#
# smtpcheck: smtp processing restrictions
#

REVISION_ID='@(#)smtpcheck	3.88 (motonori/WIDE) 24 Sep 1998'

#|#MAIL_RELAY_RESTRICTION=yes
#|#WITH_OLD_CF=no	# (just for smtpcheck.def)

#|##CHECK_HOST_ALLOW=/etc/sendmail.allow
#|##CHECK_HOST_DENY=/etc/sendmail.deny
#|#CHECK_RELAY_DEFAULT=allow # (allow/deny)

#|# LOCAL_HOST_* does not check senders address
#|##LOCAL_HOST_IPADDR=/etc/sendmail.localip
#|##LOCAL_HOST_IPADDR=130.54.0
#|##LOCAL_HOST_DOMAIN=/etc/sendmail.localdomain
#|##LOCAL_HOST_DOMAIN=sub.kyoto-u.ac.jp
#|#
#|# CLIENT_* does check senders address
#|##CLIENT_HOST_IPADDR=/etc/sendmail.clientip
#|##CLIENT_HOST_IPADDR=130.54
#|##CLIENT_HOST_DOMAIN=/etc/sendmail.clientdomain
#|##CLIENT_HOST_DOMAIN=kyoto-u.ac.jp
#|##CLIENT_FROM_DOMAIN=/etc/sendmail.clientfrom
#|##CLIENT_FROM_DOMAIN=kyoto-u.ac.jp
#|#(CLIENT_FROM_DOMAIN will cause a trouble when global MLs are operated
#|#at client hosts.)
#|#
#|# ROAM_* does check senders address
#|##ROAM_HOST_IPADDR=/etc/sendmail.roamip
#|##ROAM_HOST_IPADDR=133.3
#|##ROAM_HOST_DOMAIN=/etc/sendmail.roamdomain
#|##ROAM_HOST_DOMAIN=kyoto.isp.jp
#|##ROAM_USERS=/etc/sendmail.roamusers
#|##ROAM_USERS='user1@kyoto-u.ac.jp user2@sub.kyoto-u.ac.jp'
#|#
#|# create db with "makemap hash /etc/sendmail.spamlist.db < list" for hash.
#|# types are: null, dbm, hash, btree,... (null is to ignore this map)
#|##SPAM_LIST=hash:/etc/sendmail.spamlist
#|##SPAM_REGEX='^[0-9]+@(aol|msn)\.com'
#|#
#|# Use the MAPS (the Mail Abuse Protection System) RBL (Realtime Blackhole
#|# List) by Paul Vixie (see http://maps.vix.com/rbl/) (yes/no/log/mark)
#|# ("log"/"mark" can be used with sendmail 8.9.1+3.1W)
#|# You should be aware of extra DNS traffic
#|#USE_MAPS_RBL=no
#|# Use the ORBS (Open Relay Blocking System) provided by www.dorkslayers.com
#|# (see http://www.dorkslayers.com/orbs/) (yes/no/log/mark)
#|# ("log"/"mark" can be used with sendmail 8.9.1+3.1W)
#|# You should be aware of extra DNS traffic
#|#USE_ORBS=no
#|# 
#|# Reject from-addresses without domain part (just a user name) (yes/no)
#|#NEED_SENDER_DOMAIN=yes
#|#
#|# Reject from-addresses with one-token domain part (not FQDN) (yes/no)
#|#CHECK_FROM_FQDN=yes
#|#
#|# Verify existence of DNS entry for sender address
#|# CAUTION: messages will be rejected even if just DNS lookup failure
#|# with sendmail 8.8(V7), and you also should be aware of extra DNS traffic
#|# (yes/no/log/mark) ("log"/"mark" can be used with sendmail 8.9.1+3.1W)
#|#USE_SENDER_DNS_CHECK=no
#|#
#|# Allow relaying if I am an MX host for the recipient (yes/no) (V8 or later)
#|# Your sendmail should be compiled with NAMED_BIND=1
#|#LOWER_MX_OK=no
#|#
#|##ALLOW_RECIPIENT_DOMAIN=/etc/sendmail.acceptdomain
#|##ALLOW_RECIPIENT_DOMAIN=hash:/etc/sendmail.acceptdomain
#|##ALLOW_RECIPIENT_DOMAIN=kyoto-u.ac.jp
#|##ALLOW_RELAY_FROM=/etc/sendmail.relay.from
#|##ALLOW_RELAY_FROM=kyoto-u.ac.jp
#|##ALLOW_RELAY_TO=/etc/sendmail.relay.to
#|##ALLOW_RELAY_TO=kyoto-u.ac.jp
#|##RELAY_MAP=hash:/etc/sendmail.relay.map
#|#
#|##CLIENT_DENY_TO=/etc/sendmail.deny.to
#|##CLIENT_DENY_TO=kyoto-u.ac.jp
#|##RELAY_MAP_INSIDE=hash:/etc/sendmail.inside.relay.map
#|## reject source routing from out side (yes/no)
#|#REJECT_EXTERN_SRR=yes
#|#
#|# Reject recipients as if the recipients are unknown users.
#|# create db with "makemap hash /etc/sendmail.rejrcpt.db < list" for hash.
#|# types are: null, dbm, hash, btree,... (null is to ignore this map)
#|##REJ_RCPT_LIST=hash:/etc/sendmail.rejrcpt
#|#
#|# (Following configurations are independent of MAIL_RELAY_RESTRICTION)
#|# Checking contents of header (V8 or later)
#|# Reject messages with ill formated Message-Id: (yes/no)
#|#HDR_REJECT_BADMID=no
#|# Reject messages with specific addresses in To:/Cc:
#|##HDR_REJECT_RCPTADDRS=friend
#|##HDR_REJECT_RCPTADDRS=friend@public.com
#|##HDR_REJECT_RCPTADDRS=/etc/sendmail.hdrrejaddr
#|# Action for rejection (error/discard) error=bounce; discard=/dev/null
#|#HDR_REJECT_ACTION=error


