当前位置:Linux教程 - Email - email - 邮件防毒

email - 邮件防毒

邮件防毒
2004-04-23 15:18 pm
来自:Linux文档
现载:Www.8s8s.coM
地址:无名

邮件防毒

linux 上的邮件网关(杀病毒)AntiVir MailGate , 它有两种方法:

1. 直接作 mail 网关,然后利用“ 管道 ”调用 smtp 程序。支持标准的 smtp 程序: sendmail、postfix、qmail。

2. 也是作 mail 网关,在 /etc/sendmail.cf 里添加 avgatemail 选项 (这样 sendmail 在 825 端口监听),然后 再利用 825 端口转发邮件。意思是:25 即是 avmailgate 的 smtp 端口,然后它再利用 825(sendmail)端口转发邮件 !
请注意:但是人家还是可以利用你的 825 端口 (就是利用原来的 senmail 来给你发送病毒邮件!但是,这种情况很少的。)。这时你可以用防火墙来阻止来自外部的对本机的 825 端口的连接。


在 /etc/services 里面增加:
smtp-backdoor 825/tcp

修改 sendmail.cf 成:
# SMTP daemon options

#O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
# 原来的。

# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
#
# 红帽子 V7.x V8.0 所建立的本文件默认 “只” 对 localhost 即 127.0.0.1
# 提供服务,根据以往本文件的内容,修改为:
#
# SMTP daemon options
O DaemonPortOptions=Name=MTA, Port=smtp-backdoor

O DaemonPortOptions=Port=587, Name=MSA, M=E

# 若 不需要 avgatemail ,则应该是:
#O DaemonPortOptions=Name=MTA

#O DaemonPortOptions=Port=587, Name=MSA, M=E
# 在端口 587 提供 submission 服务(MSA)。
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-


请看:
邮件网关杀除病毒后返回的报告:

一、

*********************************************************************
AntiVir Virus Alert
*********************************************************************
This version of AntiVir MailGate is licensed for private and non-commercial use.
*********************************************************************

AntiVir found these viruses in the following mail:

Worm/Klez.E

The mail was not delivered.

You may force the delivery without further checking the mail using:

avq --deliver=04347-536A3823

but we would not advise to do so. You should delete it with:

avq --remove=04347-536A3823

For more information, please read the manual page avmailgate(icon_cool.gif.


----------Mail-Info----------
From: winson246 <winson246@sohu.com>
To: webmaster@fruitron.com.cn
Subject: Marginheight
Mail-From: suscono@pub.dgnet.gd.cn
Rcpt: webmaster@fruitron.com.cn
Queue-Id: 04347-536A3823
Status: The mail was not delivered!
-----------------------------


-----------Log-File----------
info: extracting attachment 1 to /var/tmp/av-06051-U43SFi/av-0
(encoding="quoted-printable", name="(no name)", filename="(no name)")
info: extracting attachment 2 to /var/tmp/av-06051-U43SFi/av-1
(encoding="base64", name="Vebnq.pif", filename="(no name)")
info: extracting attachment 3 to /var/tmp/av-06051-U43SFi/av-2
(encoding="base64", name="frame", filename="(no name)")
checking file "/var/tmp/av-06051-U43SFi/av-0"
checking file "/var/tmp/av-06051-U43SFi/av-1"
checking file "/var/tmp/av-06051-U43SFi/av-2"
-----------------------------
*********************************************************************
For more information on AntiVir please visit our web site
http://www.antivir.de or http://www.hbedv.com
mailto: info@antivir.de

AntiVir is a registered trademark of
H+BEDV Datentechnik GmbH
*********************************************************************


二、

*********************************************************************
AntiVir Virus Alert
*********************************************************************
This version of AntiVir MailGate is licensed for private and non-commercial use.
*********************************************************************

AntiVir found these viruses in a mail for you from winson246 <winson246@sohu.com>:

Worm/Klez.E

The mail was not delivered.

AntiVir MailGate prevented a virus delivery. But if you need to
receive further email from winson246 <winson246@sohu.com>,
you should ask him/her to buy a professional antivirus software such
as AntiVir from H+BEDV Datentechnik GmbH. He/She can contact
mailto:sales@hbedv.com for further information.

----------Mail-Info----------
From: winson246 <winson246@sohu.com>
To: webmaster@fruitron.com.cn
Subject: Marginheight
-----------------------------

*********************************************************************
For more information on AntiVir please visit our web site
http://www.antivir.de or http://www.hbedv.com
mailto: info@antivir.de

AntiVir is a registered trademark of
H+BEDV Datentechnik GmbH
*********************************************************************


自动升级病毒库后的报告:

AntiVir has successfully updated itself.

--> /usr/lib/AntiVir/antivir.vdf

Machine: gugonghcs.fruitron.com.cn
Date: 09 May 2002
Time: 10:39:18




-----------------------------
Copyright (C) 1994-2002 by H+BEDV Datentechnik GmbH.
All rights reserved.

For private (non-commercial) use only.


请到 :

http://www.hbedv.com

下载 linux 版本,并注册,Linux 的 版本可是免费的哟。

由于附件的后缀名限制,附加的文档的 .txt 结尾是我增加附加档案时添加上去的。

avmailgate.conf
[php]

#######################################################################
## avmailgate.conf ##
#######################################################################

# This file lists all the available parameters. Lines beginning with '#'
# are comments and are ignored. When a parameter is not specified, some
# default value is used. The default values are the values shown here,
# unless otherwise indicated.



###################################
# Parameters used by both daemons #
###################################

# ------------------------------------------------------------------------
# Avgated and avgatefwd will switch to this user and group
# as soon as possible. Avgated will do this after opening
# the SMTP port and avgatefwd will do it immediatelly.

# User uucp
# Group uucp

# ------------------------------------------------------------------------
# Who will get errors, virus alerts and information about automatic updates.

Postmaster postmaster

# ------------------------------------------------------------------------
# MyHostName: FQDN of the local host.
# The default value, if not set in configuration file, is that
# obtained by gethostname(2), or if this fails, "localhost".

# MyHostName localhost

# ------------------------------------------------------------------------
# The spooldir must be owned by User:Group (as specified above)
# and must be accessible by only this user (mode = 0700).
# Both programs will yell and refuse to run if something is wrong.

# SpoolDir /var/spool/avmailgate

# ------------------------------------------------------------------------
# AntiVirDir: The antivir 'library' directory, where the VDF,
# the key, and some other files are stored.

# AntiVirDir /usr/lib/AntiVir

# ------------------------------------------------------------------------
# TemporaryDir: Where the temporary files are stored
# (for example, attachments while virus checking them).
# It needs enough space to hold uncompressed attachments
# for each forwarder, and some more.
# Default: "/var/tmp" or else "/tmp".

# TemporaryDir /var/tmp

# ------------------------------------------------------------------------
# You can set this option to RECIPIENT, SENDER or BOTH to allow matching of
# domain name of the recipient and/or sender mail address, to check if it's
# to be considered local.

# If MatchMailAddressForLocal is RECIPIENT, and the recipient address matches
# the domain given in "local:", mail will be accepted.
# If MatchMailAddressForLocal is SENDER, and the sender address matches the
# domain given in "local:", mail will be accepted.
# If MatchMailAdressForLocal is BOTH, and the recipient or the sender adresses
# matches the domain given in "local:" mail will be accepted.

