is there a way to keep outsiders from using the aliases I have created?
 

I implemented the following hack exactly for that purpose when our
internal distribution lists got hit by spam. I'm sure it could be
easily adapted to meet your needs.

Add the following to your m4 master configuration file:

#
LOCAL_CONFIG
Kprivate hash -o /etc/private.db
Kprivateok hash -o /etc/privateok.db
#
LOCAL_RULE_0
#
Scheck_rcpt
# check recipient. Let it through unless it's a private address
# (possibly with host or local domain attached to it)
R$*   $: $>3 $1
R$-   $: $(private $1 $: OK $)
ROK   $@ OK non-private @ local
R$* < @ $* $=m . > $* $: $(private $1 $: OK $)
R$* < @ $* > $*  $@ OK someone @ somewhere
ROK   $@ OK non-private @ here
# if private, check the sender (f macro). If the sender is local, let it
# through. The <@> and << >> hack is ugly, but I couldn't come up with a
# better way to treat user.something as a single token (any suggestions?)
RPRIVATE  $: $>3 $(dequote "" $&f $)
R$*   $: $1 <@>
R$* < @ $+ > $* < @ > $: $1 << @ $2 >> $3
R$+ < @ >  $@ OK sender @ here
R$* << @ $* >> $* $: $1 < @ $2 > $3
R$* < @ $* $=m . > $* $@ OK address @ domain
# not a local sender. Get the relay (client_name)...
R$* < @ $+ . > $* $: $1@$2 $| $>3 @ $(dequote "" $&{client_name} $)
# a particular sender through a valid relay is ok
R$+ $| $* < @ $+ . > $* $: $(privateok $3:$1 $: $1 $) $| $3
ROK $| $*  $@ OK relay: user@host
# anyone from a given host/domain from a valid relay is also ok
R$-@$+ $| $+  $: $2 $| $3
R$+ $| $+  $: $(privateok $2:@$1 $: notOK $)
ROK $*   $@ OK relay: @host
# the rest can go to hell
R$*   $#error $@ 5.7.1 $: "571 private address."

The private map's keys are the list of private addresses with value PRIVATE:

list1 PRIVATE
list2 PRIVATE

The privateok keys are of the form relay:sender or relay:@host with values
OK:

relay.at.some.where:someone@some.where.else OK
relay.at.some.where:@its.ok.too   OK

You can test the rules by invoking the test mode and predefining the
client_name and f macros with different combinations and then calling
the check_rcpt rule with the recipient's address.

43)What is the best way to keep a logfile of all emails that went through a mail relay machine
(header and body)?

sendmail -bd -X

44)How can I disable the DNS lookup on the sender's email address in
> sendmail in sendmail.cf (I don't use m4)?

You should use m4.

Anyway, find the lines in the rewriting rules that say $[...$] and delete
them.

ifdef(`_NO_CANONIFY_', `dnl', `dnl
# try UUCP traffic as a local address
R$* < @ $+ . UUCP > $*          $: $1 < @ $[ $2 $] . UUCP . > $3
R$* < @ $+ . . UUCP . > $*      $@ $1 < @ $2 . > $3')
')')
ifdef(`_NO_CANONIFY_', `dnl', `dnl
# pass to name server to make hostname canonical
R$* < @ $* $~P > $*             $: $1 < @ $[ $2 $3 $] > $4')

45)Is there a way (There always is but an easy one) to get sendmail to
 reject a message that's over say.. 30mb big?

If you have a fairly recent sendmail with an m4 configuration file you
can add the following to your sendmail.mc file and then regenerate the
sendmail.cf file:

For mail coming in via SMTP (limit to 10,000,000)

  define(`confMAX_MESSAGE_SIZE',  `10000000')dnl

For mail coming in via UUCP (you don't need this if you have only an SMTP
connection):

  define(`UUCP_MAX_SIZE',         `10000000')dnl

If you don't use an mc file you can edit the sendmail.cf file directly, the
relevant lines are:

  # maximum message size
  O MaxMessageSize=10000000

and for UUCP add M=10000000 to the mailer definitions.

46)...newaliases was run automatically by sendmail whenever needed.
 Is it possible to configure 8.9.1 as to restore this behavior?