: ${MAIL_RELAY_RESTRICTION=yes}
: ${HDR_REJECT_BADMID=no}
if [ "$MAIL_RELAY_RESTRICTION" = yes -o "$HDR_REJECT_BADMID" != no -o "$HDR_REJECT_RCPTADDRS" != "" ]
then

	if [ "$REVISION_ID_LIST" ]
	then
		REVISION_ID_LIST="$REVISION_ID_LIST\\
# $REVISION_ID"
	else
		REVISION_ID_LIST="# $REVISION_ID"
	fi
fi

if [ "$MAIL_RELAY_RESTRICTION" = yes ]
then

#	: ${CHECK_HOST_ALLOW=/etc/sendmail.allow}
#	: ${CHECK_HOST_DENY=/etc/sendmail.deny}
	: ${CHECK_RELAY_DEFAULT=allow}
#	: ${LOCAL_HOST_IPADDR=/etc/sendmail.localip}
#	: ${LOCAL_HOST_DOMAIN=/etc/sendmail.localdomain}
#	: ${CLIENT_HOST_IPADDR=/etc/sendmail.clientip}
#	: ${CLIENT_HOST_DOMAIN=/etc/sendmail.clientdomain}
#	: ${CLIENT_FROM_DOMAIN=/etc/sendmail.clientfrom}
#	: ${ROAM_HOST_IPADDR=/etc/sendmail.roamip}
#	: ${ROAM_HOST_DOMAIN=/etc/sendmail.roamdomain}
#	: ${ROAM_USERS=/etc/sendmail.roamusers}
	: ${NEED_SENDER_DOMAIN=yes}
#	: ${SPAM_LIST=hash:/etc/sendmail.spamlist}
#	: ${ALLOW_RECIPIENT_DOMAIN=/etc/sendmail.acceptdomain}
#	: ${ALLOW_RELAY_FROM=/etc/sendmail.relay.from}
#	: ${ALLOW_RELAY_TO=/etc/sendmail.relay.to}
#	: ${RELAY_MAP=hash:/etc/sendmail.relay.map}
#	: ${CLIENT_DENY_TO=/etc/sendmail.deny.to}
#	: ${RELAY_MAP_INSIDE=hash:/etc/sendmail.inside.relay.map}
#	: ${REJ_RCPT_LIST=hash:/etc/sendmail.rejrcpt}

	if [ "$SPAM_LIST_TYPE" ]
	then
		echo "smtpcheck: SPAM_LIST_TYPE is obsolete. ignored." 1>&2
	fi

	if [ "$RELAY_MAP_TYPE" ]
	then
		echo "smtpcheck: RELAY_MAP_TYPE is obsolete. ignored." 1>&2
	fi

HDRCHECK='\
\
################################\
# SMTP processing restrictions #\
################################\
\
##\
## upon SMTP authentication\
##\
\
# CONFIG: clients to be allowed to connect this server\
C{HostAllow} 127.0.0.1'

	case "$CHECK_HOST_ALLOW" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{HostAllow} 12.34.56\
#F{HostAllow} -o /etc/sendmail.allow'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{HostAllow} -o '"$CHECK_HOST_ALLOW"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{HostAllow} '"$CHECK_HOST_ALLOW"
		;;
	esac

HDRCHECK="$HDRCHECK"'\
# CONFIG: clients to be rejected to connect this server'

	case "$CHECK_HOST_DENY" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{HostDeny} 23.45.67\
#F{HostDeny} -o /etc/sendmail.deny'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{HostDeny} -o '"$CHECK_HOST_DENY"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{HostDeny} '"$CHECK_HOST_DENY"
		;;
	esac

CHECK_RELAY="$CHECK_RELAY"'\
##\
## SMTP authentication\
##\
\
Scheck_relay\
\
# hostname $| IP address\
#R $* $| $*$={HostAllow}	$@ OK\
R $* $| $={HostAllow}$*	$@ OK\
R $*$={HostAllow} $|$*	$@ OK\
#R $={HostAllow}$* $|$*	$@ OK\
#R $* $| $*$={HostDeny}	$#error $@ 5.7.1 $: 550 Can not speak with you\
R $* $| $={HostDeny}$*	$#error $@ 5.7.1 $: 550 Can not speak with you\
R $*$={HostDeny} $|$*	$#error $@ 5.7.1 $: 550 Can not speak with you\
#R $={HostDeny}$* $|$*	$#error $@ 5.7.1 $: 550 Can not speak with you\
R$+ $| $+		$: $1 $| $> SpamIP $2\
R$+ $| errmsg $* @rej@	$#error $@ 5.7.1 $: $2'

	if [ "$CF_FORMAT" != V7 ]
	then

CHECK_RELAY="$CHECK_RELAY"'\
R$+ $| discard @rej@	$#discard $: discard'

	fi

CHECK_RELAY="$CHECK_RELAY"'\
R$+ $| $*@rej@		$#error $@ 5.7.1 $: 550 Can not speak with you'

	if [ "$CHECK_RELAY_DEFAULT" = allow ]
	then

CHECK_RELAY="$CHECK_RELAY"'\
R $* 			$@ OK\
'

	else

CHECK_RELAY="$CHECK_RELAY"'\
R $* 			$#error $@ 5.7.1 $: 550 Can not speak with you\
'

	fi

CHECK_RELAY="$CHECK_RELAY"'\
SSpamIP\
R$-.$-.$-.$-		$: $(spamlist $1.$2.$3.$4 $)\
R$+ @rej@		$@ $1 @rej@\
R$-.$-.$-.$-		$: $(spamlist $1.$2.$3 $: $1.$2.$3.$4 $)\
R$+ @rej@		$@ $1 @rej@\
R$-.$-.$-.$-		$: $(spamlist $1.$2 $: $1.$2.$3.$4 $)\
R$+ @rej@		$@ $1 @rej@\
R$-.$-.$-.$-		$: $(spamlist $1 $: $1.$2.$3.$4 $)\
\
SCheckDebug\
R$* $$ | $*		$1 $| $2\
'

