Spamassassin Question

[dg_w]

Think I have clam setup now .. thx .. And when I look in the headers spamassassin is running... However even on high scores 8 and 9 (default is 5) the [SPAM] header is not being attached .. Mail sent as normal ? Does this have to be setup per user ?
Default /etc/mail/spamassassin/local.cf


# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]


Thx

[pviglucci]

Are you passing the -m flag when you start the spamass-milter? Check your init script. Look for a line that says something like:

EXTRA_FLAGS="-m -r 15"

The -m flag disables subject rewriting (you can still examine the full headers to see the result of the scan). The "-r 15" will drop all messages that score 15 or higher.


The spamass-milter man page has more information.


Pete

[dg_w]

No they are # out
so not that ,

Spamd is starting with

# Options to spamd
SPAMDOPTIONS="-d -c -m5 -H"

Guess thats ok ... All default options.. Mail is being checked...Its in the headers
tail /var/log/mail/log

Milter add: header: X-Spam-Status: Yes, score=7.2 required=4.0 tests=ALL_TRUSTED,URIBL_AB_SURBL,\n\tURIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL \n\tautolearn=no version=3.0.4
Jan 12 20:36:29 ourserver sendmail[4871]: k0CKaSaK004871: Milter add: header: X-Spam-Report: \n\t* -2.8 ALL_TRUSTED Did not pass through any untrusted hosts\n\t* 2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist\n\t* [URIs: keepnow.com]\n\t* 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist\n\t* [URIs: keepnow.com]\n\t* 0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist\n\t* [URIs: keepnow.com]\n\t* 2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist\n\t* [URIs: keepnow.com]\n\t* 3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist\n\t* [URIs: keepnow.com]
Jan 12 20:36:29 ourserver sendmail[4871]: k0CKaSaK004871: Milter add: header: X-Spam-Level: *******
Jan 12 20:36:29 ourserver sendmail[4871]: k0CKaSaK004871: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on \n\ourserver.ourdomain

But the message comes through as normal ?

Thx All

[dg_w]

If I try the "test" send mail supplied with spamassassin

[root@ourserver spamassassin-3.0.4]# mail user@ourdomain.com < sample-spam.txt
[root@ourserver spamassassin-3.0.4]# Jan 12 21:28:20 ourserver spamd[4688]: processing message <200601122128.k0CLSIEA0 05028@ourserver.ourdomain.com> for root:99.
Jan 12 21:28:20 ourserver spamd[4688]: identified spam (997.2/4.0) for root:99 in 0.4 seconds, 4739 bytes.
Jan 12 21:28:20 ourserver spamd[4688]: result: Y 997 - ALL_TRUSTED,GTUBE scantime =0.4,size=4739,mid=<200601122128.k0CLSIEA005028@ourserver.ourdomain.com>,autolearn=failed
Jan 12 21:28:20 ourserver sendmail[5029]: k0CLSIXO005029: Milter add: header: Xpam-Flag: YES
Jan 12 21:28:20 ourserver sendmail[5029]: k0CLSIXO005029: Milter add: header: X-S pam-Status: Yes, score=997.2 required=4.0 tests=ALL_TRUSTED,GTUBE \n\tautolearn= failed version=3.0.4
Jan 12 21:28:20 ourserver sendmail[5029]: k0CLSIXO005029: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Jan 12 21:28:20 ourserver sendmail[5029]: k0CLSIXO005029:ourserver.ourdomain.com>, delay=00:00:00, pri=34397, stat=Blocked by SpamAssassin
Jan 12 21:28:20 ourserver sendmail[5028]: k0CLSIEA005028: to=postmaster, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32880, relay=[127.0.0.1] [127.0.0.1], dsn=5.0.0, stat=Service unavailable
Jan 12 21:28:20 akserver sendmail[5028]: k0CLSIE9005028: Losing ./qfk0CLSIE90050 28: savemail panic Jan 12 21:28:20 akserver sendmail[5028]: k0CLSIE9005028: SYSERR(root): savemail: cannot save rejected email anywhere


Sorry for the long file.... It appeats spamassassin \ milter scaned the mail, then rejected it ? The mail is not sent through to the mail box ..

I like the idea of rejecting mail, for maybe 4.5 and above ... But I can not see how its doing this form my basic as per install config file ?

/etc/mail/spamassassin/local.cf

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.
required_hits 4
report_safe 0
rewrite_header Subject [SPAM]


Thx

[pviglucci]

This may not be the cause of your problem, but for the sake of completeness...

The config settings that are responsible for the behavior you are witnessing are not part of the normal spamassassin config file. Sendmail uses the spamass-milter plugin. What are the flags you are using to start spamass-milter? On Fedora, they appear in two places, within the init script iteself (/etc/init.d/spamass-milter), or in /etc/sysconfig/spamass-milter. What are the contents of those two files?

[dg_w]

Thr spamass-milter (.etc.init.d/

start)
start
;;
stop)
stop
;;
restart|reload)
restart
;;
condrestart)
[ -e /var/lock/subsys/$prog ] && restart
RETVAL=$?
;;
status)
status $prog
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status}"
RETVAL=1
esac

exit $RETVAL

And in /etc/sysconfig
### Override for your different local config
# SOCKET=/var/run/spamass.sock

### Default parameter for spamass-milter is -f (work in the background)
### you may add another parameters here, see spamass-milter(1)
# EXTRA_FLAGS="-m -r 15"

I have not made amy changes to files or scripts, just installed the rpms ..
Hope these help :)

Thank you

[pviglucci]

Please post the entire contents of:

/etc/init.d/spamass-milter
/etc/mail/sendmail.cf
/var/opt/scalix/sys/smtpd.cfg

What is your OS?
What are the version numbers of the RPMS you installed?

[dg_w]

thx for the assisstance


My OS is Redhat ES 4
Spamassassin (as installed with RH) spamassassin-3.0.4-1.el4
Spamass-milter spamass-milter-0.3.0-1.2.el4.rf
sendmail-devel-8.13.1-2
If I
[root@akserver init.d]# chkconfig --list|grep 'spamd\|spamass-milter'
spamass-milter 0:off 1:off 2:off 3:on 4:off 5:off 6:off
No Spamd ?
I have not installed a spamd.rpm ? Though on
service spamassassin restart
Shutting down spamd: [ OK ]
Starting spamd: [ OK ]
So I guess its there ?

chkconfig --list|grep 'spamassassin\|spamass-milter'
[root@akserver init.d]# chkconfig --list|grep 'spamassassin\|spamass-milter'
spamass-milter 0:off 1:off 2:off 3:on 4:off 5:off 6:off
spamassassin 0:off 1:off 2:off 3:on 4:on 5:on 6:off


/etc/init.d/spamassass-milter

start)
start
;;
stop)
stop
;;
restart|reload)
restart
;;
condrestart)
[ -e /var/lock/subsys/$prog ] && restart
RETVAL=$?
;;
status)
status $prog
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status}"
RETVAL=1
esac

exit $RETVAL

/etc/mail/sendmail.cf
######################################################################
######################################################################
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by bhcompile@porky.build.redhat.com on Wed Sep 1 06:16:23 EDT 2004
##### in /usr/src/build/446503-i386/BUILD/sendmail-8.13.1/cf/cf
##### using ../ as configuration include directory
#####
######################################################################
#####
##### DO NOT EDIT THIS FILE! Only edit the source .mc file.
#####
######################################################################
######################################################################

##### $Id: cfhead.m4,v 8.116 2004/01/28 22:02:22 ca Exp $ #####
##### $Id: cf.m4,v 8.32 1999/02/07 07:26:14 gshapiro Exp $ #####
##### setup for Red Hat Linux #####
##### $Id: linux.m4,v 8.13 2000/09/17 17:30:00 gshapiro Exp $ #####



##### $Id: local_procmail.m4,v 8.22 2002/11/17 04:24:19 ca Exp $ #####


##### $Id: no_default_msa.m4,v 8.2 2001/02/14 05:03:22 gshapiro Exp $ #####

##### $Id: smrsh.m4,v 8.14 1999/11/18 05:06:23 ca Exp $ #####

##### $Id: mailertable.m4,v 8.25 2002/06/27 23:23:57 gshapiro Exp $ #####

##### $Id: virtusertable.m4,v 8.23 2002/06/27 23:23:57 gshapiro Exp $ #####

##### $Id: redirect.m4,v 8.15 1999/08/06 01:47:36 gshapiro Exp $ #####
##### $Id: always_add_domain.m4,v 8.11 2000/09/12 22:00:53 ca Exp $ #####

##### $Id: use_cw_file.m4,v 8.11 2001/08/26 20:58:57 gshapiro Exp $ #####


##### $Id: use_ct_file.m4,v 8.11 2001/08/26 20:58:57 gshapiro Exp $ #####


##### $Id: local_procmail.m4,v 8.22 2002/11/17 04:24:19 ca Exp $ #####

##### $Id: access_db.m4,v 8.26 2004/06/24 18:10:02 ca Exp $ #####

##### $Id: blacklist_recipients.m4,v 8.13 1999/04/02 02:25:13 gshapiro Exp $ #####

##### $Id: accept_unresolvable_domains.m4,v 8.10 1999/02/07 07:26:07 gshapiro Exp $ #####


##### $Id: proto.m4,v 8.710 2004/07/27 17:32:48 ca Exp $ #####

# level 10 config file format
V10/Berkeley

# override file safeties - setting this option compromises system security,
# addressing the actual file configuration problem is preferred
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe

# default LDAP map specification
# need to set this now before any LDAP maps are defined
#O LDAPDefaultSpec=-h localhost


##################
# local info #
##################

# my LDAP cluster
# need to set this before any LDAP lookups are done (including classes)
#D{sendmailMTACluster}$m

Cwlocalhost
# file containing names of hosts for which we receive email
Fw/etc/mail/local-host-names

