divert(-1)
#
# Sendmail configuration file for lists.openbsd.org
#
# This config handles incoming mail for openbsd.{org,com,net}
# Mailing list fanout is handled by a separate exploder running on
# port 24 that is fed by mj2 (see openbsd-bulk.mc).
#

divert(0)dnl
dnl NOTE(review): text after "dnl" is thrown away unread, so it is the safe
dnl place for free-form notes.  The "#" comments in the cf-style section at
dnl the bottom are presumably still scanned by m4 (cf.m4 is not visible
dnl here), so keep m4 macro names and backquotes out of them.
OSTYPE(openbsd)dnl
dnl
dnl Advertise ourselves as ``openbsd.org''
dnl The greeting names neither the MTA nor its version; $d is the date.
define(`confSMTP_LOGIN_MSG', `openbsd.org spamd IP-based SPAM blocker; $d')dnl
dnl
dnl Override some default values
dnl Privacy flags, in order:
dnl   authwarnings  add X-Authentication-Warning: headers
dnl   needmailhelo  insist on HELO/EHLO before MAIL
dnl   noexpn,novrfy refuse EXPN and VRFY (no address/list enumeration)
dnl   noetrn        refuse ETRN (remote queue runs)
dnl   noverb        refuse VERB
dnl   nobodyreturn  never return the message body in a bounce
define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy,noetrn,noverb,nobodyreturn')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confMAX_HOP', `30')dnl
dnl Load-average limits: queue only (no immediate delivery) at 6,
dnl refuse new SMTP connections at 20.
define(`confQUEUE_LA', `6')dnl
define(`confREFUSE_LA', `20')dnl
dnl
dnl Disable ident queries
define(`confTO_IDENT', `0')dnl
dnl
dnl Some broken nameservers will return SERVFAIL (a temporary failure)
dnl on T_AAAA (IPv6) lookups.
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
dnl
dnl Do not send postmaster bounce failures
dnl With an empty address, double bounces are dropped rather than mailed to
dnl anyone, so the mail log is the only record of them.
define(`confDOUBLE_BOUNCE_ADDRESS', `')dnl
dnl
dnl Keep host status on disk between sendmail runs in the .hoststat dir
define(`confHOST_STATUS_DIRECTORY', `/var/spool/mqueue/.hoststat')dnl
define(`confTO_HOSTSTATUS', `30m')dnl
dnl
dnl Just queue incoming messages, we have a queue runner for actual delivery
define(`confDELIVERY_MODE', `q')dnl
dnl
dnl Wait at least 27 minutes before trying to redeliver a message.
define(`confMIN_QUEUE_AGE', `27m')dnl
dnl
dnl Don't prioritize a message based on the number of recipients.
dnl This prevents retries from having higher priority than new batches.
define(`confWORK_RECIPIENT_FACTOR', `0')dnl
dnl
dnl Reduce ClassFactor
define(`confWORK_CLASS_FACTOR', `1000')dnl
dnl
dnl Simple queue group settings:
dnl	run at most 10 concurrent processes for initial submission
dnl	max of 3 queue runners.
define(`confMAX_QUEUE_CHILDREN', `10')dnl
define(`confMAX_RUNNERS_PER_QUEUE', `3')dnl
define(`confFAST_SPLIT', `10')dnl
QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue, R=3, F=f')dnl
dnl
dnl Always use fully qualified domains
FEATURE(always_add_domain)dnl
dnl
dnl Need to add domo and mj2 as "trusted users" to rewrite From lines
dnl Trusted users may set the envelope sender without an
dnl X-Authentication-Warning: header being added, so anything able to run
dnl as domo or mj2 can submit mail under an arbitrary sender unflagged.
dnl Keep this list to the list-manager accounts only.
define(`confTRUSTED_USERS', `domo mj2')dnl
dnl
dnl Wait a day before sending mail about deferred messages
define(`confTO_QUEUEWARN', `1d')dnl
dnl
dnl Wait 3 days before giving up and bouncing the message
define(`confTO_QUEUERETURN', `3d')dnl
dnl
dnl Shared memory key used to stash disk usage stats so they
dnl don't have to be checked by each sendmail process.
dnl NOTE(review): the key is a fixed number; whether the port 24 daemon is
dnl meant to share or avoid this segment is not visible here -- check
dnl openbsd-bulk.mc.
define(`confSHARED_MEMORY_KEY', `666666')dnl
dnl
dnl SSL certificate paths
dnl One certificate/key pair serves both the server (inbound) and client
dnl (outbound) roles, and the CA file is that same certificate.
dnl NOTE(review): mykey.pem should be readable by its owner only; sendmail
dnl is expected to refuse a key file with looser permissions.  With the CA
dnl file set to the host's own certificate, peer certificates presumably
dnl will not verify, i.e. TLS here is opportunistic encryption -- confirm
dnl that no access-map rule depends on a verified peer.
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
dnl
dnl List of hostnames we treat as local
FEATURE(use_cw_file)dnl
dnl
dnl Make mail appear to be from openbsd.org
MASQUERADE_AS(openbsd.org)dnl
FEATURE(masquerade_envelope)dnl
dnl
dnl Need this for OpenBSD mailing lists
FEATURE(stickyhost)dnl
FEATURE(virtusertable)dnl
dnl
dnl Spam blocking features
dnl The accept/reject/relay entries themselves live in the access map,
dnl which is not part of this file.
FEATURE(access_db)dnl
dnl
dnl Only allow up to 4 new connections per second
define(`confCONNECTION_RATE_THROTTLE', `4')dnl
dnl
dnl Start to throttle sender after receiving 3 unknown users
dnl (slows down address harvesting against the local user namespace)
define(`confBAD_RCPT_THROTTLE',`3')dnl
dnl
dnl Reject mail from senders who don't wait for us to say hello
dnl The pause is 700 milliseconds; a client that sends anything before the
dnl greeting appears is rejected.
FEATURE(`greet_pause', `700')dnl
dnl
dnl milter-regex
dnl Talks to the filter over a local socket; T= sets the timeouts for
dnl sending to (S) and reading from (R) the filter.
dnl NOTE(review): no F= flag is given, so when the socket is unreachable or
dnl a timeout fires sendmail carries on as if the filter were not
dnl configured and mail bypasses milter-regex (fail-open).  F=T (tempfail)
dnl or F=R (reject) would fail closed; pick deliberately and monitor the
dnl filter either way.
INPUT_MAIL_FILTER(`milter-regex', `S=local:/var/run/milter-regex/sock, T=S:30s;R:2m')dnl
dnl
dnl List the mailers we support
FEATURE(`no_default_msa')dnl
MAILER(local)dnl
MAILER(smtp)dnl
dnl
dnl We don't bother with the MSA sockets since they are not used here.
dnl Note that there is another sendmail daemon listening on port 24.
dnl Both address families bind the wildcard address; M=O marks the IPv6
dnl listener as optional.
DAEMON_OPTIONS(`Family=inet, address=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet6, address=::, Name=MTA6, M=O')dnl
CLIENT_OPTIONS(`Family=inet6, Address=::')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
dnl
dnl Finally, we have the local cf-style goo
LOCAL_CONFIG
#
# Regular expression to reject:
#   * numeric-only localparts from aol.com and msn.com
#   * localparts starting with a digit from juno.com
#   * localparts longer than 20 characters from aol.com
#
# The pattern is applied to the canonified envelope sender built in
# Local_check_mail further down, which is why it looks for <@ rather than
# a bare @.  A hit makes the map return @MATCH.
#
Kcheckaddress regex -a@MATCH ^([0-9]+<@(aol|msn)\.com|[0-9][^<]*<@juno\.com|.{20}[^<]+<@aol\.com)\.?>

