[Esd-l] security_notify_sender

Jason Noble sysadmin at polezero.com
Thu Feb 7 19:51:01 PST 2002


Yes my sendmail.cf has that exact line.
I'm sorry for bothering you. I'm in the middle of setting up 12 new PCs 
that need to be done tomorrow, plus i'm fighting this email problem...
not a good week.

my sendmail.cf is at the bottom... sorry for the hugh email, I wasn't sure 
what parts you might want to look at.

procmail version 3.22
sendmail version 8.11.6
John's mail sanitizer version 1.133

On 2002.02.07 14:34 Joe Steele wrote:
> On Thursday, February 07, 2002 11:11 AM, Jason Noble wrote:
> >
> > This is driving me crazy, everything I try, doesnt change it.
> > The ^From is always root. The message can be internal, external, on any
> > account, and the ^From is still root.
> > This mail server is doing some weird stuff.
> >
> 
> What does your local mailer definition look like in your sendmail.cf
> file?  Here's an example:
> 
> Mlocal,         P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=10/30,
> R=20/40,
>                 T=DNS/RFC822/X-Unix,
>                 A=procmail -Y -a $h -d $u
> 
> In this example, one of the mailer flags (after "F=") is 'n'.  This
> tells sendmail to NOT insert a unix style "From " line at the start
> of the message, leaving it up to procmail to generate the "From "
> line.  Another flag is 'f', which tells sendmail to add
> '-f <sendername>' to procmail's command line.  This will tell
> procmail to create a "From " line using <sendername>.
> 
> If the mailer flags had the 'n' but did not have 'f', then procmail
> would assume that the "From " line should be set from the user ID that
> is running the procmail process.  If procmail is running as root, the
> result would be "From root".
> 
> See if your local mailer definition does something different from
> above.
> 
> --Joe
> 

#
# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers.
#	All rights reserved.
# Copyright (c) 1983, 1995 Eric P. Allman.  All rights reserved.
# Copyright (c) 1988, 1993
#	The Regents of the University of California.  All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

######################################################################
######################################################################
#####
#####		SENDMAIL CONFIGURATION FILE
#####
#####
######################################################################
######################################################################

#####  $Id: cfhead.m4,v 8.76.4.15 2001/02/14 04:07:20 gshapiro Exp $  #####
#####  $Id: cf.m4,v 8.32 1999/02/07 07:26:14 gshapiro Exp $  #####

#####  linux setup for Red Hat Linux  #####
#####  $Id: linux.m4,v 8.11.16.2 2000/09/17 17:04:22 gshapiro Exp $  #####



#####  $Id: local_procmail.m4,v 8.21 1999/11/18 05:06:23 ca Exp $  #####



#####  $Id: no_default_msa.m4,v 8.1.10.1 2000/09/17 17:04:22 gshapiro Exp 
$  #####

#####  $Id: smrsh.m4,v 8.14 1999/11/18 05:06:23 ca Exp $  #####

#####  $Id: mailertable.m4,v 8.18 1999/07/22 17:55:35 gshapiro Exp $  #####

#####  $Id: virtusertable.m4,v 8.16 1999/07/22 17:55:36 gshapiro Exp $  
#####

#####  $Id: redirect.m4,v 8.15 1999/08/06 01:47:36 gshapiro Exp $  #####

#####  $Id: always_add_domain.m4,v 8.9 1999/02/07 07:26:08 gshapiro Exp $  
#####

#####  $Id: use_cw_file.m4,v 8.9 1999/02/07 07:26:13 gshapiro Exp $  #####


#####  $Id: use_ct_file.m4,v 8.9 1999/02/07 07:26:13 gshapiro Exp $  #####


#####  $Id: local_procmail.m4,v 8.21 1999/11/18 05:06:23 ca Exp $  #####

#####  $Id: access_db.m4,v 8.15 1999/07/22 17:55:34 gshapiro Exp $  #####

#####  $Id: blacklist_recipients.m4,v 8.13 1999/04/02 02:25:13 gshapiro 
Exp $  #####


#####  $Id: accept_unresolvable_domains.m4,v 8.10 1999/02/07 07:26:07 
gshapiro Exp $  #####


#####  $Id: proto.m4,v 8.446.2.5.2.38 2000/12/28 03:37:28 ca Exp $  #####


# level 9 config file format
V9/Berkeley

# override file safeties - setting this option compromises system security,
# addressing the actual file configuration problem is preferred
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe

# default LDAP map specification
# need to set this now before any LDAP maps are defined
#O LDAPDefaultSpec=-h localhost

##################
#   local info   #
##################
#CPprocmail

# file containing names of hosts for which we receive email
Fw/etc/mail/local-host-names

# my official domain name
# ... define this only if sendmail cannot automatically determine your 
domain
#Dj$w.Foo.COM

CP.

# "Smart" relay host (may be null)
DS


# operators that cannot be in local usernames (i.e., network indicators)
CO @ % !

# a class with just dot (for identifying canonical names)
C..

# a class with just a left bracket (for identifying domain literals)
C[[

# access_db acceptance class
C{Accept}OK RELAY





# Hosts for which relaying is permitted ($=R)
FR-o /etc/mail/relay-domains

# arithmetic map
Karith arith
# possible values for tls_connect in access map
C{tls}VERIFY ENCR

# who I send unqualified names to (null means deliver locally)
DR

# who gets all local email traffic ($R has precedence for unqualified 
names)
DH

# dequoting map
Kdequote dequote

# class E: names that should be exposed as from this host, even if we 
masquerade
# class L: names that should be delivered locally, even if we have a relay
# class M: domains that should be converted to $M
# class N: domains that should not be converted to $M
#CL root
C{E}root

# who I masquerade as (null for no masquerading) (see also $=M)
DM

# my name for error messages
DnMAILER-DAEMON


# Mailer table (overriding domains)
Kmailertable hash -o /etc/mail/mailertable

# Virtual user table (maps incoming users)
Kvirtuser hash -o /etc/mail/virtusertable

CPREDIRECT

# Access list database (for spam stomping)
Kaccess hash /etc/mail/access

# Configuration version number
DZ8.11.3


###############
#   Options   #
###############

# strip message body to 7 bits on input?
O SevenBitInput=False

# 8-bit data handling
O EightBitMode=pass8

# wait for alias file rebuild (default units: minutes)
O AliasWait=10

# location of alias file
O AliasFile=/etc/aliases

# minimum number of free blocks on filesystem
O MinFreeBlocks=100

# maximum message size
#O MaxMessageSize=1000000

# substitution for space (blank) characters
O BlankSub=.

# avoid connecting to "expensive" mailers on initial submission?
O HoldExpensive=False

# checkpoint queue runs after every N successful deliveries
#O CheckpointInterval=10

# default delivery mode
O DeliveryMode=background

# automatically rebuild the alias database?
# NOTE: There is a potential for a denial of service attack if this is set.
#       This option is deprecated and will be removed from a future 
version.
O AutoRebuildAliases