# my official domain name
# ... define this only if sendmail cannot automatically determine your domain
#Dj$w.Foo.COM

# host/domain names ending with a token in class P are canonical
CP.

# "Smart" relay host (may be null)
DS


# operators that cannot be in local usernames (i.e., network indicators)
CO @ % !

# a class with just dot (for identifying canonical names)
C..

# a class with just a left bracket (for identifying domain literals)
C[[

# access_db acceptance class
C{Accept}OK RELAY


C{ResOk}OKR


# Hosts for which relaying is permitted ($=R)
FR-o /etc/mail/relay-domains

# arithmetic map
Karith arith
# macro storage map
Kmacro macro
# possible values for TLS_connection in access map
C{Tls}VERIFY ENCR
# dequoting map
Kdequote dequote

# class E: names that should be exposed as from this host, even if we masquerade
# class L: names that should be delivered locally, even if we have a relay
# class M: domains that should be converted to $M
# class N: domains that should not be converted to $M
#CL root
C{E}root
C{w}localhost.localdomain



# my name for error messages
DnMAILER-DAEMON


# Mailer table (overriding domains)
Kmailertable hash -o /etc/mail/mailertable.db

# Virtual user table (maps incoming users)
Kvirtuser hash -o /etc/mail/virtusertable.db

CPREDIRECT

# Access list database (for spam stomping)
Kaccess hash -T<TMPF> -o /etc/mail/access.db

# Configuration version number
DZ8.13.1
# Scalix Mappers and Trusted User
Komuser program /opt/scalix/bin/ommapsmtp
Komxport program /opt/scalix/bin/ommapsmtp -x
Tscalix
###############
# Options #
###############

# strip message body to 7 bits on input?
O SevenBitInput=False

# 8-bit data handling
#O EightBitMode=pass8

# wait for alias file rebuild (default units: minutes)
O AliasWait=10

# location of alias file
O AliasFile=/etc/aliases

# minimum number of free blocks on filesystem
O MinFreeBlocks=100

# maximum message size
#O MaxMessageSize=0

# substitution for space (blank) characters
O BlankSub=.

# avoid connecting to "expensive" mailers on initial submission?
O HoldExpensive=False

# checkpoint queue runs after every N successful deliveries
#O CheckpointInterval=10

# default delivery mode
O DeliveryMode=background

# error message header/file
#O ErrorHeader=/etc/mail/error-header

# error mode
#O ErrorMode=print

# save Unix-style "From_" lines at top of header?
#O SaveFromLine=False

# queue file mode (qf files)
#O QueueFileMode=0600

# temporary file mode
O # match recipients against GECOS field?
#O MatchGECOS=False

# maximum hop count
#O MaxHopCount=25

# location of help file
O HelpFile=/etc/mail/helpfile

# ignore dots as terminators in incoming messages?
#O IgnoreDots=False

# name resolver options
#O ResolverOptions=+AAONLY

# deliver MIME-encapsulated error messages?
O SendMimeErrors=True

# Forward file search path
O ForwardPath=$z/.forward.$w:$z/.forward

# open connection cache size
O ConnectionCacheSize=2

# open connection cache timeout
O ConnectionCacheTimeout=5m

# persistent host status directory
#O HostStatusDirectory=.hoststat

# single thread deliveries (requires HostStatusDirectory)?
#O SingleThreadDelivery=False

# use Errors-To: header?
O UseErrorsTo=False

# log level
O LogLevel=9

# send to me too, even in an alias expansion?
#O MeToo=True

# verify RHS in newaliases?
O CheckAliases=False

# default messages to old style headers if no special punctuation?
O OldStyleHeaders=True
TempFileMode=0600
# SMTP daemon options

O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

# SMTP client options
#O ClientPortOptions=Family=inet, Address=0.0.0.0

# Modifiers to define {daemon_flags} for direct submissions
#O DirectSubmissionModifiers

# Use as mail submission program? See sendmail/SECURITY
#O UseMSP

# privacy flags
O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun

# who (if anyone) should get extra copies of error messages
#O PostmasterCopy=Postmaster

# slope of queue-only function
#O QueueFactor=600000

# limit on number of concurrent queue runners
#O MaxQueueChildren

# maximum number of queue-runners per queue-grouping with multiple queues
#O MaxRunnersPerQueue=1

# priority of queue runners (nice(3))
#O NiceQueueRun

# shall we sort the queue by hostname first?
#O QueueSortOrder=priority

# minimum time in queue before retry
#O MinQueueAge=30m

# how many jobs can you process in the queue?
#O MaxQueueRunSize=10000

# perform initial split of envelope without checking MX records
#O FastSplit=1

# queue directory
O QueueDirectory=/var/spool/mqueue

# key for shared memory; 0 to turn off
#O SharedMemoryKey=0
# timeouts (many of these)
#O Timeout.initial=5m
O Timeout.connect=1m
#O Timeout.aconnect=0s
#O Timeout.iconnect=5m
#O Timeout.helo=5m
#O Timeout.mail=10m
#O Timeout.rcpt=1h
#O Timeout.datainit=5m
#O Timeout.datablock=1h
#O Timeout.datafinal=1h
#O Timeout.rset=5m
#O Timeout.quit=2m
#O Timeout.misc=2m
#O Timeout.command=1h
O Timeout.ident=0
#O Timeout.fileopen=60s
#O Timeout.control=2m
O Timeout.queuereturn=5d
#O Timeout.queuereturn.normal=5d
#O Timeout.queuereturn.urgent=2d
#O Timeout.queuereturn.non-urgent=7d
#O Timeout.queuereturn.dsn=5d
O Timeout.queuewarn=4h
#O Timeout.queuewarn.normal=4h
#O Timeout.queuewarn.urgent=1h
#O Timeout.queuewarn.non-urgent=12h
#O Timeout.queuewarn.dsn=4h
#O Timeout.hoststatus=30m
#O Timeout.resolver.retrans=5s
#O Timeout.resolver.retrans.first=5s
#O Timeout.resolver.retrans.normal=5s
#O Timeout.resolver.retry=4
#O Timeout.resolver.retry.first=4
#O Timeout.resolver.retry.normal=4
#O Timeout.lhlo=2m
#O Timeout.auth=10m
#O Timeout.starttls=1h

# time for DeliverBy; extension disabled if less than 0
#O DeliverByMin=0

# should we not prune routes in route-addr syntax addresses?
#O DontPruneRoutes=False
# queue up everything before forking?
O SuperSafe=True

# status file
O StatusFile=/var/log/mail/statistics

# time zone handling:
# if undefined, use system default
# if defined but null, use TZ envariable passed in
# if defined and non-null, use that info
#O TimeZoneSpec=

# default UID (can be username or userid:groupid)
O DefaultUser=8:12

# list of locations of user database file (null means no lookup)
O UserDatabaseSpec=/etc/mail/userdb.db

# fallback MX host
#O FallbackMXhost=fall.back.host.net

# fallback smart host
#O FallbackSmartHost=fall.back.host.net

# if we are the best MX host for a site, try it directly instead of config err
O TryNullMXList=true

# load average at which we just queue messages
#O QueueLA=8

# load average at which we refuse connections
#O RefuseLA=12

# log interval when refusing connections for this long
#O RejectLogInterval=3h

# load average at which we delay connections; 0 means no limit
#O DelayLA=0

# maximum number of children we allow at one time
#O MaxDaemonChildren=0

# maximum number of new connections per second
#O ConnectionRateThrottle=0

# Width of the window
#O ConnectionRateWindowSize=60s
# work recipient factor
#O RecipientFactor=30000

# deliver each queued job in a separate process?
#O ForkEachJob=False

# work class factor
#O ClassFactor=1800

# work time factor
#O RetryFactor=90000

# default character set
#O DefaultCharSet=iso-8859-1

# service switch file (name hardwired on Solaris, Ultrix, OSF/1, others)
#O ServiceSwitchFile=/etc/mail/service.switch

# hosts file (normally /etc/hosts)
#O HostsFile=/etc/hosts

# dialup line delay on connection failure
#O DialDelay=10s

# action to take if there are no recipients in the message
#O NoRecipientAction=add-to-undisclosed

# chrooted environment for writing to files
#O SafeFileEnvironment=/arch

# are colons OK in addresses?
#O ColonOkInAddr=True

# shall I avoid expanding CNAMEs (violates protocols)?
#O DontExpandCnames=False

# SMTP initial login message (old $e macro)
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

# UNIX initial From header format (old $l macro)
O UnixFromLine=From $g $d

# From: lines that have embedded newlines are unwrapped onto one line
#O SingleLineFromHeader=False

# Allow HELO SMTP command that does not include a host name
#O AllowBogusHELO=False
# Characters to be quoted in a full name phrase (@,;:\()[] are automatic)
#O MustQuoteChars=.