# MatchMailAddressForLocal RECIPIENT

# ------------------------------------------------------------------------
# SMTP greeting message.

SMTPBanner "AntiVir MailGate"


##############################
# Parameters used by avgated #
##############################

# ------------------------------------------------------------------------
# The pid file of the SMTP daemon

PidFile_avgated /var/run/avmailgate_d.pid

# ------------------------------------------------------------------------
# Select the interface, the smtp daemon will listen on.
# The default listen address of 0.0.0.0 means all interfaces.
# IF YOU ARE UNSURE JUST LEAVE IT AS IS!

ListenAddress 0.0.0.0 port 25

# ------------------------------------------------------------------------
# Limit the number of simultanous connections from remote sites.
# A limit of 0 disables this feature.

MaxIncomingConnections 0

# ------------------------------------------------------------------------
# Number of seconds until a timeout occures in SMTP conversation.

# SmtpTimeout 300

# ------------------------------------------------------------------------
# Larger mails will be rejected.
# A limit of 0 means "no limit".

MaxMessageSize 5000000

# ------------------------------------------------------------------------
# Refuse incoming connections if less free blocks are available
# on the filesystem containing the spool directory.

# MinFreeBlocks 100

# ------------------------------------------------------------------------
# So many recipients can be accepted at once.

MaxRecipientsPerMessage 100

# ------------------------------------------------------------------------
# Refuse 'MAIL FROM:<>'.
# Actually, RFC2821, RFC821 and RFC2505 explicitely note that 'MAIL FROM: <>'
# MUST be accepted. It is strongly recommended not to change the
# default setting.

RefuseEmptyMailFrom YES

# ------------------------------------------------------------------------
# When AllowSourceRouting is NO, if source routing is present in the
# given recipient address path, it's removed.

# When AllowSourceRouting is YES, then source routing is honored, and
# the messages is forwared to the first host specified in the route..

# AllowSourceRouting NO

# ------------------------------------------------------------------------
# When InEnvelopAddressesBangIs is REFUSED, the presence of an unquoted
# "!" in the recipient envelop address implies that the message will be
# refused.

# When InEnvelopAddressesBangIs is IGNORED, any unquoted "!" will be
# processed as any other non-special character of the address.

# When InEnvelopAddressesBangIs is INTERPRETED, then the address is
# rewritten in RFC821 standard form. An address such as:

# hostA!hostB!hostC!user

# is rewritten as:

# @hostA,@hostB:user@hostC

# Then, if source routing is allowed, the message is transmited to
# hostA, otherwise it's directly sent to hostC.

# Thus, this rewritting allow us to discover the recipient host, in the
# case where all the UUCP gateways on the route would have interpreted
# the address the same way as us. (If that were not the case, then this
# parameters should be set to IGNORED).

# InEnvelopAddressesBangIs REFUSED

# ------------------------------------------------------------------------
# When InEnvelopAddressesPercentIs is REFUSED, the presence of an
# unquoted "%" in the recipient envelop address implies that the message
# will be refused.

# When InEnvelopAddressesPercentIs is IGNORED, any unquoted "%" will be
# processed as any other non-special character of the address.

# When InEnvelopAddressesPercentIs is INTERPRETED, then the address is
# rewritten in RFC821 standard form. An address such as:

# user%hostC%hostB@hostA

# is rewritten as:

# @hostA,@hostB:user@hostC

# Then, if source routing is allowed, the message is transmited to
# hostA, otherwise it's directly sent to hostC.

# Thus, this rewritting allow us to discover the recipient host, in the
# case where all the gateways on the route would have interpreted the
# address the same way as us. (If that were not the case, then this
# parameters should be set to IGNORED).

# InEnvelopAddressesPercentIs REFUSED

# ------------------------------------------------------------------------
# When AcceptLooseDomainName is NO, if the name of the domain selected
# for delivery (depending on source routing) does not strictly conform
# it the domain name syntax,then it's refused.

# When AcceptLooseDomainName is YES, then no check is done on the domain
# name, apart of interpretting the domain name syntax for numerical IP
# addresses.

# AcceptLooseDomainName NO


################################
# Parameters used by avgatefwd #
################################

# ------------------------------------------------------------------------
# The pid file of the forwarder

PidFile_avgatefwd /var/run/avmailgate_fwd.pid

# ------------------------------------------------------------------------
# Number of forwarders running simultanously.
# (All the forwarders are of the same class, as specified by
# the following option).

# MaxForwarders 10

# ------------------------------------------------------------------------
# Select how mail should be forwarded.
# Send mail by piping it thru sendmail (this is the default):

# ForwardTo /usr/lib/sendmail -oem -oi

# Or if you want the mail to be sent by SMTP:

ForwardTo SMTP: localhost port 825

# ------------------------------------------------------------------------
# Stop delivery of suspicious MIME mails, that is
# a MIME nesting level > 20 or more than 100 attachments.

BlockSuspiciousMime YES

# ------------------------------------------------------------------------
# Send virus alerts to receipients outside your domain if
# the sender is a user local to your domain.

# ExposeAlerts NO

# ------------------------------------------------------------------------
# Send virus alerts to sender if the sender address is not local.
# This option is only available in commercial mode.

# ExposeSenderAlerts NO

# ------------------------------------------------------------------------
# User name of sender of virus alerts, if virus was found in a mail.

VirusAlertsUser AvMailGate

# ------------------------------------------------------------------------
# When AddStatusInBody is NO, no not status notification is inserted in
# the body of the emails.

# When AddStatusInBody is YES:
# For plain rfc822 email (non MIME), just insert the notification
# paragraph in the begining of the body.
# For MIME email, transmit the checked email as a new MIME
# multipart/mixed email, with a first text/plain section containing the
# status notification paragraph, and with a second message/rfc822
# section containgin the whole original message. Most headers from the
# orginal are copied to the transmited message.

# AddStatusInBody NO

# ------------------------------------------------------------------------
# When ForwardAllEmailAsMIME is NO, incoming emails that are not MIME
# emails get out as they came, non-MIME.

# When ForwardAllEmailAsMIME is YES:
# The behaviour does not change for MIME emails.
# However, plain rfc822 emails are encapsulated into a MIME
# message/rfc822 section of a multipart/mixed email that will inherit
# all the headers of the user email. If AddStatusInBody is YES too,
# then our text is added into a text/plain entity inserted before the
# message/rfc822 entity.

# ForwardAllEmailAsMIME NO

# ------------------------------------------------------------------------
# If ScanInArchive is NO, no files in an archive will be scanned.

# If ScanInArchives is YES, all files in archives are going to be extracted
# and scanned, depending on the resctrictions given with
# MaxFilesizeInArchive and MaxRecursionDepthInArchive.

ScanInArchive YES

# ------------------------------------------------------------------------
# If MaxFilesizeInArchive is 0, all files in an archive will be extracted,
# don't care of their unpacked size.

# If MaxFilesizeInArchive is >0, all files up to the adjusted size will be
# extracted.

# MaxFilesizeInArchive 0

# ------------------------------------------------------------------------
# If MaxRecursionDepthInArchive is 0, recursive archives are going to be
# unpacked with an unlimited recursion depth.

# If MaxRecursionDepthInArchive is >0, recursive archives are going to be
# unpacked up to the adjusted recursion depth.

# MaxRecursionDepthInArchive 5

# ------------------------------------------------------------------------
# If BlockSuspiciousArchive is NO, don't stop delivery of mails
# containing archives with a suspicious recursion depth.

# If BlockSuspiciousArchive is YES, stop delivery of mails
# containing archives if MaxRecursionDepthInArchive has been reached.

