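divert(-1)
# $Id: sendmail.mc,v 1.1 2004/01/22 19:27:35 jmates Exp $
#
# Example sendmail configuration for Mac OS X systems with SMTP AUTH
# support. This file should be used in conjunction with the 8.12 domain
# server configuration at:
#
#   http://sial.org/sendmail/
#
# See sendmail's cf/README file for documentation on how to adjust
# this file to suit your needs.
#
# To build sendmail.cf from this file, configure the Makefile for the
# system in question, then run 'make config reload' to rebuild the
# configuration files and restart Sendmail.
#
# Security posture of this file, in short: no relaying except for
# authenticated clients, EXPN/VRFY only for trusted hosts or
# authenticated/certificate-verified clients, cleartext AUTH
# mechanisms suppressed unless a security layer is active, and
# connection/recipient/size limits against simple resource exhaustion.
divert(0)

OSTYPE(`darwin')

dnl increasing the log level allows one to debug various things
dnl define(`confLOG_LEVEL', 25)

dnl keep both a vendor and a local aliases file for better manageability
define(`ALIAS_FILE', `MAIL_SETTINGS_DIR`'aliases,'`MAIL_SETTINGS_DIR`'aliases.local')

FEATURE(`redirect')

dnl disable .forward to prevent complications (no user access anyhow)
define(`confFORWARD_PATH', `')

dnl Only allow user@example.org addresses. Central mail servers
dnl consequently need to handle all accounts for the domain.
MASQUERADE_AS(`example.org')
MASQUERADE_DOMAIN(`example.org')
dnl MASQUERADE_EXCEPTION(`lists.example.org')
FEATURE(`allmasquerade')
FEATURE(`masquerade_envelope')
FEATURE(`masquerade_entire_domain')
FEATURE(`always_add_domain')

dnl assume hostnames canonical already
FEATURE(`nocanonify')

dnl some security options, aimed at machines that see light to
dnl medium traffic. Tweak to suit your site.
define(`confCONNECTION_RATE_THROTTLE', `2')

dnl slow down username lookup scans (delay after this many bad RCPTs in
dnl one session). Later sendmail releases also offer confBAD_RCPT_SHUTDOWN
dnl to drop the connection outright after too many bad recipients; check
dnl the cf/README of the version in use. The original patch reference:
dnl http://lists.roaringpenguin.com/pipermail/mimedefang/2003-January/004171.html
define(`confBAD_RCPT_THROTTLE', `3')

dnl prevent huge messages being used as a DoS attack (5 MB)
define(`confMAX_MESSAGE_SIZE', `5242880')

dnl max number of children permitted to spawn, connections refused
dnl past here. Prevents runaway server under DoS, might need to be
dnl increased for a busy mail server.
define(`confMAX_DAEMON_CHILDREN', `24')

dnl tightest security measures as it is easier to relax them later...
dnl NOTE: defining confPRIVACY_FLAGS replaces the default value
dnl (authwarnings), so authwarnings is listed explicitly to keep the
dnl X-Authentication-Warning headers. restrictmailq limits who may list
dnl the queue. EXPN/VRFY are not disabled here; they are gated by the
dnl check_expn/check_vrfy rulesets at the end of this file instead.
define(`confPRIVACY_FLAGS', ``authwarnings,needmailhelo,needvrfyhelo,needexpnhelo,restrictmailq,restrictqrun,nobodyreturn,noetrn'')

DAEMON_OPTIONS(`Family=inet, Name=MTA')
dnl set this to disable listening on port 587
dnl FEATURE(`no_default_msa')
dnl The default MSA (port 587, M=E) does not require authentication.
dnl To make submission authenticated-only, define no_default_msa above
dnl and add an explicit MSA with the 'a' modifier:
dnl DAEMON_OPTIONS(`Family=inet, Name=MSA, Port=587, M=Ea')

dnl enable this for IPv6 support
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA6, M=O')
dnl DAEMON_OPTIONS(`Family=inet6, Name=MSA6, Port=587, M=O, M=E')
dnl define(`confBIND_OPTS', `WorkAroundBrokenAAAA')

dnl smtps is raw TLS at port 465 (compile sendmail with _FFR_SMTP_SSL)
dnl DAEMON_OPTIONS(`Family=inet, Port=smtps, Name=SSLMTA, M=s')
dnl DAEMON_OPTIONS(`Family=inet6, Port=smtps, Name=SSLMTA6, M=s')

dnl TLS configuration
dnl disabled by default, as Sendmail must be compiled with STARTTLS support.
dnl Without STARTTLS, any PLAIN/LOGIN authentication would send credentials
dnl in cleartext; confAUTH_OPTIONS 'p' below prevents those mechanisms from
dnl being offered until a security layer is active, so enable this block
dnl before expecting PLAIN/LOGIN clients to work.
dnl define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')
dnl define(`confCACERT', `CERT_DIR/cacert.pem')
dnl define(`confCACERT_PATH', `CERT_DIR/CA')
dnl define(`confSERVER_CERT', `CERT_DIR/host.cert')
dnl define(`confSERVER_KEY', `CERT_DIR/host.key')
dnl define(`confCLIENT_CERT', `CERT_DIR/host.cert')
dnl define(`confCLIENT_KEY', `CERT_DIR/host.key')

dnl SASL configuration (for SMTP AUTH)
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
dnl any client authenticated with one of these mechanisms may relay
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
dnl 'A': only add AUTH= to MAIL FROM when authentication succeeded.
dnl 'p': do not permit mechanisms susceptible to simple passive attack
dnl      (PLAIN, LOGIN) unless a security layer such as STARTTLS is active.
dnl Both flags are documented in the 8.12 cf/README for AuthOptions; if the
dnl build in use logs 'p' as an unknown parameter, check its compile-time
dnl options (sendmail -d0.1 -bv root) and the SASL library version.
define(`confAUTH_OPTIONS', `A p')

dnl sample support for Spamhaus Blackhole List
dnl FEATURE(`enhdnsbl', `sbl.spamhaus.org', `Mail from $&{client_addr} rejected see http://www.spamhaus.org/SBL', `t', `127.0.0.2.')

dnl for local machine names
FEATURE(`use_cw_file')

dnl optional support for trusted users (needed to support mailing list
dnl software that munges the from addresses). Trusted users may set the
dnl envelope sender without an X-Authentication-Warning, so keep the
dnl file short.
define(`confCT_FILE', `-o MAIL_SETTINGS_DIR`'trusted-users')
FEATURE(`use_ct_file')

dnl smrsh restricts the programs that aliases may pipe to (the prog
dnl mailer) to those present in the smrsh directory.
FEATURE(`smrsh')
dnl FEATURE(`genericstable')
dnl GENERICS_DOMAIN_FILE(`MAIL_SETTINGS_DIR`'generics-domains')
FEATURE(`mailertable')
VIRTUSER_DOMAIN_FILE(`MAIL_SETTINGS_DIR`'virtual-domains')
FEATURE(`virtuser_entire_domain')
FEATURE(`virtusertable')
dnl access_db is the relay/reject policy table; no promiscuous relay
dnl features are enabled, so relaying is limited to access_db entries
dnl and TRUST_AUTH_MECH clients.
FEATURE(`access_db')
FEATURE(`blacklist_recipients')
dnl run client/sender checks at RCPT time; a Spam:recipient FRIEND entry
dnl in access_db exempts that recipient from those checks
FEATURE(`delay_checks', `friend')

dnl do not wait for ident
define(`confTO_IDENT', `0')
dnl disable statistics if not using mailstats(8)
dnl define(`STATUS_FILE', `')

dnl turn off various protocols; SMTP only by default
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
undefine(`DECNET_RELAY')
undefine(`FAX_RELAY')
FEATURE(`nouucp', `reject')

dnl explicit procmail paths may be required on some systems
dnl define(`PROCMAIL_MAILER_PATH', `/usr/local/bin/procmail')
dnl FEATURE(`local_procmail', `/usr/local/bin/procmail')
MAILER(`smtp')
MAILER(`procmail')

LOCAL_CONFIG
dnl see http://sial.org/sendmail/cipherlist/ for details on CipherList.
dnl The list previously suggested here
dnl (ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL)
dnl ended by re-adding export-grade (+EXP) and NULL-encryption (+eNULL)
dnl ciphers, which defeats the point of TLS. Prefer an explicit deny-list
dnl that keeps only strong ciphers; only meaningful with STARTTLS enabled:
dnl O CipherList=HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5

dnl optional file (-o) listing hosts/domains allowed to use EXPN/VRFY
F{trusty}-o MAIL_SETTINGS_DIR`'trusted-domains

LOCAL_RULESETS
dnl both SMTP hooks defer to one shared policy ruleset
Scheck_expn
R$*			$@ $>check_expn_and_vrfy $1

Scheck_vrfy
R$*			$@ $>check_expn_and_vrfy $1

dnl allow EXPN/VRFY to clients in the trusted-domains file, or to
dnl connections that have authenticated via SMTP AUTH with a trusted
dnl mechanism, or that have presented a client certificate we could
dnl verify ({verify} is only set by STARTTLS). Everything else is
dnl rejected with a permanent error.
Scheck_expn_and_vrfy
dnl exact match on client_name, or client_name ending in a trusted domain
R$*			$: < $&{client_name} >
R< $={trusty} >		$@ OK
R< $+ $={trusty} >	$@ OK
dnl authenticated with a mechanism listed in TRUST_AUTH_MECH
R$*			$: $&{auth_type}
R$={TrustAuthMech}	$@ OK
dnl client certificate verified (the <OK> test was garbled in the copy
dnl this was restored from; confirm against the original file)
R$*			$: <$&{verify}> $1
R<OK> $*		$@ OK
R$*			$#error $@ 5.7.1 $: 550 EXPN and VRFY not available for $&{client_name}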