# delimiter (operator) characters (old $o macro)
O OperatorChars=.:%@!^/[]+

# shall I avoid calling initgroups(3) because of high NIS costs?
#O DontInitGroups=False

# are group-writable :include: and .forward files (un)trustworthy?
# True (the default) means they are not trustworthy.
#O UnsafeGroupWrites=True


# where do errors that occur when sending errors get sent?
#O DoubleBounceAddress=postmaster

# where to save bounces if all else fails
#O DeadLetterDrop=/var/tmp/dead.letter

# what user id do we assume for the majority of the processing?
#O RunAsUser=sendmail

# maximum number of recipients per SMTP envelope
#O MaxRecipientsPerMessage=0

# limit the rate recipients per SMTP envelope are accepted
# once the threshold number of recipients have been rejected
#O BadRcptThrottle=0

# shall we get local names from our installed interfaces?
O DontProbeInterfaces=true

# Return-Receipt-To: header implies DSN request
#O RrtImpliesDsn=False

# override connection address (for testing)
#O ConnectOnlyTo=0.0.0.0

# Trusted user for file ownership and starting the daemon
#O TrustedUser=root

# Control socket for daemon management
#O ControlSocketName=/var/spool/mqueue/.control

# Maximum MIME header length to protect MUAs
#O MaxMimeHeaderLength=0/0
# Maximum length of the sum of all headers
#O MaxHeadersLength=32768

# Maximum depth of alias recursion
#O MaxAliasRecursion=10

# location of pid file
#O PidFile=/var/run/sendmail.pid

# Prefix string for the process title shown on 'ps' listings
#O ProcessTitlePrefix=prefix

# Data file (df) memory-buffer file maximum size
#O DataFileBufferSize=4096

# Transcript file (xf) memory-buffer file maximum size
#O XscriptFileBufferSize=4096

# lookup type to find information about local mailboxes
#O MailboxDatabase=pw

# override compile time flag REQUIRES_DIR_FSYNC
#O RequiresDirfsync=true

# list of authentication mechanisms
#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

# Authentication realm
#O AuthRealm

# default authentication information for outgoing connections
#O DefaultAuthInfo=/etc/mail/default-auth-info

# SMTP AUTH flags
O AuthOptions=A

# SMTP AUTH maximum encryption strength
#O AuthMaxBits

# SMTP STARTTLS server options
#O TLSSrvOptions
# ############################################################################################
# Input mail filters
O InputMailFilters=Spamassassin
# Milter options
#O Milter.LogLevel
O Milter.macros.connect=b, j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}


# CA directory
#O CACertPath
# CA file
#O CACertFile
# Server Cert
#O ServerCertFile
# Server private key
#O ServerKeyFile
# Client Cert
#O ClientCertFile
# Client private key
#O ClientKeyFile
# File containing certificate revocation lists
#O CRLFile
# DHParameters (only required if DSA/DH is used)
#O DHParameters
# Random data source (required for systems without /dev/urandom under OpenSSL)
#O RandFile

############################
# QUEUE GROUP DEFINITIONS #
############################


###########################
# Message precedences #
###########################

Pfirst-class=0
Pspecial-delivery=100
Plist=-30
Pbulk=-60
Pjunk=-100

#####################
# Trusted users #
#####################

# this is equivalent to setting class "t"
Ft/etc/mail/trusted-users
Troot
Tdaemon
Tuucp
#########################
# Format of headers #
#########################

H?P?Return-Path: <$g>
HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
$.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}
(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u
for $u; $|;
$.$b
H?D?Resent-Date: $a
H?D?Date: $a
H?F?Resent-From: $?x$x <$g>$|$g$.
H?F?From: $?x$x <$g>$|$g$.
H?x?Full-Name: $x
# HPosted-Date: $a
# H?l?Received-Date: $b
H?M?Resent-Message-Id: <$t.$i@$j>
H?M?Message-Id: <$t.$i@$j>

#^L
######################################################################
######################################################################
#####
##### REWRITING RULES
#####
######################################################################
######################################################################

############################################
### Ruleset 3 -- Name Canonicalization ###
############################################
Scanonify=3

# handle null input (translate to <@> special case)
R$@ $@ <@>

# strip group: syntax (not inside angle brackets!) and trailing semicolon
R$* $: $1 <@> mark addresses
R$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr>
R@ $* <@> $: @ $1 unmark @host:...
R$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr
R$* :: $* <@> $: $1 :: $2 unmark node::addr
R:iR$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon
R$* : $* <@> $: $2 strip colon if marked
R$* <@> $: $1 unmark
R$* ; $1 strip trailing semi
R$* < $+ :; > $* $@ $2 :; <@> catch <list:;>
R$* < $* ; > $1 < $2 > bogus bracketed semi

# null input now results from list:; syntax
R$@ $@ :; <@>

# strip angle brackets -- note RFC733 heuristic to get innermost item
R$* $: < $1 > housekeeping <>
R$+ < $* > < $2 > strip excess on left
R< $* > $+ < $1 > strip excess on right
R<> $@ < @ > MAIL FROM:<> case
R< $+ > $: $1 remove housekeeping <>

# strip route address <@a,@b,@c:user@d> -> <user@d>
R@ $+ , $+ $2
R@ [ $* ] : $+ $2
R@ $+ : $+ $2

# find focus for list syntax
R $+ : $* ; @ $+ $@ $>Canonify2 $1 : $2 ; < @ $3 > list syntax
R $+ : $* ; $@ $1 : $2; list syntax

# find focus for @ syntax addresses
R$+ @ $+ $: $1 < @ $2 > focus on domain
R$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right
R$+ < @ $+ > $@ $>Canonify2 $1 < @ $2 > already canonical
# convert old-style addresses to a domain-based address
R$- ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > resolve uucp names
R$+ . $- ! $+ $@ $>Canonify2 $3 < @ $1 . $2 > domain uucps
R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains

# if we have % signs, take the rightmost one
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish

# else we must be a local name
R$* $@ $>Canonify2 $1


################################################
### Ruleset 96 -- bottom half of ruleset 3 ###
################################################

SCanonify2=96

# handle special cases for local names
R$* < @ localhost > $* $: $1 < @ $j . > $2 no domain at all
R$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain
R$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain

# check for IPv4/IPv6 domain literal
R$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [addr]
R$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal
R$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr
# if really UUCP, handle it immediately

# try UUCP traffic as a local address
R$* < @ $+ . UUCP > $* $: $1 < @ $[ $2 $] . UUCP . > $3
R$* < @ $+ . . UUCP . > $* $@ $1 < @ $2 . > $3

# hostnames ending in class P are always canonical
R$* < @ $* $=P > $* $: $1 < @ $2 $3 . > $4
R$* < @ $* $~P > $* $: $&{daemon_flags} $| $1 < @ $2 $3 > $4
R$* CC $* $| $* < @ $+.$+ > $* $: $3 < @ $4.$5 . > $6
R$* CC $* $| $* $: $3
# pass to name server to make hostname canonical
R$* $| $* < @ $* > $* $: $2 < @ $[ $3 $] > $4
R$* $| $* $: $2

# local host aliases and pseudo-domains are always canonical
R$* < @ $=w > $* $: $1 < @ $2 . > $3
R$* < @ $=M > $* $: $1 < @ $2 . > $3
R$* < @ $={VirtHost} > $* $: $1 < @ $2 . > $3
R$* < @ $* . . > $* $1 < @ $2 . > $3


##################################################
### Ruleset 4 -- Final Output Post-rewriting ###
##################################################
Sfinal=4

R$+ :; <@> $@ $1 : handle <list:;>
R$* <@> $@ handle <> and list:;

# strip trailing dot off possibly canonical name
R$* < @ $+ . > $* $1 < @ $2 > $3

# eliminate internal code
R$* < @ *LOCAL* > $* $1 < @ $j > $2

# externalize local domain info
R$* < $+ > $* $1 $2 $3 defocus
R@ $+ : @ $+ : $+ @ $1 , @ $2 : $3 <route-addr> canonical
R@ $* $@ @ $1 ... and exit

# UUCP must always be presented in old form
R$+ @ $- . UUCP $2!$1 u@h.UUCP => h!u

# delete duplicate local names
R$+ % $=w @ $=w $1 @ $2 u%host@host => u@host

##############################################################
### Ruleset 97 -- recanonicalize and call ruleset zero ###
### (used for recursive calls) ###
##############################################################

SRecurse=97
R$* $: $>canonify $1
R$* $@ $>parse $1


######################################
### Ruleset 0 -- Parse Address ###
######################################

Sparse=0

R$* $: $>Parse0 $1 initial parsing
R<@> $#local $: <@> special case error msgs
R$* $: $>ParseLocal $1 handle local hacks
R$* $: $>Parse1 $1 final parsing

#
# Parse0 -- do initial syntax checking and eliminate local addresses.
# This should either return with the (possibly modified) input
# or return with a #error mailer. It should not return with a
# #mailer other than the #error mailer.
#

SParse0
R<@> $@ <@> special case error msgs
R$* : $* ; <@> $#error $@ 5.1.3 $: "553 List:; syntax illegal for recipient addresses"
R@ <@ $* > < @ $1 > catch "@@host" bogosity
R<@ $+> $#error $@ 5.1.3 $: "553 User address required"
R$+ <@> $#error $@ 5.1.3 $: "553 Hostname required"
R$* $: <> $1
R<> $* < @ [ $* ] : $+ > $* $1 < @ [ $2 ] : $3 > $4
R<> $* < @ [ $* ] , $+ > $* $1 < @ [ $2 ] , $3 > $4
R<> $* < @ [ $* ] $+ > $* $#error $@ 5.1.2 $: "553 Invalid address"
R<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3
R<> $* <$* : $* > $* $#error $@ 5.1.3 $: "553 Colon illegal in host name part"
R<> $* $1
R$* < @ . $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
R$* < @ $* .. $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
R$* < @ $* @ > $* $#error $@ 5.1.2 $: "553 Invalid route address"
R$* @ $* < @ $* > $* $#error $@ 5.1.3 $: "553 Invalid route address"
R$* , $~O $* $#error $@ 5.1.3 $: "553 Invalid route address"
# now delete the local info -- note $=O to find characters that cause forwarding
R$* < @ > $* $@ $>Parse0 $>canonify $1 user@ => user
R< @ $=w . > : $* $@ $>Parse0 $>canonify $2 @here:... -> ...
R$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote "foo"@here
R< @ $+ > $#error $@ 5.1.3 $: "553 User address required"
R$* $=O $* < @ $=w . > $@ $>Parse0 $>canonify $1 $2 $3 ...@here -> ...
R$- $: $(dequote $1 $) < @ *LOCAL* > dequote "foo"
R< @ *LOCAL* > $#error $@ 5.1.3 $: "553 User address required"
R$* $=O $* < @ *LOCAL* >
$@ $>Parse0 $>canonify $1 $2 $3 ...@*LOCAL* -> ...
R$* < @ *LOCAL* > $: $1