# BlockSuspiciousArchive NO

# ------------------------------------------------------------------------
# If BlockEncryptedArchive is NO, don't stop delivery of mails
# containing encrypted files in archives.

# If BlockEncryptedArchive is YES, stop delivery of mails
# containing encrypted files in an archive.

# BlockEncryptedArchive NO


# ------------------------------------------------------------------------

# PollPeriod specifies the periodicity, in seconds, of the queue
# scanning done by avgatefwd.

# PollPeriod 20

# ------------------------------------------------------------------------

# User name of sender of error messages, if a mail couldn't be delivered via
# MTA (bounce messages).

BounceMessageUser MAILER-DAEMON

# ------------------------------------------------------------------------

# If AddXHeaderInfo is YES, information about scanning status is added
# to the header of checked mail. E.g.: "X-AntiVirus: Checked by ..."
# This option is only available in commercial mode.

AddXHeader YES


# ------------------------------------------------------------------------

# If AddReceivedByHeaderInfo is YES, a "Received by:" stamp is added to
# the header of mail.
# This option is only available in commercial mode.

AddReceivedByHeader YES


# ------------------------------------------------------------------------

# ScanTimeout specifies the scan time of mail, in seconds, when to stop
# scanning of mails.

# ScanTimeout 300


# ------------------------------------------------------------------------

# Call external program or script if virus was found. The argument is the id of
# rejected message.

# ExternalProgram /dir/my_own_script



#########################
## That's all folks! ##
#########################
[/php]

avmailgate.acl
[php]
# Access lists for AvMailGate

# These hosts and/or domains are local.
local: localhost
local: fruitron.com.cn mail.fruitron.com.cn

# These hosts and networks are allowed to relay.
relay: 127.0.0.1/8 192.168.0.0/24 211.148.130.128/28
[/php]

sendmail.cf

[php]
#
# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers.
# All rights reserved.
# Copyright (c) 1983, 1995 Eric P. Allman. All rights reserved.
# Copyright (c) 1988, 1993
# The Regents of the University of California. All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

######################################################################
######################################################################
#####
##### SENDMAIL CONFIGURATION FILE
#####
#####
######################################################################
######################################################################

##### $Id: cfhead.m4,v 8.76.4.16 2001/03/06 22:56:36 ca Exp $ #####
##### $Id: cf.m4,v 8.32 1999/02/07 07:26:14 gshapiro Exp $ #####

##### linux setup for Red Hat linux #####
##### $Id: linux.m4,v 8.11.16.2 2000/09/17 17:04:22 gshapiro Exp $ #####



##### $Id: local_procmail.m4,v 8.21 1999/11/18 05:06:23 ca Exp $ #####



##### $Id: no_default_msa.m4,v 8.1.10.1 2000/09/17 17:04:22 gshapiro Exp $ #####

##### $Id: smrsh.m4,v 8.14 1999/11/18 05:06:23 ca Exp $ #####

##### $Id: mailertable.m4,v 8.18 1999/07/22 17:55:35 gshapiro Exp $ #####

##### $Id: virtusertable.m4,v 8.16 1999/07/22 17:55:36 gshapiro Exp $ #####

##### $Id: redirect.m4,v 8.15 1999/08/06 01:47:36 gshapiro Exp $ #####

##### $Id: always_add_domain.m4,v 8.9 1999/02/07 07:26:08 gshapiro Exp $ #####

##### $Id: use_cw_file.m4,v 8.9 1999/02/07 07:26:13 gshapiro Exp $ #####


##### $Id: use_ct_file.m4,v 8.9 1999/02/07 07:26:13 gshapiro Exp $ #####


##### $Id: local_procmail.m4,v 8.21 1999/11/18 05:06:23 ca Exp $ #####

##### $Id: access_db.m4,v 8.15 1999/07/22 17:55:34 gshapiro Exp $ #####

##### $Id: blacklist_recipients.m4,v 8.13 1999/04/02 02:25:13 gshapiro Exp $ #####


##### $Id: accept_unresolvable_domains.m4,v 8.10 1999/02/07 07:26:07 gshapiro Exp $ #####
Cwlocalhost.localdomain


##### $Id: proto.m4,v 8.446.2.5.2.44 2001/07/31 22:25:49 gshapiro Exp $ #####


# level 9 config file format
V9/Berkeley

# override file safeties - setting this option compromises system security,
# addressing the actual file configuration problem is preferred
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe

# default LDAP map specification
# need to set this now before any LDAP maps are defined
#O LDAPDefaultSpec=-h localhost

##################
# local info #
##################

Cwlocalhost
# file containing names of hosts for which we receive email
Fw/etc/mail/local-host-names

# my official domain name
# ... define this only if sendmail cannot automatically determine your domain
#Dj$w.Foo.COM

CP.

# "Smart" relay host (may be null)
DS
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
#DSmail.fruitron.com.cn
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

# operators that cannot be in local usernames (i.e., network indicators)
CO @ % !

# a class with just dot (for identifying canonical names)
C..

# a class with just a left bracket (for identifying domain literals)
C[[

# access_db acceptance class
C{Accept}OK RELAY




# Hosts for which relaying is permitted ($=R)
FR-o /etc/mail/relay-domains

# arithmetic map
Karith arith
# possible values for tls_connect in access map
C{tls}VERIFY ENCR

# who I send unqualified names to (null means deliver locally)
#DR
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
DRmail.fruitron.com.cn
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

# who gets all local email traffic ($R has precedence for unqualified names)
#DH
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
DHmail.fruitron.com.cn
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

# dequoting map
Kdequote dequote

# class E: names that should be exposed as from this host, even if we masquerade
# class L: names that should be delivered locally, even if we have a relay
# class M: domains that should be converted to $M
# class N: domains that should not be converted to $M
#CL root
C{E}root

# who I masquerade as (null for no masquerading) (see also $=M)
#DM
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
DMfruitron.com.cn
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

# my name for error messages
DnMAILER-DAEMON


# Mailer table (overriding domains)
Kmailertable hash -o /etc/mail/mailertable.db

# Virtual user table (maps incoming users)
Kvirtuser hash -o /etc/mail/virtusertable.db

CPREDIRECT

# Access list database (for spam stomping)
Kaccess hash -o /etc/mail/access.db

# Configuration version number
DZ8.11.6


###############
# Options #
###############

# strip message body to 7 bits on input?
O SevenBitInput=False

# 8-bit data handling
#O EightBitMode=pass8

# wait for alias file rebuild (default units: minutes)
O AliasWait=10

# location of alias file
O AliasFile=/etc/aliases

# minimum number of free blocks on filesystem
O MinFreeBlocks=100

# maximum message size
#O MaxMessageSize=1000000
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
O MaxMessageSize=5000000
# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

# substitution for space (blank) characters
O BlankSub=.

# avoid connecting to "expensive" mailers on initial submission?
O HoldExpensive=False

# checkpoint queue runs after every N successful deliveries
#O CheckpointInterval=10

# default delivery mode
O DeliveryMode=background

# automatically rebuild the alias database?
# NOTE: There is a potential for a denial of service attack if this is set.
# This option is deprecated and will be removed from a future version.
O AutoRebuildAliases

