2 # Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers.
4 # Copyright (c) 1983, 1995 Eric P. Allman. All rights reserved.
5 # Copyright (c) 1988, 1993
6 # The Regents of the University of California. All rights reserved.
8 # By using this file, you agree to the terms and conditions set
9 # forth in the LICENSE file which can be found at the top level of
10 # the sendmail distribution.
14 ######################################################################
15 ######################################################################
17 ##### SENDMAIL CONFIGURATION FILE
19 ##### built by root@alice.cs.princeton.edu on Wed Nov 3 22:29:56 UTC 2004
21 ##### using /usr/share/sendmail-cf/ as configuration include directory
23 ######################################################################
25 ##### DO NOT EDIT THIS FILE! Only edit the source .mc file.
27 ######################################################################
28 ######################################################################
32 ##### setup for Red Hat Linux #####
80 # level 10 config file format
83 # override file safeties - setting this option compromises system security,
84 # addressing the actual file configuration problem is preferred
85 # need to set this before any file actions are encountered in the cf file
86 #O DontBlameSendmail=safe
88 # default LDAP map specification
89 # need to set this now before any LDAP maps are defined
90 #O LDAPDefaultSpec=-h localhost
97 # need to set this before any LDAP lookups are done (including classes)
98 #D{sendmailMTACluster}$m
101 # file containing names of hosts for which we receive email
102 Fw/etc/mail/local-host-names
104 # my official domain name
105 # ... define this only if sendmail cannot automatically determine your domain
108 # host/domain names ending with a token in class P are canonical
111 # "Smart" relay host (may be null)
115 # operators that cannot be in local usernames (i.e., network indicators)
118 # a class with just dot (for identifying canonical names)
121 # a class with just a left bracket (for identifying domain literals)
124 # access_db acceptance class
131 # Hosts for which relaying is permitted ($=R)
132 FR-o /etc/mail/relay-domains
138 # possible values for TLS_connection in access map
148 # class E: names that should be exposed as from this host, even if we masquerade
149 # class L: names that should be delivered locally, even if we have a relay
150 # class M: domains that should be converted to $M
151 # class N: domains that should not be converted to $M
153 C{w}localhost.localdomain
155 C{M}localhost.localdomain
157 # who I masquerade as (null for no masquerading) (see also $=M)
160 # my name for error messages
164 # Mailer table (overriding domains)
165 Kmailertable hash -o /etc/mail/mailertable.db
167 # Virtual user table (maps incoming users)
168 Kvirtuser hash -o /etc/mail/virtusertable.db
172 # Access list database (for spam stomping)
173 Kaccess hash -T<TMPF> -o /etc/mail/access.db
175 # Configuration version number
183 # strip message body to 7 bits on input?
184 O SevenBitInput=False
186 # 8-bit data handling
187 #O EightBitMode=pass8
189 # wait for alias file rebuild (default units: minutes)
192 # location of alias file
193 O AliasFile=/etc/aliases
195 # minimum number of free blocks on filesystem
198 # maximum message size
199 #O MaxMessageSize=1000000
201 # substitution for space (blank) characters
204 # avoid connecting to "expensive" mailers on initial submission?
205 O HoldExpensive=False
207 # checkpoint queue runs after every N successful deliveries
208 #O CheckpointInterval=10
210 # default delivery mode
211 O DeliveryMode=background
213 # error message header/file
214 #O ErrorHeader=/etc/mail/error-header
219 # save Unix-style "From_" lines at top of header?
220 #O SaveFromLine=False
222 # queue file mode (qf files)
223 #O QueueFileMode=0600
225 # temporary file mode
228 # match recipients against GECOS field?
234 # location of help file
235 O HelpFile=/etc/mail/helpfile
237 # ignore dots as terminators in incoming messages?
240 # name resolver options
241 #O ResolverOptions=+AAONLY
243 # deliver MIME-encapsulated error messages?
244 O SendMimeErrors=True
246 # Forward file search path
247 O ForwardPath=$z/.forward.$w:$z/.forward
249 # open connection cache size
250 O ConnectionCacheSize=2
252 # open connection cache timeout
253 O ConnectionCacheTimeout=5m
255 # persistent host status directory
256 #O HostStatusDirectory=.hoststat
258 # single thread deliveries (requires HostStatusDirectory)?
259 #O SingleThreadDelivery=False
261 # use Errors-To: header?
267 # send to me too, even in an alias expansion?
270 # verify RHS in newaliases?
273 # default messages to old style headers if no special punctuation?
274 O OldStyleHeaders=True
276 # SMTP daemon options
278 O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
280 # SMTP client options
281 #O ClientPortOptions=Family=inet, Address=0.0.0.0
283 # Modifiers to define {daemon_flags} for direct submissions
284 #O DirectSubmissionModifiers
286 # Use as mail submission program? See sendmail/SECURITY
290 O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
292 # who (if anyone) should get extra copies of error messages
293 #O PostmasterCopy=Postmaster
295 # slope of queue-only function
296 #O QueueFactor=600000
298 # limit on number of concurrent queue runners
301 # maximum number of queue-runners per queue-grouping with multiple queues
302 #O MaxRunnersPerQueue=1
304 # priority of queue runners (nice(3))
307 # shall we sort the queue by hostname first?
308 #O QueueSortOrder=priority
310 # minimum time in queue before retry
313 # how many jobs can you process in the queue?
314 #O MaxQueueRunSize=10000
316 # perform initial split of envelope without checking MX records
320 O QueueDirectory=/var/spool/mqueue
322 # key for shared memory; 0 to turn off
327 # timeouts (many of these)
328 #O Timeout.initial=5m
330 #O Timeout.aconnect=0s
331 #O Timeout.iconnect=5m
335 #O Timeout.datainit=5m
336 #O Timeout.datablock=1h
337 #O Timeout.datafinal=1h
341 #O Timeout.command=1h
343 #O Timeout.fileopen=60s
344 #O Timeout.control=2m
345 O Timeout.queuereturn=5d
346 #O Timeout.queuereturn.normal=5d
347 #O Timeout.queuereturn.urgent=2d
348 #O Timeout.queuereturn.non-urgent=7d
350 O Timeout.queuewarn=4h
351 #O Timeout.queuewarn.normal=4h
352 #O Timeout.queuewarn.urgent=1h
353 #O Timeout.queuewarn.non-urgent=12h
355 #O Timeout.hoststatus=30m
356 #O Timeout.resolver.retrans=5s
357 #O Timeout.resolver.retrans.first=5s
358 #O Timeout.resolver.retrans.normal=5s
359 #O Timeout.resolver.retry=4
360 #O Timeout.resolver.retry.first=4
361 #O Timeout.resolver.retry.normal=4
364 #O Timeout.starttls=1h
366 # time for DeliverBy; extension disabled if less than 0
369 # should we not prune routes in route-addr syntax addresses?
370 #O DontPruneRoutes=False
372 # queue up everything before forking?
376 O StatusFile=/var/log/mail/statistics
378 # time zone handling:
379 # if undefined, use system default
380 # if defined but null, use TZ envariable passed in
381 # if defined and non-null, use that info
384 # default UID (can be username or userid:groupid)
387 # list of locations of user database file (null means no lookup)
388 O UserDatabaseSpec=/etc/mail/userdb.db
391 #O FallbackMXhost=fall.back.host.net
393 # if we are the best MX host for a site, try it directly instead of config err
396 # load average at which we just queue messages
399 # load average at which we refuse connections
402 # load average at which we delay connections; 0 means no limit
405 # maximum number of children we allow at one time
406 #O MaxDaemonChildren=0
408 # maximum number of new connections per second
409 #O ConnectionRateThrottle=0
411 # work recipient factor
412 #O RecipientFactor=30000
414 # deliver each queued job in a separate process?
