.\" Copyright (c) 1983 Eric P. Allman
.\" Copyright (c) 1988 The Regents of the University of California.
.\" Redistribution and use in source and binary forms are permitted
.\" provided that the above copyright notice and this paragraph are
.\" duplicated in all such forms and that any documentation,
.\" advertising materials, and other materials related to such
.\" distribution and use acknowledge that the software was developed
.\" by the University of California, Berkeley. The name of the
.\" University may not be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\" @(#)intro.me 6.4 (Berkeley) 4/23/90
.\" pic -Pxx intro.me | ditroff -me -Pxx
.eh 'SMM:16-%''SENDMAIL \*- An Internetwork Mail Router'
.oh 'SENDMAIL \*- An Internetwork Mail Router''SMM:16-%'
SENDMAIL \*- An Internetwork Mail Router
University of California, Berkeley
Routing mail through a heterogenous internet presents many new
problems. Among the worst of these is that of address mapping.
Historically, this has been handled on an
this approach has become unmanageable as internets grow.
Sendmail acts a unified "post office" to which all mail can be
submitted. Address interpretation is controlled by a production
system, which can parse both domain-based addressing and old-style
The production system is powerful
enough to rewrite addresses in the message header to conform to the
standards of a number of common target networks, including old
(NCP/RFC733) Arpanet, new (TCP/RFC822) Arpanet, UUCP, and Phonenet.
Sendmail also implements an SMTP server, message
\(dgA considerable part of this work
was done while under the employ
at the University of California at Berkeley
implements a general internetwork mail routing facility,
featuring aliasing and forwarding,
automatic routing to network gateways,
and flexible configuration.
each node has an address,
and resources can be identified
with a host-resource pair;
the mail system can refer to users
using a host-username pair.
Host names and numbers have to be administered by a central authority,
but usernames can be assigned locally to each host.
multiple networks with different characterstics
the syntax and semantics of resource identification change.
Certain special cases can be handled trivially
providing network names that appear local to hosts
as with the Ethernet at Xerox PARC.
However, the general case is extremely complex.
some networks require point-to-point routing,
which simplifies the database update problem
since only adjacent hosts must be entered
while others use end-to-end addressing.
Some networks use a left-associative syntax
and others use a right-associative syntax,
causing ambiguity in mixed addresses.
Internet standards seek to eliminate these problems.
Initially, these proposed expanding the address pairs
{network, host, resource}
Network numbers must be universally agreed upon,
and hosts can be assigned locally
The user-level presentation was quickly expanded
comprised of a local resource identification
and a hierarchical domain specification
with a common static root.
separates the issue of physical versus logical addressing.
.q "eric@a.cc.berkeley.arpa"
describes only the logical
organization of the address space.
is intended to help bridge the gap
of networks that know nothing of each other
and the clean, tightly-coupled world
of unique network numbers.
It can accept old arbitrary address syntaxes,
resolving ambiguities using heuristics
specified by the system administrator,
as well as domain-based addressing.
It helps guide the conversion of message formats
between disparate networks.
is designed to assist a graceful transition
to consistent internetwork addressing schemes.
Section 1 discusses the design goals for
Section 2 gives an overview of the basic functions of the system.
details of usage are discussed.
to other internet mail routers,
Compatibility with the existing mail programs,
including Bell version 6 mail,
Reliability, in the sense of guaranteeing
that every message is correctly delivered
or at least brought to the attention of a human
no message should ever be completely lost.
This goal was considered essential
because of the emphasis on mail in our environment.
It has turned out to be one of the hardest goals to satisfy,
especially in the face of the many anomalous message formats
produced by various ARPANET sites.
certain sites generate improperly formated addresses,
causing error-message loops.
Some hosts use blanks in names,
UNIX mail programs that assume that an address
The semantics of some fields
are interpreted slightly differently
the obscure features of the ARPANET mail protocol
are difficult to support,
Existing software to do actual delivery
should be used whenever possible.