# error message header/file
#O ErrorHeader=/etc/mail/error-header

# error mode
#O ErrorMode=print

# save Unix-style "From_" lines at top of header?
#O SaveFromLine=False

# temporary file mode
O TempFileMode=0600

# match recipients against GECOS field?
#O MatchGECOS=False

# maximum hop count
#O MaxHopCount=17

# location of help file
O HelpFile=/etc/mail/helpfile

# ignore dots as terminators in incoming messages?
#O IgnoreDots=False

# name resolver options
#O ResolverOptions=+AAONLY

# deliver MIME-encapsulated error messages?
O SendMimeErrors=True

# Forward file search path
O ForwardPath=$z/.forward.$w:$z/.forward

# open connection cache size
O ConnectionCacheSize=2

# open connection cache timeout
O ConnectionCacheTimeout=5m

# persistent host status directory
#O HostStatusDirectory=.hoststat

# single thread deliveries (requires HostStatusDirectory)?
#O SingleThreadDelivery=False

# use Errors-To: header?
O UseErrorsTo=False

# log level
O LogLevel=9

# send to me too, even in an alias expansion?
#O MeToo=True

# verify RHS in newaliases?
O CheckAliases=False

# default messages to old style headers if no special punctuation?
O OldStyleHeaders=True

# SMTP daemon options

#O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
#
# &ìñ×Ó V7.x Ëù½¨Á&&ı¾Îļ&Ä&ÈÏ &°Ö&&± &Ô localhost ¼& 127.0.0.1
# Ìá¹&·&Î&,&ù¾ÝÒÔÍù±¾Îļ&&ÄÄÚÈÝ&&ÐÞ&ÄÎ&&&
#
# SMTP daemon options

#O DaemonPortOptions=Name=MTA

# Î&ʹÓà Avmailgate &&ÉèÖÃ&&ÏêÏ&Ç&¼&&&http://www.hbedv.com
O DaemonPortOptions=Name=MTA, Port=smtp-backdoor
# ²&Ò&ÍüÁË&&ÔÚ /etc/services Îļ&À&Ô&¼ÓÒ&ÐÐ&&
# Added For Avmailgate:
# smtp-backdoor 825/tcp

O DaemonPortOptions=Port=587, Name=MSA, M=E
# ÔÚ&Ë&Ú 587 Ìá¹& submission ·&Î&&¨MSA&&&&


# -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- gugong -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-


# SMTP client options
#O ClientPortOptions=Address=0.0.0.0

# privacy flags
O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun

# who (if anyone) should get extra copies of error messages
#O PostmasterCopy=Postmaster

# slope of queue-only function
#O QueueFactor=600000

# queue directory
O QueueDirectory=/var/spool/mqueue

# timeouts (many of these)
#O Timeout.initial=5m
O Timeout.connect=1m
#O Timeout.iconnect=5m
#O Timeout.helo=5m
#O Timeout.mail=10m
#O Timeout.rcpt=1h
#O Timeout.datainit=5m
#O Timeout.datablock=1h
#O Timeout.datafinal=1h
#O Timeout.rset=5m
#O Timeout.quit=2m
#O Timeout.misc=2m
#O Timeout.command=1h
#O Timeout.ident=5s
#O Timeout.fileopen=60s
#O Timeout.control=2m
O Timeout.queuereturn=5d
#O Timeout.queuereturn.normal=5d
#O Timeout.queuereturn.urgent=2d
#O Timeout.queuereturn.non-urgent=7d
O Timeout.queuewarn=4h
#O Timeout.queuewarn.normal=4h
#O Timeout.queuewarn.urgent=1h
#O Timeout.queuewarn.non-urgent=12h
#O Timeout.hoststatus=30m
#O Timeout.resolver.retrans=5s
#O Timeout.resolver.retrans.first=5s
#O Timeout.resolver.retrans.normal=5s
#O Timeout.resolver.retry=4
#O Timeout.resolver.retry.first=4
#O Timeout.resolver.retry.normal=4

# should we not prune routes in route-addr syntax addresses?
#O DontPruneRoutes=False

# queue up everything before forking?
O SuperSafe=True

# status file
O StatusFile=/etc/mail/statistics

# time zone handling:
# if undefined, use system default
# if defined but null, use TZ envariable passed in
# if defined and non-null, use that info
#O TimeZoneSpec=

# default UID (can be username or userid:groupid)
O DefaultUser=8:12

# list of locations of user database file (null means no lookup)
O UserDatabaseSpec=/etc/mail/userdb.db

# fallback MX host
#O FallbackMXhost=fall.back.host.net

# if we are the best MX host for a site, try it directly instead of config err
O TryNullMXList=true

# load average at which we just queue messages
#O QueueLA=8

# load average at which we refuse connections
#O RefuseLA=12

# maximum number of children we allow at one time
#O MaxDaemonChildren=12

# maximum number of new connections per second
#O ConnectionRateThrottle=0

# work recipient factor
#O RecipientFactor=30000

# deliver each queued job in a separate process?
#O ForkEachJob=False

# work class factor
#O ClassFactor=1800

# work time factor
#O RetryFactor=90000

# shall we sort the queue by hostname first?
#O QueueSortOrder=priority

# minimum time in queue before retry
#O MinQueueAge=30m

# default character set
#O DefaultCharSet=iso-8859-1

# service switch file (ignored on Solaris, Ultrix, OSF/1, others)
#O ServiceSwitchFile=/etc/mail/service.switch

# hosts file (normally /etc/hosts)
#O HostsFile=/etc/hosts

# dialup line delay on connection failure
#O DialDelay=10s

# action to take if there are no recipients in the message
#O NoRecipientAction=add-to-undisclosed

# chrooted environment for writing to files
#O SafeFileEnvironment=/arch

# are colons OK in addresses?
#O ColonOkInAddr=True

# how many jobs can you process in the queue?
#O MaxQueueRunSize=10000

# shall I avoid expanding CNAMEs (violates protocols)?
#O DontExpandCnames=False

# SMTP initial login message (old $e macro)
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

# UNIX initial From header format (old $l macro)
O UnixFromLine=From $g $d

# From: lines that have embedded newlines are unwrapped onto one line
#O SingleLineFromHeader=False

# Allow HELO SMTP command that does not include a host name
#O AllowBogusHELO=False

# Characters to be quoted in a full name phrase (@,;:()[] are automatic)
#O MustQuoteChars=.

# delimiter (operator) characters (old $o macro)
O OperatorChars=.:%@!^/[]+

# shall I avoid calling initgroups(3) because of high NIS costs?
#O DontInitGroups=False

# are group-writable :include: and .forward files (un)trustworthy?
#O UnsafeGroupWrites=True

# where do errors that occur when sending errors get sent?
#O DoubleBounceAddress=postmaster

# where to save bounces if all else fails
#O DeadLetterDrop=/var/tmp/dead.letter

# what user id do we assume for the majority of the processing?
#O RunAsUser=sendmail

# maximum number of recipients per SMTP envelope
#O MaxRecipientsPerMessage=100

# shall we get local names from our installed interfaces?
O DontProbeInterfaces=true

# Return-Receipt-To: header implies DSN request
#O RrtImpliesDsn=False

# override connection address (for testing)
#O ConnectOnlyTo=0.0.0.0

# Trusted user for file ownership and starting the daemon
#O TrustedUser=root

# Control socket for daemon management
#O ControlSocketName=/var/spool/mqueue/.control

# Maximum MIME header length to protect MUAs
#O MaxMimeHeaderLength=0/0

# Maximum length of the sum of all headers
#O MaxHeadersLength=32768

# Maximum depth of alias recursion
#O MaxAliasRecursion=10

# location of pid file
#O PidFile=/var/run/sendmail.pid

# Prefix string for the process title shown on 'ps' listings
#O ProcessTitlePrefix=prefix

# Data file (df) memory-buffer file maximum size
#O DataFileBufferSize=4096

# Transcript file (xf) memory-buffer file maximum size
#O XscriptFileBufferSize=4096

# list of authentication mechanisms
#O AuthMechanisms=GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

# default authentication information for outgoing connections
#O DefaultAuthInfo=/etc/mail/default-auth-info

# SMTP AUTH flags
O AuthOptions=A



# CA directory
#O CACERTPath
# CA file
#O CACERTFile
# Server Cert
#O ServerCertFile
# Server private key
#O ServerKeyFile
# Client Cert
#O ClientCertFile
# Client private key
#O ClientKeyFile
# DHParameters (only required if DSA/DH is used)
#O DHParameters
# Random data source (required for systems without /dev/urandom under OpenSSL)
#O RandFile



