HP-UX Mailing Services Administrator’s Guide
HP-UX 11i v2, HP-UX 11i v3
HP Part Number: B2355-91064
Published: February 2007
Edition: 3
Legal Notices
© Copyright 2004–2007 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and
12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are
licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set
forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
UNIX is a registered trademark of The Open Group.
Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other
countries.
Copyright Notice
© Copyright 2004–2007 Hewlett-Packard Development Company, L.P.
Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under
the copyright laws.
© Copyright 1979, 1980, 1983, 1985-93 Regents of the University of California. This software is based in part on the Fourth Berkeley
Software Distribution under license from the Regents of the University of California.
© Copyright 1980, 1984, 1986 Novell, Inc
© Copyright 1986-1992 Sun Microsystems, Inc
© Copyright 1985-86, 1988 Massachusetts Institute of Technology
© Copyright 1989-93 The Open Software Foundation, Inc.
© Copyright 1986 Digital Equipment Corporation.
© Copyright 1990 Motorola, Inc.
© Copyright 1990, 1991, 1992 Cornell University
© Copyright 1989-1991 The University of Maryland
© Copyright 1988 Carnegie Mellon University
Table of Contents
About This Document...................................................................................................................13
New and Changed Information in This Edition........................................................................13
Intended Audience................................................................................................................13
HP-UX Release Name and Release Identifier...........................................................................14
Publishing History.................................................................................................................14
Document Organization.........................................................................................................14
Related Information...............................................................................................................15
Typographical Conventions....................................................................................................15
HP Welcomes Your Comments...............................................................................................16
1 Mailing Services Overview........................................................................................................17
The elm Utility.......................................................................................................................18
How elm Works...............................................................................................................18
The elm Configuration File................................................................................................18
The mailx Utility....................................................................................................................19
The mail/rmail Utility.............................................................................................................21
The Sendmail Utility..............................................................................................................22
Message Structure............................................................................................................23
How Sendmail Collects Messages......................................................................................24
How Sendmail Routes Messages........................................................................................24
Default Routing Configuration.....................................................................................26
Local Addresses:....................................................................................................26
UUCP Addresses:..................................................................................................26
SMTP Addresses:...................................................................................................27
Mixed Addresses:..................................................................................................27
Mail Exchanger (MX) Records......................................................................................27
MX Failures:..........................................................................................................29
Defining Queue Groups....................................................................................................29
The Default Queue Group............................................................................................29
The Q Configuration Command...................................................................................30
Using queuegroups Through the access Database..........................................................31
Queue Group Limitations............................................................................................31
Connection Caching....................................................................................................31
How Sendmail Improves Mail Queue Performance.............................................................32
Default Client/Server Operation........................................................................................33
How Sendmail Handles Errors..........................................................................................34
How Sendmail Handles Permanent Failures.................................................................34
How Sendmail Handles Temporary Failures.................................................................35
2 Configuring and Administering Sendmail....................................................................................37
Configuring Sendmail............................................................................................................37
Configuring Sendmail on a Standalone System...................................................................38
Configuring Sendmail on a Mail Server..............................................................................39
Configuring Sendmail on a Mail Client..............................................................................39
Verifying your Sendmail Installation..................................................................................41
Sending Mail to a Local User........................................................................................41
Using UUCP Addressing to Send Mail to a Remote User...............................................41
Using SMTP Transport to Send Mail to a Remote User...................................................42
Modifying the Default Sendmail Configuration File.................................................................43
The Sendmail Configuration File.......................................................................................43
Restarting Sendmail..........................................................................................................44
Sendmail Configuration Options.......................................................................................44
Maximum message size (option MaxMessageSize)........................................................45
Forwarding Nondomain Mail to a Gateway..................................................................45
Setting Mail Header Lengths........................................................................................45
Limiting Message Recipients........................................................................................45
Timeout.*....................................................................................................................45
DataFileBufferSize.......................................................................................................46
FallBackSmartHost......................................................................................................46
The FastSplit Option....................................................................................................47
XscriptFileBufferSize...................................................................................................48
MaxAliasRecursion.....................................................................................................48
PidFile........................................................................................................................48
ProcessTitlePrefix........................................................................................................48
TrustedUser................................................................................................................48
MaxMimeHeaderLength..............................................................................................48
DeadLetterDrop..........................................................................................................49
Socket Maps................................................................................................................49
DNS Maps..................................................................................................................50
The /usr/newconfig/etc/mail/cf/cf/gen_cf Script.............................................................52
Options Configured Using the /usr/newconfig/etc/mail/cf/cf/gen_cf Script......................54
Relay On...............................................................................................................54
Relay OFF.............................................................................................................54
Relay Entire Domain..............................................................................................54
Relay based on MX................................................................................................55
Relay hosts only.....................................................................................................55
Access db..............................................................................................................55
Relay local from.....................................................................................................56
Blacklist recipients.................................................................................................56
Accept unresolvable domains.................................................................................56
Accept unqualified senders ....................................................................................57
Realtime Blackhole List..........................................................................................57
Loose relay check...................................................................................................57
Promiscuous Relay.................................................................................................57
No Default MSA....................................................................................................57
DNS Blackhole List................................................................................................57
Relay mail from.....................................................................................................58
Delay checks..........................................................................................................58
Ldap Routing........................................................................................................58
Mailertable.............................................................................................................58
Genericstable.........................................................................................................58
Virtusertable..........................................................................................................58
Domaintable..........................................................................................................59
Send only..............................................................................................................59
Receive only..........................................................................................................59
Creating Sendmail Aliases......................................................................................................59
Adding Aliases to the Sendmail Alias Database..................................................................60
Configuring Owners for Mailing Lists..........................................................................62
Avoiding Alias Loops..................................................................................................63
Creating a Postmaster Alias.........................................................................................64
Verifying Your Sendmail Aliases........................................................................................64
Managing Sendmail Aliases with NIS................................................................................64
Modifying your NIS Aliases Database..........................................................................65
Rewriting the From Line on Outgoing Mail........................................................................65
Forwarding Your Own Mail with a .forward File................................................................65
Creating Domain-Specific Aliasing Using Virtual Hosting........................................................66
Sendmail and the LDAP Protocol............................................................................................67
Enabling Address Lookups Using LDAP............................................................................68
LDAP-Based Routing........................................................................................................68
LDAP Recursion and URL Support....................................................................................70
IPv6 Support.........................................................................................................................71
Security.................................................................................................................................72
Using the Sendmail Restricted Shell Program.....................................................................73
Turning Off Standard Security Checks...............................................................................73
Disabling Privacy Options...........................................................................................75
Enabling SMTP Authentication Based on RFC 2554.............................................................75
SMTP Pipelining.........................................................................................................76
Support for Deliver By SMTP Extension (RFC 2852).......................................................77
Support for RFC 1413 (Identification Protocol)....................................................................77
Enabling identd on the Sendmail Server.......................................................................77
Disabling identd on the Remote Client..........................................................................78
Disabling identd from the Sendmail Server...................................................................78
Support for Secured Mail Transaction Using STARTTLS......................................................78
Cyrus SASL v2 Support....................................................................................................80
How SASL Works........................................................................................................80
The PLAIN Mechanism and sasl_checkpass() Call....................................................80
Application Configuration......................................................................................80
Configuring Cyrus SASL v2 in Sendmail......................................................................81
Configuring Sendmail to Reject Unsolicited Mail.....................................................................81
Message Quarantining......................................................................................................82
Support for Mail Filter (MILTER) APIs...............................................................................82
Enhanced DNS Black Hole List Option...............................................................................83
Enabling Anti-Spamming Security Features.......................................................................83
Running the gen_cf Script............................................................................................84
Using the Access Database to Allow or Reject Mail Messages..............................................84
Access Database Format..............................................................................................84
Creating the Access Database Text File..........................................................................85
Creating Finer Spam Control Using Tags......................................................................85
Creating the Database Map..........................................................................................86
Enabling Anti-Spamming Relay Features...........................................................................86
Promiscuous Relay: Relaying from Any Host to Any Host.............................................86
Relay Entire Domain: Relaying from Any Host in the Domain........................................86
Relay Hosts Only: Relaying from Hosts Only................................................................87
Relaying Based on MX Records....................................................................................87
Relay from Local.........................................................................................................87
Check Loose Relay......................................................................................................87
Validating Senders............................................................................................................87
Accept Unresolvable Domains.....................................................................................88
Accept Unqualified Senders.........................................................................................88
Blacklist Recipients......................................................................................................88
Realtime Blackhole List................................................................................................88
Checking Headers............................................................................................................89
Discard Mailer............................................................................................................89
Regular Expressions....................................................................................................89
Defining Hosts Allowed to Relay: Class R.....................................................................90
Queue Changes...........................................................................................................90
Spam Control Using the Message Submission Agent (RFC 2476)..........................................90
Sendmail Validation..........................................................................................................91
Turning Off Virtual Interfaces.................................................................................................91
Troubleshooting Sendmail......................................................................................................92
Keeping the Aliases Database Up to Date...........................................................................92
Updating your NIS Aliases Database............................................................................92
Verifying Address Resolution and Aliasing........................................................................92
Verifying Message Delivery...............................................................................................93
Contacting the Sendmail Daemon to Verify Connectivity....................................................94
Setting Your Domain Name...............................................................................................95
Attempting to Start Multiple Sendmail Daemons................................................................95
Configuring and Reading the Sendmail Log.......................................................................95
Setting Log Levels.......................................................................................................96
Understanding syslog Entries......................................................................................97
Storing Off Old Sendmail Log Files..............................................................................98
Printing and Reading the Mail Queue................................................................................98
Files in the Mail Queue................................................................................................99
Queue Changes..............................................................................................................101
Changes to Sendmail Files and Databases.........................................................................101
The mailstats Utility...................................................................................................101
The newaliases Utility................................................................................................102
How to Resolve Warning Messages When You Send Mail.............................................102
Index........................................................................................................................................105
List of Figures
1-1 Flow of Mail Through Sendmail.................................................................................25
1-2 Sendmail Client-Server Operation..............................................................................33
List of Tables
1-1 MTA and MUAs Supported on HP-UX 11i v2 and HP-UX 11i v3..............................17
1-2 Time Zones Supported by mailx.................................................................................20
1-3 How Sendmail Resolves Addresses with Mixed Operators.......................................27
1-4 Q Configuration Command Equates...........................................................................30
2-1 The -R Values in the dns Database Map....................................................................51
2-2 The dns Database-Map Type K Command Switches..................................................51
2-3 Mailing List Options....................................................................................................61
2-4 Option Values for DontBlameSendmail......................................................................74
2-5 Access Database Format..............................................................................................84
2-6 Access Database Text File Example.............................................................................85
2-7 Sendmail Logging Levels............................................................................................96
2-8 Lines in Queue-Control Files.....................................................................................100
About This Document
This document describes the Mailing Services implemented in the HP-UX 11i v2 and
HP-UX 11i v3 operating systems.
It is one of the documents available for the Internet Services suite of products. For a
list of other Internet Services documents, see “Related Information” (page 15). These
documents replace the document Installing and Administering Internet Services
(B2355-90685), which was shipped with releases prior to the HP-UX 11i v2 operating
system.
New and Changed Information in This Edition
The following information is new or changed in this edition:
• Updated “The Sendmail Utility” (page 22)
• Added the following sections:
  — “Defining Queue Groups” (page 29)
  — “FallBackSmartHost” (page 46)
  — “The FastSplit Option” (page 47)
  — “Socket Maps” (page 49)
  — “DNS Maps” (page 50)
  — “The /usr/newconfig/etc/mail/cf/cf/gen_cf Script” (page 52)
  — “LDAP Recursion and URL Support” (page 70)
  — “SMTP Pipelining” (page 76)
  — “Support for Deliver By SMTP Extension (RFC 2852)” (page 77)
  — “Support for Secured Mail Transaction Using STARTTLS” (page 78)
  — “Cyrus SASL v2 Support” (page 80)
Intended Audience
This manual is intended for system and network administrators responsible for
configuring and maintaining the Internet Services software on the HP-UX 11i v2 or
HP-UX 11i v3 operating system. Administrators are expected to have knowledge of
operating system concepts, commands, and the various routing protocols. It is also
helpful to have knowledge of Transmission Control Protocol/Internet Protocol (TCP/IP)
networking concepts and network configuration. This manual is not a TCP/IP tutorial.
HP-UX Release Name and Release Identifier
Each HP-UX 11i release has an associated release name and release identifier. The
uname(1) command with the -r option returns the release identifier. The following
table lists the releases available for HP-UX 11i.
Release Identifier   Release Name     Supported Processor Architecture
B.11.11              HP-UX 11i v1     PA-RISC
B.11.20              HP-UX 11i v1.5   Intel® Itanium® Processor Family
B.11.22              HP-UX 11i v1.6   Intel Itanium Processor Family
B.11.23              HP-UX 11i v2.0   Intel Itanium Processor Family, PA-RISC
B.11.31              HP-UX 11i v3     Intel Itanium Processor Family, PA-RISC
Publishing History
The following table lists the publishing details of this document for various HP-UX
releases.
Document Manufacturing Part Number   Operating System Supported   Publication Date
B2355-90776                          11i v2                       September 2004
5991-0707                            11i v1, 11i v2               February 2005
5991-6611                            11i v1, 11i v2               July 2006
B2355-91064                          11i v2, 11i v3               February 2007
Document Organization
The HP-UX Mailing Services Administrator’s Guide is organized as follows:
Chapter 1   Mailing Services Overview. Provides an overview of the Mail User
            Agents and the Mail Transport Agent implementations in the HP-UX
            11i v2 and HP-UX 11i v3 operating systems.
Chapter 2   Configuring and Administering Sendmail. Describes the various steps
            involved in configuring Sendmail. This chapter also provides a brief
            description of how Sendmail works, the Sendmail configuration file,
            the Sendmail restricted shell (smrsh), and some troubleshooting
            measures for Sendmail.
Related Information
For more information about the Internet Services suite of products, see the following
documents:
• HP-UX Internet Services Administrator’s Guide at:
  http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services
• HP-UX Routing Services Administrator’s Guide at:
  http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services
• HP-UX IP Address and Client Management Administrator’s Guide at:
  http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services
• HP-UX Remote Access Services Administrator’s Guide at:
  http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services
• HP-UX ramD Administrator’s Guide at:
  http://docs.hp.com/en/netcom.html#Routing
• Request for Comments (RFC) at:
  http://www.ietf.org/rfc.html
• Other Documents
  For detailed technical and conceptual information about BIND, as well as
  information about planning a BIND hierarchy and using Sendmail with BIND,
  HP recommends that you read Paul Albitz and Cricket Liu, 2001. DNS and BIND.
  O'Reilly and Associates, Inc.
  For more technical and conceptual information about Sendmail, HP recommends
  that you read Bryan Costales and Eric Allman, 2001. Sendmail, 3rd Edition, O'Reilly
  and Associates, Inc., and Sendmail 8.13 Companion by Bryan Costales.
  The O'Reilly books are available at:
  http://www.ora.com
Typographical Conventions
This document uses the following typographic conventions:
audit(5)        An HP-UX manpage. In this example, audit is the name and 5 is the
                section in the HP-UX Reference. On the web and on the Instant
                Information CD, it may be a link to the manpage itself. From the
                HP-UX command line, you can enter “man audit” or “man 5
                audit” to view the manpage. See man (1).
Book Title      The title of a book. On the web and on the Instant Information CD,
                it may be a link to the book itself.
ComputerOut     Text displayed by the computer.
Command         A command name or qualified command phrase, daemon, file, or
                option name.
$               The system prompt for the Bourne, Korn, and POSIX shells.
#               The superuser prompt.
daemon          Courier font type indicates daemons, files, commands, manpages,
                and option names.
Variable        The name of a variable that you may replace in a command or
                function or information in a display that represents several possible
                values.
[]              The contents are optional in formats and command descriptions. If
                the contents are a list separated by |, you can choose one of the items.
{}              The contents are required in formats and command descriptions. If
                the contents are a list separated by |, you must choose one of the
                items.
(Ctrl+A)        This symbol indicates that you hold down the first named key while
                pressing the key or mouse button that follows the plus.
Bold            The defined use of an important word or phrase.
...             The preceding element can be repeated an arbitrary number of times.
|               Separates items in a list of choices.
HP Welcomes Your Comments
HP welcomes your comments concerning this document. We are committed to providing
documentation that meets your needs. Send your comments or suggestions to:
netinfo_feedback@cup.hp.com
Include the document title, manufacturing part number, and any comment or error
found in this document. Also, include what we did right, so we can incorporate it into
other documents.
1 Mailing Services Overview
Mailers are a set of UNIX® commands that provide command-line interfaces for users
to send and receive messages over the network. These interfaces, which are generally
referred to as Mail User Agents (MUA), communicate with a Mail Transport Agent
(MTA) to send mail messages to the appropriate destination, and receive messages
destined to the end user’s mailbox.
An MUA is a program that allows users to compose and read electronic mail messages.
The MUA provides an interface between the user and the MTA. Outgoing mail is
handed to an MTA for delivery, and incoming messages are collected from the MTA.
An MTA is a program that is responsible for delivering electronic mail messages. Upon
receiving a message from an MUA or another MTA, an MTA stores the message locally,
analyzes the recipients, and either delivers the message (for local addresses) or forwards
the message to another MTA for routing. In either case, the MTA can edit and add to
the message headers.
HP-UX systems use the Sendmail MTA and the elm, mail, and mailx MUAs.
Table 1-1 lists the MTA and MUAs that HP-UX 11i v2 and HP-UX 11i v3 supports.
Table 1-1 MTA and MUAs Supported on HP-UX 11i v2 and HP-UX 11i v3
MTA/MUA
Description
elm
elm is the electronic mail processing system for UNIX. It is designed as an MUA
to run with Sendmail to send or receive messages. The most significant difference
between elm and other mail systems is that it is screen-oriented.
mail/rmail
mail/rmail is a customized HP program used to send remote or local mail. It is
primarily used by Sendmail for local mail delivery.
mailx
mailx is an interactive message processing system that provides a comfortable
and flexible environment for sending and receiving messages electronically.
Sendmail
Sendmail sends a message to one or more recipients or addresses, routing the
message over appropriate networks.
This chapter discusses the following topics:
• elm
• mailx
• mail/rmail
• sendmail
CAUTION: Do not use two separate mail programs simultaneously to access the same
mail file. This may cause unpredictable results.
The elm Utility
The elm utility is based on the public domain elm program. elm is a screen-oriented
Mail User Agent (MUA) for UNIX, designed to run with Sendmail or with any other
UNIX MTA configured on your system.
The elm program is a screen-oriented mail processing system that includes the following
features:
• Support for the industry-wide MIME standard for nontext mail
• A special forms message and forms reply mechanism
• An easy-to-use alias system for individuals and groups
elm operates in three principal modes:
• Interactive mode – Runs as an interactive mail interface program.
• Message mode – Sends a single interactive message to a list of mail addresses
from the command prompt.
• File mode – Sends a file or command output to a list of mail addresses from the
command line or by using redirection.
When elm operates in any of these modes, elm honors the values set in the
$HOME/.elm/elmrc initialization file, elm alias database, and the system elm alias
database.
How elm Works
elm’s screen-oriented mail processing interface displays all the options necessary to
send and compose messages on the screen. You can select the most appropriate option
based on your requirement.
When invoked, elm first displays the main or message menu. elm reads customized
variables from the $HOME/.elm/elmrc file to initialize the parameters. The main
menu displays index entries for the messages in your inbox or selected mail folder.
Among other options, you can read, print, reply to, and forward these messages, as
well as initiate new mail messages to other users. Some commands use a series of
prompts to complete their action. You can use the Ctrl-D keys to cancel their operations.
For a detailed description of all the commands used to edit and send mail messages,
type man 1 elm at the HP-UX prompt.
The elm Configuration File
The elm configuration file, $HOME/.elm/elmrc, defines the initial values for the elm
configuration variables. You can create the configuration file by choosing the o option
(the options menu) in the main menu, which displays a list of all the elm configuration
variables. Choose the appropriate option in the options menu to modify the
configuration variable.
When invoked, elm reads the customized variables from the $HOME/.elm/elmrc file
to initialize the parameters.
The following types of configuration variables are available in the elm configuration
file:
• String – String variables have the following form:
  string-name = string-value
• Numeric – Numeric variables have the following form:
  numeric-name = numeric-value
• Boolean – Boolean variables have the following form:
  boolean-name = ON
  or
  boolean-name = OFF
Some examples of elm variables follow:
N>ames only : OFF
U>ser level : Beginning User
The $HOME/.elm/elmrc file can contain any combination of the string, numeric, and
Boolean variables.
For a detailed description of the numeric, string and boolean variables, type man 1
elm at the HP-UX prompt.
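The following is an added example and is not part of this manual or of elm: a small parser that reads an elmrc-style file and types each value as a string, numeric, or Boolean variable according to the forms described above. The sample file is constructed, and the use of # for comment lines is an assumption about the format.

```python
# Added example: a parser for the elmrc variable forms described above.
# Not part of the HP-UX manual or of elm; the sample file is constructed
# and the '#' comment convention is an assumption about the format.

SAMPLE_ELMRC = """\
# constructed sample of $HOME/.elm/elmrc
fullname = Sample User
maildir = ~/Mail
timeout = 600
userlevel = 0
alwaysdelete = ON
askcc = OFF
"""


def parse_elmrc(text):
    """Return {name: value}, with each value typed as the text describes:
    ON/OFF become bool, integers become int, everything else stays a str."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank line or comment
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'name = value'")
        name, value = (part.strip() for part in line.split("=", 1))
        if not name:
            raise ValueError(f"line {lineno}: empty variable name")
        if value.upper() in ("ON", "OFF"):
            settings[name] = value.upper() == "ON"    # Boolean variable
        elif value.lstrip("-").isdigit():
            settings[name] = int(value)               # numeric variable
        else:
            settings[name] = value                    # string variable
    return settings


def elmrc_type(value):
    """Name the elmrc variable type of a parsed value."""
    return {bool: "boolean", int: "numeric", str: "string"}[type(value)]
```

Because the three types share one name = value syntax, the type is inferred from the value alone; a misspelled ON or OFF therefore silently becomes a string, which is worth checking for when an option appears not to take effect.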
The mailx Utility
mailx is an interactive message processing system. It provides a flexible environment
for sending and receiving messages electronically. mailx provides commands to save,
delete, and reply to messages.
You can use mailx to edit, review, and modify messages. By default, incoming mail
is stored in a standard file called a system mailbox, unless you specify an alternate
mailbox file using the -f option. As incoming messages are read from the system
mailbox, they are marked to be moved to a secondary file for storage. When you exit
from mailx, these marked messages are moved to the secondary storage file. Hence
these messages are not displayed the next time mailx is invoked. Messages remain in
this file until removed explicitly.
During startup, mailx reads commands from a system-wide file,
/usr/share/lib/mailx.rc, to initialize certain parameters. It then applies the
personalized variables in the user-specific startup file, $HOME/.mailrc. When
you invoke mailx, a header summary of all the messages is displayed, followed by a
prompt indicating that mailx is ready to accept commands. Each message is assigned
a sequential number, and the current message (initially the first) is marked by a > in
the header summary.
mailx operates in command mode when you read mail and in input mode when you
send mail. The behavior of mailx is governed by a set of environment variables, flags,
and valued parameters that you can enable and disable using the set and unset
options.
mailx provides a list of options, environment variables, and tilde escape commands.
You can use tilde escape commands only in input mode by beginning a line with the
tilde escape character (~). Environment variables are internal mailx program variables,
and can be imported from the execution environment.
mailx provides native language support (NLS) for processing mails in different
languages. To enable NLS support for a language, the respective language definition
must exist in the HP-UX system. In an NLS environment, mailx depends on the time
zone information defined in the mail header to display the date and time information.
Table 1-2 lists the time zones currently supported by mailx.
Table 1-2 Time Zones Supported by mailx
nst, ast, adt, est, edt, cst, cdt, mst, mdt, pst, pdt, yst, ydt, hst, hdt, gmt, bst,
eet, eest, met, mest, wet, west, jst, aest, aesst, acst, acsst, awst, acdt, at, bt,
btt, Cat, cct, cest, cet, ckt, clst, clt, cot, cut, ect, emt, fst, gst, gt, hfe, ict,
ist, it, kdt, kst, lst, mdt, mpt, msd, msk, mt, mut, pmt, pnt, sst, tmt, tst, ut, wst,
aedt, aft, ahdt, ahst, akdt, akst, amst, amt, anast, anat, art, azost, azst, azt,
badt, bat, bdst, bdt, bet, bnt, bort, bot, bra, chadt, chast, chst, cxt, davt, ddut,
dnt, dst, easst, east, eat, egst, egt, fdt, fjst, fjt, fkst, fkt, fwt, galt, gamt,
gest, get, gft, gilt, gyt, haa, hac, hae, hap, har, hat, hay, hfh, hg, hkt, hna, hnc,
hne, hnp, hnr, hnt, hny, hoe, idle, idlw, idt, iot, irdt, irkst, irkt, irst, irt,
javt, jayt, jt, kgst, kgt, kost, krast, krat, lhdt, lhst, ligt, lint, lkt, magst,
magt, mal, mart, mat, mawt, med, medst, mesz, mewt, mex, mez, mht, mmt, msks, mvt,
myt, nct, ndt, nft, nor, novst, novt, npt, nrt, nsut, nt, nut, nzdt, nzst, nzt, oesz,
oez, omsst, omst, pet, petst, pett, pgt, phot, pht, pkt, pmdt, pont, pwt, pyst, pyt,
r1t, r2t, ret, rok, sadt, sast, sbt, sct, set, sgt, srt, swt, tft, tha, that, tjt,
tkt, tot, trut, tuc, tvt, ulast, ulat, usz1, usz1s, usz18, usz3, usz3s, usz4, usz4s,
usz5, usz5s, usz6, usz6s, usz7, usz7s, usz8, usz8s, usz9, usz9s, utc, utz, uyt, uz10,
uz11s, uz12s, uzt, vet, vlast, vlat, vtz, vut, wakt, wast, wat, wesz, wez, wft, wgst,
wgt, wib, wita, wit, wtz, wut, yakst, yakt, yapt, yekst, yekt, azot, gz
NOTE: mailx displays an incorrect date if it reads an email message with the time
zone information that is not listed in Table 1-2.
For more information about mailx, type man 1 mailx at the HP-UX prompt.
The mail/rmail Utility
You can use mail, a mail user agent, to compose and send messages to users. When
used without arguments, mail displays all the messages, with the most recently
received message first. For each message, mail prints a ? prompt and reads a line
from standard input to determine the disposition of the message. mail exits
automatically after the last message is displayed. It provides a set of command-line
options to alter which messages are printed.
You can use the command mail -e to check for new mail messages. You can also edit
the mailfile to alter the functioning of mail. For example, you can include the
following line in mailfile to forward all mail addressed to the owner to a given
machine or person:
Forward to <person>
This is used especially for forwarding mail to a given machine in a multiple-machine
environment. The Forward option requires read-write group permission and mail
group ID in the mailfile.
Unlike mail, you can use rmail only to send messages. UUCP uses rmail as a security
precaution.
For more information on mail and rmail, type man 1 mail at the HP-UX prompt.
The Sendmail Utility
Sendmail acts as a post office, to which all messages can be submitted for routing.
Sendmail interprets both Internet (that is, user @domain) and UUCP (that is, host
!user) styles of addressing. The Sendmail configuration file controls how the addresses
are interpreted. Sendmail can rewrite message addresses to conform to standards on
many common target networks. Sendmail 8.13.3 for HP-UX 11i v3 is an HP
implementation of publicly available Sendmail 8.13.3. HP provides support for the
features documented in this chapter and in the sendmail (1M) manpage.
When Sendmail starts in the daemon mode, it listens both on the normal port 25 for
incoming SMTP connections and on port 587 for the local submission of mail messages.
The latter is a Mail Submission Agent (MSA) (RFC 2476) and requires that Mail User
Agents (MUAs) be explicitly coded to use port 587 for local submission of mail directly
to the Sendmail daemon.
When Sendmail is executed independently or invoked from an MUA to process locally
submitted mail, it acts as a Mail Submission Program (MSP). The MSP accepts and
processes the submitted mail messages as a non-superuser and queues them separately.
After processing, MSP delivers the submitted mail messages to the Sendmail MTA
daemon, using the SMTP protocol through port 25. The /etc/mail/submit.cf file
assumes that the Sendmail MTA daemon is running on the local host. The
/etc/mail/sendmail.cf file is the default configuration file for the Sendmail MTA
daemon. The /etc/mail/submit.cf file is the default configuration file for the
Sendmail MSP daemon. You can use the
/usr/newconfig/etc/mail/cf/cf/gen_cf script to generate the
/etc/mail/sendmail.cf and /etc/mail/submit.cf files. For more information
on the /usr/newconfig/etc/mail/cf/cf/gen_cf script, see “The
/usr/newconfig/etc/mail/cf/cf/gen_cf Script” (page 52).
When the Sendmail MTA daemon starts, an additional Sendmail MSP queue-processing
daemon also starts by default. The MSP queue daemon does not listen on any socket.
It only periodically scans the MSP mail queues for any mail messages accepted by MSP
that is not forwarded to the Sendmail MTA daemon.
For more technical and conceptual information about Sendmail, HP recommends that
you read Bryan Costales and Eric Allman, 2001. Sendmail, 3rd Edition, O'Reilly and
Associates, Inc. You can also refer to the Sendmail 8.13 Companion by Bryan Costales.
For information about using Sendmail with BIND, HP recommends that you read DNS
and BIND, by Paul Albitz and Cricket Liu, also published by O’Reilly and Associates,
Inc.
You can get information about the O’Reilly books (availability, how to order them, and
so on) by visiting the O’Reilly website:
http://www.oreilly.com
You also can visit the website for Sendmail:
http://www.sendmail.org
NOTE:
All references to the term Sendmail in this document refer to Sendmail 8.13.3.
This section discusses the following topics:
• “Message Structure” (page 23)
• “How Sendmail Collects Messages” (page 24)
• “How Sendmail Routes Messages” (page 24)
• “Defining Queue Groups” (page 29)
• “How Sendmail Improves Mail Queue Performance” (page 32)
• “Default Client/Server Operation” (page 33)
• “How Sendmail Handles Errors” (page 34)
Message Structure
A message has three parts: an envelope, a message header, and a message body.
The envelope consists of the sender address, recipient address, and routing information
shared by programs that create, route, and deliver the message. It is usually not seen
directly by either the sender or the recipients of the message.
The message header consists of a series of standard text lines used to incorporate
address, routing, date, and other information into the message. Header lines may be
part of the original message and may also be added or modified by the various mail
programs that process the message. Header lines may or may not be used by these
programs as envelope information.
By default, the first blank line in the message terminates the message header. Everything
that follows is the message body and is passed uninterpreted from the sender to the
recipient.
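The following is an added example, not code from this manual or from Sendmail: it splits a message into its header and body at the first blank line, as described above, and joins folded (continuation) header lines. The message text is constructed; the Received line and its queue ID are made up for the example.

```python
# Added example: separate a message into header fields and body at the first
# blank line and unfold continuation lines.  Not part of the manual or of
# sendmail; the sample message below is constructed.

SAMPLE_MESSAGE = (
    "Received: from mailclient (mailclient.company.com [192.0.2.25])\r\n"
    "\tby mailserv.company.com (8.13.3/8.13.3) with ESMTP id k1ABCDE0123\r\n"
    "From: user1@mailserv.company.com\r\n"
    "To: user2@mailserv.company.com\r\n"
    "Subject: test\r\n"
    "\r\n"
    "From: this line is body text, not a header\r\n"
    "\r\n"
    "second paragraph\r\n"
)


def split_message(raw):
    """Return (headers, body).  headers is a list of (name, value) pairs with
    folded continuation lines joined; body is passed through untouched."""
    lines = raw.split("\r\n")
    headers = []
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "":                         # first blank line ends the header
            break
        if line[0] in " \t":                   # continuation of the previous field
            if not headers:
                raise ValueError("continuation line before any header field")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    body = "\r\n".join(lines[i:])              # everything after the blank line
    return headers, body


def header(headers, name):
    """First value of the named field (case-insensitive), or None."""
    for field, value in headers:
        if field.lower() == name.lower():
            return value
    return None
```

Note that the second From: line is left in the body untouched: once the blank line has been seen, nothing that follows is interpreted as a header, which is the property the text describes.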
How Sendmail Collects Messages
Sendmail receives messages through any of the following methods:
• A user agent calls Sendmail to route a piece of mail. User agents supported by HP
for use with Sendmail are elm, mail, and mailx.
• A Sendmail daemon or other mail program calls Sendmail to route a piece of mail
received from the network or the mail queue.
• A user invokes Sendmail directly from the command line.
How Sendmail Routes Messages
Sendmail routes messages as follows:
1. Rewrites the recipient and sender addresses given to it, to comply with the
standards of the target network.
2. If necessary, adds lines to the message header to enable the recipient to reply.
3. Passes the mail to one of several specialized delivery agents for delivery.
Figure 1-1 outlines the flow of messages through Sendmail.
After Sendmail collects a message, it routes the message to each of the specified recipient
addresses. In order to route a message to a particular address, Sendmail must resolve
that address to a {delivery agent, host, user} triple. This resolution is based on
the rules defined in the Sendmail configuration file, /etc/mail/sendmail.cf.
Sendmail invokes a separate delivery agent for each host to which messages are being
routed. Some delivery agents can accept multiple users in a given invocation. Others
must be invoked separately for each recipient. Delivery agents that HP supports for
use with Sendmail include SMTP, UUCP, X.400, and OpenMail.
To invoke a delivery agent, Sendmail constructs a command line according to a template
in the configuration file. If the delivery agent is specified as IPC, Sendmail does not
invoke an external delivery agent. Instead, Sendmail opens a TCP/IP connection to the
SMTP server on the specified host and transmits the message using SMTP.
Figure 1-1 Flow of Mail Through Sendmail
[Figure not reproduced.]
If an address resolves to the local mailer, Sendmail looks up the address in its alias
database and expands it appropriately if it is found. The aliasing facility or a user’s
.forward file can be used to route mail to programs and to files. (Sendmail does not
mail directly to programs or files.) Mail to programs is normally piped to the prog
mailer (/usr/bin/sh -c), which executes the command specified in the alias or
.forward file definition. (You can restrict the programs that can be run through the
aliases or .forward files. See “Security” (page 72) for more information.) Mail to
a file is directly appended to the file by Sendmail if certain conditions of ownership
and permission are met.
After expanding all the aliases, Sendmail routes mail that is addressed to a local user
to the local mailer (/usr/bin/rmail), which deposits the message in the user’s
mailbox.
Default Routing Configuration
The installed configuration file, if unmodified, routes mail depending on the syntax of
the recipient addresses as described in the following sections.
Local Addresses:
The following forms are recognized as local addresses and are delivered locally:
user
user@localhost
user@localhost.localdomain
user@alias
user@alias.localdomain
user@[local_host’s_internet_address]
localhost!user
localhost!localhost!user
user@localhost.uucp
UUCP Addresses:
Addresses of the following forms are recognized as UUCP addresses, where host is
not the local host name:
host!user
host!host!user
user@host.uucp
If your host has a direct UUCP connection to the next host in the path, the mail is
delivered to that host through UUCP. If not, the message is returned with an error. The
supplied configuration file provides detailed instructions for arranging to relay such
mail through hosts to which you can connect.
SMTP Addresses:
RFC 2822-style addresses in any of the following forms, where host is not the local
host name, are routed by SMTP over TCP/IP:
user@host
user@host.domain
<@host,@host2,@host3:user@host4>
user@[remote_host’s_internet_address]
If the name server is in use, Sendmail requests mail exchanger (MX) records for the
remote host. If there are any, it attempts to deliver the mail to each of them, in the order
of preference, until delivery succeeds.
Otherwise, Sendmail connects directly to the recipient host and delivers the message.
Mixed Addresses:
The supplied configuration file interprets address operators with the following
precedence:
@, !, %
This means that recipient addresses using mixtures of these operators are resolved as
shown in Table 1-3.
Table 1-3 How Sendmail Resolves Addresses with Mixed Operators
Address            Mailer   Host    User                Recipient
user%hostA@hostB   TCP      hostB   user%hostA@hostB    user@hostA
user!hostA@hostB   TCP      hostB   hostA!user@hostB    hostA!user
hostA!user%hostB   UUCP     hostA   user@hostB          user@hostB
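The following is an added example, not code from this manual or from Sendmail: a toy model of the routing rules in the preceding sections. resolve() turns a recipient address into the {mailer, host, user} triple the text describes, recognizing the local, UUCP, and SMTP address forms listed above and applying the operator precedence @ before ! before %. The local host name (bling), domain (paf.edu), alias (mailhub), and IP address are assumptions made for the example; the real rules live in /etc/mail/sendmail.cf.

```python
# Added example: a model of the address-resolution rules described above.
# Not part of the HP-UX manual or of sendmail.  The local host name, domain,
# alias and IP address below are assumptions made for the example.

LOCAL_HOST = "bling"            # assumed local host name
LOCAL_DOMAIN = "paf.edu"        # assumed local domain
LOCAL_ALIASES = {"mailhub"}     # assumed extra names this host answers to
LOCAL_IP = "192.0.2.10"         # assumed address, from the RFC 5737 test range


def is_local_host(host):
    """True for every host form the text lists as a local address."""
    h = host.lower()
    names = {LOCAL_HOST, "localhost"} | LOCAL_ALIASES
    if h in names or h == f"[{LOCAL_IP}]":
        return True
    return any(h in (f"{n}.{LOCAL_DOMAIN}", f"{n}.uucp") for n in names)


def resolve(addr):
    """Return the (mailer, host, user) triple for a recipient address."""
    addr = addr.strip()
    # RFC 2822 source route <@h1,@h2:user@h3>: hand the remainder to hop 1
    if addr.startswith("<@") and addr.endswith(">"):
        route, _, final = addr[1:-1].partition(":")
        hops = route.split(",")
        rest = ",".join(hops[1:])
        user = f"<{rest}:{final}>" if rest else final
        return ("TCP", hops[0][1:], user)
    if "@" in addr:                              # @ binds tightest
        user, host = addr.rsplit("@", 1)
        if is_local_host(host):
            # our own name is stripped; whatever is left is resolved again
            if "!" in user or "%" in user:
                return resolve(user)
            return ("local", LOCAL_HOST, user)
        return ("TCP", host, user)
    if "!" in addr:                              # then UUCP bang paths
        host, _, rest = addr.partition("!")
        if is_local_host(host):
            return resolve(rest)
        if "%" in rest:                          # % becomes @ at the next hop
            u, h = rest.rsplit("%", 1)
            rest = f"{u}@{h}"
        return ("UUCP", host, rest)
    if "%" in addr:                              # % binds loosest: user%host
        user, host = addr.rsplit("%", 1)
        return resolve(f"{user}@{host}")
    return ("local", LOCAL_HOST, addr)
```

The last assertion in the test below is the one to keep in mind: user%other@localhost resolves to an SMTP delivery to other, so a host that accepts the % operator from anyone relays mail for anyone. This is why the % hack and bang paths are the first things checked when auditing a relay configuration.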
Mail Exchanger (MX) Records
The BIND name server, if it is in use on your host, provides MX records. These can be
used to notify Sendmail that mail for a particular host can be relayed by another host,
if the addressed host is temporarily down or otherwise inaccessible. For information
on creating MX records, see HP-UX IP Address and Client Management Guide at:
http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services
MX records are used only if a message address resolves to an IPC mailer (that is, one
that uses SMTP over sockets to perform delivery). Instead of attempting to connect
directly to the recipient host, Sendmail first queries the name server, if it is running,
for MX records for that host. If the name server returns any answer, Sendmail sorts them
in preference order, highest preference (lowest number) first. If the local host appears
in the list, the local host and any MX hosts with lower preference (higher numbers) are
removed from the list. If any MX hosts remain, Sendmail then tries to connect to each
MX host in the list in order, and it delivers the message to the first MX host to which it
successfully connects. If that MX host is not the final destination for the message, it is
expected that the host will relay the message to its final destination.
If Sendmail tries all the MX hosts in the list and fails, the message is returned to the
sender with an error message. If you want Sendmail to try to connect to the host to
which the message is addressed, uncomment the following line in the
/etc/mail/sendmail.cf file:
TryNullMXList
Sendmail then tries to connect to the host to which the message is addressed, if any of
the following conditions occur:
• The name server returns no MX records.
• The name server is not running.
• The local host is the highest preference mail exchanger in the list.
At log level 11 and above, Sendmail logs in the system log the name and Internet
address of the MX host (if any) to which it delivered (or attempted to deliver) a message.
MX records are used for two main purposes:
• To provide a backup for a host by having another host receive its mail when it is
down
• To arrange for mail addressed to remote networks to be relayed through the
appropriate gateways
In the following example, the name server serving the domain paf.edu has the
following MX records configured to provide backup for host bling:
;name    ttl   class   MX   preference   mail exchanger
bling          IN      MX   0            bling.paf.edu.
               IN      MX   20           wheo.paf.edu.
               IN      MX   30           munch.paf.edu.
Normally, mail for bling will go directly to bling. However, if bling is down, or if
the sending host cannot connect to bling, Sendmail will route mail for bling to wheo.
If wheo is also down or unreachable, Sendmail will route the mail to munch. Naturally,
for this to be useful, wheo and munch must be able to route mail to bling.
Assuming that the host and its mail exchangers see the same MX data from the name
server, each host that has MX records should have an MX record for itself, and the
preference on its own record should be the highest (that is, the lowest number) in the
list.
The following example relays messages through a gateway:
;name    ttl   class   MX   preference   mail exchanger
*.nz.          IN      MX   0            gw.dcc.nz.
Messages addressed to hosts in the nz domain are relayed to the host gw.dcc.nz. HP
recommends that you seek permission from the administrators of hosts not under your
own control before relaying mail through them.
MX Failures:
Several possible failures are associated with MX configuration:
• The name server query for MX records fails.
The query fails because no MX records exist for the target host or because the name
server is not running. You can set the TryNullMXList option in the
/etc/mail/sendmail.cf file if you want Sendmail to always try to connect to
the host to which the message is addressed.
If the query fails temporarily (that is, h_errno is set to TRY_AGAIN), the message
is queued. The possible values of h_errno are documented in the header file
/usr/include/netdb.h.
• Connection attempts to the hosts in the MX list all fail.
Sendmail reports the failure attempting to connect to the last MX host (that is, the
highest preference value) in the list that it tried. For example, with mail exchangers
configured as in the paf.edu example earlier, if the attempts to connect to bling
and wheo result in temporary failures, but the attempt to connect to munch fails
permanently, the message is returned as an error. If the attempts to connect to
bling and wheo result in permanent failures, but the attempt to connect to munch
fails temporarily, the message is queued.
• A host cannot deliver a message to another host for which it is a mail exchanger.
This failure is handled as a normal delivery failure, either by the mail exchanger
host or by the host sending to the mail exchanger.
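The following is an added example and not code from this manual or from Sendmail. It models two things described above: the MX selection rules under “Mail Exchanger (MX) Records” (sort by preference, drop the local host and anything below it, fall back to the addressed host only with TryNullMXList) and the queued-versus-returned outcome under “MX Failures”, which is decided by the failure type of the last exchanger tried. The MX data reuses the paf.edu hosts from the text; the connection outcomes and the sending host name are constructed. Treating an exchanger with the same preference as the local host as “not better” is an assumption the text does not spell out.

```python
# Added example: a model of the MX selection rules and of the queued-versus-
# returned outcome described in the two sections above.  Not part of the
# manual or of sendmail; MX data and connection outcomes are constructed.

LOCAL_HOST = "sender.example"   # assumed: the host running this code


def _norm(host):
    return host.lower().rstrip(".")


def mx_candidates(target, mx_records, local_host=LOCAL_HOST, try_null_mx=False):
    """Return the exchangers to try for target, best first.

    mx_records is a list of (preference, exchanger) tuples, an empty list when
    no MX records exist, or None when the name server could not be queried.
    """
    if not mx_records:
        # no records or no name server: the text says only TryNullMXList
        # makes Sendmail fall back to the addressed host itself
        return [target] if try_null_mx else []
    ordered = sorted(mx_records)                 # lowest number = most preferred
    for pref, host in ordered:
        if _norm(host) == _norm(local_host):
            # drop ourselves and every exchanger that is no better than us;
            # equal preference is treated as "not better" (an assumption)
            ordered = [(p, h) for p, h in ordered if p < pref]
            break
    hosts = [h for _, h in ordered]
    if not hosts and try_null_mx:
        return [target]          # we are the best exchanger; try the host directly
    return hosts


def attempt_delivery(hosts, outcomes):
    """Try each exchanger in order.  outcomes maps host -> 'ok', 'temp' or
    'perm' and stands in for the real connection attempt.  Returns
    'delivered', 'queued' or 'returned'."""
    if not hosts:
        return "returned"
    last = None
    for host in hosts:
        result = outcomes.get(host, "temp")      # unknown host: treat as temporary
        if result == "ok":
            return "delivered"
        last = result
    # the failure type of the last host tried decides the message's fate
    return "queued" if last == "temp" else "returned"


# the paf.edu records from the text, as the name server would return them
PAF_MX = [(0, "bling.paf.edu."), (20, "wheo.paf.edu."), (30, "munch.paf.edu.")]
```

The local_host argument lets you view the same records from each host's point of view: wheo sees only bling as a candidate, and bling sees nothing unless TryNullMXList is set, which is the situation the text describes as the list being emptied by the local host's own entry.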
Defining Queue Groups
You can define queue groups according to the selected criteria, and process each group
with custom settings. The rule sets then select the queue group to which the recipient
of a message must belong.
You can use the -qGgroupname command-line option to restrict a queue run, or the
mailq display, to a particular queue group.
The Default Queue Group
Sendmail offers a method to define multiple queue directories and a method to group
them by function or speciality. Sendmail contains a special queue group called mqueue,
for compatibility with older versions of Sendmail. This is the default queue group. It
inherits all the properties of all the -q commands and all the queue options.
When you declare additional queue groups, they inherit all their properties from the
default group, unless you override a particular property with a specific equate. Table 1-4
describes the equates and the command-line arguments or options the queue groups
can override.
Table 1-4 Q Configuration Command Equates
Equate             Overrides Command-Line Switch/Option   Description
Flags= (F=)        -qf                                    Specifies fork queue runs.
Interval= (I=)     -qInterval                             Specifies the interval between queue runs.
Jobs= (J=)         MaxQueueRunSize                        Specifies the maximum number of envelopes per queue run.
Nice= (N=)         NiceQueueRun                           Specifies how to renice(3) the queue run.
Path= (P=)         QueueDirectory                         Specifies the queue directory or directories.
recipients= (r=)   MaxRecipientsPerMessage                Specifies the maximum recipients per envelope.
Runners= (R=)      MaxRunnersPerQueue                     Specifies the maximum queue processors per queue group.
The Q Configuration Command
You can define queue groups using the Q configuration command, which specifies the
name of the queue group and the sequence of equates. Following is the syntax for the
Q command:
Qgroupname, equates
You must not insert a space between Q and the groupname. The equates are optional;
if present, they must follow the name of the queue group and be separated from it,
and from each other, by a comma, whitespace, or both.
The equates are formed by selecting one of the keywords shown in the first column of
Table 1-4, and by following the keyword with an equal sign and the value you want
to assign to that key letter. Sendmail reads only the first letter. Therefore, you can use
the shorthand shown in parenthesis in Table 1-4. The first letter is case sensitive, that
is, R and r are different.
For example, the following two commands are equivalent. Each declares a queue directory
(Path= and P=) and a queue processing interval of 10 minutes (Interval= and I=):
Qslowmail, Path=/disk1/mail/slowqueues, Interval=10m
Qslowmail, P=/disk1/mail/slowqueues, I=10m
Using queuegroups Through the access Database
To select queue groups based on recipient addresses or recipient domains, enable
the queuegroup feature through the gen_cf main menu.
After enabling the queuegroup feature, add lines such as the following to the
source file for your access database:
QGRP:slow-poke.com      slowgroup
QGRP:root@notify.com    fastgroup
QGRP:your.domain        localgroup
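The following is an added example, not code from this manual or from Sendmail. It parses Q configuration commands according to the rules given above (no space after Q; equates separated by commas, whitespace, or both; only the first letter of an equate is read, case-sensitively; unspecified properties inherited from the default group) and then picks a queue group for a recipient from QGRP-style access entries. The default-group values and the access entries are constructed, and looking up the full address first and then each parent domain is an assumption about how the access map is searched.

```python
import re

# Added example: a parser for the Q configuration command and a queue-group
# lookup against QGRP: access entries, as described above.  Not part of the
# manual or of sendmail; the lines parsed below are constructed.

# first letter of each equate -> property, from Table 1-4 (case sensitive)
EQUATES = {"F": "flags", "I": "interval", "J": "jobs", "N": "nice",
           "P": "path", "r": "recipients", "R": "runners"}

# properties of the default queue group; the values here are assumptions
DEFAULT_GROUP = {"name": "mqueue", "path": "/var/spool/mqueue",
                 "interval": "30m", "flags": "", "jobs": None,
                 "nice": None, "recipients": None, "runners": None}


def parse_q_command(line, default=DEFAULT_GROUP):
    """Return the queue group defined by one Q line as a dict; every
    property not set by an equate is inherited from the default group."""
    if len(line) < 2 or line[0] != "Q" or line[1] in ", \t":
        raise ValueError(f"bad Q command (no space allowed after Q): {line!r}")
    tokens = [t for t in re.split(r"[,\s]+", line[1:].strip()) if t]
    group = dict(default)
    group["name"] = tokens[0]
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"equate without '=': {token!r}")
        prop = EQUATES.get(key[0])         # only the first letter is read
        if prop is None:
            raise ValueError(f"unknown equate {key!r} in {line!r}")
        group[prop] = value
    return group


def q_command_ok(line):
    """True if parse_q_command accepts the line."""
    try:
        parse_q_command(line)
        return True
    except ValueError:
        return False


# constructed access entries (the QGRP: tag stripped), modelled on the
# example lines in the text
ACCESS = {"slow-poke.com": "slowgroup",
          "root@notify.com": "fastgroup",
          "your.domain": "localgroup"}


def select_queue_group(recipient, access=ACCESS, default=DEFAULT_GROUP["name"]):
    """Look up the full address first, then the domain and each parent
    domain (the order sendmail's access map is searched is an assumption)."""
    addr = recipient.lower()
    _, _, domain = addr.rpartition("@")
    labels = domain.split(".") if domain else []
    keys = [addr] + [".".join(labels[i:]) for i in range(len(labels))]
    for key in keys:
        if key in access:
            return access[key]
    return default
```

Because only the first letter of an equate is significant, Runners= and recipients= differ only in case; the test below checks that R=5 r=20 sets the two different properties, which is the mistake most likely to go unnoticed when the two are confused.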
Queue Group Limitations
You can define the default queue group (mqueue) using the options and the command
line. If the Q configuration command does not have an equate, the queue group inherits
the property defined by the default queue group. Following are the default queue
group properties:
• DeliveryMode option
• FastSplit option
• MaxQueueChildren option
• MinQueueAge option
• -qI, -qR, and -qS command-line switches
• QueueFactor, QueueLA, RefuseLA, and RecipientFactor options
• QueueFileMode option
• Timeout.queuereturn and Timeout.queuewarn options
These properties do not have equivalent equates. All queue groups inherit these
properties; you cannot override them with a queue-group equate.
Connection Caching
While processing a queue in the IPC and LPC connections, Sendmail retains the last
few open connections in open state to avoid startup and shutdown costs.
While attempting to open a connection, Sendmail searches the cache. If Sendmail finds
an open connection, it sends an RSET command to probe whether the open connection
is still active. If this fails, it is not considered an error; instead, the connection is closed
and re-opened.
The following parameters control the connection cache:
• The ConnectionCacheSize (k) option defines the number of simultaneous open
connections that are permitted. If this option is set to 0 (zero), connections are
closed as quickly as possible. This value limits the amount of system resources
that Sendmail uses during queue runs. The default value is one. Set this value
according to your system size, and do not set ConnectionCacheSize to a value
greater than 4.
• The ConnectionCacheTimeout (K) option specifies the maximum time that any
cached connection is permitted to remain idle. When the idle time exceeds this
value, the connection is closed. Keep this value small (less than 10 minutes) to
prevent Sendmail from tying up resources on other hosts. The default
ConnectionCacheTimeout value is 5 minutes.
How Sendmail Improves Mail Queue Performance
Mail queue performance depends on the number of entries in the queue directories:
opening a file in a UNIX directory becomes noticeably slower once the directory holds
more than about 100 entries. The multiple queue directories feature improves queue
performance by spreading the load across several directories, which can be placed on
different disks, so that queued mail is processed in parallel.
In order to use multiple directories, you must supply the QueueDirectory option in
the sendmail.cf file with a value ending with *.
For example, if you specify the following in the configuration file, all the directories or
links to directories that begin with g will be used:
O QueueDirectory=/var/spool/mqueue/g*
If there are five directories, g1, g2, g3, g4, and g5, Sendmail uses all five directories
when the Sendmail daemon is restarted. Mail is randomly assigned to the queue
directories. Do not change the queue directory structure when Sendmail is running.
You can flush individual mail queues by specifying the following on the command
line:
sendmail -q -O QueueDirectory=/var/spool/mqueue/g1
sendmail -q -O QueueDirectory=/var/spool/mqueue/g3
You can use the mailq command to display the mail queue, as shown in the following
example:
# mailq
/var/spool/mqueue/g1 is empty
/var/spool/mqueue/g2 (1 request)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
gBJ2va02544          5 Wed Dec 18 21:57 root
                                         root
/var/spool/mqueue/g3 is empty
        Total Requests: 1
This release also provides an efficient queue file-naming scheme. The naming
algorithm ensures that queue file names remain unique for 60 years, and queued
items can be moved between queues with ease.
Default Client/Server Operation
This section describes the operation of Sendmail servers and clients. Figure 1-2 shows
a Sendmail server called mailserv and a Sendmail client called mailclient in the
company.com domain. On mailclient, the SENDMAIL_SERVER_NAME in the
/etc/rc.config.d/mailservs file is set to mailserv.company.com. user1 is
a user on mailclient.
Figure 1-2 Sendmail Client-Server Operation
[Figure not reproduced. It shows the company.com domain containing mailserv and
mailclient, with user1 on mailclient. Local mail flows between mailclient users and
mailserv; incoming remote mail from the Internet addressed to
user1@mailserv.company.com arrives at mailserv and is passed on as mail for
user1@mailclient; outgoing remote mail from user1 leaves for the Internet as
user1@mailserv.company.com.]
Outgoing mail from user1 can be local mail that is intended for any user on
mailclient. Local mail is forwarded to mailserv; you specify this by setting the
DH macro entry in the /etc/mail/sendmail.cf file on mailclient. (The Sendmail
installation script sets the DH macro value to the host specified by
SENDMAIL_SERVER_NAME.) Outgoing mail that is not local is sent by mailclient to
the remote host using MX records. Because the DM macro entry in the
/etc/mail/sendmail.cf file on mailclient is set to mailserv.company.com,
mail from user1 appears to be from user1@mailserv.company.com.
Because mail sent to remote hosts from user1 is sent from
user1@mailserv.company.com, replies to user1’s messages are returned to
mailserv. On mailserv, when Sendmail receives mail for user1, it looks up user1
in the aliases database and redirects mail for user1 to user1@mailclient.
You can modify Sendmail server and client operations. Most modifications involve
changing or re-creating the /etc/mail/sendmail.cf file on the server or client
systems. For example, you can define the DM macro on a mail server system. You can
also modify the /etc/mail/sendmail.cf file so that the clients relay all outbound
mail to the server; this is described in “Modifying the Default Sendmail Configuration
File” (page 43).
How Sendmail Handles Errors
By default, Sendmail immediately reports to standard output any errors that occur
during the routing or delivery of a message. Sendmail distinguishes between temporary
failures and permanent failures.
Permanent failures are mail transactions that are unlikely to succeed without the
intervention of the sender or a system administrator. For example, mailing to an
unknown user is a permanent failure. A delivery failure of the local mailer because the
file system is full is also a permanent failure.
Temporary failures are mail transactions that might succeed if retried later. For example,
a connection refused error displayed while attempting to connect to a remote SMTP
server is a temporary failure, because it probably means that the server is temporarily
not running on the remote host.
How Sendmail Handles Permanent Failures
Permanent failures include the following:
• Temporary failures that have remained in the mail queue for the queue timeout
  period (set with the Timeout.queuereturn option in the
  /etc/mail/sendmail.cf file), which is normally five days.
• Local recipient user unknown.
• The recipient address cannot be resolved by the configuration file.
• Permanent delivery agent (mailer) failures.
• Inability to find an Internet address for a remote host.
• A remote SMTP server reports an address is undeliverable during the SMTP
  transaction.
In most cases, if message delivery fails permanently on a remote system, mail that
includes a transcript of the failed delivery attempt and the undelivered message is
returned to the sender. This transcript includes any standard error output from the
delivery agent that failed.
If Sendmail tries all MX hosts in its preference list and fails to deliver a message, the
message is returned to the sender with an error message. For more information, see
“Mail Exchanger (MX) Records” (page 27).
If delivery failed on an alias, and an owner is configured for that alias in the aliases
database, Sendmail returns the message and transcript to the alias owner.
If the message header contains an Errors-To: header line, Sendmail returns the
message and transcript to the address on the Errors-To: line instead of to the sender’s
address.
If the Postmaster Copy option (option P) is set to a valid address, Sendmail sends a
copy of the transcript and failed message (with the message body deleted) to the
Postmaster Copy address.
If the attempt to return the failed message itself fails, Sendmail returns the message
and transcript to the alias postmaster on the local system. The postmaster alias in
the default alias file (/usr/newconfig/etc/mail/aliases) resolves to root.
If Sendmail is unable to return the message to any of the addresses described previously,
as a last resort it appends the error transcript and returned message to the file
/var/tmp/dead.letter.
Finally, if this fails, Sendmail logs the failure and leaves the original failed message in
the mail queue so that a future queue-processing daemon will try to send it. If this fails,
an error message is returned again.
How Sendmail Handles Temporary Failures
Messages that fail temporarily are saved in the mail queue and retried later. By default,
the mail queue is stored in the directory /var/spool/mqueue. Sendmail saves the
message components in two files created in the mail queue directory. The message
body is saved in a data file, and the envelope information, the header lines, and the
name of the data file are saved in a queue control file.
Typically, the Sendmail daemon is run with the -q time_interval option, as in the
following example:
/usr/sbin/sendmail -bd -q30m
In this example, every 30 minutes, Sendmail processes any messages currently in the
queue.
While processing the queue, Sendmail first creates and sorts a list of the messages in
the queue. Sendmail reads the queue control file for each message to collect the
preprocessed envelope information, the header lines, and the name of the data file
containing the message body. Sendmail then processes the message just as it did when
it was originally collected.
If Sendmail detects, from the time stamp in a queued message, that the message has
been in the mail queue longer than the queue timeout, it returns the message to the
sender. The queue timeout is set with the Timeout.queuereturn option in the
/etc/mail/sendmail.cf file and, by default, is five days.
2 Configuring and Administering Sendmail
This chapter describes Sendmail, the Internet Services mail routing utility provided on
the HP-UX operating system. Sendmail relays incoming and outgoing mail messages
to the appropriate programs for delivery and further routing. Sendmail allows you to
send mail and to receive mail messages from other hosts on a local area network or
through a gateway.
This chapter contains the following sections:
• “Configuring Sendmail” (page 37)
• “Modifying the Default Sendmail Configuration File” (page 43)
• “Creating Sendmail Aliases” (page 59)
• “Creating Domain-Specific Aliasing Using Virtual Hosting” (page 66)
• “Sendmail and the LDAP Protocol” (page 67)
• “Security” (page 72)
• “Configuring Sendmail to Reject Unsolicited Mail” (page 81)
• “Turning Off Virtual Interfaces” (page 91)
• “Troubleshooting Sendmail” (page 92)
NOTE: You cannot use the HP System Management Homepage (HP SMH) to install,
configure, or enable Sendmail on the HP-UX operating system.
Configuring Sendmail
Sendmail is packaged with the core HP-UX operating system. When you install the
operating system, Sendmail is automatically installed on your system. The necessary
files required for Sendmail operation are created or modified on your system. The
Sendmail configuration file supplied with the operating system, sendmail.cf, will
work without modifications for most installations.
Therefore, you only need to perform a few tasks to configure Sendmail:
• Set up Sendmail servers to run with NFS.
• Configure and start Sendmail clients.
• Verify that Sendmail is running properly.
This section discusses the following topics:
• “Configuring Sendmail on a Standalone System” (page 38)
• “Configuring Sendmail on a Mail Server” (page 39)
• “Configuring Sendmail on a Mail Client” (page 39)
• “Verifying your Sendmail Installation” (page 41)
NOTE: HP recommends that you use Sendmail with the BIND name server. The
BIND name server must have a mail exchanger (MX) record for every host in every
domain that it serves. For more information on how Sendmail uses MX records, see
“Mail Exchanger (MX) Records” (page 27).
Configuring Sendmail on a Standalone System
When Sendmail is installed, it is automatically configured to send and receive mail
messages for users on the local system only. The standalone system processes all
outbound mail and establishes connections to the message destination host or to the
MX hosts. Because the Sendmail daemon is invoked automatically when a system is
rebooted, no system files need to be modified.
The installation script makes the following configuration changes:
• Sets the SENDMAIL_SERVER variable in the /etc/rc.config.d/mailservs
  file to 1. This ensures that the Sendmail daemon is started whenever you reboot
  your system or run the Sendmail startup script.
• Creates /etc/mail/sendmail.cf and /etc/mail/aliases files with default
  configurations. These files are created with root as the owner and other as the
  group. The permissions for /etc/mail/aliases and /etc/mail/sendmail.cf
  are set to 0640 and 0444, respectively.
  NOTE: If the /etc/mail/sendmail.cf file already exists, the existing file is
  saved to /etc/mail/#sendmail. If the /etc/mail/aliases file already exists,
  the Sendmail installation script does not recreate the aliases file.
• Creates the /etc/mail/sendmail.cw file that contains the host name and the
  fully qualified host name for the system. For example, the system dog in the domain
  hp.com contains the following entries in the sendmail.cw file:
  dog
  dog.hp.com
• Finally, the installation script issues the following command to run the Sendmail
  startup script:
  /sbin/init.d/sendmail start
  The Sendmail startup script generates the aliases database from the
  /etc/mail/aliases source file. The generated database is located in the
  /etc/mail/aliases.db file.
The Sendmail startup script then invokes the Sendmail daemon by issuing the
following command:
/usr/sbin/sendmail -bd -q30m
By using the -q30m option, Sendmail processes the mail queue every 30 minutes.
For more information about Sendmail’s command line options, type man 1M
sendmail at the HP-UX prompt.
Configuring Sendmail on a Mail Server
This section describes how to configure a system to allow users on other (client) systems
to use Sendmail.
The mail server receives mail for local users and for the users on client systems. Users
on client systems mount the mail directory from the server and read or access mail
over an NFS link. For more information on how Sendmail clients and servers work,
see “Default Client/Server Operation” (page 33).
The Sendmail installation script performs the configuration changes that are described
in “Configuring Sendmail on a Standalone System” (page 38). To set up the system as
an NFS server and allow the Sendmail clients to read and write to the /var/mail
directory, do the following:
1. Ensure that all mail users have accounts on the mail server and that their user IDs
   and group IDs on the mail server are the same as on the client machines. (This step
   is not necessary if you are using NIS and your mail server is in the same NIS
   domain as the clients.)
2. Use a text editor to set the NFS_SERVER variable to 1 in the
   /etc/rc.config.d/nfsconf file.
3. Use a text editor to add the following line to the /etc/exports file:
   /var/mail -access=client1,client2,...
   where each mail client is listed in the access list. If the /etc/exports file does
   not exist, you must create it.
4. Issue the following command to run the NFS startup script:
   /sbin/init.d/nfs.server start
For more information on NFS, see NIS Administrator's Guide, at the URL
http://docs.hp.com/en/netcom.html.
Configuring Sendmail on a Mail Client
Sendmail clients do not receive mail on their local system, but receive mail on the mail
server. User mail directories reside on the server, and users read their mail over an
NFS link. By default, a Sendmail client forwards to the server any local mail (a user
address destined for the client system) and sends nonlocal mail directly to the
destination system or MX host. An outgoing mail message appears to originate from
the server, so replies are sent back to the server. For more information on how Sendmail
clients and servers work, see “Default Client/Server Operation” (page 33). Sendmail
clients can be diskless systems.
To configure a Sendmail client system, do the following:
1. Use a text editor to set the SENDMAIL_SERVER variable to 0 in the
   /etc/rc.config.d/mailservs file. This ensures that the Sendmail daemon
   will not be started when you reboot your system or run the Sendmail startup script.
2. Set the SENDMAIL_SERVER_NAME variable in the
   /etc/rc.config.d/mailservs file to the host name or to the IP address of
   the mail server you will use (the machine that will run the Sendmail daemon).
3. Set the NFS_CLIENT variable to 1 in the /etc/rc.config.d/nfsconf file.
4. Add the following line in the /etc/fstab file:
   servername:/var/mail /var/mail nfs 0 0
   where servername is the name configured in the SENDMAIL_SERVER_NAME
   variable in /etc/rc.config.d/mailservs. If the /etc/fstab file does not
   exist, you must create it.
5. Issue the following command to run the Sendmail startup script:
   /sbin/init.d/sendmail start
6. Issue the following command to run the NFS startup script:
   /sbin/init.d/nfs.client start
The Sendmail startup script assumes that this system will use the host specified by the
SENDMAIL_SERVER_NAME variable as the mail hub. The script also assumes that mail
sent from this system appears to be from the host specified by the
SENDMAIL_SERVER_NAME variable (this feature may previously have been known as
site hiding). The script therefore modifies the macros DM (for masquerade) and DH (for
mail hub) in the system’s /etc/mail/sendmail.cf file to use the host specified by
the SENDMAIL_SERVER_NAME variable. If the DM and DH macros have been defined
previously, the startup script does not modify them.
The client system now forwards local mail to the mail server and forwards other mail
directly to remote systems. To configure the client system to relay all mail to the mail
server for delivery, see “Modifying the Default Sendmail Configuration File” (page 43).
The NFS startup script mounts the /var/mail directory from the mail server to your
system.
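The following script is an added example; it is not part of this guide and not one of HP's installation or startup scripts. It audits what the standalone, mail-server and mail-client procedures above (and the DM/DH macro handling described in “Default Client/Server Operation”) leave on a system: the SENDMAIL_SERVER and SENDMAIL_SERVER_NAME variables, the DM and DH macros in sendmail.cf, the two sendmail.cw entries, the 0640 and 0444 modes on the aliases and configuration files, and whether the /var/mail export carries an -access list. The last check matters most: /var/mail holds every user's mailbox, and an /etc/exports line for it without -access= makes those mailboxes readable and writable by any host that can reach the NFS server. The function names (rc_var, file_ok, cw_ok, cf_macro, exports_restricted, client_ok, server_ok) are this example's own, and every file path is an argument so the checks can be pointed at /etc or at copies.

```shell
#!/bin/sh
# Added example: audit the Sendmail standalone / server / client settings.
# Not HP's script; all paths are arguments.

# rc_var FILE NAME: print the value of NAME=value from an /etc/rc.config.d
# style file. The file is parsed, not sourced, so nothing in it executes.
rc_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# file_ok PATH MODE OWNER: true only if PATH is a regular file owned by
# OWNER with exactly the octal MODE. find(1) -perm/-user is used because
# HP-UX has no GNU stat(1).
file_ok() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -perm "$2" -user "$3" -print 2>/dev/null)" ]
}

# cw_ok CWFILE HOST DOMAIN: sendmail.cw must list the short host name and
# the fully qualified name, each on a line of its own.
cw_ok() {
    grep -qxF "$2" "$1" && grep -qxF "$2.$3" "$1"
}

# cf_macro CFFILE LETTER: value of a single-letter macro definition line
# such as DMmailserv.company.com (LETTER is M for DM, H for DH).
cf_macro() {
    sed -n "s/^D$2//p" "$1" | head -n 1
}

# exports_restricted EXPORTS DIR: DIR must be exported with an -access=
# client list; an unrestricted export of /var/mail is the finding.
exports_restricted() {
    awk -v d="$2" '$1 == d { seen = 1; if ($0 ~ /-access=/) ok = 1 }
                   END { if (seen && ok) exit 0; exit 1 }' "$1"
}

# client_ok MAILSERVS CFFILE: on a client the daemon is disabled and the
# DM (masquerade) and DH (mail hub) macros name the configured server.
client_ok() {
    srv=$(rc_var "$1" SENDMAIL_SERVER_NAME)
    [ "$(rc_var "$1" SENDMAIL_SERVER)" = 0 ] || return 1
    [ -n "$srv" ] || return 1
    [ "$(cf_macro "$2" M)" = "$srv" ] && [ "$(cf_macro "$2" H)" = "$srv" ]
}

# server_ok MAILSERVS NFSCONF EXPORTS: on a server the daemon and NFS
# serving are enabled and /var/mail is exported to a named client list.
server_ok() {
    [ "$(rc_var "$1" SENDMAIL_SERVER)" = 1 ] || return 1
    [ "$(rc_var "$2" NFS_SERVER)" = 1 ] || return 1
    exports_restricted "$3" /var/mail
}

# Stand-alone use on an HP-UX host (uncomment the line that applies):
# client_ok /etc/rc.config.d/mailservs /etc/mail/sendmail.cf && echo "client OK"
# server_ok /etc/rc.config.d/mailservs /etc/rc.config.d/nfsconf /etc/exports && echo "server OK"
# file_ok /etc/mail/aliases 0640 root && file_ok /etc/mail/sendmail.cf 0444 root && echo "modes OK"
```

Each function returns 0 on success and 1 otherwise, so they can be chained with && in a cron job or a post-install check. Note that cf_macro reads the macro lines as the startup script writes them; if DM or DH were defined before the script ran, the script leaves them alone (as stated above), and client_ok will report that mismatch.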
Verifying your Sendmail Installation
This section provides information on how to verify your Sendmail installation. It
discusses the following topics:
• “Sending Mail to a Local User” (page 41)
• “Using UUCP Addressing to Send Mail to a Remote User” (page 41) (if you are
  using UUCP Addressing)
• “Using SMTP Transport to Send Mail to a Remote User” (page 42) (if you are using
  SMTP Addressing)
Sending Mail to a Local User
To check your local mailer or user agent, send a mail message to a local user (for
example, joe) on your system:
date | mailx -s "Local sendmail Test" joe
This must result in a message similar to the following being sent to user joe:
From joe Wed Aug 6 09:18 MDT 2002
Received: by node2; Wed, 6 Aug 02 09:18:53 mdt
Date: Wed, 6 Aug 02 09:18:53 mdt
From: Joe User <joe>
Return-Path: <joe>
To: joe
Subject: Local sendmail Test
Wed Aug 6 09:18:49 MDT 2002
An entry in your /var/adm/syslog/mail.log file must have been logged for the
local message transaction. See “Configuring and Reading the Sendmail Log” (page 95)
for more information.
Using UUCP Addressing to Send Mail to a Remote User
If you are using UUCP addressing, you can verify your Sendmail installation by sending
a mail message to a remote user with UUCP transport by using a host!user address,
where host is a system to which your local host has a direct UUCP connection. (The
uuname command lists the UUCP names of known systems. Type man 1 uuname at
the HP-UX prompt for more information.)
To verify both inbound and outbound UUCP connections, mail the message in a loop,
using the syntax remote_host!my_host!user. For example, if you execute the
following command:
date | mailx -s "UUCP Test" node1!node2!joe
and node2 is your local host, you must receive a message similar to this:
From node1!node2!joe Wed Aug 6 09:48 MDT 2003
Received: by node2; Wed, 6 Aug 02 09:48:09 mdt
Return-Path: <node1!node2!joe>
Received: from node1.UUCP; Wed, 6 Aug 02 09:30:16
Received: by node1; Wed, 6 Aug 02 09:30:16 mdt
Received: from node2.UUCP; Wed, 6 Aug 02 09:26:18
Received: by node2; Wed, 6 Aug 02 09:26:18 mdt
Date: Wed, 6 Aug 02 09:26:18 mdt
From: Joe User <node1!node2!joe>
To: node1!node2!joe
Subject: UUCP Test
Wed Aug 6 09:26:15 MDT 2002
An entry in your /var/adm/syslog/mail.log file must have been logged for the
UUCP mail transaction. See “Configuring and Reading the Sendmail Log” (page 95)
for more information.
NOTE: In this example, if you send a mail message to yourself and if the remote
system is running Sendmail, ensure that the MeToo option is set in the configuration
file on the remote system. The remote system’s configuration file must contain a line
beginning with O MeToo. If the remote host’s configuration file does not contain such
an entry, Sendmail on the remote host notices that the sender is the same as the recipient
and removes your address from the recipients’ list.
Using SMTP Transport to Send Mail to a Remote User
If you are using the SMTP Transport, you can verify your Sendmail installation by
sending a message to a remote user using a user@host address, where host is a
system that provides an SMTP server (for example, the Sendmail daemon).
To verify both inbound and outbound SMTP connections, mail the message in a loop,
using the syntax user%my_host@remote_host.
For example, if you try:
date | mailx -s "Round Robin SMTP" joe%node2@node1
you must receive a message similar to the following:
From joe@node2 Wed Aug 6 14:22 MDT 2003
Received: from node1 by node2; Wed, 6 Aug 02 14:22:56 mdt
Return-Path: <joe@node2>
Received: from node2 by node1; Wed, 6 Aug 02 14:25:04 mdt
Received: by node2; Wed, 6 Aug 02 14:22:31 mdt
Date: Wed, 6 Aug 02 14:22:31 mdt
From: Joe User <joe@node2>
To: joe%node2@node1
Subject: Round Robin SMTP
Wed Aug 6 14:22:28 MDT 2002
An entry in your /var/adm/syslog/mail.log file must have been logged for the
SMTP mail transaction. See “Configuring and Reading the Sendmail Log” (page 95)
for more information.
NOTE: In this example, if you send a mail message to yourself and if the remote
system is running Sendmail, ensure that the MeToo option is set in the configuration
file on the remote system. The remote system’s configuration file must contain a line
beginning with O MeToo. If the remote host’s configuration file does not contain such
an entry, Sendmail on the remote host notices that the sender is the same as the recipient
and removes your address from the recipients’ list.
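The loop tests above (UUCP and SMTP) are only conclusive if the returned message actually passed through the remote host in both directions. The script below is an added example, not part of this guide, that checks this from the message headers: each host prepends its own Received: line, so reading those lines bottom-up gives the path the message travelled, and a successful loop reads local host, remote host, local host. The sample message is the SMTP round-robin reply shown above, embedded here as constructed input; the function names (sample_loop_message, received_by, loop_ok) are this example's own.

```shell
#!/bin/sh
# Added example: verify a Sendmail loop test from the Received: headers.
# Not part of the HP-UX guide.

# sample_loop_message: the SMTP round-robin reply from the guide, embedded
# as constructed test input (the empty line separates headers from body).
sample_loop_message() {
    cat <<'EOF'
From joe@node2 Wed Aug 6 14:22 MDT 2003
Received: from node1 by node2; Wed, 6 Aug 02 14:22:56 mdt
Return-Path: <joe@node2>
Received: from node2 by node1; Wed, 6 Aug 02 14:25:04 mdt
Received: by node2; Wed, 6 Aug 02 14:22:31 mdt
Date: Wed, 6 Aug 02 14:22:31 mdt
From: Joe User <joe@node2>
To: joe%node2@node1
Subject: Round Robin SMTP

Wed Aug 6 14:22:28 MDT 2002
EOF
}

# received_by: read a message on stdin and print the host named after "by"
# in every Received: header, oldest hop first. The second sed reverses the
# line order, since HP-UX has no tac(1). Folded multi-line Received headers
# are not unfolded here; the guide's examples are single-line.
received_by() {
    sed -n 's/^Received:.*by \([^ ;]*\).*/\1/p' | sed -n '1!G;h;$p'
}

# loop_ok LOCAL REMOTE: read a message on stdin; the path must be exactly
# LOCAL REMOTE LOCAL, i.e. accepted locally, handled by the remote host and
# accepted again on the way back. Any other path means one direction of
# the connection was not exercised.
loop_ok() {
    path=$(received_by | tr '\n' ' ')
    [ "$path" = "$1 $2 $1 " ]
}

# Stand-alone run on the embedded sample. On a real system, feed the
# returned message instead, e.g.: loop_ok node2 node1 < /var/mail/joe
sample_loop_message | loop_ok node2 node1 && echo "loop verified: node2 -> node1 -> node2"
```

For the UUCP example above the same check applies unchanged: its Received: lines also carry "by node2", "by node1" and "by node2", so the path comes out as node2 node1 node2.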
Modifying the Default Sendmail Configuration File
The Sendmail configuration file that is supplied with HP-UX works correctly for most
Sendmail configurations, so you probably do not need to modify the configuration file.
However, certain modifications to the file are supported. This section describes examples
of modifications that you may want to make. The configuration file also contains
instructions for making the supported modifications.
This section discusses the following topics:
• “The Sendmail Configuration File” (page 43)
• “Restarting Sendmail” (page 44)
• “Sendmail Configuration Options” (page 44)
CAUTION: HP supports the default configuration file and all the modifications
described in it. If you make any changes other than the ones described in the default
configuration file, HP cannot support your configuration.
The Sendmail Configuration File
The Sendmail configuration file, /etc/mail/sendmail.cf, performs the following
functions:
• Defines certain names and formats, such as the name of the sender for error
  messages (MAILER-DAEMON), the banner displayed by the SMTP server on startup,
  and the default header field formats.
• Sets values of operational parameters, such as timeout values and logging level.
• Specifies how mail will be routed. In other words, it specifies how recipient
  addresses are to be interpreted.
• Defines the delivery agents (mailers) to be used for delivering the mail.
• Specifies how Sendmail must rewrite addresses in the header, if necessary, so that
  the message address can be understood by the receiving host. The address rewriting
  process is controlled by sets of address rewriting rules called rulesets.
The default configuration file is supplied as /usr/newconfig/etc/mail/sendmail.cf
and is installed as /etc/mail/sendmail.cf.
HP recommends that you leave a copy of the configuration file in the /usr/newconfig
directory unmodified, in case you need to reinstall the default configuration settings.
To modify the configuration settings in the /etc/mail/sendmail.cf file, perform
the following steps:
1. The gen_cf UNIX shell script is installed in the
   /usr/newconfig/etc/mail/cf/cf directory. You cannot copy this script to
   a different directory and execute it, because it uses the macros defined in the
   /usr/newconfig/etc/mail/cf directory to generate the sendmail.cf file.
   This script provides many options, each of which enables a specific ruleset. The
   *.m4 files in the /usr/newconfig/etc/mail/cf directory are the input files for
   this script. You can specify the output file, and later incorporate site-specific
   changes (if any) in the output file.
   Run the script gen_cf from the HP-UX prompt. A list of options that enable a
   specific ruleset is displayed.
2. Choose the appropriate option. See “Sendmail Configuration Options” (page 44)
   for a description of options.
   An updated configuration file, sendmail.cf.gen, is generated in the directory
   /usr/newconfig/etc/mail/cf/cf.
3. Copy or move the sendmail.cf.gen file to the /etc/mail directory as
   sendmail.cf. After copying the sendmail.cf.gen file to the /etc/mail
   directory, you can make certain site-specific modifications to the sendmail.cf file.
If you do not wish to generate the sendmail.cf file using the gen_cf script, you can
directly make modifications to the /etc/mail/sendmail.cf file.
Restarting Sendmail
Issue the following commands, on a standalone system or on the mail server, to restart
Sendmail:
/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start
You must restart Sendmail if changes are made to any of the following:
• The Sendmail configuration file, /etc/mail/sendmail.cf.
• The UUCP configuration, as reflected in the output of the uuname command.
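Step 3 of the gen_cf procedure and the restart that follows it are the moment an administrator can lose a working configuration. The function below is an added example, not HP's script, that performs step 3 with the safeguards a practitioner wants: it keeps a dated backup of the sendmail.cf being replaced (the installation script's own convention of saving to /etc/mail/#sendmail is described above; the timestamped name here is this example's choice), refuses an empty or missing generated file, replaces the live file atomically with mv so a crash mid-copy cannot leave a half-written sendmail.cf, and applies the 0444 mode the installation script uses. The function names (install_cf, restart_sendmail) and the backup naming are this example's own; paths are arguments so it can be exercised on copies.

```shell
#!/bin/sh
# Added example: install a generated sendmail.cf with a backup and an
# atomic replace. Not HP's script.

# install_cf NEWFILE DEST: copy NEWFILE over DEST, first saving DEST as
# DEST.<YYYYMMDDhhmmss>. Returns 1 if NEWFILE is missing or empty, and
# returns 0 without touching anything when the two files already match.
install_cf() {
    new=$1; dest=$2
    if [ ! -s "$new" ]; then
        echo "install_cf: $new is missing or empty" >&2
        return 1
    fi
    if [ -f "$dest" ]; then
        if cmp -s "$new" "$dest"; then
            echo "install_cf: $dest already matches $new" >&2
            return 0
        fi
        bak="$dest.$(date +%Y%m%d%H%M%S)"
        cp -p "$dest" "$bak" || return 1
        echo "install_cf: previous file saved as $bak" >&2
    fi
    # Stage the new file next to DEST, set the 0444 mode the installation
    # script uses, then rename into place so readers never see a partial file.
    tmp="$dest.new.$$"
    cp "$new" "$tmp" && chmod 0444 "$tmp" && mv -f "$tmp" "$dest"
}

# restart_sendmail: the stop/start pair from "Restarting Sendmail".
# Only meaningful on the HP-UX host itself.
restart_sendmail() {
    /sbin/init.d/sendmail stop && /sbin/init.d/sendmail start
}

# Typical use on the host (uncomment):
# install_cf /usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen /etc/mail/sendmail.cf && restart_sendmail
```

Because install_cf returns non-zero when it declines to install, chaining it with && in front of restart_sendmail, as in the commented line, ensures the daemon is only restarted after a configuration file has actually been put in place.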
Sendmail Configuration Options
This section describes Sendmail configuration options.
Maximum message size (option MaxMessageSize)
This option restricts the maximum message size (in bytes) that sendmail will accept from
a remote system. If a message larger than this limit originates from the local system,
the message is truncated to the limit.
To enable this feature uncomment the line:
O MaxMessageSize=100000
Forwarding Nondomain Mail to a Gateway
Mail that is being sent to a domain other than the sender’s domain can be forwarded
to a mail gateway. To have nondomain mail forwarded to a mail gateway, edit the DS
line in the /etc/mail/sendmail.cf file to specify the host name of the mail gateway:
DSmailgw.hp.com
Setting Mail Header Lengths
You can set a limit for the mail header. The maximum header length by default is 32768.
To change the mail header length:
1. Open the sendmail.cf file.
2. Set the value of the option MaxHeadersLength=n, where n is the maximum
   number of lines allowed in the mail header.
If a mail header exceeds the maximum value, the following error message is displayed
to the sender:
552 Headers too larger #MaxHeadersLength
Limiting Message Recipients
By default, the maximum number of recipients is 100. You can limit the number of
users allowed to receive a single mail message. This helps to prevent the flow of spam
on the mail server.
• In the sendmail.cf file, set the value of MaxRecipientsPerMessage=n, where
  n is the maximum number of recipients allowed for a single mail message.
After a message has been sent to the maximum number of recipients allowed, Sendmail
sends the error message 452 Too many recipients to the sender of the message.
This will work only when all the recipients of the mail message have their mailboxes
on the same machine.
Timeout.*
• You can set the total time spent in satisfying a socket control request using the
  Timeout.control option. The default setting for this option is:
  #O Timeout.control=2m
• You can set the resolver’s transmission time interval (in seconds) using the
  Timeout.resolver.retrans option. This option sets the
  Timeout.resolver.retrans.first option, which sets the resolver’s transmission
  time interval (in seconds) for the first attempt to deliver a message. It also sets the
  Timeout.resolver.retrans.normal option. The default settings are:
  #O Timeout.resolver.retrans=5s
  #O Timeout.resolver.retrans.first=5s
  #O Timeout.resolver.retrans.normal=5s
• You can set the number of times a resolver query is retried using the
  Timeout.resolver.retry option. This option sets the
  Timeout.resolver.retry.first option for the first attempt to deliver a
  message. It also sets the Timeout.resolver.retry.normal option for all
  resolver lookups except for the first delivery attempt. The default settings are:
  #O Timeout.resolver.retry=4
  #O Timeout.resolver.retry.first=4
  #O Timeout.resolver.retry.normal=4
DataFileBufferSize
Use this option to control the maximum size of a memory-buffered data (df) file before
using a disk-based file. The default setting for this option is:
#O DataFileBufferSize=4096
FallBackSmartHost
When Sendmail attempts to connect to a remote host for mail transfer, it checks the
identity of the remote host. It also looks up the MX records and calls the res_search()
BIND library routine, to discover all MX records for the host. If Sendmail does not find
the MX records, it tries to deliver the message to a single original host, which is a central
mail hub to which the mail can be forwarded. If this fails, Sendmail attempts to deliver
the mail to the host listed in the FallbackMXhost option.
Following is the format of the FallbackMXhost option:
FallbackMXhost=fallbackhost
The FallbackMXhost option works only if Sendmail can look up the host name of
the recipient. If it does not find the host name, the FallbackMXhost is not useful. In
such situations, Sendmail uses the FallBackSmartHost option.
The FallBackSmartHost option specifies the name of an MX record that Sendmail
must use as the last resort if the MX records are not available to identify the remote
host. This option is given a low priority so that Sendmail tries to connect to it only if
all other attempts to connect to the remote host fail.
Following is the format for the FallBackSmartHost option:
FallBackSmartHost=hostname
Where: hostname specifies the canonical name to which the host falls back.
The mail message forwarded to that host name fails if hostname is an empty string
or is the name of a nonexistent host. You can also use macros to represent the hostname.
Sendmail expands these macros before connecting to the remote host. If the hostname
that you specify for the FallBackSmartHost option exists in the $=w class, Sendmail
silently ignores the hostname.
The FallBackSmartHost option is also useful for unreliable FallbackMXhost
servers. When a FallbackMXhost server goes down, Sendmail uses the
FallBackSmartHost option to sustain the flow of mail messages.
You must be careful while using the FallBackSmartHost option, because Sendmail
can relinquish its special privileges if you specify this option from the command line.
The FastSplit Option
You can use the FastSplit option to suppress MX lookups before splitting an envelope
and also to limit the number of envelopes that can be delivered on the initial attempt.
Following is the syntax for the FastSplit option:
-OFastSplit=num
Where: num is of type numeric.
If num is zero or a negative value, Sendmail enforces initial sorting based
on the MX records.
If num is set to a value greater than zero, the initial MX lookups on addresses are
suppressed during sorting. This can result in faster envelope splitting. If the mail is
submitted directly from the command line, the value also limits the number of processes
that deliver the envelopes.
When Sendmail expands an alias, such as when using aliases to send a mail to a mailing
list, it sorts the list of new recipients by host. Normally, the list of hosts is sorted by
MX records rather than by the host name. After sorting, Sendmail splits the new
MX-sorted list into multiple envelopes.
Each new envelope contains fewer envelope recipients. Normally, all the envelopes
are delivered in parallel for delivery efficiency.
XscriptFileBufferSize
Use this option to control the maximum size of a memory-buffered (xf) transcript before
using a disk-based file. The default setting for this option is:
#O XscriptFileBufferSize=4096
MaxAliasRecursion
You can specify the maximum depth of an alias recursion in the sendmail.cf file
using this option. The default setting for this option is:
#O MaxAliasRecursion=10
PidFile
You can define the location of the ProcessId (Pid) file using this option. The default
setting for this option is:
#O PidFile=/etc/mail/sendmail.pid
/etc/mail/sendmail.pid is taken as the default file if this option is not set. If you
choose a directory other than /etc/mail for the pid file, ensure that the directory
has the same write permissions as those of /etc/mail.
ProcessTitlePrefix
You can specify the prefix string for the process title shown in the ps listings using
this option. By default, this option is commented. For example, if you set this option
in the sendmail.cf file as:
O ProcessTitlePrefix=HPUX_Sendmail-8.11.1
the command ps -ef | grep sendmail | grep -v grep displays sendmail:
accepting connections in the output.
TrustedUser
You can use this option to specify a user who can own important files instead of root.
This option requires the fchown() system call. The default setting for this option is:
#O TrustedUser=root
MaxMimeHeaderLength
You can set the size of the MIME headers and parameters within those headers using
this option. You can also use this to protect Mail User Agents (MUA) from buffer
overflow attacks. The default setting for this option is unlimited, as shown in the
following example:
#O MaxMimeHeaderLength=0/0
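The limits described in this section (MaxMessageSize, MaxHeadersLength, MaxRecipientsPerMessage, MaxMimeHeaderLength and MaxAliasRecursion) only protect the server while they are active: a line that is still commented out as "#O ..." is not in effect, and MaxMimeHeaderLength=0/0 means no MIME header checks at all. The script below is an added example, not part of this guide, that reports which of these limits a given sendmail.cf actually enforces. The sample configuration it carries is constructed for the example, and the function names (cf_option, audit_limits, unset_limits, sample_cf) are this example's own.

```shell
#!/bin/sh
# Added example: report which Sendmail size and recipient limits are active
# in a sendmail.cf. Not part of the HP-UX guide.

# cf_option FILE NAME: print the value of the last active "O NAME=value"
# line, or "unset" if every occurrence is commented out ("#O ...") or absent.
cf_option() {
    v=$(sed -n "s/^O[[:space:]]*$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# audit_limits FILE: one line per limit, "NAME value" or "NAME unset".
# MaxMimeHeaderLength=0/0 is reported as unset because 0/0 disables the check.
audit_limits() {
    for opt in MaxMessageSize MaxHeadersLength MaxRecipientsPerMessage \
               MaxMimeHeaderLength MaxAliasRecursion; do
        v=$(cf_option "$1" "$opt")
        if [ "$opt" = MaxMimeHeaderLength ] && [ "$v" = 0/0 ]; then
            v=unset
        fi
        echo "$opt $v"
    done
}

# unset_limits FILE: just the names of limits still at their unlimited
# default. Non-empty output is the finding to act on.
unset_limits() {
    audit_limits "$1" | awk '$2 == "unset" { print $1 }'
}

# sample_cf: a constructed fragment of a sendmail.cf with one active limit,
# two commented-out ones, and MaxMimeHeaderLength left at 0/0.
sample_cf() {
    cat <<'EOF'
# constructed sample, not a real configuration
#O MaxMessageSize=5000000
O MaxMessageSize=100000
#O MaxHeadersLength=32768
O MaxRecipientsPerMessage=100
O MaxMimeHeaderLength=0/0
#O MaxAliasRecursion=10
EOF
}

# Stand-alone run on the sample; on a host use: unset_limits /etc/mail/sendmail.cf
f=${TMPDIR:-/tmp}/sendmail.cf.sample.$$
sample_cf > "$f"
audit_limits "$f"
rm -f "$f"
```

On the sample the audit lists MaxMessageSize 100000 and MaxRecipientsPerMessage 100 as active and the other three as unset; the same run against /etc/mail/sendmail.cf tells you which limits the server is actually enforcing after a gen_cf regeneration.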
DeadLetterDrop
Use this option to specify the location of the system-wide dead.letter file, which
was formerly hardcoded to /var/tmp/dead.letter. The default setting for this
option in this version is:
O DeadLetterDrop=/var/tmp/dead.letter
Sendmail does not save mail anywhere if this option is not set.
Socket Maps
Sendmail provides a socket map type that queries maps through TCP/IP sockets.
The socket map uses a simple request/reply protocol over TCP or UNIX domain
sockets to query an external server, which can be a third-party or a self-coded program.
Neither the requests nor the replies end with a carriage return (CR) or line feed (LF).
Both the requests and the replies are text-based and are encoded as net strings. The string
"hello there" is represented as follows:
11:hello there
The request consists of the database map name and the lookup key, separated by a
space character, as follows:
<mapname> ‘ ’ <key>
The server responds with the following status indicator and the result (if any):
<status> ‘ ’ <result>
The status indicator is one of the following upper case words:
OK        Specifies that the key is found and the result contains the looked-up value.
NOTFOUND  Specifies that the key is not found and the result is empty.
TEMP      Specifies that a temporary failure occurred.
TIMEOUT   Specifies that a timeout occurred on the server side.
PERM      Specifies that a permanent failure occurred.
If the status is TEMP, TIMEOUT, or PERM, the result field contains an explanatory error
message.
Following are examples of replies:
• For a successful lookup:
  31:OK resolved.address@example.com
• When the key is not found:
  8:NOTFOUND
• When a failure occurs:
  55:TEMP this text explains that we had a temporary failure
The socket map uses the following syntax to specify the remote endpoint:
Xname {, field=value }*
Where: name is the name of the filter and the field=value pairs define the attributes
of the filter.
Following are the field types:
Socket    Specifies the socket specification.
Flags     Specifies the special flags for a filter.
Timeouts  Specifies timeouts for a filter.
Sendmail checks only the first character of the field name for the field type. The field
name is case sensitive.
Following are the different socket specifications:
S=inet:port@host
S=inet6:port@host
S=local:path
The first two specifications describe an IPv4 or IPv6 socket listening on a certain port
at a given host or IP address. The last specification describes a named socket on the
file system at the given path.
Following is an example of a socket map that specifies a remote endpoint:
KmySocketMap socket inet:12345@127.0.0.1
If multiple socket maps define the same remote endpoint, they share a single connection
to this endpoint.
DNS Maps
The dns map is an internal database map to perform DNS lookups. You can use the
following K configuration command to declare the dns map:
Kdnslookup dns -Rlookup-type
Where: dnslookup specifies the name of the map that uses DNS.
The dns-type database map is primarily used for the dnsbl and enhdnsbl features.
You must include the -R switch in the dns map declaration; it specifies the DNS
resource record type to look up.
Sendmail supports the following types of resource records: A, AAAA, AFSDB, CNAME,
MX, NS, PTR, SRV, and TXT. A map lookup returns only one record. For certain types
of records, such as MX records, the return value can be a random element of the list
because of the randomizing in the DNS resolver.
Table 2-1 describes the different -R values in the dns database map.
Table 2-1 The -R Values in the dns Database Map
-R Value    Description
A           Returns the IPv4 address records for the host (RFC 1035)
AAAA        Returns the IPv6 address records for the host (RFC 1886)
AFSDB       Returns an AFS server resource record (RFC 1183)
CNAME       Returns the canonical name for the host (RFC 1035)
MX          Returns the best MX record for the host (RFC 1035)
NS          Returns a name server record (RFC 1035)
PTR         Returns the host name that corresponds to an IP record (RFC 1035)
SRV         Returns the port to use for a service (RFC 2782)
TXT         Returns general (human-readable) information (RFC 1035)
Table 2-2 lists the switches that you can use to make efficient use of the dns
database map.
Table 2-2 The dns Database-Map Type K Command Switches
Switch      Description
-A          Appends values for duplicate keys.
-a          Appends tag on successful match.
-d          Denotes the res_search() _res.retry interval.
-f          Informs Sendmail not to fold keys to lowercase.
-m          Suppresses replacement on match.
-N          Appends a null byte to all keys.
-O          Specifies Sendmail not to add a null byte.
-o          Specifies an optional database map.
-q          Informs Sendmail not to strip quotes from the key.
-R          Specifies the record type to look up.
-r          Denotes the res_search() _res.retries limit.
-T          Denotes the suffix to append on temporary failure.
-t          Informs Sendmail to ignore temporary errors.
The /usr/newconfig/etc/mail/cf/cf/gen_cf Script
Following are the main menu options in the
/usr/newconfig/etc/mail/cf/cf/gen_cf script:
1. General Features
2. Relay Options
3. Anti-Spamming Options
4. Security Options
5. Generate sendmail.cf
6. Generate submit.cf
7. Verify permissions for the sendmail files
8. Correct permissions for the sendmail files
9. Create User and Queue for MSP
10. Help
You can select the relevant option to display the submenu options. This section
discusses the main menu options in detail.
Following are the submenu options in the “General Features” option:
1. Delay checks
2. No default MSA
3. LDAP Routing
4. Mailertable
5. Genericstable
6. Domaintable
7. Virtusertable
8. Send only
9. Receive only
10. Queue Groups
11. Accept unresolvable domains
12. Accept unqualified senders
You can select the relevant submenu option to set the appropriate options in the
/usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen file.
Following are the submenu options in the “Relay Options” option:
1. Relay ON
2. Relay OFF [Default Sendmail.cf ]
3. Relay entire domain
4. Relay based on MX
5. Relay hosts only
6. Relay local from
7. Loose relay check
8. Promiscuous relay
9. Relay mail from
You can select the relevant submenu option to set the appropriate relay options in the
/usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen file.
Following are the submenu options in the “Anti Spamming Options” option:
1. Access DB
2. Blacklist Recipients
3. RBL
4. DNSBL
5. Enhanced DNSBL
6. Milter: Modify (Add/Remove/List) filters
You can select the relevant submenu option to set the appropriate anti-spamming
options in the /usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen file.
Following are the submenu options in the “Security Options” option:
1. Smrsh
2. STARTTLS
You can select the relevant submenu option to set the appropriate security options in
the /usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen file.
The “Generate sendmail.cf” menu option generates the sendmail.cf.gen file in the
/usr/newconfig/etc/mail/cf/cf directory. You must copy the
/usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen file as the
/etc/mail/sendmail.cf file.
The “Generate submit.cf” menu option generates the submit.cf.gen file in the
/usr/newconfig/etc/mail/cf/cf directory. You must copy the
/usr/newconfig/etc/mail/cf/cf/submit.cf.gen file as the
/etc/mail/submit.cf file.
The “Verify permissions for the sendmail files” menu option verifies the permission
of the Sendmail files. You can use the gen_cf script to verify the permissions of the
Sendmail files.
The “Correct permissions for the sendmail files” menu option corrects the permissions
of the Sendmail files. You can use the gen_cf script to correct the permissions of the
Sendmail files.
The “Create User and Queue for MSP” menu option creates a user and queue for MSP.
NOTE: For more information on the gen_cf submenu options, you can select the
“10. Help” main menu option.
Options Configured Using the /usr/newconfig/etc/mail/cf/cf/gen_cf Script
Following are the options that you can configure in Sendmail using the
/usr/newconfig/etc/mail/cf/cf/gen_cf script:
NOTE: When you create a new sendmail.cf file using the gen_cf script, the new
configuration file does not contain any change that you have added directly to the
sendmail.cf file. You must reapply any such change to the newly created
configuration file. Therefore, HP recommends that you take a backup of the configuration
file that contains your changes before you run the gen_cf script again to
regenerate the configuration file.
Relay On
This option is equivalent to selecting the following
/usr/newconfig/etc/mail/cf/cf/gen_cf script options while generating the
/usr/newconfig/etc/mail/cf/cf/sendmail.cf.gen file:
• Accept unresolvable domains
• Accept unqualified senders
• Promiscuous relay
Relay OFF
This option generates a sendmail.cf file which is identical to the default
sendmail.cf available in the /usr/newconfig/etc/mail/ directory.
If this option is used with mutually exclusive options, this option does not turn OFF
the relay. The other options take precedence over the RELAY OFF option.
Relay Entire Domain
Setting this option allows any host in your domain, as defined by the m class macro
($=m), to relay. By default, only hosts listed as RELAY in the access db file are allowed
to relay.
Relay based on MX
Setting this option turns ON relaying based on the MX records of the host portion
of an incoming recipient; that is, if an MX record for host foo.com points to your
site, you accept and relay mail addressed to foo.com.
Relay hosts only
This option changes the behavior of the access database and class R macro to look up
individual host names only. By default, names that are listed as RELAY in the access
database file and the class R ($=R) macro are domain names, not host names.
Access db
The access database (db) is a user-defined file to decide the domains from which you
want to receive or reject mail messages. The entries in the access db file are either
domain names, IP addresses, host names, or e-mail addresses. Every line of the access
db file has a key and a value pair.
The key can be an IP address, a domain name, a hostname, or an e-mail address. The
value part of the database can contain the following values:
OK            Accepts mail even if other rules in the running ruleset reject it. For
              example, if the domain name is unresolvable.
RELAY         Accepts mail addressed to the indicated domain or received from
              the indicated domain for relaying through your SMTP server.
              RELAY also serves as an implicit OK for the other checks.
REJECT        Rejects the sender or recipient with a general purpose message.
DISCARD       Discards the message completely using the $#discard mailer.
              This value works only for sender addresses (that is, it indicates
              that you must discard anything received from the indicated
              domain).
### any text  ### specifies an RFC 821-compliant error code, and any text
              specifies a message to return for the command.
The default access db file is /etc/mail/access. You have to make a direct
modification to /etc/mail/sendmail.cf if you want to use a non-standard access
database filename.
NOTE: Because /etc/mail/access is a database, after creating the text file, you
must use the following makemap command to create the database map.
makemap dbm /etc/mail/access < /etc/mail/access
For more information on the makemap utility, type man 1M makemap at the HP-UX
prompt.
Relay local from
This option allows Sendmail to relay mail messages when the sender of the mail message
is a valid user on that machine. Consider a valid user abc on host 1. A user cbz on
host 2 can connect to host 1 as user abc and send mail to another user xyz on host 3.
This means that host 1 is now acting as a local relay agent.
You must enable this option only if absolutely necessary because it opens a window
for spammers. Specifically, spammers can send mail to your mail server that claims to
be from your domain (either directly or through a routed address), and you can then
go ahead and relay it out to arbitrary hosts on the Internet.
Blacklist recipients
This feature enables Sendmail to block incoming mail messages destined to certain
recipient user names, host names, or addresses. This feature also restricts you from
sending mail messages to addresses with an error message or REJECT value in the
access database file. For example, if you have the following entries in the access database
file:
badlocaluser                  550 Mailbox disabled for this username
host.mydomain.com             550 That host does not accept mail
user@otherhost.mydomain.com   550 Mailbox disabled for this recipient
These entries prevent a recipient of badlocaluser@mydomain.com, any user at
host.mydomain.com, and the single address user@otherhost.mydomain.com
from receiving mail.
The following entries in the access db file indicate that Sendmail cannot send mail
messages to spammer@aol.com or to the domain cyberspammer.com:
spammer@aol.com     REJECT
cyberspammer.com    REJECT
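The access database described in the “Access db” and “Blacklist recipients” passages above, as an added example (not HP's or sendmail's own lookup code): a Python simulation that parses the text form of the file, tries the keys most specific first and classifies the value. It goes slightly beyond the guide's text by modelling sendmail's general matching order, which I am confident of: a host name is retried with its leading labels stripped, an IP address with its trailing octets stripped, and an e-mail address falls back to its domain and then to its bare local part (the badlocaluser form). The sample entries are constructed from the guide's own illustrations; the 192.168.212 and 10.1.2.3 entries are constructed additions.

```python
"""Access database lookup simulation: key forms (e-mail address, host or
domain name, IP address), most-specific-first matching, and the value
classes OK / RELAY / REJECT / DISCARD / "### text". Added example, not
HP's or sendmail's own code; the entries below are constructed from the
guide's illustrations."""

# Constructed sample /etc/mail/access source text (key, whitespace, value).
SAMPLE_ACCESS = """\
# constructed sample access file
cyberspammer.com              REJECT
spammer@aol.com               REJECT
192.168.212                   RELAY
10.1.2.3                      DISCARD
friend.example.org            OK
badlocaluser                  550 Mailbox disabled for this username
host.mydomain.com             550 That host does not accept mail
user@otherhost.mydomain.com   550 Mailbox disabled for this recipient
"""

ACTIONS = {"OK", "RELAY", "REJECT", "DISCARD"}

def parse_access(text: str) -> dict:
    """Build the key/value table that makemap would turn into a database.
    Keys are folded to lower case; values keep their text."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        db[key.lower()] = value.strip()
    return db

def _is_ipv4(s: str) -> bool:
    parts = s.split(".")
    return 1 <= len(parts) <= 4 and all(p.isdigit() for p in parts)

def candidates(item: str) -> list:
    """Keys tried for one item, most specific first (models sendmail's
    general behaviour; an assumption beyond the guide's text)."""
    item = item.lower()
    if _is_ipv4(item):
        octets = item.split(".")
        return [".".join(octets[:i]) for i in range(len(octets), 0, -1)]
    if "@" in item:
        local, domain = item.rsplit("@", 1)
        # full address, then the domain and its parents, then the bare
        # local part (the "badlocaluser" form used by blacklist recipients)
        return [item] + candidates(domain) + [local]
    labels = item.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def lookup(db: dict, item: str):
    """Return (matched_key, value) or None when no key applies."""
    for key in candidates(item):
        if key in db:
            return key, db[key]
    return None

def decide(value: str):
    """Classify a value: one of the four actions, or an RFC 821 style
    '### text' error line returned to the SMTP client."""
    if value in ACTIONS:
        return value, ""
    if len(value) >= 3 and value[:3].isdigit():
        return "ERROR", value
    raise ValueError(f"unrecognised access value {value!r}")

if __name__ == "__main__":
    db = parse_access(SAMPLE_ACCESS)
    for item in ("anyone@cyberspammer.com", "192.168.212.45",
                 "badlocaluser@mydomain.com", "192.168.1.1"):
        hit = lookup(db, item)
        print(item, "->", decide(hit[1]) if hit else "no entry")
```

Note how a RELAY entry on a truncated IP key such as 192.168.212 applies to every address in that block; when reviewing an access file, the shortest keys are the ones that grant the most.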
Accept unresolvable domains
Setting this option allows Sendmail to accept all those MAIL FROM: parameters that
are not fully qualified, that is, where the host portion of the argument to the MAIL
FROM: command cannot be located in the host name service (for example, DNS).
Accept unqualified senders
This option allows Sendmail to accept all those MAIL FROM: parameters where the
mail address of the sender does not include a domain name. Normally, MAIL FROM:
commands in the SMTP session are refused if the connection is a network connection
and the sender address does not include a domain name.
Realtime Blackhole List
Setting this option turns ON the rejection of hosts found in the Realtime Blackhole
List. The default list is maintained on the server $def_rbl. This option is now
deprecated.
Loose relay check
This option turns off the default behavior of rechecking all those recipients using the
% addressing. For example, if the recipient address is user%site@othersite, the
default behavior without the loose_relay_check option is that Sendmail checks whether
othersite is an allowed relay host specified in either the class R macro or the access db
file. If the site is an allowed relay host, the check_rcpt ruleset strips @othersite and
checks user@site for relaying. Sendmail does not recheck if this option is set to ON.
This option is not required for most installations.
Promiscuous Relay
This option allows your mail server to relay any received mails. You must be careful
before enabling this option.
No Default MSA
You can use this option to generate the configuration file without the
DaemonPortOptions option for the Message Submission Agent (MSA) daemon. If
you use this option, the sendmail.cf configuration file will not contain the following
line:
O DaemonPortOptions=Port=587, Name=MSA, M=E
DNS Blackhole List
The dnsbl option avoids the possible confusion between the Realtime Blackhole List
and other DNS-based Blacklist servers, such as ORBS. It takes the name of the Blacklist
server and also an optional rejection message as arguments.
You can include dnsbl multiple times in the sendmail.cf file, thereby allowing sites
to subscribe to multiple Blacklist servers. The Blacklist server verifies the IP address
of the incoming connection and rejects all the SMTP commands if the address is
blacklisted. An error message is also displayed.
Relay mail from
You can use this option to facilitate relaying through a user machine. The sender name,
which is listed as RELAY in the access map (tagged with From:), can be specified using
this option. The domain portion of the mail sender is also checked when the optional
argument domain is provided.
Delay checks
This option delays the anti-spam checks by Sendmail until the SMTP RCPT command
is issued. Mail from certain addresses that might have been blocked by other
anti-spam checks is received. In these cases, the deferred checks are not done.
By using delay_checks, the rulesets check_mail and check_relay are not called
when a client connects or issues a MAIL command, respectively. Instead, those rulesets
are called by the check_rcpt ruleset; they are skipped if a sender has been
authenticated using a trusted mechanism, for example, one that is defined via the list
of AuthMechanisms. If check_mail returns an error, the RCPT TO command is
rejected with that error. If it returns some other result starting with $#, then
check_relay is skipped. If the sender address (or a part of it) is listed in the access
map and it has a RHS of OK or RELAY, then check_relay is skipped.
Ldap Routing
You can use this option to implement the LDAP-based email recipient routing. This
provides a method for rerouting addresses with a domain portion in class {LdapRoute}
either to a different mail host or to a different address.
For more information, see “LDAP-Based Routing” (page 68).
Mailertable
This option includes a "mailer table" which can be used to override routing for particular
domains (which are not in local host names).
Genericstable
If the genericstable is enabled and GENERICS_DOMAIN or GENERICS_DOMAIN_FILE
is used, this feature will cause addresses to be searched in the map if their domain parts
are subdomains of elements in class {G}. For more information, see “Creating
Domain-Specific Aliasing Using Virtual Hosting” (page 66).
Virtusertable
If the virtusertable is enabled and VIRTUSER_DOMAIN or VIRTUSER_DOMAIN_FILE
is used, this feature will cause addresses to be searched in the map if their domain parts
are subdomains of elements in class {VirtHost}. For more information, see “Creating
Domain-Specific Aliasing Using Virtual Hosting” (page 66).
Domaintable
Include a "domain table" which can be used to provide domain name mapping. Use
of this should really be limited to your own domains. It may be useful if you change
names (for example, your company changes names from oldname.com to
newname.com).
Send only
This option generates a sendmail.cf file without the check_compat ruleset. You
can send mail messages, but you cannot receive them.
You must set the SENDMAIL_SENDONLY flag in /etc/rc.config.d/mailservs
file to 1 in order to use the send_only feature.
Receive only
This option generates a sendmail.cf file with a new set of rules called check_compat.
You can receive mail messages, but you cannot send them. The following are added
in the /etc/rc.config.d/mailservs file:
• SENDMAIL_RECVONLY
You must set this flag to 1 in order to use the receive_only feature.
• SENDMAIL_SENDONLY
You must set this flag to 1 in order to use the send_only feature.
NOTE: The Sendmail depot installs the mailservs file in the directory
/usr/newconfig/etc/rc.config.d. You must manually move this file to
/etc/rc.config.d/ in order to use this feature.
The priorities for these flags are defined in the
/usr/newconfig/etc/rc.config.d/mailservs file.
Creating Sendmail Aliases
The Sendmail aliases database stores mailing lists and mail aliases. You must create
the aliases database by adding aliases to the file /etc/mail/aliases and then by
running the /usr/sbin/newaliases command to generate the database from the
file. The generated alias database is stored in the file /etc/mail/aliases.db. The
Sendmail startup script also generates the aliases database when you reboot your
system.
Each user on your system can create a list of alternate mailing addresses in a .forward
file in the user’s home directory. The .forward file allows users to forward their own
mail to files or to other mailing addresses.
This section discusses the following topics:
• “Adding Aliases to the Sendmail Alias Database” (page 60)
• “Verifying Your Sendmail Aliases” (page 64)
• “Managing Sendmail Aliases with NIS” (page 64)
• “Rewriting the From Line on Outgoing Mail” (page 65)
• “Forwarding Your Own Mail with a .forward File” (page 65)
NOTE: A non-root user does not have access to the files or databases associated with
Sendmail namely: /etc/mail/aliases.*, /etc/mail/sendmail.st, and
/etc/mail/sendmail.
Adding Aliases to the Sendmail Alias Database
To add Sendmail aliases to the database, follow these steps:
1. If the file /etc/mail/aliases does not exist on your system, copy it from
/usr/newconfig/etc/mail/aliases to /etc/mail/aliases.
2. Use a text editor to edit the file. Each line is of the following form:
alias : mailing_list
where alias is the local address, local user name, or local alias, and
mailing_list is a comma-separated list of local user names or aliases, remote
addresses, file names, commands, or included files. Table 2-3 describes the options
that can be included in a mailing list.
3. Issue the following command to regenerate the aliases database from the
/etc/mail/aliases file:
/usr/sbin/newaliases
This command creates the aliases database located in /etc/mail/aliases.db.
Table 2-3 Mailing List Options
Option             Description
user_name          Sendmail looks up the aliases database for the local user name unless
                   you put a backslash (\) before the local user name. To prevent Sendmail
                   from performing unnecessary alias lookups, put backslashes before
                   local user names. For example:
                   local_users: \amy, \carrie, \sandy, \anne, \david, \tony
                   remote_users: mike, denise
                   mike: mike@chem.tech.edu
                   denise: bigvax!amlabs!denise
remote_address     The remote address syntax that Sendmail understands is configured
                   in the Sendmail configuration file and usually includes RFC 822 style
                   addressing (user@domain) and UUCP style addressing (host!user).
                   For example:
                   chess_club: mike@chem.tech.edu, marie@buffalo,
                       bigvax!amlabs!denise
filename           An absolute pathname on the local machine. Sendmail appends the
                   message to the file if the following conditions are true:
                   • The file exists, is not executable, and is writable by all.
                   • The directory where the file resides is readable and searchable by
                     all.
                   Example:
                   public: /tmp/publicfile
                   terminal: /dev/tty
                   Mail addressed to public is appended to /tmp/publicfile. Mail
                   addressed to terminal appears on the sender’s terminal.
"| command"        Sendmail pipes the message as standard input to the specified
                   command. The double quotes are required to protect the command
                   line from being interpreted by Sendmail. Commands must be listed
                   as full pathnames.
                   If stdout and stderr are not redirected, they are not printed to the
                   terminal, and they disappear. However, if a command returns a
                   nonzero exit status, its output to stderr becomes part of the Sendmail
                   error transcript.
                   The command is executed by the prog mailer defined in the
                   configuration file. In the configuration file supplied with HP-UX, the
                   prog mailer is configured as “sh -c”. For example:
                   prog: "| /usr/bin/cat | /usr/bin/sed 's/Z/z/g' > /tmp/outputfile"
                   Mail addressed to prog is saved in /tmp/outputfile with all capital
                   Z’s changed to lowercase z’s.
:include:filename  Any mail addressed to the alias is sent to all the recipients listed in the
                   included file. The file must be a full pathname. Nonroot users can
                   create :include files to maintain their mailing lists. An :include
                   file can contain anything that is specified in the right side of an alias
                   definition. Following is an example alias definition:
                   dogbreeders: :include:/users/andrea/dogbreeders
                   Following is an example :include file:
                   #file included in dogbreeders alias definition:
                   terriers@akc.ny.com, coonhounders@ukc.sc.com
An alias can be continued across multiple lines in the aliases file. Lines beginning with
blanks or tabs are continuation lines.
The aliases file can contain comment lines, which begin with the pound sign (#). Blank
lines in the aliases file are ignored.
NOTE: You cannot address messages directly to file names, command lines, or
:include files. Sendmail will deliver messages to these only if they appear in the right
side of an alias definition.
Configuring Owners for Mailing Lists
Sendmail enables you to configure an owner for a mailing list, because the sender of
a message often does not control the mailing list to which the message is addressed. If
Sendmail encounters an error while attempting to deliver a message to the members
of a mailing list, it looks for an alias of the form owner-mailing_list and sends the
error message to the owner. For example, if mike were responsible for maintaining
the chess_club mailing list, he could be configured as the owner:
chess_club: mike@chem.tech.edu, marie@buffalo,
    bigvax!amlabs!denise, margaret@hp.com
owner-chess_club: mike@chem.tech.edu
Any errors that Sendmail encounters while trying to deliver mail to the members of
the chess_club mailing list would be reported to mike.
Avoiding Alias Loops
You must avoid creating aliasing loops. Loops can occur either locally or remotely. An
example of a local alias loop is as follows:
#Example of a local alias loop
first : second
second : first
While regenerating the alias database, the newaliases command does not notice a
loop like the one shown in the previous example. However, after the alias database is
generated, mail addressed to either first or second is not sent. If the recipients for
the message are only in the local alias loops, the message is returned with the error
message All recipients suppressed.
In the previous example, if mail is addressed to first, first expands to second,
which expands back to first. This causes Sendmail to remove first from the recipient
list as a duplicate.
The following is an example of a remote aliasing loop:
# Example alias entry on host sage
dave : dave@basil
# Example alias entry on host basil
dave : dave@sage
Mail sent to dave at either host sage or host basil bounces between the two systems.
Sendmail adds a tracing header line (Received:) with each hop. When 26 tracing
header lines have been added, Sendmail recognizes the aliasing loop and aborts the
delivery with an error message.
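The aliases file format (continuation lines, comments, backslash-escaped user names), the owner-mailing_list convention and the local alias loop described above, as an added example in Python (not HP's or sendmail's own code): a parser for the text file, an expansion routine that drops a name already seen as a duplicate (which is why a local loop ends in “All recipients suppressed”), a loop finder that reports what newaliases does not, and a lookup of the owner alias that receives delivery errors. The sample file is constructed around the guide's own illustrations; the local_users entry with \amy and bob is a constructed addition.

```python
"""Aliases file handling: parse comments, blank lines and leading-blank
continuation lines, expand an alias as the text describes (a name is
re-looked up unless escaped with a backslash, a name seen before is dropped
as a duplicate), report local alias loops, and find the owner-<list> alias
that receives delivery errors. Added example, not HP's or sendmail's code;
the sample file is constructed around the guide's illustrations."""

SAMPLE_ALIASES = """\
# constructed sample /etc/mail/aliases
postmaster: root
local_users: \\amy, bob
chess_club: mike@chem.tech.edu, marie@buffalo,
\tbigvax!amlabs!denise, margaret@hp.com
owner-chess_club: mike@chem.tech.edu

# Example of a local alias loop
first : second
second : first
"""

def parse_aliases(text: str) -> dict:
    """Return {alias: [members]}. A line starting with a blank or tab
    continues the previous alias; lines starting with '#' are comments."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    table = {}
    for entry in logical:
        name, sep, rhs = entry.partition(":")
        if not sep:
            raise ValueError(f"malformed alias line: {entry!r}")
        table[name.strip()] = [m.strip() for m in rhs.split(",") if m.strip()]
    return table

def expand(table: dict, name: str, seen=None) -> set:
    """Final recipients for one address. Returns an empty set for an address
    caught in a local loop (sendmail reports 'All recipients suppressed')."""
    seen = set() if seen is None else seen
    if name.startswith("\\"):          # escaped: deliver to the local user directly
        return {name[1:]}
    if name not in table:              # not an alias: user, remote address, file...
        return {name}
    if name in seen:                   # already expanded: duplicate, dropped
        return set()
    seen.add(name)
    recipients = set()
    for member in table[name]:
        recipients |= expand(table, member, seen)
    return recipients

def find_loops(table: dict) -> list:
    """Aliases that participate in a local loop (newaliases does not warn)."""
    looped = set()

    def visit(name, path):
        if name in path:
            looped.update(path[path.index(name):])
            return
        for member in table.get(name, []):
            if not member.startswith("\\") and member in table:
                visit(member, path + [name])

    for alias in table:
        visit(alias, [])
    return sorted(looped)

def error_recipients(table: dict, list_name: str) -> set:
    """Where delivery errors for a mailing list go: the members of the
    owner-<list> alias if one is defined, otherwise an empty set."""
    owner = "owner-" + list_name
    return expand(table, owner) if owner in table else set()

if __name__ == "__main__":
    aliases = parse_aliases(SAMPLE_ALIASES)
    for name in ("chess_club", "local_users", "first"):
        print(name, "->", sorted(expand(aliases, name)))
    print("loops:", find_loops(aliases))
    print("errors for chess_club go to:", error_recipients(aliases, "chess_club"))
```

Running find_loops over a candidate aliases file before newaliases is the check the text implies is missing; the remote loop between two hosts cannot be found this way, since each side only sees its own file.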
Creating a Postmaster Alias
RFC 2822 requires that a postmaster alias be defined on every host. The postmaster is
the person in charge of handling problems with the mail system on that host. The
default aliases file supplied with the HP-UX operating system designates the postmaster
as root. You can change this alias to the appropriate user for your system.
Verifying Your Sendmail Aliases
After you have created a Sendmail alias and regenerated the aliases database, issue the
following command to verify the validity of your alias:
/usr/sbin/sendmail -bv -v alias, alias, . . .
The -bv option causes Sendmail to verify the aliases without collecting or sending any
messages. Any errors in the specified aliases are logged to standard output.
You can use the HP expand_alias utility to expand an alias or mailing list as far as
possible. For more information on the expand_alias utility, type man 1M
expand_alias at the HP-UX prompt.
Managing Sendmail Aliases with NIS
You can manage the Sendmail aliases database through the Network Information
Service (NIS), which is one of the NFS Services. This service allows you to maintain an
aliases database on one server system. All other systems request alias information from
the server. In order to use NIS, you must set up an NIS domain and configure the
machines in your network as NIS servers and clients. For information about the NIS
aliases database, see NIS Administrator's Guide at:
http://docs.hp.com/en/netcom.html.
When you configure NIS on your network, it manages your Sendmail aliases by default,
so you do not have to make any changes to your NIS configuration.
Before you run the NIS ypinit script, ensure that the /etc/mail/aliases file on
the NIS master server contains all the Sendmail aliases that you want to make globally
available through NIS.
The Sendmail program uses the Name Service Switch to determine where to look for
Sendmail aliases.
Modifying your NIS Aliases Database
For information about the NIS aliases database, see NIS Administrator's Guide, at the
URL http://docs.hp.com/en/netcom.html.
Rewriting the From Line on Outgoing Mail
HP provides a method that allows the From line on a mail message to be rewritten.
This can be useful when a user’s login name does not clearly identify the user to
intended mail recipients. For example, mail sent by bkelley (mailname) can be
changed to read as Bob_Kelley (maildrop).
To rewrite From lines on an outgoing mail message, do the following:
1. Create the file /etc/mail/userdb, which contains two entries for each mail
user. The entries must be in the following format:
bkelley:mailname      Bob_Kelley
Bob_Kelley:maildrop   bkelley
2. Build the /etc/mail/userdb.db file with the makemap routine:
makemap btree /etc/mail/userdb.db < /etc/mail/userdb
3. Uncomment the following line in the /etc/mail/sendmail.cf file:
UserDatabaseSpec=/etc/mail/userdb.db
4. Add the i flag to all the mailer definitions, to enable UDB sender rewriting. For
example, change the mailer definition from
Mlocal, P=/usr/bin/rmail, F=lsDFMAw5:/|@m,
S=10/30, R=20/40, T=DNS/RFC822/X-Unix,
A=rmail -d $u
to
Mlocal, P=/usr/bin/rmail, F=lsDFMAw5:/|@mi,
S=10/30, R=20/40, T=DNS/RFC822/X-Unix,
A=rmail -d $u
5. Uncomment the first rule in ruleset 94.
Forwarding Your Own Mail with a .forward File
You can redirect your own mail by creating a .forward file in your home directory.
If a .forward file exists in your home directory and is owned by you, Sendmail
redirects mail addressed to you to the addresses that the .forward file contains.
A .forward file can contain anything that appears on the right side of an alias
definition, including programs and files. (See Table 2-3) The following is an example
of a .forward file owned by user alice on host chicago:
alice@miami, alice@toronto, \alice, mycrew
Mail sent to alice@chicago will be delivered to alice’s accounts on hosts miami
and toronto, and to her account on local host chicago. It will also be delivered to
all the recipients of the mailing list mycrew, which must be defined in the local aliases
database or in the :include file on host chicago.
The aliases database is read before a .forward file. The .forward file is read only if
the user’s name is not defined as an alias or if an alias expands to the user’s name.
Creating Domain-Specific Aliasing Using Virtual Hosting
Sendmail controls the /etc/mail/virtusertable database. This database provides
a domain-specific form of aliasing and also allows multiple domains to be hosted on
a single machine.
With this feature, users can have their own domain names and receive mail using these
domain names with a single host. You are required to obtain a new (available) domain
name and set up name servers for that domain. Then, you must configure MX records
for your new domain.
NOTE: Virtual hosting requires DNS to be set up. For information on setting up DNS,
see the IP Address and Client Management Administrator’s Guide, at the URL
http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services
The following steps describe how to set up virtual hosting:
1. Assume mydomain.com as the new domain name. If the mail server that serves
the new domain name has a full-time connection to the Internet, include the
following line in the db.domain file (domain is the domain name specified in the
file /etc/resolv.conf):
mydomain.com. IN MX 10 mymailserver.mydomain.com.
Otherwise, you must have another machine to queue mail for your domain. Include
the following lines in the db.domain file:
mydomain.com. IN MX 10 mymailserver.mydomain.com.
mydomain.com. IN MX 20 othermailserver.otherdomain.com.
Now you must set up Sendmail.
2. Generate the sendmail.cf.gen file using the gen_cf utility with the
virtusertable option, and move this file to /etc/mail/sendmail.cf.
For more information on gen_cf, read the section “Modifying the Default Sendmail
Configuration File” (page 43).
3. Create the virtual user table in the /etc/mail directory. A sample virtual user
table may look like the following:
joe@mydomain.com     jschmoe
jane@mydomain.com    jdoe@othercompany.com
@mydomain.com        jschmoe
In this example, the address joe@mydomain.com is mapped to the local user
jschmoe, jane@mydomain.com to the remote user jdoe@othercompany.com,
and any other address in mydomain.com is mapped to jschmoe.
4. Build the virtual user table database file by running the makemap utility on the
command line as follows:
# makemap dbm /etc/mail/virtusertable < /etc/mail/virtusertable
To reverse map local users for outbound mails, you must generate the
sendmail.cf file with the genericstable option in addition to the
virtusertable option.
You must generate the generics table similar to the virtual user table, but with the
entries reversed. Example:
jschmoe    joe@yourdomain.com
5. Add your domain name to the /etc/mail/sendmail.cw file.
6. Kill and restart Sendmail.
You can now receive mail at mydomain.com.
IMPORTANT: The virtual hosting feature provides better support for ISPs that
offer queuing services to dial-up customers because queue-runs no longer wait
for the dial-up server connection attempts to time out.
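The lookups that the virtual hosting procedure above configures, as an added example in Python (not HP's or sendmail's own code): an inbound recipient is matched in the virtual user table by exact address first and then by the @domain catch-all, and an outbound local sender is reverse-mapped through the generics table. The two tables are the guide's sample entries; the HOSTED_DOMAINS set is a constructed stand-in for the domain names listed in /etc/mail/sendmail.cw in step 5.

```python
"""Virtual hosting lookups: inbound addresses through the virtual user table
(exact address first, then the @domain catch-all) and outbound local users
back through the generics table. Added example, not HP's or sendmail's code;
the tables are the guide's sample entries, and HOSTED_DOMAINS is a
constructed stand-in for the entries in /etc/mail/sendmail.cw."""

VIRTUSERTABLE = """\
joe@mydomain.com     jschmoe
jane@mydomain.com    jdoe@othercompany.com
@mydomain.com        jschmoe
"""

GENERICSTABLE = """\
jschmoe    joe@yourdomain.com
"""

# Constructed: domains this host accepts mail for (sendmail.cw, step 5).
HOSTED_DOMAINS = {"mydomain.com"}

def parse_map(text: str) -> dict:
    """Two-column map source as fed to makemap; keys folded to lower case."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table

def virtuser_lookup(vt: dict, address: str, hosted=HOSTED_DOMAINS):
    """Map an inbound recipient: None if the domain is not hosted here,
    else the exact entry, else the @domain catch-all, else None."""
    local, sep, domain = address.lower().rpartition("@")
    if not sep or domain not in hosted:
        return None
    if address.lower() in vt:
        return vt[address.lower()]
    return vt.get("@" + domain)

def generics_lookup(gt: dict, local_user: str):
    """Reverse map an outbound local sender to its public address."""
    return gt.get(local_user.lower())

def route_inbound(vt: dict, address: str):
    """Classify the delivery target: local mailbox, remote address, or
    unknown when no virtual user entry applies."""
    target = virtuser_lookup(vt, address)
    if target is None:
        return ("unknown", address)
    return ("remote", target) if "@" in target else ("local", target)

if __name__ == "__main__":
    vt = parse_map(VIRTUSERTABLE)
    gt = parse_map(GENERICSTABLE)
    for addr in ("joe@mydomain.com", "jane@mydomain.com",
                 "anyone@mydomain.com", "x@elsewhere.org"):
        print(addr, "->", route_inbound(vt, addr))
    print("jschmoe sends as", generics_lookup(gt, "jschmoe"))
```

The @domain catch-all is what makes every otherwise-unknown address in the hosted domain land in one local mailbox; without the sendmail.cw entry from step 5 the domain is not treated as local and the table is never consulted.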
Sendmail and the LDAP Protocol
The Lightweight Directory Access Protocol (LDAP) enables servers to share static
information. Combining Sendmail and LDAP increases the speed and efficiency at
which network information is collected and displayed.
Sendmail supports the use of the LDAP protocol to look up addresses. The ldapx class,
which is a database, is used to look up items in the LDAP directory service. The
Sendmail configuration file contains the syntax required to enable the LDAP protocol
to perform address lookups.
Enabling Address Lookups Using LDAP
When you enable LDAP support, LDAP will look up login names, then return the
e-mail address for that user. To enable this, you must modify the sendmail.cf file.
The following steps describe how to enable address lookup using LDAP:
1. Open the sendmail.cf file.
2. Uncomment the following ruleset:
#R$+ < @ $+ > $: $(ldap $1 $: $1<@$2>$) ldap support
3. Uncomment the following line:
Kldap ldapx -k"uid=%s" -v"mail" -h"test.india.hp.com" -b"organization, c=US"
This enables the LDAP protocol to perform lookups. These lookups are defined entirely
by the switches specified. In the previous example, -k and -v are the switch options.
The -k switch defines how the map takes its input value and constructs the LDAP
search. The -v switch is the value that replaces the original string in the map. In most
cases, this will be an e-mail address. The -b switch is the directory in the LDAP tree
where searching begins. The -h switch is the space-separated string of servers that
support LDAP at your site.
NOTE: The LDAP-style options (-v and -h in the previous example) must be double
quoted and must follow immediately after the option. Do not leave spaces between
the option and the quote.
LDAP-Based Routing
You can use the LDAP protocol to implement LDAP-based rerouting. This provides a
method to reroute addresses with a domain portion in class {LDAPRoute} to either a
different mail host or a different address.
You can use the /usr/newconfig/etc/mail/cf/cf/gen_cf script to enable the
LDAP-based routing.
You can add the domains to the class {LDAPRoute}, as shown in the following
examples. Ensure that you set up a domain for LDAP routing. Assume that your domain
is yyy.com. Add the following line in the sendmail.cf file:
C{LDAPRoute}yyy.com
or
F{LDAPRoute}/etc/mail/ldap-domain-file
where /etc/mail/ldap-domain-file contains the domains.
The LDAPDefaultSpec option in the sendmail.cf file sets the default LDAP map
specification. You must set this up before defining LDAP maps. The settings are used
for all LDAP maps unless they are specified in the individual map specification (K
command). By default, it appears in the sendmail.cf file as follows:
O LDAPDefaultSpec=-h localhost
localhost can be replaced by your LDAP server name.
Following are the switches commonly used by most applications:
• -b – LDAP search base
Directory in the LDAP tree where the search begins. For example:
-b "o=hp.com"
• -d – BindDN
The BindDN parameter used to specify the DN value for the LDAP bind request.
For example:
-d"cn=ldap://:389,dc=edat104,dc=atl,dc=hp,dc=com"
• -h – LDAP servers
Space-separated string of servers that support LDAP at your site. For example:
-h "ldap1.hp.com ldap2.hp.com"
• -p – Port numbers
Port numbers where LDAP service is available. For example:
-p 33333
• -k – LDAP search string (key)
String that defines how an LDAP map takes its input value and initiates an LDAP
search. For example:
-k (&(ObjectClass=mailrecipient) (mail=%0))
• -v – LDAP attribute
Value that replaces the original string in the map. In most cases, this is the RFC 822
e-mail address. For example:
-v mailroutingaddress
The LDAP maps are defined in the configuration file as follows:
Kldapmh ldap -1 -v mailHost -k (&(objectClass=inetLocalMailRecipient) (mailLocalAddress=%0))
Kldapmra ldap -1 -v mailRoutingAddress -k (&(objectClass=inetLocalMailRecipient) (mailLocalAddress=%0))
mailLocalAddress is the RFC 2822-compliant e-mail address of the recipient.
mailHost is the fully qualified host name of the MTA that is the final SMTP destination
of the message to the recipient.
mailRoutingAddress is the RFC 822 address to be used when routing messages to
the SMTP MTA of the recipient.
LDAP Recursion and URL Support
Sendmail supports LDAP recursion based on the TYPEs provided as attribute
specifications in an LDAP map definition. This enables the LDAP queries to return a
new query, a DN, or an LDAP URL that is in turn queried.
LDAP recursion enables you to add TYPEs to the search attributes on an LDAP map
specification. Following is the syntax for the LDAP:
-v ATTRIBUTE[:TYPE[:OBJECTCLASS[|OBJECTCLASS|...]]]
Following are the various TYPEs:
NORMAL
Specifies the attribute that you must add to the results string. This is the
default TYPE value.
DN
Matches for this attribute are expected to have a value of a fully qualified
distinguished name. Sendmail looks up that DN and applies the attributes
requested to the returned DN record.
FILTER
Matches for this attribute are expected to have a value of an LDAP search
filter. Sendmail looks up the same parameters as the original search, but
replaces the search filter with the one specified.
URL
Matches for this attribute are expected to have a value of an LDAP URL.
Sendmail looks up that URL and uses the results from the attributes named
in that URL. However, Sendmail searches the URL using the current LDAP
connection, regardless of what is specified as the scheme, LDAP host, and
LDAP port in the LDAP URL.
Any untyped attributes are considered NORMAL attributes.
The optional OBJECTCLASS (separated with a |) list contains the objectClass values
for which that attribute applies. If the list is provided, the attribute named is used only
if the LDAP record being returned is a member of that object class. If these new value
attribute TYPEs are used in an AliasFile option setting, they must be within double
quotes. This prevents Sendmail from misparsing the colons.
LDAP recursion attributes that do not point to an LDAP record are not considered as
errors.
Following is an example of an LDAP recursion that uses all the new TYPEs:
O LDAPDefaultSpec=-h ldap.example.com -b dc=example,dc=com
Kexample ldap
-z,
-k(&(objectClass=sendmailMTAAliasObject)(sendmailMTAKey=%0))
-v sendmailMTAAliasValue,mail:NORMAL:inetOrgPerson,
uniqueMember:DN:groupOfUniqueNames,
sendmailMTAAliasSearch:FILTER:sendmailMTAAliasObject,
sendmailMTAAliasURL:URL:sendmailMTAAliasObject
This definition specifies the following:
• Any value in a sendmailMTAAliasValue attribute is added to the result string
regardless of the object class.
• The mail attribute is added to the result string if the LDAP record is a member of
the inetOrgPerson object class.
• The uniqueMember attribute is a recursive attribute used only in
groupOfUniqueNames records, and must contain an LDAP DN pointing to
another LDAP record. The uniqueMember attribute returns the mail attribute
from the LDAP DNs.
• The sendmailMTAAliasSearch and sendmailMTAAliasURL attributes are
used only if they are referenced in a sendmailMTAAliasObject. They are both
recursive; the first for a new LDAP search string and the second for an LDAP URL.
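The walk through NORMAL, DN, FILTER and URL attributes that the definition above describes, as an added example that is not Sendmail's code. A small in-memory dictionary stands in for the LDAP server; the DNs, records, the alias key staff and the dangling cn=gone entry are constructed, and the filter matcher understands only equality terms and the & conjunction, which is all the example needs.

```python
"""Resolve an LDAP alias the way the recursion TYPEs above describe, over a
constructed in-memory directory (added example, not Sendmail code)."""
import re

# Constructed directory: DN -> record (attribute -> list of values).
DIRECTORY = {
    "sendmailMTAKey=staff,dc=example,dc=com": {
        "objectClass": ["sendmailMTAAliasObject"],
        "sendmailMTAKey": ["staff"],
        "sendmailMTAAliasValue": ["postmaster@example.com"],
        "sendmailMTAAliasSearch": ["(&(objectClass=groupOfUniqueNames)(cn=staff))"],
        # host and port in the URL are ignored, as the text above says
        "sendmailMTAAliasURL": ["ldap://ignored.example.com:389/cn=help,ou=people,dc=example,dc=com?mail"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["staff"],
        "uniqueMember": ["cn=alice,ou=people,dc=example,dc=com",
                         "cn=gone,ou=people,dc=example,dc=com"],  # dangling DN: not an error
    },
    "cn=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "mail": ["alice@example.com"]},
    "cn=help,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "mail": ["help@example.com"]},
}

# The -v and -k values from the Kexample map above.
VALUE_SPEC = ("sendmailMTAAliasValue,mail:NORMAL:inetOrgPerson,"
              "uniqueMember:DN:groupOfUniqueNames,"
              "sendmailMTAAliasSearch:FILTER:sendmailMTAAliasObject,"
              "sendmailMTAAliasURL:URL:sendmailMTAAliasObject")
KEY_FILTER = "(&(objectClass=sendmailMTAAliasObject)(sendmailMTAKey=%0))"

def parse_value_spec(spec):
    """'attr[:TYPE[:class|class...]]' items -> [(attr, TYPE, {classes})]; untyped is NORMAL."""
    items = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        parts = item.split(":")
        typ = parts[1].upper() if len(parts) > 1 and parts[1] else "NORMAL"
        classes = set(parts[2].split("|")) if len(parts) > 2 and parts[2] else set()
        items.append((parts[0], typ, classes))
    return items

def split_subfilters(s):
    """Split '(a=b)(c=d)' into its top-level parenthesised terms."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def matches(record, flt):
    """Minimal filter matcher: (attr=value) terms and (&(...)(...)) conjunctions."""
    flt = flt.strip()
    if flt.startswith("(&"):
        return all(matches(record, sub) for sub in split_subfilters(flt[2:-1]))
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    return m.group(2) in record.get(m.group(1), [])

def search(directory, flt):
    return [dn for dn, rec in directory.items() if matches(rec, flt)]

def parse_url(url):
    """'ldap://host:port/DN?attr1,attr2' -> (DN, [attrs]); host and port are ignored."""
    m = re.match(r"ldaps?://[^/]*/([^?]*)(?:\?([^?]*))?", url)
    if not m:
        raise ValueError("unsupported URL: " + url)
    return m.group(1), [a for a in (m.group(2) or "").split(",") if a]

def resolve(directory, dn, specs, depth=0):
    """Apply the attribute specs to one record, recursing for DN and FILTER types."""
    record = directory.get(dn)
    if record is None or depth > 10:      # missing target or runaway loop: nothing added
        return []
    results, record_classes = [], set(record.get("objectClass", []))
    for attr, typ, classes in specs:
        if classes and not classes & record_classes:   # attribute restricted to other classes
            continue
        for value in record.get(attr, []):
            if typ == "NORMAL":
                results.append(value)
            elif typ == "DN":
                results.extend(resolve(directory, value, specs, depth + 1))
            elif typ == "FILTER":
                for hit in search(directory, value):
                    results.extend(resolve(directory, hit, specs, depth + 1))
            elif typ == "URL":
                target, attrs = parse_url(value)
                results.extend(v for a in attrs for v in directory.get(target, {}).get(a, []))
    return results

def lookup(key, directory=DIRECTORY, spec=VALUE_SPEC):
    """Full map lookup: run the -k search for key, then expand each hit."""
    specs = parse_value_spec(spec)
    return [v for dn in search(directory, KEY_FILTER.replace("%0", key))
            for v in resolve(directory, dn, specs)]
```

Calling lookup("staff") yields the plain alias value, then alice's mail reached through the FILTER and the group's DN members, then help's mail reached through the URL; the dangling cn=gone DN contributes nothing and raises no error, matching the rule stated above.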
IPv6 Support
An option value inet6 is provided for the field Family in DaemonPortOptions to
enable IPv6 functionality.
To enable IPv6, set the DaemonPortOptions in the sendmail.cf configuration file
as follows:
O DaemonPortOptions=Port=smtp, Name=MTA, Family=inet6
This enables Sendmail to accept both IPv4 and IPv6 addresses.
Security
By default, Sendmail is a set-user-ID program. You can set it to a set-group-ID program
by creating a new user smmsp and by using the submit.cf configuration file. If
sendmail is called for initial delivery, you must use the submit.cf file with a fallback
of sendmail.cf as configuration file.
A Mail Submission Program (MSP) is another instance of Sendmail that is used for
initial mail submission. MSP uses the /etc/mail/submit.cf file as the configuration
file. Sendmail acts as an MSA or MTA depending on the operational mode.
The default configuration starting with Sendmail 8.13.3 uses one sendmail binary that
acts differently based on the operation mode and supplied options.
For security reasons, Sendmail must be a set-group-ID program to allow for queuing
mail in a group-writable directory. When Sendmail runs as a set-group-ID program,
the default group is smmsp and the group ID is 25.
The sendmail.cf configuration file is required for Sendmail to run as a server, and
submit.cf configuration file is required to run Sendmail as a mail submission program.
You must use the following permissions for the Sendmail configuration and default
queue files:
• -r-xr-sr-x root smmsp ... /PATH/TO/sendmail
This entry denotes that the owner of Sendmail is root, the group is smmsp, and
the binary is set-group-ID.
• drwxrwx--- smmsp smmsp ... /var/spool/clientmqueue
This denotes that the client mail queue is owned by smmsp with group smmsp and
is group writable. The client mail queue directory must be writable by smmsp. In
the submit.cf file, you also must set the UseMSP option, and you must set the
QueueFileMode option to 0660.
• drwx------ root wheel ... /var/spool/mqueue
• -r--r--r-- root wheel ... /etc/mail/sendmail.cf
• -r--r--r-- root wheel ... /etc/mail/submit.cf
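A check that compares what is actually on the system with the ownership and modes listed above, as an added example that is not HP-UX or Sendmail code. The ls -ld lines in SAMPLE_LISTING are constructed rather than captured from a real host, and /PATH/TO/sendmail is the guide's own placeholder for the location of the binary.

```python
"""Compare Sendmail file ownership and modes with the required values above
(added example, not HP-UX or Sendmail code)."""
import os
import re
import stat

# (owner, group, ls-style mode string) per path, as listed above.
EXPECTED = {
    "/PATH/TO/sendmail":        ("root",  "smmsp", "-r-xr-sr-x"),
    "/var/spool/clientmqueue":  ("smmsp", "smmsp", "drwxrwx---"),
    "/var/spool/mqueue":        ("root",  "wheel", "drwx------"),
    "/etc/mail/sendmail.cf":    ("root",  "wheel", "-r--r--r--"),
    "/etc/mail/submit.cf":      ("root",  "wheel", "-r--r--r--"),
}

# mode, link count, owner, group, size, three date fields, path
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)$")

# Constructed 'ls -ld' output used to exercise the checks offline.
SAMPLE_LISTING = [
    "-r-xr-sr-x   1 root  smmsp   857936 Feb  1  2007 /PATH/TO/sendmail",
    "drwxrwxrwx   2 smmsp smmsp     8192 Feb  1  2007 /var/spool/clientmqueue",
    "-rw-r--r--   1 smmsp wheel    42113 Feb  1  2007 /etc/mail/sendmail.cf",
]

def parse_ls_line(line):
    """Return (path, owner, group, mode) from one 'ls -ld' line."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ls -l line: %r" % line)
    return m.group("path"), m.group("owner"), m.group("group"), m.group("mode")

def check_entry(path, owner, group, mode):
    """Return the list of findings for one entry; an empty list means it matches."""
    if path not in EXPECTED:
        return ["%s: not in the expected list" % path]
    exp_owner, exp_group, exp_mode = EXPECTED[path]
    findings = []
    if owner != exp_owner:
        findings.append("%s: owner %s, expected %s" % (path, owner, exp_owner))
    if group != exp_group:
        findings.append("%s: group %s, expected %s" % (path, group, exp_group))
    if mode != exp_mode:
        findings.append("%s: mode %s, expected %s" % (path, mode, exp_mode))
    # Called out separately because it is the most damaging deviation: a
    # world-writable queue or configuration file lets any local user alter mail.
    if mode[8] == "w":
        findings.append("%s: world-writable" % path)
    return findings

def audit_listing(lines):
    """Map each path in 'ls -ld' output to its findings."""
    return {p: check_entry(p, o, g, m) for p, o, g, m in map(parse_ls_line, lines)}

def check_live(path):
    """Run the same check against the running system (the path must exist)."""
    import grp, pwd   # POSIX-only modules, imported here so the rest runs anywhere
    st = os.stat(path)
    return check_entry(path, pwd.getpwuid(st.st_uid).pw_name,
                       grp.getgrgid(st.st_gid).gr_name, stat.filemode(st.st_mode))

if __name__ == "__main__":
    for path, findings in audit_listing(SAMPLE_LISTING).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

On a real system, feed audit_listing the output of ls -ld over the five paths (with the binary's real path substituted), or call check_live on each path directly.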
This section discusses administering Sendmail security options. It discusses the following
topics:
• “Using the Sendmail Restricted Shell Program” (page 73)
• “Turning Off Standard Security Checks” (page 73)
• “Enabling SMTP Authentication Based on RFC 2554” (page 75)
• “Support for RFC 1413 (Identification Protocol)” (page 77)
• “Support for Secured Mail Transaction Using STARTTLS” (page 78)
• “Cyrus SASL v2 Support” (page 80)
Using the Sendmail Restricted Shell Program
Sendmail allows the aliases file or a user’s .forward file to specify programs to be
run. These programs are by default invoked through /usr/bin/sh -c. The Sendmail
restricted shell (smrsh) program enables you to restrict the programs that can be run
through the aliases file or through a .forward file; only programs that are linked
to the /var/adm/sm.bin directory can be invoked.
To use the smrsh program, complete the following steps:
1. In the /etc/mail/sendmail.cf file, comment the following lines by inserting
a pound sign (#) before each line:
# Mprog, P=/usr/bin/sh, F=lsDFMoeu, S=10/30, R=20/40, D=$z:/,
# T=X-Unix,
# A=sh -c $u
2. In the /etc/mail/sendmail.cf file, uncomment the following lines by deleting
the pound sign (#) before each line:
Mprog, P=/usr/bin/smrsh, F=lsDFMoeu, S=10/30, R=20/40, D=$z:/,
T=X-Unix,
A=smrsh -c $u
3. Create the directory /var/adm/sm.bin/ with root:bin ownership and 755
permissions. Place the binaries of the programs that you want to allow into this
directory. Typically, programs such as vacation, rmail, and AutoReply are
placed in this directory. (You can also specify hard links to the binaries.) Do not
place shells such as ksh, sh, csh, and perl in this directory because they have
too many security issues.
Turning Off Standard Security Checks
Sendmail has security checks that limit reading and writing to certain files in a directory.
These checks protect files that may reside in unsafe directories or that may be tampered
with by users other than the owner. You can turn these safety checks off by editing the
DontBlameSendmail option in the configuration file.
In the sendmail.cf file, change DontBlameSendmail=option value, where
option value is any of the options listed in Table 2-4. The default option value is
safe. After you change option value, the new value becomes the default value.
Table 2-4 Option Values for DontBlameSendmail
Option Value                             Description
safe                                     Allows files only in a safe directory. All files
                                         accessed by Sendmail must be safe.
AssumeSafeChown                          Assumes that the chown system call is restricted
                                         to root.
ClassFileInUnsafeDirPath                 Allows class files that are in unsafe directories.
ErrorHeaderInUnsafeDirPath               Allows the file named in the ErrorHeader option
                                         to be in an unsafe directory.
ForwardFileInGroupWritableDirPath        Allows .forward files in group-writable
                                         directories.
GroupWritableDirPathSafe                 Considers group-writable directories to be safe.
                                         Sendmail will read messages from group-writable
                                         directories.
GroupWritableIncludeFileSafe             Accepts group-writable :include: files.
GroupWritableAliasFile                   Allows group-writable alias files.
HelpFileInUnsafeDirPath                  Allows the help file to be in an unsafe directory.
IncludeFileInGroupWritableDirPath        Allows :include: files in group-writable
                                         directories.
ForwardFileInUnsafeDirPath               Allows a .forward file that is in an unsafe
                                         directory to include references to programs and
                                         files.
IncludeFileInUnsafeDirPathSafe           Allows an :include: file that is in an unsafe
                                         directory to include references to programs and
                                         files.
MapInUnsafeDirPath                       Allows maps (for example, hash, btree, and dbm
                                         files) in unsafe directories.
LinkedAliasFileInWritableDir             Allows an alias file that is a link in a writable
                                         directory.
LinkedClassFileInWritableDir             Allows class files that are links in writable
                                         directories.
LinkedForwardFileInWritableDir           Allows .forward files that are links in writable
                                         directories.
LinkedIncludeFileInWritableDir           Allows :include: files that are links.
LinkedMapInWritableDir                   Allows map files that are links in writable
                                         directories.
LinkedServiceSwitchFileInWritableDir     Allows the service switch file to be a link even
                                         if the directory is writable.
FileDeliveryToHardLink                   Allows delivery to files that are hard links.
FileDeliveryToSymLink                    Allows delivery to files that are symbolic links.
WriteMapToHardLink                       Allows writes to maps that are hard links.
WriteMapToSymLink                        Allows writes to maps that are symbolic links.
WriteStatsToHardLink                     Allows the status file to be a hard link.
WriteStatsToSymLink                      Allows the status file to be a symbolic link.
RunProgramInUnsafeDirPath                Allows Sendmail to run programs that are in
                                         writable directories.
RunWritableProgram                       Allows Sendmail to run programs that are group-
                                         or world-writable.
WorldWritableAliasFile                   Accepts world-writable alias files.
Disabling Privacy Options
You can now disable the ETRN and VERB privacy options by using the noetrn and
noverb flags:
• PrivacyOptions=noetrn
The noetrn flag disables the SMTP ETRN command, enabling Sendmail to process
its queue in a synchronous mode.
• PrivacyOptions=noverb
The noverb flag disables the SMTP VERB command, turning off verbose mode.
For more information on the different privacy options, see the Sendmail configuration
file /etc/mail/sendmail.cf.
Enabling SMTP Authentication Based on RFC 2554
A new option to set the AUTH parameter in the MAIL FROM command has been added to the
sendmail.cf file. By default, this appears as follows:
#O AuthOptions
Sendmail supports SMTP AUTH as defined in RFC 2554 (SMTP Service Extension for
Authentication), which is based on the Simple Authentication and Security Layer, RFC
2222 (SASL). SMTP authentication provides a robust tool to control relaying with
maximum flexibility. SASL is mainly used for roaming users whose IP address and
host name change repeatedly. In this case, authorization is via a secret password,
which is client dependent.
The authentication protocol exchange consists of a series of server challenges (otherwise
known as a ready response) and client answers that are specific to the authentication
mechanism.
The AUTH parameter to the MAIL FROM command is set as follows:
MAIL FROM: from-addr AUTH=addr-spec
The addr-spec contains the identity that submitted the message to the delivery system.
If the server trusts the authenticated identity of the client to assert that the message
was originally submitted by the supplied addr-spec, then the server must supply
the same addr-spec in an AUTH parameter when relaying the message to any server
that supports the AUTH extension.
You can specify the list of authentication mechanisms for AUTH in the AuthMechanisms
option in the sendmail.cf file. By default, it appears in the sendmail.cf file as
follows:
#O AuthMechanisms=GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
If you set the AuthOptions option to A, the AUTH= parameter for the MAIL FROM command
is issued only when authentication succeeds.
DaemonPortOptions has a suboption called modifiers (M). The modifiers
suboption contains an authentication flag a, which instructs the daemon to authenticate
all its connections.
By default, it appears in the sendmail.cf file as:
#O DefaultAuthInfo=/etc/mail/default-auth-info
The DefaultAuthInfo option sets the file name, which by default contains the
authentication information for outgoing connections. It must contain the authorization
ID (userid), the authentication ID (authid), the password (plain text), and the realm
to use, each on a separate line. This information must be readable only by root (or by
the trusted user). If you do not specify a realm, $j is used.
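The series of server challenges and client answers described above, carried through for the CRAM-MD5 mechanism that the AuthMechanisms list names (RFC 2195), with the server-side verification. This is an added example, not Sendmail or Cyrus SASL code; the host name, user names, secrets, nonce and timestamp are constructed, and the SECRETS dictionary stands in for whatever store the SASL library consults.

```python
"""CRAM-MD5 challenge/response exchange, both sides (added example, not
Sendmail or Cyrus SASL code)."""
import base64
import hashlib
import hmac

# Constructed secret store; a real deployment keeps this in the SASL backend.
SECRETS = {"alice": "correct horse battery staple"}

def make_challenge(hostname, nonce, timestamp):
    """Server side: RFC 2195 '<nonce.timestamp@host>' challenge, base64 as sent on the wire."""
    return base64.b64encode(("<%s.%s@%s>" % (nonce, timestamp, hostname)).encode()).decode()

def client_response(b64_challenge, username, password):
    """Client side: 'username hex(HMAC-MD5(password, challenge))', base64 encoded."""
    challenge = base64.b64decode(b64_challenge)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()

def server_verify(b64_challenge, b64_response, lookup_secret):
    """Return the authenticated user name, or None when the answer does not verify.
    lookup_secret(username) returns the shared secret or None."""
    try:
        username, digest = base64.b64decode(b64_response).decode().rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):   # malformed base64 or no separating space
        return None
    secret = lookup_secret(username)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), base64.b64decode(b64_challenge),
                        hashlib.md5).hexdigest()
    # Constant-time comparison so a wrong digest cannot be told apart by timing.
    return username if hmac.compare_digest(expected, digest) else None

def exchange(username, password, secrets=SECRETS, hostname="mail.example.com"):
    """Run both sides and return (transcript lines, authenticated user or None)."""
    chal = make_challenge(hostname, nonce=12345, timestamp=1170000000)   # constructed values
    resp = client_response(chal, username, password)
    who = server_verify(chal, resp, secrets.get)
    transcript = [
        "C: AUTH CRAM-MD5",
        "S: 334 " + chal,
        "C: " + resp,
        "S: 235 2.0.0 OK Authenticated" if who else "S: 535 5.7.0 authentication failed",
    ]
    return transcript, who
```

Because only an HMAC over the challenge crosses the wire, the password itself is never sent; this is the property the PLAIN mechanism lacks, which is why the section on Cyrus SASL below requires PLAIN to run only inside a STARTTLS session.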
SMTP Pipelining
This feature is an extension of the SMTP service. It enables a server to indicate the
extent to which it can accept multiple commands in a single TCP send operation. Using
a single TCP send operation for multiple commands improves the SMTP performance.
SMTP pipelining is an implementation of RFC 1854 (SMTP Service Extension for Command
Pipelining).
Support for Deliver By SMTP Extension (RFC 2852)
The Deliver By SMTP extension is a mechanism by which an SMTP client requests a
server to deliver the message within a specified period of time, while transmitting a
message to an SMTP server. A client that makes such a request also specifies the message
handling that must occur if the message cannot be delivered within the specified time
period. The options can be either to return the message as an undeliverable message
with no further processing or to issue a delayed delivery status notification (DSN).
Following is the declaration for the Deliver By SMTP extension in the Sendmail
configuration file:
#O DeliverByMin=0
A value of 0 (zero) indicates that the DeliverByMin option is disabled. You must not
consider this extension as a vehicle for requesting “priority” processing. A receiving
SMTP server can assign processing priority to a message transmitted with a Deliver
By request. The DeliverByMin option expresses the urgency of a message and provides
an additional degree of determinacy in its processing. The message can be withdrawn
if it is not delivered within the specified period of time.
This mechanism is used to prevent the delivery of a message beyond some future time
of significance to the sender or recipient, but not known by the MTAs handling the
message.
It can also be used to alert a sender about delivery delays. In this case, the sender can
mark a message so that if it is not delivered, for example within 30 minutes, a "delayed"
DSN is generated, but the delivery attempts continue nonetheless. Senders are allowed
to express a preference for receiving alerts.
Support for RFC 1413 (Identification Protocol)
identd is a server that implements the TCP/IP proposed standard IDENT user
identification protocol as specified in RFC 1413. identd listens on port 113 and operates
by looking up specific TCP/IP connections and returning the user who owns the process
that owns the connection.
Sendmail uses identd as an advisory mechanism to log the identity of the user name
and host name of the Sendmail client. identd may cause additional traffic for collecting
the user name, which may adversely affect the performance of Sendmail.
Enabling identd on the Sendmail Server
You can enable identd on the Sendmail server by uncommenting the following entry
in the /etc/mail/sendmail.cf file:
#O Timeout.ident=5s
By default, the identd timeout value is 5 seconds.
You can disable identd to improve the performance of the system by commenting
out this entry. The following sections discuss disabling identd:
• “Disabling identd on the Remote Client” (page 78)
• “Disabling identd from the Sendmail Server” (page 78)
Disabling identd on the Remote Client
You must comment out the following line in the /etc/inetd.conf file on the client
system, by placing a pound sign (#) in the first column as follows:
#auth stream tcp wait bin /usr/lbin/identd identd
The previous entry is for an IPv4-enabled system. If the system is IPv6 enabled,
then you must comment out the following line:
#auth stream tcp6 wait bin /usr/lbin/identd identd
Then, execute the command inetd -c to restart the inetd daemon in the client
system, thereby forcing inetd to reread the inetd.conf file.
Disabling identd from the Sendmail Server
This is probably an easier way of disabling identd, because you need not be concerned
about the remote client having identd disabled. In the file /etc/mail/sendmail.cf
on the Sendmail server, modify the following entry:
#O Timeout.ident=5s
as
O Timeout.ident=0s
Now, you need to kill and restart Sendmail.
Support for Secured Mail Transaction Using STARTTLS
Start Transport Layer Security (STARTTLS) is the SMTP command to enable Secure
Socket Layer (SSL). Transport Layer Security (TLS) provides authentication
(identification), privacy, confidentiality, and integrity for securing a mail transaction.
TLS uses different algorithms for encryption, signing, and message
authentication.
The STARTTLS configuration uses the following variables:
UseTLS
Enables the TLS handshake in the SMTP transaction. You can set this variable to
either True or False. Following is the option in the sendmail.cf file:
# O UseTLS=False
CERT_DIR
Specifies the directory for storing Sendmail certificates. Following is the option in
the sendmail.cf file:
# CA directory
O CACertPath=/etc/mail/certs/
CACERT_PATH
Specifies the path that stores the certificates of all the Certificate Authorities known
to the Sendmail server.
CACERT
Specifies the file containing the certificate of the Certificate Authority that issued
the certificate to the Sendmail server.
SERVER_CERT and CLIENT_CERT
Refers to the server and client certificate. These variables indicate that the certificate
of the server is used when Sendmail is acting as a server, and the certificate of the
client is used when Sendmail is acting as a client. Following is the option in the
sendmail.cf file:
# Server Cert
O ServerCertFile=/etc/mail/certs/oldcert.pem
# Client Cert
O ClientCertFile=/etc/mail/certs/oldcert.pem
SERVER_KEY and CLIENT_KEY
Specifies the private keys that correspond to the certificates of the Sendmail server.
Following is the option in the sendmail.cf file:
# Server private key
O ServerKeyFile=/etc/mail/certs/oldreq.pem
# Client private key
O ClientKeyFile=/etc/mail/certs/oldreq.pem
You can use the /usr/newconfig/etc/mail/cf/cf/gen_cf script to generate
the sendmail.cf configuration file that supports the STARTTLS feature. The generated
configuration file contains all the STARTTLS options. However, these options contain
default values and are commented by default. The gen_cf script provides an option
to change the default values. If you change the default values for a particular option,
the option is enabled or uncommented in the generated sendmail.cf configuration
file.
To use Sendmail with STARTTLS, you must install the OpenSSL software on your
system. The OpenSSL software is available at:
http://www.software.hp.com.
Cyrus SASL v2 Support
The Simple Authentication and Security Layer (SASL) is a generic mechanism that
enables protocols to accomplish authentication. Some notable applications that use
SASL include Sendmail and Cyrus imapd (Versions 1.6.0 and later).
Applications use the SASL library, which instructs them how to carry out the SASL
protocol exchange and also communicates the results.
SASL is only a framework, and specific SASL mechanisms govern the exact protocol
exchange. If there are n protocols and m different ways of authenticating, SASL attempts
to make the authentication simple so that only n plus m different specifications need
be written, instead of n times m different specifications. With the Cyrus SASL library,
the mechanisms need be written only once, and they work with all servers that use it.
How SASL Works
SASL is governed by a mechanism that the client and the server can choose to use and
the exact implementation of that mechanism. This section describes how such a
mechanism works in the Cyrus SASL implementation.
The PLAIN Mechanism and sasl_checkpass() Call
The PLAIN mechanism is not a secure method of authentication. You must use PLAIN
over an encrypted connection created by STARTTLS. The PLAIN mechanism works
by transmitting the following information to the server: user ID, an authentication
ID, and a password. The server determines whether this information is allowed. The
Cyrus SASL library uses different methods to verify the password and the authentication
ID.
Following is a sample Cyrus SASL configuration file:
srvtab: /var/app/srvtab
pwcheck_method: kerberos_v4
Application Configuration
Applications can specify how the SASL library must search for configuration information.
For instance, Cyrus imapd reads its SASL options from its own configuration file,
/etc/imapd.conf, by prefixing all SASL options with sasl_. For example, the SASL
pwcheck_method option can be set by changing sasl_pwcheck_method in the
/etc/imapd.conf file.
Configuring Cyrus SASL v2 in Sendmail
To configure Cyrus SASL v2 in Sendmail, you must change the default values for the
following options in the Sendmail configuration file:
C{TrustAuthMech}GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS PLAIN
# list of authentication mechanisms
O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5 ANONYMOUS PLAIN
# Authentication realm
#O AuthRealm
# default authentication information for outgoing connections
O DefaultAuthInfo=/etc/mail/default-auth-info
Configuring Sendmail to Reject Unsolicited Mail
You can set up Sendmail so that unsolicited or spam mail (mail sent to a large number
of users) is not transmitted to or received by users on the network.
The first step in configuration is to enable the anti-spamming rulesets. You then edit
other configuration files to control mail transmission. This section describes how to:
• Accept or reject mail from particular senders
• Prevent your machine from being used as a relay machine
• Accept or reject connections from specific users’ host names based on domains or
IP addresses
• Enable or disable mail transfers from specific senders and recipient pairs
The anti-spamming features enable you to control the users who can send, receive, or
relay mail messages on the network. This section discusses the following topics:
• “Message Quarantining” (page 82)
• “Support for Mail Filter (MILTER) APIs” (page 82)
• “Enhanced DNS Black Hole List Option” (page 83)
• “Enabling Anti-Spamming Security Features” (page 83)
• “Using the Access Database to Allow or Reject Mail Messages” (page 84)
• “Enabling Anti-Spamming Relay Features” (page 86)
• “Validating Senders” (page 87)
• “Checking Headers” (page 89)
• “Spam Control Using the Message Submission Agent (RFC 2476)” (page 90)
• “Sendmail Validation” (page 91)
Sendmail supports the following anti-spamming features:
• Supports message quarantining
• Supports mail filter (MILTER) APIs for advanced and effective mail filtering
• Provides enhanced DNS Black Hole List (EDNSBL) option
The following sections discuss the anti-spamming features in detail.
Message Quarantining
Starting with Sendmail, you can quarantine mail messages (envelopes). Queue files or
envelopes are stored but not considered for delivery or display unless the “quarantine”
state of the envelope is undone, or delivery or display of the quarantined items is
requested.
Quarantined messages are tagged using the name hf for the queue file, instead of the
name qf for the queue file, and by adding the quarantine reason to the queue file.
When you enter the following command, the quarantine reason is displayed on a new
line prefixed with QUARANTINE:
mailq -qQ
where the -qQ option specifies the quarantined queue items.
Quarantined messages run only when requested with the -qQ option. They do not run
on normal queue displays.
You can run and display restricted mail queues based on the quarantined reason using
the -qQtext option only if the quarantine reason contains the given text. Similarly,
the -q!Qtext runs or displays quarantined items that do not have the given text in
the quarantine reason.
You can use the -qQ flag option to request the delivery or display of quarantined
items. Additionally, you can quarantine or unquarantine messages, which are already
in the queue, using the -Q flag to Sendmail. For example, the following command
quarantines the normal queue items matching the criteria specified by the
-q[!][I R S G][matchstring] option, using the reason given in the -Q flag:
sendmail -Qreason -q[!][I R S G][matchstring]
Similarly, you can use the following command to change the quarantine reason for the
quarantined items matching the criteria specified by the
-q[!][I R S Q][matchstring] option using the reason given on the -Q flag:
sendmail -qQ -Q[reason] -q[!][I R S Q G][matchstring]
If you do not specify a reason, the matching items are unquarantined and become normal
queue items. The -qQ flag informs Sendmail to operate on quarantined items instead
of normal items.
A new error code, $#error $@ quarantine $: reason, can be used to
quarantine messages in check_* (except check_compat) and header check
rulesets. The $: part of the mailer triplet is used for the quarantine reason.
Support for Mail Filter (MILTER) APIs
Beginning with Sendmail, you can use the Mail Filter (Milter) APIs to filter all inbound
messages through an external filter program. Milter is designed to enable third-party
programs to access mail messages as they are being processed, in order to filter meta
information and content. Milter is declared in the configuration file as:
Xname {, field=value}*
Where name is the name of the filter (used internally only) and the field=value pairs
define attributes of the filter.
Enhanced DNS Black Hole List Option
The enhanced DNS Black Hole List (EDNSBL) option is an enhanced version of the
dnsbl feature.
The dnsbl feature rejects mail from hosts in a DNS-based rejection list. The dnsbl
feature is used to enable the blocking of email from open relay sites, dialup sites, or
known spamming sites. This feature is included in the sendmail.cf configuration
file as:
# map for DNS based blacklist lookups
Kdnsbl dns -R A -T<TMP>
The enhanced dnsbl feature is a superset of the dnsbl feature. This feature is
represented in the sendmail.cf file as follows:
# map for enhanced DNS based blacklist lookups
Kenhdnsbl dns -R A -a. -T<TMP> -r5
You must use the /usr/newconfig/etc/mail/cf/cf/gen_cf script to include
the enhdnsbl feature in the sendmail.cf file. You must choose the “5: Enhanced
DNSBL” sub-menu option in the “3: Anti-Spamming Options” main menu option, and
regenerate the sendmail.cf file.
You can use the dns-type database map for the dnsbl and enhdnsbl features.
The enhancement consists of additional arguments, that is, one or more literal addresses
you expect returned when an address is rejected.
Compared to the dnsbl feature, you can specify additional arguments (up to 5) to
specify the return values from lookups. Sendmail ignores temporary lookup failures
in the absence of a third argument, which must be either t or a full error message. By
default, any successful lookup generates an error. Otherwise, the result of the lookup
is compared with the supplied arguments, and an error is generated only if a lookup
matches.
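The lookup and decision logic just described, as an added example that is not Sendmail's code: the connecting IPv4 address is reversed and queried under the list zone, and the verdict then depends on whether expected return addresses were given (enhdnsbl) and on how temporary failures are to be treated. The zone bl.example.test, the listed addresses and the resolver answers are constructed; fake_resolve stands in for a real DNS query so the block runs offline.

```python
"""Model of the dnsbl and enhdnsbl decision described above (added example,
not Sendmail code; zone, listings and resolver answers are constructed)."""
import ipaddress

ZONE = "bl.example.test"          # constructed list zone

# Constructed answers standing in for DNS, keyed by the reversed query name.
FAKE_ANSWERS = {
    "4.3.2.10." + ZONE: ["127.0.0.2"],    # 10.2.3.4 is listed with return code .2
    "7.8.9.10." + ZONE: ["127.0.0.10"],   # 10.9.8.7 is listed with a different code
}
FAKE_TIMEOUTS = {"1.1.1.10." + ZONE}      # constructed: lookup for 10.1.1.1 times out

class TempFail(Exception):
    """Temporary DNS failure (SERVFAIL or timeout)."""

def fake_resolve(name):
    """Return the A records for name, or raise TempFail (constructed data)."""
    if name in FAKE_TIMEOUTS:
        raise TempFail(name)
    return FAKE_ANSWERS.get(name, [])

def dnsbl_name(ip, zone):
    """'10.2.3.4' under 'bl.example.test' becomes '4.3.2.10.bl.example.test'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check(ip, zone, resolve=fake_resolve, expected=(), tempfail=None):
    """Return (verdict, detail) for one connecting address.

    expected=()     dnsbl behaviour: any successful lookup rejects.
    expected=(...)  enhdnsbl behaviour: reject only when an answer matches one of
                    the literal addresses given (the extra arguments above).
    tempfail=None   temporary failures are ignored (the default described above);
                    't' or a full message turns them into a temporary rejection.
    """
    name = dnsbl_name(ip, zone)
    try:
        answers = resolve(name)
    except TempFail:
        if tempfail is None:
            return ("accept", "temporary failure ignored")
        detail = ("451 Temporary lookup failure of %s at %s" % (ip, zone)
                  if tempfail == "t" else tempfail)
        return ("tempfail", detail)
    if not answers:
        return ("accept", "not listed")
    if expected:
        hits = [a for a in answers if a in expected]
        if not hits:
            return ("accept", "listed with unexpected value %s" % ",".join(answers))
        return ("reject", "550 Rejected: %s listed at %s (%s)" % (ip, zone, hits[0]))
    return ("reject", "550 Rejected: %s listed at %s" % (ip, zone))
```

The expected tuple is what makes the enhanced form safer to deploy: a list that starts returning a new code for a different category of host, or that answers every query after being retired, no longer rejects all mail unless its return value is one you chose to act on.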
Enabling Anti-Spamming Security Features
You must run the gen_cf script to turn on relaying, validating, and checking features.
The access database also allows you to control the message flow. See the section “Using
the Access Database to Allow or Reject Mail Messages” (page 84) for more information.
Running the gen_cf Script
Follow these steps to run the gen_cf script:
1. Log in as root.
2. Go to the directory that contains the script:
cd /usr/newconfig/etc/mail/cf/cf
3. Run gen_cf.
4. A list of options is displayed. Select the appropriate option.
A message is displayed to inform you when the file is successfully built.
Using the Access Database to Allow or Reject Mail Messages
You can control the flow of mail messages coming in from certain domains. The Access
Database enables you to allow or reject mail from specific domains. By default, names
listed in the database as OK are domain names, not host names.
Following are the steps to allow or reject messages:
1. Create an access database text file.
2. Create a database map.
You must understand a few basic facts about the Access Database format and structure
before creating the Access Database file or database map.
Access Database Format
This section includes a few key points about the database and describes the format of
the database.
• Every line of the access database file has a key and a value pair.
• The key can be an IP address, a domain name, a host name, or an e-mail address.
• The value part of the entry can be any of the values listed in Table 2-5.
Table 2-5 Access Database Format

Value                        Description
OK                           Accepts mail even if other rulesets would reject it, for
                             example when the sender's domain name is unresolvable.
RELAY                        Accepts mail addressed to the specified domain or received
                             from the specified domain for relaying through your SMTP
                             server. RELAY also serves as an implicit OK for the other
                             checks.
REJECT                       Rejects the sender or recipient with a general-purpose
                             message.
DISCARD                      Discards the message completely using the $#discard mailer
                             delivery agent. This only works for sender addresses; that
                             is, it indicates that anything received from the specified
                             domain is to be discarded.
### "any text"               Where ### is an RFC 821-compliant error code and "any text"
                             is a message to return for the command.
ERROR: ### "any text"        Same as ### "any text", but useful to mark error messages.
ERROR:D.S.N:### "any text"   Same as ### "any text". D.S.N is an RFC 1893-compliant
                             enhanced status code.
Creating the Access Database Text File
You must edit the Access Database text file manually. The default Access Database file
is /etc/mail/access. However, you can specify another file in the sendmail.cf
file.
Table 2-6 contains a sample access database file, /etc/mail/access.

Table 2-6 Access Database Text File Example

cyberspammer.com         550 We don't accept mail from spammers
okay.cyberspammer.com    OK
128.32                   RELAY
spammer@aol.com          REJECT
192.168.212              DISCARD

In the example Access Database text file, all mail messages from the
cyberspammer.com domain are rejected with the error message 550 We don't
accept mail from spammers. All mail messages from the okay.cyberspammer.com
domain are accepted, because the more specific entry is matched first. Hosts in
the 128.32 network may relay mail through this server. All mail messages from
spammer@aol.com are rejected. All mail messages from hosts in the 192.168.212
network are discarded.
Creating Finer Spam Control Using Tags
You can also tag entries in the access map based on their type. The following tags are
available:
• Connect: connection information (${client_addr}, ${client_name})
• From: sender
• To: recipient
When the required item is looked up in a map, it is tried with the corresponding tag
in front, then without any tag (as fallback to enable backward compatibility). For
example:
From:spammer@some.dom       REJECT
To:friend.domain            RELAY
Connect:friend.domain       OK
Connect:from.domain         RELAY
From:good@another.dom       OK
From:another.dom            REJECT
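The following is an added example, not part of the HP-UX guide or of sendmail itself. It models how the access map above is consulted: the tagged key is tried first and the bare key second, as described in this section, and each item is also tried in progressively less specific forms (a full address, then its domain and each parent domain, then the local part followed by "@"; an IP address loses one octet at a time), which is how sendmail's rulesets walk the map. The access file content is constructed from the entries shown in Tables 2-6 and in the tag examples; the lookup order is the documented one, simplified to the cases shown.

```python
import ipaddress

# Constructed from the entries shown in this section (tagged and untagged).
ACCESS_TEXT = """\
cyberspammer.com         550 We don't accept mail from spammers
okay.cyberspammer.com    OK
128.32                   RELAY
spammer@aol.com          REJECT
192.168.212              DISCARD
From:spammer@some.dom    REJECT
To:friend.domain         RELAY
Connect:friend.domain    OK
Connect:from.domain      RELAY
From:good@another.dom    OK
From:another.dom         REJECT
"""


def parse_access(text):
    """Parse an access text file into {key: value}, as makemap would store it.
    Keys are folded to lower case, as sendmail does by default when it builds
    and consults the map.  Comments and blank lines are skipped."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: key without a value: {raw!r}")
        table[parts[0].lower()] = parts[1]
    return table


def domain_keys(domain):
    """host.sub.example.com -> host.sub.example.com, sub.example.com, example.com, com"""
    labels = domain.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def candidate_keys(item):
    """Keys sendmail tries for one item, most specific first: an IPv4 address
    is shortened one octet at a time; an e-mail address is tried whole, then
    by its domain and parent domains, then as local-part@; anything else is
    treated as a domain name."""
    try:
        ipaddress.IPv4Address(item)
    except ValueError:
        pass
    else:
        octets = item.split(".")
        for n in range(4, 0, -1):
            yield ".".join(octets[:n])
        return
    if "@" in item:
        local, _, domain = item.rpartition("@")
        yield item
        yield from domain_keys(domain)
        yield local + "@"
    else:
        yield from domain_keys(item)


def access_lookup(table, tag, item):
    """Return the access value for item under tag (Connect, From or To), or
    None.  For every candidate key the tagged form ("From:another.dom") is
    tried first and the untagged key second: the fallback described above."""
    for key in candidate_keys(item):
        for probe in (f"{tag}:{key}", key):
            value = table.get(probe.lower())
            if value is not None:
                return value
    return None


if __name__ == "__main__":
    table = parse_access(ACCESS_TEXT)
    for tag, item in (("From", "bad@another.dom"), ("From", "good@another.dom"),
                      ("Connect", "192.168.212.5"), ("To", "friend.domain")):
        print(f"{tag}:{item:<24} -> {access_lookup(table, tag, item)}")
```

Note that From:good@another.dom wins over From:another.dom only because the full address is tried before its domain; reordering the candidate keys would silently change the policy, which is why the order is kept in one place.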
Creating the Database Map
After creating the Access Database text file, you must use the /usr/sbin/makemap
utility to create the database map. Type the following command to create the database:
makemap dbm /etc/mail/access < /etc/mail/access
The makemap utility reads the /etc/mail/access text file as input and writes the
database map next to it. The map type you give makemap must be the one named on the
access map's K line in sendmail.cf: makemap dbm writes the ndbm files
/etc/mail/access.dir and /etc/mail/access.pag, whereas makemap hash writes the single
file /etc/mail/access.db. Rerun makemap after every edit of the text file; Sendmail
reads only the database map, not the text file.
Enabling Anti-Spamming Relay Features
The gen_cf shell script distributed with Sendmail enables you to turn on one or more
of the following anti-spamming relay features:
• Promiscuous Relay: Relaying from Any Host to Any Host
• Relay Entire Domain: Relaying from Any Host in the Domain
• Relay Hosts Only: Relaying from Hosts Only
• Relaying Based on MX Records
• Relay from Local
• Check Loose Relay
Promiscuous Relay: Relaying from Any Host to Any Host
Promiscuous relay allows you to configure your site to allow mail relaying from any
one site to any other site. This feature is not enabled by default.
You can enable promiscuous relay by choosing it as an option when running the gen_cf
script distributed with Sendmail. When you enable this option, Sendmail performs no
relay check at all, which makes your server an open relay: spammers can then relay
mail through your site.
Relay Entire Domain: Relaying from Any Host in the Domain
By default, only hosts listed as RELAY in the Access Database are allowed to relay
messages. This feature additionally allows any host in your domain, as defined by
class m ($=m), to relay mail messages.
Relay Hosts Only: Relaying from Hosts Only
By default, names that are listed as RELAY in the Access Database or in class R ($=R)
are treated as domain names: any host in those domains may relay. With this feature,
the entries are treated as host names, so only the hosts listed, and not every host
in their domains, may relay.
See "Checking Headers" (page 89) for information on using the R class.
Relaying Based on MX Records
This feature allows relaying based on the MX records of the host portion of an incoming
recipient address. If an MX record for host foo.com points to your site, you accept and
relay mail addressed to foo.com. Be aware that this puts the decision in someone else's
hands: anyone who controls a domain's DNS can make your server relay for that domain
simply by publishing an MX record that points at you.
Relay from Local
With this feature, a sender who is a valid user on a particular host can relay messages
to other users on different hosts.
IMPORTANT: Use caution when using this feature. Using this feature opens a window
for spammers. Specifically, spammers can send mail to your mail server that claims to
be from your domain (either directly or via a routed address), and your machine will
relay it out to any host on the Internet.
Check Loose Relay
Normally, if a recipient address uses % routing, for example user%site@othersite, and
othersite is in class R ($=R), Sendmail strips the @othersite portion and rechecks
user@site against the relay rules. This feature turns that recheck off. It is rarely
needed, and without the recheck a host you allow to relay can be used to route mail
onward to any site.
Validating Senders
Sendmail provides a stringent check of mail message senders to ensure that they are
legitimate. Sendmail refuses mail if the MAIL FROM: parameter has an unresolvable
domain. You can work around this. If you want to continue accepting mail from such
domains, use the features described in this section. You can enable any of the following
features when you run the gen_cf script:
• Accept Unresolvable Domains
• Accept Unqualified Senders
• Blacklist Recipients
• Realtime Blackhole List
Accept Unresolvable Domains
Normally, Sendmail refuses a MAIL FROM: command if the host part of its argument
cannot be located in the host name service, such as DNS. This feature enables Sendmail
to accept such senders anyway. It is mainly useful inside a firewall that has only a
limited view of the Internet host name space.
Accept Unqualified Senders
This feature allows you to accept all mail where the sender’s mail address does not
include a domain name.
Normally, the MAIL FROM: commands in the SMTP session are refused if the connection
is a network connection and the sender address does not include a domain name.
Blacklist Recipients
This feature enables Sendmail to block incoming mail messages destined for certain
recipient user names, host names, or addresses. With this feature, an Access Database
entry that carries an error message or the REJECT value also prevents mail from being
sent to that recipient.
Example 1
For example, given the following entries in the Access Database file:
badlocaluser                    550 Mailbox disabled for this username
host.mydomain.com               550 That host does not accept mail
user@otherhost.mydomain.com     550 Mailbox disabled for this recipient
Mail addressed to badlocaluser@mydomain.com, to any user at host.mydomain.com, or to
the single address user@otherhost.mydomain.com is rejected.
Example 2
spammer@aol.com                 REJECT
cyberspammer.com                REJECT
Mail cannot be sent to spammer@aol.com or to anyone at cyberspammer.com.
Realtime Blackhole List
This feature rejects connections from hosts listed in the Realtime Blackhole List (RBL).
The list is published through DNS under the zone of the list server; the default server
is blackholes.mail-abuse.org. For each incoming connection, Sendmail reverses the octets
of the client address and looks up that name under the list zone. For example, a
connection from 192.5.5.1 causes a lookup of
1.5.5.192.blackholes.mail-abuse.org
and a record of the form
1.5.5.192.blackholes.mail-abuse.org IN A 127.0.0.2
in the list's DNS zone means that the host is listed, so the connection is rejected. If
you operate your own list zone you publish records of this form yourself; when you use
a public list, the list operator maintains them.
You can specify a different Realtime Blackhole List server in the sendmail.cf file. Make
sure the list zone you configure is in service and that you are entitled to query it: a
zone that no longer answers rejects nothing, because temporary lookup failures are
ignored unless you configure otherwise.
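The following is an added example, not part of the HP-UX guide or of sendmail, covering both the Realtime Blackhole List lookup described here and the enhdnsbl return-value matching described at the start of this section. It builds the reversed query name, consults a resolver, and applies the documented decision rules: with no expected addresses any answer rejects; with expected addresses only a matching answer rejects; a temporary failure is ignored unless a tempfail argument is given. The resolver is an in-memory zone constructed for the example so it runs offline; the listed addresses and the name that "times out" are made up. Sendmail's dns map at the top of this section tags a hit with "." (-a.) and a temporary failure with <TMP> (-T<TMP>); here the three outcomes are plain return values.

```python
import ipaddress

LIST_ZONE = "blackholes.mail-abuse.org"   # the default list named in the text


class TempFail(Exception):
    """A temporary DNS failure (SERVFAIL, timeout)."""


def dnsbl_query_name(client_ip, zone):
    """Reverse the octets of client_ip and prefix them to the list zone:
    192.5.5.1 -> 1.5.5.192.<zone>.  Raises ValueError for a non-IPv4 input."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


# Constructed zone data: query name -> A records.  With a public list this
# data lives in the list operator's DNS, not on your server.
ZONE = {
    dnsbl_query_name("192.5.5.1", LIST_ZONE): ["127.0.0.2"],    # the example in the text
    dnsbl_query_name("10.0.0.7", LIST_ZONE): ["127.0.0.10"],    # listed with another code
}
FLAKY = {dnsbl_query_name("9.9.9.9", LIST_ZONE)}                # constructed: lookups time out


def fake_resolve(name):
    """Stand-in for a DNS A lookup: records, [] for NXDOMAIN, or TempFail."""
    if name in FLAKY:
        raise TempFail(name)
    return ZONE.get(name, [])


def dnsbl_check(client_ip, zone, resolve, expected=(), tempfail=None):
    """Decide what to do with a connection from client_ip.

    expected  return addresses that count as "listed" (enhdnsbl's extra
              arguments); empty means any successful lookup rejects, as with
              plain dnsbl.
    tempfail  None ignores temporary failures (the default); "t" or an error
              message turns them into a temporary rejection.
    Returns "accept", "reject" or "tempfail".
    """
    name = dnsbl_query_name(client_ip, zone)
    try:
        answers = resolve(name)
    except TempFail:
        return "tempfail" if tempfail is not None else "accept"
    if not answers:
        return "accept"                      # not listed
    if not expected:
        return "reject"                      # dnsbl: any answer is a hit
    return "reject" if any(a in expected for a in answers) else "accept"


if __name__ == "__main__":
    for ip in ("192.5.5.1", "10.0.0.7", "192.0.2.1", "9.9.9.9"):
        print(ip, dnsbl_check(ip, LIST_ZONE, fake_resolve, expected=("127.0.0.2",), tempfail="t"))
```

The difference between the two features is visible in the 10.0.0.7 case: plain dnsbl rejects it because some record came back, while enhdnsbl configured to expect 127.0.0.2 lets it through because the list returned a code you did not ask to act on.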
Checking Headers
With header checking, you can reject mail messages based on the contents of their mail
headers. Sendmail provides the syntax for limited header syntax checking. A
configuration line of the form HHeader: $>Ruleset causes the specified ruleset to be
invoked on the header when it is read. Following is an example of header checking that
tests the validity of a Message-Id: header:
#LOCAL_RULESETS
HMessage-Id: $>CheckMessageId

SCheckMessageId
R< $+ @ $+ >		$@ OK
R$*			$#error $: 553 Header Error
If these lines are included in the sendmail.cf file, every Message-Id: header is passed
to the ruleset CheckMessageId, which accepts a value of the form <local@host> and
rejects the message with a 553 error otherwise. In each R line, the left-hand side and
the right-hand side must be separated by one or more tab characters, not spaces.
Discard Mailer
Sendmail has defined a special internal delivery agent called discard. You can use this
agent in the header-checking rulesets and in the check rulesets: check_mail,
check_rcpt, check_relay, or check_compat.
If any of those rulesets resolves a mail address to the $#discard mailer, all the SMTP
commands are accepted as if the message were being delivered, but the message is then
discarded. If only one of several recipient addresses resolves to the $#discard mailer,
none of the recipients receives the mail message.
Regular Expressions
You can use regular expressions with the map class regex. Use a regex map to test
whether an address matches a certain regular expression. By using such a map in one of
the check rulesets (check_mail, check_rcpt, check_relay, or check_compat), you can
block a range of addresses that would otherwise be considered valid.
For example, to block all senders with all-numeric user names, such as
2312343@bigisp.com, you would use SLocal_check_mail and the regex map:
#LOCAL_CONFIG
Kallnumbers regex -a@MATCH ^[0-9]+$

#LOCAL_RULESETS
SLocal_check_mail
# check address against various regex checks
R$*				$: $>Parse0 $>3 $1
R$+ < @ bigisp.com. >		$: $(allnumbers $1 $)
R@MATCH				$#error $: 553 Header Error
The first rule passes the sender address through rulesets 3 and Parse0 to put it in
canonical form. The second looks up the local part of any address at bigisp.com in the
allnumbers map, which returns @MATCH when the regular expression matches, and the third
rejects the message in that case. As in every R line, the two sides are separated by
tabs. The LOCAL_CONFIG and LOCAL_RULESETS markers are m4 directives for .mc files and
are shown here as comments.
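The following is an added example, not part of the HP-UX guide or of sendmail; it serves both the header-checking and the regular-expression passages above. To follow what the two rulesets do, it reproduces the pieces they depend on: sendmail's tokenizer (the operator characters .:%@!^/[] and the always-separate characters ()<>,;"\ each become a token of their own), left-hand-side matching for $*, $+, $- and literal tokens (shortest match first, as sendmail does), and the two checks from this section. Everything else about sendmail rewriting (ruleset 3, Parse0, quoting, comments) is not modelled; the focused() helper is an assumption that simply produces the "user < @ domain . >" form those rulesets would yield for a plain address.

```python
import re

OPERATOR_CHARS = set(".:%@!^/[]")        # sendmail's default OperatorChars
SPECIAL_CHARS = set('()<>,;"\\')         # always tokens of their own


def tokenize(text):
    """Split text into sendmail-style tokens; whitespace separates and is dropped.
    Quoted strings and comments, which sendmail also handles, are not modelled."""
    tokens, current = [], ""
    for ch in text:
        if ch.isspace() or ch in OPERATOR_CHARS or ch in SPECIAL_CHARS:
            if current:
                tokens.append(current)
                current = ""
            if not ch.isspace():
                tokens.append(ch)
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def match_lhs(pattern, tokens):
    """Match a tokenized left-hand side against tokens.
    Returns the captured token lists ($1, $2, ...) or None.  $* matches zero
    or more tokens, $+ one or more, $- exactly one; anything else is a
    literal, matched case-insensitively.  Shorter matches are tried first."""
    def rec(pi, ti):
        if pi == len(pattern):
            return [] if ti == len(tokens) else None
        p, remaining = pattern[pi], len(tokens) - ti
        if p == "$*":
            lo, hi = 0, remaining
        elif p == "$+":
            lo, hi = 1, remaining
        elif p == "$-":
            lo, hi = 1, min(1, remaining)
        else:
            if ti < len(tokens) and tokens[ti].lower() == p.lower():
                return rec(pi + 1, ti + 1)
            return None
        for n in range(lo, hi + 1):
            rest = rec(pi + 1, ti + n)
            if rest is not None:
                return [tokens[ti:ti + n]] + rest
        return None

    return rec(0, 0)


MESSAGE_ID_LHS = tokenize("< $+ @ $+ >")           # from SCheckMessageId
BIGISP_LHS = tokenize("$+ < @ bigisp.com. >")       # from SLocal_check_mail
ALLNUMBERS = re.compile(r"^[0-9]+$")                # the Kallnumbers regex map


def check_message_id(header_value):
    """SCheckMessageId: OK for <something@something>, otherwise the 553 error."""
    if match_lhs(MESSAGE_ID_LHS, tokenize(header_value)) is not None:
        return "OK"
    return "553 Header Error"


def focused(address):
    """Assumed result of $>Parse0 $>3 for a plain user@domain address: the
    tokens 'user < @ domain . >' with the host part focused in angle brackets."""
    local, _, domain = address.rpartition("@")
    return tokenize(local) + ["<", "@"] + tokenize(domain) + [".", ">"]


def local_check_mail(sender):
    """SLocal_check_mail: reject all-numeric local parts at bigisp.com.
    Returns the error string, or None when the rules do not fire."""
    captured = match_lhs(BIGISP_LHS, focused(sender))
    if captured is None:
        return None                                  # not at bigisp.com
    local_part = "".join(captured[0])                # $1
    if ALLNUMBERS.match(local_part):                 # $(allnumbers $1 $) -> @MATCH
        return "553 Header Error"
    return None


if __name__ == "__main__":
    print(check_message_id("<8605081839.AA00186@lab.HP>"), check_message_id("<noatsign>"))
    print(local_check_mail("2312343@bigisp.com"), local_check_mail("alice@bigisp.com"))
```

The tokenizer is the part worth internalizing: because "." and "@" are operators, the literal bigisp.com. in a rule is really four tokens, and $+ can capture several tokens (alice . b for alice.b@bigisp.com), which is why the map key is built from the joined capture rather than a single token.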
Defining Hosts Allowed to Relay: Class R
You can use the $=R macro to define the hosts that are allowed to relay. The default
file Sendmail uses to read values for the $=R macro is /etc/mail/relay-domains.
Queue Changes
This section describes miscellaneous enhancements to the queue option:
• The queue option allows multiple -qI, -qR, or -qS queue run limiters. For example,
  sendmail -qRfoo -qRbar delivers mail to recipients with foo or bar in their address.
• The map flag -Tx appends x to lookups that return a temporary failure. This is similar
  to the -ax flag, which appends x to lookups that return success.
• The QueueSortOrder option is case sensitive.
Spam Control Using the Message Submission Agent (RFC 2476)
Sendmail supports RFC 2476, a protocol for message submission. The anti-spam rulesets
have been enhanced to improve the anti-spam capabilities. The RFC proposes a new
standard for the Message Submission Agent (MSA). This is designed to replace the
more general-purpose Mail Transfer Agent (MTA) as the first service to which a Mail
User Agent (MUA) connects to deliver a mail message. The RFC also describes how
the usual protocols for SMTP service must be tightened up at the point where mail
enters the system, rather than being routed from one site to another. Sendmail also
serves as a powerful tool to authenticate and control mail messages.
By default, MSA is defined in the sendmail.cf file as:
O DaemonPortOptions=Name=MSA, Port=587, M=E
where Port 587 is reserved for e-mail message submission.
An MSA still uses the same rulesets for processing the message (and therefore still
allows message rejection via the check rulesets). In accordance with the RFC, the MSA
ensures that all domains in the envelope are fully qualified if the message is relayed
to another MTA. It also enforces the normal address syntax rules and logs error messages.
In addition, you can require authentication before messages are accepted by the MSA
by using the M=a modifier in DaemonPortOptions.
NOTE: You can turn off MSA in the sendmail.cf file using the option,
no_default_msa in the gen_cf script. For more information, see the
no_default_msa option in “Modifying the Default Sendmail Configuration File”
(page 43).
The XUSR SMTP command and the -U (initial user submission) command-line option
are deprecated. Mail user agents must use the MSA (Message Submission Agent) for
initial user message submission. XUSR may be removed in future releases. The next
release of Sendmail will assume that any message submitted from the command line
is an initial user submission and act accordingly.
Sendmail Validation
The check_compat ruleset compares all sender and receiver pairs before mail is
delivered. It validates the mail based on the results of the comparison. It checks to see
if host A can legally send a message to host B. check_compat is called for all mail
deliveries, not just SMTP transactions.
check_compat is used in the following situations:
• A set of users who are restricted from sending mail messages to external domains
  need to send mail messages to internal domains. Both the sender and recipient
  addresses are checked to ensure that they are in the local domain.
• A particular user needs to ensure that he or she does not receive mail messages
  from a specific source.
• A particular host needs to ensure that external senders do not use that host as a
  mail relay. The mail messages are screened based on the sender's host name.
Turning Off Virtual Interfaces
You can disable the ability to include all the interface names in the $=w macro on
startup. Turning off virtual interfaces speeds up the startup process. However, if you
turn virtual interfaces off, mail sent to those addresses will bounce back to the sender.
To turn off virtual interfaces, do the following:
1. Open the sendmail.cf file.
2. Uncomment the DontProbeInterfaces option line and set it to True.
By default, virtual interfaces are included in the $=w macro, which is defined in the
sendmail.cf file. Sendmail probes the interfaces for them during startup.
The host names and addresses of all interfaces are added to class w unless the
DontProbeInterfaces option is set. This is useful on hosts whose interfaces have
dynamically assigned names or addresses.
Troubleshooting Sendmail
This section describes the following techniques for troubleshooting Sendmail:
• "Keeping the Aliases Database Up to Date" (page 92)
• "Verifying Address Resolution and Aliasing" (page 92)
• "Verifying Message Delivery" (page 93)
• "Contacting the Sendmail Daemon to Verify Connectivity" (page 94)
• "Setting Your Domain Name" (page 95)
• "Attempting to Start Multiple Sendmail Daemons" (page 95)
• "Configuring and Reading the Sendmail Log" (page 95)
• "Printing and Reading the Mail Queue" (page 98)
• "Changes to Sendmail Files and Databases" (page 101)
You must log in as superuser to perform all Sendmail troubleshooting.
Keeping the Aliases Database Up to Date
You must rebuild the aliases database if you have made changes to the aliases text file.
You must restart Sendmail after you change the configuration file or the aliases database.
Issue the following commands, on a standalone system or on the mail server, to rebuild
the aliases database and restart Sendmail:
/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start
To rebuild the aliases database without restarting the daemon, run
/usr/sbin/newaliases (see "The newaliases Utility" later in this chapter).
Updating your NIS Aliases Database
If you are using NIS to manage your aliases database, see NIS Administrator's Guide, at
the URL http://docs.hp.com/en/netcom.html.
Verifying Address Resolution and Aliasing
In order to deliver a message, Sendmail must first resolve the recipient addresses
appropriately. To determine how Sendmail would route mail to a particular address,
issue the following command:
/usr/sbin/sendmail -bv -v -oL10 address [address...]
The -bv (verify mode) option causes Sendmail to verify addresses without collecting
or sending a message.
The -v (verbose) flag causes Sendmail to report alias expansion and duplicate
suppression.
The -oL10 (log level) option sets the log level to 10. At log level 10 and above,
sendmail -bv reports the mailer and host to which it resolves recipient addresses.
For hosts that resolve to IPC mailers, MX hosts are not reported when using verify mode,
because MX records are not collected until delivery is actually attempted.
If the address is not being resolved as you expect, you may have to modify one or more
of the following:
• The Sendmail configuration file
• The files or programs from which file classes are generated
• The name server configuration
• The UUCP configuration
More detailed information about how the configuration file is rewriting the recipient
addresses is provided by address test mode:
/usr/sbin/sendmail -bt
Verifying Message Delivery
You can observe Sendmail’s interaction with the delivery agents by delivering the
message in verbose mode, as in the following example:
/usr/sbin/sendmail -v myname@baby.com
Sendmail is now ready for you to type a message. After the message, type a period (.)
on an empty line to denote the end of the message, as in the following example:
This is only a test.
.
Sendmail responds with the following information:
myname@baby.com... Connecting to sys1.baby.com via esmtp...
220 sys1.baby.com ESMTP Sendmail 8.8.6 (PHNE_12345)/8.8.6 SMKit7.02;
Wed, 23 Oct 2002 18:44:21 +0530 (IST)
250-sys1.baby.com Hello root@inet.baby.com [15.70.178.194],
pleased to meet you
>>> MAIL From:<root@inet.baby.com> SIZE=21
250 <root@inet.baby.com>... Sender ok
>>> RCPT To:<myname@baby.com>
250 <myname@baby.com>
>>> DATA
354 Enter mail, end with "." on a line by itself
>>> .
250 SAA24294 Message accepted for delivery
myname@baby.com... Sent (SAA24294 Message accepted for delivery)
Closing connection to sys1.baby.com
>>> QUIT
221 sys1.baby.com closing connection.
Sendmail has interfaces to three types of delivery agents. In verbose mode, Sendmail
reports its interactions with them as follows:
• Mailers that use SMTP to a remote host over a TCP/IP connection (IPC mailers).
  In verbose mode, Sendmail reports the name of the mailer used, each MX host (if
  any) to which it tries to connect, and each Internet address it tries for each host.
  When a connection succeeds, the SMTP transaction is reported in detail.
• Mailers that run SMTP (locally) over pipes.
  The name of the mailer used and the command line passed to exec() are reported.
  Then the SMTP transaction is reported in detail. If the mailer returns an abnormal
  error status, that is also reported.
• Mailers that expect envelope information from the Sendmail command line and
  expect message headers and message body from standard input.
  The name of the mailer used and the command line passed to exec() are reported.
  If the mailer returns an abnormal error status, that is also reported.
Contacting the Sendmail Daemon to Verify Connectivity
It is possible to contact the Sendmail daemon and other SMTP servers directly with
the following command:
telnet host 25
Use this to determine whether an SMTP server is running on host. If not, your
connection attempt will return the message Connection refused.
After you establish a connection to the Sendmail daemon, you can use the SMTP vrfy
command to determine whether the server can route to a particular address. For
example:
telnet furschlugginer 25
220 furschlugginer.bftxp.edu ESMTP Sendmail 8.11.1/8.11.1; Wed, 28
Aug 2002 14:33:50 +0530 (IST)
vrfy istm@hp.com
250 2.1.5 <istm@hp.com>
vrfy blemph@morb.poot
554 5.1.1 blemph@morb.poot... User unknown
quit
221 2.0.0 furschlugginer.bftxp.edu closing connection
Connection closed by foreign host
Not all SMTP servers support the VRFY and EXPN commands. Because they let anyone who
can reach port 25 confirm which addresses exist, they are commonly disabled; in
Sendmail the PrivacyOptions setting (novrfy, noexpn, or goaway) turns them off. Check
your own server's response to vrfy as part of this test.
Setting Your Domain Name
If Sendmail cannot resolve your domain name, you may see the following warning
message in your syslog file:
WARNING: local host name name is not qualified; fix $j in config file
To resolve this problem, do one of the following:
• Uncomment the following line in the /etc/mail/sendmail.cf file by deleting
  the pound sign (#) at the beginning of the line:
  Dj$w.Foo.COM
  Change Foo.COM to the name of your domain (for example, HP.COM).
• Modify the /etc/hosts file, making sure that the fully qualified name of the
  system is listed first. For example, the entry in the file must be
  255.255.255.255 dog.hp.com dog and not 255.255.255.255 dog dog.hp.com.
Attempting to Start Multiple Sendmail Daemons
If you attempt to invoke Sendmail when a Sendmail daemon is already running, the
following message may be logged to the syslog file:
NO QUEUE: SYSERR (root) opendaemonsocket: daemon MTA: server
SMTP socket wedged: exiting
This message means that a Sendmail daemon is already running. You can use either
/sbin/init.d/sendmail stop or killsm to stop the running daemon.
Configuring and Reading the Sendmail Log
Sendmail logs its mail messages through the syslogd logging facility.
The syslogd configuration must write mail logging to the file
/var/adm/syslog/mail.log. You can do this by adding the following line to
/etc/syslog.conf (separate the selector and the file name with a tab):
mail.debug	/var/adm/syslog/mail.log
You can use the HP mtail utility to look at a specified number of the last lines of the
log file:
mtail 15
By default, mtail displays the last 20 lines of the log file. For more information on the
mtail utility, type man 1M mtail at the HP-UX prompt.
For more information on configuring syslogd, see the HP-UX Internet Services
Administrator’s Guide
at:http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services.
Setting Log Levels
You can set the log level with the -oL option on the Sendmail command line or on the
OL line in the Sendmail configuration file. At the lowest level, no logging is done. At
the highest level, even the most mundane events are recorded. As a convention, log
levels 11 and lower are considered useful. Log levels above 11 are normally used only
for debugging purposes. We recommend that you configure syslogd to log mail
messages with a priority level of debug and higher. Sendmail’s behavior at each log
level is described in Table 2-7.
Table 2-7 Sendmail Logging Levels

Level  Behavior
0      Minimal logging.
1      Serious system failures and security problems, logged at LOG_CRIT or LOG_ALERT.
2      Communication failures (for example, protocol failures), logged at LOG_CRIT.
3      Malformed addresses, logged at LOG_NOTICE. Transient forward or include errors,
       logged at LOG_ERR. Connect timeouts, logged at LOG_NOTICE.
4      Malformed qf file names and minor errors, logged at LOG_NOTICE. Old alias
       databases, logged at LOG_INFO. Connection rejections (through libwrap.a or one
       of the check_ rulesets), logged at LOG_NOTICE.
5      A record of each message received, logged at LOG_INFO. Envelope cloning, logged
       at LOG_INFO.
6      SMTP VRFY attempts and messages returned to the original sender, logged at
       LOG_INFO. The ETRN and EXPN ESMTP commands, logged at LOG_INFO.
7      Delivery failures, excluding mail deferred because of a lack of resources,
       logged at LOG_INFO.
8      Successful deliveries, logged at LOG_INFO. Alias database rebuilds, logged at
       LOG_NOTICE.
9      Mail deferred because of a lack of resources, logged at LOG_INFO.
10     SMTP inbound connects, logged at LOG_INFO. Each key looked up in a database and
       the result of each lookup, logged at LOG_INFO. TLS errors, logged at
       LOG_WARNING. AUTH= and STARTTLS errors, logged at LOG_INFO. Milter connects and
       replies, logged at LOG_INFO.
11     All NIS errors, logged at LOG_INFO. The end of processing (job deletion), logged
       at LOG_INFO.
12     SMTP outbound connections, logged at LOG_INFO.
13     Bad user shells, world-writable files, and other questionable situations.
14     Connection refusals, logged at LOG_INFO. More STARTTLS information, logged at
       LOG_INFO.
15     All incoming and outgoing SMTP commands and their arguments, logged at LOG_INFO.
20     Attempts to run locked queue files. These are not errors, but this level is
       useful if your queue appears to be clogged.
30     Lost locks (only if you are using lockf instead of flock).
>64    Reserved for extremely verbose debugging output.
Understanding syslog Entries
Sendmail logs the following:
• Failures beyond its control (SYSERR).
• Administrative activities (for example, rebuilding the aliases database, and killing
  and restarting the daemon).
• Events associated with mail transactions.
Log entries marked SYSERR indicate either system failures or configuration errors and
may require the attention of the system administrator.
Each system log entry for a mail transaction has a queue ID associated with it. All log
entries for the same input message have the same queue ID. Log level is normally set
to 10 in the configuration file. At this level, the following information is logged for each
delivery:
message-id=   If a message had a Message-Id header line when it was input to
              Sendmail, this is logged. Sendmail can also be configured to add a
              Message-Id header line if none is present. This ID uniquely
              identifies a message and can be used to trace the progress of a
              message through mail relays.
from=         The sender of the message and the message size are logged.
to=           The recipient of the message. One message may have multiple
              recipients. Sendmail logs a separate entry for each separate delivery
              attempt it makes, so multiple recipients on the same host may appear
              on the same line, but multiple recipients on different hosts will
              appear on different lines. The delivery status of the message (whether
              the message succeeded, failed, or was queued), the mailer, and the
              host used are logged.
Other details logged in the syslog file are time delay in delivering the message (delay=),
type of mailer used (mailer=), priority of the message, relay machine, and the status of
the message. Queued messages and SYSERRs are also logged.
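The following is an added example, not part of the HP-UX guide or of sendmail. It reads sendmail entries from a syslog mail log, groups them by queue ID as described above, pairs the from= line with its to= lines, and separates out ruleset rejections and SYSERR entries. The log lines are constructed in the layout sendmail writes through syslogd; the host names, queue IDs, addresses and messages are made up, and the sample deliberately includes a deferred delivery, an access-map rejection and a SYSERR so the different entry kinds can be told apart.

```python
import re

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
Oct 23 18:44:21 sys1 sendmail[24294]: SAA24294: from=<root@inet.baby.com>, size=21, class=0, nrcpts=1, msgid=<200210231314.SAA24294@inet.baby.com>, proto=ESMTP, daemon=MTA, relay=inet.baby.com [15.70.178.194]
Oct 23 18:44:22 sys1 sendmail[24296]: SAA24294: to=<myname@baby.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30021, dsn=2.0.0, stat=Sent
Feb  9 07:08:02 sys1 sendmail[29701]: h3TA9Bb29701: from=janet, size=86, class=0, nrcpts=2, msgid=<200302090708.h3TA9Bb29701@sys1.baby.com>, relay=janet@localhost
Feb  9 07:08:05 sys1 sendmail[29703]: h3TA9Bb29701: to=<ess@vetmed.umd.edu>,<ebs@surv.ob.com>, ctladdr=janet (201/20), delay=00:00:03, xdelay=00:00:03, mailer=esmtp, pri=120086, relay=vetmed.umd.edu., dsn=4.0.0, stat=Deferred: Connection refused by vetmed.umd.edu.
Feb  9 07:10:44 sys1 sendmail[29740]: h3TAAi029740: ruleset=check_mail, arg1=<spammer@aol.com>, relay=mail.aol.example [192.0.2.55], reject=550 5.7.1 <spammer@aol.com>... Access denied
Feb  9 07:12:00 sys1 sendmail[29755]: NOQUEUE: SYSERR(root): can not chdir(/var/spool/mqueue/): Permission denied
"""

# "Mon dd hh:mm:ss host sendmail[pid]: QID: rest"
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sendmail\[(?P<pid>\d+)\]:\s+(?P<qid>\S+?):\s+(?P<rest>.*)$"
)
# key=value pairs separated by ", "; a value runs until the next ", key=" or the end,
# so values that themselves contain commas or colons (stat=, reject=) stay whole.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_line(line):
    """Split one log line into its parts, or return None for non-sendmail lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    rest = entry.pop("rest")
    if rest.startswith("SYSERR"):
        entry["kind"], entry["text"] = "syserr", rest
        return entry
    fields = dict(FIELD_RE.findall(rest))
    entry["fields"] = fields
    for kind in ("from", "to", "reject"):
        if kind in fields:
            entry["kind"] = kind
            break
    else:
        entry["kind"] = "other"
    return entry


def group_by_queue_id(log_text):
    """Return ({queue_id: transaction}, [syserr entries]).  A transaction holds
    the sender, size, every delivery attempt and every ruleset rejection."""
    transactions, syserrs = {}, []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["kind"] == "syserr":
            syserrs.append(e)
            continue
        t = transactions.setdefault(
            e["qid"], {"from": None, "size": None, "deliveries": [], "rejects": []})
        f = e["fields"]
        if e["kind"] == "from":
            t["from"], t["size"] = f["from"], int(f.get("size", 0))
        elif e["kind"] == "to":
            t["deliveries"].append({"to": f["to"], "mailer": f.get("mailer"),
                                    "relay": f.get("relay"), "stat": f.get("stat")})
        elif e["kind"] == "reject":
            t["rejects"].append({"ruleset": f.get("ruleset"), "arg1": f.get("arg1"),
                                 "relay": f.get("relay"), "reject": f["reject"]})
    return transactions, syserrs


def undelivered(transactions):
    """Queue IDs with a delivery attempt whose stat= is anything but Sent."""
    return sorted(q for q, t in transactions.items()
                  if any(not (d["stat"] or "").startswith("Sent") for d in t["deliveries"]))


if __name__ == "__main__":
    tx, errs = group_by_queue_id(SAMPLE_LOG)
    for qid, t in tx.items():
        print(qid, t["from"], [d["stat"] for d in t["deliveries"]], [r["reject"] for r in t["rejects"]])
    print("undelivered:", undelivered(tx), "syserrs:", len(errs))
```

Grouping on the queue ID rather than the PID matters: the from= and to= lines of one message are written by different processes (24294 and 24296 above), so the PID does not tie a transaction together but the queue ID does.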
Storing Off Old Sendmail Log Files
At typical logging levels, every piece of mail passing through Sendmail adds two or
three lines to the mail log. A script to manage the growth of the mail log could be run
nightly, at midnight, with an entry in root’s crontab file. Following is an example of
a crontab entry for a script called newsyslog:
0 0 * * * /var/adm/syslog/newsyslog
The following example shows what the script /var/adm/syslog/newsyslog might
contain. The script assumes that syslog is configured to direct mail logging to
/var/adm/syslog/mail.log.
#!/usr/bin/sh
#
# NEWSYSLOG: Save only the last week's Sendmail logging.
cd /var/adm/syslog || exit 1
#
# Shift the saved copies down by one; a missing older copy is not an error.
mv mail.log.6 mail.log.7 2>/dev/null
mv mail.log.5 mail.log.6 2>/dev/null
mv mail.log.4 mail.log.5 2>/dev/null
mv mail.log.3 mail.log.4 2>/dev/null
mv mail.log.2 mail.log.3 2>/dev/null
mv mail.log.1 mail.log.2 2>/dev/null
# Copy the current log, then truncate it in place so syslogd keeps writing to
# the same file and the log does not grow without bound. Lines logged between
# the copy and the truncation are lost, which is acceptable for a nightly run.
cp mail.log mail.log.1
: > mail.log
# Tell syslogd to reopen its log files.
kill -1 `cat /var/run/syslog.pid`
Printing and Reading the Mail Queue
You can print the current contents of the mail queue with the following command:
mailq
The output looks similar to this example:
/var/spool/mqueue (3 requests)
----Q-ID----- --Size--- -----Q-Time----- ----Sender/Recipient----
h3TA9Bb29701         86 Wed Feb  9 07:08 janet
                                         ess@vetmed.umd.edu
                                         ebs@surv.ob.com
h3TAATe29713       1482 Tue Feb 15 07:05 carole
                                         bja@edp.cloq.potlatch.com
                                         vls@ee.cmu.edu
h3TABWB29731      10169 Tue Feb 15 08:10 chuck
                                         hrm@per.stmarys.com
                                         sys6!sysloc@njm
The first entry is a message with queue ID h3TA9Bb29701 and a size of 86 bytes. The
message arrived in the queue on Wednesday, February 9, at 7:08 a.m. The sender was
janet. She sent a message to the recipients ess@vetmed.umd.edu and
ebs@surv.ob.com. Sendmail has already attempted to route the message, but the
message remains in the queue because its SMTP connection was refused. This usually
means that the SMTP server is temporarily not running on the remote host, but it also
occurs if the remote host never runs an SMTP server. Sendmail attempts to deliver this
message the next time the mail queue is processed.
The two other messages in the queue are also routed for delivery the next time the
mail queue is processed.
If mailq is run in verbose mode (with the -v option), then when it prints the queue,
it will also show the priority of each queued message.
Files in the Mail Queue
The files that Sendmail creates in the mail queue all have names of the following format:
ymdhmsrXXXXX
where
y denotes the year
m denotes the month
d denotes the day
h denotes the hour
m denotes the minute
s denotes the second
r denotes a random number
XXXXX denotes a 5-digit number that is the process ID of the process creating the
queue entry.
A file whose name begins with df is a data file. The message body, excluding the
header, is kept in this file.
A file whose name begins with qf is a queue-control file, which contains the information
necessary to process the job.
A file whose name begins with xf is a transcript file. This file is normally empty while
a piece of mail is in the queue. If a failure occurs, a transcript of the failed mail
transaction is generated in this file.
The queue-control file (type qf) is structured as a series of lines, each beginning with
a letter that defines the content of the line. Lines in queue-control files are described
in Table 2-8.
Table 2-8 Lines in Queue-Control Files

Initial Letter  Content of Line
B               The message body type (either 7bit or 8bitmime).
C               The controlling user for message delivery. This line always precedes a
                recipient line (R) that specifies the name of a file or a program. It
                contains the user name that Sendmail must run as when it is delivering
                a message into a file or a program's stdin.
D               The name of the data file. There can be only one D line in the
                queue-control file.
E               An error address. If any such lines exist, they represent the addresses
                that must receive error messages.
H               A header definition. There can be many H lines in the queue-control
                file. Header definitions follow the header definition syntax in the
                configuration file.
P               The current message priority. This is used to order the queue. Higher
                numbers mean lower priorities. The priority decreases (that is, the
                number grows) as the message sits in the queue. The initial priority
                depends on the message precedence, the number of recipients, and the
                size of the message.
M               A message. This line is printed by the mailq command and is generally
                used to store status information (that is, the reason the message was
                queued). It can contain any text.
R               A recipient address. Normally this has already been completely aliased,
                but it is actually re-aliased when the queue is processed. There is one
                line for each recipient.
S               The sender address. There can be only one sender address line.
T               The job creation time (in seconds since January 1, 1970). This is used
                to determine when to time out the job.
The following example is a queue-control file named qfAA00186. The sender is david,
and the recipient is the local user carolyn. The current priority of the message is 17.
The job creation time, in seconds since January, 1970, is 515 961 566. The last seven lines
describe the header lines that appear on the message.
P17
T515961566
DdfAA00186
Sdavid
Rcarolyn
Hreceived: by lab; Thu, 8 May 86 12:39:26 mdt
Hdate: Thu, 8 May 86 12:39:26 mdt
Hfrom: David <david>
Hfull-name: David
Hreturn-path: <david>
Hmessage-id: <8605081839.AA00186@lab.HP>
Happarently-to: carolyn
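The following is an added example, not part of the HP-UX guide or of sendmail. It parses a queue-control file into its typed lines using the letters of Table 2-8, which is what you end up doing by hand when a queue is stuck: the T line tells you how long the message has been waiting, the R lines which recipients are still pending, and the M line why sendmail queued it. The input is the qfAA00186 file shown above, embedded as a constructed string; the handling of H?flags?Name: headers written by newer sendmail versions is an assumption about that later format, not something shown on this page.

```python
from datetime import datetime, timezone

# The qfAA00186 example from the text, embedded as a constructed string.
QF_SAMPLE = """\
P17
T515961566
DdfAA00186
Sdavid
Rcarolyn
Hreceived: by lab; Thu, 8 May 86 12:39:26 mdt
Hdate: Thu, 8 May 86 12:39:26 mdt
Hfrom: David <david>
Hfull-name: David
Hreturn-path: <david>
Hmessage-id: <8605081839.AA00186@lab.HP>
Happarently-to: carolyn
"""

# Letters that may appear more than once (Table 2-8); the rest are single-valued.
REPEATABLE = {"H", "R", "E", "C", "M"}
SINGLE = {"B", "D", "P", "S", "T"}


def parse_qf(text):
    """Return a dict keyed by line letter.  P and T become integers; repeatable
    letters collect a list in file order.  A duplicated single-valued line is an
    error, and lines with unknown letters are kept under "unknown" so that an
    unexpected file is visible rather than silently dropped."""
    record = {letter: [] for letter in REPEATABLE}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw:
            continue
        letter, body = raw[0], raw[1:]
        if letter in REPEATABLE:
            record[letter].append(body)
        elif letter in SINGLE:
            if letter in record:
                raise ValueError(f"line {lineno}: duplicate {letter} line")
            record[letter] = int(body) if letter in ("P", "T") else body
        else:
            record.setdefault("unknown", []).append(raw)
    return record


def creation_time_utc(record):
    """The T line (seconds since 1970) rendered as a UTC timestamp."""
    return datetime.fromtimestamp(record["T"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def headers(record):
    """H lines as (name, value) pairs.  Newer sendmail versions write H?flags?Name:
    value; the ?flags? part is stripped here (an assumption about that format)."""
    out = []
    for h in record["H"]:
        if h.startswith("?"):
            h = h[h.index("?", 1) + 1:]
        name, _, value = h.partition(":")
        out.append((name.strip(), value.strip()))
    return out


if __name__ == "__main__":
    rec = parse_qf(QF_SAMPLE)
    print("sender", rec["S"], "recipients", rec["R"], "priority", rec["P"])
    print("queued at", creation_time_utc(rec), "UTC; data file", rec["D"])
    for name, value in headers(rec):
        print(f"  {name}: {value}")
```

The T line of the sample decodes to 1986-05-08 18:39:26 UTC, which agrees with the 12:39:26 mdt stamp in its Received: header; checking that the two match is a quick way to confirm you are reading the T value correctly.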
Changes to Sendmail Files and Databases
Sendmail files and databases are stored in the /etc/mail directory. Sendmail utilities
access these files and databases for their operation. If you are logged in as the root
user, warning messages are displayed when you run any Sendmail utility that accesses
these files and databases. The warning messages are displayed only when the Sendmail
files and databases are readable or writable by non-root users, that is, when their
permissions are more permissive than Sendmail considers safe.
This section discusses the warning messages displayed when you run the Sendmail
utilities mailstats and newaliases. It also describes the warning messages that
appear when you send mail, and explains how to resolve them.
NOTE:
The warning messages do not indicate an error in the syntax of the command. They
report file permissions that Sendmail considers unsafe; the command still runs.
The mailstats Utility
The mailstats utility displays the mail statistics stored in the
/etc/mail/sendmail.st file. If you run the mailstats utility with root user
permission, the following warning message might appear before the statistics:
# mailstats
warning: /etc/mail/sendmail.st has group read/write or world read/write permission. This is unsafe
Statistics from Thu Dec 19 10:27:00 2002
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis  Mailer
 0        0          0K       46         47K        0       0  prog
 3       41         43K       56         57K        0       0  local
 5       49         51K       34         34K        0       0  esmtp
=============================================================
 T       90         94K      136        138K        0       0
 C       90                  136                    0
The T line totals each column over all mailers; the C line counts connections
(from, to, and rejected).
How to Resolve the Warning Messages
To resolve these warning messages, run the following command:
# chmod 600 /etc/mail/sendmail.st
Now, if you execute the mailstats utility, the warning messages do not appear.
The newaliases Utility
newaliases rebuilds the database for the mail aliases file. If you run the newaliases
utility with root user permission, the following warning messages might appear:
# newaliases
warning: /etc/mail/aliases has world read or write permission. This is unsafe.
warning: /etc/mail/aliases.db has world read or write permission. This is unsafe.
/etc/mail/aliases: 7 aliases, longest 9 bytes, 88 bytes total
How to Resolve the Warning Messages
To resolve the warning messages, run the following command:
# chmod 640 /etc/mail/aliases /etc/mail/aliases.db
Now, if you execute the newaliases utility, the warning messages do not appear.
How to Resolve Warning Messages When You Send Mail
The same warning messages may also appear when you send mail as the root user. The
following example submits a test message to root:
# echo "Subject: Testing" | /usr/sbin/sendmail root
warning: /etc/mail/aliases has world read or write permission. This is unsafe.
warning: /etc/mail/aliases.db has world read or write permission. This is unsafe.
warning: /etc/mail/sendmail.st has group read/write or world read/write permission. This is unsafe
Warning messages appear only for the files that have incorrect permissions. To resolve
them, run the chmod commands described in “The mailstats Utility” (page 101) and
“The newaliases Utility” (page 102).
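The following is an added example, not HP-UX or sendmail code, that audits the three files named in the warnings above and applies the fix the text prescribes for each. The unsafe permission bits are taken from the wording of the warnings (group or world read/write for sendmail.st; world read or write for aliases and aliases.db), and the modes 600 and 640 are those given in the mailstats and newaliases sections. The root prefix and the scratch-directory demonstration are additions for testing against a copy rather than the live /etc/mail.

```python
# Added example (not HP-UX or sendmail code): audit and fix the /etc/mail file
# permissions that produce the warnings quoted above.
import os
import shutil
import stat
import tempfile

# Per file: bits that are unsafe (from the warning texts) and the mode the
# text applies with chmod.
RULES = {
    "/etc/mail/sendmail.st": (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH, 0o600),
    "/etc/mail/aliases": (stat.S_IROTH | stat.S_IWOTH, 0o640),
    "/etc/mail/aliases.db": (stat.S_IROTH | stat.S_IWOTH, 0o640),
}


def unsafe_bits(path, mode):
    """Unsafe permission bits set in mode for path; 0 means the file is safe."""
    bad, _ = RULES[path]
    return stat.S_IMODE(mode) & bad


def warning_for(path, mode):
    """The warning the Sendmail utilities print for this file and mode, or None."""
    if not unsafe_bits(path, mode):
        return None
    if path.endswith("sendmail.st"):
        return ("warning: %s has group read/write or world read/write "
                "permission. This is unsafe" % path)
    return "warning: %s has world read or write permission. This is unsafe." % path


def audit(root="", fix=False):
    """Check every file in RULES below root (root="" means the live system).

    Returns a list of (path, warning) for the files found unsafe. With
    fix=True the prescribed mode is applied, as the text does by hand with
    chmod; the returned list still describes the state found before the fix.
    """
    findings = []
    for path, (_, want) in RULES.items():
        real = root + path
        try:
            mode = os.stat(real).st_mode
        except OSError:
            continue  # file not present on this host; nothing to check
        warning = warning_for(path, mode)
        if warning:
            findings.append((path, warning))
            if fix:
                os.chmod(real, want)
    return findings


def demo_in_tempdir():
    """Build a scratch copy of the three files with a loose mode (constructed
    sample data), audit, fix, and audit again. Returns the number of warnings
    before and after the fix."""
    root = tempfile.mkdtemp()
    try:
        for path in RULES:
            real = root + path
            os.makedirs(os.path.dirname(real), exist_ok=True)
            with open(real, "w") as f:
                f.write("constructed sample, not real mail data\n")
            os.chmod(real, 0o666)  # group and world read/write: unsafe for all three
        before = audit(root, fix=True)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return len(before), len(after)


if __name__ == "__main__":
    for path, warning in audit():
        print(warning)
    print("scratch run (warnings before, after fix):", demo_in_tempdir())
```

Two checks worth adding to the procedure: mode 640 leaves group read on aliases and aliases.db, so confirm with ls -l that their group is a system group rather than one ordinary users belong to; and because newaliases rebuilds aliases.db, run the audit again after it to confirm the rebuilt file kept a safe mode.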
Impact on Non-Root Users
After you change the permissions, non-root users can no longer read the files and
databases associated with Sendmail, and a Permission denied message appears when
they run any utility that accesses those files and databases.
The following messages appear when you run the praliases and mailstats utilities:
$ praliases
praliases: /etc/mail/aliases: open: Permission denied
$ mailstats
mailstats: /etc/mail/sendmail.st: Permission denied
Troubleshooting Sendmail
Index
Symbols
.forward file, 59
/etc/exports, 39
/etc/rc.config.d/mailservs file
  see mailservs file, 38
/etc/rc.config.d/nfsconf file
  see nfsconf file, 39, 40
A
access database
  allow or reject mail, 84
  creating, 85, 86
  format of, 84
aliases database, 59
  adding aliases to, 60
  generating, 60
  managing with NIS, 64, 92
  testing, 64, 92
aliasing loops, 63
anti-spamming
  relay, 86
  security, 83
B
Black Hole List, 57, 88
C
check_compat, 59
configuration
  sendmail, 43
configuration options
  limiting message recipients, 45
  setting header lengths, 45
configuring owners for mailing lists, 62
configuring sendmail
  mail client, 39
  mail server, 39
  standalone system, 38
    installation script, 38
D
DataFileBufferSize, 46
dead letter, sendmail, 35
DeadLetterDrop, 49
Default Client-Server Operation, 33
Default Routing Configuration, 26
  Local Addresses, 26
  Mixed Addresses, 27
  SMTP, 27
  UUCP Addresses, 26
delay_checks, 58
disabling identd
  from sendmail server, 78
  on remote client, 78
DontBlameSendmail, 73
E
elm Configuration File
  $HOME/.elm/elmrc file, 18
  configuration variables, 19
    Boolean, 19
    Numeric, 19
    String, 19
elm Utility, 18
  How elm Works, 18
Errors-To, in sendmail header, 34
expand_alias utility, 64
F
File Mode, 18
H
Header checking, 89
I
Identification Protocol, 77
Interactive Mode, 18
IPv6 support for Sendmail, 71
L
LDAP, see Lightweight Directory Access Protocol, 67
ldap_routing, 58
Lightweight Directory Access Protocol, 67
  enabling LDAP lookups, 68
  routing, 68
  switches, 69
local mail, 41
logging, 95
  sendmail, 41, 42
M
Mail Exchanger Records, 27, 29, 38
mail header lengths
  setting, 45
mail queue, 35
  printing, 98
  queue-control files, 99
Mail Transport Agent, see MTA, 17
Mail User Agent, see MUA, 17
mail/rmail Utility
  Forward option, 22
  mail, 21
  mailfile, 21
  rmail, 22
mailing list options
  Sendmail, 60
mailq, 98
mailservs file, 40
mailstats, 101
mailstats Utility
  impact on non-root users, 103
  resolving the warning message, 102
mailx Utility
  command mode, 20
  input mode, 20
  system-wide file, 20
  tilde escape commands, 20
MaxAliasRecursion, 48
MaxMimeHeaderLength, 48
message components storage, 35
Message Mode, 18
message recipients
  limiting, 45
Message Structure
  envelope, 23
Message Submission Agent, 57
message URL http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services, 15
MIME standard, 18
Mixed Addresses, 27
modifying NIS aliases database, 65
modifying sendmail configuration settings, 44
mqueue directory, 35
MSA
  (see Message Submission Agent)
MTA, 17
mtail utility, 95
MUA, 17
multiple queue directories, 32
MX
  see Mail Exchanger Records, 38, 40
MX Failures, 29
MX records, 40
  possible failures, 29
  relaying based on, 87
N
netdb.h, 29
newaliases, 102
newaliases Utility
  impact on non-root users, 103
  resolving the warning message, 102
NFS Services
  with sendmail, 40
NFS_CLIENT variable, 40
NFS_SERVER variable, 39
nfsconf file, 39, 40
NIS
  with sendmail aliases, 64, 92
no_default_msa, 57
P
Permanent failures, 34
  error handling, 34
PidFile, 48
postmaster alias, 64
ProcessTitlePrefix, 48
R
receive_only, 59
relay entire domain, 86
relay_mail_from, 58
relaying
  based on MX records, 87
  check loose, 87
  from any host in domain, 86
  from any host to any host, 86
  from hosts only, 87
  from local, 87
  promiscuous relay, 86
rewriting the From line, 65
RFC 2554, 75
rmail, 26
S
security
  disabling Sendmail privacy options, 75
  disabling Sendmail security checks, 73
  relaying capability, 86
send_only, 59
sendmail, 37
  aliases, 59
  collecting messages, 24
  configuration file, 43
  configuration options, 44
  configuration settings, 44
  configuring on different systems, 37
  default client-server operation, 33
  default routing configuration, 26
  definition, 22
  DH macro, 40
  DM macro, 40
  error handling, 34
  expand_alias utility, 64
  forwarding non-domain mail, 45
  forwarding own mail, 65
  improving mail queue performance, 32
  installing on mail client, 40
  installing on mail server, 39
  installing on standalone system, 38
  local mailing, 41
  logging, 41, 42
  mail queue, 35
  mailing lists, 60
  mailing to programs or files, 26
  mailing to remote systems, 42
  masquerading, 40
  message structure, 23
  mtail utility, 95
  rewriting from line, 65
  routing messages, 24
  security options, 72
  see also aliases database, 59
  site hiding, 40
  smrsh program, 73
  startup script, 38
  troubleshooting, 92
  UUCP mailing, 41
  validating senders, 87
  validation, 91
  verbose mode, 93
  verifying installation, 41
sendmail logging, 95
sendmail.cf file
  forwarding non-domain mail, 45
  HP-supported changes, 43
sendmail.cw file, 38
SMH, see System Management Homepage, 37
smrsh program, 73
SMTP, 24, 27, 34, 42, 90, 94, 99
  VRFY command, 94
SMTP Addresses, 27
SMTP Authentication, 75
SMTP Transport, 42
SYSERR, in sendmail, 97
System Management Homepage, 37
T
Temporary failures, 34
  error handling, 35
troubleshooting
  sendmail, 92
TrustedUser, 48
U
/usr/bin/rmail, 26
/usr/include/netdb.h, 29
UUCP, 41
uuname, 41, 44
V
Validating senders, 87
/var/mail directory, 39, 40
/var/spool/mqueue directory, 35
verbose mode, sendmail, 93
verifying sendmail installation, 41
Virtual hosting, 66
  setup, 66
Virtual Interfaces, 91
VRFY command, SMTP, 94
X
XscriptFileBufferSize, 48
Y
ypinit script, 64