This goal derives as much from political and practical considerations
fairly complex environments,
connections to a single network type
(such as with multiple UUCP or Ether nets
This goal requires consideration of the contents of an address
in order to determine which gateway to use.
the ARPANET is bringing up the
TCP protocol to replace the old NCP protocol.
No host at Berkeley runs both TCP and NCP,
so it is necessary to look at the ARPANET host name
to determine whether to route mail to an NCP gateway
Configuration should not be compiled into the code.
A single compiled program should be able to run as is at any site
(barring such basic changes as the CPU type or the operating system).
We have found this seemingly unimportant goal
to be critical in real life.
Besides the simple problems that occur when any program gets recompiled
in a different environment,
with anything that they will be recompiling anyway.
must be able to let various groups maintain their own mailing lists,
and let individuals specify their own forwarding,
without modifying the system alias file.
Each user should be able to specify which mailer to execute
to process mail being delivered for him.
This feature allows users who are using specialized mailers
that use a different format to build their environment
without changing the system,
and facilitates specialized functions
Network traffic should be minimized
by batching addresses to a single host where possible,
without assistance from the user.
These goals motivated the architecture illustrated in figure 1.
SM: box "sendmail" wid 2i ht boxht
arrow from S.S1.s to 1/2 between SM.nw and SM.n
arrow from S.S3.s to 1/2 between SM.n and SM.ne
arrow from 1/2 between SM.sw and SM.s to M.M1.n
arrow from 1/2 between SM.s and SM.se to M.M3.n
+---------+ +---------+ +---------+
| sender1 | | sender2 | | sender3 |
+---------+ +---------+ +---------+
+----------+ + +----------+
+----------+ + +----------+
+---------+ +---------+ +---------+
| mailer1 | | mailer2 | | mailer3 |
+---------+ +---------+ +---------+
Figure 1 \*- Sendmail System Structure.
The user interacts with a mail generating and sending program.
When the mail is created,
which routes the message to the correct mailer(s).
Since some of the senders may be network servers
and some of the mailers may be network clients,
may be used as an internet mail gateway.
.sh 2 "System Organization"
neither interfaces with the user
nor does actual mail delivery.
generated by a user interface program (UIP)
edits the message as required by the destination network,
and calls appropriate mailers
to do mail delivery or queueing for network transmission\**.
\**except when mailing to a file,
does the delivery directly.
This discipline allows the insertion of new mailers
resembles the Message Processing Module (MPM)
.sh 2 "Interfaces to the Outside World"
can communicate with the outside world,
both in receiving and in sending mail.
These are using the conventional UNIX
argument vector/return status,
speaking SMTP over a pair of UNIX pipes,
and speaking SMTP over an interprocess(or) channel.
.sh 3 "Argument vector/exit status"
This technique is the standard UNIX method
for communicating with the process.
A list of recipients is sent in the argument vector,
and the message body is sent on the standard input.
Anything that the mailer prints
is simply collected and sent back to the sender
if there were any problems.
The exit status from the mailer is collected
after the message is sent,
and a diagnostic is printed if appropriate.
can be used to run an interactive lock-step interface
A subprocess is still created,
but no recipient addresses are passed to the mailer
Instead, they are passed one at a time
in commands sent to the processes standard input.
Anything appearing on the standard output
.sh 3 "SMTP over an IPC connection"
This technique is similar to the previous technique,
except that it uses a 4.2bsd IPC channel
This method is exceptionally flexible
in that the mailer need not reside
It is normally used to connect to a sendmail process
.sh 2 "Operational Description"
When a sender wants to send a message,
using one of the three methods described above.
operates in two distinct phases.
it collects and stores the message.
If there were errors during processing
creates and returns a new message describing the error
and/or returns an status code
.sh 3 "Argument processing and address parsing"
is called using one of the two subprocess techniques,
and option specifications are processed.