Add the following line to your sendmail.mc file and regenerate sendmail.cf

  define(`confAUTO_REBUILD',     `True')dnl

You may want to read the file cf/README in the sendmail distribution for
information about this and other options you can define in sendmail.mc.

47)Is it possible to redefine - presumably by some extra parameter in a
>mailer definition -the port to which sendmail connects when performing delivery. i.e. make
>it different from port 25.

Yes, you can do this via the A= declaration - see e.g.
http://www.dejanews.com/getdoc.xp?AN=352619898

48)HTML mails with sendmail

Add 'MIME-Version: 1.0'  in ur sendmail.cf file.

49)Many users at our site use PC based mail programs to read and send
>mail. Some of them manage to enter incorrect From addresses into their
>configuration. I want to catch them already in the MAIL FROM command.

This is integrated in my HACKs for 8.8:

_CHECK_LOCALUSER_
     activate the check whether the local address of the sender appears in
     passwd or aliases, i.e., if a mail is sent with the local domain
     attached (@$=w), then the local part of it must appear in passwd or
     aliases. This denies at least sending with not-existing usernames etc.
     Of course it does not disable to send mails with other names or faked
     addresses.
     Warning: if you have multiple alias files, you have to specify all but
     the first again. For example: you have

     define(`ALIAS_FILE',`/etc/aliases,/etc/maj-aliases,/etc/list-aliases')dnl

     then you have to add this:

     define(`ALIAS_FILE1',`/etc/maj-aliases')dnl
     define(`ALIAS_FILE2',`/etc/list-aliases')dnl

     (this has been changed on 1997-12-23).
     Multiple alias files may cause a warning with some m4 versions:
     ../hack/check_mail3.m4:47: m4: Warning: Excess arguments to built-in
     `define' ignored
     Geoff Gibbs pointed out that nisplus in Solaris 2.x (5 and 6 at least)
     requires a line like this:

     Kchkalias1 nisplus -m -a@LOCALUSER mail_aliases.org_dir

     This can be now defined in the normal version.
     used by: check_mail3.m4
     recommended

http://www.informatik.uni-kiel.de/%7Eca/email/check.html
                ('%7E' is the required encoding for '~')

50)Yesterday I noticed that our server stopped receiving SMTP requests on port 25
>when the load on the machine reached 32. I was viewing the load through the
>perfmeter utility on Solaris. As soon as the load dropped below 32 it started
>recieving requests again.?

This is normal behaviour. Check the sendmail.cf, it has something similar
to:

# load average at which we just queue messages
Ox8

# load average at which we refuse connections
OX12
 

51)Took a while to notice it, since the other rulesets I swiped from Wolfgang's
} web page have been catching most of the spam (thanks Wolfgang!).  But it turns
} out that sendmail is making no use of the access map.  I ran sendmail -bt to
} see what it thought it was doing:
}
} > /map access.db friend@public.com
} Map named "access.db" not found
}
}Yes, I did makemap hash /etc/mail/access.db </etc/mail/access.  The
} line in the .mc file is FEATURE(access_db, `hash -o /etc/mail/access.db').
} Running 8.9.1 on RedHat 5.1.  It's all very annoying because I know after
} spending the last week searching the bat book and the expert web pages, one of
} you brains is going to say "Oh, you just need to do this," and it will work.

Actually, you've done everything correctly, except that the map is referred to
as just "access" internal to sendmail, not "access.db".

52) >Does ETRN use MX records?

ETRN in sendmail simply starts queueing for the domain
that is given as parameter, so the answer is: yes.

See the RELEASE_NOTES:
    Implement ESMTP ETRN command to flush the queue for a specific host.
        The command takes a host name; data for that host is
        immediately (and asynchronously) flushed.  Because this shares
        the -qR implementation, other hosts may be attempted, but
        there should be no security implications.  Implementation
        from John Beck of InReference, Inc.

or read RFC 1985.

