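divert(-1)
# $Id: sendmail.mc,v 1.1 2004/01/22 19:27:38 jmates Exp $
#
# Configuration for a sendmail daemon that accepts mail for a domain as
# a primary server (e.g. mail.example.org) and acts as a POP/IMAP host
# with no general user access. Incoming mail will either be saved
# locally with procmail, or passed on to internal endnode systems for
# power users that need command line mail access. Mail submitted on the
# command line is processed by sendmail running with the submit.cf
# configuration, not sendmail.cf.
#
# See sendmail's cf/README file for documentation on how to adjust this
# file to suit your needs.
#
# To build sendmail.cf from this file, configure the Makefile for the
# system in question, then run 'make config reload' to rebuild the
# configuration files and restart Sendmail.
#
# Note on m4: everything after a 'dnl' up to the end of the line is a
# comment, so a directive must never share a line with a 'dnl'.
divert(0)

dnl adjust following for system in question (darwin, linux, solaris2 are
dnl common; see the cf/ostype directory for others).
OSTYPE(`CHANGETHIS')

dnl increasing the log level allows one to debug various things
dnl define(`confLOG_LEVEL', 25)

dnl keep both a vendor and a local aliases file for better manageability
define(`ALIAS_FILE', `MAIL_SETTINGS_DIR`'aliases,'`MAIL_SETTINGS_DIR`'aliases.local')
FEATURE(`redirect')

dnl disable .forward to prevent complications (no user access anyhow);
dnl with no forward path, per-user files cannot add delivery programs
define(`confFORWARD_PATH', `')

dnl Only allow user@example.org addresses. Central mail servers
dnl consequently need to handle all accounts for the domain.
MASQUERADE_AS(`$m')
MASQUERADE_DOMAIN(`$m')
dnl MASQUERADE_EXCEPTION(`lists.$m')
FEATURE(`allmasquerade')
FEATURE(`masquerade_envelope')
FEATURE(`masquerade_entire_domain')
FEATURE(`always_add_domain')

dnl assume hostnames canonical already
FEATURE(`nocanonify')

dnl some security options, aimed at machines that see light to
dnl medium traffic. Tweak to suit your site.
define(`confCONNECTION_RATE_THROTTLE', `2')

dnl slow down username lookup scans. May also want to patch sendmail
dnl to drop the connection after X many BAD_RCPT to keep spammers
dnl from consuming server resources:
dnl http://lists.roaringpenguin.com/pipermail/mimedefang/2003-January/004171.html
define(`confBAD_RCPT_THROTTLE', `3')

dnl prevent huge files being used as DoS attack (value is in bytes, 5 MiB)
define(`confMAX_MESSAGE_SIZE', `5242880')

dnl max number of children permitted to spawn, connections refused
dnl past here. prevents runaway server under DoS, might need to be
dnl increased for a busy mail server
define(`confMAX_DAEMON_CHILDREN', `24')

dnl tightest security measures as easier to relax them later...
dnl   need*helo    - require HELO/EHLO before MAIL, VRFY, EXPN
dnl   novrfy,noexpn - refuse VRFY/EXPN outright so account names
dnl                   cannot be enumerated even after a HELO
dnl   restrictqrun - only root / the queue owner may run the queue
dnl   nobodyreturn - do not echo message bodies in bounces
dnl   noetrn       - disable ETRN queue runs on demand
dnl   authwarnings - add X-Authentication-Warning headers on suspicious
dnl                  submissions (e.g. forged sender from a local user)
dnl the inner quotes are required because the value contains commas
define(`confPRIVACY_FLAGS', ``needmailhelo,needvrfyhelo,needexpnhelo,novrfy,noexpn,restrictqrun,nobodyreturn,noetrn,authwarnings'')

DAEMON_OPTIONS(`Family=inet, Name=MTA')
dnl set this to disable listening on port 587
dnl FEATURE(`no_default_msa')

dnl enable this for IPv6 support
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA6, M=O')
dnl DAEMON_OPTIONS(`Family=inet6, Name=MSA6, Port=587, M=O, M=E')
dnl define(`confBIND_OPTS', `WorkAroundBrokenAAAA')

dnl smtps is raw TLS at port 465 (compile sendmail with _FFR_SMTP_SSL)
dnl DAEMON_OPTIONS(`Family=inet, Port=smtps, Name=SSLMTA, M=s')
dnl DAEMON_OPTIONS(`Family=inet6, Port=smtps, Name=SSLMTA6, M=s')

dnl TLS configuration
dnl disabled by default, as Sendmail must be compiled with STARTTLS support
dnl keep the private key files readable by root only; sendmail will not
dnl use a key whose permissions are too loose unless told to via
dnl DontBlameSendmail
dnl define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')
dnl define(`confCACERT', `CERT_DIR/cacert.pem')
dnl define(`confCACERT_PATH', `CERT_DIR/CA')
dnl define(`confSERVER_CERT', `CERT_DIR/host.cert')
dnl define(`confSERVER_KEY', `CERT_DIR/host.key')
dnl define(`confCLIENT_CERT', `CERT_DIR/host.cert')
dnl define(`confCLIENT_KEY', `CERT_DIR/host.key')

dnl SASL configuration (for SMTP AUTH)
dnl disabled by default, as Sendmail must be compiled with SASL support
dnl how folks can authenticate, and which methods are allowed to relay
dnl define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
dnl TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
dnl assumes sendmail compiled with _FFR_SASL_OPTS, disables
dnl PLAIN and LOGIN over non-TLS links (credentials would otherwise
dnl cross the wire in the clear)
dnl define(`confAUTH_OPTIONS', `p')

dnl sample MIMEDefang support (F=T tempfails mail when filter not available!)
dnl INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, T=S:5m;R:5m')
dnl define(`confMILTER_LOG_LEVEL', 1)
dnl define(`confMILTER_MACROS_HELO', ``{tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}, {verify}'')

dnl These may improve performance at cost of memory, open connections.
dnl Tip: connections will be held open if MILTER is being used.
dnl define(`confDELIVERY_MODE', `interactive')
dnl define(`confSAFE_QUEUE', `interactive')
dnl define(`confDF_BUFFER_SIZE', `16384')
dnl define(`confXF_BUFFER_SIZE', `16384')

dnl sample support for Spamhaus Blackhole List
dnl FEATURE(`enhdnsbl', `sbl.spamhaus.org', `Mail from $&{client_addr} rejected see http://www.spamhaus.org/SBL', `t', `127.0.0.2.')

dnl for local machine names
FEATURE(`use_cw_file')

dnl optional support for trusted users (needed to support mailing list
dnl software that munges the from addresses). Entries in this file may
dnl set arbitrary sender addresses, so keep the list short.
define(`confCT_FILE', `-o MAIL_SETTINGS_DIR`'trusted-users')
FEATURE(`use_ct_file')

dnl restricted shell: programs run from aliases must live in the smrsh
dnl directory, limiting what a bad alias entry can execute
FEATURE(`smrsh')

dnl FEATURE(`genericstable')
dnl GENERICS_DOMAIN_FILE(`-o MAIL_SETTINGS_DIR`'generics-domains')

FEATURE(`mailertable')
FEATURE(`virtusertable')
VIRTUSER_DOMAIN_FILE(`-o MAIL_SETTINGS_DIR`'virtual-domains')
FEATURE(`virtuser_entire_domain')

dnl access map controls relaying and per-host/sender/recipient policy;
dnl blacklist_recipients extends it to local recipient addresses
FEATURE(`access_db')
FEATURE(`blacklist_recipients')
dnl FEATURE(`delay_checks', `friend')

dnl do not wait for ident (a zero timeout disables the IDENT query)
define(`confTO_IDENT', `0')

dnl disable statistics if not using mailstats(8)
dnl define(`STATUS_FILE', `')

dnl turn off various protocols; SMTP only by default
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
undefine(`DECNET_RELAY')
undefine(`FAX_RELAY')
dnl reject rather than silently accept bang-path (UUCP style) addresses
FEATURE(`nouucp', `reject')

dnl explicit procmail paths may be required on some systems
dnl define(`PROCMAIL_MAILER_PATH', `/usr/local/bin/procmail')
dnl FEATURE(`local_procmail', `/usr/local/bin/procmail')

MAILER(`smtp')
MAILER(`procmail')

LOCAL_CONFIG
dnl domains treated as local (see also local-host-names file)
Cwlocalhost $m mail.$m
dnl set following if internal hostname not resolvable by external
dnl systems, but mail.example.org is
dnl Djmail.$m

LOCAL_RULESETS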