423 # default character set
424 #O DefaultCharSet=iso-8859-1
426 # service switch file (name hardwired on Solaris, Ultrix, OSF/1, others)
427 #O ServiceSwitchFile=/etc/mail/service.switch
429 # hosts file (normally /etc/hosts)
430 #O HostsFile=/etc/hosts
432 # dialup line delay on connection failure
435 # action to take if there are no recipients in the message
436 #O NoRecipientAction=add-to-undisclosed
438 # chrooted environment for writing to files
439 #O SafeFileEnvironment=/arch
441 # are colons OK in addresses?
442 #O ColonOkInAddr=True
444 # shall I avoid expanding CNAMEs (violates protocols)?
445 #O DontExpandCnames=False
447 # SMTP initial login message (old $e macro)
448 O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
450 # UNIX initial From header format (old $l macro)
451 O UnixFromLine=From $g $d
453 # From: lines that have embedded newlines are unwrapped onto one line
454 #O SingleLineFromHeader=False
456 # Allow HELO SMTP command that does not include a host name
457 #O AllowBogusHELO=False
459 # Characters to be quoted in a full name phrase (@,;:\()[] are automatic)
462 # delimiter (operator) characters (old $o macro)
463 O OperatorChars=.:%@!^/[]+
465 # shall I avoid calling initgroups(3) because of high NIS costs?
466 #O DontInitGroups=False
468 # are group-writable :include: and .forward files (un)trustworthy?
469 # True (the default) means they are not trustworthy.
470 #O UnsafeGroupWrites=True
473 # where do errors that occur when sending errors get sent?
474 #O DoubleBounceAddress=postmaster
476 # where to save bounces if all else fails
477 #O DeadLetterDrop=/var/tmp/dead.letter
479 # what user id do we assume for the majority of the processing?
480 #O RunAsUser=sendmail
482 # maximum number of recipients per SMTP envelope
483 #O MaxRecipientsPerMessage=100
485 # limit the rate recipients per SMTP envelope are accepted
486 # once the threshold number of recipients have been rejected
487 #O BadRcptThrottle=20
489 # shall we get local names from our installed interfaces?
490 O DontProbeInterfaces=true
492 # Return-Receipt-To: header implies DSN request
493 #O RrtImpliesDsn=False
495 # override connection address (for testing)
496 #O ConnectOnlyTo=0.0.0.0
498 # Trusted user for file ownership and starting the daemon
501 # Control socket for daemon management
502 #O ControlSocketName=/var/spool/mqueue/.control
504 # Maximum MIME header length to protect MUAs
505 #O MaxMimeHeaderLength=2048/1024
507 # Maximum length of the sum of all headers
508 #O MaxHeadersLength=32768
510 # Maximum depth of alias recursion
511 #O MaxAliasRecursion=10
513 # location of pid file
514 #O PidFile=/var/run/sendmail.pid
516 # Prefix string for the process title shown on 'ps' listings
517 #O ProcessTitlePrefix=prefix
519 # Data file (df) memory-buffer file maximum size
520 #O DataFileBufferSize=4096
522 # Transcript file (xf) memory-buffer file maximum size
523 #O XscriptFileBufferSize=4096
525 # lookup type to find information about local mailboxes
526 #O MailboxDatabase=pw
528 # list of authentication mechanisms
529 #O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
531 # default authentication information for outgoing connections
532 #O DefaultAuthInfo=/etc/mail/default-auth-info
537 # SMTP AUTH maximum encryption strength
540 # SMTP STARTTLS server options
548 O CACertPath=/etc/mail/certs
550 O CACertFile=/etc/mail/certs/cacert.pem
552 O ServerCertFile=/etc/mail/certs/cert.pem
554 O ServerKeyFile=/etc/mail/certs/key.pem
556 O ClientCertFile=/etc/mail/certs/cert.pem
558 O ClientKeyFile=/etc/mail/certs/key.pem
559 # DHParameters (only required if DSA/DH is used)
561 # Random data source (required for systems without /dev/urandom under OpenSSL)
564 ############################
565 # QUEUE GROUP DEFINITIONS #
566 ############################
569 ###########################
570 # Message precedences #
571 ###########################
574 Pspecial-delivery=100
579 #####################
581 #####################
583 # this is equivalent to setting class "t"
584 Ft/etc/mail/trusted-users
589 #########################
590 # Format of headers #
591 #########################
593 H?P?Return-Path: <$g>
594 HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
595 $.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
596 $.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}
597 (version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u
602 H?F?Resent-From: $?x$x <$g>$|$g$.
603 H?F?From: $?x$x <$g>$|$g$.
606 # H?l?Received-Date: $b
607 H?M?Resent-Message-Id: <$t.$i@$j>
608 H?M?Message-Id: <$t.$i@$j>
611 ######################################################################
612 ######################################################################
614 ##### REWRITING RULES
616 ######################################################################
617 ######################################################################
619 ############################################
620 ### Ruleset 3 -- Name Canonicalization ###
621 ############################################
624 # handle null input (translate to <@> special case)