###########################
# Message precedences #
###########################

Pfirst-class=0
Pspecial-delivery=100
Plist=-30
Pbulk=-60
Pjunk=-100

#####################
# Trusted users #
#####################

# this is equivalent to setting class "t"
Ft/etc/mail/trusted-users
Troot
Tdaemon
Tuucp

#########################
# Format of headers #
#########################

H?P?Return-Path: <$g>
HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
$.$?{auth_type}(authenticated$?{auth_ssf} (${auth_ssf} bits)$.)
$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}
(using ${tls_version} with cipher ${cipher} (${cipher_bits} bits) verified ${verify})$.$?u
for $u; $|;
$.$b
H?D?Resent-Date: $a
H?D?Date: $a
H?F?Resent-From: $?x$x <$g>$|$g$.
H?F?From: $?x$x <$g>$|$g$.
H?x?Full-Name: $x
# HPosted-Date: $a
# H?l?Received-Date: $b
H?M?Resent-Message-Id: <$t.$i@$j>
H?M?Message-Id: <$t.$i@$j>

#
######################################################################
######################################################################
#####
##### REWRITING RULES
#####
######################################################################
######################################################################

############################################
### Ruleset 3 -- Name Canonicalization ###
############################################
Scanonify=3

# handle null input (translate to <@> special case)
R$@ $@ <@>

# strip group: syntax (not inside angle brackets!) and trailing semicolon
R$* $: $1 <@> mark addresses
R$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr>
R@ $* <@> $: @ $1 unmark @host:...
R$* :: $* <@> $: $1 :: $2 unmark node::addr
R:include: $* <@> $: :include: $1 unmark :include:...
R$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr
R$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon
R$* : $* <@> $: $2 strip colon if marked
R$* <@> $: $1 unmark
R$* ; $1 strip trailing semi
R$* < $+ :; > $* $@ $2 :; <@> catch <list:;>
R$* < $* ; > $1 < $2 > bogus bracketed semi

# null input now results from list:; syntax
R$@ $@ :; <@>

# strip angle brackets -- note RFC733 heuristic to get innermost item
R$* $: < $1 > housekeeping <>
R$+ < $* > < $2 > strip excess on left
R< $* > $+ < $1 > strip excess on right
R<> $@ < @ > MAIL FROM:<> case
R< $+ > $: $1 remove housekeeping <>

# strip route address <@a,@b,@c:user@d> -> <user@d>
R@ $+ , $+ $2
R@ $+ : $+ $2

# find focus for list syntax
R $+ : $* ; @ $+ $@ $>Canonify2 $1 : $2 ; < @ $3 > list syntax
R $+ : $* ; $@ $1 : $2; list syntax

# find focus for @ syntax addresses
R$+ @ $+ $: $1 < @ $2 > focus on domain
R$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right
R$+ < @ $+ > $@ $>Canonify2 $1 < @ $2 > already canonical

# do some sanity checking
R$* < @ $* : $* > $* $1 < @ $2 $3 > $4 nix colons in addrs

# convert old-style addresses to a domain-based address
R$- ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > resolve uucp names
R$+ . $- ! $+ $@ $>Canonify2 $3 < @ $1 . $2 > domain uucps
R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains

# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish

# else we must be a local name
R$* $@ $>Canonify2 $1


################################################
### Ruleset 96 -- bottom half of ruleset 3 ###
################################################

SCanonify2=96

# handle special cases for local names
R$* < @ localhost > $* $: $1 < @ $j . > $2 no domain at all
R$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain
R$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain

# check for IPv6 domain literal (save quoted form)
R$* < @ [ IPv6 : $+ ] > $* $: $2 $| $1 < @@ [ $(dequote $2 $) ] > $3 mark IPv6 addr
R$+ $| $* < @@ $=w > $* $: $2 < @ $j . > $4 self-literal
R$+ $| $* < @@ [ $+ ] > $* $@ $2 < @ [ IPv6 : $1 ] > $4 canon IP addr

# check for IPv4 domain literal
R$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [a.b.c.d]
R$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal
R$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr





# if really UUCP, handle it immediately

# try UUCP traffic as a local address
R$* < @ $+ . UUCP > $* $: $1 < @ $[ $2 $] . UUCP . > $3
R$* < @ $+ . . UUCP . > $* $@ $1 < @ $2 . > $3

# hostnames ending in class P are always canonical
R$* < @ $* $=P > $* $: $1 < @ $2 $3 . > $4
R$* < @ $* $~P > $* $: $&{daemon_flags} $| $1 < @ $2 $3 > $4
R$* CC $* $| $* < @ $+.$+ > $* $: $3 < @ $4.$5 . > $6
R$* CC $* $| $* $: $3
# pass to name server to make hostname canonical
R$* $| $* < @ $* > $* $: $2 < @ $[ $3 $] > $4
R$* $| $* $: $2

# local host aliases and pseudo-domains are always canonical
R$* < @ $=w > $* $: $1 < @ $2 . > $3
R$* < @ $=M > $* $: $1 < @ $2 . > $3
R$* < @ $={VirtHost} > $* $: $1 < @ $2 . > $3
R$* < @ $* . . > $* $1 < @ $2 . > $3


##################################################
### Ruleset 4 -- Final Output Post-rewriting ###
##################################################
Sfinal=4

R$+ :; <@> $@ $1 : handle <list:;>
R$* <@> $@ handle <> and list:;

# strip trailing dot off possibly canonical name
R$* < @ $+ . > $* $1 < @ $2 > $3

# eliminate internal code
R$* < @ *LOCAL* > $* $1 < @ $j > $2

# externalize local domain info
R$* < $+ > $* $1 $2 $3 defocus
R@ $+ : @ $+ : $+ @ $1 , @ $2 : $3 <route-addr> canonical
R@ $* $@ @ $1 ... and exit

# UUCP must always be presented in old form
R$+ @ $- . UUCP $2!$1 u@h.UUCP => h!u

# delete duplicate local names
R$+ % $=w @ $=w $1 @ $2 u%host@host => u@host



##############################################################
### Ruleset 97 -- recanonicalize and call ruleset zero ###
### (used for recursive calls) ###
##############################################################

SRecurse=97
R$* $: $>canonify $1
R$* $@ $>parse $1


######################################
### Ruleset 0 -- Parse Address ###
######################################

Sparse=0

R$* $: $>Parse0 $1 initial parsing
R<@> $#local $: <@> special case error msgs
R$* $: $>ParseLocal $1 handle local hacks
R$* $: $>Parse1 $1 final parsing

