Options for the HACKs for check_* in sendmail 8.8
Last Update 2003-02-22
Introduction
The HACKs for the check_* rulesets in sendmail 8.8 have several options, which are listed and explained here. Only the HACKs check_mail3.m4, check_rcpt4.m4 and check_relay3.m4 are considered here; other versions should not be used anyway.
(1998-01-01) The rules have been rewritten and restructured. The rulesets junk and junkIP have been moved to a separate file: junk.m4. There is also a first attempt to create generic rulesets for these: DomainMap and IPMap, which get the name of a map as parameter. The check_* rulesets will be subsequently rewritten to make use of them.
Next, a list of options is given with a short explanation. Based on the 8.9.0 release notes, a short comment is added to those options which are available directly as FEATUREs in sendmail 8.9.0.
_ACCEPT_SOME_
- accept some addresses without checking them. Optional parameter: type and location of the map, default:
  _CHECK_MAP_TYPE_ -o -a@ACCEPT /etc/mail/accept
- used by: check_mail3.m4
- (part of sendmail 8.9)
ALIAS_1
- can be used in conjunction with _CHECK_LOCALUSER_ to define another alias file, e.g.,
  nisplus -m -a@LOCALUSER mail_aliases.org_dir
- used by: check_mail3.m4 (introduced in version 3.9.6, 1998-02-15).
- (thanks to: Geoff Gibbs)
_ALLOW_NOT_FQHN_
- allow hostnames that are not fully qualified in MAIL FROM
- used by: check_mail3.m4 (introduced in version 3.9.4, 1998-01-25).
- (suggested by: Didier Lamballais)
- (part of sendmail 8.9)
_ALLOW_SOME_
- creates a `backdoor': it allows relaying also based on the envelope from address (given in MAIL FROM:). Optional parameter: type and location of the map, default
  _CHECK_MAP_TYPE_ -a@ALLOWED /etc/mail/allow
- used by: check_rcpt4.m4
  not recommended, use only if really required.
- (part of sendmail 8.9, but with restricted functionality; same functionality is available with additional rules.)
_CHECK_ALL_RCPTS_
- further extended version of _CHECK_RCPT_USER_ (which must be defined, too): check all recipient addresses against the forbrcpt map.
- used by: check_rcpt4.m4 (introduced in version 3.1.8, 1998-03-22).
- (Suggested by: Jack Snodgrass)
- (part of sendmail 8.9)
_CHECK_FROM_
- perform validity check of FROM address: it must
  - be enclosed in brackets,
  - have an @,
  - have no dot at the end.
- used by: check_mail3.m4
- (a similar feature is available in sendmail 8.9)
_CHECK_FULL_FROM_
- match the FROM address against the junk database in full. This makes it possible to catch addresses like
  <@some.relay:lamer@spammer.com>
- used by: check_mail3.m4 (introduced in version 3.8.7, 1997-12-30).
- (part of sendmail 8.9)
_CHECK_HELO_
- check HELO ($s) against junk map; prepend _MARK_HELO_ (default: HELO) (so the map entry can be HELO@spammers.site or just spammers.site)
- used by: check_mail3.m4 (introduced in version 3.9.8, 1998-04-06).
- (Suggested by: Harlan Stenn)
_CHECK_IP_IN_MAIL_
- check ${client_addr} against junk map; append _MARK_NET_ (default: :net) (so the map entry can be IP.AD.DR.ESS:net or just IP.AD.DR.ESS)
- used by: check_mail3.m4
_CHECK_LOCALADDR_
- if the connecting host has a client_addr within the LocalIP range, the domain part of the address must be one of those given in the map, default:
  _CHECK_MAP_TYPE_ -o -m -a. /etc/mail/AllowedDomains
  Warnings: this does not work if your users forward their mail to external sites; LocalIP must be defined.
  Andy Harper wrote a very complete and highly configurable set of check_ rulesets which use a configuration map to deal with this problem.
- used by: check_mail3.m4 (introduced in version 3.8.8, 1997-12-31).
_CHECK_LOCALPART_
- check local part of FROM address against keys in the junk database. Useful for entries like:
  FREE.STEALTH.MAILER@ "571 go away spammer."
- used by: check_mail3.m4 (introduced in version 3.9.5, 1998-02-06).
- (part of sendmail 8.9)
_CHECK_LOCALSUBDOMAINS_
- only available in conjunction with _CHECK_LOCALADDR_; it will allow subdomains of allowed domains too.
- used by: check_mail3.m4 (introduced in version 3.8.8, 1997-12-31).
_CHECK_LOCALUSER_
- activate the check whether the local address of the sender appears in passwd or aliases, i.e., if a mail is sent with the local domain attached (@$=w), then the local part of it must appear in passwd or aliases. This at least prevents sending with non-existent usernames. Of course it does not prevent sending mail with other names or faked addresses.
  Warning: if you have multiple alias files, you have to specify all but the first again. For example: you have
  define(`ALIAS_FILE',`/etc/aliases,/etc/maj-aliases,/etc/list-aliases')dnl
  then you have to add this:
  define(`ALIAS_FILE1',`/etc/maj-aliases')dnl
  define(`ALIAS_FILE2',`/etc/list-aliases')dnl
  (this has been changed on 1997-12-23).
  Multiple alias files may cause a warning with some m4 versions:
  ../hack/check_mail3.m4:47: m4: Warning: Excess arguments to built-in `define' ignored
  Geoff Gibbs pointed out that nisplus in Solaris 2.x (5 and 6 at least) requires a line like this:
  Kchkalias1 nisplus -m -a@LOCALUSER mail_aliases.org_dir
  This can now be defined in the normal version.
- used by: check_mail3.m4
  recommended
_CHECK_MAIL_IN_RCPT_
- defines Scheckmail instead of Scheck_mail in all supplied check_mail*.m4 versions and calls checkmail after check_rcpt. This option is only useful in connection with _SPAM_FRIENDS_ or _MAP_SPAM_FRIENDS_.
- used by: check_rcpt4.m4
- This option has a bug.
_CHECK_MAILx_
- (x in 1,2,3) add three hooks Schk_mailx into the check_mail ruleset.
  - at the start
  - after calling S3
  - at the end
- used by: check_mail3.m4 (introduced in version 3.9.5, 1998-01-31).
- (suggested by: Andy Harper)
_CHECK_MAP_TYPE_
- define the map type (default: dbm) for all maps used.
- used by: all check_*.m4 versions which use maps.
_CHECK_RCPT_USER_
- Check whether the recipient address is allowed to receive mail. This can be used to deny mail to local addresses. Optional parameter: type and location of the map, default:
  _CHECK_MAP_TYPE_ -a@FORBIDDEN /etc/mail/forbrcpt
  The RHS of the map may either be FORBIDDEN or an error message text.
- used by: check_rcpt4.m4 (introduced in version 3.1.0, 1997-12-29).
- (part of sendmail 8.9)
_CHECK_RELAY_IN_RCPT_
- does the same as _CHECK_MAIL_IN_RCPT_ for check_relay.
- used by: check_rcpt4.m4
_CHECK_TOPLEVEL_
- also allows top level domains to be specified as spammers/junk. Default is to check only up to the second level.
- used by: check_mail3.m4
_CLASS_W_TOO_
- use class w too if _RELAYTO_MAP_ is defined.
- used by: check_rcpt4.m4 (introduced in version: 3.1.4, 1998-01-08)
- (suggested by: Joerg Schumacher) (default in sendmail 8.9)
_DNSRELAYOVERRIDE_IP_
- allows overriding _DNSRELAY_ for some IP addresses. Optional parameter: type and location of the map, default:
  _CHECK_MAP_TYPE_ -o -m -a@MATCH /etc/mail/dnsrelovrip
- used by: check_mail3.m4 (introduced in version 3.9.5, 1998-02-03).
- (suggested by: Vivek Khera)
- (part of sendmail 8.9)
_DNSRELAY_
- check whether client_name resolved to a host name or an IP address, temporarily refuse the mail if it is an IP address.
- used by: check_mail3.m4
  not recommended, may cause problems with some relay hosts
_DNSVALID_
- perform a DNS lookup on the domain part of the envelope from address, temporarily refuse the mail if there is no A, MX, or CNAME record.
- used by: check_mail3.m4
  recommended
- (part of sendmail 8.9)
_ERR_MSG_DOM_
- Error message text for banned domains, default:
  "501 This domain is banned, contact your local admin."
  See below for a warning.
- used by: check_mail3.m4
_ERR_MSG_HOST_
- Error message text for hostname matches, default:
  "550 access from your hostname denied."
- used by: check_relay3.m4
_ERR_MSG_IP_
- Error message text for IP address matches, default:
  "550 access from your IP address denied."
- used by: check_relay3.m4
_ERR_MSG_REGEX_
- Error message text for matches against regexp, default:
  "501 spam address, go away."
- used by: check_mail3.m4
_ERR_MSG_RELAY_
- Error message text for denied relay attempts, default:
  550 we do not relay $&f
- used by: check_rcpt4.m4 (introduced in version 3.1.1, 1997-12-31)
_ERR_MSG_URRH_
- Error message for unresolvable relay host names. Default:
  "451 unresolvable relay host name [" $`'2 "]; check your reverse-IP configuration."
- used by: check_mail3.m4 (introduced in version 3.9.9, 1998-04-28).
- (Suggested by: Harlan Stenn)
_ERR_MSG_USER_
- Error message text for banned users, default:
  "501 You are banned, contact your local admin."
  Warning: if you use a comma, double quote the text, e.g.,
  define(`_ERR_MSG_USER_',``"501 You are banned, see URL for more information."'')
- used by: check_mail3.m4
_IP_LOOKUP_
- do a reverse IP lookup if the FROM address is given as user@[A.B.C.D]
- used by: check_mail3.m4
  recommended
_ISMX_
- option to use the patch (local copy) from Miquel van Smoorenburg to find out for which machines your mailserver is secondary MX and therefore should be allowed to receive mail through this server.
- used by: check_rcpt4.m4
- (part of sendmail 8.9)
_JUNK_IP_RULES_
- checks IP address of client in check_mail against junk map
- used by: check_mail3.m4 (introduced in version: 3.9.0, 1998-01-01)
- (thanks to: Peter Seebach)
_JUNK_MAP_LOC_
- define location of the junk map (so it's easier to place the map into another location without repeating map type and options)
- used by: junk.m4 (introduced in version 1.0.8, 1998-07-05).
- (Thanks to: Brad Knowles)
_LOCAL_IP_MAP_
- use a map instead of a class for LocalIP, default:
  _CHECK_MAP_TYPE_ -a@MATCH /etc/mail/localIP
- used by: check_rcpt4.m4 (introduced in version 3.1.5, 1998-01-18).
- (suggested by: Jeff Wasilko)
- (part of sendmail 8.9)
- if the RHS of the map is NO, relaying will be denied. This is useful for disallowing subnets or hosts, e.g.,
  134.245 OK
  134.245.99.100 NO
- (introduced in version 3.1.9, 1998-04-17)
- (Suggested by: Chris Thomas)
_MAPS_RBL_
- Each check_mail version was able to make use of Paul Vixie's RBL. It can have an argument which is taken as address for the lookup. Default: rbl.maps.vix.com (don't use this, it's dead!) If you change it, you probably want to define _MAPS_RBL_URL_ too, which denotes the URL for the error message.
- used by: check_mail3.m4
- (part of sendmail 8.9)
_MAPS_RBL_2_
- can be used to refer to another DNS based blacklist, and _MAPS_RBL_URL_2_ should be defined as some URL pointing to an explanation.
- used by: check_mail3.m4 (introduced in version 3.9.12, 1998-08-22).
_USE_RELAY_MAILERTABLE_
- use mailertable too to allow relaying to those systems. Optional parameter: location of the map, /etc/mailertable
- used by: check_rcpt4.m4 (introduced in version 3.1.9, 1998-06-07).
- (Thanks to: Rudolf Weber)
_MAP_SPAM_FRIENDS_
- may be used instead of the plain text files for _SPAM_FRIENDS_. Default value for the map is:
  _CHECK_MAP_TYPE_ -a@SPAMFRIEND /etc/mail/spam_friends
  Another may be used as parameter for the define (don't forget -a@SPAMFRIEND). The RHS of the map is ignored.
- used by: check_rcpt4.m4
_MARK_
- use :net, :dom, and :loc as marker to distinguish between IP addresses/nets, hostnames/domains, and local parts of addresses for lookups in the maps junk, rblover*. If this option is not set: use @ as marker for the local part of an address for lookups in the junk map.
- used by: check_mail3.m4, junk.m4 (introduced in version 3.9.6/1.0.4, 1998-02-22).
- (suggested by: Jan Krüger)
- Rationale: since the junk map places all kinds of entries into one database, there are some cases where the entries might be applied to the wrong key. For example, if someone misconfigures a MUA/MTA to use addresses of the form user@A.B.C.D (where A.B.C.D is an IP number) and you want to ban this address, you would have to add A.B.C.D to the junk map. However, this would also block accesses from that IP address (if you have enabled the option or the ruleset check_relay).
_MD2NAME_
- used instead of _DNSRELAY_ to change mailer-daemon mails <> into <$n@${client_name}>
- used by: check_mail3.m4 (introduced in version: 3.9.3, 1998-01-13)
- (suggested by: Jan Krüger)
_NO_CANONIFY_
- check also for $={RelayTo} (without trailing dot). Useful for FEATURE(nocanonify) and O DeliveryMode=deferred or other situations where no DNS lookups are performed.
- used by: check_rcpt4.m4 (introduced in version 3.1.8, 1998-03-16).
_NO_SUB_W_
- can be used in combination with HACK(use_names) to switch off the allowance of subdomains of class w for outgoing relaying.
- used by: check_rcpt4.m4 (introduced in version: 3.1.4, 1998-01-08)
- (suggested by: Brian Candler)
_POPAUTH_
- enables support for authentication via POP as implemented by Neil Harkins and John Levine. Optional parameter: type and location of the map, default:
  _CHECK_MAP_TYPE_ -o -m -a@MATCH /etc/mail/popauth
- Jeff Wasilko, who proposed the option _LOCAL_IP_MAP_, pointed out that this can be used instead of _POPAUTH_ by specifying:
  LOCAL_CONFIG
  KLocalNets btree -m -a@MATCH /etc/mail/LocalNets.db
  KRoamHosts btree -m -a@MATCH /etc/mail/RoamHosts.db
  define(`_LOCAL_IP_MAP_',`sequence LocalNets RoamHosts')
  William R. Thomas sent me a single PERL script which does all of the work. Harlan Stenn sent me a modified version of this PERL script.
- used by: check_rcpt4.m4 (introduced in version: 3.1.6, 1998-02-10)
_POPAUTH2_
- sub-option to _POPAUTH_: removes the last octet of an IP address and performs a lookup against the popauth map.
- used by: check_rcpt4.m4 (introduced in version 3.1.8, 1998-03-22).
- (Thanks to: Colin Stearman)
_SPAM_FRIENDS_
- allows you to use a file (default: /etc/mail/SpamFriends) to specify (local) accounts which should get mail regardless of any checks (this only makes sense if you don't have check_relay and check_mail or you use _CHECK_MAIL_IN_RCPT_.)
- used by: check_rcpt4.m4
_SPAM_HATERS_
- similar to _MAP_SPAM_FRIENDS_, just the inverse. Default map is:
  _CHECK_MAP_TYPE_ -a@SPAMHATER /etc/mail/spam_haters
  _CHECK_MAIL_IN_RCPT_ is required for this option
- used by: check_rcpt4.m4 (introduced in version: 3.1.6, 1998-01-31)
- (thanks to: Jan Krüger)
_RBLOVERRIDE_IP_
- override _MAPS_RBL_ for IP addresses (nets) specified in the map. Optional parameter: type and location of the map, default:
  _CHECK_MAP_TYPE_ -o -m -a@MATCH /etc/mail/rblovrip
- used by: check_mail3.m4 (introduced in version: 3.9.2, 1998-01-04)
- (part of sendmail 8.9)
_RBLOVERRIDE_LOCALIP_
- override _MAPS_RBL_ for $={LocalIP}
- used by: check_mail3.m4 (introduced in version 3.9.5, 1998-02-01).
- (thanks to: Jan Krüger)
_RBLOVERRIDE_NAME_
- override _MAPS_RBL_ for domains (hosts) specified in the map. Optional parameter: type and location of the map, default:
  _CHECK_MAP_TYPE_ -o -m -a@MATCH /etc/mail/rbloverride
- used by: check_mail3.m4 (introduced in version: 3.9.1, 1998-01-03)
- Suggested by Larry Rosenman (Sr. System Administrator, CyberRamp Internet Services)
- (part of sendmail 8.9)
_RELAYTO_MAP_
- The optional argument (default: _CHECK_MAP_TYPE_ -a@RELAYTO /etc/mail/relayto) defines a map of hosts (domains) (as they appear in the domain part of the envelope recipient!) which may receive mail relayed through your system. You can't use this in combination with HACK(use_relayto) or the UUCP additions (not yet).
- used by: check_rcpt4.m4
- (part of sendmail 8.9)
SM89
- first attempt to make these rulesets usable with sendmail 8.9: changes Scheck_* to SLocal_check_* and removes dequote calls
- used by: check_mail3.m4, check_rcpt4.m4, check_relay3.m4 (introduced in 1998-03-21).
HACK(checkregex)
- This is a hook for map-regex by Jan Krüger.
- used by: check_mail3.m4
- (part of sendmail 8.9)
HACK(use_ip)
- specifies the IP addresses of systems which can send mail through your mailserver. Optional parameter: type and location of the file, default /etc/mail/LocalIP.
- The file contains IP addresses or nets, e.g.,
  127.0.0.1
  134.245
- used by: check_rcpt4.m4
- (part of sendmail 8.9)
- Note: if you have an existing .cf file from somewhere, just
  grep 'F{LocalIP}' sendmail.cf
  to find the name of the file on your system.
HACK(use_names)
- specifies the names of systems which can send mail through your mailserver. Optional parameter: type and location of the file, default /etc/mail/LocalNames
- The file contains host or domain names, e.g.,
  localhost.informatik.uni-kiel.de
  uni-kiel.de
- used by: check_rcpt4.m4
- (part of sendmail 8.9)
- Note: if you have an existing .cf file from somewhere, just
  grep 'F{LocalNames}' sendmail.cf
  to find the name of the file on your system.
HACK(use_relayto)
- specifies the names of systems (as they appear in the domain part of the envelope recipient!) which can receive mail via your mailserver. Optional parameter: name of file, default /etc/mail/RelayTo
- The file contains host or domain names, e.g.,
  rigel.informatik.uni-kiel.de
  uni-kiel.de
  cau.de
- used by: check_rcpt4.m4
- (part of sendmail 8.9)
- Note: if you have an existing .cf file from somewhere, just
  grep 'F{RelayTo}' sendmail.cf
  to find the name of the file on your system.
There are three kinds of maps:
- Maps with hostnames or domains as LHS. The format of the entries is
  some.domain RHS
  another.domain RHS
- Maps with e-mail addresses as LHS. The format of the entries is
  friend@other.domain RHS
  me@another.domain RHS
  foe@spammers.domain RHS
- Maps with IP addresses or nets as LHS. The format of the entries is
  A RHS
  A.B RHS
  A.B.C RHS
  A.B.C.D RHS
In most cases the RHS doesn't matter, because the maps use the option -a@MATCH, i.e., @MATCH will be appended on a successful lookup. This is especially true if the option -m is used, which means: match only (do not replace).
However, the junk map requires as RHS either:
- SPAMMER
  for addresses of spammers.
- JUNK
  for domains.
- "Error-Number Error Text"
  for the specification of an (optional) error number and an error text. For example, an entry may look like this:
  domain.com "501 domain.com is a dummy domain - check your configuration."
  (which you should have in your map; proposed by Graeme Hewson.)
- DSN::Error-Number Error Text
  the DSN to return and the complete error text, e.g.,
  5.1.8::550 We don't like you.
  (Thanks to: Brad Knowles)
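A small checker for the four RHS forms listed above, added here as an example (it is not part of the HACKs or of sendmail). The sample map is constructed except for the domain.com entry, and the test that the DSN class agrees with the reply code is an extra sanity check, not something this page says the rulesets enforce.

```python
import re

# The two free-text RHS forms the page lists for the junk map.
QUOTED = re.compile(r'^"(?:(\d{3}) )?(.+)"$')
DSN = re.compile(r'^(\d\.\d{1,3}\.\d{1,3})::(\d{3}) (.+)$')


def parse_rhs(rhs):
    """Classify a junk-map RHS as (kind, dsn, code, text) or raise ValueError."""
    if rhs in ("SPAMMER", "JUNK"):
        return (rhs, None, None, None)
    m = DSN.match(rhs)
    if m:
        dsn, code, text = m.groups()
        if dsn[0] != code[0]:  # added check: a 5.x.x DSN belongs with a 5xx reply
            raise ValueError(f"DSN {dsn} does not match reply code {code}")
        return ("DSN", dsn, code, text)
    m = QUOTED.match(rhs)
    if m:
        return ("TEXT", None, m.group(1), m.group(2))
    raise ValueError(f"unrecognised RHS: {rhs!r}")


def lint_junk_map(source):
    """Return [(line_no, problem)] for map source lines of the form 'LHS RHS'."""
    problems = []
    for no, line in enumerate(source.splitlines(), 1):
        parts = line.strip().split(None, 1)
        if not parts:
            continue  # blank line
        if len(parts) != 2:
            problems.append((no, "missing RHS"))
            continue
        try:
            parse_rhs(parts[1])
        except ValueError as exc:
            problems.append((no, str(exc)))
    return problems


# Constructed sample; only the domain.com line is taken from the page.
SAMPLE = """\
spammer@example.com   SPAMMER
example.net           JUNK
domain.com            "501 domain.com is a dummy domain - check your configuration."
example.org           5.1.8::550 We don't like you.
bad.example           4.1.8::550 mismatched class
worse.example         go away
"""

if __name__ == "__main__":
    for line_no, problem in lint_junk_map(SAMPLE):
        print(f"line {line_no}: {problem}")
```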
If the option _MARK_ is selected, the format of the maps slightly changes:
- Maps with hostnames or domains as LHS. The format of the entries is
  some.domain:dom MATCHED
  another.domain:dom MATCHED
  Maps for the local part of addresses look like this:
  Local:loc "Error number and message"
- Maps with IP addresses or nets as LHS. The format of the entries is
  A:net MATCHED
  A.B:net MATCHED
  A.B.C:net MATCHED
  A.B.C.D:net MATCHED
If the option _MARK_ isn't defined, the map for the local part of addresses looks like this:
Local@ "Error number and message"
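A simplified Python model of two behaviours described on this page, added as an example and not taken from the rulesets: the OK/NO override in _LOCAL_IP_MAP_ and the key collision that _MARK_ avoids. It assumes the most specific key is tried first; 192.0.2.25, 198.51.100.7 and example.org are constructed values.

```python
# Simplified model of the map lookups; the real work is done by sendmail
# rulesets. Assumption: the most specific key is tried first.

def ip_keys(addr, marker=""):
    """A.B.C.D -> [A.B.C.D, A.B.C, A.B, A], each with the marker appended."""
    octets = addr.split(".")
    return [".".join(octets[:n]) + marker for n in range(len(octets), 0, -1)]


def lookup(table, keys):
    """Return the RHS of the first key present in the map, else None."""
    for key in keys:
        if key in table:
            return table[key]
    return None


def relay_allowed(local_ip_map, client_addr):
    """_LOCAL_IP_MAP_: a match allows relaying unless its RHS is NO."""
    rhs = lookup(local_ip_map, ip_keys(client_addr))
    return rhs is not None and rhs != "NO"


def junk_hits(junk, client_addr, sender_domain, mark):
    """Return (RHS for the client IP lookup, RHS for the sender domain lookup)."""
    net, dom = (":net", ":dom") if mark else ("", "")
    return (lookup(junk, ip_keys(client_addr, net)),
            lookup(junk, [sender_domain + dom]))


# Entries taken from the _LOCAL_IP_MAP_ description on this page.
LOCAL_IP = {"134.245": "OK", "134.245.99.100": "NO"}

# Constructed junk maps meant to ban senders of the form user@192.0.2.25.
JUNK_PLAIN = {"192.0.2.25": "JUNK"}
JUNK_MARKED = {"192.0.2.25:dom": "MATCHED"}

if __name__ == "__main__":
    for addr in ("134.245.1.2", "134.245.99.100", "192.0.2.1"):
        print(addr, "relay allowed:", relay_allowed(LOCAL_IP, addr))
    # Without _MARK_ the entry also hits when 192.0.2.25 merely connects.
    print(junk_hits(JUNK_PLAIN, "192.0.2.25", "example.org", mark=False))
    # With _MARK_ only the sender domain lookup hits.
    print(junk_hits(JUNK_MARKED, "192.0.2.25", "example.org", mark=True))
    print(junk_hits(JUNK_MARKED, "198.51.100.7", "192.0.2.25", mark=True))
```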
A small note: some options (define) take an optional parameter (the name of a file, a map, etc). Most of the time, this requires defining the option as
define(`Name_of_Option',`1')
to get the default value. However, in the new release this:
define(`Name_of_Option')
is sufficient for all new options, e.g., _LOCAL_IP_MAP_.
A hint: nearly all of these rules require a working hostname canonicalization. They don't work if the FEATURE(nocanonify) is used in the .mc file, unless the option _NO_CANONIFY_ is enabled. According to a short test, this option also allows the anti-relay rules to work with the delivery mode deferred.
Not all combinations of options work as expected. This is especially true for _CHECK_MAIL_IN_RCPT_, which causes some funny effects: if a mail gets rejected due to an unwanted sender, the recipient address will be given first, because this check occurs during the RCPT TO: stage of the SMTP dialog. There were also some (small) bugs for this option if it is used in combination with some others: _CHECK_RELAY_IN_RCPT_ and _ACCEPT_SOME_. This should be fixed since 1997-12-23.
Copyright © Claus Aßmann
Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.