53)       Can anyone comment on the protocol
 legality of MAIL FROM: <>, and what might break if
 it was not allowed?  Please CC: me in any
 responces.

    http://www.faqs.org/rfcs/rfc821.html

</section 3.6>

54)  I've been looking for some time for information on the ETRN command,
> and how to set it up within sendmail 8.9.x.
>
> I've looked on www.sendmail.org and can't seem to find any
> information. Can anyone direct me to a site that has either a FAQ or
> further info on how to set it up?

http://www.sendmail.org/faq/section3.html#3.23
http://www.sendmail.org/faq/section4.html#4.12
http://www.swinc.com/resource/exch_smtp.htm

55) Does anyone know where i can get a program that will strip email addresses
>from an html file.

Try visiting
http://www.senate.gov/~murkowski/commercialemail/EmailBillText.html and
reading very carefully.

56) want to run sendmail in a mode where it will only take messages, place
>them into the queue, and send them out, without attempting
>local delivery.  This is for a box that will only do relaying from
>a Lotus cc:Mail or Notes system.

I just did this for an Exchange server. (it just came up today as a
matter of fact!)

I used the following MC file (based on tcpproto.mc)

divert(0)dnl
VERSIONID(`@(#)odc-tcpproto.mc  8.10 (Ohio Dominican) 8/4/98')dnl
OSTYPE(linux)dnl
FEATURE(local_procmail,`/usr/bin/procmail')dnl
define(LUSER_RELAY,`exchange.odc.edu')dnl
define(MASQUERADE_AS,`odc.edu')dnl
FEATURE(relay_entire_domain)dnl
FEATURE(access_db)dnl
FEATURE(use_cw_file)dnl
MAILER(smtp)dnl
 

The LUSER_RELAY sent any mail that wasn't for a local user to my
Exchange server.  The access_db feature allowed me to choose what
hosts to allow relay (for outgoing mail from my exchange server).  The
use_cw_file feature allowed me to tell sendmail that mail for the
following domains (odc.edu, exchange.odc.edu) were local domains in
addition to the localhost domain (name of the sendmail box).

This probably isn't optimal; but it's working...

Good Luck!

Arron
 
57) >I would like to set a limit in the number of recipients that a message can
>reach (for anti-spamming considerations), but I haven't found any variable
>in sendmail.cf suitable for that.
>
>    I see in /var/log/syslog that the number of recipients (nrcpts) appear.

It's in sendmail 8.9.1, ftp://ftp.sendmail.org/pub/sendmail.

O MexRecipientsPerMessage or something like that. By the way, you should
use m4 and not edit sendmail.cf.

58)
> Is there any directory program for Linux so i can have the  same
> funcionality as in NT Exchange server with the adress book?
>
>
Yes.

You can load and compile the LDAP 3.3 server distribution, and create an
LDAP
database.

If you use a mail client like Outlook 98, and check the "check mail
addresses with this directory server" then it will query the LDAP server
and rewrite the e-mail address to the correct address, or give you a choice
of correct addresses.

If anyone wants detailed instructions on how to set this up, mail me at
tedm@toybox.placo.com

Ted

59)I've got a question with Sendmail 8.9.1 and mail relaying.
>*>
>*>I'm trying to set up relay protection based on the relay_local_from
>*>feature.  We provide e-mail services for a wide variety of customers
>*>unfortunately most of them relay mail off our server from a variety of
>*>other Internet providers.  I wanted to verify that the "mail from"
>*>address matched either a list of domains that would be approved "mail
>*>from" domains (not the domain their connection is coming from, but just
>*>the domain specified in the mail from header).
>*>
>*>I added the following two lines to the .mc file and created the .cf file
>*>
>*>for sendmail...
>*>
>*>FEATURE(relay_local_from)
>*>FEATURE(relay_entire_domain)
>*>
>*>I also have the following specified in the sendmail.cf file;
>*>
>*># Hosts that will permit relaying ($=R)
>*>FR-o /etc/mail/relay-domains
>*>
>*>and /etc/mail/relay-domains exists and lists all available mail domains.
>*>
>*>However, I still cannot relay mail from an authorized source email
>*>"domain"..
>*>
>*>Can anyone catch anything I'm doing incorrectly?
>*>
>*>Thanks in advance.
>*>
>*>

60)  in a quite complex environment I need to do some port redirection
> based on recipient domains. That means : if a mail is received on port
> 25, that is intended to go to firm.mx, it needs to be relayed through
> and sent to port xyz of a screening router, a mail heading to firm.es
> however should be sent out to the same router but with a different
> destination port.
>
> Any ideas ?
>

You could do this with a custom mailer and the mailertable.