#
# Parse0 -- do initial syntax checking and eliminate local addresses.
# This should either return with the (possibly modified) input
# or return with a #error mailer. It should not return with a
# #mailer other than the #error mailer.
#

SParse0
R<@> $@ <@> special case error msgs
R$* : $* ; <@> $#error $@ 5.1.3 $: "553 List:; syntax illegal for recipient addresses"
R@ <@ $* > < @ $1 > catch "@@host" bogosity
R<@ $+> $#error $@ 5.1.3 $: "553 User address required"
R$* $: <> $1
R<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3
R<> $* <$* : $* > $* $#error $@ 5.1.3 $: "553 Colon illegal in host name part"
R<> $* $1
R$* < @ . $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
R$* < @ $* .. $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
R$* , $~O $* $#error $@ 5.1.2 $: "553 Invalid route address"

# now delete the local info -- note $=O to find characters that cause forwarding
R$* < @ > $* $@ $>Parse0 $>canonify $1 user@ => user
R< @ $=w . > : $* $@ $>Parse0 $>canonify $2 @here:... -> ...
R$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote "foo"@here
R< @ $+ > $#error $@ 5.1.3 $: "553 User address required"
R$* $=O $* < @ $=w . > $@ $>Parse0 $>canonify $1 $2 $3 ...@here -> ...
R$- $: $(dequote $1 $) < @ *LOCAL* > dequote "foo"
R< @ *LOCAL* > $#error $@ 5.1.3 $: "553 User address required"
R$* $=O $* < @ *LOCAL* >
$@ $>Parse0 $>canonify $1 $2 $3 ...@*LOCAL* -> ...
R$* < @ *LOCAL* > $: $1

#
# Parse1 -- the bottom half of ruleset 0.
#

SParse1

# handle numeric address spec
R$* < @ [ $+ ] > $* $: $>ParseLocal $1 < @ [ $2 ] > $3 numeric internet spec
R$* < @ [ $+ ] > $* $1 < @ [ $2 ] : $S > $3 Add smart host to path
R$* < @ [ IPv6 : $+ ] : > $*
$#esmtp $@ [ $(dequote $2 $) ] $: $1 < @ [IPv6 : $2 ] > $3 no smarthost: send
R$* < @ [ $+ ] : > $* $#esmtp $@ [$2] $: $1 < @ [$2] > $3 no smarthost: send
R$* < @ [ $+ ] : $- : $*> $* $#$3 $@ $4 $: $1 < @ [$2] > $5 smarthost with mailer
R$* < @ [ $+ ] : $+ > $* $#esmtp $@ $3 $: $1 < @ [$2] > $4 smarthost without mailer

# handle virtual users
R$+ $: <!> $1 Mark for lookup
R<!> $+ < @ $={VirtHost} . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<!> $+ < @ $=w . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+ + $* < @ $* . >
$: < $(virtuser $1 + * @ $3 $@ $1 $@ $2 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $* < @ $* . >
$: < $(virtuser $1 @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $+ < @ $+ . > $: < $(virtuser + * @ $3 $@ $1 $@ $2 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $* < @ $+ . > $: < $(virtuser @ $3 $@ $1 $@ $2 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ < @ $+ . > $: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+ $: $1
R<!> $+ $: $1
R< error : $-.$-.$- : $+ > $* $#error $@ $1.$2.$3 $: $4
R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2
R< $+ > $+ < @ $+ > $: $>Recurse $1

# short circuit local delivery so forwarded email works


R$=L < @ $=w . > $#local $: @ $1 special local names
R$+ < @ $=w . > $#local $: $1 regular local name

# not local -- try mailer table lookup
R$* <@ $+ > $* $: < $2 > $1 < @ $2 > $3 extract host name
R< $+ . > $* $: < $1 > $2 strip trailing dot
R< $+ > $* $: < $(mailertable $1 $) > $2 lookup
R< $~[ : $* > $* $>MailerToTriple < $1 : $2 > $3 check -- resolved?
R< $+ > $* $: $>Mailertable <$1> $2 try domain

# resolve remotely connected UUCP links (if any)

# resolve fake top level domains by forwarding to other hosts



# pass names that still have a host to a smarthost (if defined)
R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name

# deal with other remote names
R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 user@host.domain

# handle locally delivered names
R$=L $#local $: @ $1 special local names
R$+ $#local $: $1 regular local names

###########################################################################
### Ruleset 5 -- special rewriting after aliases have been expanded ###
###########################################################################

SLocal_localaddr
Slocaladdr=5
R$+ $: $1 $| $>"Local_localaddr" $1
R$+ $| $#$* $#$2
R$+ $| $* $: $1




# deal with plussed users so aliases work nicely
R$+ + * $#local $@ $&h $: $1
R$+ + $* $#local $@ + $2 $: $1 + *

# prepend an empty "forward host" on the front
R$+ $: <> $1


# see if we have a relay or a hub
R< > $+ $: < $H > $1 try hub
R< > $+ $: < $R > $1 try relay

R< > $+ $: < > < $1 <> $&h > nope, restore +detail
R< > < $+ <> + $* > $: < > < $1 + $2 > check whether +detail
R< > < $+ <> $* > $: < > < $1 > else discard
R< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part
R< > < $+ > + $* $#local $@ $2 $: @ $1 strip the extra +
R< > < $+ > $@ $1 no +detail
R$+ $: $1 <> $&h add +detail back in
R$+ <> + $* $: $1 + $2 check whether +detail
R$+ <> $* $: $1 else discard
R< local : $* > $* $: $>MailerToTriple < local : $1 > $2 no host extension
R< error : $* > $* $: $>MailerToTriple < error : $1 > $2 no host extension
R< $- : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 >
R< $+ > $+ $@ $>MailerToTriple < $1 > $2 < @ $1 >

###################################################################
### Ruleset 90 -- try domain part of mailertable entry ###
###################################################################

SMailertable=90
R$* <$- . $+ > $* $: $1$2 < $(mailertable .$3 $@ $1$2 $@ $2 $) > $4
R$* <$~[ : $* > $* $>MailerToTriple < $2 : $3 > $4 check -- resolved?
R$* < . $+ > $* $@ $>Mailertable $1 . <$2> $3 no -- strip & try again
R$* < $* > $* $: < $(mailertable . $@ $1$2 $) > $3 try "."
R< $~[ : $* > $* $>MailerToTriple < $1 : $2 > $3 "." found?
R< $* > $* $@ $2 no mailertable match

###################################################################
### Ruleset 95 -- canonify mailer:[user@]host syntax to triple ###
###################################################################

SMailerToTriple=95
R< > $* $@ $1 strip off null relay
R< error : $-.$-.$- : $+ > $* $#error $@ $1.$2.$3 $: $4
R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2
R< local : $* > $* $>CanonLocal < $1 > $2
R< $- : $+ @ $+ > $*<$*>$* $# $1 $@ $3 $: $2<@$3> use literal user
R< $- : $+ > $* $# $1 $@ $2 $: $3 try qualified mailer
R< $=w > $* $@ $2 delete local host
R< [ IPv6 : $+ ] > $* $#relay $@ $(dequote $1 $) $: $2 use unqualified mailer
R< $+ > $* $#relay $@ $1 $: $2 use unqualified mailer

###################################################################
### Ruleset CanonLocal -- canonify local: syntax ###
###################################################################

SCanonLocal
# strip local host from routed addresses
R< $* > < @ $+ > : $+ $@ $>Recurse $3
R< $* > $+ $=O $+ < @ $+ > $@ $>Recurse $2 $3 $4