Recipient addresses are then collected,
either from the command line
and a list of recipients is created.
Aliases are expanded at this step,
As much validation as possible of the addresses
syntax is checked, and local addresses are verified,
but detailed checking of host names and addresses
is deferred until delivery.
Forwarding is also performed
as the local addresses are verified.
to the recipient list after parsing.
When a name is aliased or forwarded,
the old name is retained in the list,
and a flag is set that tells the delivery phase
to ignore this recipient.
This list is kept free from duplicates,
and duplicate messages deliverd to the same recipient,
as might occur if a person is in two groups.
.sh 3 "Message collection"
then collects the message.
The message should have a header at the beginning.
No formatting requirements are imposed on the message
except that they must be lines of text
(i.e., binary data is not allowed).
The header is parsed and stored in memory,
and the body of the message is saved
To simplify the program interface,
the message is collected even if no addresses were valid.
The message will be returned with an error.
For each unique mailer and host in the recipient list,
calls the appropriate mailer.
Each mailer invocation sends to all users receiving the message on one host.
Mailers that only accept one recipient at a time
The message is sent to the mailer
using one of the same three interfaces
used to submit a message to sendmail.
Each copy of the message is
prepended by a customized header.
The mailer status code is caught and checked,
and a suitable error message given as appropriate.
The exit code must conform to a system standard
.q "Service unavailable" )
.sh 3 "Queueing for retransmission"
If the mailer returned an status that
indicated that it might be able to handle the mail later,
will queue the mail and try again later.
If errors occur during processing,
returns the message to the sender for retransmission.
The letter can be mailed back
in the sender's home directory\**.
\**Obviously, if the site giving the error is not the originating
site, the only reasonable option is to mail back to the sender.
Also, there are many more error disposition options,
but they only effect the error message \*- the
function is always handled in one of these two ways.
.sh 2 "Message Header Editing"
Certain editing of the message header
Header lines can be inserted
under control of the configuration file.
Some lines can be merged;
line can be merged under certain circumstances.
.sh 2 "Configuration File"
Almost all configuration information is read at runtime
(defining the value of macros used internally),
(telling sendmail the format of header lines that it will process specially,
i.e., lines that it will add or reformat),
(giving information such as the location and characteristics
and address rewriting rules
(a limited production system to rewrite addresses
which is used to parse and rewrite the addresses).
To improve performance when reading the configuration file,
a memory image can be provided.
form of the configuration file.
.sh 1 "USAGE AND IMPLEMENTATION"
Arguments may be flags and addresses.
Flags set various processing options.
Following flag arguments,
address arguments may be given,
unless we are running in SMTP mode.
Addresses follow the syntax in RFC822
Anything in parentheses is thrown away
Anything in angle brackets (\c
This rule implements the ARPANET standard that addresses of the form
user name <machine-address>
will send to the electronic
backslashes quote characters.
Backslashes are more powerful
in that they will cause otherwise equivalent phrases
to compare differently \*- for example,
is different from either of them.
Parentheses, angle brackets, and double quotes
must be properly balanced and nested.
The rewriting rules control remaining parsing\**.
\**Disclaimer: Some special processing is done
after rewriting local names; see below.
.sh 2 "Mail to Files and Programs"
Files and programs are legitimate message recipients.
Files provide archival storage of messages,
useful for project administration and history.
Programs are useful as recipients in a variety of situations,
to maintain a public repository of systems messages
Any address passing through the initial parsing algorithm
(i.e, not appearing to be a valid address for another mailer)
is scanned for two special cases.
If prefixed by a vertical bar (\c
the rest of the address is processed as a shell command.
If the user name begins with a slash mark (\c
the name is used as a file name,
Files that have setuid or setgid bits set
have those bits honored if
.sh 2 "Aliasing, Forwarding, Inclusion"
reroutes mail three ways.
Aliasing applies system wide.