HDRCHECK="$HDRCHECK"'\
# CONFIG: acceptable (no further checking) clients\
C{LocalIP} 127.0.0.1'

	case "$LOCAL_HOST_IPADDR" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{LocalIP} 34.56.78\
#F{LocalIP} -o /etc/sendmail.localip'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{LocalIP} -o '"$LOCAL_HOST_IPADDR"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{LocalIP} '"$LOCAL_HOST_IPADDR"
		;;
	esac

HDRCHECK="$HDRCHECK"'\
C{LocalDom} localhost'

	case "$LOCAL_HOST_DOMAIN" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{LocalDom} my.local.domain\
#F{LocalDom} -o /etc/sendmail.localdomain'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{LocalDom} -o '"$LOCAL_HOST_DOMAIN"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{LocalDom} '"$LOCAL_HOST_DOMAIN"
		;;
	esac

HDRCHECK="$HDRCHECK"'\
# CONFIG: acceptable clients (with sender address check)\
#C{ClientIP} 127.0.0.1'

	case "$CLIENT_HOST_IPADDR" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{ClientIP} 34.56.78\
#F{ClientIP} -o /etc/sendmail.clientip'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{ClientIP} -o '"$CLIENT_HOST_IPADDR"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{ClientIP} '"$CLIENT_HOST_IPADDR"
		;;
	esac

HDRCHECK="$HDRCHECK"'\
#C{ClientDom} localhost'

	case "$CLIENT_HOST_DOMAIN" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{ClientDom} my.client.domain\
#F{ClientDom} -o /etc/sendmail.clientdomain'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{ClientDom} -o '"$CLIENT_HOST_DOMAIN"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{ClientDom} '"$CLIENT_HOST_DOMAIN"
		;;
	esac

HDRCHECK="$HDRCHECK"'\
# CONFIG: acceptable roaming hosts (with sender address check)'

	case "$ROAM_HOST_IPADDR" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{RoamIP} 34.56.78\
#F{RoamIP} -o /etc/sendmail.roamip'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{RoamIP} -o '"$ROAM_HOST_IPADDR"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{RoamIP} '"$ROAM_HOST_IPADDR"
		;;
	esac

	case "$ROAM_HOST_DOMAIN" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{RoamDom} my.romaing.domain\
#F{RoamDom} -o /etc/sendmail.roamdomain'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{RoamDom} -o '"$ROAM_HOST_DOMAIN"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{RoamDom} '"$ROAM_HOST_DOMAIN"
		;;
	esac

HDRCHECK="$HDRCHECK"'\
\
##\
## upon MAIL FROM response\
##\
\
# CONFIG: list of spammers/spamming domains to be rejected'

	case "$SPAM_LIST" in
	'')
HDRCHECK="$HDRCHECK"'\
Kspamlist null -a@rej@ -o /etc/sendmail.spamlist'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
Kspamlist hash -a@rej@ -o '"$SPAM_LIST"
		;;
	dbm:*)
HDRCHECK="$HDRCHECK"'\
Kspamlist dbm -a@rej@ -o '`echo "$SPAM_LIST" | sed 's/^dbm://'`
		;;
	hash:*)
HDRCHECK="$HDRCHECK"'\
Kspamlist hash -a@rej@ -o '`echo "$SPAM_LIST" | sed 's/^hash://'`
		;;
	btree:*)
HDRCHECK="$HDRCHECK"'\
Kspamlist btree -a@rej@ -o '`echo "$SPAM_LIST" | sed 's/^btree://'`
		;;
	nis:*)
HDRCHECK="$HDRCHECK"'\
Kspamlist nis -a@rej@ -o '`echo "$SPAM_LIST" | sed 's/^nis://'`
		;;
	esac

	if [ "$SPAM_REGEX" ]
	then

HDRCHECK="$HDRCHECK"'\
Kcheckaddress regex -a@MATCH '"$SPAM_REGEX"

	fi

HDRCHECK="$HDRCHECK"'\
\
# CONFIG: acceptable MAIL FROM domains (from ClientIP/ClientDom area)'

	case "$CLIENT_FROM_DOMAIN" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{ClientFrom} local.domain\
#F{ClientFrom} -o /etc/sendmail.clientfrom'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{ClientFrom} -o '"$CLIENT_FROM_DOMAIN"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{ClientFrom} '"$CLIENT_FROM_DOMAIN"
		;;
	esac

HDRCHECK="$HDRCHECK"'\
# CONFIG: acceptable users for relaying (from RoamIP/RoamDom area)'

	case "$ROAM_USERS" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{RoamUsers} user1@domain user2@domain\
#F{RoamUsers} -o /etc/sendmail.roamusers'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{RoamUsers} -o '"$ROAM_USERS"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{RoamUsers} '"$ROAM_USERS"
		;;
	esac

	if [ "$CF_FORMAT" = V7 ]
	then

		CLIENT_ADDR='$(deq "" $\&{client_addr} $)'
		CLIENT_NAME='$(deq "" $\&{client_name} $)'
		ENVELOPE_FROM='$(deq "" $\&f $)'

	else
		# V8 or later

		CLIENT_ADDR='$\&{client_addr}'
		CLIENT_NAME='$\&{client_name}'
		ENVELOPE_FROM='$\&f'
	fi

CHECK_MAIL='\
##\
## MAIL FROM validation\
##\
\
Scheck_mail\
\
R<$+>			$:$1				strip angle brackets\
R$+.			$:$1				strip trailing dot\
\
# reject specific spammers\
R$+			$:$>Check_reject $1\
\
R$*			$: $>3 $1			canonicalize'