# error message header/file
#O ErrorHeader=/etc/mail/error-header

# error mode
#O ErrorMode=print

# save Unix-style "From_" lines at top of header?
#O SaveFromLine=False

# temporary file mode
O TempFileMode=0600

# match recipients against GECOS field?
#O MatchGECOS=False

# maximum hop count
#O MaxHopCount=17

# location of help file
O HelpFile=/etc/mail/helpfile

# ignore dots as terminators in incoming messages?
#O IgnoreDots=False

# name resolver options
#O ResolverOptions=+AAONLY

# deliver MIME-encapsulated error messages?
O SendMimeErrors=True

# Forward file search path
O ForwardPath=$z/.forward.$w:$z/.forward

# open connection cache size
O ConnectionCacheSize=2

# open connection cache timeout
O ConnectionCacheTimeout=5m

# persistent host status directory
#O HostStatusDirectory=.hoststat

# single thread deliveries (requires HostStatusDirectory)?
#O SingleThreadDelivery=False

# use Errors-To: header?
O UseErrorsTo=False

# log level
O LogLevel=9

# send to me too, even in an alias expansion?
#O MeToo=True

# verify RHS in newaliases?
O CheckAliases=False

# default messages to old style headers if no special punctuation?
O OldStyleHeaders=True

# SMTP daemon options

O DaemonPortOptions=Port=smtp, Name=MTA

# SMTP client options
#O ClientPortOptions=Address=0.0.0.0

# privacy flags
O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun

# who (if anyone) should get extra copies of error messages
#O PostmasterCopy=Postmaster

# slope of queue-only function
#O QueueFactor=600000

# queue directory
O QueueDirectory=/var/spool/mqueue

# timeouts (many of these)
#O Timeout.initial=5m
O Timeout.connect=1m
#O Timeout.iconnect=5m
#O Timeout.helo=5m
#O Timeout.mail=10m
#O Timeout.rcpt=1h
#O Timeout.datainit=5m
#O Timeout.datablock=1h
#O Timeout.datafinal=1h
#O Timeout.rset=5m
#O Timeout.quit=2m
#O Timeout.misc=2m
#O Timeout.command=1h
#O Timeout.ident=5s
#O Timeout.fileopen=60s
#O Timeout.control=2m
O Timeout.queuereturn=5d
#O Timeout.queuereturn.normal=5d
#O Timeout.queuereturn.urgent=2d
#O Timeout.queuereturn.non-urgent=7d
O Timeout.queuewarn=4h
#O Timeout.queuewarn.normal=4h
#O Timeout.queuewarn.urgent=1h
#O Timeout.queuewarn.non-urgent=12h
#O Timeout.hoststatus=30m
#O Timeout.resolver.retrans=5s
#O Timeout.resolver.retrans.first=5s
#O Timeout.resolver.retrans.normal=5s
#O Timeout.resolver.retry=4
#O Timeout.resolver.retry.first=4
#O Timeout.resolver.retry.normal=4

# should we not prune routes in route-addr syntax addresses?
#O DontPruneRoutes=False

# queue up everything before forking?
O SuperSafe=True

# status file
O StatusFile=/var/log/sendmail.st

# time zone handling:
#  if undefined, use system default
#  if defined but null, use TZ envariable passed in
#  if defined and non-null, use that info
#O TimeZoneSpec=

# default UID (can be username or userid:groupid)
O DefaultUser=8:12

# list of locations of user database file (null means no lookup)
O UserDatabaseSpec=/etc/mail/userdb.db

# fallback MX host
#O FallbackMXhost=fall.back.host.net

# if we are the best MX host for a site, try it directly instead of config 
err
O TryNullMXList=true

# load average at which we just queue messages
#O QueueLA=8

# load average at which we refuse connections
#O RefuseLA=12

# maximum number of children we allow at one time
#O MaxDaemonChildren=12

# maximum number of new connections per second
#O ConnectionRateThrottle=0

# work recipient factor
#O RecipientFactor=30000

# deliver each queued job in a separate process?
#O ForkEachJob=False

# work class factor
#O ClassFactor=1800

# work time factor
#O RetryFactor=90000

# shall we sort the queue by hostname first?
#O QueueSortOrder=priority

# minimum time in queue before retry
#O MinQueueAge=30m

# default character set
#O DefaultCharSet=iso-8859-1

# service switch file (ignored on Solaris, Ultrix, OSF/1, others)
#O ServiceSwitchFile=/etc/mail/service.switch

# hosts file (normally /etc/hosts)
#O HostsFile=/etc/hosts

# dialup line delay on connection failure
#O DialDelay=10s

# action to take if there are no recipients in the message
#O NoRecipientAction=add-to-undisclosed

# chrooted environment for writing to files
#O SafeFileEnvironment=/arch

# are colons OK in addresses?
#O ColonOkInAddr=True

# how many jobs can you process in the queue?
#O MaxQueueRunSize=10000

# shall I avoid expanding CNAMEs (violates protocols)?
#O DontExpandCnames=False

# SMTP initial login message (old $e macro)
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

# UNIX initial From header format (old $l macro)
O UnixFromLine=From $g $d

# From: lines that have embedded newlines are unwrapped onto one line
#O SingleLineFromHeader=False

# Allow HELO SMTP command that does not include a host name
#O AllowBogusHELO=False

# Characters to be quoted in a full name phrase (@,;:\()[] are automatic)
#O MustQuoteChars=.

# delimiter (operator) characters (old $o macro)
O OperatorChars=.:%@!^/[]+

# shall I avoid calling initgroups(3) because of high NIS costs?
#O DontInitGroups=False

# are group-writable :include: and .forward files (un)trustworthy?
#O UnsafeGroupWrites=True

# where do errors that occur when sending errors get sent?
#O DoubleBounceAddress=postmaster

# where to save bounces if all else fails
#O DeadLetterDrop=/var/tmp/dead.letter

# what user id do we assume for the majority of the processing?
#O RunAsUser=sendmail

# maximum number of recipients per SMTP envelope
#O MaxRecipientsPerMessage=100

# shall we get local names from our installed interfaces?
O DontProbeInterfaces=true

# Return-Receipt-To: header implies DSN request
#O RrtImpliesDsn=False

# override connection address (for testing)
#O ConnectOnlyTo=0.0.0.0

# Trusted user for file ownership and starting the daemon
#O TrustedUser=root

# Control socket for daemon management
#O ControlSocketName=/var/spool/mqueue/.control

# Maximum MIME header length to protect MUAs
#O MaxMimeHeaderLength=0/0

# Maximum length of the sum of all headers
#O MaxHeadersLength=32768

# Maximum depth of alias recursion
#O MaxAliasRecursion=10

# location of pid file
#O PidFile=/var/run/sendmail.pid

# Prefix string for the process title shown on 'ps' listings
#O ProcessTitlePrefix=prefix

# Data file (df) memory-buffer file maximum size
#O DataFileBufferSize=4096

# Transcript file (xf) memory-buffer file maximum size
#O XscriptFileBufferSize=4096

# list of authentication mechanisms
#O AuthMechanisms=GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

# default authentication information for outgoing connections
#O DefaultAuthInfo=/etc/mail/default-auth-info

# SMTP AUTH flags
O AuthOptions=A



# CA directory
#O CACERTPath
# CA file
#O CACERTFile
# Server Cert
#O ServerCertFile
# Server private key
#O ServerKeyFile
# Client Cert
#O ClientCertFile
# Client private key
#O ClientKeyFile
# DHParameters (only required if DSA/DH is used)
#O DHParameters
# Random data source (required for systems without /dev/urandom under 
OpenSSL)
#O RandFile



###########################
#   Message precedences   #
###########################

