.\" Copyright (c) 1983, 1995 Eric P. Allman
.\" Copyright (c) 1983, 1993
.\" The Regents of the University of California. All rights reserved.
.\" %sccs.include.redist.roff%
.\" @(#)op.me 8.58 (Berkeley) %G%
.\" eqn op.me | pic | troff -me
.eh 'SMM:08-%''Sendmail Installation and Operation Guide'
.oh 'Sendmail Installation and Operation Guide''SMM:08-%'
.\" SD is lib if sendmail is installed in /usr/lib, sbin if in /usr/sbin
.\" SB is bin if newaliases/mailq are installed in /usr/bin, ucb if in /usr/ucb
.b "INSTALLATION AND OPERATION GUIDE"
University of California, Berkeley
implements a general purpose internetwork mail routing facility
It is not tied to any one transport protocol \*-
its function may be likened to a crossbar switch,
relaying messages from one domain into another.
it can do a limited amount of message header editing
to put the message into a format that is appropriate
for the receiving domain.
All of this is done under the control of a configuration file.
Due to the requirements of flexibility
the configuration file can seem somewhat unapproachable.
However, there are only a few basic configurations
for which standard configuration files have been supplied.
Most other configurations
can be built by adjusting an existing configuration files
RFC822 (Internet Mail Format Protocol),
RFC821 (Simple Mail Transport Protocol),
RFC1123 (Internet Host Requirements),
RFC1651 (SMTP Service Extensions).
is designed to work in a wider world,
in many cases it can be configured to exceed these protocols.
These cases are described herein.
without the need for monitoring,
it has a number of features
that may be used to monitor or adjust the operation
under unusual circumstances.
These features are described.
Section one describes how to do a basic
explains the day-to-day information you should know
to maintain your mail system.
If you have a relatively normal site,
these two sections should contain sufficient information
describes some parameters that may be safely tweaked.
has information regarding the command line arguments.
contains the nitty-gritty information about the configuration
This section is for masochists
and people who must write their own configuration file.
describes configuration that can be done at compile time.
gives a brief description of differences
The appendixes give a brief
but detailed explanation of a number of features
not described in the rest of the paper.
Several major changes were introduced in version 8.7.
You should not attempt to use this document
.sh 1 "BASIC INSTALLATION"
There are two basic steps to installing
The hard part is to build the configuration table.
that describes the mailers it knows about,
how to rewrite the message header,
and the settings of various options.
Although the configuration table is quite complex,
a configuration can usually be built
by adjusting an existing off-the-shelf configuration.
The second part is actually doing the installation,
i.e., creating the necessary files, etc.
The remainder of this section will describe the installation of
assuming you can use one of the existing configurations
and that the standard installation parameters are acceptable.
All pathnames and examples
are given from the root of the
.i /usr/src/usr.\*(SD/sendmail
If you are loading this off the tape,
continue with the next section.
If you have a running binary already on your system,
you should probably skip to section 1.2.
.sh 2 "Compiling Sendmail"
If you are running on a 4.4BSD system,
On other systems, you may have to make some other adjustments.
you can do the appropriate compilation by typing
This will leave the binary in an appropriately named subdirectory.
It works for multiple object versions
compiled out of the same directory.
.sh 3 "Tweaking the Makefile"
supports two different formats
for the local (on disk) version of databases,
At least one of these should be defined if at all possible.
available on nearly all systems around today.
This was the preferred format prior to 4.4BSD.
It allows such complex things as multiple databases
and closing a currently open database.
The new database package from Berkeley.
If you have this, use it.
You can define this in conjunction with one of the other two;
but when a new database is created it will be in NEWDB format.
if you have NEWDB, NDBM, and NIS defined,
and if the alias file name includes the substring
will create both new and old versions of the alias file
This is required because the Sun NIS/YP system
reads the DBM version of the alias file.
If neither of these are defined,
reads the alias file into memory on every invocation.
This can be slow and should be avoided.
There are also several methods for remote database access:
Sun's Network Information Services (formerly YP).
Hesiod service (from Athena).
Other compilation flags are set in conf.h
and should be predefined for you
unless you are porting to a new environment.
.sh 3 "Compilation and installation"
After making the local system configuration described above,
You should be able to compile and install the system.
is the best approach on most systems:
to select the correct Makefile for your environment.
You may be able to install using
This should install the binary in
On 4.4BSD systems it will also format and install man pages.
.sh 2 "Configuration Files"
cannot operate without a configuration file.
The configuration defines the mail delivery mechanisms understood at this site,
how to forward email to remote mail systems,
and a number of tuning parameters.
This configuration file is detailed
in the later portion of this document.
configuration can be daunting at first.
and the mail configuration reflects that.
The distribution includes an m4-based configuration package
that hides a lot of the complexity.
These configuration files are simpler than old versions
largely because the world has become simpler;
text-based host files are officially eliminated,
hosts behind a registered internet gateway.
These files also assume that most of your neighbors
use domain-based UUCP addressing;
instead of naming hosts as
The configuration files can be customized to work around this,
Our configuration files are processed by
to facilitate local customization;
contains the source files.
This directory contains several subdirectories:
Both site-dependent and site-independent descriptions of hosts.
These can be literal host names
when the hosts are gateways
or more general descriptions
as a general description of an SMTP-connected host
as a general description of a UUCP-connected host).
(``Master Configuration'')
are the input descriptions;
the output is in the corresponding
The general structure of these files is described below.
Site-dependent subdomain descriptions.
These are tied to the way your organization wants to do addressing.
is our description for hosts in the CS.Berkeley.EDU subdomain
that want their individual hostname to be externally visible;
is the same except that the hostname is hidden
(everything looks like it comes from CS.Berkeley.EDU).
These are referenced using the
Definitions of specific features that some particular host in your site
These are referenced using the
to read an /etc/sendmail.cw file on startup
to find the set of local names).
Local hacks, referenced using the
The point of having them here is to make it clear that they smell.
include files that have information common to all configuration files.
This can be thought of as a
The mailer types that are known in this distribution are
For example, to include support for the UUCP-based mailers,
Definitions describing various operating system environments
(such as the location of support files).
These are referenced using the
You shouldn't have to mess with these.
Local site configuration information,
such as UUCP connectivity.
They normally contain lists of site information, for example:
They are referenced using the SITECONFIG macro:
SITECONFIG(site.config.file, name_of_site, X)
is the macro/class name to use.
(indicating locally connected hosts)
for up to three remote UUCP hubs.
If you are in a new domain
you will probably want to create a
This consists primarily of relay definitions:
for example, Berkeley's domain definition
only the UUCP relay is particularly specific
All of these are internet-style domain names.
Please check to make certain they are reasonable for your domain.
Subdomains at Berkeley are also represented in the
is the Computer Science subdomain with the local hostname shown
makes users appear to be from the CS.Berkeley.EDU subdomain
(with no local host information included).
You will probably have to update this directory
to be appropriate for your domain.
You will have to use or create
subdirectory for your hosts.
.sh 2 "Details of Installation Files"
This subsection describes the files that
.sh 3 "/usr/\*(SD/sendmail"
is located in /usr/\*(SD\**.
on 4.4BSD and newer systems;
many systems install it in
I understand it is in /usr/ucblib
It should be setuid root.
should be owned by root, mode 755\**.
\**Some vendors ship them owned by bin;
this creates a security hole that is not actually related to
Other important directories that should have restrictive ownerships
/bin, /usr/bin, /etc, /usr/etc, /lib, and /usr/lib.
This is the configuration file for
\**Actually, the pathname varies depending on the operating system;
/etc is the preferred directory.
Some older systems install it in
.b /usr/lib/sendmail.cf ,
If you want to move this file,
This and /etc/sendmail.pid
are the only non-library file names compiled into
\**The system libraries can reference other files;
in particular, system library subroutines that
The configuration file is normally created
using the distribution files described above.
If you have a particularly unusual system configuration
you may need to create a special version.
The format of this file is detailed in later sections
.sh 3 "/usr/\*(SB/newaliases"
command should just be a link to
rm \-f /usr/\*(SB/newaliases
ln \-s /usr/\*(SD/sendmail /usr/\*(SB/newaliases
This can be installed in whatever search path you prefer
.sh 3 "/var/spool/mqueue"
should be created to hold the mail queue.
This directory should be mode 700
The actual path of this directory
The system aliases are held in
which includes some aliases which
cp lib/aliases /etc/aliases
You should extend this file with any aliases that are apropos to your system.
looks at a version of these files maintained by the
These are stored either in
depending on which database package you are using.
These can initially be created as empty files,
but they will have to be initialized promptly.
These should be mode 644:
cp /dev/null /etc/aliases.dir
cp /dev/null /etc/aliases.pag
routines preset the mode reasonably,
so this step can be skipped.
The actual path of this file
It will be necessary to start up the
daemon when your system reboots.
This daemon performs two functions:
it listens on the SMTP socket for connections
(to receive mail from a remote system)
and it processes the queue periodically
to insure that mail gets delivered when hosts come up.
Add the following lines to
in the area where it is starting up the daemons:
if [ \-f /usr/\*(SD/sendmail \-a \-f /etc/sendmail.cf ]; then
(cd /var/spool/mqueue; rm \-f [lnx]f*)
/usr/\*(SD/sendmail \-bd \-q30m &
echo \-n ' sendmail' >/dev/console
commands insure that all lock files have been removed;
extraneous lock files may be left around
if the system goes down in the middle of processing a message.
The line that actually invokes
causes it to listen on the SMTP port,
causes it to run the queue every half hour.
Some people use a more complex startup script,
removing zero length qf files and df files for which there is no qf file.
For example, see Figure 1
for an example of a complex startup script.
# remove zero length qf files
echo \-n " <zero: $qffile>" > /dev/console
# rename tf files to be qf if the qf does not exist
qffile=`echo $tffile | sed 's/t/q/'`
if [ \-r $tffile \-a ! \-f $qffile ]
echo \-n " <recovering: $tffile>" > /dev/console
echo \-n " <extra: $tffile>" > /dev/console
# remove df files with no corresponding qf files
qffile=`echo $dffile | sed 's/d/q/'`
if [ \-r $dffile \-a ! \-f $qffile ]
echo \-n " <incomplete: $dffile>" > /dev/console
mv $dffile `echo $dffile | sed 's/d/D/'`
# announce files that have been saved during disaster recovery
echo \-n " <panic: $xffile>" > /dev/console
Figure 1 \(em A complex startup script
If you are not running a version of UNIX
that supports Berkeley TCP/IP,
.sh 3 "/usr/lib/sendmail.hf"
This is the help file used by the SMTP
cp lib/sendmail.hf /usr/lib
The actual path of this file
If you wish to collect statistics
you should create the file
cp /dev/null /etc/sendmail.st
chmod 666 /etc/sendmail.st
It is printed with the program
.q mailstats/mailstats.c.
The actual path of this file
will print the contents of the mail queue;
This should be a link to /usr/\*(SD/sendmail.
.sh 1 "NORMAL OPERATIONS"
The system log is supported by the
which does not support facilities in the syslog.
Each line in the system log
the name of the machine that generated it
(for logging from several machines
over the local area network),
\**This format may vary slightly if your vendor has changed
Most messages are a sequence of
The two most common lines are logged when a message is processed.
The first logs the receipt of a message;
there will be exactly one of these per message.
Some fields may be omitted if they do not contain interesting information.
The envelope sender address.
The size of the message in bytes.
The class (i.e., numeric precedence) of the message.
The initial message priority (used for queue sorting).
The number of envelope recipients for this message
(after aliasing and forwarding).
The message id of the message (from the header).
The protocol used to receive this message (e.g., ESMTP or UUCP)
The machine from which it was received.
There is also one line logged per delivery attempt
(so there can be several per message if delivery is deferred
or there are multiple recipients).
A comma-separated list of the recipients to this mailer.
The ``controlling user'', that is, the name of the user
whose credentials we use for delivery.
The total delay between the time this message was received
and the time it was delivered.
The amount of time needed in this delivery attempt
(normally indicative of the speed of the connection).
The name of the mailer used to deliver to this recipient.
The name of the host that actually accepted (or rejected) this recipient.
Not all fields are present in all messages;
for example, the relay is not listed for local deliveries.
or an equivalent installed,
you will be able to do logging.
There is a large amount of information that can be logged.
The log is arranged as a succession of levels.
only extremely strange situations are logged.
even the most mundane and uninteresting events
are recorded for posterity.
are reserved for debugging purposes.
Levels from 11\-64 are reserved for verbose information
that some sites might want.
A complete description of the log levels
to log a dump of the open files
The results are logged at
Sometimes a host cannot handle a message immediately.
For example, it may be down or overloaded, causing it to refuse connections.
The sending host is then expected to save this message in
and attempt to deliver it later.
Under normal conditions the mail queue will be processed transparently.
However, you may find that manual intervention is sometimes necessary.
if a major host is down for a period of time
the queue may become clogged.
ought to recover gracefully when the host comes up,
you may find performance unacceptably bad in the meantime.
.sh 3 "Printing the queue"
The contents of the queue can be printed
This will produce a listing of the queue id's,
the date the message entered the queue,
and the sender and recipients.
.sh 3 "Forcing the queue"
should run the queue automatically
The algorithm is to read and sort the queue,
and then to attempt to process all jobs in order.
When it attempts to run the job,
first checks to see if the job is locked.
If so, it ignores the job.
There is no attempt to insure that only one queue processor
since there is no guarantee that a job cannot take forever
does include heuristics to try to abort jobs
that are taking absurd amounts of time;
technically, this violates RFC 821, but is blessed by RFC 1123).
Due to the locking algorithm,
it is impossible for one job to freeze the entire queue.
an uncooperative recipient host
can accumulate many processes in your system.
there is no completely general way to solve this.
you may find that a major host going down
may create a prohibitively large queue.
spending an inordinate amount of time
This situation can be fixed by moving the queue to a temporary place
and creating a new queue.