#
# Parse1 -- the bottom half of ruleset 0.
#

SParse1

# handle numeric address spec
R$* < @ [ $+ ] > $* $: $>ParseLocal $1 < @ [ $2 ] > $3 numeric internet spec
R$* < @ [ $+ ] > $* $: $1 < @ [ $2 ] : $S > $3 Add smart host to path
R$* < @ [ $+ ] : > $* $#esmtp $@ [$2] $: $1 < @ [$2] > $3 no smarthost: send
R$* < @ [ $+ ] : $- : $*> $* $#$3 $@ $4 $: $1 < @ [$2] > $5 smarthost with mailer
R$* < @ [ $+ ] : $+ > $* $#esmtp $@ $3 $: $1 < @ [$2] > $4 smarthost without mailer
# handle virtual users
R$+ $: <!> $1 Mark for lookup
R<!> $+ < @ $={VirtHost} . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<!> $+ < @ $=w . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+ + $+ < @ $* . >
$: < $(virtuser $1 + + @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $* < @ $* . >
$: < $(virtuser $1 + * @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $* < @ $* . >
$: < $(virtuser $1 @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $+ < @ $+ . > $: < $(virtuser + + @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $* < @ $+ . > $: < $(virtuser + * @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $* < @ $+ . > $: < $(virtuser @ $3 $@ $1 $@ $2 $@ +$2 $: ! $) > $1 + $2 < @ $3 . >
R<@> $+ < @ $+ . > $: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+ $: $1
R<!> $+ $: $1
R< error : $-.$-.$- : $+ > $* $#error $@ $1.$2.$3 $: $4
R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2
R< $+ > $+ < @ $+ > $: $>Recurse $1

# short circuit local delivery so forwarded email works


# The following lines were inserted for Scalix. Ignore the preceding comment.

Rscalix $#omxport$@ $( omxport $w $) $:scalix
Rscalix < @ $=w . > $#omxport$@ $( omxport $1 $) $:scalix

R$+ $: $(omuser $1 $)
Rscalix:$-:$+ $# scalix $@ $1 $: $2

# End of Scalix lines. The Remaining names must be local
R$=L < @ $=w . > $#local $: @ $1 special local names
R$+ < @ $=w . > $#local $: $1 regular local name

# not local -- try mailer table lookup
R$* <@ $+ > $* $: < $2 > $1 < @ $2 > $3 extract host name
R< $+ . > $* $: < $1 > $2 strip trailing dot
R< $+ > $* $: < $(mailertable $1 $) > $2 lookup
R< $~[ : $* > $* $>MailerToTriple < $1 : $2 > $3 check -- resolved?
R< $+ > $* $: $>Mailertable <$1> $2 try domain

# resolve remotely connected UUCP links (if any)

# resolve fake top level domains by forwarding to other hosts
# pass names that still have a host to a smarthost (if defined)
R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name

# deal with other remote names
R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 user@host.domain

# handle locally delivered names
R$=L $#local $: @ $1 special local names
R$+ $#local $: $1 regular local names

###########################################################################
### Ruleset 5 -- special rewriting after aliases have been expanded ###
###########################################################################

SLocal_localaddr
Slocaladdr=5
R$+ $: $1 $| $>"Local_localaddr" $1
R$+ $| $#ok $@ $1 no change
R$+ $| $#$* $#$2
R$+ $| $* $: $1




# deal with plussed users so aliases work nicely
R$+ + * $#local $@ $&h $: $1
R$+ + $* $#local $@ + $2 $: $1 + *

# prepend an empty "forward host" on the front
R$+ $: <> $1



R< > $+ $: < > < $1 <> $&h > nope, restore +detail

R< > < $+ <> + $* > $: < > < $1 + $2 > check whether +detail
R< > < $+ <> $* > $: < > < $1 > else discard
R< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part
R< > < $+ > + $* $#local $@ $2 $: @ $1 strip the extra +
R< > < $+ > $@ $1 no +detail
R$+ $: $1 <> $&h add +detail back in

R$+ <> + $* $: $1 + $2 check whether +detail
R$+ <> $* $: $1 else discard
R< local : $* > $* $: $>MailerToTriple < local : $1 > $2 no host extension
R< error : $* > $* $: $>MailerToTriple < error : $1 > $2 no host extension
R< $~[ : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 >

R< $+ > $+ $@ $>MailerToTriple < $1 > $2 < @ $1 >


###################################################################
### Ruleset 90 -- try domain part of mailertable entry ###
###################################################################

SMailertable=90
R$* <$- . $+ > $* $: $1$2 < $(mailertable .$3 $@ $1$2 $@ $2 $) > $4
R$* <$~[ : $* > $* $>MailerToTriple < $2 : $3 > $4 check -- resolved?
R$* < . $+ > $* $@ $>Mailertable $1 . <$2> $3 no -- strip & try again
R$* < $* > $* $: < $(mailertable . $@ $1$2 $) > $3 try "."
R< $~[ : $* > $* $>MailerToTriple < $1 : $2 > $3 "." found?
R< $* > $* $@ $2 no mailertable match

###################################################################
### Ruleset 95 -- canonify mailer:[user@]host syntax to triple ###
###################################################################

SMailerToTriple=95
R< > $* $@ $1 strip off null relay
R< error : $-.$-.$- : $+ > $* $#error $@ $1.$2.$3 $: $4
R< error : $- : $+ > $* $#error $@ $(dequote $1 $) $: $2
R< error : $+ > $* $#error $: $1
R< local : $* > $* $>CanonLocal < $1 > $2
R< $~[ : $+ @ $+ > $*<$*>$* $# $1 $@ $3 $: $2<@$3> use literal user
R< $~[ : $+ > $* $# $1 $@ $2 $: $3 try qualified mailer
R< $=w > $* $@ $2 delete local host
R< $+ > $* $#relay $@ $1 $: $2 use unqualified mailer

###################################################################
### Ruleset CanonLocal -- canonify local: syntax ###
###################################################################

SCanonLocal
# strip local host from routed addresses
R< $* > < @ $+ > : $+ $@ $>Recurse $3
R< $* > $+ $=O $+ < @ $+ > $@ $>Recurse $2 $3 $4

# strip trailing dot from any host name that may appear
R< $* > $* < @ $* . > $: < $1 > $2 < @ $3 >

# handle local: syntax -- use old user, either with or without host
R< > $* < @ $* > $* $#local $@ $1@$2 $: $1
R< > $+ $#local $@ $1 $: $1

# handle local:user@host syntax -- ignore host part
R< $+ @ $+ > $* < @ $* > $: < $1 > $3 < @ $4 >

# handle local:user syntax
R< $+ > $* <@ $* > $* $#local $@ $2@$3 $: $1
R< $+ > $* $#local $@ $2 $: $1

###################################################################
### Ruleset 93 -- convert header names to masqueraded form ###
###################################################################

SMasqHdr=93


# do not masquerade anything in class N
R$* < @ $* $=N . > $@ $1 < @ $2 $3 . >

R$* < @ *LOCAL* > $@ $1 < @ $j . >

###################################################################
### Ruleset 94 -- convert envelope names to masqueraded form ###
###################################################################

SMasqEnv=94
R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2

###################################################################
### Ruleset 98 -- local part of ruleset zero (can be null) ###
###################################################################

SParseLocal=98

# addresses sent to foo@host.REDIRECT will give a 551 error code
R$* < @ $+ .REDIRECT. > $: $1 < @ $2 . REDIRECT . > < ${opMode} >
R$* < @ $+ .REDIRECT. > <i> $: $1 < @ $2 . REDIRECT. >
R$* < @ $+ .REDIRECT. > < $- > $#error $@ 5.1.1 $: "551 User has moved; please try " <$1@$2>
######################################################################
### D: LookUpDomain -- search for domain in access database
###
### Parameters:
### <$1> -- key (domain name)
### <$2> -- default (what to return if not found in db)
### <$3> -- mark (must be <(!|+) single-token>)
### ! does lookup only with tag
### + does lookup with and without tag
### <$4> -- passthru (additional data passed unchanged through)
######################################################################

SD
R<$*> <$+> <$- $-> <$*> $: < $(access $4:$1 $: ? $) > <$1> <$2> <$3 $4> <$5>
R<?> <$+> <$+> <+ $-> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4>
R<?> <[$+.$-]> <$+> <$- $-> <$*> $@ $>D <[$1]> <$3> <$4 $5> <$6>
R<?> <[$+::$-]> <$+> <$- $-> <$*> $: $>D <[$1]> <$3> <$4 $5> <$6>
R<?> <[$+:$-]> <$+> <$- $-> <$*> $: $>D <[$1]> <$3> <$4 $5> <$6>
R<?> <$+.$+> <$+> <$- $-> <$*> $@ $>D <$2> <$3> <$4 $5> <$6>
R<?> <$+> <$+> <$- $-> <$*> $@ <$2> <$5>
R<$* <TMPF>> <$+> <$+> <$- $-> <$*> $@ <<TMPF>> <$6>
R<$*> <$+> <$+> <$- $-> <$*> $@ <$1> <$6>

######################################################################
### A: LookUpAddress -- search for host address in access database
###
### Parameters:
### <$1> -- key (dot quadded host address)
### <$2> -- default (what to return if not found in db)
### <$3> -- mark (must be <(!|+) single-token>)
### ! does lookup only with tag
### + does lookup with and without tag
### <$4> -- passthru (additional data passed through)
######################################################################

SA
R<$+> <$+> <$- $-> <$*> $: < $(access $4:$1 $: ? $) > <$1> <$2> <$3 $4> <$5>
R<?> <$+> <$+> <+ $-> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4>
R<?> <$+::$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6>
R<?> <$+:$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6>
R<?> <$+.$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6>
R<?> <$+> <$+> <$- $-> <$*> $@ <$2> <$5>
R<$* <TMPF>> <$+> <$+> <$- $-> <$*> $@ <<TMPF>> <$6>
R<$*> <$+> <$+> <$- $-> <$*> $@ <$1> <$6>
######################################################################
### CanonAddr -- Convert an address into a standard form for
### relay checking. Route address syntax is
### crudely converted into a %-hack address.
###
### Parameters:
### $1 -- full recipient address
###
### Returns:
### parsed address, not in source route form
######################################################################

