|
If anything other than the characters shown in the table is returned, that bad character is silently ignored. The default setting for any character depends on the use of the character. For example, if noetrn is specified for the PrivacyOptions option (See this section), the default is the character E; otherwise, the default is the character e. Whereas if Modify=A is specified for the DaemonPortOptions option (See this section) for the daemon's listening port, the default is A; otherwise, it is a. In general, B, D, E, and X take their defaults from the various PrivacyOptions option settings, whereas L and R take their defaults from the various Modify= settings. But P defaults to p if sendmail was compiled with the PIPELINING build-time macro defined; otherwise, it defaults to P, which cannot be overridden. The srv_feature rule set is passed the connecting client's hostname in its workspace. Instead, you must base your policy decisions on the various sendmail macro values available. For example, the following rule allows EXPN if the connecting host is the local machine, and denies it otherwise: LOCAL_SRV_FEATURES
R $* $: $&{client_addr}
R 127.0.0.1 $# e
R $* $# E
A special character, the t, is used to force a temporary failure: LOCAL_SRV_FEATURES
R $* $: $&{client_addr}
R $- . $- . $- . $- $: $1.$2.$3
R 123.45.67 $# temp
Here, the connecting host's address is found in the $&{client_addr} macro. The second rule strips off the host part of a class-C address. The last rule then checks to see if that network address is that of the new network, the one that should have no valid hosts on it yet. If it is, the connection is deferred by returning $#t. Note that when the returned character is t, other letters can follow it, and they will be ignored. In addition to your rules, there are default rules present that can make your job easier. The default rules perform access database lookups for entries in that database that begin with the special prefix: Srv_Features: The connecting host's name, as taken from the $&{client_name} macro, is looked up first. The connecting host's address, as taken from the $&{client_addr} macro, is looked up second. If neither of those is found, the bare prefix is looked up. The earlier example, then, if implemented in the access database, would look like this: Srv_Features:127.0.0.1 e Srv_Features: E The character letters that are returned as values by the access database are the same as those returned by your own rules, as shown in the table. Multiple letters can be returned, where each must be separated from the others by a space: Srv_Features:127.0.0.1 e b The srv_feature access database decisions can be combined with access database decisions made by other rule sets to create more complex decisions. For example: Try_TLS:broken-host.domain NO Srv_Features:your.domain v Srv_Features: V Here, we use the Try_TLS: prefix (Section 10.10.8.4) to prevent sending the STARTTLS SMTP command to the host broken-host.domain. The second line (the first Srv_Features: prefix) tells sendmail (the v) to request a client certificate during the TLS handshake only for hosts in your.domain. The last line tells sendmail to not request a client certificate from any other hosts. Note that you can use the access database (Section 7.5) only if you enabled that database with the access_db feature in your mc configuration file.  |
|
|