Forwarding allows each user to reroute incoming mail
destined for that account.
to read a file for a list of addresses,
in conjunction with aliasing.
Aliasing maps names to address lists using a system-wide file.
This file is indexed to speed access.
Only names that parse as local
this guarantees a unique key
(since there are no nicknames for the local host).
recipients that are local and valid
are checked for the existence of a
file in their home directory.
but rather to the list of users in that file.
this list will contain only one address,
and the feature will be used for network mail forwarding.
Forwarding also permits a user to specify a private incoming mailer.
"\^|\|/usr/local/newmail myname"
will use a different incoming mailer.
Inclusion is specified in RFC 733 [Crocker77a] syntax:
An address of this form reads the file specified by
and sends to all users listed in that file.
to support direct use of this feature,
but rather to use this as a subset of aliasing.
project: :include:/usr/project/userlist
is a method of letting a project maintain a mailing list
without interaction with the system administration,
even if the alias file is protected.
It is not necessary to rebuild the index on the alias database
when a :include: list is changed.
.sh 2 "Message Collection"
Once all recipient addresses are parsed and verified,
the message is collected.
The message comes in two parts:
a message header and a message body,
separated by a blank line.
The header is formatted as a series of lines
Field-value can be split across lines by starting the following
lines with a space or a tab.
Some header fields have special internal meaning,
and have appropriate special processing.
Other headers are simply passed through.
Some header fields may be added automatically,
The body is a series of text lines.
It is completely uninterpreted and untouched,
except that lines beginning with a dot
when transmitted over an SMTP channel.
This extra dot is stripped by the receiver.
The send queue is ordered by receiving host
to implement message batching.
Each address is marked as it is sent
so rescanning the list is safe.
An argument list is built as the scan proceeds.
Mail to files is detected during the scan of the send list.
The interface to the mailer
is performed using one of the techniques
described in section 2.2.
After a connection is established,
makes the per-mailer changes to the header
and sends the result to the mailer.
If any mail is rejected by the mailer,
a flag is set to invoke the return-to-sender function
after all delivery completes.
A control file is used to describe the recipients to be sent to
and various other parameters.
This control file is formatted as a series of lines,
each describing a sender,
or some other salient parameter of the message.
The header of the message is stored
so that the associated data file in the queue
is just the temporary file that was originally collected.
Configuration is controlled primarily by a configuration file
should not need to be recomplied except
To change operating systems
To remove or insert the DBM
To change ARPANET reply codes.
To add headers fields requiring special processing.
Adding mailers or changing parsing
does not require recompilation.
If the mail is being sent by a local user,
exists in the sender's home directory,
that file is read as a configuration file
after the system configuration file.
The primary use of this feature is to add header lines.
The configuration file encodes macro definitions,
Macros can be used in three ways.
unstructured textual information
will use to identify itself in error messages.
Other macros transmit information from
to the configuration file
for use in creating other fields
(such as argument vectors to mailers);
e.g., the name of the sender,
Other macros are unused internally,
and can be used as shorthand in the configuration file.
.sh 3 "Header declarations"
Header declarations inform
of the format of known header lines.
Knowledge of a few header lines
will be automatically inserted
if they don't exist in the incoming message.
Certain headers are suppressed by some mailers.
.sh 3 "Mailer declarations"
of the various mailers available to it.
The definition specifies the internal name of the mailer,
the pathname of the program to call,
some flags associated with the mailer,
and an argument vector to be used on the call;
this vector is macro-expanded before use.
.sh 3 "Address rewriting rules"
The heart of address parsing in
is a set of rewriting rules.
These are an ordered list of pattern-replacement rules,
(somewhat like a production system,
except that order is critical),
which are applied to each address.
The address is rewritten textually until it is either rewritten
into a special canonical form
such as {arpanet, usc-isif, postel}
the rule is reapplied until it fails.
The configuration file also supports the editing of addresses
to conform to the domain syntax.