SCanonAddr
R$* $: $>Parse0 $>canonify $1 make domain canonical


######################################################################
### ParseRecipient -- Strip off hosts in $=R as well as possibly
### $* $=m or the access database.
### Check user portion for host separators.
###
### Parameters:
### $1 -- full recipient address
###
### Returns:
### parsed, non-local-relaying address
######################################################################

SParseRecipient
R$* $: <?> $>CanonAddr $1
R<?> $* < @ $* . > <?> $1 < @ $2 > strip trailing dots
R<?> $- < @ $* > $: <?> $(dequote $1 $) < @ $2 > dequote local part

# if no $=O character, no host in the user portion, we are done
R<?> $* $=O $* < @ $* > $: <NO> $1 $2 $3 < @ $4>
R<?> $* $@ $1


R<NO> $* < @ $* $=R > $: <RELAY> $1 < @ $2 $3 >
R<NO> $* < @ $+ > $: $>D <$2> <NO> <+ To> <$1 < @ $2 >>
R<$+> <$+> $: <$1> $2



R<RELAY> $* < @ $* > $@ $>ParseRecipient $1
R<$+> $* $@ $2
######################################################################
### check_relay -- check hostname/address on SMTP startup
######################################################################



SLocal_check_relay
Scheck_relay
R$* $: $1 $| $>"Local_check_relay" $1
R$* $| $* $| $#$* $#$3
R$* $| $* $| $* $@ $>"Basic_check_relay" $1 $| $2

SBasic_check_relay
# check for deferred delivery mode
R$* $: < $&{deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2

R$+ $| $+ $: $>D < $1 > <?> <+ Connect> < $2 >
R $| $+ $: $>A < $1 > <?> <+ Connect> <> empty client_name
R<?> <$+> $: $>A < $1 > <?> <+ Connect> <> no: another lookup
R<?> <$*> $: OK found nothing
R<$={Accept}> <$*> $@ $1 return value of lookup
R<REJECT> <$*> $#error $@ 5.7.1 $: "550 Access denied"
R<DISCARD> <$*> $#discard $: discard
R<QUARANTINE:$+> <$*> $#error $@ quarantine $: $1
R<ERROR:$-.$-.$-:$+> <$*> $#error $@ $1.$2.$3 $: $4
R<ERROR:$+> <$*> $#error $: $1
R<$* <TMPF>> <$*> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R<$+> <$*> $#error $: $1



######################################################################
### check_mail -- check SMTP `MAIL FROM:' command argument
######################################################################

SLocal_check_mail
Scheck_mail
R$* $: $1 $| $>"Local_check_mail" $1
R$* $| $#$* $#$2
R$* $| $* $@ $>"Basic_check_mail" $1
SBasic_check_mail
# check for deferred delivery mode
R$* $: < $&{deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2

# authenticated?
R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL
R$* $| $#$+ $#$2
R$* $| $* $: $1

R<> $@ <OK> we MUST accept <> (RFC 1123)
R$+ $: <?> $1
R<?><$+> $: <@> <$1>
R<?>$+ $: <@> <$1>
R$* $: $&{daemon_flags} $| $1
R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
R$* u $* $| <@> < $* > $: <?> < $3 >
R$* $| $* $: $2
# handle case of @localhost on address
R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
R<@> < $* @ [127.0.0.1] >
$: < ? $&{client_name} > < $1 @ [127.0.0.1] >
R<@> < $* @ localhost.$m >
$: < ? $&{client_name} > < $1 @ localhost.$m >
R<@> < $* @ localhost.UUCP >
$: < ? $&{client_name} > < $1 @ localhost.UUCP >
R<@> $* $: $1 no localhost as domain
R<? $=w> $* $: $2 local client: ok
R<? $+> <$+> $#error $@ 5.5.4 $: "553 Real domain name required for sender address"
R<?> $* $: $1
R$* $: <?> $>CanonAddr $1 canonify sender address and mark it
R<?> $* < @ $+ . > <?> $1 < @ $2 > strip trailing dots
# handle non-DNS hostnames (*.bitnet, *.decnet, *.uucp, etc)
R<?> $* < @ $* $=P > $: <OKR> $1 < @ $2 $3 >
R<?> $* < @ $j > $: <OKR> $1 < @ $j >
R<?> $* < @ $+ > $: <OKR> $1 < @ $2 > ... unresolvable OK

# check sender address: user@address, user@, address
R<$+> $+ < @ $* > $: @<$1> <$2 < @ $3 >> $| <F:$2@$3> <U:$2@> <D:$3>
R<$+> $+ $: @<$1> <$2> $| <U:$2@>
R@ <$+> <$*> $| <$+> $: <@> <$1> <$2> $| $>SearchList <+ From> $| <$3> <>
R<@> <$+> <$*> $| <$*> $: <$3> <$1> <$2> reverse result
# retransform for further use
R<?> <$+> <$*> $: <$1> $2 no match
R<$+> <$+> <$*> $: <$1> $3 relevant result, keep it
# handle case of no @domain on address
R<?> $* $: $&{daemon_flags} $| <?> $1
R$* u $* $| <?> $* $: <OKR> $3
R$* $| $* $: $2
R<?> $* $: < ? $&{client_addr} > $1
R<?> $* $@ <OKR> ...local unqualed ok
R<? $+> $* $#error $@ 5.5.4 $: "553 Domain name required for sender address " $&f
...remote is not
# check results
R<?> $* $: @ $1 mark address: nothing known about it
R<$={ResOk}> $* $@ <OKR> domain ok: stop
R<TEMP> $* $#error $@ 4.1.8 $: "451 Domain of sender address " $&f " does not resolve"
R<PERM> $* $#error $@ 5.1.8 $: "553 Domain of sender address " $&f " does not exist"
R<$={Accept}> $* $# $1 accept from access map
R<DISCARD> $* $#discard $: discard
R<QUARANTINE:$+> $* $#error $@ quarantine $: $1
R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"
R<ERROR:$-.$-.$-:$+> $* $#error $@ $1.$2.$3 $: $4
R<ERROR:$+> $* $#error $: $1
R<<TMPF>> $* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R<$+> $* $#error $: $1 error from access db

######################################################################
### check_rcpt -- check SMTP `RCPT TO:' command argument
######################################################################

SLocal_check_rcpt
Scheck_rcpt
R$* $: $1 $| $>"Local_check_rcpt" $1
R$* $| $#$* $#$2
R$* $| $* $@ $>"Basic_check_rcpt" $1

SBasic_check_rcpt
# empty address?
R<> $#error $@ nouser $: "553 User address required"
R$@ $#error $@ nouser $: "553 User address required"
# check for deferred delivery mode
R$* $: < $&{deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2

######################################################################
R$* $: $1 $| @ $>"Rcpt_ok" $1
R$* $| @ $#TEMP $+ $: $1 $| T $2
R$* $| @ $#$* $#$2
R$* $| @ RELAY $@ RELAY
R$* $| @ $* $: O $| $>"Relay_ok" $1
R$* $| T $+ $: T $2 $| $>"Relay_ok" $1
R$* $| $#TEMP $+ $#error $2
R$* $| $#$* $#$2
R$* $| RELAY $@ RELAY
R T $+ $| $* $#error $1
# anything else is bogus
R$* $#error $@ 5.7.1 $: "550 Relaying denied"


######################################################################
### Rcpt_ok: is the recipient ok?
######################################################################
SRcpt_ok
R$* $: $>ParseRecipient $1 strip relayable hosts



# blacklist local users or any host from receiving mail
R$* $: <?> $1
R<?> $+ < @ $=w > $: <> <$1 < @ $2 >> $| <F:$1@$2> <U:$1@> <D:$2>
R<?> $+ < @ $* > $: <> <$1 < @ $2 >> $| <F:$1@$2> <D:$2>
R<?> $+ $: <> <$1> $| <U:$1@>
R<> <$*> $| <$+> $: <@> <$1> $| $>SearchList <+ To> $| <$2> <>
R<@> <$*> $| <$*> $: <$2> <$1> reverse result
R<?> <$*> $: @ $1 mark address as no match
R<$={Accept}> <$*> $: @ $2 mark address as no match

R<REJECT> $* $#error $@ 5.2.1 $: "550 Mailbox disabled for this recipient"
R<DISCARD> $* $#discard $: discard
R<QUARANTINE:$+> $* $#error $@ quarantine $: $1
R<ERROR:$-.$-.$-:$+> $* $#error $@ $1.$2.$3 $: $4
R<ERROR:$+> $* $#error $: $1
R<<TMPF>> $* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R<$+> $* $#error $: $1 error from access db
R@ $* $1 remove mark
# authenticated via TLS?
R$* $: $1 $| $>RelayTLS client authenticated?
R$* $| $# $+ $# $2 error/ok?
R$* $| $* $: $1 no

R$* $: $1 $| $>"Local_Relay_Auth" $&{auth_type}
R$* $| $# $* $# $2
R$* $| NO $: $1
R$* $| $* $: $1 $| $&{auth_type}
R$* $| $: $1
R$* $| $={TrustAuthMech} $# RELAY
R$* $| $* $: $1
# anything terminating locally is ok
R$+ < @ $=w > $@ RELAY
R$+ < @ $* $=R > $@ RELAY
R$+ < @ $+ > $: $>D <$2> <?> <+ To> <$1 < @ $2 >>
R<RELAY> $* $@ RELAY
R<$* <TMPF>> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R<$*> <$*> $: $2



