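divert(-1)
dnl # * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
dnl # Author:  A-NAME-HERE
dnl # File:    sendmail.mc for <hostname>   (template: fill in before use)
dnl # Change Log:
dnl # Who   When_______  What________________________________________________
dnl #
dnl # NOTE: The Sendmail book (Chap 4.2.3, page 155) gives the recommended
dnl # order of entries in an .mc file; the sections below follow that order.
dnl #
dnl # This sendmail.mc is based on the configurations presented in
dnl # "Defense in Depth: Anti-SPAM for sendmail environments",
dnl # available at http://www.hiredavidbank.com
dnl #
dnl # REVIEW NOTES
dnl #  - This is an inbound-MX profile: no MSA listener (port 587), no
dnl #    SMTP AUTH and no STARTTLS settings appear anywhere in this file.
dnl #    Unless TLS is configured elsewhere (confSERVER_CERT, confSERVER_KEY,
dnl #    confCACERT_PATH), inbound SMTP is cleartext.
dnl #  - Page references are to "sendmail", 3rd ed. (O'Reilly) and the
dnl #    "sendmail 8.13 Companion". Re-check every option name against the
dnl #    cf/README shipped with the installed sendmail release: a define()
dnl #    of a name the cf macros do not know is silently ignored by m4 and
dnl #    never reaches sendmail.cf.
dnl # * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
divert(0)dnl
dnl ##############
dnl ## Preamble ##
dnl ##############
VERSIONID(`$Id: sendmail.mc, v8.17 2008/MM/DD HH:MM:SS name Exp $')dnl
dnl # Placeholder: replace with the real OS type, e.g. OSTYPE(`linux')dnl
OSTYPE( OS selection here )dnl
DOMAIN(generic)dnl
dnl
dnl ####################
dnl ## Option Section ##
dnl ####################
dnl # Sendmail, Chap 24.9.8, Page 951
dnl # Anti-SPAM / anti-harvesting: once a connecting host has issued more
dnl # than this many RCPT TO: commands for non-existent or invalid
dnl # recipients, delay every further "550 user unknown" reply.
dnl # 1 = start throttling after the first bad recipient.
define(`confBAD_RCPT_THROTTLE', `1')dnl
dnl
dnl # Sendmail, Chap 24.9.13, Page 955
dnl # Re-write (checkpoint) the queue control file after every 5 successful
dnl # recipient deliveries so that an interrupted multi-recipient delivery
dnl # does not re-send to recipients already served. By default the control
dnl # file is not checkpointed until the delivery attempt ends.
define(`confCHECKPOINTINTERVAL', `5')dnl
dnl
dnl # Sendmail, Chap 24.9.21, Page 960
dnl # Slow acceptance of new connections when more than 5 arrive within one
dnl # second. This is a per-second, all-clients throttle and is separate
dnl # from the per-client rate window below.
define(`confCONNECTION_RATE_THROTTLE', `5')dnl
dnl
dnl # Sendmail v8.13 Companion, Chap 4.1.3, Page 17
dnl # Keep per-client connection history for 120 seconds (default 60).
dnl # This window is what FEATURE(`ratecontrol') counts "ClientRate:"
dnl # connections against - confirm the exact semantics in the cf/README of
dnl # the installed release.
define(`confCONNECTION_RATE_WINDOW_SIZE', `120')dnl
dnl
dnl # Sendmail, Chap 24.9.26, Page 967
dnl # Double-bounced mail that has no deliverable local recipient is
dnl # discarded.
dnl # NOTE(review): this also discards the evidence of backscatter and of
dnl # misconfigured downstream hosts; point it at a file if that matters.
define(`confDEAD_LETTER_DROP', `/dev/null')dnl
dnl
dnl # Sendmail, Chap 24.9.30, Page 971
dnl # Delay replies to SMTP commands when the system load average exceeds
dnl # this value (see confQUEUE_LA and confREFUSE_LA for the next tiers).
define(`confDELAY_LA', `5')dnl
dnl
dnl # Sendmail, Chap 24.9.32, Page 973
dnl # Delivery mode "background" (fork and deliver asynchronously).
dnl # "interactive" is for debugging only; as of v8.14.2 it is silently
dnl # changed to "background" when a MILTER that can reject or delete a
dnl # recipient is registered.
define(`confDELIVERY_MODE', `background')dnl
dnl
dnl # Sendmail, Chap 24.9.25, Page 967
dnl # Maximum size, in bytes, of a memory-buffered data (df*) file before it
dnl # is written to disk (default 4096; 0 disables buffering and is not
dnl # recommended).
define(`confDF_BUFFER_SIZE', `16384')dnl
dnl
dnl # Sendmail, Chap 24.9.41, Page 993
dnl # Error messages that themselves bounce (a double bounce) are sent to
dnl # user "nobody" and therefore end up in confDEAD_LETTER_DROP above.
define(`confDOUBLE_BOUNCE_ADDRESS', `nobody')dnl
dnl
dnl # New option in v8.14.0
dnl # FQDN sendmail uses in EHLO/HELO when it connects OUT to a remote host.
dnl # It does not change the banner this daemon presents to inbound clients
dnl # (that is confSMTP_LOGIN_MSG).
dnl #define(`confHELO_NAME', `hostname.domain.tld')dnl
dnl
dnl # New option in v8.14.0 (cf/README: confMAX_NOOP_COMMANDS -> MaxNOOPCommands)
dnl # Lower the limit (default 20) on "useless" commands - NOOP and other
dnl # unrecognised or unsupported commands - a client may issue before the
dnl # daemon slows its replies, similar to confBAD_RCPT_THROTTLE.
dnl # FIX(review): the .mc macro is confMAX_NOOP_COMMANDS. The original
dnl # define(`MaxNOOPCommands', ...) only created an unused m4 symbol, so
dnl # the daemon was still running with the default of 20.
define(`confMAX_NOOP_COMMANDS', `5')dnl
dnl
dnl # Sendmail, Chap 24.9.60, Page 1011
dnl # Stop forking new daemon children once 25 exist (further connections
dnl # are refused until one exits). A low cap protects the host but lets a
dnl # single source exhaust the slots; the "ClientConn:" limits enabled by
dnl # FEATURE(`conncontrol') below are the per-client mitigation.
define(`confMAX_DAEMON_CHILDREN', `25')dnl
dnl
dnl # Sendmail, Chap 24.9.63, Page 1013
dnl # Cap any single message at 10 MB (10485760 bytes). Enforced against
dnl # the SIZE= parameter the sender announces and again at the end of DATA.
define(`confMAX_MESSAGE_SIZE', `10485760')dnl
dnl
dnl # Sendmail, Chap 24.9.66, Page 1016
dnl # Process at most 100 messages in any one queue run.
define(`confMAX_QUEUE_RUN_SIZE', `100')dnl
dnl
dnl # Sendmail, Chap 24.9.67, Page 1016
dnl # Anti-SPAM: at most 100 recipients per envelope. Recipients beyond the
dnl # limit receive a 4xx reply so the sender retries them later.
define(`confMAX_RCPTS_PER_MESSAGE', `100')dnl
dnl
dnl # Sendmail, Chap 24.9.19, Page 959
dnl # Connection caching: keep at most 1 outbound connection open between
dnl # deliveries (default 2). Works together with confMCI_CACHE_TIMEOUT.
define(`confMCI_CACHE_SIZE', `1')dnl
dnl
dnl # Sendmail, Chap 24.9.19, Page 959
dnl # A cached outbound connection is closed after 120 seconds of idleness.
define(`confMCI_CACHE_TIMEOUT', `120s')dnl
dnl
dnl # Sendmail, Chap 24.9.72, Page 1022
dnl # A message that failed delivery waits at least 15 minutes before the
dnl # next attempt, so the same failures do not dominate every queue run.
define(`confMIN_QUEUE_AGE', `15m')dnl
dnl
dnl # Sendmail, Chap 24.9.75, Page 1024
dnl # If a message has no recipient header (To:/Cc:/Bcc:), add
dnl # "To: undisclosed-recipients:;" rather than exposing the envelope
dnl # recipients. This legitimately happens when everyone was Bcc'd.
define(`confNO_RCPT_ACTION', `add-to-undisclosed')dnl
dnl
dnl # Sendmail, Chap 24.9.78, Page 1027
dnl # Path of the daemon's PID file.
define(`confPID_FILE', `/var/run/sendmail-mta.pid')dnl
dnl
dnl # Sendmail, Chap 24.9.80, Page 1029
dnl # Privacy/Security flags:
dnl #   needmailhelo      - require HELO/EHLO before MAIL FROM:
dnl #   noexpn            - disable EXPN (list expansion)
dnl #   novrfy            - disable VRFY (address verification)
dnl #   noverb            - disable VERB (verbose mode)
dnl #   authwarnings      - add "X-Authentication-Warning:" headers
dnl #   noetrn            - clients may not force a queue run with ETRN
dnl #   restrictmailq     - restrict who may view the queue with mailq
dnl #   restrictqrun      - restrict who may force a queue run
dnl #   noactualrecipient - suppress "X-Actual-Recipient:" in DSN replies
dnl #                       (new in v8.14)
dnl # NOTE(review): "noreceipts" (suppress success DSNs) is deliberately
dnl # absent because confRRT_IMPLIES_DSN below relies on success DSNs;
dnl # see the caveat there.
define(`confPRIVACY_FLAGS', `needmailhelo,noexpn,novrfy,noverb,authwarnings,noetrn,restrictmailq,restrictqrun,noactualrecipient')dnl
dnl
dnl # Sendmail, Chap 24.9.85, Page 1036
dnl # Queue mail instead of delivering immediately when the load average
dnl # exceeds this value (see confDELAY_LA and confREFUSE_LA).
define(`confQUEUE_LA', `7')dnl
dnl
dnl # Sendmail, Chap 24.9.90, Page 1042
dnl # Refuse SMTP connections (port 25 only) when the load average exceeds
dnl # this value (see confDELAY_LA and confQUEUE_LA).
define(`confREFUSE_LA', `9')dnl
dnl
dnl # Sendmail, Chap 24.9.93, Page 1045
dnl # Treat the non-standard "Return-Receipt-To:" header as a DSN
dnl # NOTIFY=SUCCESS request. Written as an explicit True; the original
dnl # define() with no value was equivalent (an empty boolean is true).
dnl # NOTE(review): this honours a sender-controlled header, so any sender
dnl # can learn which recipients exist and were delivered to. If that is
dnl # not wanted, drop this option and add "noreceipts" to confPRIVACY_FLAGS.
define(`confRRT_IMPLIES_DSN', `True')dnl
dnl
dnl # Sendmail, Chapter 24.9.107, Page 1057
dnl # SuperSafe=true: always create and fsync the queue file before
dnl # accepting a message, even for local delivery. The alternative value
dnl # "interactive" skips some syncs and is only meaningful with interactive
dnl # delivery mode, which this file does not use.
define(`confSAFE_QUEUE', `true')dnl
dnl
dnl # New option in v8.14.1
dnl # When enabled, every permanent (5xy) rejection is returned as a
dnl # temporary (4xy) failure instead. Useful while testing new rejection
dnl # rules; never leave it on in production or blocked senders retry
dnl # forever.
dnl # define(`confSOFT_BOUNCE', `true')dnl
dnl
dnl # Sendmail, Chap 24.9.109.3, Page 1061
dnl # Wait at most 5 minutes (the RFC 5321 minimum) for the client's next
dnl # command, instead of the default 1 hour, so idle or stalled connections
dnl # do not hold daemon slots.
define(`confTO_COMMAND', `5m')dnl
dnl
dnl # Sendmail, Chap 24.9.109.6, Page 1062
dnl # Wait at most 3 minutes (RFC minimum) for the next DATA block, instead
dnl # of the default 1 hour.
define(`confTO_DATABLOCK', `3m')dnl
dnl
dnl # Sendmail, Chap 24.9.109.7, Page 1062
dnl # Wait at most 10 minutes (RFC minimum) for the reply to the final ".",
dnl # instead of the default 1 hour.
define(`confTO_DATAFINAL', `10m')dnl
dnl
dnl # Sendmail, Chap 24.9.109.13, Page 1065
dnl # Disable IDENT (RFC 1413) lookups. They hang against hosts that drop
dnl # port 113, and the answer is supplied by the client, so it carries no
dnl # security value anyway.
define(`confTO_IDENT', `0')dnl
dnl
dnl # Sendmail, Chap 24.9.109.18, Page 1066
dnl # Return a message as undeliverable after 3 days in the queue
dnl # (default 5 days).
define(`confTO_QUEUERETURN', `3d')dnl
dnl
dnl # Sendmail, Chap 24.9.109.19, Page 1067
dnl # Warn the sender after a message has sat undelivered for 6 hours
dnl # (default 4 hours).
define(`confTO_QUEUEWARN', `6h')dnl
dnl
dnl # Sendmail, Chap 24.9.120, Page 1077
dnl # Maximum size, in bytes, of a memory-buffered transcript (xf*) file
dnl # (default 4096; 0 disables buffering and is not recommended).
define(`confXF_BUFFER_SIZE', `16384')dnl
dnl
dnl ######################
dnl ## Features Section ##
dnl ######################
dnl # Legacy relay types this host never uses.
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
undefine(`DECNET_RELAY')dnl
undefine(`FAX_RELAY')dnl
dnl
dnl # Sendmail, Chap 7.5, Page 311
dnl # Access DB: per-client/sender/recipient accept, reject and relay
dnl # decisions. "-o" makes the map optional (the daemon starts without it).
dnl # "-T<TMPF>" appends the <TMPF> marker when a map lookup fails
dnl # temporarily; the access rulesets match that marker and answer 451
dnl # (defer) instead of treating the lookup as "no entry".
dnl # FIX(review): the original used a bare "-T" with no <TMPF> suffix, so
dnl # nothing was appended and a temporary lookup failure fell through to
dnl # default handling - e.g. a client that should have been REJECTed was
dnl # accepted. cf/README documents the flag as "-T<TMPF>".
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
dnl
dnl # New feature in v8.14.0
dnl # During RCPT TO:, take the domain part of the envelope sender and
dnl # require a corresponding MX record in DNS, stripping labels down to
dnl # domain.tld before giving up. An MX is required; an A record alone
dnl # does not satisfy the check.
dnl # FEATURE(`badmx')dnl
dnl
dnl # Sendmail, Chap 7.5.5, Page 317
dnl # Allow access-map blacklisting on a per-recipient basis.
FEATURE(`blacklist_recipients')dnl
dnl
dnl # New feature in v8.14.0
dnl # Despite the name, checked at MAIL FROM:. Rejects the session when the
dnl # HELO name the client gave matches anything in class $w - this host's
dnl # FQDN (host.domain.tld), short name, IP address, aliases from
dnl # /etc/hosts (e.g. "loghost", "localhost") or the loopback address.
dnl # A HELO with no "." or only one "." is also rejected.
dnl # FEATURE(`block_bad_helo')dnl
dnl
dnl # Sendmail, Chap 7.5.6, Page 318
dnl # Re-order the relay checks (requires FEATURE(`access_db') above):
dnl # check RCPT TO: first, then MAIL FROM:, and the connecting host last
dnl # (access map and DNSBLs). "friend" lets access-map entries override a
dnl # DNSBL listing; "n" turns off backwards compatibility with earlier
dnl # sendmail versions. Interacts with FEATURE(`conncontrol') and
dnl # FEATURE(`ratecontrol'), which must come AFTER this line.
FEATURE(`delay_checks', `friend', `n')dnl
dnl
dnl # Sendmail v8.13 Companion, Chap 4.1.8, Page 20
dnl # Enable "ClientConn:" access-map entries that limit how many
dnl # SIMULTANEOUS connections one client may hold. "nodelay" applies the
dnl # check at connect time rather than after RCPT TO: under delay_checks;
dnl # "terminate" drops a violating connection immediately instead of
dnl # waiting for the peer to close it. MUST appear AFTER delay_checks.
FEATURE(`conncontrol', `nodelay', `terminate')dnl
dnl
dnl # Sendmail, Chap 7.2.2, Page 297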
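dnl # Add the Spamhaus SBL with a custom reject message.
dnl # Affected by FEATURE(`delay_checks') (evaluated after RCPT TO:).
dnl # NOTE(review): Spamhaus public mirrors refuse queries that arrive via
dnl # open/public resolvers or exceed the free-use volume and answer with
dnl # error codes in 127.255.255.0/24 rather than listing data. With only
dnl # three arguments, enhdnsbl uses its default answer match; confirm in
dnl # the installed feature/enhdnsbl.m4 whether that default treats such
dnl # answers as "listed" (which would reject ALL inbound mail) and, if so,
dnl # pin the expected codes with the 5th+ arguments (e.g. `127.0.0.2.').
dnl # zen.spamhaus.org (SBL+XBL+PBL) is the usual single lookup for an MX.
FEATURE(`enhdnsbl',`sbl.spamhaus.org',`"ACCESS DENIED. Mail from " $&{client_addr} " refused based on information from http://www.spamhaus.org/SBL"')dnl
dnl
dnl # Sendmail, Chap 7.2.2, Page 297
dnl # NJABL BL with custom reject message - DISABLED.
dnl # FIX(review): NJABL ceased operation in 2013. Querying a retired zone
dnl # costs a DNS round-trip per connection for no benefit, and a retired
dnl # domain that is later repurposed or wildcarded would reject all inbound
dnl # mail. Kept only for history; delete once confirmed unused.
dnl # FEATURE(`enhdnsbl',`dnsbl.njabl.org',`"ACCESS DENIED. Mail from " $&{client_addr} " refused based on information from http://njabl.org"')dnl
dnl
dnl # Sendmail, Chap 7.2.2, Page 297
dnl # Add the CBL (AbuseAt) with a custom reject message.
dnl # Affected by FEATURE(`delay_checks').
dnl # NOTE(review): CBL data is now distributed as the Spamhaus XBL. Verify
dnl # that cbl.abuseat.org still answers for this host; otherwise replace
dnl # the SBL and CBL entries with a single zen.spamhaus.org lookup.
FEATURE(`enhdnsbl',`cbl.abuseat.org',`"ACCESS DENIED. Mail from " $&{client_addr} " refused based on information from http://cbl.abuseat.org"')dnl
dnl
dnl # Sendmail, Chap 7.2.2, Page 297
dnl # Add the SpamCop BL with a custom reject message.
dnl # Affected by FEATURE(`delay_checks').
dnl # NOTE(review): SpamCop describes its list as aggressive and intended
dnl # for scoring rather than outright rejection; weigh the false-positive
dnl # risk for this site before keeping it as a hard reject.
FEATURE(`enhdnsbl',`bl.spamcop.net',`"ACCESS DENIED. Mail from " $&{client_addr} " refused based on information from http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
dnl
dnl # Sendmail, Chap 4.8.16, Page 181
dnl # Generics table: re-write the sender of OUTGOING mail. "-o" makes the
dnl # map optional.
FEATURE(`genericstable', `hash -o /etc/mail/genericstable')dnl
dnl
dnl # New feature in v8.13.1 (not listed in the Companion)
dnl # Delay the SMTP banner by 5000 ms (5 s). Clients that start talking
dnl # before the banner ("pre-greeting traffic") are rejected, which catches
dnl # much spamware. This value is the default for every client; with
dnl # FEATURE(`access_db') it can be overridden per host or network through
dnl # "GreetPause:" entries in the access map (e.g. 0 for trusted relays).
FEATURE(`greet_pause', `5000')dnl
dnl
dnl # Sendmail, Chap 4.8.24, Page 188
dnl # Mailer table: per-domain delivery agent selection. "-o" makes the map
dnl # optional.
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
dnl
dnl # Sendmail, Chap 4.8.28, Page 192
dnl # Do not canonify addresses here; that is the MSA's job.
FEATURE(`nocanonify')dnl
dnl
dnl # Sendmail, Chap 4.8.30, Page 194
dnl # Do not start the default MSA listener on port 587 (inbound MX only).
FEATURE(`no_default_msa')dnl
dnl
dnl # Sendmail, Chap 4.8.32, Page 194
dnl # Disable all UUCP address handling and reject UUCP-style addresses.
FEATURE(`nouucp', `reject')dnl
dnl
dnl # Sendmail v8.13 Companion, Chap 4.1.8, Page 20
dnl # Enable "ClientRate:" access-map entries that limit how many NEW
dnl # connections a client may open per rate window (see
dnl # confCONNECTION_RATE_WINDOW_SIZE); conncontrol above limits
dnl # SIMULTANEOUS connections. "nodelay" applies the check at connect time
dnl # rather than after RCPT TO: under delay_checks; "terminate" drops a
dnl # violating connection immediately instead of waiting for the peer.
dnl # MUST appear AFTER FEATURE(`delay_checks').
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
dnl
dnl # New feature in v8.14.0
dnl # Require the connecting host to have a reverse DNS (PTR) record.
dnl # Evaluated at connect time (check_relay) after the access map. The PTR
dnl # is not validated against the forward A record nor compared with the
dnl # HELO name, so this is only a weak filter.
dnl # FEATURE(`require_rdns')dnl
dnl
dnl # Sendmail, Chap 4.8.47, Page 199
dnl # Read trusted users (allowed to set the envelope sender without an
dnl # X-Authentication-Warning) from /etc/mail/trusted-users. The file is
dnl # required by default; see Page 199.
FEATURE(`use_ct_file')dnl
dnl
dnl # Sendmail, Chap 4.8.51, Page 201
dnl # Virtual user table: per-domain address mapping. "-o" makes the map
dnl # optional.
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
dnl
dnl #######################
dnl ## Macro Definitions ##
dnl #######################
dnl # Sendmail, Chap 21.9.100, Page 834
dnl # Local tag appended to the configuration version string.
define(`confCF_VERSION', `host-001')dnl
dnl
dnl # Reply sent for connections rejected via the access DB.
define(`confREJECT_MSG', `550 Your mail has been rejected. Report problems to whitelist.request@somedomain.tld')dnl
dnl
dnl # Reply sent for relay attempts by unauthorized hosts.
define(`confRELAY_MSG', `550 Relay DENIED: report problems to whitelist.request@somedomain.tld')dnl
dnl
dnl # Sendmail, Chap 4.8.16.2, Page 183
dnl # Domains whose senders are re-written by the generics table. "-o"
dnl # makes the file optional.
GENERICS_DOMAIN_FILE(`-o /etc/mail/generic-domains')dnl
dnl
dnl #############
dnl ## Mailers ##
dnl #############
dnl # Per the Sendmail book (Chapter 4.2.2.2, page 152) do not change order.
MAILER(local)dnl
MAILER(smtp)dnl
dnl
dnl #############
dnl ## MILTERs ##
dnl #############
dnl # MILTER entry for MIMEDefang - uncomment to use.
dnl # See http://www.mimedefang.org for more information.
dnl # "F=T" fails closed: mail is temp-failed (not accepted unfiltered) when
dnl # the filter is unavailable.
dnl # INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/defang/MIMEDefang/mimedefang.sock, F=T, T=C:30m;S:30m;R:30m;E:30m')
dnl
dnl ##########################
dnl ## Local Config Section ##
dnl ##########################
dnl # Virtual-hosting domains are loaded straight into class {VirtHost}.
dnl # The built-in VIRTUSER_DOMAIN_FILE macro is deliberately NOT used: it
dnl # would also add these domains to RELAY_DOMAINS and turn this host into
dnl # a relay for them.
dnl # NOTE(review): the file is read at startup; if it may be absent, the
dnl # "F{VirtHost}-o /path" form makes it optional - confirm against the
dnl # installed release.
LOCAL_CONFIG
F{VirtHost}/etc/mail/virtuser.domains
dnl
dnl #########################
dnl ## Local Rules Section ##
dnl #########################
dnl # Per the Sendmail book (Chapter 4.2.2.2, page 153) LOCAL_RULES must
dnl # come AFTER the Mailers. See pages 158-159 and Chapters 19 and 25.
dnl # Place any host-specific rulesets here.
dnl # IMPORTANT: ruleset names should begin with a capital letter to avoid
dnl # collisions with sendmail's internal rulesets, and the delimiter
dnl # between rule fields is TAB - spaces will NOT work.
dnl
dnl ########################
dnl ## End of sendmail.mc ##
dnl ########################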