Sendmail Installation and Operation Guide
SMM:08-43
5.1.4.8. check_expn
The check_expn ruleset is passed the user name parameter of the SMTP EXPN command. It can accept or reject the address.
5.1.4.9. check_vrfy
The check_vrfy ruleset is passed the user name parameter of the SMTP VRFY command. It can accept or reject the command.
5.1.4.10. trust_auth
The trust_auth ruleset is passed the AUTH= parameter of the SMTP MAIL command. It is used to determine whether this value should be trusted. In order to make this decision, the ruleset may make use of the various ${auth_*} macros. If the ruleset does resolve to the "error" mailer, the AUTH= parameter is not trusted and hence not passed on to the next relay.
5.1.4.11. tls_client
The tls_client ruleset is called when sendmail acts as server, after a STARTTLS command has been issued, and from check_mail. The parameter is the value of ${verify}, followed by STARTTLS or MAIL respectively, so the ruleset can tell which of the two invoked it. If the ruleset does resolve to the "error" mailer, the appropriate error code is returned to the client.
5.1.4.12. tls_server
The tls_server ruleset is called when sendmail acts as client, after a STARTTLS command has been issued, or should have been (the ruleset runs whether or not STARTTLS actually took place, so it can refuse to deliver to a server that did not offer it). The parameter is the value of ${verify}. If the ruleset does resolve to the "error" mailer, the connection is aborted (treated as non-deliverable with a permanent or temporary error).
5.1.4.13. tls_rcpt
The tls_rcpt ruleset is called each time before a RCPT TO command is sent. The parameter is the current recipient. If the ruleset does resolve to the "error" mailer, the RCPT TO command is suppressed (treated as non-deliverable with a permanent or temporary error). This ruleset makes it possible to require encryption or verification of the recipient's MTA even if the mail is somehow redirected to another host. For example, mail to luke@endmail.org may get redirected to a host named death.star, in which case a tls_server rule keyed on the expected host name would not apply. By introducing per-recipient restrictions, such redirection attacks (e.g., via DNS spoofing) can be prevented. See cf/README for how this ruleset can be used.
5.1.4.14. srv_features
The srv_features ruleset is called with the connecting client's host name when a client connects to sendmail. This ruleset should return $# followed by a list of options (single characters delimited by white space). If the return value starts with anything else it is silently ignored. Generally, an upper case character turns a feature off while the corresponding lower case character turns it on. Option `S' causes the server not to offer STARTTLS, which is useful for interacting with MTAs/MUAs that have broken STARTTLS implementations by simply not offering it. `V' turns off the request for a client certificate during the TLS handshake. Options `A' and `P' suppress SMTP AUTH and PIPELINING, respectively. `c' is the equivalent of AuthOptions=p, i.e., it does not permit mechanisms susceptible to simple passive attack (e.g., PLAIN, LOGIN) unless a security layer is active. Option `l' requires SMTP AUTH for the connection. Options `B', `D', `E', and `X' suppress SMTP VERB, DSN, ETRN, and EXPN, respectively.
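The following access map fragment is an added example, not text from this guide or a file from the sendmail distribution. It shows how the tls_client, tls_server, tls_rcpt and srv_features rulesets described in 5.1.4.11 through 5.1.4.14 are driven from the access database when the .mc file contains FEATURE(`access_db'): the default rulesets look up the TLS_Clt:, TLS_Srv:, TLS_Rcpt: and Srv_Features: tags documented in cf/README. The host names, addresses, recipient addresses and key sizes are placeholders.

```text
# /etc/mail/access (added example; placeholders throughout)
# Rebuild the map after editing:
#   makemap hash /etc/mail/access < /etc/mail/access
#
# Right-hand sides for the TLS_* tags (see cf/README):
#   ENCR:bits    require an encrypted session with at least <bits> bits
#   VERIFY       require a successfully verified peer certificate
#   VERIFY:bits  both of the above
# A TEMP+ or PERM+ prefix selects a temporary (the default) or a
# permanent error when the requirement is not met.

# tls_rcpt (5.1.4.13): enforced per recipient before each RCPT TO,
# so it still holds if the mail is redirected to an unexpected host.
TLS_Rcpt:luke@endmail.org          VERIFY:128
TLS_Rcpt:endmail.org               ENCR:128
TLS_Rcpt:payroll@endmail.org       PERM+VERIFY:128

# tls_server (5.1.4.12): sendmail as client, keyed by the server host.
TLS_Srv:mx.partner.example         ENCR:128

# tls_client (5.1.4.11): sendmail as server, keyed by the client host.
TLS_Clt:laptop.example.com         PERM+VERIFY:128

# srv_features (5.1.4.14): the right-hand side is the option list; the
# ruleset supplies the leading $#. Upper case turns a feature off.
# Do not offer STARTTLS to one host with a broken implementation:
Srv_Features:broken-tls.example.net    S
# Hide AUTH and PIPELINING from an untrusted network (the access_db
# version of the ruleset also tries the client IP address as key):
Srv_Features:10.20.30                  A P
# Require AUTH and refuse plaintext mechanisms without a security layer:
Srv_Features:192.0.2                   l c
```

Two points worth keeping in mind when writing such entries. The TLS_Rcpt: rule is the one that survives redirection: if DNS for endmail.org is spoofed so that delivery goes to death.star, the TLS_Srv: entry for the expected host never matches, but the recipient-keyed requirement is still checked before RCPT TO. And because srv_features is keyed by the connecting client's host name, which comes from the client's own reverse DNS, options that weaken security (`S' and `V' in particular) should be attached to specific hosts rather than broad name patterns.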