Pfirst-class=0
Pspecial-delivery=100
Plist=-30
Pbulk=-60
Pjunk=-100

#####################
#   Trusted users   #
#####################

# this is equivalent to setting class "t"
Ft/etc/mail/trusted-users
Troot
Tdaemon
Tuucp

#########################
#   Format of headers   #
#########################

H?P?Return-Path: <$g>
HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
	$.$?{auth_type}(authenticated$?{auth_ssf} (${auth_ssf} bits)$.)
	$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}
	(using ${tls_version} with cipher ${cipher} (${cipher_bits} bits) 
verified ${verify})$.$?u
	for $u; $|;
	$.$b
H?D?Resent-Date: $a
H?D?Date: $a
H?F?Resent-From: $?x$x <$g>$|$g$.
H?F?From: $?x$x <$g>$|$g$.
H?x?Full-Name: $x
# HPosted-Date: $a
# H?l?Received-Date: $b
H?M?Resent-Message-Id: <$t.$i@$j>
H?M?Message-Id: <$t.$i@$j>

#
######################################################################
######################################################################
#####
#####			REWRITING RULES
#####
######################################################################
######################################################################

############################################
###  Ruleset 3 -- Name Canonicalization  ###
############################################
Scanonify=3

# handle null input (translate to <@> special case)
R$@			$@ <@>

# strip group: syntax (not inside angle brackets!) and trailing semicolon
R$*			$: $1 <@>			mark addresses
R$* < $* > $* <@>	$: $1 < $2 > $3			unmark <addr>
R@ $* <@>		$: @ $1				unmark @host:...
R$* :: $* <@>		$: $1 :: $2			unmark node::addr
R:include: $* <@>	$: :include: $1			unmark :include:...
R$* [ IPv6 $- ] <@>	$: $1 [ IPv6 $2 ]		unmark IPv6 addr
R$* : $* [ $* ]		$: $1 : $2 [ $3 ] <@>		remark if leading 
colon
R$* : $* <@>		$: $2				strip colon if 
marked
R$* <@>			$: $1				unmark
R$* ;			   $1				strip trailing semi
R$* < $+ :; > $*	$@ $2 :; <@>			catch <list:;>
R$* < $* ; >		   $1 < $2 >			bogus bracketed 
semi

# null input now results from list:; syntax
R$@			$@ :; <@>

# strip angle brackets -- note RFC733 heuristic to get innermost item
R$*			$: < $1 >			housekeeping <>
R$+ < $* >		   < $2 >			strip excess on 
left
R< $* > $+		   < $1 >			strip excess on 
right
R<>			$@ < @ >			MAIL FROM:<> case
R< $+ >			$: $1				remove 
housekeeping <>

# strip route address <@a, at b, at c:user at d> -> <user at d>
R@ $+ , $+		$2
R@ $+ : $+		$2

# find focus for list syntax
R $+ : $* ; @ $+	$@ $>Canonify2 $1 : $2 ; < @ $3 >	list syntax
R $+ : $* ;		$@ $1 : $2;			list syntax

# find focus for @ syntax addresses
R$+ @ $+		$: $1 < @ $2 >			focus on domain
R$+ < $+ @ $+ >		$1 $2 < @ $3 >			move gaze right
R$+ < @ $+ >		$@ $>Canonify2 $1 < @ $2 >	already canonical

# do some sanity checking
R$* < @ $* : $* > $*	$1 < @ $2 $3 > $4		nix colons in addrs

# convert old-style addresses to a domain-based address
R$- ! $+		$@ $>Canonify2 $2 < @ $1 .UUCP >	resolve 
uucp names
R$+ . $- ! $+		$@ $>Canonify2 $3 < @ $1 . $2 >		domain 
uucps
R$+ ! $+		$@ $>Canonify2 $2 < @ $1 .UUCP >	uucp 
subdomains

# if we have % signs, take the rightmost one
R$* % $*		$1 @ $2				First make them 
all @s.
R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the 
last.
R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and 
finish

# else we must be a local name
R$*			$@ $>Canonify2 $1


################################################
###  Ruleset 96 -- bottom half of ruleset 3  ###
################################################

SCanonify2=96

# handle special cases for local names
R$* < @ localhost > $*		$: $1 < @ $j . > $2		no domain 
at all
R$* < @ localhost . $m > $*	$: $1 < @ $j . > $2		local 
domain
R$* < @ localhost . UUCP > $*	$: $1 < @ $j . > $2		.UUCP 
domain

# check for IPv6 domain literal (save quoted form)
R$* < @ [ IPv6 $- ] > $*	$: $2 $| $1 < @@ [ $(dequote $2 $) ] > 
$3	mark IPv6 addr
R$- $| $* < @@ $=w > $*		$: $2 < @ $j . > $4		 
self-literal
R$- $| $* < @@ [ $+ ] > $*	$@ $2 < @ [ IPv6 $1 ] > $4	canon IP 
addr

# check for IPv4 domain literal
R$* < @ [ $+ ] > $*		$: $1 < @@ [ $2 ] > $3		mark 
[a.b.c.d]
R$* < @@ $=w > $*		$: $1 < @ $j . > $3		 
self-literal
R$* < @@ $+ > $*		$@ $1 < @ $2 > $3		canon IP 
addr





# if really UUCP, handle it immediately

# try UUCP traffic as a local address
R$* < @ $+ . UUCP > $*		$: $1 < @ $[ $2 $] . UUCP . > $3
R$* < @ $+ . . UUCP . > $*	$@ $1 < @ $2 . > $3

# hostnames ending in class P are always canonical
R$* < @ $* $=P > $*		$: $1 < @ $2 $3 . > $4
R$* < @ $* $~P > $*		$: $&{daemon_flags} $| $1 < @ $2 $3 > $4
R$* CC $* $| $* < @ $+.$+ > $*	$: $3 < @ $4.$5 . > $6
R$* CC $* $| $*			$: $3
# pass to name server to make hostname canonical
R$* $| $* < @ $* > $*		$: $2 < @ $[ $3 $] > $4
R$* $| $*			$: $2

# local host aliases and pseudo-domains are always canonical
R$* < @ $=w > $*		$: $1 < @ $2 . > $3
R$* < @ $=M > $*		$: $1 < @ $2 . > $3
R$* < @ $={VirtHost} > $* 	$: $1 < @ $2 . > $3
R$* < @ $* . . > $*		$1 < @ $2 . > $3


##################################################
###  Ruleset 4 -- Final Output Post-rewriting  ###
##################################################
Sfinal=4

R$+ :; <@>		$@ $1 :				handle <list:;>
R$* <@>			$@				handle <> and 
list:;

# strip trailing dot off possibly canonical name
R$* < @ $+ . > $*	$1 < @ $2 > $3

# eliminate internal code
R$* < @ *LOCAL* > $*	$1 < @ $j > $2

# externalize local domain info
R$* < $+ > $*		$1 $2 $3			defocus
R@ $+ : @ $+ : $+	@ $1 , @ $2 : $3		<route-addr> 
canonical
R@ $*			$@ @ $1				... and exit

# UUCP must always be presented in old form
R$+ @ $- . UUCP		$2!$1				u at h.UUCP => h!u

# delete duplicate local names
R$+ % $=w @ $=w		$1 @ $2				u%host at host => 
u at host



##############################################################
###   Ruleset 97 -- recanonicalize and call ruleset zero   ###
###		   (used for recursive calls)		   ###
##############################################################

SRecurse=97
R$*			$: $>canonify $1
R$*			$@ $>parse $1


######################################
###   Ruleset 0 -- Parse Address   ###
######################################

Sparse=0

R$*			$: $>Parse0 $1		initial parsing
R<@>			$#local $: <@>		special case error msgs
R$*			$: $>ParseLocal $1	handle local hacks
R$*			$: $>Parse1 $1		final parsing

#
#  Parse0 -- do initial syntax checking and eliminate local addresses.
#	This should either return with the (possibly modified) input
#	or return with a #error mailer.  It should not return with a
#	#mailer other than the #error mailer.
#