The old queue can be run later when the offending host returns to service.
it is acceptable to move the entire queue directory:
mv mqueue omqueue; mkdir mqueue; chmod 700 mqueue
You should then kill the existing daemon
(since it will still be processing in the old queue directory)
To run the old mail queue,
run the following command:
/usr/\*(SD/sendmail \-oQ/var/spool/omqueue \-q
flag specifies an alternate queue directory
flag says to just run every job in the queue.
If you have a tendency toward voyeurism,
flag to watch what is going on.
When the queue is finally emptied,
you can remove the directory:
.sh 2 "The Service Switch"
The implementation of certain system services
such as host and user name lookup
is controlled by the service switch.
If the host operating system supports such a switch
will use the native version.
Ultrix, Solaris, and DEC OSF/1 are examples of such systems.
If the underlying operating system does not support a service switch
(e.g., SunOS, HP-UX, BSD)
will provide a stub implementation.
option points to the name of a file that has the service definitions
Each line has the name of a service
and the possible implementations of that service.
to look for hosts in the Domain Name System first.
If the requested host name is not found,
and if that fails it tries NIS.
it will try the local files first
Service switches are not completely integrated.
For example, despite the fact that the host entry listed in the above example
specifies to look in NIS,
on SunOS this won't happen because the system implementation of
If there is enough demand
and the other system routines that would be necessary
to make this work seamlessly.
.sh 2 "The Alias Database"
The alias database exists in two forms.
The aliases are of the form
Only local names may be aliased;
eric@prep.ai.MIT.EDU: eric@CS.Berkeley.EDU
will not have the desired effect
(except on prep.ai.MIT.EDU,
and they probably don't want me)\**.
\**Actually, any mailer that has the `A' mailer flag set
this is normally limited to the local mailer.
Aliases may be continued by starting any continuation lines
Blank lines and lines beginning with a sharp sign
The second form is processed by the
package probably works as well.
This form is in the files
actually uses to resolve aliases.
This technique is used to improve performance.
The control of search order is actually set by the service switch.
is always added as the first alias entry;
also, the first alias file name without a class
will be used as the name of the file for a ``files'' entry
For example, if the configuration file contains
and the service switch contains
aliases nis files nisplus
then aliases will first be searched in the NIS database,
then in the NIS+ database.
For example, the specification:
OAnis:mail.aliases@my.nis.domain
will first search the /etc/aliases file
Warning: if you build your own
to map upper case letters in the keys to lower case;
otherwise, aliases with upper case letters in their names
won't match incoming addresses.
Additional flags can be added after the colon
OAnis:\-N mail.aliases@my.nis.domain
will search the appropriate NIS map and always include null bytes in the key.
.sh 3 "Rebuilding the alias database"
The DB or DBM version of the database
may be rebuilt explicitly by executing the command
This is equivalent to giving
option is specified in the configuration,
will rebuild the alias database automatically
Auto-rebuild can be dangerous
on heavily loaded machines
if it might take more than the rebuild timeout
which is normally five minutes)
there is a chance that several processes will start the rebuild process
If you have multiple aliases databases specified,
flag rebuilds all the database types it understands
(for example, it can rebuild NDBM databases but not NIS databases).
.sh 3 "Potential problems"
There are a number of problems that can occur
process accessing the DBM version
while it is only partially built.
This can happen under two circumstances:
One process accesses the database
while another process is rebuilding it,
or the process rebuilding the database dies
(due to being killed or a system crash)
before completing the rebuild.
Sendmail has three techniques to try to relieve these problems.
First, it ignores interrupts while rebuilding the database;
this avoids the problem of someone aborting the process
leaving a partially rebuilt database.
it locks the database source file during the rebuild \(em
but that may not work over NFS or if the file is unwritable.
at the end of the rebuild
it adds an alias of the form
(which is not normally legal).
will access the database,
it checks to insure that this entry exists\**.
option is required in the configuration
for this action to occur.
This should normally be specified.
If an error occurs on sending to a certain address,
where the submitter of the list
has no control over the maintenance of the list itself;
in this case the list maintainer would be the owner of the list.
unix-wizards: eric@ucbarpa, wnj@monet, nosuchuser,
owner-unix-wizards: unix-wizards-request
unix-wizards-request: eric@ucbarpa
to get the error that will occur
List owners also cause the envelope sender address to be modified.
The contents of the owner alias are used if they point to a single user,
otherwise the name of the alias itself is used.
For this reason, and to obey Internet conventions,
address normally points at the
address; this causes messages to go out with the typical Internet convention
.sh 2 "User Information Database"
with the user information database
and you have specified one or more databases using the
the databases will be searched for a
If found, the mail will be sent to the specified address.
.sh 2 "Per-User Forwarding (.forward Files)"
As an alternative to the alias database,
any user may put a file with the name
in his or her home directory.
redirects mail for that user
to the list of addresses listed in the .forward file.
For example, if the home directory for user
has a .forward file with contents:
then any mail arriving for
will be redirected to the specified accounts.
Actually, the configuration file defines a sequence of filenames to check.
By default, this is the user's .forward file,
but can be defined to be more generally using the
you will have to inform your user base of the change;
\&.forward is pretty well incorporated into the collective subconscious.
.sh 2 "Special Header Lines"
Several header lines have special interpretations
defined by the configuration file.
Others have interpretations built into
that cannot be changed without changing the code.
These builtins are described here.
If errors occur anywhere during processing,
this header will cause error messages to go to
This is intended for mailing lists.
The Errors-To: header was created in the bad old days
when UUCP didn't understand the distinction between an envelope and a header;
this was a hack to provide what should now be passed
as the envelope sender address.
The Errors-To: header is official deprecated
and will go away in a future release.
RFC 822 requires at least one recipient field
If a message comes in with no recipients listed in the message
will adjust the header based on the
One of the possible actions is to add an
header line for any recipients it is aware of.
This is not put in as a standard recipient line
to warn any recipients that the list is not complete.
The Apparently-To: header is non-standard
The Precedence: header can be used as a crude control of message priority.
It tweaks the sort order in the queue
and can be configured to change the message timeout values.
.sh 2 "IDENT Protocol Support"
supports the IDENT protocol as defined in RFC 1413.
Although this enhances identification
of the author of an email message
by doing a ``call back'' to the originating system to include
the owner of a particular TCP connection
it is in no sense perfect;
a determined forger can easily spoof the IDENT protocol.
The following description is excerpted from RFC 1413:
6. Security Considerations
The information returned by this protocol is at most as trustworthy
as the host providing it OR the organization operating the host. For
example, a PC in an open lab has few if any controls on it to prevent
a user from having this protocol return any identifier the user
wants. Likewise, if the host has been compromised the information
returned may be completely erroneous and misleading.
The Identification Protocol is not intended as an authorization or
access control protocol. At best, it provides some additional
auditing information with respect to TCP connections. At worst, it
can provide misleading, incorrect, or maliciously incorrect
The use of the information returned by this protocol for other than
auditing is strongly discouraged. Specifically, using Identification
Protocol information to make access control decisions - either as the
primary method (i.e., no other checks) or as an adjunct to other
methods may result in a weakening of normal host security.
An Identification server may reveal information about users,
entities, objects or processes which might normally be considered
private. An Identification server provides service which is a rough
analog of the CallerID services provided by some phone companies and
many of the same privacy considerations and arguments that apply to
the CallerID service apply to Identification. If you wouldn't run a
"finger" server due to privacy considerations you may not want to run
In some cases your system may not work properly with IDENT support
due to a bug in the TCP/IP implementation.
The symptoms will be that for some hosts
the SMTP connection will be closed
If this is true or if you do not want to use IDENT,
you should set the IDENT timeout to zero;
this will disable the IDENT protocol.
The complete list of arguments to
is described in detail in Appendix A.
Some important arguments are described here.
The amount of time between forking a process
If you run with delivery mode set to
this can be relatively large,
since it will only be relevant
when a host that was down comes back up.
it should be relatively short,
since it defines the maximum amount of time that a message
(See also the MinQueueAge option.)
RFC 1123 section 5.3.1.1 says that this value should be at least 30 minutes
(although that probably doesn't make sense if you use ``queue-only'' mode).
If you allow incoming mail over an IPC connection,
you should have a daemon running.
This should be set by your
flag may be combined in one call:
/usr/\*(SD/sendmail \-bd \-q30m
An alternative approach is to invoke sendmail from
flag to ask sendmail to speak SMTP on its standard input and output).
This works and allows you to wrap
in a TCP wrapper program,
but may be a bit slower since the configuration file
has to be re-read on every message that comes in.
If you do this, you still need to have a
running to flush the queue:
/usr/\*(SD/sendmail \-q30m
.sh 2 "Forcing the Queue"
In some cases you may find that the queue has gotten clogged for some reason.
You can force a queue run
It is entertaining to use the
when this is done to watch what happens:
/usr/\*(SD/sendmail \-q \-v
You can also limit the jobs to those with a particular queue identifier,
using one of the queue modifiers.
restricts the queue run to jobs that have the string
somewhere in one of the recipient addresses.
limits the run to particular senders and
limits it to particular queue identifiers.
There are a fairly large number of debug flags
Each debug flag has a number and a level,
where higher levels means to print out more information.
The convention is that levels greater than nine are
they print out so much information that you wouldn't normally
want to see them except for debugging that particular piece of code.
Debug flags are set using the
debug-flag: \fB\-d\fP debug-list
debug-list: debug-option [ , debug-option ]*
debug-option: debug-range [ . debug-level ]
debug-range: integer | integer \- integer
where spaces are for reading ease only.
\-d12 Set flag 12 to level 1
\-d12.3 Set flag 12 to level 3
\-d3\-17 Set flags 3 through 17 to level 1
\-d3\-17.4 Set flags 3 through 17 to level 4
For a complete list of the available debug flags
you will have to look at the code
(they are too dynamic to keep this documentation up to date).
.sh 2 "Changing the Values of Options"
Options can be overridden using the
/usr/\*(SD/sendmail \-oT2m
(timeout) option to two minutes
the equivalent line using the long option name is
/usr/\*(SD/sendmail -OQueueTimeout=2m
Some options have security implications.
Sendmail allows you to set these,
but relinquishes its setuid root permissions thereafter\**.
\**That is, it sets its effective uid to the real uid;
thus, if you are executing as root,
as from root's crontab file or during system startup
the root permissions will still be honored.
.sh 2 "Trying a Different Configuration File"
An alternative configuration file
can be specified using the
/usr/\*(SD/sendmail \-Ctest.cf \-oQ/tmp/mqueue
uses the configuration file
in the current directory.
gives up its setuid root permissions
when you use this flag, so it is common to use a publicly writable directory
as the spool directory (QueueDirectory or Q option) while testing.
Many SMTP implementations do not fully implement the protocol.
For example, some personal computer based SMTPs
do not understand continuation lines in reply codes.
These can be very hard to trace.
If you suspect such a problem, you can set traffic logging using the
/usr/\*(SD/sendmail \-X /tmp/traffic \-bd
will log all traffic in the file
This logs a lot of data very quickly and should
during normal operations.
After starting up such a daemon,
force the errant implementation to send a message to your host.
All message traffic in and out of
including the incoming SMTP traffic,
will be logged in this file.
.sh 2 "Testing Configuration Files"
When you build a configuration table,
you can do a certain amount of testing
which would read the configuration file
you enter lines of the form:
is the rewriting set you want to use
is an address to apply the set to.
Test mode shows you the steps it takes
finally showing you the address it ends up with.
You may use a comma separated list of rwsets
for sequential application of rules to an input.
first applies ruleset three to the input
Ruleset one is then applied to the output of ruleset three,
followed similarly by rulesets twenty-one and four.
flag to turn on more debugging.
turns on an incredible amount of information;
is probably going to print out several pages worth of information.
You should be warned that internally,
applies ruleset 3 to all addresses.
you will have to do that manually.
For example, older versions allowed you to use
0 bruce@broadcast.sony.com
This version requires that you use:
3,0 bruce@broadcast.sony.com
some other syntaxes are available in test mode:
This is useful when debugging rules that use the
dumps the contents of the indicated ruleset.
is equivalent to the command-line flag.
There are a number of configuration parameters
depending on the requirements of your site.
using an option in the configuration file.
.q "O Timeout.queuereturn=5d"
Most of these options have appropriate defaults for most sites.
sites having very high mail loads may find they need to tune them
as appropriate for their mail load.
sites experiencing a large number of small messages,
many of which are delivered to many recipients,
may find that they need to adjust the parameters
dealing with queue priorities.
had single character option names.
options have long (multi-character names).
Although old short names are still accepted,
most new options do not have short equivalents.
This section only describes the options you are most likely
All time intervals are set
represents ten minutes, whereas
represents two and a half hours.
The full set of scales is:
specifies how often a sub-daemon will run the queue.
This is typically set to between fifteen minutes
RFC 1123 section 5.3.1.1 recommends that this be at least 30 minutes.
Timeouts all have option names
.q Timeout.\fIsuboption\fP .
their default values, and the minimum values
allowed by RFC 1123 section 5.3.2 are:
The wait for the initial 220 greeting message
The wait for a reply from a HELO or EHLO command
This may require a host name lookup, so
five minutes is probably a reasonable minimum.
The wait for a reply from a MAIL command
The wait for a reply from a RCPT command
because it could be pointing at a list
that takes a long time to expand
The wait for a reply from a DATA command
The wait for reading a data block
(that is, the body of the message).
This should be long because it also applies to programs
which have no guarantee of promptness.
The wait for a reply from the dot terminating a message.
If this is shorter than the time actually needed
for the receiver to deliver the message,
duplicates will be generated.
This is discussed in RFC 1047.
The wait for a reply from a RSET command
The wait for a reply from a QUIT command
The wait for a reply from miscellaneous (but short) commands
such as NOOP (no-operation) and VERB (go into verbose mode).
the time to wait for another command.