Translations can also be done in the other direction.
There are several options that can be set
from the configuration file.
These include the pathnames of various support files,
.sh 1 "COMPARISON WITH OTHER MAILERS"
The primary differences are:
Configuration information is not compiled in.
This change simplifies many of the problems
of moving to other machines.
It also allows easy debugging of new mailers.
Address parsing is more flexible.
only supported one gateway to any network,
can be sensitive to host names
and reroute to different gateways.
features eliminate the requirement that the system alias file
(or that an update program be written,
or that the system administration make all changes).
supports message batching across networks
when a message is being sent to multiple recipients.
A mail queue is provided in
Mail that cannot be delivered immediately
but can potentially be delivered later
is stored in this queue for a later retry.
The queue also provides a buffer against system crashes;
after the message has been collected
it may be reliably redelivered
even if the system crashes during the initial delivery.
uses the networking support provided by 4.2BSD
to provide a direct interface networks such as the ARPANET
using SMTP (the Simple Mail Transfer Protocol)
over a TCP/IP connection.
spans a wider problem set than
calls on preexisting mailers in most cases.
automatic forwarding to gateways,
MMDF supports two-stage timeout,
The configuration for MMDF
is compiled into the code\**.
\**Dynamic configuration tables are currently being considered
allowing the installer to select either compiled
Since MMDF does not consider backwards compatibility
the address parsing is simpler but much less flexible.
It is somewhat harder to integrate a new channel\**
\**The MMDF equivalent of a
MMDF must know the location and format
of host tables for all channels,
and the channel must speak a special protocol.
This allows MMDF to do additional verification
(such as verifying host names)
MMDF strictly separates the submission and delivery phases.
has the concept of each of these stages,
they are integrated into one program,
whereas in MMDF they are split into two programs.
.sh 2 "Message Processing Module"
The Message Processing Module (MPM)
discussed by Postel [Postel79b]
closely in terms of its basic architecture.
the MPM includes the network interface software
MPM also postulates a duplex channel to the receiver,
thus allowing simpler handling of errors
any errors must be returned to the sender
Both MPM and MMDF mailers
can return an immediate error response,
and a single error processor can create an appropriate response.
MPM prefers passing the message as a structured object,
with type-length-value tuples\**.
\**This is similar to the NBS standard.
Such a convention requires a much higher degree of cooperation
between mailers than is required by
MPM also assumes a universally agreed upon internet name space
(with each address in the form of a net-host-user tuple),
.sh 1 "EVALUATIONS AND FUTURE PLANS"
is designed to work in a nonhomogeneous environment.
Every attempt is made to avoid imposing unnecessary constraints
on the underlying mailers.
This goal has driven much of the design.
One of the major problems
has been the lack of a uniform address space,
as postulated in [Postel79a]
A nonuniform address space implies that a path will be specified
either explicitly (as part of the address)
(as with implied forwarding to gateways).
This restriction has the unpleasant effect of making replying to messages
but only a way to get there from wherever you are.
Interfacing to mail programs
that were not initially intended to be applied
in an internet environment
has been amazingly successful,
and has reduced the job to a manageable task.
has knowledge of a few difficult environments
It generates ARPANET FTP/SMTP compatible error messages
(prepended with three-digit numbers
[Neigus73, Postel74, Postel82])
optionally generates UNIX-style
lines on the front of messages for some mailers,
and knows how to parse the same lines on input.
error handling has an option customized for BerkNet.
The decision to avoid doing any type of delivery where possible
(even, or perhaps especially, local delivery)
has turned out to be a good idea.
Even with local delivery,
there are issues of the location of the mailbox,
the format of the mailbox,
the locking protocol used,
that are best decided by other programs.
One surprisingly major annoyance in many internet mailers
is that the location and format of local mail is built in.
The feeling seems to be that local mail is so common
that it should be efficient.