SParse0
R<@>			$@ <@>			special case error msgs
R$* : $* ; <@>		$#error $@ 5.1.3 $: "501 List:; syntax illegal for 
recipient addresses"
R@ <@ $* >		< @ $1 >		catch "@@host" bogosity
R<@ $+>			$#error $@ 5.1.3 $: "501 User address required"
R$*			$: <> $1
R<> $* < @ [ $+ ] > $*	$1 < @ [ $2 ] > $3
R<> $* <$* : $* > $*	$#error $@ 5.1.3 $: "501 Colon illegal in host 
name part"
R<> $*			$1
R$* < @ . $* > $*	$#error $@ 5.1.2 $: "501 Invalid host name"
R$* < @ $* .. $* > $*	$#error $@ 5.1.2 $: "501 Invalid host name"
R$* , $~O $*		$#error $@ 5.1.2 $: "501 Invalid route address"

# now delete the local info -- note $=O to find characters that cause 
forwarding
R$* < @ > $*		$@ $>Parse0 $>canonify $1	user@ => user
R< @ $=w . > : $*	$@ $>Parse0 $>canonify $2	@here:... -> ...
R$- < @ $=w . >		$: $(dequote $1 $) < @ $2 . >	dequote "foo"@here
R< @ $+ >		$#error $@ 5.1.3 $: "501 User address required"
R$* $=O $* < @ $=w . >	$@ $>Parse0 $>canonify $1 $2 $3	... at here -> ...
R$- 			$: $(dequote $1 $) < @ *LOCAL* >	dequote 
"foo"
R< @ *LOCAL* >		$#error $@ 5.1.3 $: "501 User address required"
R$* $=O $* < @ *LOCAL* >
			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
R$* < @ *LOCAL* >	$: $1

#
#  Parse1 -- the bottom half of ruleset 0.
#

SParse1

# handle numeric address spec
R$* < @ [ $+ ] > $*	$: $>ParseLocal $1 < @ [ $2 ] > $3	numeric 
internet spec
R$* < @ [ $+ ] > $*	$1 < @ [ $2 ] : $S > $3		Add smart host to 
path
R$* < @ [ IPv6 $- ] : > $*
		$#esmtp $@ [ $(dequote $2 $) ] $: $1 < @ [IPv6 $2 ] > 
$3	no smarthost: send
R$* < @ [ $+ ] : > $*	$#esmtp $@ [$2] $: $1 < @ [$2] > $3	no 
smarthost: send
R$* < @ [ $+ ] : $- : $*> $*	$#$3 $@ $4 $: $1 < @ [$2] > $5	smarthost 
with mailer
R$* < @ [ $+ ] : $+ > $*	$#esmtp $@ $3 $: $1 < @ [$2] > $4	 
smarthost without mailer

# handle virtual users
R$+			$: <!> $1		Mark for lookup
R<!> $+ < @ $={VirtHost} . > 	$: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 
< @ $2 . >
R<!> $+ < @ $=w . > 	$: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 
. >
R<@> $+ + $* < @ $* . >
			$: < $(virtuser $1 + * @ $3 $@ $1 $@ $2 $: @ $) > 
$1 + $2 < @ $3 . >
R<@> $+ + $* < @ $* . >
			$: < $(virtuser $1 @ $3 $@ $1 $: @ $) > $1 + $2 < 
@ $3 . >
R<@> $+ + $+ < @ $+ . >	$: < $(virtuser + * @ $3 $@ $1 $@ $2 $: @ $) > $1 
+ $2 < @ $3 . >
R<@> $+ + $* < @ $+ . >	$: < $(virtuser @ $3 $@ $1 $@ $2 $: @ $) > $1 + $2 
< @ $3 . >
R<@> $+ < @ $+ . >	$: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+			$: $1
R<!> $+			$: $1
R< error : $-.$-.$- : $+ > $* 	$#error $@ $1.$2.$3 $: $4
R< error : $- $+ > $* 	$#error $@ $(dequote $1 $) $: $2
R< $+ > $+ < @ $+ >	$: $>Recurse $1

# short circuit local delivery so forwarded email works


R$=L < @ $=w . >	$#local $: @ $1			special local names
R$+ < @ $=w . >		$#local $: $1			regular local name

# not local -- try mailer table lookup
R$* <@ $+ > $*		$: < $2 > $1 < @ $2 > $3	extract host name
R< $+ . > $*		$: < $1 > $2			strip trailing dot
R< $+ > $*		$: < $(mailertable $1 $) > $2	lookup
R< $~[ : $* > $* 	$>MailerToTriple < $1 : $2 > $3		check -- 
resolved?
R< $+ > $*		$: $>Mailertable <$1> $2		try domain

# resolve remotely connected UUCP links (if any)

# resolve fake top level domains by forwarding to other hosts



# pass names that still have a host to a smarthost (if defined)
R$* < @ $* > $*		$: $>MailerToTriple < $S > $1 < @ $2 > $3	 
glue on smarthost name

# deal with other remote names
R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user at host.domain

# handle locally delivered names
R$=L			$#local $: @ $1		special local names
R$+			$#local $: $1			regular local names

###########################################################################
###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
###########################################################################

SLocal_localaddr
Slocaladdr=5
R$+			$: $1 $| $>"Local_localaddr" $1
R$+ $| $#$*		$#$2
R$+ $| $*		$: $1




# deal with plussed users so aliases work nicely
R$+ + *			$#local $@ $&h $: $1
R$+ + $*		$#local $@ + $2 $: $1 + *

# prepend an empty "forward host" on the front
R$+			$: <> $1


# see if we have a relay or a hub
R< > $+			$: < $H > $1			try hub
R< > $+			$: < $R > $1			try relay

R< > $+			$: < > < $1 <> $&h >		nope, restore 
+detail
R< > < $+ <> + $* >	$: < > < $1 + $2 >		check whether 
+detail
R< > < $+ <> $* >	$: < > < $1 >			else discard
R< > < $+ + $* > $*	   < > < $1 > + $2 $3		find the user part
R< > < $+ > + $*	$#local $@ $2 $: @ $1		strip the extra +
R< > < $+ >		$@ $1				no +detail
R$+			$: $1 <> $&h			add +detail back in
R$+ <> + $*		$: $1 + $2			check whether 
+detail
R$+ <> $*		$: $1				else discard
R< local : $* > $*	$: $>MailerToTriple < local : $1 > $2	no host 
extension
R< error : $* > $*	$: $>MailerToTriple < error : $1 > $2	no host 
extension
R< $- : $+ > $+		$: $>MailerToTriple < $1 : $2 > $3 < @ $2 >
R< $+ > $+		$@ $>MailerToTriple < $1 > $2 < @ $1 >

###################################################################
###  Ruleset 90 -- try domain part of mailertable entry 	###
###################################################################

SMailertable=90
R$* <$- . $+ > $*	$: $1$2 < $(mailertable .$3 $@ $1$2 $@ $2 $) > $4
R$* <$~[ : $* > $*	$>MailerToTriple < $2 : $3 > $4		check -- 
resolved?
R$* < . $+ > $* 	$@ $>Mailertable $1 . <$2> $3		no -- 
strip & try again
R$* < $* > $*		$: < $(mailertable . $@ $1$2 $) > $3	try "."
R< $~[ : $* > $*	$>MailerToTriple < $1 : $2 > $3		"." found?
R< $* > $*		$@ $2				no mailertable 
match

###################################################################
###  Ruleset 95 -- canonify mailer:[user@]host syntax to triple	###
###################################################################

