Beginning with V8.8, sendmail calls special rule sets internally to determine its behavior. Called the policy rule sets, they are used for such varied tasks as setting spam-handling, setting policy, or validating the conditions when ETRN should be allowed, just to list a few. Table 19-2 shows the complete list of these policy rule sets. Note that we merely summarize them here, and that some are described in detail in other chapters. Those that we describe here are detailed in the following sections.
Rule set | § | Hook | Description |
---|---|---|---|
authinfo | Section 10.9.3.2 | none | Handle AuthInfo: lookups in the access database |
check_compat | Section 7.1.4 | see below | Validate just before delivery |
check_data | check_data | none needed | Check just after DATA |
check_eoh | Section 25.5.3 | none needed | Validate after headers are read |
check_etrn | check_etrn | none needed | Allow or disallow ETRN |
check_expn | check_vrfy and check_expn | none needed | Validate EXPN |
check_mail | Section 7.1.2 | Local_check_mail | Validate the envelope-sender address |
check_rcpt | Section 7.1.3 | Local_check_rcpt | Validate the envelope-recipient address |
check_relay | Section 7.1.1 | Local_check_relay | Validate incoming network connections |
check_vrfy | check_vrfy and check_expn | none needed | Validate VRFY |
queuegroup | Section 11.4.5 | see below | Select a queue group |
srv_features | srv_features | none needed | Tune server setting based on connection information |
tls_client | Section 10.10.8.2 | LOCAL_TLS_CLIENT | With the access database, validate inbound STARTTLS or MAIL FROM SMTP command |
tls_rcpt | Section 10.10.8.3 | LOCAL_TLS_RCPT | Validate a server's credentials based on the recipient address |
tls_server | Section 10.10.8.2 | LOCAL_TLS_SERVER | Possibly with the access database, validate the inbound and outbound connections |
trust_auth | Section 10.9.4 | Local_trust_auth | Validate that a client's authentication identifier (authid) is trusted to act as (proxy for) the requested authorization identity (userid). |
try_tls | Section 10.10.8.4 | LOCAL_TRY_TLS | Disable STARTTLS for selected outbound connected-to hosts |
Hname:$ | Section 25.5 | n/a | Reject, discard, or accept a message based on a header's value |

Note that some of these rule sets are omitted from your configuration file by default. For those, no hook is needed. You merely declare the rule set in your mc file and give it appropriate rules:

```
LOCAL_RULESETS
Scheck_vrfy
... your rules here
```

Those with a Local_ hook, as shown in the table, are declared by default in your configuration file. To use them yourself, you need only declare them with the Local_ hook indicated:

```
LOCAL_RULESETS
SLocal_check_rcpt
... your rules here
```

Those with a LOCAL_ hook, as shown in the table, are declared directly with that hook. There is no need to precede the hook with LOCAL_RULESETS. For example:

```
LOCAL_TRY_TLS
... your rules here
```

The two exceptions are the check_compat and queuegroup rule sets. Each is automatically declared when you use the corresponding check_compat or queuegroup feature, but not declared if you don't use that feature.
All of these rule sets are handled in the same manner. If the rule set does not exist, the action is permitted. If the rule set returns anything other than a #error or a #discard delivery agent, the message, identity, or action is accepted for that rule set (although it can still be rejected or discarded by another rule set). Otherwise, the #error delivery agent causes the message, identity, or action to be rejected (error), and the #discard delivery agent causes the message to be accepted, then discarded (discard).
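
The three outcomes described above, as an added mc-file example that is not from the original text: one rule set declared directly (check_vrfy) and one declared through its Local_ hook (Local_check_mail). The loopback test, the sender address, and the reply text are constructed for illustration.

```m4
# Added example, not from the original text. Addresses and reply text are
# constructed. The LHS and RHS of each R line must be separated by tabs.
LOCAL_RULESETS

# check_vrfy is not declared by default, so it is declared directly.
Scheck_vrfy
# Replace the workspace with the IP address of the connecting client.
R$*			$: $&{client_addr}
# Returning anything other than #error or #discard accepts the VRFY.
R127.0.0.1		$@ OK
# The #error delivery agent rejects the VRFY for every other client.
R$*			$#error $@ 5.7.1 $: "550 VRFY not permitted"

# check_mail is declared by default, so its Local_ hook is used instead.
SLocal_check_mail
# The #discard delivery agent accepts the message, then discards it.
R$* blocked @ example.invalid $*	$#discard $: discard
# Falling off the end returns neither #error nor #discard, so this rule
# set accepts the sender (another rule set can still reject or discard).
```

In rule-testing mode (`sendmail -bt`), define the macro with `.D{client_addr}` followed by an address, then run `check_vrfy` with any address to see which delivery agent is returned.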