Here is the mailer (in M4 format)
 MAILER_DEFINITIONS
 ##################################################################
 ###   SMTP to a specific port on a host mailer specification   ###
 ##################################################################
 Mportredirect,  P=[IPC], F=mDFMuXa, S=11/31, R=21/31, E=\r\n, L=990,
                T=DNS/RFC822/SMTP,
                A=IPC firewall.gadget.com $h
        ^^^^^^^^^^^^^^^^^^^

It is simply the esmtp mailer definition with a new name, portredirect, and
a modified A= line.  I have added a specific host between IPC and $h.  This
means that $h will be a port number rather than a host to connect to.

You would then add entries in the mailer table of the form:
 gadget.com portredirect:26

This would cause mail for user@gadget.com to be delivered to port 26 on host
firewall.gadget.com

If you want to connect to the local host remember to add the "k" mailer flag
to the F= field to disable the local loopback test.  If you do not do
this you will get the error message:
 554 MX list for gadget.com points back to gadget.gadget.com
 554 harker@gadget.com... Local configuration error

Hope this helps

RLH
 

Paul,

I alsop am a small ISP and we have many domains that we allow people
to relay to and from. In our case, we have this in our .cf file:

#
# This will deny relay spamming by checking entries in /etc/relayto
# and /etc/localip
#
F{LocalIP}      /etc/localip
F{RelayTo}      /etc/relayto
Scheck_rcpt
R$+                     $: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*                $@ ok                   no client addr:
directly invoked
R$={LocalIP}$* $| $*    $@ ok                   from here
R$* $| $*               $: $>3 $2
R$*<@$*$={RelayTo}.>$*          $>3 $1 $4
R$*<@$+>$*              $#error $@ 5.7.1 $: 571 WebCC does not relay,
see http://www.webcc.net/aup.htm#
 

This checks two files on our system. The first is a list of domains we
will accept mail for. This is /etc/relayto and has one domain listed
on each line. (ex: webcc.net)

The other file is a list of IP blocks we will allow to relay to
domains outside of our network. For example, all of our dial-up IP
addresses are listed in this file in addition to some offsite servers
and clients that use other providers but send mail through us.

Hope this helps you out.
 

61) Is there a way to make virtusertable lookups faster?  We are already using
> sendmail 8.9.x and DB2 with a hash map but our virtusertable has grown
> very large.  We are already using dedicated MX mail servers in a dual
> round-robin DNS configuration.
>
> Would it be worth splitting up virtusertable into domain-specific maps and
> telling sendmail to look up a virtusertable map depending on the domain?
>
> I'd say we're already at 100,000 entries in virtusertable.
>

How do you know that the virtusertable is you bottle neck?  My guess is
that it is not.  From a posting I made today on a related subject:

    As a note, there is very little performance impact of large databases.
    Sendmail does not sequentially search the database, but instead uses
    the database's hash algorithm to find an index address.  It then checks
    that index address in the data file and returns the result.  If a null
    string is returned then sendmail knows that a match will not be found.
    If a string is returned, then sendmail uses this as the matching
    value.  If there is contention for the index address, then other stuff
    happens.  But this does not happen for a significant number of the
    index addresses.  The bottom line here is that most database (ndbm or
    db hash) queries take a single disk operation reguardless of
    database size.

So size of the database should not be a major issue.  Building a large
database does take longer, but the lookup time should remain the same.
Breaking the virtusertable up into multiple smaller tables would not
improve performance in my opinion.  I would expect that if anything, it
would decrease performance because of the extra database file opens and
closes.

If you are concerned about performance there are other areas that I would
look at:

Does each area of disk activity have its own private disk drive?
Disk heads are the first point of contention on a sendmail system.
 mqueue
 /var/log
 The OS itself, root, /usr, and swap
 /var/spool/mail
 poptemp   if it is a pop server
 .hoststat  if persistent host status is used
 /etc/mail  for database lookups

Do you have enough physical memory?
Being short of memory impacts disk I/O as you page and swap

If you are using narrow SCSI use either:
 2 disks per controller
 Upgrade to ultra wide SCSI with 4/8 disks per controller

Are you using RAID?
Stripe mqueue across all of the disks using the outer most cylinders.
 