627 # strip group: syntax (not inside angle brackets!) and trailing semicolon
628 R$* $: $1 <@> mark addresses
629 R$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr>
630 R@ $* <@> $: @ $1 unmark @host:...
631 R$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr
632 R$* :: $* <@> $: $1 :: $2 unmark node::addr
633 R:include: $* <@> $: :include: $1 unmark :include:...
634 R$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon
635 R$* : $* <@> $: $2 strip colon if marked
637 R$* ; $1 strip trailing semi
638 R$* < $+ :; > $* $@ $2 :; <@> catch <list:;>
639 R$* < $* ; > $1 < $2 > bogus bracketed semi
641 # null input now results from list:; syntax
644 # strip angle brackets -- note RFC733 heuristic to get innermost item
645 R$* $: < $1 > housekeeping <>
646 R$+ < $* > < $2 > strip excess on left
647 R< $* > $+ < $1 > strip excess on right
648 R<> $@ < @ > MAIL FROM:<> case
649 R< $+ > $: $1 remove housekeeping <>
651 # strip route address <@a,@b,@c:user@d> -> <user@d>
656 # find focus for list syntax
657 R $+ : $* ; @ $+ $@ $>Canonify2 $1 : $2 ; < @ $3 > list syntax
658 R $+ : $* ; $@ $1 : $2; list syntax
660 # find focus for @ syntax addresses
661 R$+ @ $+ $: $1 < @ $2 > focus on domain
662 R$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right
663 R$+ < @ $+ > $@ $>Canonify2 $1 < @ $2 > already canonical
666 # convert old-style addresses to a domain-based address
667 R$- ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > resolve uucp names
668 R$+ . $- ! $+ $@ $>Canonify2 $3 < @ $1 . $2 > domain uucps
669 R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
671 # if we have % signs, take the rightmost one
672 R$* % $* $1 @ $2 First make them all @s.
673 R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
674 R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
676 # else we must be a local name
677 R$* $@ $>Canonify2 $1
680 ################################################
681 ### Ruleset 96 -- bottom half of ruleset 3 ###
682 ################################################
686 # handle special cases for local names
687 R$* < @ localhost > $* $: $1 < @ $j . > $2 no domain at all
688 R$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain
689 R$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain
691 # check for IPv4/IPv6 domain literal
692 R$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [addr]
693 R$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal
694 R$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr
700 # if really UUCP, handle it immediately
702 # try UUCP traffic as a local address
703 R$* < @ $+ . UUCP > $* $: $1 < @ $[ $2 $] . UUCP . > $3
704 R$* < @ $+ . . UUCP . > $* $@ $1 < @ $2 . > $3
706 # hostnames ending in class P are always canonical
707 R$* < @ $* $=P > $* $: $1 < @ $2 $3 . > $4
708 R$* < @ $* $~P > $* $: $&{daemon_flags} $| $1 < @ $2 $3 > $4
709 R$* CC $* $| $* < @ $+.$+ > $* $: $3 < @ $4.$5 . > $6
710 R$* CC $* $| $* $: $3
711 # pass to name server to make hostname canonical
712 R$* $| $* < @ $* > $* $: $2 < @ $[ $3 $] > $4
715 # local host aliases and pseudo-domains are always canonical
716 R$* < @ $=w > $* $: $1 < @ $2 . > $3
717 R$* < @ $* $=M > $* $: $1 < @ $2 $3 . > $4
718 R$* < @ $={VirtHost} > $* $: $1 < @ $2 . > $3
719 R$* < @ $* . . > $* $1 < @ $2 . > $3
722 ##################################################
723 ### Ruleset 4 -- Final Output Post-rewriting ###
724 ##################################################
727 R$+ :; <@> $@ $1 : handle <list:;>
728 R$* <@> $@ handle <> and list:;
730 # strip trailing dot off possibly canonical name
731 R$* < @ $+ . > $* $1 < @ $2 > $3
733 # eliminate internal code
734 R$* < @ *LOCAL* > $* $1 < @ $j > $2
736 # externalize local domain info
737 R$* < $+ > $* $1 $2 $3 defocus
738 R@ $+ : @ $+ : $+ @ $1 , @ $2 : $3 <route-addr> canonical
739 R@ $* $@ @ $1 ... and exit
741 # UUCP must always be presented in old form
742 R$+ @ $- . UUCP $2!$1 u@h.UUCP => h!u
744 # delete duplicate local names
745 R$+ % $=w @ $=w $1 @ $2 u%host@host => u@host
749 ##############################################################
750 ### Ruleset 97 -- recanonicalize and call ruleset zero ###
751 ### (used for recursive calls) ###
752 ##############################################################
759 ######################################
760 ### Ruleset 0 -- Parse Address ###
761 ######################################
765 R$* $: $>Parse0 $1 initial parsing
766 R<@> $#local $: <@> special case error msgs
767 R$* $: $>ParseLocal $1 handle local hacks
768 R$* $: $>Parse1 $1 final parsing
771 # Parse0 -- do initial syntax checking and eliminate local addresses.
772 # This should either return with the (possibly modified) input
773 # or return with a #error mailer. It should not return with a
774 # #mailer other than the #error mailer.
778 R<@> $@ <@> special case error msgs
779 R$* : $* ; <@> $#error $@ 5.1.3 $: "553 List:; syntax illegal for recipient addresses"
780 R@ <@ $* > < @ $1 > catch "@@host" bogosity
781 R<@ $+> $#error $@ 5.1.3 $: "553 User address required"
782 R$+ <@> $#error $@ 5.1.3 $: "553 Hostname required"
784 R<> $* < @ [ $* ] : $+ > $* $1 < @ [ $2 ] : $3 > $4
785 R<> $* < @ [ $* ] , $+ > $* $1 < @ [ $2 ] , $3 > $4
786 R<> $* < @ [ $* ] $+ > $* $#error $@ 5.1.2 $: "553 Invalid address"
787 R<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3
788 R<> $* <$* : $* > $* $#error $@ 5.1.3 $: "553 Colon illegal in host name part"
790 R$* < @ . $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
791 R$* < @ $* .. $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
792 R$* < @ $* @ > $* $#error $@ 5.1.2 $: "553 Invalid route address"
793 R$* @ $* < @ $* > $* $#error $@ 5.1.3 $: "553 Invalid route address"
794 R$* , $~O $* $#error $@ 5.1.3 $: "553 Invalid route address"
797 # now delete the local info -- note $=O to find characters that cause forwarding
798 R$* < @ > $* $@ $>Parse0 $>canonify $1 user@ => user
799 R< @ $=w . > : $* $@ $>Parse0 $>canonify $2 @here:... -> ...
800 R$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote "foo"@here
801 R< @ $+ > $#error $@ 5.1.3 $: "553 User address required"
802 R$* $=O $* < @ $=w . > $@ $>Parse0 $>canonify $1 $2 $3 ...@here -> ...
803 R$- $: $(dequote $1 $) < @ *LOCAL* > dequote "foo"
804 R< @ *LOCAL* > $#error $@ 5.1.3 $: "553 User address required"
805 R$* $=O $* < @ *LOCAL* >
806 $@ $>Parse0 $>canonify $1 $2 $3 ...@*LOCAL* -> ...
807 R$* < @ *LOCAL* > $: $1
810 # Parse1 -- the bottom half of ruleset 0.
815 # handle numeric address spec
816 R$* < @ [ $+ ] > $* $: $>ParseLocal $1 < @ [ $2 ] > $3 numeric internet spec
817 R$* < @ [ $+ ] > $* $: $1 < @ [ $2 ] : $S > $3 Add smart host to path
818 R$* < @ [ $+ ] : > $* $#esmtp $@ [$2] $: $1 < @ [$2] > $3 no smarthost: send
819 R$* < @ [ $+ ] : $- : $*> $* $#$3 $@ $4 $: $1 < @ [$2] > $5 smarthost with mailer
820 R$* < @ [ $+ ] : $+ > $* $#esmtp $@ $3 $: $1 < @ [$2] > $4 smarthost without mailer
822 # handle virtual users
823 R$+ $: <!> $1 Mark for lookup
824 R<!> $+ < @ $={VirtHost} . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
825 R<!> $+ < @ $=w . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
826 R<@> $+ + $+ < @ $* . >
827 $: < $(virtuser $1 + + @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
828 R<@> $+ + $* < @ $* . >
829 $: < $(virtuser $1 + * @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