#
# SirCam worm, see below
# A hit makes the map return SUSPECT.  The pattern carries no quotes or
# spaces because keys are dequoted and stripped of spaces before matching.
#
KSirCamWormMarker regex -f -aSUSPECT multipart/mixed;boundary=----.+_Outlook_Express_message_boundary

#
# Names that won't be allowed in a To: line (local-part and domains)
#
C{RejectToLocalparts}	friend you user 3Dobsdpaypal obsdpaypal
C{RejectToDomains}	public.com the-internet.com

LOCAL_RULESETS
#########################################################################
#
# w32.sircam.worm@mm
#
# There are several patterns that appear common ONLY to SirCam worm and
# not to Outlook Express, which claims to have sent the worm.  There are
# four headers that always appear together and in this order:
#
#  X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
#  X-Mailer: Microsoft Outlook Express 5.50.4133.2400
#  Content-Type: multipart/mixed; boundary="----27AA9124_Outlook_Express_message_boundary"
#  Content-Disposition: Multipart message
#
# Empirical study of the worm message headers vs. true Outlook Express
# (5.50.4133.2400 & 5.50.4522.1200) messages with multipart/mixed attachments
# shows Outlook Express does:
#
#  a) NOT supply a Content-Disposition header for multipart/mixed messages.
#  b) NOT specify the X-MimeOLE header name in all-caps
#  c) NOT specify boundary tag with the expression "_Outlook_Express_message_boundary"
#
# The solution below catches any one of these three issues.  This is not an ideal
# solution, but a temporary measure.  A correct solution would be to check for
# the presence of ALL three header attributes.  Also the solution is incomplete
# since Outlook Express 5.0 and 4.0 were not compared.
#
# NOTE regex keys are first dequoted and spaces removed before matching.
# This caused me no end of grief.
#
#########################################################################