All of the above is what I call "heuristic performance tuning" in that
I am simply using common sense and a knowledge of what sendmail does
to define some potential bottle necks.  Disks, controllers, and memory
are relatively cheap these days.  A little bit of reconfiguration can
go along way in improving performance.

If you want to get more esoteric here are some more things to think about:
More RAID, more spindles, more controllers, more cache, faster bus
 connection to the CPU backplain

What is the bus architecture of the server?
 If it is a PC you should be looking at 100 MHz PCI (and BX chip
  sets on the mother board, I think?)
 If it is Sun Ultra 1, 2, and 450 have better busses
  than Ultra 5, 10, 30, and ss 5, 10, and 20

If you are trying to speed up the database lookups you could move
them to a RAM disk and touch and rebuild the database(s) every time
the system reboots.

Put the mqueue directory on a battery backed up SCSI RAM disk
(expensive, but doable)

Put a prestoserv NFS accelerator before the mqueue, mail, poptemp,
 and hoststat partitions to speed up disk writes.

On the software side, one of the biggest improvements is to keep the number
of messages waiting to be delivered in the mqueue directory small.  Either:
 Paul Pomes re-mqueue.pl script in the contrib directory of the
  sendmail release
 Or my reque mailer that I cover in my class "Managing Internet Mail"

Another thing I have thought about is storing the "xf" temporary files
in a different location from the "qf" and "df" files.  This would allow
the "xf" file to be kept on a tempfs RAM disk partition (more memory).
The "xf" file is the most active set of files on a sendmail server.
One is created for each delivery attempt for each recipient host.  They
also are totally temporary.  If the server is rebooted or sendmail
restarted, the old "xf" files are never used again so the fact that the
tempfs goes away on a reboot is not a problem.

I am also posting this to comp.mail.sendmail to get more feedback.
Hey guys and gals, anything I missed, anything out to lunch?

Hope this helps

RLH

62)>Got a slight problem here with makemap and spam
>rules in /etc/mail/access.
>
>My setup is a Sparc 20 running Solaris 2.5.1 with
>sendmail 8.9.1a.
>
>After adding
>        FEATURE(relay_entire_domain)
>        FEATURE(access_db)
>all hell broke loose.
>
>When I try to fire up sendmail I get
>        readcf: map access: class hash not available
>

I had this too: reason is 1) a missing NEWDB -package and 2) after installing
it, I had do add -L/usr/local/lib and -I/usr/local/include. Now 'Build' could
find the libdb.a und the *.h files and everything was fine

63)I've allways wondered about this topic, and all I can find at newsgroups is
> just the same questions, without a good solution, Sorry if this question
> has allready been discussed , But I couldn't found any answers so far...
>
> here it goes:
>
> I need to restrict users mailbox, ie: 10 Mb per user, I heard quotas are not a
> good way to do this.
>
> Another thing I'd like to do is to restrict the maxium message size for smtp.
> at the sendmail.cf i've found the option to do this, but it applies for all
> local connections & connections comming from the internet, I'd like to set
> different values for each.. and if possible, restrict maxium message size per
> USER account. is this possible at all?

1) remove F=m flag from local delivery agent specification

2) replace local mailer program in sendmail.cf by your wrapper script
When mailbox size is ok it calls the original delivery agent.
When its too big it exits with the appropriate exit code chosen from
<sysexits.h>

Sample delivery agent script:
The Bat Book 2nd ed. chapter 24.3

64)Re: dbm map "alias0": unsafe map file /etc/aliases
]What does this error mean.

See the README file:

+-----------------------+
| DIRECTORY PERMISSIONS |
+-----------------------+

Sendmail often gets blamed for many problems that are actually the
result of other problems, such as overly permissive modes on directories.
For this reason, sendmail checks the modes on system directories and
files to determine if can have been trusted.  For sendmail to run
without complaining, you MUST execute the following command:

 chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
 chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
 
 

run sendmail -bi -d44.4 for more info.

65)
 

 
 
 

 

****************************************************************************************************