	: ${WITH_OLD_CF=no}
	if [ "$WITH_OLD_CF" != no ]
	then

CHECK_MAIL="$CHECK_MAIL"'\
R@			$: <@>				null address (old style)'

	fi

CHECK_MAIL="$CHECK_MAIL"'\
R<@>			$@ OK				null address is OK\
R$*<@$*.>$*		$1<@$2>$3			strip trailing dot\
\
# reject spamming domain\
R$*<@$+>$*		$: $>Check_reject_domain $1<@$2>$3 $| $2\
\
# client address check -- accept messages from hosts within allowed domain\
R$*			$: '"$CLIENT_NAME"' $| $1\
R$*			$: '"$CLIENT_ADDR"' $| $1\
# Now, we have "${client_addr} $| ${client_name} $| original_token"\
R0 $| $* $| $*		$@ $>Check_mail_local $2	no addr (may be -bs)\
R$={RoamIP}$* $| $* $| $*	$@ $>Check_mail_roam $4\
R$* $| $*$={RoamDom} $| $*	$@ $>Check_mail_roam $4\
R$={LocalIP}$* $| $* $| $*	$@ $>Check_mail_local $4\
R$* $| $*$={LocalDom} $| $*	$@ $>Check_mail_local $4\
R$={ClientIP}$* $| $* $| $*	$@ $>Check_mail_client $4\
R$* $| $*$={ClientDom} $| $*	$@ $>Check_mail_client $4\
R$* $| $* $| $*		$@ $>Check_mail_remote $3\
\
SCheck_mail_roam\
R$*<@$*>$*		$: $1<@$2>$3 $| $1@$2$3\
R$* $| $={RoamUsers}	$@ $>Check_mail_local $1\
R$* $| $*		$@ $>Check_mail_remote $1\
\
SCheck_mail_remote'

	: ${CHECK_FROM_FQDN=yes}
	if [ "$CHECK_FROM_FQDN" = yes ]
	then

CHECK_MAIL="$CHECK_MAIL"'\
R$*<@$->$*		$#error $@ 5.7.1 $: 553 FQDN addressing required'

	else

CHECK_MAIL="$CHECK_MAIL"'\
#R$*<@$->$*		$#error $@ 5.7.1 $: 553 FQDN addressing required'

	fi

CHECK_MAIL="$CHECK_MAIL"'\
# the following rule should be disabled if some users send mail from outside\
R$*<@$*>$*		$@ $>Check_mail_dns $1<@$2>$3	user@domain\
#R$*<@$*>$*		$@ OK				user@domain\
R$*			$#error $@ 5.7.1 $: 553 Domain part missing\
'

	: ${USE_SENDER_DNS_CHECK=no}
	case "$USE_SENDER_DNS_CHECK" in
	mark)

HDRCHECK="$HDRCHECK"'\
# Resolve map (to check existence of a host)\
Kresolv host -a<OK> -T<TEMP>\
'

CHECK_MAIL="$CHECK_MAIL"'\
SCheck_mail_dns\
# verify returnability of the sender address\
R$*<@$*>$*		$: $(resolv $2. $: $2 <PERM> $)	host part\
R$*<PERM>		$: $(define Unreturnable: $2 $@ {SenderMark} $)<PERM>\
R$*<PERM>		$: $(syslog check_mail $2 $)\
#R$*<TEMP>		$: $(define Unresolved: $2 $@ {SenderMark} $)<TEMP>\
#R$*<TEMP>		$: $(syslog check_mail $2 $)\
R$*			$@ OK\
'

SYSLOG_MAP='Ksyslog syslog'
DEFINE_MAP='Kdefine define /dev/null'

		;;
	log)

HDRCHECK="$HDRCHECK"'\
# Resolve map (to check existence of a host)\
Kresolv host -a<OK> -T<TEMP>\
'

CHECK_MAIL="$CHECK_MAIL"'\
SCheck_mail_dns\
# verify returnability of the sender address\
R$*<@$*>$*		$: $(resolv $2. $: $2 <PERM> $)	host part\
R$*<PERM>		$: $(syslog check_mail Unreturnable address: $2 $)\
#R$*<TEMP>		$: $(syslog check_mail Unresolved address: $2 $)\
R$*			$@ OK\
'

SYSLOG_MAP='Ksyslog syslog'

		;;
	yes)

		if [ "$CF_FORMAT" = V7 ]
		then

CHECK_MAIL="$CHECK_MAIL"'\
SCheck_mail_dns\
# verify returnability of the sender address\
# CAUTION!: messages will be rejected even if just DNS lookup failure\
R$*<@$*>$*		$: $[ $2. $]			host part\
R$*.			$@ OK				found\
#R$*			$#error $@ 5.7.1 $: 553 Unreturnable address rejected\
R$*			$#error $@ 4.5.1 $: 451 Unreturnable address rejected\
#R$*			$@ OK\
'

		else

HDRCHECK="$HDRCHECK"'\
# Resolve map (to check existence of a host)\
Kresolv host -a<OK> -T<TEMP>\
'

CHECK_MAIL="$CHECK_MAIL"'\
SCheck_mail_dns\
# verify returnability of the sender address\
R$*<@$*>$*		$: $(resolv $2. $: $2 <PERM> $)	host part\
R$*<OK>			$@ OK					found\
R$*<PERM>		$#error $@ 5.1.8 $: 553 Unreturnable address rejected\
R$*<TEMP>		$#error $@ 4.1.8 $: 451 Sender domain must be resolved\
'

		fi
		;;
	*)

CHECK_MAIL="$CHECK_MAIL"'\
SCheck_mail_dns\
R$*			$@ OK				no checking\
'
		;;
	esac