# strip trailing dot from any host name that may appear
R< $* > $* < @ $* . > $: < $1 > $2 < @ $3 >

# handle local: syntax -- use old user, either with or without host
R< > $* < @ $* > $* $#local $@ $1@$2 $: $1
R< > $+ $#local $@ $1 $: $1

# handle local:user@host syntax -- ignore host part
R< $+ @ $+ > $* < @ $* > $: < $1 > $3 < @ $4 >

# handle local:user syntax
R< $+ > $* <@ $* > $* $#local $@ $2@$3 $: $1
R< $+ > $* $#local $@ $2 $: $1

###################################################################
### Ruleset 93 -- convert header names to masqueraded form ###
###################################################################

SMasqHdr=93


# do not masquerade anything in class N
R$* < @ $* $=N . > $@ $1 < @ $2 $3 . >

# special case the users that should be exposed
R$=E < @ *LOCAL* > $@ $1 < @ $j . > leave exposed
R$=E < @ $=M . > $@ $1 < @ $2 . >
R$=E < @ $=w . > $@ $1 < @ $2 . >

# handle domain-specific masquerading
R$* < @ $=M . > $* $: $1 < @ $2 . @ $M > $3 convert masqueraded doms
R$* < @ $=w . > $* $: $1 < @ $2 . @ $M > $3
R$* < @ *LOCAL* > $* $: $1 < @ $j . @ $M > $2
R$* < @ $+ @ > $* $: $1 < @ $2 > $3 $M is null
R$* < @ $+ @ $+ > $* $: $1 < @ $3 . > $4 $M is not null

###################################################################
### Ruleset 94 -- convert envelope names to masqueraded form ###
###################################################################

SMasqEnv=94
R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2

###################################################################
### Ruleset 98 -- local part of ruleset zero (can be null) ###
###################################################################

SParseLocal=98

# addresses sent to foo@host.REDIRECT will give a 551 error code
R$* < @ $+ .REDIRECT. > $: $1 < @ $2 . REDIRECT . > < ${opMode} >
R$* < @ $+ .REDIRECT. > <i> $: $1 < @ $2 . REDIRECT. >
R$* < @ $+ .REDIRECT. > < $- > $#error $@ 5.1.1 $: "551 User has moved; please try " <$1@$2>




######################################################################
### LookUpDomain -- search for domain in access database
###
### Parameters:
### <$1> -- key (domain name)
### <$2> -- default (what to return if not found in db)
### <$3> -- passthru (additional data passed unchanged through)
### <$4> -- mark (must be <(!|+) single-token>)
### ! does lookup only with tag
### + does lookup with and without tag
######################################################################

SLookUpDomain
R<[IPv6 : $+]> <$+> <$*> <$*> $: <[$(dequote $1 $)]> <$2> <$3> <$4>
R<$*> <$+> <$*> <$- $-> $: < $(access $5:$1 $: ? $) > <$1> <$2> <$3> <$4 $5>
R<?> <$+> <$+> <$*> <+ $*> $: < $(access $1 $: ? $) > <$1> <$2> <$3> <+ $4>
R<?> <[$+.$-]> <$+> <$*> <$*> $@ $>LookUpDomain <[$1]> <$3> <$4> <$5>
R<?> <[$+::$-]> <$+> <$*> <$*> $: $>LookUpDomain <[$1]> <$3> <$4> <$5>
R<?> <[$+:$-]> <$+> <$*> <$*> $: $>LookUpDomain <[$1]> <$3> <$4> <$5>
R<?> <$+.$+> <$+> <$*> <$*> $@ $>LookUpDomain <$2> <$3> <$4> <$5>
R<?> <$+> <$+> <$*> <$*> $@ <$2> <$3>
R<$*> <$+> <$+> <$*> <$*> $@ <$1> <$4>

######################################################################
### LookUpAddress -- search for host address in access database
###
### Parameters:
### <$1> -- key (dot quadded host address)
### <$2> -- default (what to return if not found in db)
### <$3> -- passthru (additional data passed through)
### <$4> -- mark (must be <(!|+) single-token>)
### ! does lookup only with tag
### + does lookup with and without tag
######################################################################

SLookUpAddress
R<$+> <$+> <$*> <$- $+> $: < $(access $5:$1 $: ? $) > <$1> <$2> <$3> <$4 $5>
R<?> <$+> <$+> <$*> <+ $+> $: < $(access $1 $: ? $) > <$1> <$2> <$3> <+ $4>
R<?> <$+::$-> <$+> <$*> <$*> $@ $>LookUpAddress <$1> <$3> <$4> <$5>
R<?> <$+:$-> <$+> <$*> <$*> $@ $>LookUpAddress <$1> <$3> <$4> <$5>
R<?> <$+.$-> <$+> <$*> <$*> $@ $>LookUpAddress <$1> <$3> <$4> <$5>
R<?> <$+> <$+> <$*> <$*> $@ <$2> <$3>
R<$*> <$+> <$+> <$*> <$*> $@ <$1> <$4>

######################################################################
### CanonAddr -- Convert an address into a standard form for
### relay checking. Route address syntax is
### crudely converted into a %-hack address.
###
### Parameters:
### $1 -- full recipient address
###
### Returns:
### parsed address, not in source route form
######################################################################

SCanonAddr
R$* $: $>Parse0 $>canonify $1 make domain canonical


######################################################################
### ParseRecipient -- Strip off hosts in $=R as well as possibly
### $* $=m or the access database.
### Check user portion for host separators.
###
### Parameters:
### $1 -- full recipient address
###
### Returns:
### parsed, non-local-relaying address
######################################################################

SParseRecipient
R$* $: <?> $>CanonAddr $1
R<?> $* < @ $* . > <?> $1 < @ $2 > strip trailing dots
R<?> $- < @ $* > $: <?> $(dequote $1 $) < @ $2 > dequote local part

# if no $=O character, no host in the user portion, we are done
R<?> $* $=O $* < @ $* > $: <NO> $1 $2 $3 < @ $4>
R<?> $* $@ $1



R<NO> $* < @ $* $=R > $: <RELAY> $1 < @ $2 $3 >
R<NO> $* < @ $+ > $: $>LookUpDomain <$2> <NO> <$1 < @ $2 >> <+To>
R<$+> <$+> $: <$1> $2


R<RELAY> $* < @ $* > $@ $>ParseRecipient $1
R<$-> $* $@ $2


######################################################################
### check_relay -- check hostname/address on SMTP startup
######################################################################

SLocal_check_relay
Scheck_relay
R$* $: $1 $| $>"Local_check_relay" $1
R$* $| $* $| $#$* $#$3
R$* $| $* $| $* $@ $>"Basic_check_relay" $1 $| $2

SBasic_check_relay
# check for deferred delivery mode
R$* $: < ${deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2

R$+ $| $+ $: $>LookUpDomain < $1 > <?> < $2 > <+Connect>
R<?> <$+> $: $>LookUpAddress < $1 > <?> < $1 > <+Connect> no: another lookup
R<?> < $+ > $: $1 found nothing
R<$={Accept}> < $* > $@ $1 return value of lookup
R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"
R<DISCARD> $* $#discard $: discard
R<ERROR:$-.$-.$-:$+> <$*> $#error $@ $1.$2.$3 $: $4
R<ERROR:$+> <$*> $#error $: $1
R<$+> <$*> $#error $: $1



######################################################################
### check_mail -- check SMTP `MAIL FROM:' command argument
######################################################################