This feeling is not born out by
the location and format of mailboxes seems to vary widely
The ability to automatically generate a response to incoming mail
(by forwarding mail to a program)
.q "I am on vacation until late August...." )
(two people on vacation whose programs send notes back and forth,
if these programs are not well written.
A program could be written to do standard tasks correctly,
but this would solve the general case.
It might be desirable to implement some form of load limiting.
I am unaware of any mail system that addresses this problem,
nor am I aware of any reasonable solution at this time.
The configuration file is currently practically inscrutable;
considerable convenience could be realized
with a higher-level format.
It seems clear that common protocols will be changing soon
to accommodate changing requirements and environments.
These changes will include modifications to the message header
or to the body of the message itself
(such as for multimedia messages
Experience indicates that
these changes should be relatively trivial to integrate
into the existing system.
In tightly coupled environments,
it would be nice to have a name server
integrated into the mail system.
This would allow a site such as
to appear as a single host,
rather than as a collection of hosts,
and would allow people to move transparently among machines
without having to change their addresses.
would require an automatically updated database
and some method of resolving conflicts.
Ideally this would be effective even without
it is not clear whether this feature
should be integrated into the
or should be considered a
As a more interesting case,
provides an facility that goes beyond a single
tightly-coupled environment.
Such a facility would normally exist outside of
Thanks are due to Kurt Shoens for his continual cheerful
assistance and good advice,
Bill Joy for pointing me in the correct direction
and Mark Horton for more advice,
and many of the good ideas.
Kurt and Eric Schmidt are to be credited
as a server for their programs
and BerkNet respectively)
before any sane person should have,
and making the necessary modifications
Eric gave me considerable advice about the perils
of network software which saved me an unknown
amount of work and grief.
Mark did the original implementation of the DBM version
of aliasing, installed the VFORK code,
wrote the current version of
and was the person who really convinced me
Kurt deserves accolades for using
when I was myself afraid to take the risk;
how a person can continue to be so enthusiastic
in the face of so much bitter reality is beyond me.
and many others have reviewed this paper,
giving considerable useful advice.
Special thanks are reserved for Mike Stonebraker at Berkeley
and Bob Epstein at Britton-Lee,
who both knowingly allowed me to put so much work into this
when there were so many other things I really should
.q "Grapevine: An Exercise in Distributed Computing."
The MH Message Handling System: Users' Manual.
Standard for the Format of ARPA Network Text Messages.
Framework and Functions of the MS Personal Message System.
Santa Monica, California.
An Internetwork Memo Distribution Facility \*- MMDF.
6th Data Communication Symposium,
Standard for the Format of Arpa Internet Text Messages.
Network Information Center,
.q "Ethernet: Distributed Packet Switching for Local Computer Networks" ,
Communications of the ACM 19,
ARPANET Protocol Handbook.
Network Information Center,
National Bureau of Standards,
Specification of a Draft Message Format Standard.
Report No. ICST/CBOS 80-2.
File Transfer Protocol for the ARPA Network.
A Dial-Up Network of UNIX Systems.
UNIX Programmer's Manual, Seventh Edition,
Uucp Implementation Description.
UNIX Programmer's Manual, Seventh Edition,
Internet Message Protocol.
Network Information Center,
An Internetwork Message Structure.
Proceedings of the Sixth Data Communications Symposium,
A Structured Format for Transmission of Multi-Media Documents.
Network Information Center,
Simple Mail Transfer Protocol.
Network Information Center,
An Introduction to the Berkeley Network.
University of California, Berkeley California.
University of California, Berkeley.
In UNIX Programmer's Manual,
Network Information Center,
Solomon, M., Landweber, L., and Neuhengen, D.,
.q "The Design of the CSNET Name Server."
University of Wisconsin, Madison.
The Domain Naming Convention for Internet User Applications.
Network Information Center,
The UNIX Programmer's Manual, Seventh Edition,
modified by the University of California,