CHECK_MAIL="$CHECK_MAIL"'\
SCheck_mail_local\
# checking sender addresses (for hosts with forwarding feature)\
R$*			$@ OK				no checking\
\
SCheck_mail_client\
# checking sender addresses (for hosts just for sending)'

	if [ "$NEED_SENDER_DOMAIN" = yes ]
	then

CHECK_MAIL="$CHECK_MAIL"'\
R$-			$@ OK				user'

	else

CHECK_MAIL="$CHECK_MAIL"'\
#R$-			$@ OK				user'

	fi

CHECK_MAIL="$CHECK_MAIL"'\
R$-<@$=w>		$@ OK				user@localhost\
R$-<@$*$={ClientFrom}>	$@ OK				user@good.domain\
R$-<@$*>$*		$#error $@ 5.7.1 $: 553 Sorry, your address is not for this domain'

CHECK_MAIL="$CHECK_MAIL"'\
\
SCheck_reject'

	: ${USE_MAPS_RBL=no}
	: ${USE_ORBS=no}
	if [ "$USE_MAPS_RBL" != no -o "$USE_ORBS" != no ]
	then

		: ${RBL=rbl.maps.vix.com}
		: ${ORBS=orbs.dorkslayers.com}

HDRCHECK="$HDRCHECK"'\
# CONFIG: skip RBL/ORBS checking domains/ip-addresses\
C{SkipChkDom} localhost'

	case "$SKIP_CHECK_DOMAIN" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{SkipChkDom} my.local.domain\
#F{SkipChkDom} -o /etc/sendmail.localdomain'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{SkipChkDom} -o '"$SKIP_CHECK_DOMAIN"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{SkipChkDom} '"$SKIP_CHECK_DOMAIN"
		;;
	esac

HDRCHECK="$HDRCHECK"'\
#C{SkipChkIP} 127.0.0.1'

	case "$SKIP_CHECK_IPADDR" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{SkipChkIP} 34.56.78\
#F{SkipChkIP} -o /etc/sendmail.clientip'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{SkipChkIP} -o '"$SKIP_CHECK_IPADDR"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{SkipChkIP} '"$SKIP_CHECK_IPADDR"
		;;
	esac

CHECK_MAIL="$CHECK_MAIL"'\
R$*			$: $1 $| '"$CLIENT_ADDR"'\
R$* $| 0		$: $1				command line is OK\
R$*$={SkipChkDom} $| $*	$: $1				no checking\
R$* $| $={SkipChkIP}$*	$: $1				no checking'

	case "$USE_MAPS_RBL" in
	log)

CHECK_MAIL="$CHECK_MAIL"'\
# deny with MAPS (Mail Abuse Protection System) RBL (Realtime Blackhole List)\
R$* $| $-.$-.$-.$-	$: $1 $| $2.$3.$4.$5 $| $(host $5.$4.$3.$2.'"$RBL"'. $: $)\
R$* $| $* $| $+		$: $1 $| $2 $| $(syslog check_mail MAPSRBL: $2 $: $)\
R$* $| $* $| $*		$: $1 $| $2'

SYSLOG_MAP='Ksyslog syslog'

		;;
	mark)

CHECK_MAIL="$CHECK_MAIL"'\
# deny with MAPS (Mail Abuse Protection System) RBL (Realtime Blackhole List)\
R$* $| $-.$-.$-.$-	$: $1 $| $2.$3.$4.$5 $| $(host $5.$4.$3.$2.'"$RBL"'. $: $)\
R$* $| $* $| $+		$: $1 $| $2 $| $(define MAPSRBL: $2 $@ {SenderMark} $)\
R$* $| $* $| $+		$: $1 $| $2 $| $(syslog check_mail MAPSRBL: $2 $)\
R$* $| $* $| $*		$: $1 $| $2'

SYSLOG_MAP='Ksyslog syslog'
DEFINE_MAP='Kdefine define /dev/null'

		;;
	yes)

CHECK_MAIL="$CHECK_MAIL"'\
# deny with MAPS (Mail Abuse Protection System) RBL (Realtime Blackhole List)\
R$* $| $-.$-.$-.$-	$: $1 $| $2.$3.$4.$5 $| $(host $5.$4.$3.$2.'"$RBL"'. $: $)\
R$* $| $* $| $+		$#error $@ 5.7.1 $: "550 Mail from " $2 " refused, see http://maps.vix.com/rbl/"'

		;;
	esac

	case "$USE_ORBS" in
	log)

CHECK_MAIL="$CHECK_MAIL"'\
# deny with ORBS (Open Relay Blocking System) by dorkslayers.com\
R$* $| $-.$-.$-.$-	$: $1 $| $2.$3.$4.$5 $| $(host $5.$4.$3.$2.'"$ORBS"'. $: $)\
R$* $| $* $| $+		$: $1 $| $2 $| $(syslog check_mail ORBS: $2 $: $)\
R$* $| $* $| $*		$: $1 $| $2'

SYSLOG_MAP='Ksyslog syslog'

		;;
	mark)

CHECK_MAIL="$CHECK_MAIL"'\
# deny with ORBS (Open Relay Blocking System) by dorkslayers.com\
R$* $| $-.$-.$-.$-	$: $1 $| $2.$3.$4.$5 $| $(host $5.$4.$3.$2.'"$ORBS"'. $: $)\
R$* $| $* $| $+		$: $1 $| $2 $| $(define ORBS: $2 $@ {SenderMark} $)\
R$* $| $* $| $+		$: $1 $| $2 $| $(syslog check_mail ORBS: $2 $)\
R$* $| $* $| $*		$: $1 $| $2'

SYSLOG_MAP='Ksyslog syslog'
DEFINE_MAP='Kdefine define /dev/null'

		;;
	yes)