The timeout waiting for a reply to an IDENT query
\**On some systems the default is zero to turn the protocol off entirely.
For compatibility with old configuration files,
all the timeouts marked with \(dg are set to the indicated value.
Many of the RFC 1123 minimum values
was designed to the RFC 822 protocols,
which did not specify read timeouts;
prior to version 8.1 did not guarantee to reply to messages promptly.
command specifying a mailing list
will expand and verify the entire list;
a large list on a slow system
may easily take more than five minutes\**.
\**This verification includes looking up every address
this involves network delays,
and can in some cases can be considerable.
I recommend a one hour timeout \*-
since a communications failure during the RCPT phase is rare,
a long timeout is not onerous
and may ultimately help reduce network load
sets the server SMTP command timeout to 25 minutes
and the input data block timeout to three hours.
After sitting in the queue for a few days,
This is to insure that at least the sender is aware
of the inability to send a message.
The timeout is typically set to five days.
It is sometimes considered convenient to also send a warning message
if the message is in the queue longer than a few hours
(assuming you normally have good connectivity;
if your messages normally took several hours to send
you wouldn't want to do this because it wouldn't be an unusual event).
These timeouts are set using the
options in the configuration file
(previously both were set using the
Since these options are global,
and since you can not know
how long another host outside your domain will be down,
a five day timeout is recommended.
This allows a recipient to fix the problem even if it occurs
at the beginning of a long weekend.
RFC 1123 section 5.3.1.1 says that this parameter
should be ``at least 4\-5 days''.
value can be piggybacked on the
option by indicating a time after which
a warning message should be sent;
the two timeouts are separated by a slash.
causes email to fail after five days,
but a warning message will be sent after four hours.
This should be large enough that the message will have been tried
.sh 2 "Forking During Queue Runs"
will fork before each individual message
from consuming large amounts of memory,
so it may be useful in memory-poor environments.
will keep track of hosts that are down during a queue run,
which can improve performance dramatically.
can not use connection caching.
Every message is assigned a priority when it is first instantiated,
consisting of the message size (in bytes)
offset by the message class
(which is determined from the Precedence: header)
and the number of recipients times the
.q "work recipient factor."
The priority is used to order the queue.
Higher numbers for the priority mean that the message will be processed later
The message size is included so that large messages are penalized
relative to small messages.
The message class allows users to send
the value of this field is looked up in the
lines of the configuration file.
Since the number of recipients affects the amount of load a message presents
this is also included into the priority.
The recipient and class factors
can be set in the configuration file using the
They default to 30000 (for the recipient factor)
pri = msgsize - (class times bold ClassFactor) + (nrcpt times bold RecipientFactor)
(Remember, higher values for this parameter actually mean
that the job will be treated with lower priority.)
The priority of a job can also be adjusted each time it is processed
(that is, each time an attempt is made to deliver it)
This is added to the priority,
so it normally decreases the precedence of the job,
on the grounds that jobs that have failed many times
will tend to fail again in the future.
option defaults to 90000.
can be asked to queue (but not deliver)
mail if the system load average gets too high
When the load average exceeds the value of the
the delivery mode is set to
option divided by the difference in the current load average and the
exceeds the priority of the message \(em
that is, the message is queued iff:
pri > { bold QueueFactor } over { LA - { bold QueueLA } + 1 }
option defaults to 600000,
so each point of load average is worth 600000
option defines a load average at which
to accept network connections.
(including incoming UUCP mail)
There are a number of delivery modes that
specify how quickly mail will be delivered.
i deliver interactively (synchronously)
b deliver in background (asynchronously)
q queue only (don't deliver)
gives the sender the quickest feedback,
but may slow down some mailers and
is hardly ever necessary.
puts the minimum load on your machine,
but means that delivery may be delayed for up to the queue interval.
can cause large numbers of processes
if you have a mailer that takes a long time to deliver a message.
will not expand aliases and follow .forward files
upon initial receipt of the mail.
This speeds up the response to RCPT commands.
cannot be used by the SMTP server.
The level of logging can be set for
The default using a standard configuration table is level 9.
The levels are as follows:
Serious system failures and potential security problems.
Lost communications (network problems) and protocol failures.
Message collection statistics.
Creation of error messages,
Delivery failures (host or user unknown, etc.).
Successful deliveries and alias database rebuilds.
(due to a host being down, etc.).
Database expansion (alias, forward, and userdb lookups).
Logs attempts to run locked queue files.
but can be useful to note if your queue appears to be clogged.
Lost locks (only if using lockf instead of flock).
values above 64 are reserved for extremely verbose debugging output.
No normal site would ever set these.
The modes used for files depend on what functionality you want
and the level of security you require.
.sh 3 "To suid or not to suid?"
At the point where it is about to
it checks to see if the userid is zero;
it resets the userid and groupid to a default
for mailers that are trusted
and must be called as root.)
this will cause mail processing
rather than to the user sending the mail.
setuid to root, it will still run but you lose a lot of functionality
and a lot of privacy, since you'll have to make the queue directory
setuid to some pseudo-user
(e.g., create a user called
which will fix the privacy problems
but not the functionality issues.
Also, this isn't a guarantee of security:
root occasionally sends mail,
and the daemon often runs as root.
.sh 3 "Should my alias database be writable?"
we have the alias database
While this is not as flexible as if the database
were more 666, it avoids potential security problems
with a globally writable database.
is represented by the two files
if you are running with the new Berkeley database primitives).
The mode on these files should match the mode
users will be unable to reflect their desired changes
through to the actual database.
and the DBM files are writable,
a slightly sophisticated user
can arrange to steal mail anyway.
If your DBM files are not writable by the world
or you do not have auto-rebuild enabled
then you must be careful to reconstruct the alias database
each time you change the text version:
If this step is ignored or forgotten
any intended changes will also be ignored or forgotten.
.sh 2 "Connection Caching"
When processing the queue,
will try to keep the last few open connections open
to avoid startup and shutdown costs.
This only applies to IPC connections.
When trying to open a connection
the cache is first searched.
If an open connection is found, it is probed to see if it is still active
It is not an error if this fails;
instead, the connection is closed and reopened.
Two parameters control the connection cache.
option defines the number of simultaneous open connections
connections will be closed as quickly as possible.
This should be set as appropriate for your system size;
it will limit the amount of system resources that
will use during queue runs.
Never set this higher than 4.
.b ConnectionCacheTimeout
option specifies the maximum time that any cached connection
will be permitted to idle.
When the idle time exceeds this value
the connection is closed.
This number should be small
to prevent you from grabbing too many resources
The default is five minutes.
.sh 2 "Name Server Access"
Control of host address lookups is set by the
service entry in your service switch file.
If you are on a system that has built-in service switch support
(e.g., Ultrix, Solaris, or DEC OSF/1)
then your system is probably configured properly already.
However, some systems (such as SunOS)
regardless of the setting of the service switch entry.
In particular, the system routine
is used to look up host names,
and many vendor versions try some combination of DNS, NIS,
and file lookup in /etc/hosts
without consulting a service switch.
makes no attempt to work around this problem,
and the DNS lookup will be done anyway.
If you do not have a nameserver configured at all,
such as at a UUCP-only site,
message when it tries to connect to the name server.
switch entry has the service
listed somewhere in the list,
will interpret this to mean a temporary failure
and will queue the mail for later processing;
otherwise, it ignores the name server data.
The same technique is used to decide whether to do MX lookups.
If you want MX support, you
listed as a service in the
option allows you to tweak name server options.
The command line takes a series of flags as documented in
Each can be preceded by an optional `+' or `\(mi'.
O ResolverOptions=+AAONLY \(miDNSRCH
turns on the AAONLY (accept authoritative answers only)
and turns off the DNSRCH (search the domain path) options.
Most resolver libraries default DNSRCH, DEFNAMES, and RECURSE
flags on and all others off.
to specify that there is a wildcard MX record matching your domain;
this turns off MX matching when canonifying names,
which can lead to inappropriate canonifications.
Version level 1 configurations
turn DNSRCH and DEFNAMES off when doing delivery lookups,
but leave them on everywhere else.
ignores them when doing canonification lookups
(that is, when using $[ ... $]),
and always does the search.
If you don't want to do automatic name extension,
The search rules for $[ ... $] are somewhat different than usual.
If the name being looked up
has at least one dot, it always tries the unmodified name first.
If that fails, it tries the reduced search path,
and lastly tries the unmodified name
(but only for names without a dot,
since names with a dot have already been tried).
This allows names such as
to match the site in Czechoslovakia
rather than the site in your local Computer Science department.
It also prefers A and CNAME records over MX records \*-
that is, if it finds an MX record it makes note of it,
This way, if you have a wildcard MX record matching your domain,
it will not assume that all names match.
To completely turn off all name server access
on systems without service switch support
you will have to recompile with
and remove \-lresolv from the list of libraries to be searched
.sh 2 "Moving the Per-User Forward Files"
Some sites mount each user's home directory
from a local disk on their workstation,
so that local access is fast.
However, the result is that .forward file lookups are slow.
mail can even be delivered on machines inappropriately
because of a file server being down.
The performance can be especially bad if you run the automounter.
option allows you to set a path of forward files.
For example, the config file line
O ForwardPath=/var/forward/$u:$z/.forward.$w
would first look for a file with the same name as the user's login
if that is not found (or is inaccessible)
in the user's home directory is searched.
A truly perverse site could also search by sender
If you create a directory such as /var/forward,
(that is, the sticky bit should be set).
Users should create the files mode 644.
On systems that have one of the system calls in the
you can specify a minimum number of free blocks on the queue filesystem
If there are fewer than the indicated number of blocks free
on the filesystem on which the queue is mounted
the SMTP server will reject mail
This invites the SMTP client to try again later.
Beware of setting this option too high;
it can cause rejection of email
when that mail would be processed without difficulty.
.sh 2 "Maximum Message Size"
To avoid overflowing your system with a large message,
option can be set to set an absolute limit
on the size of any one message.
This will be advertised in the ESMTP dialogue
and checked during message collection.
option allows you to set certain
Actually, many of them don't give you any extra privacy,
rather just insisting that client SMTP servers
before using certain commands
or adding extra headers to indicate possible spoof attempts.
The option takes a series of flag names;
the final privacy is the inclusive or of those flags.
O PrivacyOptions=needmailhelo, noexpn
insists that the HELO or EHLO command be used before a MAIL command is accepted
and disables the EXPN command.
The flags are detailed in section
deletes the (envelope) sender from any list expansions.
sends to a list that contains
as one of the members he won't get a copy of the message.
command line flag, or if the
option is set in the configuration file,
this behaviour is suppressed.
Some sites like to run the
.sh 1 "THE WHOLE SCOOP ON THE CONFIGURATION FILE"
This section describes the configuration file
There is one point that should be made clear immediately:
the syntax of the configuration file
is designed to be reasonably easy to parse,
since this is done every time
rather than easy for a human to read or write.
configuration-file compiler.
The configuration file is organized as a series of lines,
each of which begins with a single character
defining the semantics for the rest of the line.
Lines beginning with a space or a tab
(although the semantics are not well defined in many places).
Blank lines and lines beginning with a sharp symbol
.sh 2 "R and S \*- Rewriting Rules"
The core of address parsing
These are an ordered production system.
scans through the set of rewriting rules
looking for a match on the left hand side
the address is replaced by the right hand side
There are several sets of rewriting rules.
Some of the rewriting sets are used internally
and must have specific semantics.
do not have specifically assigned semantics,
and may be referenced by the mailer definitions
or by other rewriting sets.
The syntax of these two commands are:
Sets the current ruleset being collected to
If you begin a ruleset more than once
it deletes the old definition.
by at least one tab character;
there may be embedded spaces
is a pattern that is applied to the input.
the input is rewritten to the
Macro expansions of the form
are performed when the configuration file is read.
are performed at run time using a somewhat less general algorithm.
This for is intended only for referencing internally defined macros
that are changed at runtime.
.sh 3 "The left hand side"
The left hand side of rewriting rules contains a pattern.
Normal words are simply matched directly.
Metasyntax is introduced using a dollar sign.
.ta \w'\fB$=\fP\fIx\fP 'u
\fB$*\fP Match zero or more tokens
\fB$+\fP Match one or more tokens
\fB$\-\fP Match exactly one token
\fB$=\fP\fIx\fP Match any phrase in class \fIx\fP
\fB$~\fP\fIx\fP Match any word not in class \fIx\fP
they are assigned to the symbol
for replacement on the right hand side,
the rule will match, and the values passed to the RHS will be:
Additionally, the LHS can include
on the RHS, and is normally only used when it stands alone
in order to match the null input.
.sh 3 "The right hand side"
When the left hand side of a rewriting rule matches,
the input is deleted and replaced by the right hand side.
Tokens are copied directly from the RHS
unless they begin with a dollar sign.
\fB$\fP\fIn\fP Substitute indefinite token \fIn\fP from LHS
\fB$[\fP\fIname\fP\fB$]\fP Canonicalize \fIname\fP
\fB$(\fP\fImap key\fP \fB$@\fP\fIarguments\fP \fB$:\fP\fIdefault\fP \fB$)\fP
Generalized keyed mapping function
\fB$>\fP\fIn\fP \*(lqCall\*(rq ruleset \fIn\fP
\fB$#\fP\fImailer\fP Resolve to \fImailer\fP
\fB$@\fP\fIhost\fP Specify \fIhost\fP
\fB$:\fP\fIuser\fP Specify \fIuser\fP
syntax substitutes the corresponding value from a
A host name enclosed between
is looked up in the host database(s)
and replaced by the canonical name\**.
to $(host \fIhostname\fP$).
.q vangogh.CS.Berkeley.EDU.
recognizes it's numeric IP address
without calling the name server
and replaces it with it's canonical name.
syntax is a more general form of lookup;
it uses a named map instead of an implicit map.
