Options for the HACKs for check_* in sendmail 8.8

Last Update 2003-02-22

Introduction

The HACKs for the check_* rulesets in sendmail 8.8 have several options, which are listed and explained here.

Only the HACKs check_mail3.m4, check_rcpt4.m4 and check_relay3.m4 are considered here; other versions should not be used anyway.

(1998-01-01) The rules have been rewritten and restructured. The rulesets junk and junkIP have been moved to a separate file: junk.m4. There is also a first attempt to create generic rulesets for these: DomainMap and IPMap which get the name of a map as parameter. The check_* rulesets will be subsequently rewritten to make use of them.

List of Options

Next, a list of options is given with a short explanation. Based on the 8.9.0 release notes, a short comment is added to those options which are available directly as FEATUREs in sendmail 8.9.0.
_ACCEPT_SOME_
accept some addresses without checking them
Optional parameter: type and location of the map, default:
_CHECK_MAP_TYPE_ -o -a@ACCEPT /etc/mail/accept
used by: check_mail3.m4
(part of sendmail 8.9)
ALIAS_1
can be used in conjunction with _CHECK_LOCALUSER_ to define another alias file, e.g.,
nisplus -m -a@LOCALUSER mail_aliases.org_dir
used by: check_mail3.m4 (introduced in version 3.9.6, 1998-02-15).
(thanks to: Geoff Gibbs)
_ALLOW_NOT_FQHN_
allow not fully qualified hostnames in MAIL FROM
used by: check_mail3.m4 (introduced in version 3.9.4, 1998-01-25).
(suggested by: Didier Lamballais)
(part of sendmail 8.9)
_ALLOW_SOME_
creates a `backdoor': it allows relaying also based on the envelope from address (given in MAIL FROM:).
Optional parameter: type and location of the map, default
_CHECK_MAP_TYPE_ -a@ALLOWED /etc/mail/allow
used by: check_rcpt4.m4
not recommended, use only if really required.
(part of sendmail 8.9, but with restricted functionality; same functionality is available with additional rules.)
_CHECK_ALL_RCPTS_
further extended version of _CHECK_RCPT_USER_ (which must be defined, too): check all recipient addresses against forbrcpt map.
used by: check_rcpt4.m4 (introduced in version 3.1.8, 1998-03-22).
(Suggested by: Jack Snodgrass)
(part of sendmail 8.9)
_CHECK_FROM_
perform validity check of FROM address: it must
used by: check_mail3.m4
(a similar feature is available in sendmail 8.9)
_CHECK_FULL_FROM_
match the FROM address against the junk database in full. This makes it possible to catch addresses like <@some.relay:lamer@spammer.com>
used by: check_mail3.m4 (introduced in version 3.8.7, 1997-12-30).
(part of sendmail 8.9)
_CHECK_HELO_
check HELO ($s) against junk map; prepend _MARK_HELO_ (default: HELO) (so the map entry can be HELO@spammers.site or just spammers.site)
used by: check_mail3.m4 (introduced in version 3.9.8, 1998-04-06).
(Suggested by: Harlan Stenn)
_CHECK_IP_IN_MAIL_
check ${client_addr} against junk map; append _MARK_NET_ (default: :net) (so the map entry can be IP.AD.DR.ESS:net or just IP.AD.DR.ESS)
used by: check_mail3.m4
_CHECK_LOCALADDR_
if the connecting host has a client_addr within the LocalIP range, the domain part of the address must be one of those given in the map, default:
_CHECK_MAP_TYPE_ -o -m -a. /etc/mail/AllowedDomains
Warnings: this does not work if your users forward their mail to external sites; LocalIP must be defined. Andy Harper wrote a very complete and highly configurable set of check_ rulesets which use a configuration map to deal with this problem.
used by: check_mail3.m4 (introduced in version 3.8.8, 1997-12-31).
_CHECK_LOCALPART_
check local part of FROM address against keys in the junk database. Useful for entries like:
FREE.STEALTH.MAILER@ "571 go away spammer."
used by: check_mail3.m4 (introduced in version 3.9.5, 1998-02-06).
(part of sendmail 8.9)
_CHECK_LOCALSUBDOMAINS_
only available in conjunction with _CHECK_LOCALADDR_; it will allow subdomains of allowed domains too.
used by: check_mail3.m4 (introduced in version 3.8.8, 1997-12-31).
_CHECK_LOCALUSER_
activate the check whether the local address of the sender appears in passwd or aliases, i.e., if a mail is sent with the local domain attached (@$=w), then the local part of it must appear in passwd or aliases. This at least prevents sending with non-existent usernames etc. Of course it does not prevent sending mail with other names or faked addresses.
Warning: if you have multiple alias files, you have to specify all but the first again. For example: you have
define(`ALIAS_FILE',`/etc/aliases,/etc/maj-aliases,/etc/list-aliases')dnl
then you have to add this:
define(`ALIAS_FILE1',`/etc/maj-aliases')dnl
define(`ALIAS_FILE2',`/etc/list-aliases')dnl
(this has been changed on 1997-12-23).
Multiple alias files may cause a warning with some m4 versions: ../hack/check_mail3.m4:47: m4: Warning: Excess arguments to built-in `define' ignored
Geoff Gibbs pointed out that nisplus in Solaris 2.x (5 and 6 at least) requires a line like this:
Kchkalias1 nisplus -m -a@LOCALUSER mail_aliases.org_dir
This can now be defined in the normal version.
used by: check_mail3.m4
recommended
_CHECK_MAIL_IN_RCPT_
defines Scheckmail instead of Scheck_mail in all supplied check_mail*.m4 versions and calls checkmail after check_rcpt. This option is only useful in connection with _SPAM_FRIENDS_ or _MAP_SPAM_FRIENDS_.
used by: check_rcpt4.m4
This option has a bug.
_CHECK_MAILx_
(x in 1,2,3) add three hooks Schk_mailx into the check_mail ruleset.
  1. at the start
  2. after calling S3
  3. at the end
used by: check_mail3.m4 (introduced in version 3.9.5, 1998-01-31).
(suggested by: Andy Harper)
_CHECK_MAP_TYPE_
define the map type (default: dbm) for all maps used.
used by: all check_*.m4 versions which use maps.
_CHECK_RCPT_USER_
Check whether the recipient address is allowed to receive mail. This can be used to deny mail to local addresses.
Optional parameter: type and location of the map, default:
_CHECK_MAP_TYPE_ -a@FORBIDDEN /etc/mail/forbrcpt
The RHS of the map may either be FORBIDDEN or an error message text.
used by: check_rcpt4.m4 (introduced in version 3.1.0, 1997-12-29).
(part of sendmail 8.9)
_CHECK_RELAY_IN_RCPT_
does the same as _CHECK_MAIL_IN_RCPT_ for check_relay.
used by: check_rcpt4.m4
_CHECK_TOPLEVEL_
allows also the specification of top level domains as spammers/junk. Default is to check only up to the second level.
used by: check_mail3.m4
_CLASS_W_TOO_
use class w too if _RELAYTO_MAP_ is defined.
used by: check_rcpt4.m4 (introduced in version: 3.1.4, 1998-01-08)
(suggested by: Joerg Schumacher)
(default in sendmail 8.9)
_DNSRELAYOVERRIDE_IP_
allows overriding _DNSRELAY_ for some IP addresses. Optional parameter: type and location of the map, default:
_CHECK_MAP_TYPE_ -o -m -a@MATCH /etc/mail/dnsrelovrip
used by: check_mail3.m4 (introduced in version 3.9.5, 1998-02-03).
(suggested by: Vivek Khera)
(part of sendmail 8.9)
_DNSRELAY_
check whether client_name resolved to a host name or an IP address, temporarily refuse the mail if it is an IP address.
used by: check_mail3.m4
not recommended, may cause problems with some relay hosts
_DNSVALID_
perform a DNS lookup on the domain part of the envelope from address, temporarily refuse the mail if there is no A, MX, or CNAME record.
used by: check_mail3.m4
recommended
(part of sendmail 8.9)
_ERR_MSG_DOM_
Error message text for banned domains, default: "501 This domain is banned, contact your local admin." See below for a warning.
used by: check_mail3.m4
_ERR_MSG_HOST_
Error message text for hostname matches, default: "550 access from your hostname denied."
used by: check_relay3.m4
_ERR_MSG_IP_
Error message text for IP address matches, default: "550 access from your IP address denied."
used by: check_relay3.m4
_ERR_MSG_REGEX_
Error message text for matches against regexp, default: "501 spam address, go away."
used by: check_mail3.m4
_ERR_MSG_RELAY_
Error message text for denied relay attempts, default: 550 we do not relay $&f
used by: check_rcpt4.m4 (introduced in version 3.1.1, 1997-12-31)
_ERR_MSG_URRH_
Error message for unresolvable relay host names. Default: "451 unresolvable relay host name [" $`'2 "]; check your reverse-IP configuration."
used by: check_mail3.m4 (introduced in version 3.9.9, 1998-04-28).
(Suggested by: Harlan Stenn)
_ERR_MSG_USER_
Error message text for banned users, default: "501 You are banned, contact your local admin."
Warning: if you use a comma, double quote the text, e.g., define(`_ERR_MSG_USER_',``"501 You are banned, see URL for more information."'')
used by: check_mail3.m4
_IP_LOOKUP_
do a reverse IP lookup if the FROM address is given as user@[A.B.C.D]
used by: check_mail3.m4
recommended
_ISMX_
option to use the patch (local copy) from Miquel van Smoorenburg to find out for which machines your mailserver is secondary MX and therefore should be allowed to receive mail through this server.
used by: check_rcpt4.m4
(part of sendmail 8.9)
_JUNK_IP_RULES_
checks IP address of client in check_mail against junk map
used by: check_mail3.m4 (introduced in version: 3.9.0, 1998-01-01)
(thanks to: Peter Seebach)
_JUNK_MAP_LOC_
define location of the junk map (so it's easier to place the map into another location without repeating map type and options)
used by: junk.m4 (introduced in version 1.0.8, 1998-07-05).
(Thanks to: Brad Knowles)
_LOCAL_IP_MAP_
use a map instead of a class for LocalIP, default:
_CHECK_MAP_TYPE_ -a@MATCH /etc/mail/localIP
used by: check_rcpt4.m4 (introduced in version 3.1.5, 1998-01-18).
(suggested by: Jeff Wasilko)
(part of sendmail 8.9)
if the RHS of the map is NO, relaying will be denied. This is useful for disallowing subnets or hosts, e.g.,
134.245		OK
134.245.99.100	NO
(introduced in version 3.1.9, 1998-04-17)
(Suggested by: Chris Thomas)
_MAPS_RBL_
Each check_mail version was able to make use of Paul Vixie's RBL. It can have an argument which is taken as address for the lookup. Default:
rbl.maps.vix.com (don't use this, it's dead!) If you change it, you probably want to define _MAPS_RBL_URL_ too, which denotes the URL for the error message.
used by: check_mail3.m4
(part of sendmail 8.9)
_MAPS_RBL_2_
can be used to refer to another DNS based blacklist and _MAPS_RBL_URL_2_ should be defined as some URL pointing to an explanation.
used by: check_mail3.m4 (introduced in version 3.9.12, 1998-08-22).
_USE_RELAY_MAILERTABLE_
use mailertable too to allow relaying to those systems. Optional parameter: location of the map,
/etc/mailertable
used by: check_rcpt4.m4 (introduced in version 3.1.9, 1998-06-07).
(Thanks to: Rudolf Weber)
_MAP_SPAM_FRIENDS_
may be used instead of the plain text files for _SPAM_FRIENDS_. Default value for the map is:
_CHECK_MAP_TYPE_ -a@SPAMFRIEND /etc/mail/spam_friends
Another map may be used as parameter for the define (don't forget -a@SPAMFRIEND). The RHS of the map is ignored.
used by: check_rcpt4.m4
_MARK_
use :net, :dom, and :loc as markers to distinguish between IP addresses/nets, hostnames/domains, and local parts of addresses for lookups in the maps junk, rblover*.
If this option is not set: use @ as marker for the local part of an address for lookups in the junk map.
used by: check_mail3.m4, junk.m4 (introduced in version 3.9.6/1.0.4, 1998-02-22).
(suggested by: Jan Krüger)
Rationale: since the junk map places all kinds of entries into one database, there are some cases where the entries might be applied to the wrong key. For example, if someone misconfigures a MUA/MTA to use addresses of the form user@A.B.C.D (where A.B.C.D is an IP number) and you want to ban this address, you would have to add A.B.C.D to the junk map. However, this would also block accesses from that IP address (if you have enabled the option or the ruleset check_relay).
_MD2NAME_
used instead of _DNSRELAY_ to change mailer-daemon mails <> into <$n@${client_name}>
used by: check_mail3.m4 (introduced in version: 3.9.3, 1998-01-13)
(suggested by: Jan Krüger)
_NO_CANONIFY_
check also for $={RelayTo} (without trailing dot). Useful for FEATURE(nocanonify) and O DeliveryMode=deferred or other situations, where no DNS lookups are performed.
used by: check_rcpt4.m4 (introduced in version 3.1.8, 1998-03-16).
_NO_SUB_W_
can be used in combination with HACK(use_names) to switch off the allowance of subdomains of class w for outgoing relaying.
used by: check_rcpt4.m4 (introduced in version: 3.1.4, 1998-01-08)
(suggested by: Brian Candler)
_POPAUTH_
enables support for authentication via POP as implemented by Neil Harkins and John Levine. Optional parameter: type and location of the map, default:
_CHECK_MAP_TYPE_ -o -m -a@MATCH /etc/mail/popauth
Jeff Wasilko, who proposed the option _LOCAL_IP_MAP_, pointed out that this can be used instead of _POPAUTH_ by specifying:
LOCAL_CONFIG
KLocalNets btree -m -a@MATCH /etc/mail/LocalNets.db  
KRoamHosts btree -m -a@MATCH /etc/mail/RoamHosts.db  

define(`_LOCAL_IP_MAP_',`sequence LocalNets RoamHosts')
William R. Thomas sent me a single PERL script which does all of the work. Harlan Stenn sent me a modified version of this PERL script.
used by: check_rcpt4.m4 (introduced in version: 3.1.6, 1998-02-10)
_POPAUTH2_
sub-option to _POPAUTH_: removes the last octet of an IP address and performs a lookup against the popauth map.
used by: check_rcpt4.m4 (introduced in version 3.1.8, 1998-03-22).
(Thanks to: Colin Stearman)
_SPAM_FRIENDS_
allows you to use a file (default: /etc/mail/SpamFriends) to specify (local) accounts which should get mail regardless of any checks (this only makes sense if you don't have check_relay and check_mail or you use _CHECK_MAIL_IN_RCPT_).
used by: check_rcpt4.m4
_SPAM_HATERS_
similar to _MAP_SPAM_FRIENDS_, just the inverse. Default map is:
_CHECK_MAP_TYPE_ -a@SPAMHATER /etc/mail/spam_haters
_CHECK_MAIL_IN_RCPT_ is required for this option.
used by: check_rcpt4.m4 (introduced in version: 3.1.6, 1998-01-31)
(thanks to: Jan Krüger)
_RBLOVERRIDE_IP_
override _MAPS_RBL_ for IP addresses (nets) specified in the map
Optional parameter: type and location of the map, default:
_CHECK_MAP_TYPE_ -o -m -a@MATCH /etc/mail/rblovrip
used by: check_mail3.m4 (introduced in version: 3.9.2, 1998-01-04)
(part of sendmail 8.9)
_RBLOVERRIDE_LOCALIP_
override _MAPS_RBL_ for $={LocalIP}
used by: check_mail3.m4 (introduced in version 3.9.5, 1998-02-01).
(thanks to: Jan Krüger)
_RBLOVERRIDE_NAME_
override _MAPS_RBL_ for domains (hosts) specified in the map
Optional parameter: type and location of the map, default:
_CHECK_MAP_TYPE_ -o -m -a@MATCH /etc/mail/rbloverride
used by: check_mail3.m4 (introduced in version: 3.9.1, 1998-01-03)
Suggested by Larry Rosenman (Sr. System Administrator, CyberRamp Internet Services)
(part of sendmail 8.9)
_RELAYTO_MAP_
The optional argument (default: _CHECK_MAP_TYPE_ -a@RELAYTO /etc/mail/relayto) defines a map of hosts (domains) (as they appear in the domain part of the envelope recipient!) which may receive mail relayed through your system. You can't use this in combination with HACK(use_relayto) or the UUCP additions (not yet).
used by: check_rcpt4.m4
(part of sendmail 8.9)
SM89
first attempt to make these rulesets usable with sendmail 8.9: changes Scheck_* to SLocal_check_* and removes dequote calls
used by: check_mail3.m4, check_rcpt4.m4, check_relay3.m4 (introduced in 1998-03-21).
HACK(checkregex)
This is a hook for map-regex by Jan Krüger.
used by: check_mail3.m4
(part of sendmail 8.9)
HACK(use_ip)
specifies the IP addresses of systems which can send mail through your mailserver.
Optional parameter: type and location of the file, default /etc/mail/LocalIP.
The file contains IP addresses or nets, e.g.,
127.0.0.1
134.245
used by: check_rcpt4.m4
(part of sendmail 8.9)
Note: if you have an existing .cf file from somewhere, just
grep 'F{LocalIP}' sendmail.cf
to find the name of the file on your system.
HACK(use_names)
specifies the names of systems which can send mail through your mailserver.
Optional parameter: type and location of the file, default /etc/mail/LocalNames
The file contains host or domain names, e.g.,
localhost.informatik.uni-kiel.de
uni-kiel.de
used by: check_rcpt4.m4
(part of sendmail 8.9)
Note: if you have an existing .cf file from somewhere, just
grep 'F{LocalNames}' sendmail.cf
to find the name of the file on your system.
HACK(use_relayto)
specifies the names of systems (as they appear in the domain part of the envelope recipient!) which can receive mail via your mailserver
Optional parameter: name of file, default /etc/mail/RelayTo
The file contains host or domain names, e.g.,
rigel.informatik.uni-kiel.de
uni-kiel.de
cau.de
used by: check_rcpt4.m4
(part of sendmail 8.9)
Note: if you have an existing .cf file from somewhere, just
grep 'F{RelayTo}' sendmail.cf
to find the name of the file on your system.

Format of Maps

There are three kinds of maps:
  1. Maps with hostnames or domains as LHS. The format of the entries is
    some.domain	RHS
    another.domain	RHS
    
  2. Maps with e-mail addresses as LHS. The format of the entries is
    friend@other.domain	RHS
    me@another.domain	RHS
    foe@spammers.domain	RHS
    
  3. Maps with IP addresses or nets as LHS. The format of the entries is
    A	RHS
    A.B	RHS
    A.B.C	RHS
    A.B.C.D	RHS
    
In most cases the RHS doesn't matter, because the maps use the option -a@MATCH, i.e., @MATCH will be appended on a successful lookup. This is especially true if the option -m is used, which means: match only (do not replace). However, the junk map requires as RHS either:
SPAMMER
for addresses of spammers.
JUNK
for domains.
"Error-Number Error Text"
for the specification of an (optional) error number and an error text.

For example, an entry may look like this:

domain.com	"501 domain.com is a dummy domain - check your configuration."
(which you should have in your map; proposed by Graeme Hewson.)
DSN::Error-Number Error Text
the DSN to return and the complete error text, e.g., 5.1.8::550 We don't like you. (Thanks to: Brad Knowles)

If the option _MARK_ is selected, the format of the maps slightly changes:

  1. Maps with hostnames or domains as LHS. The format of the entries is
    some.domain:dom	MATCHED
    another.domain:dom	MATCHED
    
    Maps for the local part of addresses look like this:
    Local:loc	"Error number and message"
    
  2. Maps with IP addresses or nets as LHS. The format of the entries is
    A:net	MATCHED
    A.B:net	MATCHED
    A.B.C:net	MATCHED
    A.B.C.D:net	MATCHED
    
If the option _MARK_ isn't defined, the map for the local part of addresses looks like this:
Local@	"Error number and message"
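
The key and RHS formats above can be checked before the map is rebuilt. The following linter is an added example, not part of the original HACKs or of sendmail; the function names and the sample entries are constructed, and it assumes the map source is whitespace-separated text with one entry per line. Full addresses (user@domain) are passed through unchecked, because the page lists no marker for them.

```python
import re

# Constructed sample: source text for a junk map built with _MARK_ defined.
SAMPLE = '''\
spammer.example:dom\tJUNK
192.0.2:net\tSPAMMER
FREE.STEALTH.MAILER:loc\t"571 go away spammer."
bad.example:dom\t5.1.8::550 We don't like you.
192.0.2.7\tJUNK
OTHER.MAILER@\t"571 go away spammer."
other.example:dom\tgo away
'''

IP_OR_NET = re.compile(r'^\d{1,3}(\.\d{1,3}){0,3}$')      # A, A.B, A.B.C, A.B.C.D
QUOTED_RHS = re.compile(r'^"(\d{3} )?[^"]+"$')            # "Error-Number Error Text"
DSN_RHS = re.compile(r'^\d\.\d{1,3}\.\d{1,3}::\d{3} \S')  # DSN::Error-Number Error Text

def key_kind(lhs, mark):
    """Classify a LHS key; return (kind, problem or None)."""
    if '@' in lhs and not lhs.endswith('@'):
        return 'addr', None            # full address: not checked (assumption)
    if mark:
        if lhs.endswith('@'):
            return 'loc', 'local part uses @; with _MARK_ it is written Local:loc'
        base, sep, tag = lhs.rpartition(':')
        if not sep or tag not in ('dom', 'net', 'loc'):
            return 'unmarked', 'no :dom, :net or :loc marker'
        if tag == 'net' and not IP_OR_NET.match(base):
            return 'net', ':net marker on a key that is not an IP address or net'
        return tag, None
    if lhs.endswith('@'):
        return 'loc', None
    if IP_OR_NET.match(lhs):
        if lhs.count('.') == 3:
            # The case from the _MARK_ rationale: one key, two different lookups.
            return 'net', 'also matches the domain part of user@' + lhs
        return 'net', None
    return 'dom', None

def rhs_ok(rhs):
    """True if rhs is one of the four forms the junk map accepts."""
    return rhs in ('SPAMMER', 'JUNK') or bool(
        QUOTED_RHS.match(rhs) or DSN_RHS.match(rhs))

def lint(text, mark):
    """Return a list of (line_no, lhs, message) findings for a junk map source."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        lhs = parts[0]
        rhs = parts[1].strip() if len(parts) > 1 else ''
        _, problem = key_kind(lhs, mark)
        if problem:
            findings.append((no, lhs, problem))
        if not rhs_ok(rhs):
            findings.append((no, lhs, 'RHS is not SPAMMER, JUNK, "text" or DSN::text'))
    return findings
```

Calling `lint(SAMPLE, mark=True)` reports the unmarked IP key, the `@`-style local part and the unquoted error text; with `mark=False`, a full dotted-quad key is reported as ambiguous between an IP address and a domain part.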

Some comments

A small note: some options (define) take an optional parameter (the name of a file, a map, etc). Most of the time, the option has to be defined as
define(`Name_of_Option',`1')
to get the default value. However, in the new release this:
define(`Name_of_Option')
is sufficient for all new options, e.g., _LOCAL_IP_MAP_.

Warnings

FEATURE(nocanonify)

A hint: nearly all of these rules require a working hostname canonicalization. They don't work if the FEATURE(nocanonify) is used in the .mc file, unless the option _NO_CANONIFY_ is enabled. According to a short test, this option also allows the anti-relay rules to work with the delivery mode deferred.

Combining Options

Not all combinations of options work as expected. This is especially true for _CHECK_MAIL_IN_RCPT_ which causes some funny effects: if a mail gets rejected due to an unwanted sender, the recipient address will be given first, because this check occurs during the RCPT TO: stage of the SMTP dialog. There were also some (small) bugs for this option, if it is used in combination with some others: _CHECK_RELAY_IN_RCPT_ and _ACCEPT_SOME_. This should be fixed since 1997-12-23.
Copyright © Claus Aßmann Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.