SLocal_check_mail
Scheck_mail
R$* $: $1 $| $>"Local_check_mail" $1
R$* $| $#$* $#$2
R$* $| $* $@ $>"Basic_check_mail" $1

SBasic_check_mail
# check for deferred delivery mode
R$* $: < ${deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2

# authenticated?
R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL
R$* $| $#$+ $#$2
R$* $| $* $: $1

R<> $@ <OK> we MUST accept <> (RFC 1123)
R$+ $: <?> $1
R<?><$+> $: <@> <$1>
R<?>$+ $: <@> <$1>
R$* $: $&{daemon_flags} $| $1
R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
R$* u $* $| <@> < $* > $: <?> < $3 >
R$* $| $* $: $2
# handle case of @localhost on address
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
$: < ? $&{client_name} > < $1 @ localhost.UUCP >
R<@> $* $: $1 no localhost as domain
R<? $=w> $* $: $2 local client: ok
R<? $+> <$+> $#error $@ 5.5.4 $: "553 Real domain name required for sender address"
R<?> $* $: $1
R$* $: <?> $>CanonAddr $1 canonify sender address and mark it
R<?> $* < @ $+ . > <?> $1 < @ $2 > strip trailing dots
# handle non-DNS hostnames (*.bitnet, *.decnet, *.uucp, etc)
R<?> $* < @ $* $=P > $: <OK> $1 < @ $2 $3 >
R<?> $* < @ $+ > $: <OK> $1 < @ $2 > ... unresolvable OK

# check sender address: user@address, user@, address
R<$+> $+ < @ $* > $: @<$1> <$2 < @ $3 >> $| <F:$2@$3> <U:$2@> <H:$3>
R<$+> $+ $: @<$1> <$2> $| <U:$2@>
R@ <$+> <$*> $| <$+> $: <@> <$1> <$2> $| $>SearchList <+From> $| <$3> <>
R<@> <$+> <$*> $| <$*> $: <$3> <$1> <$2> reverse result
# retransform for further use
R<?> <$+> <$*> $: <$1> $2 no match
R<$+> <$+> <$*> $: <$1> $3 relevant result, keep it

# handle case of no @domain on address
R<?> $* $: $&{daemon_flags} $| <?> $1
R$* u $* $| <?> $* $: <OK> $3
R$* $| $* $: $2
R<?> $* $: < ? $&{client_name} > $1
R<?> $* $@ <OK> ...local unqualed ok
R<? $+> $* $#error $@ 5.5.4 $: "553 Domain name required for sender address " $&f
...remote is not
# check results
R<?> $* $: @ $1 mark address: nothing known about it
R<OK> $* $@ <OK>
R<TEMP> $* $#error $@ 4.1.8 $: "451 Domain of sender address " $&f " does not resolve"
R<PERM> $* $#error $@ 5.1.8 $: "553 Domain of sender address " $&f " does not exist"
R<$={Accept}> $* $# $1
R<DISCARD> $* $#discard $: discard
R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"
R<ERROR:$-.$-.$-:$+> $* $#error $@ $1.$2.$3 $: $4
R<ERROR:$+> $* $#error $: $1
R<$+> $* $#error $: $1 error from access db

######################################################################
### check_rcpt -- check SMTP `RCPT TO:' command argument
######################################################################

SLocal_check_rcpt
Scheck_rcpt
R$* $: $1 $| $>"Local_check_rcpt" $1
R$* $| $#$* $#$2
R$* $| $* $@ $>"Basic_check_rcpt" $1

SBasic_check_rcpt
# check for deferred delivery mode
R$* $: < ${deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2


R$* $: $>ParseRecipient $1 strip relayable hosts



# blacklist local users or any host from receiving mail
R$* $: <?> $1
R<?> $+ < @ $=w > $: <> <$1 < @ $2 >> $| <F:$1@$2> <U:$1@> <H:$2>
R<?> $+ < @ $* > $: <> <$1 < @ $2 >> $| <F:$1@$2> <H:$2>
R<?> $+ $: <> <$1> $| <U:$1@>
R<> <$*> $| <$+> $: <@> <$1> $| $>SearchList <+To> $| <$2> <>
R<@> <$*> $| <$*> $: <$2> <$1> reverse result
R<?> <$*> $: @ $1 mark address as no match
R<$={Accept}> <$*> $: @ $2 mark address as no match

R<REJECT> $* $#error $@ 5.2.1 $: "550 Mailbox disabled for this recipient"
R<DISCARD> $* $#discard $: discard
R<ERROR:$-.$-.$-:$+> $* $#error $@ $1.$2.$3 $: $4
R<ERROR:$+> $* $#error $: $1
R<$+> $* $#error $: $1 error from access db
R@ $* $1 remove mark


# authenticated?
R$* $: $1 $| $>RelayAuth $1 $| $&{verify} client authenticated?
R$* $| $# $+ $# $2 error/ok?
R$* $| $* $: $1 no

# authenticated by a trusted mechanism?
R$* $: $1 $| $&{auth_type}
R$* $| $: $1
R$* $| $={TrustAuthMech} $# RELAYAUTH
R$* $| $* $: $1
# anything terminating locally is ok
R$+ < @ $=w > $@ RELAYTO
R$+ < @ $* $=R > $@ RELAYTO
R$+ < @ $+ > $: $>LookUpDomain <$2> <?> <$1 < @ $2 >> <+To>
R<RELAY> $* $@ RELAYTO
R<$*> <$*> $: $2



# check for local user (i.e. unqualified address)
R$* $: <?> $1
R<?> $* < @ $+ > $: <REMOTE> $1 < @ $2 >
# local user is ok
R<?> $+ $@ RELAYTOLOCAL
R<$+> $* $: $2

# anything originating locally is ok
# check IP address
R$* $: $&{client_addr}
R$@ $@ RELAYFROM originated locally
R0 $@ RELAYFROM originated locally
R$=R $* $@ RELAYFROM relayable IP address
R$* $: $>LookUpAddress <$1> <?> <$1> <+Connect>
R<RELAY> $* $@ RELAYFROM relayable IP address
R<$*> <$*> $: $2
R$* $: [ $1 ] put brackets around it...
R$=w $@ RELAYFROM ... and see if it is local


# check client name: first: did it resolve?
R$* $: < $&{client_resolve} >
R<TEMP> $#error $@ 4.7.1 $: "450 Relaying temporarily denied. Cannot resolve PTR record for " $&{client_addr}
R<FORGED> $#error $@ 5.7.1 $: "550 Relaying denied. IP name possibly forged " $&{client_name}
R<FAIL> $#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{client_name}
R$* $: <?> $&{client_name}
# pass to name server to make hostname canonical
R<?> $* $~P $:<?> $[ $1 $2 $]
R$* . $1 strip trailing dots
R<?> $@ RELAYFROM
R<?> $=w $@ RELAYFROM
R<?> $* $=R $@ RELAYFROM
R<?> $* $: $>LookUpDomain <$1> <?> <$1> <+Connect>
R<RELAY> $* $@ RELAYFROM
R<$*> <$*> $: $2

# anything else is bogus
R$* $#error $@ 5.7.1 $: "550 Relaying denied"

######################################################################
### SearchList: search a list of items in the access map
### Parameters:
### <exact tag> $| <mark:address> <mark:address> ... <>
### where "exact" is either "+" or "!":
### <+ TAG> lookup with and w/o tag
### <! TAG> lookup with tag
### po


购关网关SMTP防毒软件.

symantec8.5企业版有