CHECK_MAIL="$CHECK_MAIL"'\
# deny with ORBS (Open Relay Blocking System) by dorkslayers.com\
R$* $| $-.$-.$-.$-	$: $1 $| $2.$3.$4.$5 $| $(host $5.$4.$3.$2.'"$ORBS"'. $: $)\
R$* $| $* $| $+		$#error $@ 5.7.1 $: "550 Mail from " $2 " refused, see http://dorkslayers.com/orbs/"'

		;;
	esac

HDRCHECK="$HDRCHECK\\
$SYSLOG_MAP\\
$DEFINE_MAP"

CHECK_MAIL="$CHECK_MAIL"'\
R$* $| $*		$: $1\
'

	fi

	if [ "$CF_FORMAT" != V7 ]
	then

CHECK_MAIL="$CHECK_MAIL"'\
# deny with spamlist DB\
R$+			$: $1 $| $(spamlist $1$)\
R$+ $| errmsg $* @rej@	$#error $@ 5.7.1 $: $2\
R$+ $| discard @rej@	$#discard $: discard\
R$+ $| $+ @rej@		$#error $@ 5.7.1 $: 553 Message from $1 rejected\
R$+ $| $*		$: $1\
'

	else

CHECK_MAIL="$CHECK_MAIL"'\
# deny with spamlist DB\
R$+			$: $1 $| $(spamlist $1$)\
R$+ $| errmsg $* @rej@	$#error $@ 5.7.1 $: $2\
R$+ $| $+ @rej@		$#error $@ 5.7.1 $: 553 Message from $1 rejected\
R$+ $| $*		$: $1\
'

	fi

	if [ "$SPAM_REGEX" ]
	then

CHECK_MAIL="$CHECK_MAIL"'\
R$+			$: $(checkaddress $1$)\
R@MATCH			$#error $@ 5.7.1 $: 553 Message rejected\
'

	fi

	if [ "$CF_FORMAT" != V7 ]
	then

CHECK_MAIL="$CHECK_MAIL"'\
SCheck_reject_domain\
# deny with spamlist DB\
R$* $| $+		$: $1 $| $(spamlist $2$)\
R$* $| errmsg $* @rej@	$#error $@ 5.7.1 $: $2\
R$* $| discard @rej@	$#discard $: discard\
R$* $| $+ @rej@		$#error $@ 5.7.1 $: 553 Message from $1 rejected\
R$* $| $-.$+		$: $> Check_reject_domain $1 $| $3\
R$* $| $*		$: $1				good address\
'

	else

CHECK_MAIL="$CHECK_MAIL"'\
SCheck_reject_domain\
# deny with spamlist DB\
R$* $| $+		$: $1 $| $(spamlist $2$)\
R$* $| errmsg $* @rej@	$#error $@ 5.7.1 $: $2\
R$* $| $+ @rej@		$#error $@ 5.7.1 $: 553 Message from $1 rejected\
R$* $| $-.$+		$: $> Check_reject_domain $1 $| $3\
R$* $| $*		$: $1				good address\
'

	fi

HDRCHECK="$HDRCHECK"'\
\
##\
## upon RCPT TO response\
##\
'

HDRCHECK="$HDRCHECK"'\
# CONFIG: acceptable destination addresses'

	case "$ALLOW_RECIPIENT_DOMAIN" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{AcceptDom} local.domain\
#F{AcceptDom} -o /etc/sendmail.acceptdomain'
		;;
	dbm:*)
HDRCHECK="$HDRCHECK"'\
KAcceptDom hash -m -a@ '`echo "$ALLOW_RECIPIENT_DOMAIN" | sed 's/^dbm://'`
		;;
	hash:*)
HDRCHECK="$HDRCHECK"'\
KAcceptDom hash -m -a@ '`echo "$ALLOW_RECIPIENT_DOMAIN" | sed 's/^hash://'`
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{AcceptDom} -o '"$ALLOW_RECIPIENT_DOMAIN"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{AcceptDom} '"$ALLOW_RECIPIENT_DOMAIN"
		;;
	esac

HDRCHECK="$HDRCHECK"'\
# CONFIG: acceptable addresses to relay from'

	case "$ALLOW_RELAY_FROM" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{RelayFrom} relay.from.domain\
#F{RelayFrom} -o /etc/sendmail.relay.from'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{RelayFrom} -o '"$ALLOW_RELAY_FROM"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{RelayFrom} '"$ALLOW_RELAY_FROM"
		;;
	esac

HDRCHECK="$HDRCHECK"'\
# CONFIG: acceptable addresses to relay to'

	case "$ALLOW_RELAY_TO" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{RelayTo} relay.to.domain\
#F{RelayTo} -o /etc/sendmail.relay.to'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{RelayTo} -o '"$ALLOW_RELAY_TO"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{RelayTo} '"$ALLOW_RELAY_TO"
		;;
	esac

	if [ "$RELAY_MAP" ]
	then

HDRCHECK="$HDRCHECK"'\
# CONFIG: list of relay pair (sender!recipient) to be allowed/rejected'

		case "$RELAY_MAP" in
		/*)
HDRCHECK="$HDRCHECK"'\
Krelay hash -o '"$RELAY_MAP"
			;;
		dbm:*)
HDRCHECK="$HDRCHECK"'\
Krelay dbm -o '`echo "$RELAY_MAP" | sed 's/^dbm://'`
			;;
		hash:*)
HDRCHECK="$HDRCHECK"'\
Krelay hash -o '`echo "$RELAY_MAP" | sed 's/^hash://'`
			;;
		btree:*)
HDRCHECK="$HDRCHECK"'\
Krelay btree  -o '`echo "$RELAY_MAP" | sed 's/^btree://'`
			;;
		nis:*)
HDRCHECK="$HDRCHECK"'\
Krelay nis -o '`echo "$RELAY_MAP" | sed 's/^nis://'`
			;;
		esac

	else

HDRCHECK="$HDRCHECK"'\
# CONFIG: list of relay pair (sender!recipient) to be allowed/rejected\
#Krelay '"$RELAY_MAP_TYPE"' -o /etc/sendmail.relay.map'

	fi

HDRCHECK="$HDRCHECK"'\
'

	case "$CLIENT_DENY_TO" in
	'')
HDRCHECK="$HDRCHECK"'\
#C{ClientDenyTo} client.deny.to.domain\
#F{ClientDenyTo} -o /etc/sendmail.deny.to'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
F{ClientDenyTo} -o '"$CLIENT_DENY_TO"
		;;
	*)
HDRCHECK="$HDRCHECK"'\
C{ClientDenyTo} '"$CLIENT_DENY_TO"
		;;
	esac

	if [ "$RELAY_MAP_INSIDE" ]
	then

HDRCHECK="$HDRCHECK"'\
# CONFIG: list of inside relay pair (sender!recipient) to be allowed/rejected'

		case "$RELAY_MAP_INSIDE" in
		/*)
HDRCHECK="$HDRCHECK"'\
Krelayinside hash -o '"$RELAY_MAP_INSIDE"
			;;
		dbm:*)
HDRCHECK="$HDRCHECK"'\
Krelayinside dbm -o '`echo "$RELAY_MAP_INSIDE" | sed 's/^dbm://'`
			;;
		hash:*)
HDRCHECK="$HDRCHECK"'\
Krelayinside hash -o '`echo "$RELAY_MAP_INSIDE" | sed 's/^hash://'`
			;;
		btree:*)
HDRCHECK="$HDRCHECK"'\
Krelayinside btree  -o '`echo "$RELAY_MAP_INSIDE" | sed 's/^btree://'`
			;;
		nis:*)
HDRCHECK="$HDRCHECK"'\
Krelayinside nis  -o '`echo "$RELAY_MAP_INSIDE" | sed 's/^nis://'`
			;;
		esac

	else

HDRCHECK="$HDRCHECK"'\
# CONFIG: list of inside relay pair (sender!recipient) to be allowed/rejected\
#Krelayinside '"$RELAY_MAP_TYPE"' -o /etc/sendmail.inside.relay.map\
'

	fi

	case "$REJ_RCPT_LIST" in
	'')
HDRCHECK="$HDRCHECK"'\
Krejrcpt null -a@rej@ -o /etc/sendmail.rejrcpt'
		;;
	/*)
HDRCHECK="$HDRCHECK"'\
Krejrcpt hash -a@rej@ -o '"$REJ_RCPT_LIST"
		;;
	dbm:*)
HDRCHECK="$HDRCHECK"'\
Krejrcpt dbm -a@rej@ -o '`echo "$REJ_RCPT_LIST" | sed 's/^dbm://'`
		;;
	hash:*)
HDRCHECK="$HDRCHECK"'\
Krejrcpt hash -a@rej@ -o '`echo "$REJ_RCPT_LIST" | sed 's/^hash://'`
		;;
	btree:*)
HDRCHECK="$HDRCHECK"'\
Krejrcpt btree -a@rej@ -o '`echo "$REJ_RCPT_LIST" | sed 's/^btree://'`
		;;
	nis:*)
HDRCHECK="$HDRCHECK"'\
Krejrcpt nis -a@rej@ -o '`echo "$REJ_RCPT_LIST" | sed 's/^nis://'`
		;;
	esac

HDRCHECK="$HDRCHECK"'\
\
# Dequoting map\
Kdeq dequote\
'


CHECK_RCPT='\
##\
## RCPT TO validation\
##\
\
Scheck_rcpt\
\
R<$+>			$:$1				strip angle brackets\
R$+.			$:$1				strip trailing dot\
\
'

	if [ "$CF_FORMAT" != V7 ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
# deny with recrcpt DB\
R$+			$: $1 $| $(rejrcpt $1$)\
R$+ $| errmsg $* @rej@	$#error $@ 5.7.1 $: $2\
R$+ $| discard @rej@	$#discard $: discard\
R$+ $| $+ @rej@		$#error $@ 5.7.1 $: 550 User unknown\
R$+ $| $*		$: $1 $| $>3 $1			canonicalize\
R$+ $| $*<@$+>$*	$: $1 $| $(rejrcpt $3$)\
R$+ $| errmsg $* @rej@	$#error $@ 5.7.1 $: $2\
R$+ $| discard @rej@	$#discard $: discard\
R$+ $| $+ @rej@		$#error $@ 5.7.1 $: 550 Host unknown\
R$+ $| $*		$: $1\
'

	else

CHECK_RCPT="$CHECK_RCPT"'\
# deny with recrcpt DB\
R$+			$: $1 $| $(rejrcpt $1$)\
R$+ $| errmsg $* @rej@	$#error $@ 5.7.1 $: $2\
R$+ $| $+ @rej@		$#error $@ 5.7.1 $: 550 User unknown\
R$+ $| $*		$: $1 $| $>3 $1			canonicalize\
R$+ $| $*<@$+>$*	$: $1 $| $(rejrcpt $3$)\
R$+ $| errmsg $* @rej@	$#error $@ 5.7.1 $: $2\
R$+ $| $+ @rej@		$#error $@ 5.7.1 $: 550 Host unknown\
R$+ $| $*		$: $1\
'