SMailerToTriple=95
R< > $*				$@ $1			strip off null 
relay
R< error : $-.$-.$- : $+ > $* 	$#error $@ $1.$2.$3 $: $4
R< error : $- $+ > $*		$#error $@ $(dequote $1 $) $: $2
R< local : $* > $*		$>CanonLocal < $1 > $2
R< $- : $+ @ $+ > $*<$*>$*	$# $1 $@ $3 $: $2<@$3>	use literal user
R< $- : $+ > $*			$# $1 $@ $2 $: $3	try qualified 
mailer
R< $=w > $*			$@ $2			delete local host
R< [ IPv6 $+ ] > $*		$#relay $@ $(dequote $1 $) $: $2	 
use unqualified mailer
R< $+ > $*			$#relay $@ $1 $: $2	use unqualified 
mailer

###################################################################
###  Ruleset CanonLocal -- canonify local: syntax		###
###################################################################

SCanonLocal
# strip local host from routed addresses
R< $* > < @ $+ > : $+		$@ $>Recurse $3
R< $* > $+ $=O $+ < @ $+ >	$@ $>Recurse $2 $3 $4

# strip trailing dot from any host name that may appear
R< $* > $* < @ $* . >		$: < $1 > $2 < @ $3 >

# handle local: syntax -- use old user, either with or without host
R< > $* < @ $* > $*		$#local $@ $1@$2 $: $1
R< > $+				$#local $@ $1    $: $1

# handle local:user at host syntax -- ignore host part
R< $+ @ $+ > $* < @ $* >	$: < $1 > $3 < @ $4 >

# handle local:user syntax
R< $+ > $* <@ $* > $*		$#local $@ $2@$3 $: $1
R< $+ > $* 			$#local $@ $2    $: $1

###################################################################
###  Ruleset 93 -- convert header names to masqueraded form	###
###################################################################

SMasqHdr=93


# do not masquerade anything in class N
R$* < @ $* $=N . >	$@ $1 < @ $2 $3 . >

# special case the users that should be exposed
R$=E < @ *LOCAL* >	$@ $1 < @ $j . >		leave exposed
R$=E < @ $=M . >	$@ $1 < @ $2 . >
R$=E < @ $=w . >	$@ $1 < @ $2 . >

# handle domain-specific masquerading
R$* < @ $=M . > $*	$: $1 < @ $2 . @ $M > $3	convert 
masqueraded doms
R$* < @ $=w . > $*	$: $1 < @ $2 . @ $M > $3
R$* < @ *LOCAL* > $*	$: $1 < @ $j . @ $M > $2
R$* < @ $+ @ > $*	$: $1 < @ $2 > $3		$M is null
R$* < @ $+ @ $+ > $*	$: $1 < @ $3 . > $4		$M is not null

###################################################################
###  Ruleset 94 -- convert envelope names to masqueraded form	###
###################################################################

SMasqEnv=94
R$* < @ *LOCAL* > $*	$: $1 < @ $j . > $2

###################################################################
###  Ruleset 98 -- local part of ruleset zero (can be null)	###
###################################################################

SParseLocal=98

# addresses sent to foo at host.REDIRECT will give a 551 error code
R$* < @ $+ .REDIRECT. >		$: $1 < @ $2 . REDIRECT . > < ${opMode} >
R$* < @ $+ .REDIRECT. > <i>	$: $1 < @ $2 . REDIRECT. >
R$* < @ $+ .REDIRECT. > < $- >	$#error $@ 5.1.1 $: "551 User has moved; 
please try " <$1@$2>




######################################################################
###  LookUpDomain -- search for domain in access database
###
###	Parameters:
###		<$1> -- key (domain name)
###		<$2> -- default (what to return if not found in db)
###		<$3> -- passthru (additional data passed unchanged through)
###		<$4> -- mark (must be <(!|+) single-token>)
###			! does lookup only with tag
###			+ does lookup with and without tag
######################################################################

SLookUpDomain
R<[IPv6 $-]> <$+> <$*> <$*>	$: <[$(dequote $1 $)]> <$2> <$3> <$4>
R<$*> <$+> <$*> <$- $->		$: < $(access $5:$1 $: ? $) > <$1> <$2> 
<$3> <$4 $5>
R<?> <$+> <$+> <$*> <+ $*>	$: < $(access $1 $: ? $) > <$1> <$2> <$3> 
<+ $4>
R<?> <[$+.$-]> <$+> <$*> <$*>	$@ $>LookUpDomain <[$1]> <$3> <$4> <$5>
R<?> <[$+::$-]> <$+> <$*> <$*>	$: $>LookUpDomain <[$1]> <$3> <$4> <$5>
R<?> <[$+:$-]> <$+> <$*> <$*>	$: $>LookUpDomain <[$1]> <$3> <$4> <$5>
R<?> <$+.$+> <$+> <$*> <$*>	$@ $>LookUpDomain <$2> <$3> <$4> <$5>
R<?> <$+> <$+> <$*> <$*>	$@ <$2> <$3>
R<$*> <$+> <$+> <$*> <$*>	$@ <$1> <$4>

######################################################################
###  LookUpAddress -- search for host address in access database
###
###	Parameters:
###		<$1> -- key (dot quadded host address)
###		<$2> -- default (what to return if not found in db)
###		<$3> -- passthru (additional data passed through)
###		<$4> -- mark (must be <(!|+) single-token>)
###			! does lookup only with tag
###			+ does lookup with and without tag
######################################################################

SLookUpAddress
R<$+> <$+> <$*> <$- $+>		$: < $(access $5:$1 $: ? $) > <$1> <$2> 
<$3> <$4 $5>
R<?> <$+> <$+> <$*> <+ $+>	$: < $(access $1 $: ? $) > <$1> <$2> <$3> 
<+ $4>
R<?> <$+::$-> <$+> <$*> <$*>	$@ $>LookUpAddress <$1> <$3> <$4> <$5>
R<?> <$+:$-> <$+> <$*> <$*>	$@ $>LookUpAddress <$1> <$3> <$4> <$5>
R<?> <$+.$-> <$+> <$*> <$*>	$@ $>LookUpAddress <$1> <$3> <$4> <$5>
R<?> <$+> <$+> <$*> <$*>	$@ <$2> <$3>
R<$*> <$+> <$+> <$*> <$*>	$@ <$1> <$4>

######################################################################
###  CanonAddr --	Convert an address into a standard form for
###			relay checking.  Route address syntax is
###			crudely converted into a %-hack address.
###
###	Parameters:
###		$1 -- full recipient address
###
###	Returns:
###		parsed address, not in source route form
######################################################################

SCanonAddr
R$*			$: $>Parse0 $>canonify $1	make domain 
canonical


######################################################################
###  ParseRecipient --	Strip off hosts in $=R as well as possibly
###			$* $=m or the access database.
###			Check user portion for host separators.
###
###	Parameters:
###		$1 -- full recipient address
###
###	Returns:
###		parsed, non-local-relaying address
######################################################################

SParseRecipient
R$*				$: <?> $>CanonAddr $1
R<?> $* < @ $* . >		<?> $1 < @ $2 >			strip 
trailing dots
R<?> $- < @ $* >		$: <?> $(dequote $1 $) < @ $2 >	dequote 
local part

# if no $=O character, no host in the user portion, we are done
R<?> $* $=O $* < @ $* >		$: <NO> $1 $2 $3 < @ $4>
R<?> $*				$@ $1



R<NO> $* < @ $* $=R >		$: <RELAY> $1 < @ $2 $3 >
R<NO> $* < @ $+ >		$: $>LookUpDomain <$2> <NO> <$1 < @ $2 >> 
<+To>
R<$+> <$+>			$: <$1> $2