# check for local user (i.e. unqualified address)
R$* $: <?> $1
R<?> $* < @ $+ > $: <REMOTE> $1 < @ $2 >
# local user is ok
R<?> $+ $@ RELAY
R<$+> $* $: $2

######################################################################
### Relay_ok: is the relay/sender ok?
######################################################################
SRelay_ok
# anything originating locally is ok
# check IP address
R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address
R$* $: $>A <$1> <?> <+ Connect> <$1>
R<RELAY> $* $@ RELAY relayable IP address
R<<TMPF>> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R<$*> <$*> $: $2
R$* $: [ $1 ] put brackets around it...
R$=w $@ RELAY ... and see if it is local


# check client name: first: did it resolve?
R$* $: < $&{client_resolve} >
R<TEMP> $#TEMP $@ 4.4.0 $: "450 Relaying temporarily denied. Cannot resolve PTR record for " $&{client_addr}
R<FORGED> $#error $@ 5.7.1 $: "550 Relaying denied. IP name possibly forged " $&{client_name}
R<FAIL> $#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{client_name}
R$* $: <@> $&{client_name}
# pass to name server to make hostname canonical
R<@> $* $=P $:<?> $1 $2
R<@> $+ $:<?> $[ $1 $]
R$* . $1 strip trailing dots
R<?> $=w $@ RELAY
R<?> $* $=R $@ RELAY
R<?> $* $: $>D <$1> <?> <+ Connect> <$1>
R<RELAY> $* $@ RELAY
R<$* <TMPF>> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R<$*> <$*> $: $2


######################################################################
### F: LookUpFull -- search for an entry in access database
###
### lookup of full key (which should be an address) and
### variations if +detail exists: +* and without +detail
###
### Parameters:
### <$1> -- key
### <$2> -- default (what to return if not found in db)
### <$3> -- mark (must be <(!|+) single-token>)
### ! does lookup only with tag
### + does lookup with and without tag
### <$4> -- passthru (additional data passed unchanged through)
#SF
R<$+> <$*> <$- $-> <$*> $: <$(access $4:$1 $: ? $)> <$1> <$2> <$3 $4> <$5>
R<?> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4>
R<?> <$+ + $* @ $+> <$*> <$- $-> <$*>
$: <$(access $6:$1+*@$3 $: ? $)> <$1+$2@$3> <$4> <$5 $6> <$7>
R<?> <$+ + $* @ $+> <$*> <+ $-> <$*>
$: <$(access $1+*@$3 $: ? $)> <$1+$2@$3> <$4> <+ $5> <$6>
R<?> <$+ + $* @ $+> <$*> <$- $-> <$*>
$: <$(access $6:$1@$3 $: ? $)> <$1+$2@$3> <$4> <$5 $6> <$7>
R<?> <$+ + $* @ $+> <$*> <+ $-> <$*>
$: <$(access $1@$3 $: ? $)> <$1+$2@$3> <$4> <+ $5> <$6>
R<?> <$+> <$*> <$- $-> <$*> $@ <$2> <$5>
R<$+ <TMPF>> <$*> <$- $-> <$*> $@ <<TMPF>> <$5>
R<$+> <$*> <$- $-> <$*> $@ <$1> <$5>

######################################################################
### E: LookUpExact -- search for an entry in access database
###
### Parameters:
### <$1> -- key
### <$2> -- default (what to return if not found in db)
### <$3> -- mark (must be <(!|+) single-token>)
### ! does lookup only with tag
### + does lookup with and without tag
### <$4> -- passthru (additional data passed unchanged through)
######################################################################

SE
R<$*> <$*> <$- $-> <$*> $: <$(access $4:$1 $: ? $)> <$1> <$2> <$3 $4> <$5>
R<?> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4>
R<?> <$+> <$*> <$- $-> <$*> $@ <$2> <$5>
R<$+ <TMPF>> <$*> <$- $-> <$*> $@ <<TMPF>> <$5>
R<$+> <$*> <$- $-> <$*> $@ <$1> <$5>

######################################################################
### U: LookUpUser -- search for an entry in access database
###
### lookup of key (which should be a local part) and
### variations if +detail exists: +* and without +detail
###
### Parameters:
### <$1> -- key (user@)
### <$2> -- default (what to return if not found in db)
### <$3> -- mark (must be <(!|+) single-token>)
### ! does lookup only with tag
### + does lookup with and without tag
### <$4> -- passthru (additional data passed unchanged through)
######################################################################
#####################################################################

SU
R<$+> <$*> <$- $-> <$*> $: <$(access $4:$1 $: ? $)> <$1> <$2> <$3 $4> <$5>
R<?> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4>
R<?> <$+ + $* @> <$*> <$- $-> <$*>
$: <$(access $5:$1+*@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6>
R<?> <$+ + $* @> <$*> <+ $-> <$*>
$: <$(access $1+*@ $: ? $)> <$1+$2@> <$3> <+ $4> <$5>
R<?> <$+ + $* @> <$*> <$- $-> <$*>
$: <$(access $5:$1@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6>
R<?> <$+ + $* @> <$*> <+ $-> <$*>
$: <$(access $1@ $: ? $)> <$1+$2@> <$3> <+ $4> <$5>
R<?> <$+> <$*> <$- $-> <$*> $@ <$2> <$5>
R<$+ <TMPF>> <$*> <$- $-> <$*> $@ <<TMPF>> <$5>
R<$+> <$*> <$- $-> <$*> $@ <$1> <$5>

######################################################################
### SearchList: search a list of items in the access map
### Parameters:
### <exact tag> $| <mark:address> <mark:address> ... <>
### where "exact" is either "+" or "!":
### <+ TAG> lookup with and w/o tag
### <! TAG> lookup with tag
### possible values for "mark" are:
### D: recursive host lookup (LookUpDomain)
### E: exact lookup, no modifications
### F: full lookup, try user+ext@domain and user@domain
### U: user lookup, try user+ext and user (input must have trailing @)
### return: <RHS of lookup> or <?> (not found)
######################################################################

# class with valid marks for SearchList
C{Src}E F D U
SSearchList
# just call the ruleset with the name of the tag... nice trick...
R<$+> $| <$={Src}:$*> <$*> $: <$1> $| <$4> $| $>$2 <$3> <?> <$1> <>
R<$+> $| <> $| <?> <> $@ <?>
R<$+> $| <$+> $| <?> <> $@ $>SearchList <$1> $| <$2>
R<$+> $| <$*> $| <$+> <> $@ <$3>
R<$+> $| <$+> $@ <$2>


######################################################################
### trust_auth: is user trusted to authenticate as someone else?
###
### Parameters:
### $1: AUTH= parameter from MAIL command
######################################################################
SLocal_trust_auth
Strust_auth
R$* $: $&{auth_type} $| $1
# required by RFC 2554 section 4.
R$@ $| $* $#error $@ 5.7.1 $: "550 not authenticated"
R$* $| $&{auth_authen} $@ identical
R$* $| <$&{auth_authen}> $@ identical
R$* $| $* $: $1 $| $>"Local_trust_auth" $2
R$* $| $#$* $#$2
R$* $#error $@ 5.7.1 $: "550 " $&{auth_authen} " not allowed to act as " $&{auth_author}

######################################################################
### Relay_Auth: allow relaying based on authentication?
###
### Parameters:
### $1: ${auth_type}
######################################################################
SLocal_Relay_Auth

######################################################################
### srv_features: which features to offer to a client?
### (done in server)
######################################################################
Ssrv_features
R$* $: $>D <$&{client_name}> <?> <! "Srv_Features"> <>
R<?>$* $: $>A <$&{client_addr}> <?> <! "Srv_Features"> <>
R<?>$* $: <$(access "Srv_Features": $: ? $)>
R<?>$* $@ OK
R<$* <TMPF>>$* $#temp
R<$+>$* $# $1

######################################################################
### try_tls: try to use STARTTLS?
### (done in client)
######################################################################
Stry_tls
R$* $: $>D <$&{server_name}> <?> <! "Try_TLS"> <>
R<?>$* $: $>A <$&{server_addr}> <?> <! "Try_TLS"> <>
R<?>$* $: <$(access "Try_TLS": $: ? $)>
R<?>$* $@ OK
R<$* <TMPF>>$* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R<NO>$* $#error $@ 5.7.1 $: "550 do not try TLS with " $&{server_name} " ["$&{server_addr}"]"

######################################################################
### tls_rcpt: is connection with server "good" enough?
### (done in client, per recipient)
###
### Parameters:
### $1: recipient
######################################################################
Stls_rcpt
R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1
R$+ $: <?> $>CanonAddr $1
R<?> $+ < @ $+ . > <?> $1 <@ $2 >
R<?> $+ < @ $+ > $: $1 <@ $2 > $| <F:$1@$2> <U:$1@> <D:$2> <E:>
R<?> $+ $: $1 $| <U:$1@> <E:>
R$* $| $+ $: $1 $| $>SearchList <! "TLS_Rcpt"> $| $2 <>
R$* $| <?> $@ OK
R$* $| <$* <TMPF>> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R$* $| <$+> $@ $>"TLS_connection" $&{verify} $| <$2>

######################################################################
### tls_client: is connection with client "good" enough?
### (done in server)
###
### Parameters:
### ${verify} $| (MAIL|STARTTLS)
######################################################################
Stls_client
R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1
R$* $| $* $: $1 $| $>D <$&{client_name}> <?> <! "TLS_Clt"> <>
R$* $| <?>$* $: $1 $| $>A <$&{client_addr}> <?> <! "TLS_Clt"> <>
R$* $| <?>$* $: $1 $| <$(access "TLS_Clt": $: ? $)>
R$* $| <$* <TMPF>> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R$* $@ $>"TLS_connection" $1

######################################################################
### tls_server: is connection with server "good" enough?
### (done in client)
###
### Parameter:
### ${verify}
######################################################################
Stls_server
R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1
R$* $: $1 $| $>D <$&{server_name}> <?> <! "TLS_Srv"> <>
R$* $| <?>$* $: $1 $| $>A <$&{server_addr}> <?> <! "T