830 R<@> $+ + $* < @ $* . >
831 $: < $(virtuser $1 @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
832 R<@> $+ + $+ < @ $+ . > $: < $(virtuser + + @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
833 R<@> $+ + $* < @ $+ . > $: < $(virtuser + * @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
834 R<@> $+ + $* < @ $+ . > $: < $(virtuser @ $3 $@ $1 $@ $2 $@ +$2 $: ! $) > $1 + $2 < @ $3 . >
835 R<@> $+ < @ $+ . > $: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
838 R< error : $-.$-.$- : $+ > $* $#error $@ $1.$2.$3 $: $4
839 R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2
840 R< $+ > $+ < @ $+ > $: $>Recurse $1
842 # short circuit local delivery so forwarded email works
845 R$=L < @ $=w . > $#local $: @ $1 special local names
846 R$+ < @ $=w . > $#local $: $1 regular local name
848 # not local -- try mailer table lookup
849 R$* <@ $+ > $* $: < $2 > $1 < @ $2 > $3 extract host name
850 R< $+ . > $* $: < $1 > $2 strip trailing dot
851 R< $+ > $* $: < $(mailertable $1 $) > $2 lookup
852 R< $~[ : $* > $* $>MailerToTriple < $1 : $2 > $3 check -- resolved?
853 R< $+ > $* $: $>Mailertable <$1> $2 try domain
855 # resolve remotely connected UUCP links (if any)
857 # resolve fake top level domains by forwarding to other hosts
861 # pass names that still have a host to a smarthost (if defined)
862 R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name
864 # deal with other remote names
865 R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 user@host.domain
867 # handle locally delivered names
868 R$=L $#local $: @ $1 special local names
869 R$+ $#local $: $1 regular local names
871 ###########################################################################
872 ### Ruleset 5 -- special rewriting after aliases have been expanded ###
873 ###########################################################################
877 R$+ $: $1 $| $>"Local_localaddr" $1
878 R$+ $| $#ok $@ $1 no change
885 # deal with plussed users so aliases work nicely
886 R$+ + * $#local $@ $&h $: $1
887 R$+ + $* $#local $@ + $2 $: $1 + *
889 # prepend an empty "forward host" on the front
894 R< > $+ $: < > < $1 <> $&h > nope, restore +detail
896 R< > < $+ <> + $* > $: < > < $1 + $2 > check whether +detail
897 R< > < $+ <> $* > $: < > < $1 > else discard
898 R< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part
899 R< > < $+ > + $* $#local $@ $2 $: @ $1 strip the extra +
900 R< > < $+ > $@ $1 no +detail
901 R$+ $: $1 <> $&h add +detail back in
903 R$+ <> + $* $: $1 + $2 check whether +detail
904 R$+ <> $* $: $1 else discard
905 R< local : $* > $* $: $>MailerToTriple < local : $1 > $2 no host extension
906 R< error : $* > $* $: $>MailerToTriple < error : $1 > $2 no host extension
908 R< $~[ : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 >
910 R< $+ > $+ $@ $>MailerToTriple < $1 > $2 < @ $1 >
913 ###################################################################
914 ### Ruleset 90 -- try domain part of mailertable entry ###
915 ###################################################################
918 R$* <$- . $+ > $* $: $1$2 < $(mailertable .$3 $@ $1$2 $@ $2 $) > $4
919 R$* <$~[ : $* > $* $>MailerToTriple < $2 : $3 > $4 check -- resolved?
920 R$* < . $+ > $* $@ $>Mailertable $1 . <$2> $3 no -- strip & try again
921 R$* < $* > $* $: < $(mailertable . $@ $1$2 $) > $3 try "."
922 R< $~[ : $* > $* $>MailerToTriple < $1 : $2 > $3 "." found?
923 R< $* > $* $@ $2 no mailertable match
925 ###################################################################
926 ### Ruleset 95 -- canonify mailer:[user@]host syntax to triple ###
927 ###################################################################
930 R< > $* $@ $1 strip off null relay
931 R< error : $-.$-.$- : $+ > $* $#error $@ $1.$2.$3 $: $4
932 R< error : $- : $+ > $* $#error $@ $(dequote $1 $) $: $2
933 R< error : $+ > $* $#error $: $1
934 R< local : $* > $* $>CanonLocal < $1 > $2
935 R< $~[ : $+ @ $+ > $*<$*>$* $# $1 $@ $3 $: $2<@$3> use literal user
936 R< $~[ : $+ > $* $# $1 $@ $2 $: $3 try qualified mailer
937 R< $=w > $* $@ $2 delete local host
938 R< $+ > $* $#relay $@ $1 $: $2 use unqualified mailer
940 ###################################################################
941 ### Ruleset CanonLocal -- canonify local: syntax ###
942 ###################################################################
945 # strip local host from routed addresses
946 R< $* > < @ $+ > : $+ $@ $>Recurse $3
947 R< $* > $+ $=O $+ < @ $+ > $@ $>Recurse $2 $3 $4
949 # strip trailing dot from any host name that may appear
950 R< $* > $* < @ $* . > $: < $1 > $2 < @ $3 >
952 # handle local: syntax -- use old user, either with or without host
953 R< > $* < @ $* > $* $#local $@ $1@$2 $: $1
954 R< > $+ $#local $@ $1 $: $1
956 # handle local:user@host syntax -- ignore host part
957 R< $+ @ $+ > $* < @ $* > $: < $1 > $3 < @ $4 >
959 # handle local:user syntax
960 R< $+ > $* <@ $* > $* $#local $@ $2@$3 $: $1
961 R< $+ > $* $#local $@ $2 $: $1
963 ###################################################################
964 ### Ruleset 93 -- convert header names to masqueraded form ###
965 ###################################################################
970 # do not masquerade anything in class N
971 R$* < @ $* $=N . > $@ $1 < @ $2 $3 . >
973 # special case the users that should be exposed
974 R$=E < @ *LOCAL* > $@ $1 < @ $j . > leave exposed
975 R$=E < @ $* $=M . > $@ $1 < @ $2 $3 . >
976 R$=E < @ $=w . > $@ $1 < @ $2 . >
978 # handle domain-specific masquerading
979 R$* < @ $* $=M . > $* $: $1 < @ $2 $3 . @ $M > $4 convert masqueraded doms
980 R$* < @ $=w . > $* $: $1 < @ $2 . @ $M > $3
981 R$* < @ *LOCAL* > $* $: $1 < @ $j . @ $M > $2
982 R$* < @ $+ @ > $* $: $1 < @ $2 > $3 $M is null
983 R$* < @ $+ @ $+ > $* $: $1 < @ $3 . > $4 $M is not null
985 ###################################################################
986 ### Ruleset 94 -- convert envelope names to masqueraded form ###
987 ###################################################################
992 ###################################################################
993 ### Ruleset 98 -- local part of ruleset zero (can be null) ###
994 ###################################################################
998 # addresses sent to foo@host.REDIRECT will give a 551 error code
999 R$* < @ $+ .REDIRECT. > $: $1 < @ $2 . REDIRECT . > < ${opMode} >
1000 R$* < @ $+ .REDIRECT. > <i> $: $1 < @ $2 . REDIRECT. >
1001 R$* < @ $+ .REDIRECT. > < $- > $#error $@ 5.1.1 $: "551 User has moved; please try " <$1@$2>
1006 ######################################################################
1007 ### D: LookUpDomain -- search for domain in access database
1010 ### <$1> -- key (domain name)
1011 ### <$2> -- default (what to return if not found in db)
1012 ### <$3> -- mark (must be <(!|+) single-token>)
1013 ### ! does lookup only with tag
1014 ### + does lookup with and without tag
1015 ### <$4> -- passthru (additional data passed unchanged through)
1016 ######################################################################
1019 R<$*> <$+> <$- $-> <$*> $: < $(access $4:$1 $: ? $) > <$1> <$2> <$3 $4> <$5>
1020 R<?> <$+> <$+> <+ $-> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4>
1021 R<?> <[$+.$-]> <$+> <$- $-> <$*> $@ $>D <[$1]> <$3> <$4 $5> <$6>
1022 R<?> <[$+::$-]> <$+> <$- $-> <$*> $: $>D <[$1]> <$3> <$4 $5> <$6>
1023 R<?> <[$+:$-]> <$+> <$- $-> <$*> $: $>D <[$1]> <$3> <$4 $5> <$6>
1024 R<?> <$+.$+> <$+> <$- $-> <$*> $@ $>D <$2> <$3> <$4 $5> <$6>
1025 R<?> <$+> <$+> <$- $-> <$*> $@ <$2> <$5>
1026 R<$* <TMPF>> <$+> <$+> <$- $-> <$*> $@ <<TMPF>> <$6>
1027 R<$*> <$+> <$+> <$- $-> <$*> $@ <$1> <$6>
1029 ######################################################################
1030 ### A: LookUpAddress -- search for host address in access database
1033 ### <$1> -- key (dot quadded host address)
1034 ### <$2> -- default (what to return if not found in db)
1035 ### <$3> -- mark (must be <(!|+) single-token>)
1036 ### ! does lookup only with tag
1037 ### + does lookup with and without tag
1038 ### <$4> -- passthru (additional data passed through)
1039 ######################################################################
1042 R<$+> <$+> <$- $-> <$*> $: < $(access $4:$1 $: ? $) > <$1> <$2> <$3 $4> <$5>
1043 R<?> <$+> <$+> <+ $-> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4>
1044 R<?> <$+::$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6>
1045 R<?> <$+:$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6>
1046 R<?> <$+.$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6>
1047 R<?> <$+> <$+> <$- $-> <$*> $@ <$2> <$5>
1048 R<$* <TMPF>> <$+> <$+> <$- $-> <$*> $@ <<TMPF>> <$6>
1049 R<$*> <$+> <$+> <$- $-> <$*> $@ <$1> <$6>
1051 ######################################################################
1052 ### CanonAddr -- Convert an address into a standard form for
1053 ### relay checking. Route address syntax is
1054 ### crudely converted into a %-hack address.