#
# Header checks
# Each line hands the value of the named header to the ruleset after $>
#
HTo:			$>CheckTo
HMessage-Id:		$>CheckMessageId
HSubject:		$>Check_Subject
HContent-Type:		$>CheckContentType
HContent-Disposition:	$>CheckContentDisposition

#
# Beagle.k@mm worm detection (done in Check_Subject)
# See http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.k@mm.html?Open
#
D{BKPat1}E-mail account disabling warning.
D{BKPat2}E-mail account security warning.
D{BKPat3}Email account utilization warning.
D{BKPat4}Important notify about your e-mail account.
D{BKPat5}Notify about using the e-mail account.
D{BKPat6}Notify about your e-mail account utilization.
D{BKPat7}Warning about your e-mail account.

#
# Sobig.F worm detection (done in Check_Subject)
# See http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
#
D{SBJPat1}Re: Details
D{SBJPat2}Re: Approved
D{SBJPat3}Re: Re: My details
D{SBJPat4}Re: Thank You!
D{SBJPat5}Re: That Movie
D{SBJPat6}Re: Wicked screensaver
D{SBJPat7}Re: Your application
D{SBJPat8}Thank You!
D{SBJPat9}Your details

#
# W32/Badtrans worm detection (done in CheckContentType)
# See http://vil.nai.com/vil/virusSummary.asp?virus_k=99069
#
D{WPat1}boundary= \"====_ABC1234567890DEF_====\"
D{WPat2}boundary= \"====_ABC0987654321DEF_====\"
D{WMsg}This message may contain the W32/Badtrans@MM virus; see http://vil.nai.com/vil/virusSummary.asp?virus_k=99069

#
# Reject mail based on regexp above
# The envelope sender is canonified (ruleset 3, then Parse0), looked up in
# the checkaddress map, and refused with a 553 when the map answers @MATCH.
# NOTE(review): this check and the To: and Message-Id checks all answer with
# the same generic 553 text, so the reply alone does not show an operator
# which rule fired.
#
SLocal_check_mail
R$*				$: $>Parse0 $>3 $1
R$+				$: $(checkaddress $1 $)
R@MATCH				$#error $: "553 Header error"

#
# Reject some mail based on To: header
# NOTE(review): both patterns have to cover the whole header value, so
# presumably only a bare address matches - confirm whether a To: value with
# a display name or angle brackets is meant to be caught as well.
#
SCheckTo
R$={RejectToLocalparts}@$*	$#error $: "553 Header error"
R$*@$={RejectToDomains}		$#error $: "553 Header error"

#
# Enforce valid Message-Id to help stop spammers
# Anything that is not of the shape <something@something> is refused.
#
SCheckMessageId
R< $+ @ $+ >			$@ OK
R$*				$#error $: 553 Header Error

#
# Check Subject line for worm/virus telltales
# NOTE(review): the discard action drops the message silently - the sender
# gets no error and nothing is returned - so a legitimate message whose
# Subject consists of just one of these strings (for example "Thank You!")
# is lost without notice.  Confirm that these signatures are still worth
# that risk and that discards are visible in the mail log.
#
SCheck_Subject
R${SBJPat1}			$#discard $: discard
R${SBJPat2}			$#discard $: discard
R${SBJPat3}			$#discard $: discard
R${SBJPat4}			$#discard $: discard
R${SBJPat5}			$#discard $: discard
R${SBJPat6}			$#discard $: discard
R${SBJPat7}			$#discard $: discard
R${SBJPat8}			$#discard $: discard
R${SBJPat9}			$#discard $: discard
R${BKPat1}			$#discard $: discard
R${BKPat2}			$#discard $: discard
R${BKPat3}			$#discard $: discard
R${BKPat4}			$#discard $: discard
R${BKPat5}			$#discard $: discard
R${BKPat6}			$#discard $: discard
R${BKPat7}			$#discard $: discard

#
# Check Content-Type header for worm/virus telltales
# The first rule swaps the header value for SUSPECT when the SirCam map
# hits; the two Badtrans boundary strings are then tested against whatever
# is in the workspace, and SUSPECT is refused last.
#
SCheckContentType
R$+				$: $(SirCamWormMarker $1 $)
R$+ ${WPat1} $*			$#error $: 553 ${WMsg}
R$+ ${WPat2} $*			$#error $: 553 ${WMsg}
RSUSPECT			$#error $: "553 Possible virus, see http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html"

#
# Check Content-Disposition header for worm/virus telltales
# Accepted: a single token, or a single token followed by ; and parameters.
# Anything else is refused, which covers the two-word "Multipart message"
# value described in the SirCam notes above.
#
SCheckContentDisposition
R$-				$@ OK
R$- ; $+			$@ OK
R$*				$#error $: "553 Illegal Content-Disposition"