[dg_w]

######################################################################
### tls_server: is connection with server "good" enough?
### (done in client)
###
### Parameter:
### ${verify}
######################################################################
Stls_server
R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1
R$* $: $1 $| $>D <$&{server_name}> <?> <! "TLS_Srv"> <>
R$* $| <?>$* $: $1 $| $>A <$&{server_addr}> <?> <! "TLS_Srv"> <>
R$* $| <?>$* $: $1 $| <$(access "TLS_Srv": $: ? $)>
R$* $| <$* <TMPF>> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R$* $@ $>"TLS_connection" $1

######################################################################
### TLS_connection: is TLS connection "good" enough?
###
### Parameters:
### ${verify} $| <Requirement> [<>]
### Requirement: RHS from access map, may be ? for none.
######################################################################
STLS_connection
R$* $| <$*>$* $: $1 $| <$2>
# create the appropriate error codes
R$* $| <PERM + $={Tls} $*> $: $1 $| <503:5.7.0> <$2 $3>
R$* $| <TEMP + $={Tls} $*> $: $1 $| <403:4.7.0> <$2 $3>
R$* $| <$={Tls} $*> $: $1 $| <403:4.7.0> <$2 $3>
# deal with TLS handshake failures: abort
RSOFTWARE $| <$-:$+> $* $#error $@ $2 $: $1 " TLS handshake failed."
RSOFTWARE $| $* $#error $@ 4.7.0 $: "403 TLS handshake failed."
R$* $| <$*> <VERIFY> $: <$2> <VERIFY> <> $1
R$* $| <$*> <VERIFY + $+> $: <$2> <VERIFY> <$3> $1
R$* $| <$*> <$={Tls}:$->$* $: <$2> <$3:$4> <> $1
R$* $| <$*> <$={Tls}:$- + $+>$* $: <$2> <$3:$4> <$5> $1
R$* $| $* $@ OK
# authentication required: give appropriate error
# other side did authenticate (via STARTTLS)
R<$*><VERIFY> <> OK $@ OK
R<$*><VERIFY> <$+> OK $: <$1> <REQ:0> <$2>
R<$*><VERIFY:$-> <$*> OK $: <$1> <REQ:$2> <$3>
R<$*><ENCR:$-> <$*> $* $: <$1> <REQ:$2> <$3>
R<$-:$+><VERIFY $*> <$*> $#error $@ $2 $: $1 " authentication required"
R<$-:$+><VERIFY $*> <$*> FAIL $#error $@ $2 $: $1 " authentication failed"
R<$-:$+><VERIFY $*> <$*> NO $#error $@ $2 $: $1 " not authenticated"
R<$-:$+><VERIFY $*> <$*> NOT $#error $@ $2 $: $1 " no authentication requested"
R<$-:$+><VERIFY $*> <$*> NONE $#error $@ $2 $: $1 " other side does not support STARTTLS"
R<$-:$+><VERIFY $*> <$*> $+ $#error $@ $2 $: $1 " authentication failure " $4
R<$*><REQ:$-> <$*> $: <$1> <REQ:$2> <$3> $>max $&{cipher_bits} : $&{auth_ssf}
R<$*><REQ:$-> <$*> $- $: <$1> <$2:$4> <$3> $(arith l $@ $4 $@ $2 $)
R<$-:$+><$-:$-> <$*> TRUE $#error $@ $2 $: $1 " encryption too weak " $4 " less than " $3
R<$-:$+><$-:$-> <$*> $* $: <$1:$2 ++ $5>
R<$-:$+ ++ > $@ OK
R<$-:$+ ++ $+ > $: <$1:$2> <$3>
R<$-:$+> < $+ ++ $+ > <$1:$2> <$3> <$4>
R<$-:$+> $+ $@ $>"TLS_req" $3 $| <$1:$2>

######################################################################
### TLS_req: check additional TLS requirements
###
### Parameters: [<list> <of> <req>] $| <$-:$+>
### $-: SMTP reply code
### $+: Enhanced Status Code
######################################################################
STLS_req
R $| $+ $@ OK
R<CN> $* $| <$+> $: <CN:$&{TLS_Name}> $1 $| <$2>
R<CN:$&{cn_subject}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2>
R<CN:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " CN " $&{cn_subject} " does not match " $1
R<CS:$&{cert_subject}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2>
R<CS:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Subject " $&{cert_subject} " does not match " $1
R<CI:$&{cert_issuer}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2>
R<CI:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Issuer " $&{cert_issuer} " does not match " $1
ROK $@ OK

######################################################################
### max: return the maximum of two values separated by :
###
### Parameters: [$-]:[$-]
######################################################################
Smax
R: $: 0
R:$- $: $1
R$-: $: $1
R$-:$- $: $(arith l $@ $1 $@ $2 $) : $1 : $2
RTRUE:$-:$- $: $2
R$-:$-:$- $: $2


######################################################################
### RelayTLS: allow relaying based on TLS authentication
###
### Parameters:
### none
######################################################################
SRelayTLS
# authenticated?
R$* $: <?> $&{verify}
R<?> OK $: OK authenticated: continue
R<?> $* $@ NO not authenticated
R$* $: $&{cert_issuer}
R$+ $: $(access CERTISSUER:$1 $)
RRELAY $# RELAY
RSUBJECT $: <@> $&{cert_subject}
R<@> $+ $: <@> $(access CERTSUBJECT:$1 $)
R<@> RELAY $# RELAY
R$* $: NO

######################################################################
### authinfo: lookup authinfo in the access map
###
### Parameters:
### $1: {server_name}
### $2: {server_addr}
######################################################################
Sauthinfo
R$* $: $1 $| $>D <$&{server_name}> <?> <! AuthInfo> <>
R$* $| <?>$* $: $1 $| $>A <$&{server_addr}> <?> <! AuthInfo> <>
R$* $| <?>$* $: $1 $| <$(access AuthInfo: $: ? $)> <>
R$* $| <?>$* $@ no no authinfo available
R$* $| <$*> <> $# $2





#
######################################################################
######################################################################
#####
##### MAIL FILTER DEFINITIONS
#####
######################################################################
######################################################################
Xspamassassin, S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m
#
######################################################################
######################################################################
#####
##### MAILER DEFINITIONS
#####
######################################################################
######################################################################

#####################################
### SMTP Mailer specification ###
#####################################

##### $Id: smtp.m4,v 8.64 2001/04/03 01:52:54 gshapiro Exp $ #####

#
# common sender and masquerading recipient rewriting
#
SMasqSMTP
R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified
R$+ $@ $1 < @ *LOCAL* > add local qualification
#
# convert pseudo-domain addresses to real domain addresses
#
SPseudoToReal

# pass <route-addr>s through
R< @ $+ > $* $@ < @ $1 > $2 resolve <route-addr>

# output fake domains as user%fake@relay

# do UUCP heuristics; note that these are shared with UUCP mailers
R$+ < @ $+ .UUCP. > $: < $2 ! > $1 convert to UUCP form
R$+ < @ $* > $* $@ $1 < @ $2 > $3 not UUCP form

# leave these in .UUCP form to avoid further tampering
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. >
R< $&h ! > $-.$+ ! $+ $@ $3 < @ $1.$2 >
R< $&h ! > $+ $@ $1 < @ $&h .UUCP. >
R< $+ ! > $+ $: $1 ! $2 < @ $Y > use UUCP_RELAY
R$+ < @ $~[ $* : $+ > $@ $1 < @ $4 > strip mailer: part
R$+ < @ > $: $1 < @ *LOCAL* > if no UUCP_RELAY


#
# envelope sender rewriting
#
SEnvFromSMTP
R$+ $: $>PseudoToReal $1 sender/recipient common
R$* :; <@> $@ list:; special case
R$* $: $>MasqSMTP $1 qualify unqual'ed names
R$+ $: $>MasqEnv $1 do masquerading


#
# envelope recipient rewriting --
# also header recipient if not masquerading recipients
#
SEnvToSMTP
R$+ $: $>PseudoToReal $1 sender/recipient common
R$+ $: $>MasqSMTP $1 qualify unqual'ed names
R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2

#
# header sender and masquerading header recipient rewriting
#
SHdrFromSMTP
R$+ $: $>PseudoToReal $1 sender/recipient common
R:; <@> $@ list:; special case
# do special header rewriting
R$* <@> $* $@ $1 <@> $2 pass null host through
R< @ $* > $* $@ < @ $1 > $2 pass route-addr through
R$* $: $>MasqSMTP $1 qualify unqual'ed names
R$+ $: $>MasqHdr $1 do masquerading


#
# relay mailer header masquerading recipient rewriting
#
SMasqRelay
R$+ $: $>MasqSMTP $1
R$+ $: $>MasqHdr $1

Msmtp, P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
T=DNS/RFC822/SMTP,
A=TCP $h
Mesmtp, P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
T=DNS/RFC822/SMTP,
A=TCP $h
Msmtp8, P=[IPC], F=mDFMuX8, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
T=DNS/RFC822/SMTP,
A=TCP $h
Mdsmtp, P=[IPC], F=mDFMuXa%, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
T=DNS/RFC822/SMTP,
A=TCP $h
Mrelay, P=[IPC], F=mDFMuXa8, S=EnvFromSMTP/HdrFromSMTP, R=MasqSMTP, E=\r\n, L=2040,
T=DNS/RFC822/SMTP,
A=TCP $h


######################*****##############
### PROCMAIL Mailer specification ###
##################*****##################

##### $Id: procmail.m4,v 8.22 2001/11/12 23:11:34 ca Exp $ #####

Mprocmail, P=/usr/bin/procmail, F=DFMSPhnu9, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP/HdrFromSMTP,
T=DNS/RFC822/X-Unix,
A=procmail -Y -m $h $f $u