R<RELAY> $* < @ $* >		$@ $>ParseRecipient $1
R<$-> $*			$@ $2


######################################################################
###  check_relay -- check hostname/address on SMTP startup
######################################################################

SLocal_check_relay
Scheck_relay
R$*			$: $1 $| $>"Local_check_relay" $1
R$* $| $* $| $#$*	$#$3
R$* $| $* $| $*		$@ $>"Basic_check_relay" $1 $| $2

SBasic_check_relay
# check for deferred delivery mode
R$*			$: < ${deliveryMode} > $1
R< d > $*		$@ deferred
R< $* > $*		$: $2

R$+ $| $+		$: $>LookUpDomain < $1 > <?> < $2 > <+Connect>
R<?> <$+>		$: $>LookUpAddress < $1 > <?> < $1 > <+Connect>	 
no: another lookup
R<?> < $+ >		$: $1					found 
nothing
R<$={Accept}> < $* >	$@ $1				return value of 
lookup
R<REJECT> $*		$#error $@ 5.7.1 $: "550 Access denied"
R<DISCARD> $*		$#discard $: discard
R<ERROR:$-.$-.$-:$+> <$*>	$#error $@ $1.$2.$3 $: $4
R<ERROR:$+> <$*>		$#error $: $1
R<$+> <$*>		$#error $: $1



######################################################################
###  check_mail -- check SMTP `MAIL FROM:' command argument
######################################################################

SLocal_check_mail
Scheck_mail
R$*			$: $1 $| $>"Local_check_mail" $1
R$* $| $#$*		$#$2
R$* $| $*		$@ $>"Basic_check_mail" $1

SBasic_check_mail
# check for deferred delivery mode
R$*			$: < ${deliveryMode} > $1
R< d > $*		$@ deferred
R< $* > $*		$: $2

# authenticated?
R$*			$: $1 $| $>"tls_client" $&{verify} $| MAIL
R$* $| $#$+		$#$2
R$* $| $*		$: $1

R<>			$@ <OK>			we MUST accept <> (RFC 
1123)
R$+			$: <?> $1
R<?><$+>		$: <@> <$1>
R<?>$+			$: <@> <$1>
R$*			$: $&{daemon_flags} $| $1
R$* f $* $| <@> < $* @ $- >	$: < ? $&{client_name} > < $3 @ $4 >
R$* u $* $| <@> < $* >	$: <?> < $3 >
R$* $| $*		$: $2
# handle case of @localhost on address
R<@> < $* @ localhost >	$: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
			$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ localhost.$m >
			$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
			$: < ? $&{client_name} > < $1 @ localhost.UUCP >
R<@> $*			$: $1			no localhost as domain
R<? $=w> $*		$: $2			local client: ok
R<? $+> <$+>		$#error $@ 5.5.4 $: "501 Real domain name required 
for sender address"
R<?> $*			$: $1
R$*			$: <?> $>CanonAddr $1		canonify sender 
address and mark it
R<?> $* < @ $+ . >	<?> $1 < @ $2 >			strip trailing dots
# handle non-DNS hostnames (*.bitnet, *.decnet, *.uucp, etc)
R<?> $* < @ $* $=P >	$: <OK> $1 < @ $2 $3 >
R<?> $* < @ $+ >	$: <OK> $1 < @ $2 >		... unresolvable OK

# check sender address: user at address, user@, address
R<$+> $+ < @ $* >	$: @<$1> <$2 < @ $3 >> $| <F:$2@$3> <U:$2@> <H:$3>
R<$+> $+		$: @<$1> <$2> $| <U:$2@>
R@ <$+> <$*> $| <$+>	$: <@> <$1> <$2> $| $>SearchList <+From> $| <$3> <>
R<@> <$+> <$*> $| <$*>	$: <$3> <$1> <$2>		reverse result
# retransform for further use
R<?> <$+> <$*>		$: <$1> $2	no match
R<$+> <$+> <$*>		$: <$1> $3	relevant result, keep it

# handle case of no @domain on address
R<?> $*			$: $&{daemon_flags} $| <?> $1
R$* u $* $| <?> $*	$: <OK> $3
R$* $| $*		$: $2
R<?> $*			$: < ? $&{client_name} > $1
R<?> $*			$@ <OK>				...local unqualed 
ok
R<? $+> $*		$#error $@ 5.5.4 $: "501 Domain name required for 
sender address " $&f
							...remote is not
# check results
R<?> $*			$: @ $1		mark address: nothing known about 
it
R<OK> $*		$@ <OK>
R<TEMP> $*		$#error $@ 4.1.8 $: "451 Domain of sender address 
" $&f " does not resolve"
R<PERM> $*		$#error $@ 5.1.8 $: "501 Domain of sender address 
" $&f " does not exist"
R<$={Accept}> $*	$# $1
R<DISCARD> $*		$#discard $: discard
R<REJECT> $*		$#error $@ 5.7.1 $: "550 Access denied"
R<ERROR:$-.$-.$-:$+> $*		$#error $@ $1.$2.$3 $: $4
R<ERROR:$+> $*		$#error $: $1
R<$+> $*		$#error $: $1		error from access db

######################################################################
###  check_rcpt -- check SMTP `RCPT TO:' command argument
######################################################################

SLocal_check_rcpt
Scheck_rcpt
R$*			$: $1 $| $>"Local_check_rcpt" $1
R$* $| $#$*		$#$2
R$* $| $*		$@ $>"Basic_check_rcpt" $1

SBasic_check_rcpt
# check for deferred delivery mode
R$*			$: < ${deliveryMode} > $1
R< d > $*		$@ deferred
R< $* > $*		$: $2


R$*			$: $>ParseRecipient $1		strip relayable 
hosts



# blacklist local users or any host from receiving mail
R$*			$: <?> $1
R<?> $+ < @ $=w >	$: <> <$1 < @ $2 >> $| <F:$1@$2> <U:$1@> <H:$2>
R<?> $+ < @ $* >	$: <> <$1 < @ $2 >> $| <F:$1@$2> <H:$2>
R<?> $+			$: <> <$1> $| <U:$1@>
R<> <$*> $| <$+>	$: <@> <$1> $| $>SearchList <+To> $| <$2> <>
R<@> <$*> $| <$*>	$: <$2> <$1>		reverse result
R<?> <$*>		$: @ $1		mark address as no match
R<$={Accept}> <$*>	$: @ $2		mark address as no match

R<REJECT> $*		$#error $@ 5.2.1 $: "550 Mailbox disabled for this 
recipient"
R<DISCARD> $*		$#discard $: discard
R<ERROR:$-.$-.$-:$+> $*		$#error $@ $1.$2.$3 $: $4
R<ERROR:$+> $*		$#error $: $1
R<$+> $*		$#error $: $1		error from access db
R@ $*			$1		remove mark


# authenticated?
R$*		$: $1 $| $>RelayAuth $1 $| $&{verify}	client 
authenticated?
R$* $| $# $+		$# $2				error/ok?
R$* $| $*		$: $1				no

# authenticated by a trusted mechanism?
R$*			$: $1 $| $&{auth_type}
R$* $|			$: $1
R$* $| $={TrustAuthMech}	$# RELAYAUTH
R$* $| $*		$: $1
# anything terminating locally is ok
R$+ < @ $=w >		$@ RELAYTO
R$+ < @ $* $=R >	$@ RELAYTO
R$+ < @ $+ >		$: $>LookUpDomain <$2> <?> <$1 < @ $2 >> <+To>
R<RELAY> $*		$@ RELAYTO
R<$*> <$*>		$: $2