If no lookup is found, the indicated
if no default is specified and no lookup matches,
the value is left unchanged.
are passed to the map for possible use.
causes the remainder of the line to be substituted as usual
and then passed as the argument to ruleset
The final value of ruleset
the substitution for this rule.
syntax can only be used at the beginning of the right hand side;
it can be only be preceded by
or a subroutine of ruleset zero.
It causes evaluation of the ruleset to terminate immediately,
that the address has completely resolved.
\fB$#\fP\fImailer\fP \fB$@\fP\fIhost\fP \fB$:\fP\fIuser\fP
3-tuple necessary to direct the mailer.
the host part may be omitted\**.
\**You may want to use it for special
For example, in the address
part is not part of the user name,
and is passed to the local mailer for local use.
is the builtin IPC mailer,
may be a colon-separated list of hosts
that are searched in order for the first working address
(exactly like MX records).
is later rewritten by the mailer-specific envelope rewriting set
As a special case, if the value to
and the first character of the
is stripped off, and a flag is set in the address descriptor
that causes sendmail to not do ruleset 5 processing.
Normally, a rule that matches is retried,
the rule loops until it fails.
A RHS may also be preceded by a
prefix causes the ruleset to return with the remainder of the RHS
prefix causes the rule to terminate immediately,
but the ruleset to continue;
this can be used to avoid continued application of a rule.
The prefix is stripped before continuing.
passes that to ruleset seven,
is necessary to avoid an infinite loop.
Substitution occurs in the order described,
parameters from the LHS are substituted,
hostnames are canonicalized,
.sh 3 "Semantics of rewriting rule sets"
There are five rewriting sets
that have specific semantics.
Four of these are related as depicted by figure 1.
-->| 0 |-->resolved address
+---+ / +---+ / +---+ +---+ \e +---+
addr-->| 3 |-->| D |-- --->| 4 |-->msg
+---+ +---+ \e +---+ +---+ / +---+
BoxD: box "D"; line; L1: Here
C1: arrow; box "1"; arrow; box "S"; line; E1: Here
move to C1 down 0.5; right
C2: arrow; box "2"; arrow; box "R"; line; E2: Here
] with .w at L1 + (0.5, 0)
L4: arrow; box "4"; arrow; box invis "msg"
move to BoxD.n up 0.6; right
arrow; box invis "resolved address" width 1.3
line from 1/3 of the way between A1 and BoxD.w to Box0
Figure 1 \*- Rewriting set semantics
D \*- sender domain addition
S \*- mailer-specific sender rewriting
R \*- mailer-specific recipient rewriting
should turn the address into
This form should have the basic syntax:
local-part@host-domain-spec
before doing anything with any address.
flag is set in the mailer definition
is applied after ruleset three
to addresses that are going to actually specify recipients.
.i "{mailer, host, user}"
must be defined in the mailer definitions
from the configuration file.
for use in the argv expansion of the specified mailer.
are applied to all sender and recipient addresses respectively.
They are applied before any specification
in the mailer definition.
Ruleset four is applied to all addresses
to translate internal to external form.
Some special processing occurs
if the ruleset zero resolves to an IPC mailer
(that is, a mailer that has
listed as the Path in the
The host name passed after
has MX expansion performed;
this looks the name up in DNS to find alternate delivery sites.
The host name can also be provided as a dotted quad in square brackets;
This causes direct conversion of the numeric value
to a TCP/IP host address.
The host name passed in after the
may also be a colon-separated list of hosts.
Each is separately MX expanded and the results are concatenated
to make (essentially) one long MX list.
The intent here is to create
MX records that are not published in DNS
for private internal networks.
As a final special case, the host name can be passed in
This form avoids the MX mapping.
This is intended only for situations where you have a network firewall
or other host that will do special processing for all your mail,
so that your MX record points to a gateway machine;
this machine could then do direct delivery to machines
within your local domain.
Use of this feature directly violates RFC 1123 section 5.3.5:
it should not be used lightly.
.sh 2 "D \*- Define Macro"
Macros are named with a single character
or with a word in {braces}.
Single character names may be selected from the entire ASCII set,
should be selected from the set of upper case letters only.
Long names beginning with a lower case letter or a punctuation character
are reserved for use by sendmail,
so user-defined long macro names should begin with an upper case letter.
The syntax for macro definitions is:
(which may be a single character
is the value it should have.
There should be no spaces given
that do not actually belong in the macro value.
is the name of the macro to be interpolated.
This interpolation is done when the configuration file is read,
lines to get deferred interpolation.
Conditionals can be specified using the syntax:
Lower case macro names are reserved to have
used to pass information in or out of
and special characters are reserved to
provide conditionals, etc.
are specifically reserved for configuration file authors.
The following macros are defined and/or used internally by
for interpolation into argv's for mailers
The ones marked \(dg are information passed into sendmail\**,
all of these macros have reasonable defaults.
Previous versions required that they be defined.
the ones marked \(dd are information passed both in and out of sendmail,
and the unmarked macros are passed out of sendmail
but are not otherwise used internally.
The origination date in RFC 822 format.
This is extracted from the Date: line.
The current date in RFC 822 format.
This is a count of the number of Received: lines
The current date in UNIX (ctime) format.
This is printed out when SMTP starts up.
The first word must be the
macro as specified by RFC821.
.q "$j Sendmail $v ready at $b" .
Commonly redefined to include the configuration version number, e.g.,
.q "$j Sendmail $v/$Z ready at $b"
The envelope sender (from) address.
The sender address relative to the recipient.
or whatever is appropriate for the receiving mailer.
This is set in ruleset 0 from the $# field of a parsed address.
The \*(lqofficial\*(rq domain name for this site.
This is fully qualified if the full qualification can be found.
be redefined to be the fully qualified domain name
if your system is not configured so that information can find
The UUCP node name (from the uname system call).
The format of the UNIX from line.
Unless you have changed the UNIX mailbox format,
you should not change the default,
The domain part of the \fIgethostname\fP return value.
Under normal circumstances,
The name of the daemon (for error messages).
The set of \*(lqoperators\*(rq in addresses.
which will be considered tokens
and which will separate tokens
would be scanned as three tokens:
which is the minimum set necessary to do RFC 822 parsing;
a richer set of operators is
which adds support for UUCP, the %-hack, and X.400 addresses.
Default format of sender address.
macro specifies how an address should appear in a message
It is commonly redefined to be
corresponding to the following two formats:
Eric Allman <eric@CS.Berkeley.EDU>
eric@CS.Berkeley.EDU (Eric Allman)
properly quotes names that have special characters
if the first form is used.
Protocol used to receive the message.
command line flag or by the SMTP server code.
command line flag or by the SMTP server code.
A numeric representation of the current time.
The version number of the
The hostname of this site.
This is the root name of this host (but see below for caveats).
The full name of the sender.
The home directory of the recipient.
The validated sender address.
There are three types of dates that can be used.
macros are in RFC 822 format;
is the time as extracted from the
is the current date and time
line is found in the incoming message,
is set to the current time also.
macro is equivalent to the
are set to the identity of this host.
tries to find the fully qualified name of the host
to get the current hostname
which is supposed to return the canonical version of that host name.\**
\**For example, on some systems
Assuming this is successful,
is set to the fully qualified name
is set to the domain part of the name
(everything after the first dot).
macro is set to the first word
(everything before the first dot)
if you have a level 5 or higher configuration file;
otherwise, it is set to the same value as
If the canonification is not successful,
it is imperative that the config file set
to the fully qualified domain name\**.
\**Older versions of sendmail didn't pre-define
macro is the id of the sender
as originally determined;
when mailing to a specific host
macro is set to the address of the sender
relative to the recipient.
.q bollard@matisse.CS.Berkeley.EDU
.q vangogh.CS.Berkeley.EDU
.q eric@vangogh.CS.Berkeley.EDU.
macro is set to the full name of the sender.
This can be determined in several ways.
It can be passed as flag to
The third choice is the value of the
line in the header if it exists,
and the fourth choice is the comment field
and if the message is being originated locally,
the full name is looked up in the
macros get set to the host, user, and home directory
The first two are set from the
part of the rewriting rules, respectively.
macros are used to create unique strings
macro is set to the queue id on this host;
if put into the timestamp line
it can be extremely useful for tracking messages.
macro is set to be the version number of
this is normally put in timestamps
and has been proven extremely useful for debugging.
i.e., the number of times this message has been processed.
or by counting the timestamps in the message.
fields are set to the protocol used to communicate with
and the sending hostname.
They can be set together using the
command line flag or separately using the
is set to a validated sender host name.
If the sender is running an RFC 1413 compliant IDENT server
and the receiver has the IDENT protocol turned on,
it will include the user name on that host.
.sh 2 "C and F \*- Define Classes"
Classes of phrases may be defined
to match on the left hand side of rewriting rules,
is a sequence of characters that do not contain space characters.
a class of all local names for this site
so that attempts to send to oneself
These can either be defined directly in the configuration file
or read in from another file.
Classes are named as a single letter or a word in {braces}.
Class names beginning with lower case letters
and special characters are reserved for system use.
Classes defined in config files may be given names
from the set of upper case letters for short names
or beginning with an upper case letter for long names.
The first form defines the class
to match any of the named words.
It is permissible to split them among multiple lines;
for example, the two forms:
reads the elements of the class
Elements of classes can be accessed in rules using
(match entries not in class)
only matches a single word;
multi-word entries in the class are ignored in this context.
is set to be the set of all names
This can be used to match local hostnames.
that is, the UUCP node name.
is set to the set of domains by which this host is known,
is set to the set of trusted users by the
If you want to read trusted users from a file use
can be set to the set of MIME body types
that can never be eight to seven bit encoded.
.q message/external-body ,
can be compiled to allow a
This lets you do simplistic parsing of text files.
For example, to read all the user names in your system
which reads every line up to the first colon.
.sh 2 "M \*- Define Mailer"
Programs and interfaces to mailers
are defined in this line.
is the name of the mailer
pairs define attributes of the mailer.
Path The pathname of the mailer
Flags Special flags for this mailer
Sender Rewriting set(s) for sender addresses
Recipient Rewriting set(s) for recipient addresses
Argv An argument vector to pass to this mailer
Eol The end-of-line string for this mailer
Maxsize The maximum message length to this mailer
Linelimit The maximum line length in the message body
Directory The working directory for the mailer
Userid The default user and group id to run as
Nice The nice(2) increment for the mailer
Charset The default character set for 8-bit characters
Type The MTS type information (used for error messages)
Only the first character of the field name is checked.
The following flags may be set in the mailer description.
Any other flags may be used freely
to conditionally assign headers to messages
destined for particular mailers.
are not interpreted by the
these are the conventionally used to correlate to the flags portion
apply to the mailers for the sender address
rather than the usual recipient mailers.
Run Extended SMTP (ESMTP) protocol (defined in RFCs 1651, 1652, and 1653).
This flag defaults on if the SMTP greeting message includes the word
Look up the user part of the address in the alias database.
Normally this is only set for local mailers.
Force a blank line on the end of a message.
This is intended to work around some stupid versions of
that require a blank line, but do not provide it themselves.
It would not normally be used on network mail.
Do not include comments in addresses.
This should only be used if you have to work around
a remote mailer that gets confused by comments.
This strips addresses of the form
from a mailer with this flag set,
any addresses in the header that do not have an at sign
after being rewritten by ruleset three
clause from the sender envelope address
This allows mail with headers of the form:
To: userb@hostb, userc@hosta
However, it doesn't really work reliably.
This mailer is expensive to connect to,
so try to avoid connecting normally;
any necessary connection will occur during a queue run.
Escape lines beginning with
in the message with a `>' sign.
but only if this is a network forward operation
the mailer will give an error
does not have special permissions).
sends internally generated email (e.g., error messages)
using the null return address
However, some mailers don't accept a null return address.
from obeying the standards;
error messages will be sent as from the MAILER-DAEMON
(actually, the value of the
Upper case should be preserved in host names
This mailer will be speaking SMTP
as such it can use special protocol features.
This option is not required
if this option is omitted the transmission will still operate successfully,
although perhaps not as efficiently as possible).
connects to a host via SMTP,
it checks to make sure that this isn't accidently the same host name
is misconfigured or if a long-haul network interface is set in loopback mode.
This flag disables the loopback check.
It should only be used under very unusual circumstances.
final delivery will be performed).
Limit the line lengths as specified in RFC821.
This deprecated option should be replaced by the
For historic reasons, the
This mailer can send to multiple users
part of the mailer definition,
that field will be repeated as necessary
for all qualifying users.
Do not insert a UNIX-style
line on the front of the message.
Always run as the owner of the recipient mailbox.
runs as the sender for locally generated mail
(actually, the user specified in the
when delivering network mail.
The normal behaviour is required by most local mailers,
which will not allow the envelope sender address
to be set unless the mailer is running as daemon.
This flag is ignored if the
Use the route-addr style reverse-path in the SMTP
rather than just the return address;
although this is required in RFC821 section 3.1,
many hosts do not process reverse-paths properly.
Reverse-paths are officially discouraged by RFC 1123.
Strip quote characters (" and \e) off of the address
before calling the mailer.
before calling the mailer.
This would be used in a secure environment
This could be used to avoid forged addresses.
this flag causes the user id to always be set to that user and group
(instead of leaving it as root).
Upper case should be preserved in user names
This mailer wants UUCP-style
The user must have a valid account on this machine,
This mailer want to use the hidden dot algorithm
any line beginning with a dot
will have an extra dot prepended
(to be stripped at the other end).
This insures that lines in the message containing a dot
will not terminate the message prematurely.
If no aliases are found for this address,
pass the address through ruleset 5 for possible alternate resolution.
This is intended to forward the mail to an alternate delivery spot.
Strip all output to seven bits.