##################################################
### Local and Program Mailer specification ###
##################################################

##### $Id: local.m4,v 8.58 2000/10/26 01:58:29 ca Exp $ #####
#
# Envelope sender rewriting
#
SEnvFromL
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>AddDomain $1 add local domain if needed
R$* $: $>MasqEnv $1 do masquerading

#
# Envelope recipient rewriting
#
SEnvToL
R$+ < @ $* > $: $1 strip host part

#
# Header sender rewriting
#
SHdrFromL
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>AddDomain $1 add local domain if needed
R$* $: $>MasqHdr $1 do masquerading

#
# Header recipient rewriting
#
SHdrToL
R$+ $: $>AddDomain $1 add local domain if needed
R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2

#
# Common code to add local domain name (only if always-add-domain)
#
SAddDomain
R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified

R$+ $@ $1 < @ *LOCAL* > add local qualification

Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
T=DNS/RFC822/X-Unix,
A=procmail -t -Y -a $h -d $u
Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=$z:/,
T=X-Unix/X-Unix/X-Unix,
A=smrsh -c $u

### Scalix mailers
Mscalix, P=/opt/scalix/bin/unix.in, E=\n, F=PDFMXmnu, A=unix.in -s $h
Momxport, P=/opt/scalix/bin/xport.in, F=LMn, A=xport.in -s $h $u



And /var/opt/scalix/sys/smtpd.cfg



###############################################################################
# SMTP Relay Configuration
# ########################
#
# For details please see Scalix Overview - Security
#
###############################################################################

###############################################################################
# Relay Configuration
# ###################
#
# EXTENSIONS These extensions will be advertised by the EHLO reply
# DOMAIN_NAME Local host FQDN
# LOCAL_NAMES Local aliases of DOMAIN_NAME
# DEFAULT_SMTP Either the name of a program (which must begin with
# a "/") or a hostname and optional port number. The
# default value is "/usr/sbin/sendmail -bs". Note that if
# mail is being re-directed to another machine, then that
# machine should be able to deal correctly with addresses that
# are nominally local to the originating machine.
# MAX_HOP_COUNT If the number of Received: header lines in a message sent to
# the relay exceed this number then the message will be
# rejected by the relay. The default value is zero and any
# non-positive value is interpreted as infinity. The default
# value means that no loop detection is done by the relay,
# any loop detection will only be done by sendmail.
# GREETING This is the text after the domain on the connection
# greeting line.
# LISTEN_PORT Alternative port to listen to, default is "smtp" port
#
###############################################################################


EXTENSIONS=AUTH,DSN,8BITMIME


###############################################################################
# Authentication and Anti-Spamming Measures
# #########################################
#
# Each line is of the form:
# EVENT ACTION PATTERN PATTERN...
# When an event happens the SMTP Relay checks for a matching event/pattern
# sequentially in this file. When it finds the first match, it takes the
# action specified.
#
# ######
# EVENTS
# ######
#
# AUTH_SUCCESS An attempt is made to submit a
# successfully authenticated message.
#
# AUTH_MISMATCH An attempt is made to submit a
# successfully authenticated message but
# the originator name does not match
# the authenticated name.
#
# ANONYMOUS An attempt is made to submit a message
# sent without authentication or after
# failed authentication.
#
# SUBMIT An attempt is made to submit a message from
# the host specified in pattern
#
# RELAY An attempt is made to relay a message through the SMTP Relay
#
# ORIGINATOR An attempt is made to submit a message from a user whose
# email address matches pattern
#
# RECIPIENT An attempt is made to submit a message to a user whose
# email address matches pattern
#
# #######
# ACTIONS
# #######
#
# Accept The message is unconditionally accepted and processed
# normally.
#
# Defer The message is deferred with a 400 code
#
# Discard The message is accepted but then discarded
#
# Header The message is accepted, but an extra header is inserted.
#
# Reject The message is rejected with a 500 code
#
# If Log_ added to the start of an action, then the action is also recorded
# in the SMTP Relay log file.
#
# ########
# PATTERNS
# ########
## Hostname Patterns
# - an IP address, eg 123.234.132.231
# - an IP subnet and mask, eg 123.234.200.0/255.255.240.0
# - a hostname, eg bert.loc.co.uk
# - the end of a domain, eg .spammer.net
# - the start of a domain, 123.234.
# - the keyword ALL matches all hosts
# - the keyword LOCAL matches all hosts that do not contain a .
#
# Email Patterns - used by ORIGINATOR and RECIPIENT
# - *@*.spam.net
#
###############################################################################
SMTPFILTER=TRUE
RELAY accept 127.0.0.1
RELAY accept .ak-digital.com
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*



Hope these help .... I just tried to send myself a spam email ...


Output on /var/log/maillog

Jan 13 23:48:31 akserver spamd[4689]: processing message <001701c6189c$7058a420$0a00a8c0@xppro> for root:99.
Jan 13 23:48:35 akserver spamd[4689]: identified spam (4.8/4.0) for root:99 in 3.9 seconds, 16446 bytes.
Jan 13 23:48:35 akserver spamd[4689]: result: Y 4 - DRUGS_ERECTILE,DRUG_ED_ONLINE,EXTRA_MPART_TYPE,HTML_90_100,HTML_MESSAGE,HTML_TAG_EXIST_TBODY,SUBJECT_DRUG_GAP_VIA,SUBJ_BUY scantime=3.9,size=16446,mid=<001701c6189c$7058a420$0a00a8c0@xppro>,autolearn=no
Jan 13 23:48:35 akserver sendmail[8532]: k0DNmUlq008532: Milter add: header: X-Spam-Flag: YES
Jan 13 23:48:35 akserver sendmail[8532]: k0DNmUlq008532: Milter add: header: X-Spam-Status: Yes, score=4.8 required=4.0 tests=DRUGS_ERECTILE,\n\tDRUG_ED_ONLINE,EXTRA_MPART_TYPE,HTML_90_100,HTML_MESSAGE,\n\tHTML_TAG_EXIST_TBODY,SUBJECT_DRUG_GAP_VIA,SUBJ_BUY autolearn=no \n\tversion=3.0.4
Jan 13 23:48:35 akserver sendmail[8532]: k0DNmUlq008532: Milter add: header: X-Spam-Report: \n\t* 1.8 SUBJECT_DRUG_GAP_VIA Subject contains a gappy version of 'X'\n\t* 0.2 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry\n\t* 0.5 SUBJ_BUY Subject line starts with Buy or Buying\n\t* 1.8 DRUG_ED_ONLINE BODY: Fast X Delivery\n\t* 0.2 HTML_TAG_EXIST_TBODY BODY: HTML has "tbody" tag\n\t* 0.2 HTML_90_100 BODY: Message is 90% to 100% HTML\n\t* 0.0 HTML_MESSAGE BODY: HTML included in message\n\t* 0.0 DRUGS_ERECTILE Refers to an erectile drug
Jan 13 23:48:35 akserver sendmail[8532]: k0DNmUlq008532: Milter add: header: X-Spam-Level: ****
Jan 13 23:48:35 akserver sendmail[8532]: k0DNmUlq008532: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on \n\takserver.ak-digital.com
Jan 13 23:48:35 akserver sendmail[8531]: k0DNmUGr008531: to=<d.wooldridge@ak-digital.com>, delay=00:00:05, xdelay=00:00:05, mailer=relay, pri=45640, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (k0DNmUlq008532 Message accepted for delivery)
Jan 13 23:48:35 akserver sendmail[8540]: k0DNmUlq008532: to=<d.wooldridge@ak-digital.com>, delay=00:00:04, xdelay=00:00:00, mailer=scalix, pri=135842, relay=any, dsn=2.0.0, stat=Sent (Ok)

So it identifies it , and says it has added the tag , though it does no appear in the recieved email >?

The recieved mail header reads

Message-ID: <000901c618a0$78d6b9d0$0a00a8c0@xppro>
Subject: Fw: buy X online
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
X-Antivirus: avast! (VPS 0602-3, 13/01/2006), Outbound message
X-Antivirus-Status: Clean
X-Spam-Flag: YES
X-Spam-Status: Yes, score=4.1 required=4.0 tests=DRUGS_ERECTILE,
DRUG_ED_ONLINE,EXTRA_MPART_TYPE,HTML_MESSAGE,HTML_TAG_EXIST_TBODY,
SUBJECT_DRUG_GAP_VIA autolearn=no version=3.0.4
X-Spam-Report:
* 1.8 SUBJECT_DRUG_GAP_VIA Subject contains a gappy version of 'X'
* 0.2 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
* 1.8 DRUG_ED_ONLINE BODY: Fast X Delivery
* 0.2 HTML_TAG_EXIST_TBODY BODY: HTML has "tbody" tag
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 DRUGS_ERECTILE Refers to an erectile drug
X-Spam-Level: ****
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
akserver.ak-digital.com
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0005_01C61

[dg_w]

Maybe found the cause ?
The spamass-milter startupscript
/etc/init.d/spamass-milter

### Default variables
SOCKET="/var/run/spamass.sock"
EXTRA_FLAGS="-m -r 15"
SYSCONFIG="/etc/sysconfig/spamass-milter"

That -m could be causing the issue ?

[pviglucci]

Sorry for the delay in getting back, I was called away over the weekend.

That is the "m" I was referring to in my earlier posts. In all liklihood, that is the culprit. The "r" flag is the one that is causing your messages to be dropped.

Comment/change them and restart the spamass-milter service.

Check the man pages for spamass-milter for more detailed information on the flags available.

Don't worry about the missing spamd service on RedHat. RedHat prefers to call the service spamassassin. Once you start it, you'll find spamd in the output of ps. Just make sure that both the spamassassin and spamass-milter services are running and configured to start on boot.


Pete

[dg_w]

Many thanks for your help, I appreciate it
That seems to have done it

Thank you
:wink: