19.9 Policy Rule-Set Reference
Beginning with V8.8, sendmail calls special rule
sets internally to determine its behavior. Called the policy rule
sets, they are used for such varied tasks as setting spam-handling,
setting policy, or validating the conditions when ETRN should be
allowed, just to list a few. Table 19-2 shows the
complete list of these policy rule sets. Note that we merely
summarize them here, and that some are described in detail in other
chapters. Those that we describe here are detailed in the following
sections.
Table 19-2. The policy rule sets
| Rule set | Described in | Hook | Description |
|---|---|---|---|
| authinfo | Section 10.9.3.2 | none | Handle AuthInfo: lookups in the access database |
| check_compat | Section 7.1.4 | see below | Validate just before delivery |
| check_data | check_data | none needed | Check just after DATA |
| check_eoh | Section 25.5.3 | none needed | Validate after headers are read |
| check_etrn | check_etrn | none needed | Allow or disallow ETRN |
| check_expn | check_vrfy and check_expn | none needed | Validate EXPN |
| check_mail | Section 7.1.2 | Local_check_mail | Validate the envelope-sender address |
| check_rcpt | Section 7.1.3 | Local_check_rcpt | Validate the envelope-recipient address |
| check_relay | Section 7.1.1 | Local_check_relay | Validate incoming network connections |
| check_vrfy | check_vrfy and check_expn | none needed | Validate VRFY |
| queuegroup | Section 11.4.5 | see below | Select a queue group |
| srv_features | srv_features | none needed | Tune server setting based on connection information |
| tls_client | Section 10.10.8.2 | LOCAL_TLS_CLIENT | With the access database, validate inbound STARTTLS or MAIL FROM SMTP command |
| tls_rcpt | Section 10.10.8.3 | LOCAL_TLS_RCPT | Validate a server's credentials based on the recipient address |
| tls_server | Section 10.10.8.2 | LOCAL_TLS_SERVER | Possibly with the access database, validate the inbound and outbound connections |
| trust_auth | Section 10.9.4 | Local_trust_auth | Validate that a client's authentication identifier (authid) is trusted to act as (proxy for) the requested authorization identity (userid). |
| try_tls | Section 10.10.8.4 | LOCAL_TRY_TLS | Disable STARTTLS for selected outbound connected-to hosts |
| Hname:$> | Section 25.5 | n/a | Reject, discard, or accept a message based on a header's value |

Note that some of these rule sets are omitted from your configuration
file by default. For those, no hook is needed. You merely declare the
rule set in your mc file and give it appropriate
rules:

    LOCAL_RULESETS
    Scheck_vrfy
    ... your rules here

Those with a Local_ hook, as shown in the table,
are declared by default in your configuration file. To use them
yourself, you need only declare them with the
Local_ hook indicated:

    LOCAL_RULESETS
    SLocal_check_rcpt
    ... your rules here

Those with a LOCAL_ hook, as shown in the table, are declared
directly with that hook. There is no need to precede the hook with
LOCAL_RULESETS. For example:

    LOCAL_TRY_TLS
    ... your rules here

The two exceptions are the check_compat and
queuegroup rule sets. Each is automatically
declared when you use the corresponding
check_compat or queuegroup
feature, but not declared if you don't use that
feature.

All of these rule sets are handled in the same manner. If the rule
set does not exist, the action is permitted. If the rule set returns
anything other than a #error or a
#discard delivery agent, the message, identity, or
action is accepted for that rule set (although it can still be
rejected or discarded by another rule set). Otherwise, the
#error delivery agent causes the message,
identity, or action to be rejected (error),
and the #discard delivery agent causes the message
to be accepted, then discarded (discard).
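
The three outcomes described above, written as rules for an mc file. This is an added example, not taken from the book or the sendmail distribution; the client address, the sender address, the domain, and the reply texts are constructed for illustration.

```m4
LOCAL_RULESETS
# Added example. Hosts, addresses and reply texts are constructed.
# In each R line the LHS and RHS are separated by tab characters.

# No hook needed: the rule set is declared directly.
Scheck_vrfy
# Returning the error delivery agent rejects every VRFY request.
R$*		$#error $@ 5.7.1 $: "550 VRFY is not available here"

Scheck_etrn
# Replace the workspace with the address of the connecting client.
R$*		$: $&{client_addr}
# Any result other than error or discard means the action is accepted.
R127.0.0.1	$@ OK
# Every other client is rejected.
R$*		$#error $@ 5.7.1 $: "550 ETRN is not permitted from your host"

# Declared by default: rules are added through the Local_ hook.
SLocal_check_mail
# The envelope is accepted, then mail from this one sender is dropped.
R$* nobody @ bulk.example $*	$#discard $: discard
```

Each rule set can be exercised in rule-testing mode (sendmail -bt) before deployment; for check_etrn, set the macro first with .D{client_addr}127.0.0.1.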