Sendmail Installation and Operation Guide
4.11. Name Server Access
Control of host address lookups is set by the hosts service entry in your service switch file. If
you are on a system that has built-in service switch support (e.g., Ultrix, Solaris, or DEC OSF/1)
then your system is probably configured properly already. Otherwise, sendmail will consult the file
/etc/mail/service.switch, which should be created. Sendmail only uses two entries: hosts and
aliases, although system routines may use other services (notably the passwd service for user name
lookups by getpwnam).
However, some systems (such as SunOS 4.X) will do DNS lookups regardless of the setting
of the service switch entry. In particular, the system routine gethostbyname(3) is used to look up
host names, and many vendor versions try some combination of DNS, NIS, and file lookup in
/etc/hosts without consulting a service switch. Sendmail makes no attempt to work around this
problem, and the DNS lookup will be done anyway. If you do not have a nameserver configured at
all, such as at a UUCP-only site, sendmail will get a "connection refused" message when it tries to
connect to the name server. If the hosts switch entry has the service "dns" listed somewhere in the
list, sendmail will interpret this to mean a temporary failure and will queue the mail for later
processing; otherwise, it ignores the name server data.
The same technique is used to decide whether to do MX lookups. If you want MX support,
you must have "dns" listed as a service in the hosts switch entry.
The ResolverOptions (I) option allows you to tweak name server options. The command
line takes a series of flags as documented in resolver(3) (with the leading "RES_" deleted). Each
can be preceded by an optional `+' or `-'. For example, the line
    O ResolverOptions=+AAONLY -DNSRCH
turns on the AAONLY (accept authoritative answers only) and turns off the DNSRCH (search the
domain path) options. Most resolver libraries default DNSRCH, DEFNAMES, and RECURSE
flags on and all others off. If NETINET6 is enabled, most libraries default to USE_INET6 as well.
You can also include "HasWildcardMX" to specify that there is a wildcard MX record matching
your domain; this turns off MX matching when canonifying names, since such matching can lead to
inappropriate canonifications. Use "WorkAroundBrokenAAAA" when faced with a broken nameserver that
returns SERVFAIL (a temporary failure) on T_AAAA (IPv6) lookups during hostname canonification.
Notice: it might be necessary to apply the same (or similar) options to submit.cf too.
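
The following is an added example, not part of the original guide and not sendmail's own code: a small audit helper that reads a service switch file and a configuration file and reports the name server behaviour described above (MX lookups, handling of a refused name server connection, effective resolver flags). The one-service-per-line layout of service.switch, the function names and the sample contents are assumptions made for illustration.

```python
# Added audit helper (not sendmail's own parser). Assumed layouts: one
# service per line in service.switch ("hosts dns files"), and the
# "O ResolverOptions=..." line form shown above.
DEFAULT_ON = {"DNSRCH", "DEFNAMES", "RECURSE"}        # usual library defaults
KEYWORDS = {"HasWildcardMX", "WorkAroundBrokenAAAA"}  # sendmail-level, not RES_ flags

def parse_service_switch(text):
    """Map each service name to its ordered list of lookup methods."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            table[fields[0]] = fields[1:]
    return table

def parse_resolver_options(cf_text):
    """Apply +FLAG / -FLAG words to the defaults; collect the keywords."""
    flags, keywords = set(DEFAULT_ON), set()
    for line in cf_text.splitlines():
        if not line.startswith("O ResolverOptions="):
            continue
        for word in line.split("=", 1)[1].split():
            if word in KEYWORDS:
                keywords.add(word)
            elif word.startswith("-"):
                flags.discard(word[1:])
            else:
                flags.add(word.lstrip("+"))   # the '+' is optional
    return flags, keywords

def assess(switch_text, cf_text):
    """Summarise the name server behaviour the two files imply."""
    hosts = parse_service_switch(switch_text).get("hosts")
    if hosts is None:   # built-in defaults would apply; not modelled here
        raise ValueError("no hosts entry in service switch text")
    flags, keywords = parse_resolver_options(cf_text)
    uses_dns = "dns" in hosts
    return {
        "mx_lookups": uses_dns,
        # "connection refused" from the name server: queue, or ignore it
        "refused_nameserver": "queue for later" if uses_dns else "ignored",
        "resolver_flags": sorted(flags),
        "mx_matching_in_canonify": "HasWildcardMX" not in keywords,
        "aaaa_workaround": "WorkAroundBrokenAAAA" in keywords,
    }

# Constructed sample inputs, not taken from a real host.
SWITCH = "hosts   dns files\naliases files\n"
CF = "O ResolverOptions=+AAONLY -DNSRCH HasWildcardMX\n"
```

Running the same check against submit.cf shows whether the two configurations have drifted apart.
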
Version level 1 configurations (see the section about ``Configuration Version Level'') turn
DNSRCH and DEFNAMES off when doing delivery lookups, but leave them on everywhere else.
Version 8 of sendmail ignores them when doing canonification lookups (that is, when using
$[ ... $]), and always does the search. If you don't want to do automatic name extension, don't call
$[ ... $].
The search rules for $[ ... $] are somewhat different than usual. If the name being looked up
has at least one dot, it always tries the unmodified name first. If that fails, it tries the reduced search
path, and lastly tries the unmodified name (but only for names without a dot, since names with a dot
have already been tried). This allows names such as ``utc.CS'' to match the site in Czechoslovakia
rather than the site in your local Computer Science department. It also prefers A and CNAME
records over MX records -- that is, if it finds an MX record it makes note of it, but keeps looking.
This way, if you have a wildcard MX record matching your domain, it will not assume that all
names match.
To completely turn off all name server access on systems without service switch support
(such as SunOS 4.X) you will have to recompile with -DNAMED_BIND=0 and remove -lresolv
from the list of libraries to be searched when linking.