1057 ### $1 -- full recipient address
1060 ### parsed address, not in source route form
1061 ######################################################################
1064 R$* $: $>Parse0 $>canonify $1 make domain canonical
1067 ######################################################################
1068 ### ParseRecipient -- Strip off hosts in $=R as well as possibly
1069 ### $* $=m or the access database.
1070 ### Check user portion for host separators.
1073 ### $1 -- full recipient address
1076 ### parsed, non-local-relaying address
1077 ######################################################################
1080 R$* $: <?> $>CanonAddr $1
1081 R<?> $* < @ $* . > <?> $1 < @ $2 > strip trailing dots
1082 R<?> $- < @ $* > $: <?> $(dequote $1 $) < @ $2 > dequote local part
1084 # if no $=O character, no host in the user portion, we are done
1085 R<?> $* $=O $* < @ $* > $: <NO> $1 $2 $3 < @ $4>
1089 R<NO> $* < @ $* $=R > $: <RELAY> $1 < @ $2 $3 >
1090 R<NO> $* < @ $+ > $: $>D <$2> <NO> <+ To> <$1 < @ $2 >>
1091 R<$+> <$+> $: <$1> $2
1095 R<RELAY> $* < @ $* > $@ $>ParseRecipient $1
1099 ######################################################################
1100 ### check_relay -- check hostname/address on SMTP startup
1101 ######################################################################
1105 R$* $: $1 $| $>"Local_check_relay" $1
1106 R$* $| $* $| $#$* $#$3
1107 R$* $| $* $| $* $@ $>"Basic_check_relay" $1 $| $2
1110 # check for deferred delivery mode
1111 R$* $: < $&{deliveryMode} > $1
1112 R< d > $* $@ deferred
1115 R$+ $| $+ $: $>D < $1 > <?> <+ Connect> < $2 >
1116 R $| $+ $: $>A < $1 > <?> <+ Connect> <> empty client_name
1117 R<?> <$+> $: $>A < $1 > <?> <+ Connect> <> no: another lookup
1118 R<?> <$*> $: OK found nothing
1119 R<$={Accept}> <$*> $@ $1 return value of lookup
1120 R<REJECT> <$*> $#error $@ 5.7.1 $: "550 Access denied"
1121 R<DISCARD> <$*> $#discard $: discard
1122 R<ERROR:$-.$-.$-:$+> <$*> $#error $@ $1.$2.$3 $: $4
1123 R<ERROR:$+> <$*> $#error $: $1
1124 R<$* <TMPF>> <$*> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
1125 R<$+> <$*> $#error $: $1
1129 ######################################################################
1130 ### check_mail -- check SMTP `MAIL FROM:' command argument
1131 ######################################################################
1135 R$* $: $1 $| $>"Local_check_mail" $1
1137 R$* $| $* $@ $>"Basic_check_mail" $1
1140 # check for deferred delivery mode
1141 R$* $: < $&{deliveryMode} > $1
1142 R< d > $* $@ deferred
1146 R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL
1150 R<> $@ <OK> we MUST accept <> (RFC 1123)
1152 R<?><$+> $: <@> <$1>
1154 R$* $: $&{daemon_flags} $| $1
1155 R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
1156 R$* u $* $| <@> < $* > $: <?> < $3 >
1158 # handle case of @localhost on address
1159 R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
1160 R<@> < $* @ [127.0.0.1] >
1161 $: < ? $&{client_name} > < $1 @ [127.0.0.1] >
1162 R<@> < $* @ localhost.$m >
1163 $: < ? $&{client_name} > < $1 @ localhost.$m >
1164 R<@> < $* @ localhost.UUCP >
1165 $: < ? $&{client_name} > < $1 @ localhost.UUCP >
1166 R<@> $* $: $1 no localhost as domain
1167 R<? $=w> $* $: $2 local client: ok
1168 R<? $+> <$+> $#error $@ 5.5.4 $: "553 Real domain name required for sender address"
1170 R$* $: <?> $>CanonAddr $1 canonify sender address and mark it
1171 R<?> $* < @ $+ . > <?> $1 < @ $2 > strip trailing dots
1172 # handle non-DNS hostnames (*.bitnet, *.decnet, *.uucp, etc)
1173 R<?> $* < @ $* $=P > $: <OKR> $1 < @ $2 $3 >
1174 R<?> $* < @ $j > $: <OKR> $1 < @ $j >
1175 R<?> $* < @ $+ > $: <OKR> $1 < @ $2 > ... unresolvable OK
1177 # check sender address: user@address, user@, address
1178 R<$+> $+ < @ $* > $: @<$1> <$2 < @ $3 >> $| <F:$2@$3> <U:$2@> <D:$3>
1179 R<$+> $+ $: @<$1> <$2> $| <U:$2@>
1180 R@ <$+> <$*> $| <$+> $: <@> <$1> <$2> $| $>SearchList <+ From> $| <$3> <>
1181 R<@> <$+> <$*> $| <$*> $: <$3> <$1> <$2> reverse result
1182 # retransform for further use
1183 R<?> <$+> <$*> $: <$1> $2 no match
1184 R<$+> <$+> <$*> $: <$1> $3 relevant result, keep it
1186 # handle case of no @domain on address
1187 R<?> $* $: $&{daemon_flags} $| <?> $1
1188 R$* u $* $| <?> $* $: <OKR> $3
1190 R<?> $* $: < ? $&{client_addr} > $1
1191 R<?> $* $@ <OKR> ...local unqualed ok
1192 R<? $+> $* $#error $@ 5.5.4 $: "553 Domain name required for sender address " $&f
1195 R<?> $* $: @ $1 mark address: nothing known about it
1196 R<$={ResOk}> $* $@ <OKR> domain ok: stop
1197 R<TEMP> $* $#error $@ 4.1.8 $: "451 Domain of sender address " $&f " does not resolve"
1198 R<PERM> $* $#error $@ 5.1.8 $: "553 Domain of sender address " $&f " does not exist"
1199 R<$={Accept}> $* $# $1 accept from access map
1200 R<DISCARD> $* $#discard $: discard
1201 R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"
1202 R<ERROR:$-.$-.$-:$+> $* $#error $@ $1.$2.$3 $: $4
1203 R<ERROR:$+> $* $#error $: $1
1204 R<<TMPF>> $* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
1205 R<$+> $* $#error $: $1 error from access db
1207 ######################################################################
1208 ### check_rcpt -- check SMTP `RCPT TO:' command argument
1209 ######################################################################
1213 R$* $: $1 $| $>"Local_check_rcpt" $1
1215 R$* $| $* $@ $>"Basic_check_rcpt" $1
1219 R<> $#error $@ nouser $: "553 User address required"
1220 R$@ $#error $@ nouser $: "553 User address required"
1221 # check for deferred delivery mode
1222 R$* $: < $&{deliveryMode} > $1
1223 R< d > $* $@ deferred
1227 ######################################################################
1228 R$* $: $1 $| @ $>"Rcpt_ok" $1
1229 R$* $| @ $#TEMP $+ $: $1 $| T $2
1231 R$* $| @ RELAY $@ RELAY
1232 R$* $| @ $* $: O $| $>"Relay_ok" $1
1233 R$* $| T $+ $: T $2 $| $>"Relay_ok" $1
1234 R$* $| $#TEMP $+ $#error $2
1236 R$* $| RELAY $@ RELAY
1237 R T $+ $| $* $#error $1
1238 # anything else is bogus
1239 R$* $#error $@ 5.7.1 $: "550 Relaying denied"
1242 ######################################################################
1243 ### Rcpt_ok: is the recipient ok?