This is the default if the
Note that clearing this option is not
sufficient to get full eight bit data passed through
option is set, this is essentially always set,
since the eighth bit was stripped on input.
Note that this option will only impact messages
that didn't have 8\(->7 bit MIME conversions performed.
it is acceptable to send eight bit data to this mailer;
the usual attempt to do 8\(->7 bit MIME conversions will be bypassed.
Check addresses to see if they begin
if they do, convert them to the
Check addresses to see if they begin with a `|';
if they do, convert them to the
Check addresses to see if they begin with a `/';
if they do, convert them to the
Look up addresses in the user database.
Configuration files prior to level 6
assume the `A', `w', `5', `:', `|', `/', and `@' options
The mailer with the special name
can be used to generate a user error.
The (optional) host field is an exit status to be returned,
and the user field is a message to be printed.
The exit status may be numeric or one of the values
USAGE, NOUSER, NOHOST, UNAVAILABLE, SOFTWARE, TEMPFAIL, PROTOCOL, or CONFIG
to return the corresponding EX_ exit code.
$#error $@ NOHOST $: Host unknown in this domain
will cause the specified error to be generated
exit status to be returned
This mailer is only functional in rulesets zero or five.
be defined in every configuration file.
This is used to deliver local mail,
and is treated specially in several ways.
Additionally, three other mailers named
may be defined to tune the delivery of messages to programs,
and :include: lists respectively.
Mprog, P=/bin/sh, F=lsD, A=sh \-c $u
M*file*, P=/dev/null, F=lsDFMPEu, A=FILE
M*include*, P=/dev/null, F=su, A=INCLUDE
The Sender and Recipient rewriting sets
may either be a simple ruleset id
or may be two ids separated by a slash;
if so, the first rewriting set is applied to envelope
and the second is applied to headers.
is actually a colon-separated path of directories to try.
For example, the definition
first tries to execute in the recipient's home directory;
if that is not available,
it tries to execute in the root of the filesystem.
This is intended to be used only on the
since some shells (such as
refuse to execute if they cannot read the home directory.
Since the queue directory is not normally readable by unprivileged users
scripts as recipients can fail.
specifies the default user and group id to run as,
mailer flag is also specified,
this is the user and group to run as in all circumstances.
to set both the user and group id;
either may be an integer or a symbolic name to be looked up
If only a symbolic user name is specified,
file for that user is used as the group id.
is used when converting a message to MIME;
this is the character set used in the
and if that is not set, the value
this field applies to the sender's mailer,
not the recipient's mailer.
For example, if the envelope sender address
lists an address on the local network
and the recipient is on an external network,
the character set will be set from the Charset= field
for the local network mailer,
not that of the external network mailer.
sets the type information
used in MIME error messages
It is actually three values separated by slashes:
the MTA-type (that is, the description of how hosts are named),
the address type (the description of e-mail addresses),
and the diagnostic type (the description of error diagnostic codes).
Each of these must be a registered value
.sh 2 "H \*- Define Header"
The format of the header lines that
The syntax of this line is:
Continuation lines in this spec
are reflected directly into the outgoing message.
is macro expanded before insertion into the message.
(surrounded by question marks)
at least one of the specified flags
must be stated in the mailer definition
for this header to be automatically output.
If one of these headers is in the input
it is reflected to the output
regardless of these flags.
Some headers have special semantics
that will be described later.
can be set from a configuration file.
Options are represented by full words;
some are also representable as single characters
The syntax of this line is:
be a space between the letter `O' and the name of the option.
may be a string, an integer,
The options supported (with the old, one character names in brackets) are:
.ip "AliasFile=\fIspec, spec, ...\fP"
Specify possible alias file(s).
is optional and defaults to ``implicit''.
is compiled, valid classes are
(search through a compiled-in list of alias file types,
(internal symbol table \*- not normally used
unless you have no other database lookup),
.ip AliasWait=\fItimeout\fP
(units default to minutes)
entry to exist in the alias database
If it does not appear in the
rebuild the alias database if necessary and possible.
If this option is not set,
will never rebuild the alias database
unless explicitly requested
Not recommended \(em can cause thrashing.
Set the blank substitution character to
Unquoted spaces in addresses are replaced by this character.
Defaults to space (i.e., no change is made).
Validate the RHS of aliases when rebuilding the alias database.
.ip CheckpointInterval=\fIN\fP
Checkpoints the queue every
If your system crashes during delivery to a large list,
this prevents retransmission to any but the last
.ip ClassFactor=\fIfact\fP
is multiplied by the message class
(determined by the Precedence: field in the user header
lines in the configuration file)
and subtracted from the priority.
Thus, messages with a higher Priority: will be favored.
If set, colons are acceptable in e-mail addresses
If not set, colons indicate the beginning of a RFC 822 group construct
.q "groupname: member1, member2, ... memberN;" ).
Doubled colons are always acceptable
and proper route-addr nesting is understood
Furthermore, this option defaults on if the configuration version level
is less than 6 (for back compatibility).
However, it must be off for full compatibility with RFC 822.
.ip ConnectionCacheSize=\fIN\fP
The maximum number of open connections that will be cached at a time.
This delays closing the current connection until
either this invocation of
needs to connect to another host
Setting it to zero defaults to the old behavior,
that is, connections are closed immediately.
Since this consumes file descriptors,
the connection cache should be kept small:
4 is probably a practical maximum.
.ip ConnectionCacheTimeout=\fItimeout\fP
The maximum amount of time a cached connection will be permitted to idle
If this time is exceeded,
the connection is immediately closed.
This value should be small (on the order of ten minutes).
uses a cached connection,
it always sends a RSET command
if this fails, it reopens the connection.
This keeps your end from failing if the other end times out.
The point of this option is to be a good network neighbor
and avoid using up excessive resources
The default is five minutes.
.ip DaemonPortOptions=\fIoptions\fP
Port Name/number of listening port (defaults to "smtp")
Addr Address mask (defaults INADDR_ANY)
Family Address family (defaults to INET)
Listen Size of listen queue (defaults to 10)
SndBufSize Size of TCP send buffer
RcvBufSize Size of TCP receive buffer
mask may be a numeric address in dot notation
.ip DefaultCharSet=\fIcharset\fP
When a message that has 8-bit characters but is not in MIME format
(see the EightBitMode option)
a character set must be included in the Content-Type: header.
This character set is normally set from the Charset= field
of the mailer descriptor.
If that is not set, the value of this option is used.
If this option is not set, the value
.ip DefaultUser=\fIuser:group\fP
Set the default userid for mailers to
(as opposed to a numeric user id)
the default group listed in the /etc/passwd file for that user is used
flag in the mailer definition
The value can also be given as a symbolic user name.\**
option has been combined into the
i Deliver interactively (synchronously)
b Deliver in background (asynchronously)
q Just queue the message (deliver during queue run)
Defaults to ``b'' if no option is specified,
``i'' if it is specified but given no argument
(i.e., ``Od'' is equivalent to ``Odi'').
command line flag sets this to
.ip DialDelay=\fIsleeptime\fP
Dial-on-demand network connections can see timeouts
if a connection is opened before the call is set up.
If this is set to an interval and a connection times out
on the first connection being attempted
will sleep for this amount of time and try again.
This should give your system time to establish the connection
to your service provider.
Units default to seconds, so
uses a five second delay.
The standards say that all host addresses used in a mail message
For example, if your host is named
the former name must be used at all times.
This is enforced during host name canonification
If this option is set, the protocols are ignored and the
However, the IETF is moving toward changing this standard,
so the behaviour may become acceptable.
Please note that hosts downstream may still rewrite the address
to be the true canonical name however.
tries to eliminate any unnecessary explicit routes
when sending an error message
(as discussed in RFC 1123 \(sc 5.2.6).
when sending an error message to
<@known1,@known2,@known3:user@unknown>
in order to make the route as direct as possible.
option is set, this will be disabled,
and the mail will be sent to the first address in the route,
even if later addresses are known.
This may be useful if you are caught behind a firewall.
.ip EightBitMode=\fIaction\fP
Set handling of eight-bit data.
There are two kinds of eight-bit data:
that declared as such using the
and undeclared 8-bit data, that is,
input that just happens to be eight bits.
There are three basic operations that can happen:
undeclared 8-bit data can be automatically converted to 8BITMIME,
undeclared 8-bit data can be passed as-is without conversion to MIME
and declared 8-bit data can be converted to 7-bits
for transmission to a non-8BITMIME mailer.
.\" r Reject undeclared 8-bit data;
.\" don't convert 8BITMIME\(->7BIT (``reject'')
s Reject undeclared 8-bit data (``strict'')
.\" do convert 8BITMIME\(->7BIT (``strict'')
.\" c Convert undeclared 8-bit data to MIME;
.\" don't convert 8BITMIME\(->7BIT (``convert'')
m Convert undeclared 8-bit data to MIME (``mime'')
.\" do convert 8BITMIME\(->7BIT (``mime'')
.\" j Pass undeclared 8-bit data;
.\" don't convert 8BITMIME\(->7BIT (``just send 8'')
p Pass undeclared 8-bit data (``pass'')
.\" do convert 8BITMIME\(->7BIT (``pass'')
.\" a Adaptive algorithm: see below
.\"The adaptive algorithm is to accept 8-bit data,
.\"converting it to 8BITMIME only if the receiver understands that,
.\"otherwise just passing it as undeclared 8-bit data;
.\"8BITMIME\(->7BIT conversions are done.
In all cases properly declared 8BITMIME data will be converted to 7BIT
.ip ErrorHeader=\fIfile-or-message\fP
Prepend error messages with the indicated message.
If it begins with a slash,
it is assumed to be the pathname of a file
containing a message (this is the recommended setting).
Otherwise, it is a literal message.
The error file might contain the name, email address, and/or phone number
of a local postmaster who could provide assistance
If the option is missing or null,
or if it names a file which does not exist or which is not readable,
Dispose of errors using mode
p Print error messages (default)
q No messages, just give exit status
w Write back errors (mail if user not logged in)
e Mail back errors and give zero exit stat always
.ip FallbackMXhost=\fIfallbackhost\fP
acts like a very low priority MX
This is intended to be used by sites with poor network connectivity.
deliver each job that is run from the queue in a separate process.
Use this option if you are short of memory,
since the default tends to consume considerable amounts of memory
while the queue is being processed.
.ip ForwardPath=\fIpath\fP
Set the path for searching for users' .forward files.
Some sites that use the automounter may prefer to change this to
to search a file with the same name as the user in a system directory.
It can also be set to a sequence of paths separated by colons;
stops at the first file it can successfully and safely open.
.q /var/forward/$u:$z/.forward
will search first in /var/forward/\c
(but only if the first file does not exist).
If an outgoing mailer is marked as being expensive,
don't connect immediately.
This requires that queueing be compiled in,
since it will depend on a queue run process to
Ignore dots in incoming messages.
This is always disabled (that is, dots are always accepted)
Set the default log level to
This is intended only for use from the command line.
Allow fuzzy matching on the GECOS field.
and the usual user name lookups fail
(that is, there is no alias with this name and a
sequentially search the password file
for a matching entry in the GECOS field.
This also requires that MATCHGECOS
be turned on during compilation.
This option is not recommended.
Messages that have been processed more than
times are assumed to be in a loop and are rejected.
.ip MaxHostStatAge=\fIage\fP
This option specifies how long host status information will be retained.
For example, if a host is found to be down,
connections to that host will not be retried for this interval.
The units default to minutes.
.ip MaxQueueRunSize=\fIN\fP
The maximum number of jobs that will be processed
If not set, there is no limit on the size.
If you have very large queues or a very short queue run interval
jobs in queue directory order are run (rather than the
this should be set as high as possible to avoid
jobs that happen to fall late in the queue directory.
even if I am in an alias expansion.
.ip MaxMessageSize=\fIN\fP
Specify the maximum message size
to be advertised in the ESMTP EHLO response.
Messages larger than this will be rejected.
.ip MinFreeBlocks=\fIN\fP
blocks free on the filesystem that holds the queue files
before accepting email via SMTP.
If there is insufficient space
This invites the sender to try again later.
.ip MinQueueAge=\fPage\fP
Don't process any queued jobs
that have been in the queue less than the indicated time interval.
This is intended to allow you to get responsiveness
by processing the queue fairly frequently
without thrashing your system by trying jobs too often.
The default units are minutes.
.ip ResolverOptions=\fIoptions\fP
can be specified to turn off matching against MX records
when doing name canonifications.
this option indicated that the name server be responding
in order to accept addresses.
This has been replaced by checking to see
method is listed in the service switch entry for the
The action to take when you receive a message that has no valid
recipient headers (To:, Cc:, Bcc:).
to pass the message on unmodified,
which violates the protocol,
to add a To: header with any recipients it can find in the envelope
(which might expose Bcc: recipients),
to add an Apparently-To: header
(this is only for back-compatibility
and is officially deprecated),
.q "To: undisclosed-recipients:;"
to make the header legal without disclosing anything,
to add an empty Bcc: header.
Assume that the headers may be in old format,
if any recipient address contains a comma, parenthesis,
it will be assumed that commas already exist.
only commas delimit names.
Headers are always output with commas between the names.
.ip PostmasterCopy=\fIpostmaster\fP
copies of error messages will be sent to the named
Only the header of the failed message is sent.
Since most errors are user problems,
this is probably not a good idea on large sites,
and arguably contains all sorts of privacy violations,
but it seems to be popular with certain operating systems vendors.
Defaults to no postmaster copies.
.ip PrivacyOptions=\fI\|opt,opt,...\fP
``Privacy'' is really a misnomer;
many of these are just a way of insisting on stricter adherence
needmailhelo Insist on HELO or EHLO command before MAIL
needexpnhelo Insist on HELO or EHLO command before EXPN
noexpn Disallow EXPN entirely
needvrfyhelo Insist on HELO or EHLO command before VRFY
novrfy Disallow VRFY entirely
restrictmailq Restrict mailq command
restrictqrun Restrict \-q command line flag
noreceipts Ignore Return-Receipt-To: header
goaway Disallow essentially all SMTP status queries
authwarnings Put X-Authentication-Warning: headers in messages
pseudo-flag sets all flags except
only people in the same group as the queue directory
If queue runs are restricted,
only root and the owner of the queue directory
Authentication Warnings add warnings about various conditions
that may indicate attempts to spoof the mail system,
such as using an non-standard queue directory.
.ip QueueDirectory=\fIdir\fP
.ip QueueFactor=\fIfactor\fP
as the multiplier in the map function
to decide when to just queue up jobs rather than run them.
This value is divided by the difference between the current load average
and the load average limit
to determine the maximum message priority
When the system load average exceeds
(i.e., don't try to send them).
.ip QueueSortOrder=\fIalgorithm\fP
used for sorting the queue.
Only the first character of the value is used.
(to order by the name of the first host name of the first recipient)
(to order strictly by message priority).
Host ordering makes better use of the connection cache,
but may tend to process low priority messages
over high priority messages that go to several hosts;
it probably shouldn't be used on slow network links.
Priority ordering is the default.
.ip Timeout.\fItype\fP=\|\fItimeout\fP
[r; subsumes old T option as well]
The actual timeout is indicated by the
The recognized timeouts and their default values, and their
minimum values specified in RFC 1123 section 5.3.2 are:
initial wait for initial greeting message [5m, 5m]
helo reply to HELO or EHLO command [5m, none]
mail reply to MAIL command [10m, 5m]
rcpt reply to RCPT command [1h, 5m]
datainit reply to DATA command [5m, 2m]
datablock data block read [1h, 3m]
datafinal reply to final ``.'' in data [1h, 10m]
rset reply to RSET command [5m, none]
quit reply to QUIT command [2m, none]
misc reply to NOOP and VERB commands [2m, none]
ident IDENT protocol timeout [30s, none]
fileopen\(dg timeout on opening .forward and :include: files [60s, none]
command\(dg command read [1h, 5m]
queuereturn\(dg how long until a message is returned [5d, 5d]
queuewarn\(dg how long until a warning is sent [none, none]
All but those marked with a dagger (\(dg)
If the message is submitted using the
warning messages will only be sent if
The queuereturn and queuewarn timeouts
can be further qualified with a tag based on the Precedence: field
(indicating a positive non-zero precedence)
(indicating a zero precedence), or
(indicating negative precedences).
.q Timeout.queuewarn.urgent=1h
sets the warning timeout for urgent messages only
The default if no precedence is indicated
is to set the timeout for all precedences.
.ip RecipientFactor=\fIfact\fP
is added to the priority (thus
i.e., this value penalizes jobs with large numbers of recipients.
When the system load average exceeds
refuse incoming SMTP connections.
.ip RetryFactor=\fIfact\fP
every time a job is processed.
each time a job is processed,
its priority will be decreased by the indicated value.
In most environments this should be positive,
since hosts that are down are all too often down for a long time.
lines at the front of headers.
Normally they are assumed redundant
If set, send error messages in MIME format
(see RFC1521 and RFC1344 for details).
.ip ServiceSwitchFile=\fIfilename\fP
If your host operating system has a service switch abstraction
(e.g., /etc/nsswitch.conf on Solaris
or /etc/svc.conf on Ultrix and DEC OSF/1)
that service will be consulted and this option is ignored.
Otherwise, this is the name of a file
that provides the list of methods used to implement particular services.
The syntax is a series of lines,
each of which is a sequence of words.
The first word is the service name,
and following words are service types.
(with the caveat that the appropriate support
before the service can be referenced).
If ServiceSwitchFile is not specified, it defaults to /etc/service.switch.
If that file does not exist, the default switch is:
Strip input to seven bits for compatibility with old systems.
This shouldn't be necessary.
.ip StatusFile=\fIfile\fP
Log summary statistics in the named
no summary statistics are saved.
This file does not grow in size.
It can be printed using the
Be super-safe when running things,
always instantiate the queue file,
even if you are going to attempt immediate delivery.
always instantiates the queue file
before returning control the client
.ip TempFileMode=\fImode\fP
The file mode for queue files.
It is interpreted in octal by default.
.ip TimeZoneSpec=\fItzinfo\fP
Set the local time zone info to
Actually, if this is not set,
the TZ environment variable is cleared (so the system default is used);
if set but null, the user's TZ variable is used,
and if set and non-null the TZ variable is set to this value.
(that is, lowest preference)
its configuration rules should normally detect this situation
and treat that condition specially
by forwarding the mail to a UUCP feed,
However, in some cases (such as Internet firewalls)
you may want to try to connect directly to that host
as though it had no MX records at all.
Setting this option causes
The downside is that errors in your configuration
are likely to be diagnosed as
instead of something more meaningful.
This option is disrecommended.
header, send error messages to the addresses listed there.
They normally go to the envelope sender.
Use of this option causes
This option is disrecommended and deprecated.
.ip UserDatabaseSpec=\fIudbspec\fP
The user database specification.
so that all mail is delivered completely
so that you can see the entire delivery process.
be set in the configuration file;
it is intended for command line use only.
All options can be specified on the command line using the
to relinquish its setuid permissions.
The options that will not cause this are
Also, M (define macro) when defining the r or s macros
.sh 2 "P \*- Precedence Definitions"
field may be defined using the
The syntax of this field is:
\fBP\fP\fIname\fP\fB=\fP\fInum\fP
the message class is set to
Higher numbers mean higher precedence.
have the special property
that if an error occurs during processing
the body of the message will not be returned;
this is expected to be used for
mail such as through mailing lists.
The default precedence is zero.
our list of precedences is:
People writing mailing list exploders
(which discarded all error returns for negative precedences)
didn't recognize this name, giving it a default precedence of zero.
This allows list maintainers to see error returns
on both old and new versions of
.sh 2 "V \*- Configuration Version Level"
To provide compatibility with old configuration files,
line has been added to define some very basic semantics
of the configuration file.
These are not intended to be long term supports;
rather, they describe compatibility features
which will probably be removed in future releases.
used version level 6 configurations.
configuration files are defined as version level one.
Version level two files make the following changes:
Host name canonification ($[ ... $])
appends a dot if the name is recognized;
this gives the config file a way of finding out if anything matched.
(Actually, this just initializes the
flag \*- you can reset it to anything you prefer
by declaring the map explicitly.)
Default host name extension is consistent throughout processing;
version level one configurations turned off domain extension
(that is, adding the local domain name)
during certain points in processing.
Version level two configurations are expected to include a trailing dot
to indicate that the name is already canonical.
Local names that are not aliases
are passed through a new distinguished ruleset five;
this can be used to append a local relay.
This behaviour can be prevented by resolving the local name
That is, something that resolves to a local mailer and a user name of
will be passed through ruleset five,
will have the `@' stripped,
will not be passed through ruleset five,
but will otherwise be treated the same as the prior example.
The expectation is that this might be used to implement a policy
was handled by a central hub,
Version level three files
allow # initiated comments on all lines.
Exceptions are backslash escaped # marks
Version level four configurations
are completely equivalent to level three
Version level five configuration files
change the default definition of
to be just the first component of the hostname.
Version level six configuration files
change many of the local processing options
(such as aliasing and matching the beginning of the address for
this allows fine-grained control over the special local processing.
Level six configuration files may also use long option names.
option (to allow colons in the local-part of addresses)
for lower numbered configuration files;
the configuration file requires some additional intelligence
to properly handle the RFC 822 group construct.
line may have an optional
to indicate that this configuration file uses modifications
specific to a particular vendor\**.
\**And of course, vendors are encouraged to add themselves
to the list of recognized vendors by editing the routine
Please send e-mail to sendmail@CS.Berkeley.EDU
to register your vendor dialect.
to emphasize that this configuration file
uses the Berkeley dialect of
.sh 2 "K \*- Key File Declaration"
Special maps can be defined using the line:
Kmapname mapclass arguments
is the handle by which this map is referenced in the rewriting rules.
is the name of a type of map;
are interpreted depending on the class;
there would be a single argument naming the file containing the map.
Maps are referenced using the syntax:
$( \fImap\fP \fIkey\fP $@ \fIarguments\fP $: \fIdefault\fP $)
where either or both of the
may appear more than once.
are passed to the appropriate mapping function.
If it returns a value, it replaces the input.
If it does not return a value and the
Otherwise, the input is unchanged.
During replacement of either a map value or default
is replaced by the corresponding
is always the database key.
R$\- ! $+ $: $(uucp $1 $@ $2 $: %1 @ %0 . UUCP $)
Looks up the UUCP name in a (user defined) UUCP map;
if not found it turns it into
The database might contain records like:
The built in map with both name and class
is the host name canonicalization lookup.
There are many defined classes.
Database lookups using the ndbm(3) library.
Database lookups using the btree interface to the Berkeley db(3) library.
Database lookups using the hash interface to the Berkeley db(3) library.
The argument is the name of the table to use for lookups,
flags may be used to set the key and value columns respectively.
The format of the text file is defined by the
Internal symbol table lookups.
Used internally for aliasing.
\(em this is used to get the default lookups
and is the default if no class is specified for alias files.
flag can be used to specify the name of the field to return
(although this is normally used only to check the existence
Canonifies host domain names.
Given a host name it calls the name server
to find the canonical name for that host.
The arguments on the `K' line are a list of maps;
the resulting map searches the argument maps in order
until it finds a match for the indicated key.
For example, if the key definition is:
Kseqmap sequence map1 map2
first does a lookup in map1.
If that is found, it returns immediately.
Otherwise, the same key is used for map2.
map except that the order of maps is determined by the service switch.
The argument is the name of the service to be looked up;
the values from the service switch are appended to the service name
For example, consider the key definition:
together with the service switch entry:
This causes a query against the map
Strip double quotes (") from a name.
It does not strip backslashes,
and will not strip quotes if the resulting string
would contain unscannable syntax
(that is, basic errors like unbalanced angle brackets;
more sophisticated errors such as unknown hosts are not checked).
The intent is for use when trying to accept mail from systems such as
that routinely quote odd syntax such as
A typical usage is probably something like:
Care must be taken to prevent unexpected results;
"|someprogram < input > output"
will have quotes stripped,
but the result is probably not what you had in mind.
Fortunately these cases are rare.
Most of these accept as arguments the same optional flags
the filename is the root of the database path,
or some other extension appropriate for the database type
will be added to get the actual database name).
Indicates that this map is optional \*- that is,
will behave as if the map existed but was empty.
uses an adaptive algorithm to decide whether or not to look for null bytes
It starts by trying both;
if it finds any key with a null byte it never tries again without a null byte
is specified it never tries without a null byte and
is specified it never tries with a null byte.
these can speed matches but are never necessary.
will never try any matches at all \(em
that is, everything will appear to fail.
map appends a dot on successful matches.
Do not fold upper to lower case before looking up the key.
Match only (without replacing the value).
If you only care about the existence of a key and not the value
(as you might when searching the NIS map
this flag prevents the map from substituting the value.
The \-a argument is still appended on a match,
and the default is still taken if the match fails.
The key column name (for NIS+) or number
The value column name (for NIS+) or number
The column delimiter (for text lookups).
It can be a single character or one of the special strings
to indicate newline or tab respectively.
the column separator is any sequence of whitespace.
For the dequote map only,
the character to use to replace space characters
after a successful dequote.
For example, the map specification
Kuucp dbm \-o \-N /usr/lib/uucpmap
specifies an optional map named
it always has null bytes at the end of every string,
and the data is located in
/usr/lib/uucpmap.{dir,pag}.
can be used to build any of the three database-oriented maps.
It takes the following flags:
Do not fold upper to lower case in the map.
Include null bytes in keys.
Append to an existing (old) file.
Allow replacement of existing keys;
normally, re-inserting an existing key is an error.
daemon does not have to be restarted to read the new maps
as long as you change them in place;
file locking is used so that the maps won't be read
while they are being updated.\**
\**That is, don't create new maps and then use
Since the maps are already open
the new maps will never be seen.
New classes can be added in the routine
.sh 2 "The User Database"
with the user database package
the handling of sender and recipient addresses
The location of this database is controlled with the
.sh 3 "Structure of the user database"
The database is a sorted (BTree-based) structure.
User records are stored with the key:
\fIuser-name\fP\fB:\fP\fIfield-name\fP
The sorted database format ensures that user records are clustered together.
Meta-information is always stored with a leading colon.
Field names define both the syntax and semantics of the value.
The delivery address for this user.
There may be multiple values of this record.
mailing lists will have one
record for each user on the list.
The outgoing mailname for this user.
there should be an appropriate
record for that name to allow return mail.
Changes any mail sent to this address to have the indicated envelope sender.
This is intended for mailing lists,
and will normally be the name of an appropriate -request address.
It is very similar to the owner-\c
syntax in the alias file.
The full name of the user.
The office address for this user.
The office phone number for this user.
The office FAX number for this user.
The home address for this user.
The home phone number for this user.
The home FAX number for this user.
A (short) description of the project this person is affiliated with.
In the University this is often just the name of their graduate advisor.
A pointer to a file from which plan information can be gathered.
only a few of these fields are actually being used by
program that uses the other fields is planned.
.sh 3 "User database semantics"
When the rewriting rules submit an address to the local mailer,
the user name is passed through the alias file.
If no alias is found (or if the alias points back to the same address),
is then used as a key in the user database.
If no match occurs (or if the maildrop points at the same address),
If the first token of the user name returned by ruleset 0
sign, the user database lookup is skipped.
The intent is that the user database will act as a set of defaults
for a cluster (in our case, the Computer Science Division);
mail sent to a specific machine should ignore these defaults.
the name of the sending user is looked up in the database.
the value of that record is used as their outgoing name.
For example, I might have a record:
eric:mailname Eric.Allman@CS.Berkeley.EDU
This would cause my outgoing mail to be sent as Eric.Allman.
If present, this is the name of a host to override the local host.
For example, in our case we would set it to
The effect is that anyone known in the database
gets their outgoing mail stamped as
.q user@CS.Berkeley.EDU ,
but people not listed in the database use the local hostname.
.sh 3 "Creating the database\**"
\**These instructions are known to be incomplete.
A future version of the user database is planned
including things such as finger service \*- and good documentation.
The user database is built from a text file
(in the distribution in the makemap subdirectory).
The text file is a series of lines corresponding to userdb records;
each line has a key and a value separated by white space.
The key is always in the format described above \*-
This file is normally installed in a system directory;
for example, it might be called
To make the database version of the map, run the program:
makemap btree /etc/userdb.db < /etc/userdb
Then create a config file that uses this.
For example, using the V8 M4 configuration, include the
following line in your .mc file:
define(\`confUSERDB_SPEC\', /etc/userdb.db)
.sh 1 "OTHER CONFIGURATION"
There are some configuration changes that can be made by
This section describes what changes can be made
and what has to be modified to make them.
In most cases this should be unnecessary
.sh 2 "Parameters in src/Makefile"
These parameters are intended to describe the compilation environment,
and should normally be defined in src/Makefile.
the new version of the DBM library
that allows multiple databases will be used.
If neither NDBM nor NEWDB are set,
a much less efficient method of alias lookup is used.
If set, use the new database package from Berkeley (from 4.4BSD).
This package is substantially faster than DBM or NDBM.
If NEWDB and NDBM are both set,
but will create and use NEWDB files.
will create both DBM and NEWDB files if and only if
an alias file includes the substring
This is intended for compatibility with Sun Microsystems'
program used on YP masters.
Compile in support for NIS+.
Compile in support for NetInfo (NeXT stations).
Compile in support for Hesiod.
The pathname of the sendmail.cf file.
The pathname of the sendmail.pid file.
There are also several compilation flags to indicate the environment
file for the latest scoop on these flags.
.sh 2 "Parameters in src/conf.h"
Parameters and compilation options
Most of these need not normally be tweaked;
common parameters are all in sendmail.cf.
However, the sizes of certain primitive vectors, etc.,
are included in this file.
The numbers following the parameters
The maximum line length of any input line.
If message lines exceed this length
they will still be processed correctly;
configuration file lines,
must fit within this limit.
The maximum length of any name,
such as a host or a user name.
The maximum number of parameters to any mailer.
This limits the number of recipients that may be passed in one transaction.
It can be set to any arbitrary number above about 10,
will break up a delivery into smaller batches as needed.
A higher number may reduce load on your system, however.
The maximum number of atoms
.q "eric@CS.Berkeley.EDU"
The maximum number of mailers that may be defined
in the configuration file.
The maximum number of rewriting sets
The first half of these are reserved for numeric specification
while the upper half are reserved for auto-numbering
Thus, with a value of 200 an attempt to use ``S99'' will succeed,
The maximum number of values for the
field that may be defined
.ip "MAXUSERENVIRON [40]"
The maximum number of items in the user environment
that will be passed to subordinate mailers.
The maximum number of MX records we will accept for any single host.
A number of other compilation options exist.
These specify whether or not specific code should be compiled in.
If set, debugging information is compiled in.
To actually get the debugging output,
.b "WE STRONGLY RECOMMEND THAT THIS BE LEFT ON."
Some people, believing that it was a security hole
have turned it off and thus crippled debuggers.
support for Internet protocol networking is compiled in.
this old usage is now incorrect.
support for ISO protocol networking is compiled in
(it may be appropriate to #define this in the Makefile instead of conf.h).
routine in use at some sites is used.
This makes an informational log record
for each message processed,
and makes a higher priority log record
for internal system errors.
.b "STRONGLY RECOMMENDED"
\(em if you want no logging, turn it off in the configuration file.
Compile in the code to do ``fuzzy matching'' on the GECOS field
This also requires that the
Compile in code to use the
Berkeley Internet Name Domain (BIND) server
to resolve TCP/IP host names.
If you are using a non-UNIX mail format,
you can set this flag to turn off special processing
This flag should be set to compile in the queueing code.
mailers must accept the mail immediately
or it will be returned to the sender.
array to indicate its current status.
This can be used in conjunction with the
command to find out just what it's up to.
the code to handle user and server SMTP will be compiled in.
This is only necessary if your machine has some mailer
(this means most machines everywhere).
If you have a UUCP host adjacent to you which is not running
you will have to set this flag to include the
Otherwise, UUCP gets confused about where the mail came from.
Berkeley user information database package.
This adds a new level of local name expansion
between aliasing and forwarding.
It also uses the NEWDB package.
This may change in future releases.
The following options are normally turned on
in per-operating-system clauses in conf.h.
Compile in the IDENT protocol as defined in RFC 1413.
This defaults on for all systems except Ultrix,
which apparently has the interesting
message it closes all open connections to that host.
Since some firewall gateways send this error code
when you access an unauthorized port (such as 113, used by IDENT),
Ultrix cannot receive email from such hosts.
Set all of the compilation parameters appropriate for System V.
Due to the highly unusual semantics of locks
this should never be used unless absolutely necessary.
Set this if your system has the
(if you have multiple group support).
This is the default if SYSTEM5 is
defined or if you are on HPUX.
system call (or corresponding library routine).
This will allow you to give a temporary failure
message to incoming SMTP email
when you are low on disk space.
It is set by default on 4.4BSD and OSF/1 systems.
This is an alternative implementation of disk space control.
You should only set one of HASSTATFS or HASUSTAT;
Details are described below.
The are several built-in ways of computing the load average.
tries to auto-configure them based on imperfect guesses;
you can select one using the
The kernel stores the load average in the kernel as an array of long integers.
The actual values are scaled by a factor FSCALE
The kernel stores the load average in the kernel as an array of short integers.
The actual values are scaled by a factor FSCALE
The kernel stores the load average in the kernel as an array of
Use MACH-style load averages.
routine to get the load average as an array of doubles.
Always return zero as the load average.
This is the fallback case.
you may also need to specify
(the path to your system binary)
(the name of the variable containing the load average in the kernel;
.sh 2 "Configuration in src/conf.c"
The following changes can be made in conf.c.
.sh 3 "Built-in Header Semantics"
Not all header semantics are defined in the configuration file.
Header lines that should only be included by certain mailers
(as well as other more obscure semantics)
This table contains the header name
(which should be in all lower case)
and a set of header control flags (described below),
Normally when the check is made to see if a header line is compatible
will not delete an existing line.
even existing header lines.
if this bit is set and the mailer does not have flag bits set
that intersect with the required mailer flags
in the header definition in
If this header field is set,
treat it like a blank line,
it will signal the end of the header
and the beginning of the message text.
even if one existed in the message before.
If a header entry does not have this bit set,
will not add another header line if a header line
of this name already existed.
This would normally be used to stamp the message
by everyone who handled it.
If the number of trace fields in a message
on the assumption that it has an aliasing loop.
this field contains recipient addresses.
flag to determine who to send to
when it is collecting recipients from the message.
This flag indicates that this field
The order of these fields in the
for which field to return error messages to.
This header has return-receipt information.
Addresses in this header should receive error messages.
This header is a Content-Transfer-Encoding header.
This header is a Content-Type header.
Strip the value from the header (for Bcc:).
.ta 4n +\w'"return-receipt-to", 'u
struct hdrinfo HdrInfo[] =
/* originator fields, most to least significant */
"return-receipt-to", H_FROM\^|\^H_RECEIPTTO,
"errors-to", H_FROM\^|\^H_ERRORSTO,
"bcc", H_RCPT\^|\^H_STRIPVAL,
/* message identification and control */
"received", H_TRACE\^|\^H_FORCE,
/* miscellaneous fields */
"content-transfer-encoding", H_CTE,
This structure indicates that the
all specify recipient addresses.
field will be deleted unless the required mailer flag
(indicated in the configuration file)
fields will terminate the header;
these are used by random dissenters around the network world.
field will always be added,
and can be used to trace messages.
There are a number of important points here.
header fields are not added automatically just because they are in the
they must be specified in the configuration file
in order to be added to the message.
Any header fields mentioned in the configuration file but not
structure have default processing performed;
they are added unless they were in the message already.
structure only specifies cliched processing;
certain headers are processed specially by ad hoc code
regardless of the status specified in
fields are always scanned on ARPANET mail
to determine the sender\**;
\**Actually, this is no longer true in SMTP;
this information is contained in the envelope.
The older ARPANET protocols did not completely distinguish
this is used to perform the
fields are used to determine the full name of the sender
this is stored in the macro
and used in a number of ways.
.sh 3 "Restricting Use of Email"
If it is necessary to restrict mail through a relay,
This routine is called for every recipient address.
It returns an exit status
indicating the status of the message.
queues the message for a later try,
to print an error message
if the message is rejected.
.ta 4n +4n +4n +4n +4n +4n +4n
s = stab("private", ST_MAILER, ST_FIND);
if (s != NULL && e\->e_from.q_mailer != LocalMailer &&
to->q_mailer == s->s_mailer)
usrerr("No private net mail allowed through this machine");
if (MsgSize > 50000 && bitnset(M_LOCALMAILER, to\->q_mailer))
usrerr("Message too large for non-local delivery");
e\->e_flags |= EF_NORETURN;
This would reject messages greater than 50000 bytes
to suppress the return of the actual body
of the message in the error return.
The actual use of this routine is highly dependent on the
and use should be limited.
.sh 3 "Load Average Computation"
should return an approximation of the current system load average
There are several versions included on compilation flags
.sh 3 "New Database Map Classes"
New key maps can be added by creating a class initialization function
These are then added to the routine
The initialization function is called as
\fIxxx\fP_map_init(MAP *map, char *mapname, char *args)
is an internal data structure.
is the name of the map (used for error messages).
is a pointer to the rest of the configuration file line;
flags and filenames can be extracted from this line.
The initialization function must return
if it successfully opened the map,
The lookup function is called as
\fIxxx\fP_map_lookup(MAP *map, char buf[], int bufsize, char **av, int *statp)
defines the map internally.
This may be (and often is) used destructively.
is a list of arguments passed in from the rewrite line.
The lookup function should return a pointer to the new value.
should be set to an exit status code;
in particular, it should be set to
if recovery is to be attempted by the higher level code.
.sh 3 "Queueing Function"
is called to decide if a message should be queued
or processed immediately.
Typically this compares the message priority to the current load average.
The default definition is:
if (CurrentLA >= RefuseLA)
return (pri > (QueueFactor / (CurrentLA \- QueueLA + 1)));
If the current load average
which is set before this function is called)
is less than the low threshold load average
If the current load average exceeds the high threshold load average
Otherwise, it computes the function based on the message priority,
and the current and threshold load averages.
An implementation wishing to take the actual age of the message into account
which is the time that the message was first submitted to
parameter is already weighted
by the number of times the message has been tried
(although this tends to lower the priority of the message with time);
the expectation is that the
to ensure that messages are eventually processed.
.sh 3 "Refusing Incoming SMTP Connections"
if incoming SMTP connections should be refused.
The current implementation is based exclusively on the current load average
and the refuse load average option
return (CurrentLA >= RefuseLA);
A more clever implementation
could look at more system resources.
.sh 3 "Load Average Computation"
returns the current load average (as a rounded integer).
The distribution includes several possible implementations.
If you are porting to a new environment
you may need to add some new tweaks.\**
\**If you do, please send updates to
sendmail@CS.Berkeley.EDU.
.sh 2 "Configuration in src/daemon.c"
contains a number of routines that are dependent
on the local networking environment.
The version supplied assumes you have BSD style sockets.
we recommended that you modify the routine
if you wanted to generalize
We now recommend that you create a new keyed map instead.
.sh 1 "CHANGES IN VERSION 8"
The following summarizes changes
since the last commonly available version of
in the root directory of the
.sh 2 "Connection Caching"
Instead of closing SMTP connections immediately,
those connections are cached for possible future use.
The advent of MX records made this effective for mailing lists;
substantial performance improvements can be expected for queue processing.
If two hosts with different names in a single message
happen to have the same set of MX hosts,
they can be sent in the same transaction.
Version 8 notices this and tries to batch the messages.
.sh 2 "RFC 1123 Compliance"
A number of changes have been made to make
.q "conditionally compliant"
clauses and most but not all of the
The major areas of change are (numbers are RFC 1123 section numbers):
Response to RCPT command is fast.
Numeric IP addresses are logged in Received: lines.
Self domain literal is properly handled.
Better control over individual timeouts.
Error messages are sent as
Error messages are never sent to
.q "unconditionally compliant"
doesn't always use the exact SMTP message text
doesn't guarantee only one connect for each host in queue runs.
doesn't always provide adequate concurrency limits.
.sh 2 "Extended SMTP Support"
Version 8 includes both sending and receiving support for Extended
SMTP support as defined by RFC 1651 (basic) and RFC 1653 (SIZE);
and limited support for RFC 1652 (BODY).
used the 0200 bit for quoting.
This version avoids that use.
However, for compatibility with RFC 822,
you can set option `7' to get seven bit stripping.
Individual mailers can still produce seven bit output using the
The user database is an as-yet experimental attempt
to provide unified large-site name support.
We are installing it at Berkeley;
future versions may show significant modifications.
.sh 2 "Improved BIND Support"
particularly for MX records,
which have been removed in this release.
these more tightly bind (pun intended) the name server to
so that the name server resolution rules are incorporated directly into
Generalized keyed files is an idea taken directly from
(albeit with a completely different implementation).
They can be useful on large sites.
Version 8 also understands YP.
.sh 2 "Multi-Word Classes"
Classes can now be multiple words.
CShofmann.CS.Berkeley.EDU
allows you to match the entire string
.q hofmann.CS.Berkeley.EDU
using the single construct
.sh 2 "Deferred Macro Expansion"
construct has been adopted from
.sh 2 "IDENT Protocol Support"
The IDENT protocol as defined in RFC 1413 is supported.
.sh 2 "Parsing Bug Fixes"
A number of small bugs having to do with things like
backslash-escaped quotes inside of comments
.sh 2 "Separate Envelope/Header Processing"
Since the From: line is passed in separately from the envelope sender,
these have both been made visible;
macro is set to the envelope sender during processing
of mailer argument vectors
and the header sender during processing of headers.
It is also possible to specify separate per-mailer
envelope and header processing.
to give different rewritings for envelope versus header addresses.
.sh 2 "Owner-List Propagates to Envelope"
When an alias has an associated owner\-list name,
that alias is used to change the envelope sender address.
This will cause downstream errors to be returned to that owner.
.sh 2 "Dynamic Header Allocation"
The fixed size limit on header lines has been eliminated.
.sh 2 "New Command Line Flags"
flag has been added to pass in body type information.
to pass in protocol information.
to allow logging of all protocol in and out of
flag simplies setting long-form options.
.sh 2 "Enhanced Command Line Flags"
flag can limit limit a queue run to specific recipients, senders, or queue ids
.sh 2 "New and Old Configuration Line Types"
line has been added to declare database maps.
line has been added to declare the configuration version level.
field that lets you change into a temporary directory while that mailer
field to allow you to set the user and group id to be used
Several new options have been added,
many to support new features,
others to allow tuning that was previously available
They are described in detail in Section 5.1.5.
Insist on a minimum number of disk blocks.
Send errors in MIME-encapsulated format.
Connection cache lifetime.
Enable Errors-To: header.
These headers violate RFC 1123;
this option is included to provide back compatibility
Set incoming SMTP daemon options, such as an alternate SMTP port.
Do not run eight bit clean.
Eight bit data handling mode.
options have been extended to pass in more information.
Several new mailer flags have been added.
Try to use ESMTP when creating a connection.
will still try if the other end hints that it knows about ESMTP
this flag says to try even if it doesn't hint.
If the EHLO (extended hello)
Try the user part of addresses for this mailer as aliases.
Ensure that there is a blank line at the end of all messages.
Strip all comments from addresses;
this should only be used as a last resort
when dealing with cranky mailers.
Never use the null sender as the envelope sender,
Although this violates RFC 1123,
it may be necessary when you must deal with some obnoxious old hosts.
Turn off the loopback check in the HELO protocol;
doing this may cause mailer loops.
Always run the mailer as the recipient of the message.
This user should have a passwd file entry.
Try ruleset 5 if no local aliases.
Strip all output to 7 bits.
Check for :include: files.
Check for |program addresses.
Check for /file addresses.
Check this user against the user database.
.sh 2 "Long Option Names"
All options can be specified using long names,
and some new options can only be specified with long names.
.sh 2 "New Pre-Defined Macros"
The following macros are pre-defined:
The domain part of our full hostname.
The RFC 1413-provided sender address.
on the Left Hand Side of an
line to match zero tokens.
This is intended to be used to match the null input.
Version 8 allows up to 100 rulesets instead of 30.
It is recommended that rulesets 0\-9 be reserved for
dedicated use in future releases.
The total number of MX records that can be used has been raised to 20.
The number of queued messages that can be handled at one time
has been raised from 600 to 1000.
.sh 2 "Different Default Tuning Parameters"
Version 8 has changed the default parameters
to make the number of recipients more important
than the size of the message (for small messages).
This is reasonable if you are connected with reasonably fast links.
.sh 2 "Auto-Quoting in Addresses"
.q "Full Name <email address>"
syntax would generate incorrect protocol output
had special characters such as dot.
This version puts quotes around such names.
.sh 2 "Symbolic Names On Error Mailer"
Several names have been built in to the $@ portion of the $#error
.sh 2 "SMTP VRFY Doesn't Expand"
treated VRFY and EXPN the same.
VRFY doesn't expand aliases or follow .forward files.
As an optimization, if you run with your default delivery mode being
queue-only or deliver-in-background,
the RCPT command will also not chase aliases and .forward files.
It will chase them when it processes the queue.
.sh 2 "[IPC] Mailers Allow Multiple Hosts"
When an address resolves to a mailer that has
can be a colon-separated list of hosts instead of a single hostname.
to search the list for the first entry that is available
exactly as though it were an MX record.
The intent is to route internal traffic through internal networks
without publishing an MX record to the net.
MX expansion is still done on the individual items.
The implementation has been merged with maps.
this supports NIS-based aliases.
.sh 2 "Portability and Security Enhancements"
A number of internal changes have been made to enhance portability.
Several fixes have been made to increase the paranoia factor.
.sh 2 "Miscellaneous Changes"
file with the current process id of the SMTP daemon.
Two people using the same program in their .forward file
so that duplicate elimination doesn't delete one of them.
program prints mailer names
and gets the location of the
Many minor bugs have been fixed, such as handling of backslashes
A hook (ruleset 5) has been added
to allow rewriting of local addresses after aliasing.
and many employers have been remarkably patient
about letting me work on a large project
that was not part of my official job.
This includes time on the INGRES Project at Berkeley,
and again on the Mammoth Project at Berkeley.
Much of the second wave of improvements
should be credited to Bryan Costales of ICSI.
As he passed me drafts of his book on
I was inspired to start working on things again.
Bryan was also available to bounce ideas off of.
Many, many people contributed chunks of code and ideas to
It has proven to be a group network effort.
Version 8 in particular was a group project.
The following people made notable contributions:
John Beck, Hewlett-Packard
Keith Bostic, CSRG, University of California, Berkeley
Andrew Cheng, Sun Microsystems
Michael J. Corrigan, University of California, San Diego
Bryan Costales, International Computer Science Institute
Pa\*:r (Pell) Emanuelsson
Craig Everhart, Transarc Corporation
Tom Ivar Helbekkmo, Norwegian School of Economics
Jonathan Kamens, OpenVision Technologies, Inc.
Takahiro Kanbe, Fuji Xerox Information Systems Co., Ltd.
Brian Kantor, University of California, San Diego
Murray S. Kucherawy, HookUp Communication Corp.
Motonori Nakamura, Ritsumeikan University & Kyoto University
John Gardiner Myers, Carnegie Mellon University
Neil Rickert, Northern Illinois University
Eric Schnoebelen, Convex Computer Corp.
Eric Wassenaar, National Institute for Nuclear and High Energy Physics, Amsterdam
Christophe Wolfhugel, Pasteur Institute & Herve Schauer Consultants (Paris)
I apologize for anyone I have omitted, misspelled, misattributed, or
At this point, I suspect that at least a hundred people
and many more have contributed ideas, comments, and encouragement.
I've tried to list them in the RELEASE_NOTES in the distribution directory.
I appreciate their contribution as well.
Special thanks are reserved for Michael Corrigan and Christophe Wolfhugel,
who besides being wonderful guinea pigs and contributors
have also consented to be added to the ``sendmail@CS.Berkeley.EDU'' list
and, by answering the bulk of the questions sent to that list,
have freed me up to do other work.
Arguments must be presented with flags before addresses.
s Speak SMTP on input side
a\(dg ``Arpanet'' mode (get envelope sender information from header)
v Just verify addresses, don't collect or deliver
i Initialize the alias database
Use a different configuration file.
runs as the invoking user (rather than root)
when this flag is specified.
The sender's machine address is
Sets the full name of this user to
This represents the number of times this message has been processed
(to the extent that it is supported by the underlying networks).
is incremented during processing,
throws away the message with an error.
Don't do aliasing or forwarding.
These options are described in Appendix B.
.ip \-O\fIoption\fP\fB=\fP\fIvalue\fP
(for long form option names).
Set the sending protocol.
Programs are encouraged to set this.
The protocol field can be in the form
to set both the sending protocol and sending host.
sets the sending protocol to UUCP
and the sending host to uunet.
(Some existing programs use \-oM to set the r and s macros;
this is equivalent to using \-p.)
Try to process the queued up mail.
will run through the queue at the specified interval
otherwise, it only runs once.
limiting the jobs to those matching
to limit based on queue identifier,
to limit based on recipient,
to limit based on sender.
A particular queued job is accepted if one of the corresponding addresses
lines, and send to everyone listed in those lists.
line will be deleted before sending.
Any addresses in the argument vector will be deleted
Log all traffic in and out of
for debugging mailer problems.
This produces a lot of data very quickly and should be used sparingly.
There are a number of options that may be specified as
These are the e, i, m, and v options.
This appendix describes the format of the queue files.
These files live in the directory defined by the
All queue files have the name
\fIx\fP\|\fBf\fP\fIAAA99999\fP
The first letter of the id encodes the hour of the day
that the message was received by the system
(with A being the hour between midnight and 1:00AM).
All files with the same id collectively define one message.
The message body (excluding the header) is kept in this file.
This file contains the information necessary to process the job.
These are an image of the
file when it is being rebuilt.
It should be renamed to a
existing during the life of a session
showing everything that happens
file is structured as a series of lines
each beginning with a code letter.
The lines are as follows:
The version number of the queue file format,
binaries to read queue files created by older versions.
Defaults to version zero.
Must be the first line of the file if present.
There may be any number of these lines.
they represent the order in the final message.
These use the same syntax
as header definitions in the configuration file.
Recipient addresses following this line
will be flagged so that deliveries will be run as the
(a user name from the /etc/passwd file);
is the name of the alias that expanded to this address
(used for printing messages).
The ``original recipient'',
specified by the ORCPT= field in an ESMTP transaction.
Used exclusively for Delivery Status Notifications.
It applies only to the immediately following `R' line.
This will normally be completely aliased,
but is actually realiased when the job is processed.
also include a leading colon-terminated list of flags,
`S' to return a message on successful final delivery,
`F' to return a message on failure,
`D' to return a message if the message is delayed,
`B' to indicate that the body should be returned,
`N' to suppress returning the body,
`P' to declare this as a ``primary'' (command line or SMTP-session) address.
There may only be one of these lines.
This is used to compute when to time out the job.
The current message priority.
This is used to order the queue.
Higher numbers mean lower priorities.
as the message sits in the queue.
The initial priority depends on the message class
and the size of the message.
This line is printed by the
and is generally used to store status information.
Flag bits, represented as one letter per flag.
indicating that this is a response message
indicating that a warning message has been sent
announcing that the mail has been delayed.
The total number of delivery attempts.
The time (as seconds since January 1, 1970)
of the last delivery attempt.
The i-number of the data file;
this can be used to recover your mail queue
after a disastrous disk crash.
The values of certain macros
(as of this writing, only
are passed through to the queue run phase.
The remainder of the line is a text string defining the body type.
If this field is missing,
the body type is assumed to be
and no special processing is attempted.
The original MTS value (from the ESMTP transaction).
For Deliver Status Notifications only.
The original envelope id (from the ESMTP transaction).
For Deliver Status Notifications only.
the following is a queue file sent to
.q eric@mammoth.Berkeley.EDU
.q bostic@okeeffe.CS.Berkeley.EDU \**:
\**This example is contrived and probably inaccurate for your environment.
Glance over it to get an idea;
nothing can replace looking at what your own system generates.
Ceric:sendmail@vangogh.CS.Berkeley.EDU
Reric@mammoth.Berkeley.EDU
Rbostic@okeeffe.CS.Berkeley.EDU
H?P?return-path: <owner-sendmail@vangogh.CS.Berkeley.EDU>
Hreceived: by vangogh.CS.Berkeley.EDU (5.108/2.7) id AAA06703;
Fri, 17 Jul 92 00:28:55 -0700
Hreceived: from mail.CS.Berkeley.EDU by vangogh.CS.Berkeley.EDU (5.108/2.7)
id AAA06698; Fri, 17 Jul 92 00:28:54 -0700
Hreceived: from [128.32.31.21] by mail.CS.Berkeley.EDU (5.96/2.5)
id AA22777; Fri, 17 Jul 92 03:29:14 -0400
Hreceived: by foo.bar.baz.de (5.57/Ultrix3.0-C)
id AA22757; Fri, 17 Jul 92 09:31:25 GMT
H?F?from: eric@foo.bar.baz.de (Eric Allman)
H?x?full-name: Eric Allman
Hmessage-id: <9207170931.AA22757@foo.bar.baz.de>
HTo: sendmail@vangogh.CS.Berkeley.EDU
Hsubject: this is an example message
the person who sent the message,
(in seconds since January 1, 1970),
and the headers for the message.
.+c "SUMMARY OF SUPPORT FILES"
This is a summary of the support files
Many of these can be changed by editing the sendmail.cf file;
check there to find the actual pathnames.
.ip "/usr/\*(SD/sendmail"
.ip /usr/\*(SB/newaliases
A link to /usr/\*(SD/sendmail;
causes the alias database to be rebuilt.
Running this program is completely equivalent to giving
Prints a listing of the mail queue.
This program is equivalent to using the
A statistics file; need not be present.
it contains the process id of the current SMTP daemon.
If you use this in scripts;
use ``head \-1'' to get just the first line;
may add information to subsequent lines.
The textual version of the alias file.
.ip /etc/aliases.{pag,dir}
The directory in which the mail queue
and temporary files reside.
.ip /var/spool/mqueue/qf*
Control (queue) files for messages.
.ip /var/spool/mqueue/df*
.ip /var/spool/mqueue/tf*
Temporary versions of the qf files,
used during queue file rebuild.
.ip /var/spool/mqueue/xf*
A transcript of the current session.
.\"INSTALLATION AND OPERATION GUIDE
This page intentionally left blank;
replace it with a blank sheet for double-sided output.
.\" remove some things to avoid "out of temp file space" problem