Sendmail Ruleset Examples

Logging | EXPN & VRFY | Foreign Character Sets | Passing macros to MILTER

This page contains various example rulesets for the sendmail Mail Transport Agent (MTA).

These notes assume one is reasonably competent with Unix and sendmail. Unless noted otherwise, instructions are on data that should be placed in the sendmail.mc from which the sendmail.cf is built.

For more information on sendmail and rulesets, see the cf/README and doc/op/op.ps under the sendmail source for starters.

Logging

To log custom data to syslog from a sendmail ruleset, use the syslog database-map. For example, the following shows how to log the cert_issuer macro via a message subject ruleset, which can help when testing TLS relaying in sendmail.

LOCAL_CONFIG
Ksyslog syslog

LOCAL_RULESETS
HSubject: $>Log_Subject

SLog_Subject
R$* $: $(syslog $&{cert_issuer} $)

EXPN & VRFY

Due to spammers and security reasons, disabling the EXPN and VRFY SMTP commands by default is recommended to prevent theft of account information. However, these commands are useful for internal and trusted users, and can be enabled for certain hosts, authenticated users, or clients with a verified TLS certificate.

LOCAL_CONFIG
dnl list of hosts trusted to do EXPN/VRFY
F{trusty}/etc/mail/trusted-domains

LOCAL_RULESETS
Scheck_expn
R$* $@ $>check_expn_and_vrfy $1

Scheck_vrfy
R$* $@ $>check_expn_and_vrfy $1

Scheck_expn_and_vrfy
R$* $: < $&{client_name} >
R< $={trusty} > $@ OK
R< $+ $={trusty} > $@ OK
R$* $: $&{auth_type}
R$={TrustAuthMech} $@ OK
R$* $: <$&{verify}> $1
R<OK> $@ OK
R$* $#error $@ 5.7.1 $: 550 EXPN and VRFY not available for?
$&{client_name}

Foreign Character Sets

Indiscriminate spammers often will send unreadable messages. I, for instance, cannot read Korean, nor do I like HTML mail. The following shows how to block HTML mail written using a Korean character set. Clever spammers will be able to bypass this in MIME by placing the HTML content in a MIME part whose information does not appear in the message header.

LOCAL_CONFIG
Kbadcharsets regex -m text/html[; ]*charset="?(ks_c_5601-1987|iso-2022-kr|euc-kr)

LOCAL_RULESETS
HContent-Type: $>Block_charset

SBlock_charset
R$* $: $(badcharsets $1 $: <OK> $) # Using a regex
R<OK> $@ OK
R$+ $#error $: 561 HTML charset specified not supported

Sendmail will need to be compiled with MAP_REGEX support for the above to work.

$ sendmail -d0 </dev/null | grep -i regex
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7

Passing macros to MILTER

Custom macro values may be set in sendmail rulesets in response to various checks, and that information passed to MILTER agents. Applications of this method include aborting MILTER processing early for trusted hosts, or to alter the behavior of the agent based on the ruleset outcome.

For an example of this technique, see passing macros to MIMEDefang, which covers setting up sendmail and MIMEDefang to pass a custom macro, and rulesets and perl code to set or act on the macro value.