# check for local user (i.e. unqualified address)
R$*			$: <?> $1
R<?> $* < @ $+ >	$: <REMOTE> $1 < @ $2 >
# local user is ok
R<?> $+			$@ RELAYTOLOCAL
R<$+> $*		$: $2

# anything originating locally is ok
# check IP address
R$*			$: $&{client_addr}
R$@			$@ RELAYFROM		originated locally
R0			$@ RELAYFROM		originated locally
R$=R $*			$@ RELAYFROM		relayable IP address
R$*			$: $>LookUpAddress <$1> <?> <$1> <+Connect>
R<RELAY> $* 		$@ RELAYFROM		relayable IP address
R<$*> <$*>		$: $2
R$*			$: [ $1 ]		put brackets around it...
R$=w			$@ RELAYFROM		... and see if it is local


# check client name: first: did it resolve?
R$*			$: < $&{client_resolve} >
R<TEMP>			$#error $@ 4.7.1 $: "450 Relaying temporarily 
denied. Cannot resolve PTR record for " $&{client_addr}
R<FORGED>		$#error $@ 5.7.1 $: "550 Relaying denied. IP name 
possibly forged " $&{client_name}
R<FAIL>			$#error $@ 5.7.1 $: "550 Relaying denied. IP name 
lookup failed " $&{client_name}
R$*			$: <?> $&{client_name}
# pass to name server to make hostname canonical
R<?> $* $~P 		$:<?>  $[ $1 $2 $]
R$* .			$1			strip trailing dots
R<?>			$@ RELAYFROM
R<?> $=w		$@ RELAYFROM
R<?> $* $=R			$@ RELAYFROM
R<?> $*			$: $>LookUpDomain <$1> <?> <$1> <+Connect>
R<RELAY> $*		$@ RELAYFROM
R<$*> <$*>		$: $2

# anything else is bogus
R$*			$#error $@ 5.7.1 $: "550 Relaying denied"

######################################################################
###  SearchList: search a list of items in the access map
###	Parameters:
###		<exact tag> $| <mark:address> <mark:address> ... <>
###	where "exact" is either "+" or "!":
###	<+ TAG>	lookup with and w/o tag
###	<! TAG>	lookup with tag
###	possible values for "mark" are:
###		H: recursive host lookup (LookUpDomain)
###		E: exact lookup, no modifications
###		F: full lookup, try user+ext at domain and user at domain
###		U: user lookup, try user+ext and user (input must have 
trailing @)
###	return: <RHS of lookup> or <?> (not found)
######################################################################

# class with valid marks for SearchList
C{src}E F H U
SSearchList
# mark H: lookup domain
R<$+> $| <H:$+> <$*>		$: <$1> $| <@> $>LookUpDomain <$2> <?> 
<$3> <$1>
R<$+> $| <@> <$+> <$*>		$: <$1> $| <$2> <$3>
R<$- $-> $| <$={src}:$+> <$*>	$: <$1 $2> $| <$(access $2:$4 $: $3:$4 $)> 
<$5>
R<+ $-> $| <$={src}:$+> <$*>	$: <+ $1> $| <$(access $3 $: $2:$3 $)> <$4>
R<$- $-> $| <F:$* + $*@$+> <$*>	$: <$1 $2> $| <$(access $2:$3@$5 $: F:$3 + 
$4@$5$)> <$6>
R<+ $-> $| <F:$* + $*@$+> <$*>	$: <+ $1> $| <$(access $2@$4 $: F:$2 + 
$3@$4$)> <$5>
R<$- $-> $| <U:$* + $*> <$*>	$: <$1 $2> $| <$(access $2:$3@ $: U:$3 + 
$4$)> <$5>
R<+ $-> $| <U:$* + $*> <$*>	$: <+ $1> $| <$(access $2@ $: U:$2 + $3$)> 
<$4>
R<$+> $| <$={src}:$+> <$+>	$@ $>SearchList <$1> $| <$4>
R<$+> $| <$={src}:$+> <>	$@ <?>
R<$+> $| <$+> <$*>		$@ <$2>
R<$+> $| <$+>			$@ <$2>

# is user trusted to authenticate as someone else?
Strust_auth
R$*			$: $&{auth_type} $| $1
# required by RFC 2554 section 4.
R$@ $| $*		$#error $@ 5.7.1 $: "550 not authenticated"
R$* $| $&{auth_authen}		$@ identical
R$* $| <$&{auth_authen}>	$@ identical
R$* $| $*		$: $1 $| $>"Local_trust_auth" $1
R$* $| $#$*		$#$2
R$*			$#error $@ 5.7.1 $: "550 " $&{auth_authen} " not 
allowed to act as " $&{auth_author}

SLocal_trust_auth


# is connection with client "good" enough? (done in server)
# input: ${verify} $| (MAIL|STARTTLS)
Stls_client
R$* $| $*	$: $1 $| $>LookUpDomain <$&{client_name}> <?> <> <! 
TLS_Clt>
R$* $| <?>$*	$: $1 $| $>LookUpAddress <$&{client_addr}> <?> <> <! 
TLS_Clt>
R$* $| <?>$*	$: $1 $| <$(access TLS_Clt: $: ? $)>
R$*		$@ $>"tls_connection" $1

# is connection with server "good" enough? (done in client)
# input: ${verify}
Stls_server
R$*		$: $1 $| $>LookUpDomain <$&{server_name}> <?> <> <! 
TLS_Srv>
R$* $| <?>$*	$: $1 $| $>LookUpAddress <$&{server_addr}> <?> <> <! 
TLS_Srv>
R$* $| <?>$*	$: $1 $| <$(access TLS_Srv: $: ? $)>
R$*		$@ $>"tls_connection" $1

Stls_connection
R$* $| <$*>$*			$: $1 $| <$2>
R$* $| <PERM + $={tls} $*>	$: $1 $| <503:5.7.0> <$2 $3>
R$* $| <TEMP + $={tls} $*>	$: $1 $| <403:4.7.0> <$2 $3>
R$* $| <$={tls} $*>		$: $1 $| <403:4.7.0> <$2 $3>
RSOFTWARE $| <$-:$+> $* 	$#error $@ $2 $: $1 " TLS handshake 
failed."
RSOFTWARE $| $* 		$#error $@ 4.7.0 $: "403 TLS handshake 
failed."
R$* $| <$*> <VERIFY>		$: <$2> <VERIFY> $1
R$* $| <$*> <$={tls}:$->$*	$: <$2> <$3:$4> $1
R$* $| $*			$@ OK
# authentication required: give appropriate error
# other side did authenticate (via STARTTLS)
R<$*><VERIFY> OK		$@ OK
R<$*><VERIFY:$-> OK		$: <$1> <REQ:$2>
R<$*><ENCR:$-> $*		$: <$1> <REQ:$2>
R<$-:$+><VERIFY $*>		$#error $@ $2 $: $1 " authentication 
required"
R<$-:$+><VERIFY $*> FAIL	$#error $@ $2 $: $1 " authentication 
failed"
R<$-:$+><VERIFY $*> NO		$#error $@ $2 $: $1 " not authenticated"
R<$-:$+><VERIFY $*> NONE	$#error $@ $2 $: $1 " other side does not 
support STARTTLS"
R<$-:$+><VERIFY $*> $+		$#error $@ $2 $: $1 " authentication 
failure " $4
R<$*><REQ:$->			$: <$1> <REQ:$2> $>max $&{cipher_bits} : 
$&{auth_ssf}
R<$*><REQ:$-> $-		$: <$1> <$2:$3> $(arith l $@ $3 $@ $2 $)
R<$-:$+><$-:$-> TRUE		$#error $@ $2 $: $1 " encryption too weak 
" $4 " less than " $3

