19.9 Policy Rule-Set Reference

Beginning with V8.8, sendmail calls special rule sets internally to determine its behavior. Called the policy rule sets, they are used for such varied tasks as setting spam-handling, setting policy, or validating the conditions when ETRN should be allowed, just to list a few. Table 19-2 shows the complete list of these policy rule sets. Note that we merely summarize them here, and that some are described in detail in other chapters. Those that we describe here are detailed in the following sections.

Table 19-2. The policy rule sets

Rule set	§	Hook	Description
authinfo	Section 10.9.3.2	none	Handle AuthInfo: lookups in the access database
check_compat	Section 7.1.4	see below	Validate just before delivery
check_data	check_data	none needed	Check just after DATA
check_eoh	Section 25.5.3	none needed	Validate after headers are read
check_etrn	check_etrn	none needed	Allow or disallow ETRN
check_expn	check_vrfy and check_expn	none needed	Validate EXPN
check_mail	Section 7.1.2	Local_check_mail	Validate the envelope-sender address
check_rcpt	Section 7.1.3	Local_check_rcpt	Validate the envelope-recipient address
check_relay	Section 7.1.1	Local_check_relay	Validate incoming network connections
check_vrfy	check_vrfy and check_expn	none needed	Validate VRFY
queuegroup	Section 11.4.5	see below	Select a queue group
srv_features	srv_features	none needed	Tune server setting based on connection information
tls_client	Section 10.10.8.2	LOCAL_TLS_CLIENT	With the access database, validate inbound STARTTLS or MAIL FROM SMTP command
tls_rcpt	Section 10.10.8.3	LOCAL_TLS_RCPT	Validate a server's credentials based on the recipient address
tls_server	Section 10.10.8.2	LOCAL_TLS_SERVER	Possibly with the access database, validate the inbound and outbound connections
trust_auth	Section 10.9.4	Local_trust_auth	Validate that a client's authentication identifier (authid) is trusted to act as (proxy for) the requested authorization identity (userid).
try_tls	Section 10.10.8.4	LOCAL_TRY_TLS	Disable STARTTLS for selected outbound connected-to hosts
Hname:$	Section 25.5	n/a	Reject, discard, or accept a message based on a header's value

Note that some of these rule sets are omitted from your configuration file by default. For those, no hook is needed. You merely declare the rule set in your mc file and give it appropriate rules:

LOCAL_RULESETS
Scheck_vrfy
... your rules here

Those with a Local_ hook, as shown in the table, are declared by default in your configuration file. To use them yourself, you need only declare them with the Local_ hook indicated:

LOCAL_RULESETS
SLocal_check_rcpt
... your rules here

Those with a LOCAL_ hook, as shown in the table, are declared directly with that hook. There in no need to precede the hook with LOCAL_RULESETS. For example:

LOCAL_TRY_TLS
... your rules here

The two exceptions are the check_compat and queuegroup rule sets. Each is automatically declared when you use the corresponding check_compat or queuegroup feature, but not declared if you don't use that feature.

All of these rule sets are handled in the same manner. If the rule set does not exist, the action is permitted. If the rule set returns anything other than a #error or a #discard delivery agent, the message, identity, or action is accepted for that rule set (although it can still be rejected or discarded by another rule set). Otherwise, the #error delivery agent causes the message, identity, or action to be rejected (error), and the #discard delivery agent causes the message to be accepted, then discarded (discard).