1244 ######################################################################
1246 R$* $: $>ParseRecipient $1 strip relayable hosts
1250 # blacklist local users or any host from receiving mail
1252 R<?> $+ < @ $=w > $: <> <$1 < @ $2 >> $| <F:$1@$2> <U:$1@> <D:$2>
1253 R<?> $+ < @ $* > $: <> <$1 < @ $2 >> $| <F:$1@$2> <D:$2>
1254 R<?> $+ $: <> <$1> $| <U:$1@>
1255 R<> <$*> $| <$+> $: <@> <$1> $| $>SearchList <+ To> $| <$2> <>
1256 R<@> <$*> $| <$*> $: <$2> <$1> reverse result
1257 R<?> <$*> $: @ $1 mark address as no match
1258 R<$={Accept}> <$*> $: @ $2 mark address as no match
1260 R<REJECT> $* $#error $@ 5.2.1 $: "550 Mailbox disabled for this recipient"
1261 R<DISCARD> $* $#discard $: discard
1262 R<ERROR:$-.$-.$-:$+> $* $#error $@ $1.$2.$3 $: $4
1263 R<ERROR:$+> $* $#error $: $1
1264 R<<TMPF>> $* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
1265 R<$+> $* $#error $: $1 error from access db
1266 R@ $* $1 remove mark
1268 # authenticated via TLS?
1269 R$* $: $1 $| $>RelayTLS client authenticated?
1270 R$* $| $# $+ $# $2 error/ok?
1273 R$* $: $1 $| $>"Local_Relay_Auth" $&{auth_type}
1276 R$* $| $* $: $1 $| $&{auth_type}
1278 R$* $| $={TrustAuthMech} $# RELAY
1280 # anything terminating locally is ok
1281 R$+ < @ $=w > $@ RELAY
1282 R$+ < @ $* $=R > $@ RELAY
1283 R$+ < @ $+ > $: $>D <$2> <?> <+ To> <$1 < @ $2 >>
1284 R<RELAY> $* $@ RELAY
1285 R<$* <TMPF>> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
1290 # check for local user (i.e. unqualified address)
1292 R<?> $* < @ $+ > $: <REMOTE> $1 < @ $2 >
1297 ######################################################################
1298 ### Relay_ok: is the relay/sender ok?
1299 ######################################################################
1301 # anything originating locally is ok
1303 R$* $: $&{client_addr}
1304 R$@ $@ RELAY originated locally
1305 R0 $@ RELAY originated locally
1306 R127.0.0.1 $@ RELAY originated locally
1307 RIPv6:::1 $@ RELAY originated locally
1308 R$=R $* $@ RELAY relayable IP address
1309 R$* $: $>A <$1> <?> <+ Connect> <$1>
1310 R<RELAY> $* $@ RELAY relayable IP address
1312 R<<TMPF>> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
1314 R$* $: [ $1 ] put brackets around it...
1315 R$=w $@ RELAY ... and see if it is local
1318 # check client name: first: did it resolve?
1319 R$* $: < $&{client_resolve} >
1320 R<TEMP> $#TEMP $@ 4.7.1 $: "450 Relaying temporarily denied. Cannot resolve PTR record for " $&{client_addr}
1321 R<FORGED> $#error $@ 5.7.1 $: "550 Relaying denied. IP name possibly forged " $&{client_name}
1322 R<FAIL> $#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{client_name}
1323 R$* $: <@> $&{client_name}
1324 # pass to name server to make hostname canonical
1325 R<@> $* $=P $:<?> $1 $2
1326 R<@> $+ $:<?> $[ $1 $]
1327 R$* . $1 strip trailing dots
1329 R<?> $* $=R $@ RELAY
1330 R<?> $* $: $>D <$1> <?> <+ Connect> <$1>
1331 R<RELAY> $* $@ RELAY
1332 R<$* <TMPF>> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
1336 ######################################################################
1337 ### F: LookUpFull -- search for an entry in access database
1339 ### lookup of full key (which should be an address) and
1340 ### variations if +detail exists: +* and without +detail
1344 ### <$2> -- default (what to return if not found in db)
1345 ### <$3> -- mark (must be <(!|+) single-token>)
1346 ### ! does lookup only with tag
1347 ### + does lookup with and without tag
1348 ### <$4> -- passthru (additional data passed unchanged through)
1349 ######################################################################
1352 R<$+> <$*> <$- $-> <$*> $: <$(access $4:$1 $: ? $)> <$1> <$2> <$3 $4> <$5>
1353 R<?> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4>
1354 R<?> <$+ + $* @ $+> <$*> <$- $-> <$*>
1355 $: <$(access $6:$1+*@$3 $: ? $)> <$1+$2@$3> <$4> <$5 $6> <$7>
1356 R<?> <$+ + $* @ $+> <$*> <+ $-> <$*>
1357 $: <$(access $1+*@$3 $: ? $)> <$1+$2@$3> <$4> <+ $5> <$6>
1358 R<?> <$+ + $* @ $+> <$*> <$- $-> <$*>
1359 $: <$(access $6:$1@$3 $: ? $)> <$1+$2@$3> <$4> <$5 $6> <$7>
1360 R<?> <$+ + $* @ $+> <$*> <+ $-> <$*>
1361 $: <$(access $1@$3 $: ? $)> <$1+$2@$3> <$4> <+ $5> <$6>
1362 R<?> <$+> <$*> <$- $-> <$*> $@ <$2> <$5>
1363 R<$+ <TMPF>> <$*> <$- $-> <$*> $@ <<TMPF>> <$5>
1364 R<$+> <$*> <$- $-> <$*> $@ <$1> <$5>
1366 ######################################################################
1367 ### E: LookUpExact -- search for an entry in access database
1371 ### <$2> -- default (what to return if not found in db)
1372 ### <$3> -- mark (must be <(!|+) single-token>)
1373 ### ! does lookup only with tag
1374 ### + does lookup with and without tag
1375 ### <$4> -- passthru (additional data passed unchanged through)
1376 ######################################################################
1379 R<$*> <$*> <$- $-> <$*> $: <$(access $4:$1 $: ? $)> <$1> <$2> <$3 $4> <$5>
1380 R<?> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4>
1381 R<?> <$+> <$*> <$- $-> <$*> $@ <$2> <$5>
1382 R<$+ <TMPF>> <$*> <$- $-> <$*> $@ <<TMPF>> <$5>
1383 R<$+> <$*> <$- $-> <$*> $@ <$1> <$5>
1385 ######################################################################
1386 ### U: LookUpUser -- search for an entry in access database
1388 ### lookup of key (which should be a local part) and
1389 ### variations if +detail exists: +* and without +detail
1392 ### <$1> -- key (user@)
1393 ### <$2> -- default (what to return if not found in db)
1394 ### <$3> -- mark (must be <(!|+) single-token>)
1395 ### ! does lookup only with tag
1396 ### + does lookup with and without tag
1397 ### <$4> -- passthru (additional data passed unchanged through)
1398 ######################################################################
1401 R<$+> <$*> <$- $-> <$*> $: <$(access $4:$1 $: ? $)> <$1> <$2> <$3 $4> <$5>
1402 R<?> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4>
1403 R<?> <$+ + $* @> <$*> <$- $-> <$*>
1404 $: <$(access $5:$1+*@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6>
1405 R<?> <$+ + $* @> <$*> <+ $-> <$*>
1406 $: <$(access $1+*@ $: ? $)> <$1+$2@> <$3> <+ $4> <$5>
1407 R<?> <$+ + $* @> <$*> <$- $-> <$*>
1408 $: <$(access $5:$1@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6>
1409 R<?> <$+ + $* @> <$*> <+ $-> <$*>
1410 $: <$(access $1@ $: ? $)> <$1+$2@> <$3> <+ $4> <$5>
1411 R<?> <$+> <$*> <$- $-> <$*> $@ <$2> <$5>
1412 R<$+ <TMPF>> <$*> <$- $-> <$*> $@ <<TMPF>> <$5>
1413 R<$+> <$*> <$- $-> <$*> $@ <$1> <$5>
1415 ######################################################################
1416 ### SearchList: search a list of items in the access map
1418 ### <exact tag> $| <mark:address> <mark:address> ... <>
1419 ### where "exact" is either "+" or "!":
1420 ### <+ TAG> lookup with and w/o tag
1421 ### <! TAG> lookup with tag
1422 ### possible values for "mark" are:
1423 ### D: recursive host lookup (LookUpDomain)
1424 ### E: exact lookup, no modifications
1425 ### F: full lookup, try user+ext@domain and user@domain
1426 ### U: user lookup, try user+ext and user (input must have trailing @)
1427 ### return: <RHS of lookup> or <?> (not found)
1428 ######################################################################
1430 # class with valid marks for SearchList
1433 # just call the ruleset with the name of the tag... nice trick...
1434 R<$+> $| <$={src}:$*> <$*> $: <$1> $| <$4> $| $>$2 <$3> <?> <$1> <>
1435 R<$+> $| <> $| <?> <> $@ <?>
1436 R<$+> $| <$+> $| <?> <> $@ $>SearchList <$1> $| <$2>
1437 R<$+> $| <$*> $| <$+> <> $@ <$3>
1438 R<$+> $| <$+> $@ <$2>
1441 ######################################################################
1442 ### trust_auth: is user trusted to authenticate as someone else?
1445 ### $1: AUTH= parameter from MAIL command
1446 ######################################################################
1450 R$* $: $&{auth_type} $| $1
1451 # required by RFC 2554 section 4.
1452 R$@ $| $* $#error $@ 5.7.1 $: "550 not authenticated"
1453 R$* $| $&{auth_authen} $@ identical
1454 R$* $| <$&{auth_authen}> $@ identical
1455 R$* $| $* $: $1 $| $>"Local_trust_auth" $2
1457 R$* $#error $@ 5.7.1 $: "550 " $&{auth_authen} " not allowed to act as " $&{auth_author}
1459 ######################################################################
1460 ### Relay_Auth: allow relaying based on authentication?
1463 ### $1: ${auth_type}
1464 ######################################################################
1467 ######################################################################
1468 ### srv_features: which features to offer to a client?
1469 ### (done in server)
1470 ######################################################################
1472 R$* $: $>D <$&{client_name}> <?> <! "Srv_Features"> <>
1473 R<?>$* $: $>A <$&{client_addr}> <?> <! "Srv_Features"> <>
1474 R<?>$* $: <$(access "Srv_Features": $: ? $)>
1476 R<$* <TMPF>>$* $#temp
1479 ######################################################################
1480 ### try_tls: try to use STARTTLS?
1481 ### (done in client)
1482 ######################################################################
1484 R$* $: $>D <$&{server_name}> <?> <! "Try_TLS"> <>
1485 R<?>$* $: $>A <$&{server_addr}> <?> <! "Try_TLS"> <>
1486 R<?>$* $: <$(access "Try_TLS": $: ? $)>
1488 R<$* <TMPF>>$* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
1489 R<NO>$* $#error $@ 5.7.1 $: "550 do not try TLS with " $&{server_name} " ["$&{server_addr}"]"
1491 ######################################################################
1492 ### tls_rcpt: is connection with server "good" enough?
1493 ### (done in client, per recipient)
1497 ######################################################################
1499 R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1
1500 R$+ $: <?> $>CanonAddr $1
1501 R<?> $+ < @ $+ . > <?> $1 <@ $2 >
1502 R<?> $+ < @ $+ > $: $1 <@ $2 > $| <F:$1@$2> <U:$1@> <D:$2> <E:>
1503 R<?> $+ $: $1 $| <U:$1@> <E:>
1504 R$* $| $+ $: $1 $| $>SearchList <! "TLS_Rcpt"> $| $2 <>
1506 R$* $| <$* <TMPF>> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
1507 R$* $| <$+> $@ $>"TLS_connection" $&{verify} $| <$2>
1509 ######################################################################
1510 ### tls_client: is connection with client "good" enough?
1511 ### (done in server)
1514 ### ${verify} $| (MAIL|STARTTLS)
1515 ######################################################################
1517 R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1
1518 R$* $| $* $: $1 $| $>D <$&{client_name}> <?> <! "TLS_Clt"> <>
1519 R$* $| <?>$* $: $1 $| $>A <$&{client_addr}> <?> <! "TLS_Clt"> <>
1520 R$* $| <?>$* $: $1 $| <$(access "TLS_Clt": $: ? $)>
1521 R$* $| <$* <TMPF>> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
1522 R$* $@ $>"TLS_connection" $1
1524 ######################################################################
1525 ### tls_server: is connection with server "good" enough?
1526 ### (done in client)
1530 ######################################################################
1532 R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1
1533 R$* $: $1 $| $>D <$&{server_name}> <?> <! "TLS_Srv"> <>
1534 R$* $| <?>$* $: $1 $| $>A <$&{server_addr}> <?> <! "TLS_Srv"> <>
1535 R$* $| <?>$* $: $1 $| <$(access "TLS_Srv": $: ? $)>
1536 R$* $| <$* <TMPF>> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
1537 R$* $@ $>"TLS_connection" $1
1539 ######################################################################
1540 ### TLS_connection: is TLS connection "good" enough?
1543 ### ${verify} $| <Requirement> [<>]
1544 ### Requirement: RHS from access map, may be ? for none.
1545 ######################################################################
1547 R$* $| <$*>$* $: $1 $| <$2>
1548 # create the appropriate error codes
1549 R$* $| <PERM + $={tls} $*> $: $1 $| <503:5.7.0> <$2 $3>
1550 R$* $| <TEMP + $={tls} $*> $: $1 $| <403:4.7.0> <$2 $3>
1551 R$* $| <$={tls} $*> $: $1 $| <403:4.7.0> <$2 $3>
1552 # deal with TLS handshake failures: abort
1553 RSOFTWARE $| <$-:$+> $* $#error $@ $2 $: $1 " TLS handshake failed."
1554 RSOFTWARE $| $* $#error $@ 4.7.0 $: "403 TLS handshake failed."
1555 R$* $| <$*> <VERIFY> $: <$2> <VERIFY> <> $1
1556 R$* $| <$*> <VERIFY + $+> $: <$2> <VERIFY> <$3> $1
1557 R$* $| <$*> <$={tls}:$->$* $: <$2> <$3:$4> <> $1
1558 R$* $| <$*> <$={tls}:$- + $+>$* $: <$2> <$3:$4> <$5> $1
1560 # authentication required: give appropriate error
1561 # other side did authenticate (via STARTTLS)
1562 R<$*><VERIFY> <> OK $@ OK
1563 R<$*><VERIFY> <$+> OK $: <$1> <REQ:0> <$2>
1564 R<$*><VERIFY:$-> <$*> OK $: <$1> <REQ:$2> <$3>
1565 R<$*><ENCR:$-> <$*> $* $: <$1> <REQ:$2> <$3>
1566 R<$-:$+><VERIFY $*> <$*> $#error $@ $2 $: $1 " authentication required"
1567 R<$-:$+><VERIFY $*> <$*> FAIL $#error $@ $2 $: $1 " authentication failed"
1568 R<$-:$+><VERIFY $*> <$*> NO $#error $@ $2 $: $1 " not authenticated"
1569 R<$-:$+><VERIFY $*> <$*> NOT $#error $@ $2 $: $1 " no authentication requested"
1570 R<$-:$+><VERIFY $*> <$*> NONE $#error $@ $2 $: $1 " other side does not support STARTTLS"
1571 R<$-:$+><VERIFY $*> <$*> $+ $#error $@ $2 $: $1 " authentication failure " $4
1572 R<$*><REQ:$-> <$*> $: <$1> <REQ:$2> <$3> $>max $&{cipher_bits} : $&{auth_ssf}
1573 R<$*><REQ:$-> <$*> $- $: <$1> <$2:$4> <$3> $(arith l $@ $4 $@ $2 $)
1574 R<$-:$+><$-:$-> <$*> TRUE $#error $@ $2 $: $1 " encryption too weak " $4 " less than " $3
1575 R<$-:$+><$-:$-> <$*> $* $: <$1:$2 ++ $5>
1577 R<$-:$+ ++ $+ > $: <$1:$2> <$3>
1578 R<$-:$+> < $+ ++ $+ > <$1:$2> <$3> <$4>
1579 R<$-:$+> $+ $@ $>"TLS_req" $3 $| <$1:$2>
1581 ######################################################################
1582 ### TLS_req: check additional TLS requirements
1584 ### Parameters: [<list> <of> <req>] $| <$-:$+>
1585 ### $-: SMTP reply code
1586 ### $+: Enhanced Status Code
1587 ######################################################################
1590 R<CN> $* $| <$+> $: <CN:$&{TLS_Name}> $1 $| <$2>
1591 R<CN:$&{cn_subject}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2>
1592 R<CN:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " CN " $&{cn_subject} " does not match " $1
1593 R<CS:$&{cert_subject}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2>
1594 R<CS:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Subject " $&{cert_subject} " does not match " $1
1595 R<CI:$&{cert_issuer}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2>
1596 R<CI:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Issuer " $&{cert_issuer} " does not match " $1
1599 ######################################################################
1600 ### max: return the maximum of two values separated by :
1602 ### Parameters: [$-]:[$-]
1603 ######################################################################
1608 R$-:$- $: $(arith l $@ $1 $@ $2 $) : $1 : $2
1613 ######################################################################
1614 ### RelayTLS: allow relaying based on TLS authentication
1618 ######################################################################
1621 R$* $: <?> $&{verify}
1622 R<?> OK $: OK authenticated: continue
1623 R<?> $* $@ NO not authenticated
1624 R$* $: $&{cert_issuer}
1625 R$+ $: $(access CERTISSUER:$1 $)
1627 RSUBJECT $: <@> $&{cert_subject}
1628 R<@> $+ $: <@> $(access CERTSUBJECT:$1 $)
1632 ######################################################################
1633 ### authinfo: lookup authinfo in the access map
1636 ### $1: {server_name}
1637 ### $2: {server_addr}
1638 ######################################################################
1640 R$* $: $1 $| $>D <$&{server_name}> <?> <! AuthInfo> <>
1641 R$* $| <?>$* $: $1 $| $>A <$&{server_addr}> <?> <! AuthInfo> <>
1642 R$* $| <?>$* $: $1 $| <$(access AuthInfo: $: ? $)> <>
1643 R$* $| <?>$* $@ no no authinfo available
1644 R$* $| <$*> <> $# $2
1647 ######################################################################
1648 ######################################################################
1650 ##### MAIL FILTER DEFINITIONS
1652 ######################################################################
1653 ######################################################################
1656 ######################################################################
1657 ######################################################################
1659 ##### MAILER DEFINITIONS
1661 ######################################################################
1662 ######################################################################
1664 #####################################
1665 ### SMTP Mailer specification ###
1666 #####################################
1671 # common sender and masquerading recipient rewriting
1674 R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified
1675 R$+ $@ $1 < @ *LOCAL* > add local qualification
1678 # convert pseudo-domain addresses to real domain addresses
1682 # pass <route-addr>s through
1683 R< @ $+ > $* $@ < @ $1 > $2 resolve <route-addr>
1685 # output fake domains as user%fake@relay
1687 # do UUCP heuristics; note that these are shared with UUCP mailers
1688 R$+ < @ $+ .UUCP. > $: < $2 ! > $1 convert to UUCP form
1689 R$+ < @ $* > $* $@ $1 < @ $2 > $3 not UUCP form
1691 # leave these in .UUCP form to avoid further tampering
1692 R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. >
1693 R< $&h ! > $-.$+ ! $+ $@ $3 < @ $1.$2 >
1694 R< $&h ! > $+ $@ $1 < @ $&h .UUCP. >
1695 R< $+ ! > $+ $: $1 ! $2 < @ $Y > use UUCP_RELAY
1696 R$+ < @ $~[ $* : $+ > $@ $1 < @ $4 > strip mailer: part
1697 R$+ < @ > $: $1 < @ *LOCAL* > if no UUCP_RELAY
1701 # envelope sender rewriting
1704 R$+ $: $>PseudoToReal $1 sender/recipient common
1705 R$* :; <@> $@ list:; special case
1706 R$* $: $>MasqSMTP $1 qualify unqual'ed names
1707 R$+ $: $>MasqEnv $1 do masquerading
1711 # envelope recipient rewriting --
1712 # also header recipient if not masquerading recipients
1715 R$+ $: $>PseudoToReal $1 sender/recipient common
1716 R$+ $: $>MasqSMTP $1 qualify unqual'ed names
1717 R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2
1720 # header sender and masquerading header recipient rewriting
1723 R$+ $: $>PseudoToReal $1 sender/recipient common
1724 R:; <@> $@ list:; special case
1726 # do special header rewriting
1727 R$* <@> $* $@ $1 <@> $2 pass null host through
1728 R< @ $* > $* $@ < @ $1 > $2 pass route-addr through
1729 R$* $: $>MasqSMTP $1 qualify unqual'ed names
1730 R$+ $: $>MasqHdr $1 do masquerading
1734 # relay mailer header masquerading recipient rewriting
1737 R$+ $: $>MasqSMTP $1
1740 Msmtp, P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
1743 Mesmtp, P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
1746 Msmtp8, P=[IPC], F=mDFMuX8, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
1749 Mdsmtp, P=[IPC], F=mDFMuXa%, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
1752 Mrelay, P=[IPC], F=mDFMuXa8, S=EnvFromSMTP/HdrFromSMTP, R=MasqSMTP, E=\r\n, L=2040,
1757 ######################*****##############
1758 ### PROCMAIL Mailer specification ###
1759 ##################*****##################
1763 Mprocmail, P=/usr/bin/procmail, F=DFMSPhnu9, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP/HdrFromSMTP,
1764 T=DNS/RFC822/X-Unix,
1765 A=procmail -Y -m $h $f $u
1768 ##################################################
1769 ### Local and Program Mailer specification ###
1770 ##################################################
1775 # Envelope sender rewriting
1778 R<@> $n errors to mailer-daemon
1779 R@ <@ $*> $n temporarily bypass Sun bogosity
1780 R$+ $: $>AddDomain $1 add local domain if needed
1781 R$* $: $>MasqEnv $1 do masquerading
1784 # Envelope recipient rewriting
1787 R$+ < @ $* > $: $1 strip host part
1790 # Header sender rewriting
1793 R<@> $n errors to mailer-daemon
1794 R@ <@ $*> $n temporarily bypass Sun bogosity
1795 R$+ $: $>AddDomain $1 add local domain if needed
1796 R$* $: $>MasqHdr $1 do masquerading
1799 # Header recipient rewriting
1802 R$+ $: $>AddDomain $1 add local domain if needed
1803 R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2
1806 # Common code to add local domain name (only if always-add-domain)
1809 R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified
1811 R$+ $@ $1 < @ *LOCAL* > add local qualification
1813 Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
1814 T=DNS/RFC822/X-Unix,
1815 A=procmail -t -Y -a $h -d $u
1816 Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=$z:/,
1817 T=X-Unix/X-Unix/X-Unix,