UNIX System Administration Handbook - Evi Nemeth [350]
Master machine at sendmail.com
The master machine at sendmail.com may be one of the most attacked sendmail installations around. It must deal with spam as best it can, stand up to all the twisty mailer attacks that people come up with, and protect the machines behind it. Here is its configuration file:
divert(-1)
##### smi-master, katroo.mc, version 8.9.3
divert(0)
VERSIONID(`@(#)katroo.mc 2.1 (sendmail) 10/19/98')
OSTYPE(`solaris2')
DOMAIN(`generic')
MASQUERADE_AS(`sendmail.com')
MASQUERADE_DOMAIN(`sendmail.com')
undefine(`BITNET_RELAY')
undefine(`UUCP_RELAY')
define(`confCHECK_ALIASES', `True')
define(`confCOPY_ERRORS_TO', `Postmaster')
define(`confEBINDIR', `/usr/lib')
define(`confERROR_MODE', `m')
define(`confHOST_STATUS_DIRECTORY', `.hoststat')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')
define(`confTRUSTED_USERS', `majordomo')
define(`confMAX_DAEMON_CHILDREN', `30')
FEATURE(`allmasquerade')
FEATURE(`masquerade_entire_domain')
FEATURE(`masquerade_envelope')
FEATURE(`always_add_domain')
FEATURE(`local_lmtp')
define(`LOCAL_MAILER_FLAGS', `SXfmnz9PE')
FEATURE(`mailertable', `hash /etc/mail/mailertable')
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')
MAILER(`local')
MAILER(`smtp')
LOCAL_CONFIG
###### Regular expression to reject:
#   * numeric-only localparts from aol.com and msn.com
#   * localparts starting with a digit from juno.com
Kcheckaddress regex -a@MATCH
	^([0-9]+<@(aol|msn)\.com|[0-9][^<]*<@juno\.com)\.?>
###### Names that won't be allowed in a To: line
C{RejectToLocalparts} friend you
C{RejectToDomains} public.com
LOCAL_RULESETS
HTo: $>CheckTo
SCheckTo
R$={RejectToLocalparts}@$*	$#error $: "553 Header error"
R$*@$={RejectToDomains}		$#error $: "553 Header error"
HMessage-Id: $>CheckMessageId
SCheckMessageId
R< $+ @ $+ >	$@ OK
R$*		$#error $: "553 Header error"
LOCAL_RULESETS
SLocal_check_mail
# check address against various regex checks
R$*	$: $>Parse0 $>3 $1
R$+	$: $(checkaddress $1 $)
R@MATCH	$#error $: "553 Header error"
The LOCAL_CONFIG and LOCAL_RULESETS sections at the end of the config file do sender and header checking aimed at known spammers and at the malformed headers that junk and virus-carrying mail typically have. We have left this section in, without describing it in detail, for those of you who grew up on the raw config file and can easily read it and adapt it to your own site.
Clients have no spam control in their config files because all mail coming into the site comes through the mail hub and the spam is winnowed there. That arrangement protects the clients only as long as the hub is the sole way in; a client that also accepts SMTP connections directly from the Internet bypasses the hub's checks. Some of the features and other constructs in this example are not covered in our configuration section, but you can find documentation on them in the cf/README file.
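To make the rulesets above concrete, here is a Python model of the three checks they perform. It is an added example, not code from the book or from sendmail. The canonify() helper approximates what rulesets 3 and Parse0 do to an address (focusing the domain as <@domain.>), which is the form the checkaddress regex is written against; the class and header matching is approximated with regular expressions rather than sendmail's token-based matching, and no case folding is done. All sample addresses and headers are constructed for the demonstration.

```python
"""Python model of the katroo.mc anti-spam rulesets.

Added example, not sendmail code and not from the book: it re-implements
the regex sender check, the To: class checks and the Message-Id format
check so they can be exercised against constructed input without a
sendmail build.  Canonification and class matching are approximations.
"""
import re

# The checkaddress map is consulted with the address after rulesets 3 and
# Parse0 have run, i.e. in the form  local<@domain.>  with the domain
# "focused" in angle brackets and given a trailing dot.  That is why the
# regex in katroo.mc contains '<@' and ends in '\.?>'.
CHECKADDRESS = re.compile(r"^([0-9]+<@(aol|msn)\.com|[0-9][^<]*<@juno\.com)\.?>")

REJECT_TO_LOCALPARTS = {"friend", "you"}   # C{RejectToLocalparts}
REJECT_TO_DOMAINS = {"public.com"}         # C{RejectToDomains}
HEADER_ERROR = "553 Header error"          # what every failing rule returns


def canonify(addr):
    """Approximate the ruleset 3 / Parse0 output for a user@host address."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return addr                      # purely local address, no focus
    local, domain = addr.rsplit("@", 1)
    domain = domain.rstrip(".")
    return f"{local}<@{domain}.>"        # no case folding in this model


def local_check_mail(sender):
    """SLocal_check_mail: reject the envelope sender if the map matches."""
    return HEADER_ERROR if CHECKADDRESS.search(canonify(sender)) else None


def check_to(header_value):
    """SCheckTo, applied to the raw To: header value."""
    value = header_value.strip()
    # R$={RejectToLocalparts}@$*   -- header begins with  <bad-local>@
    m = re.match(r"([^@\s<>]+)@", value)
    if m and m.group(1).lower() in REJECT_TO_LOCALPARTS:
        return HEADER_ERROR
    # R$*@$={RejectToDomains}      -- header ends with  @<bad-domain>
    m = re.search(r"@([^@\s<>]+)$", value)
    if m and m.group(1).lower().rstrip(".") in REJECT_TO_DOMAINS:
        return HEADER_ERROR
    return None


def check_message_id(header_value):
    """SCheckMessageId: only  <something@something>  is accepted."""
    if re.fullmatch(r"<[^<>]+@[^<>]+>", header_value.strip()):
        return None                      # R< $+ @ $+ >  $@ OK
    return HEADER_ERROR                  # R$*  $#error


def screen_message(sender, headers):
    """Run the sender check plus each header check whose header is present
    (sendmail only runs an H-line ruleset when that header exists)."""
    failures = {}
    if local_check_mail(sender):
        failures["Local_check_mail"] = HEADER_ERROR
    if "To" in headers and check_to(headers["To"]):
        failures["CheckTo"] = HEADER_ERROR
    if "Message-Id" in headers and check_message_id(headers["Message-Id"]):
        failures["CheckMessageId"] = HEADER_ERROR
    return failures


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    samples = [
        ("12345@aol.com",
         {"To": "you@example.org", "Message-Id": "<1@spam.example>"}),
        ("9lives@juno.com",
         {"To": "alice@example.org", "Message-Id": "no-brackets@x.example"}),
        ("bob@example.org",
         {"To": "alice@example.org", "Message-Id": "<a.b@mail.example.org>"}),
    ]
    for sender, headers in samples:
        print(sender, screen_message(sender, headers) or "accepted")
```

The instructive case is the trailing \.?> in the regex: it anchors the match to the whole focused domain, so 12345@aol.com is rejected while 12345@aol.com.example.com is not. Because the model ignores sendmail's tokenisation and case handling, use it to reason about what the rules reject; the real rulesets are exercised with sendmail's address test mode (sendmail -bt) against the generated sendmail.cf.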
The generic.m4 domain file referenced by katroo.mc is distributed with sendmail as an example and contains the following lines:
divert(-1)
######## generic.m4 from domain directory
divert(0)
VERSIONID(`$Id: generic.m4,v 8.15 1999/04/04 00:51:09 ca Exp $')
define(`confFORWARD_PATH', `$z/.forward.$w+$h:$z/.forward+$h:$z/.forward.$w:$z/.forward')
define(`confMAX_HEADERS_LENGTH', `32768')
FEATURE(`redirect')
FEATURE(`use_cw_file')
EXPOSED_USER(`root')
Another master/client example
XOR Inc. is a medium-sized company with a single master mail machine. Although XOR’s overall mail design is similar to that of sendmail.com, it’s implemented with slightly different configuration primitives.
Here is the client configuration:
divert(-1)
##### xor-client.mc, all clients to relay to xor.com
divert(0)
VERSIONID(`@(#)tcpproto.mc 8.5 (Berkeley) 3/23/96')
OSTYPE(`bsdi')
define(`confPRIVACY_FLAGS', `noexpn')
FEATURE(`nullclient', `xor.com')
This configuration is pretty minimal. Even local mail is forwarded to xor.com, the machine