Smax
R:		$: 0
R:$-		$: $1
R$-:		$: $1
R$-:$-		$: $(arith l $@ $1 $@ $2 $) : $1 : $2
RTRUE:$-:$-	$: $2
R$-:$-:$-	$: $2

SRelayAuth
# authenticated?
R$* $| OK		$: $1
R$* $| $*		$@ NO		not authenticated
R$*			$: $1 $| $&{cert_issuer}
R$* $| $+		$: $1 $| $(access CERTISSUER:$2 $)
R$* $| RELAY		$# RELAYCERTISSUER
R$* $| SUBJECT		$: $1 $| <@> $&{cert_subject}
R$* $| <@> $+		$: $1 $| <@> $(access CERTSUBJECT:$2 $)
R$* $| <@> RELAY	$# RELAYCERTSUBJECT
R$* $| $*		$: $1


#
######################################################################
######################################################################
#####
#####			MAILER DEFINITIONS
#####
######################################################################
######################################################################

#####################################
###   SMTP Mailer specification   ###
#####################################

#####  $Id: smtp.m4,v 8.56.2.1.2.3 2000/09/25 13:53:27 ca Exp $  #####

#
#  common sender and masquerading recipient rewriting
#
SMasqSMTP=61
R$* < @ $* > $*		$@ $1 < @ $2 > $3		already fully 
qualified
R$+			$@ $1 < @ *LOCAL* >		add local 
qualification

#
#  convert pseudo-domain addresses to real domain addresses
#
SPseudoToReal=51

# pass <route-addr>s through
R< @ $+ > $*		$@ < @ $1 > $2			resolve 
<route-addr>

# output fake domains as user%fake at relay

# do UUCP heuristics; note that these are shared with UUCP mailers
R$+ < @ $+ .UUCP. >	$: < $2 ! > $1			convert to UUCP 
form
R$+ < @ $* > $*		$@ $1 < @ $2 > $3		not UUCP form

# leave these in .UUCP form to avoid further tampering
R< $&h ! > $- ! $+	$@ $2 < @ $1 .UUCP. >
R< $&h ! > $-.$+ ! $+	$@ $3 < @ $1.$2 >
R< $&h ! > $+		$@ $1 < @ $&h .UUCP. >
R< $+ ! > $+		$: $1 ! $2 < @ $Y >		use UUCP_RELAY
R$+ < @ $+ : $+ >	$@ $1 < @ $3 >			strip mailer: part
R$+ < @ >		$: $1 < @ *LOCAL* >		if no UUCP_RELAY


#
#  envelope sender rewriting
#
SEnvFromSMTP=11
R$+			$: $>PseudoToReal $1		sender/recipient 
common
R$* :; <@>		$@				list:; special case
R$*			$: $>MasqSMTP $1		qualify unqual'ed 
names
R$+			$: $>MasqEnv $1			do masquerading


#
#  envelope recipient rewriting --
#  also header recipient if not masquerading recipients
#
SEnvToSMTP=21
R$+			$: $>PseudoToReal $1		sender/recipient 
common
R$+			$: $>MasqSMTP $1		qualify unqual'ed 
names
R$* < @ *LOCAL* > $*	$: $1 < @ $j . > $2

#
#  header sender and masquerading header recipient rewriting
#
SHdrFromSMTP=31
R$+			$: $>PseudoToReal $1		sender/recipient 
common
R:; <@>			$@				list:; special case

# do special header rewriting
R$* <@> $*		$@ $1 <@> $2			pass null host 
through
R< @ $* > $*		$@ < @ $1 > $2			pass route-addr 
through
R$*			$: $>MasqSMTP $1		qualify unqual'ed 
names
R$+			$: $>MasqHdr $1			do masquerading


#
#  relay mailer header masquerading recipient rewriting
#
SMasqRelay=71
R$+			$: $>MasqSMTP $1
R$+			$: $>MasqHdr $1

Msmtp,		P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, 
E=\r\n, L=990,
		T=DNS/RFC822/SMTP,
		A=TCP $h
Mesmtp,		P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, 
R=EnvToSMTP, E=\r\n, L=990,
		T=DNS/RFC822/SMTP,
		A=TCP $h
Msmtp8,		P=[IPC], F=mDFMuX8, S=EnvFromSMTP/HdrFromSMTP, 
R=EnvToSMTP, E=\r\n, L=990,
		T=DNS/RFC822/SMTP,
		A=TCP $h
Mdsmtp,		P=[IPC], F=mDFMuXa%, S=EnvFromSMTP/HdrFromSMTP, 
R=EnvToSMTP, E=\r\n, L=990,
		T=DNS/RFC822/SMTP,
		A=TCP $h
Mrelay,		P=[IPC], F=mDFMuXa8, S=EnvFromSMTP/HdrFromSMTP, 
R=MasqSMTP, E=\r\n, L=2040,
		T=DNS/RFC822/SMTP,
		A=TCP $h


######################*****##############
###   PROCMAIL Mailer specification   ###
##################*****##################

#####  $Id: procmail.m4,v 8.20 1999/10/18 04:57:54 gshapiro Exp $  #####

#Mprocmail,	P=/usr/bin/procmail, F=DFMSPhnu9, 
S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP/HdrFromSMTP,
#		T=DNS/RFC822/X-Unix,
#		A=procmail -Yf- -m $h $f $u

Mprocmail,	P=/usr/bin/procmail, F=DFMmShun, S=11/31, R=21/31, 
T=DNS/RFC822/X-Unix,
		A=procmail -m $h $g $u


##################################################
###   Local and Program Mailer specification   ###
##################################################

#####  $Id: local.m4,v 8.50.16.2 2000/09/17 17:04:22 gshapiro Exp $  #####

#
#  Envelope sender rewriting
#
SEnvFromL=10
R<@>			$n			errors to mailer-daemon
R@ <@ $*>		$n			temporarily bypass Sun 
bogosity
R$+			$: $>AddDomain $1	add local domain if needed
R$*			$: $>MasqEnv $1		do masquerading

#
#  Envelope recipient rewriting
#
SEnvToL=20
R$+ < @ $* >		$: $1			strip host part

#
#  Header sender rewriting
#
SHdrFromL=30
R<@>			$n			errors to mailer-daemon
R@ <@ $*>		$n			temporarily bypass Sun 
bogosity
R$+			$: $>AddDomain $1	add local domain if needed
R$*			$: $>MasqHdr $1		do masquerading

#
#  Header recipient rewriting
#
SHdrToL=40
R$+			$: $>AddDomain $1	add local domain if needed
R$* < @ *LOCAL* > $*	$: $1 < @ $j . > $2

#
#  Common code to add local domain name (only if always-add-domain)
#
SAddDomain=50
R$* < @ $* > $* 	$@ $1 < @ $2 > $3	already fully qualified
R$+			$@ $1 < @ *LOCAL* >	add local qualification

#Mlocal,         P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, 
S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
#                T=DNS/RFC822/X-Unix,
#                A=procmail -Yf- -a $h -d $u

Mlocal,		P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=10/30, 
R=20/40,
		T=DNS/RFC822/X-Unix,
		A=procmail -Y -a $h -d $u

Mprog,		P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, 
R=EnvToL/HdrToL, D=$z:/,
		T=X-Unix/X-Unix/X-Unix,
		A=smrsh -c $u

O MaxMessageSize=40000000
O MatchGECOS=False



More information about the esd-l mailing list