	fi

CHECK_RCPT="$CHECK_RCPT"'\
# prepending client address information\
R$*			$: '"$CLIENT_NAME"' $| $1\
R$*			$: '"$CLIENT_ADDR"' $| $1\
# Now, we have "${client_addr} $| ${client_name} $| original_token"\
R0 $| $* $| $*		$@ OK				no addr (may be -bs)\
\
# pairing with sender address\
R$* $| $* $| $*		$: $1 $| $2 $| '"$ENVELOPE_FROM"' $| $3\
# now, we can check c_addr-c_name-sender-recipient quad
\
# client address check -- accept messages from hosts within allowed domain\
R$={RoamIP}$* $| $* $| $* $| $*		$@ $>Check_rcpt_roam $4 $| $5\
R$* $| $*$={RoamDom} $| $* $| $*	$@ $>Check_rcpt_roam $4 $| $5\
R$={LocalIP}$* $| $* $| $* $| $*	$@ $>Check_rcpt_inside $4 $| $5\
R$* $| $*$={LocalDom} $| $* $| $*	$@ $>Check_rcpt_inside $4 $| $5\
R$={ClientIP}$* $| $* $| $* $| $*	$@ $>Check_rcpt_inside $4 $| $5\
R$* $| $*$={ClientDom} $| $* $| $*	$@ $>Check_rcpt_inside $4 $| $5\
R$* $| $* $| $* $| $*	$: $>Check_rcpt_local $3 $| $4	remove client info\
R<OK> 			$@ OK				destination is local\
R$* 			$@ $>Check_rcpt_outside $1\
\
SCheck_rcpt_roam\
# checking on sender-recipient pair (compatible with check_compat)\
R$={RoamUsers} $| $*	$@ $>Check_rcpt_inside $1 $| $2\
R$*			$: $>Check_rcpt_local $1\
R<OK> 			$@ OK				destination is local\
R$* 			$@ $>Check_rcpt_outside $1\
\
SCheck_rcpt_local\
# checking on sender-recipient pair (compatible with check_compat)\
R$* $| $*		$: $2 $| $>3 $1			canonicalize sender\
R$* $| $*<@$*.>$*	$1 $| $2<@$3>$4			strip trailing dot\
R$* $| $*		$: $2 $| $>3 $1			canonicalize recipient\
R$* $| $*<@$*.>$*	$1 $| $2<@$3>$4			strip trailing dot\
\
# destination address check (localization)\
R$* $| <@$=w>:$*	$1 $| $>3 $3			strip my acceptables\
R$* $| $*<@$=w>		$1 $| $>3 $2			strip my acceptables'

	case "$ALLOW_RECIPIENT_DOMAIN" in
	dbm:*|hash:*)
CHECK_RCPT="$CHECK_RCPT"'\
R$* $| $*<@$*>$*	$:$1 $| $1<@$(AcceptDom $3$)>$4	check my acceptables\
R$* $| <@$*@>:$*	$1 $| $>3 $3			strip my acceptables\
R$* $| $*<@$*@>		$1 $| $>3 $2			strip my acceptables'
		;;
	*)
CHECK_RCPT="$CHECK_RCPT"'\
R$* $| <@$*$={AcceptDom}>:$*	$1 $| $>3 $4		strip my acceptables\
R$* $| $*<@$*$={AcceptDom}>	$1 $| $>3 $2		strip my acceptables'
		;;
	esac

	if [ "$_AA_CHAR" ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
R$* $| <@$='"$_AA_CHAR"'>:$*	$1 $| $>3 $3		strip my acceptables\
R$* $| $*<@$='"$_AA_CHAR"'>	$1 $| $>3 $2		strip my acceptables'

	fi

	if [ "$_UD_CHAR" ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
R$* $| <@$='"$_UD_CHAR"'>:$*	$1 $| $>3 $3		strip my acceptables\
R$* $| $*<@$='"$_UD_CHAR"'>	$1 $| $>3 $2		strip my acceptables'

	fi

	if [ "$_SD_CHAR" ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
R$* $| <@$'"$_SD_CHAR"'>:$*	$1 $| $>3 $2		strip my acceptables\
R$* $| $*<@$'"$_SD_CHAR"'>	$1 $| $>3 $2		strip my acceptables'

	fi

	if [ "$_SA_CHAR" ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
R$* $| <@$'"$_SA_CHAR"'>:$*	$1 $| $>3 $2		strip my acceptables\
R$* $| $*<@$'"$_SA_CHAR"'>	$1 $| $>3 $2		strip my acceptables'

	fi

CHECK_RCPT="$CHECK_RCPT"'\
#R$* $| $*<@$+>$*	$@ $>Check_rcpt_outside $1 $| $2<@$3>$4\
R$* $| $*<@$+>$*	$@ $1 $| $2<@$3>$4		not local\
R$* $| $+		$: $1 $| $(deq $2 $)		strip quotes\
R$* $| $+$=@$+		$@ $>Check_rcpt_local $1 $| $2$3$4	try again\
R$*			$@ <OK>				local names are OK\
\
SCheck_rcpt_inside\
# checking on sender-recipient pair (compatible with check_compat)\
# will be canonicalized in Check_rcpt_local\
#R$* $| $*		$: $2 $| $>3 $1			canonicalize sender\
#R$* $| $*<@$*.>$*	$1 $| $2<@$3>$4			strip trailing dot\
#R$* $| $*		$: $2 $| $>3 $1			canonicalize recipient\
#R$* $| $*<@$*.>$*	$1 $| $2<@$3>$4			strip trailing dot\
R$*			$: $>Check_rcpt_local $1\
R<OK> 			$@ OK				destination is local\
\
# reject source routing\
#R$* $| $*@$*<@$*>$*	$#error $@ 5.7.1 $: 553 Source routing rejected\
#R$* $| $*%$*<@$*>$*	$#error $@ 5.7.1 $: 553 Source routing rejected\
#R$* $| <@$*>:$*@$*	$#error $@ 5.7.1 $: 553 Source routing rejected\
'

	if [ "$NEED_SENDER_DOMAIN" = yes ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
#R$- $| $*		$@ OK				from here is OK'

	else

CHECK_RCPT="$CHECK_RCPT"'\
R$- $| $*		$@ OK				from here is OK'

	fi

	if [ "$WITH_OLD_CF" != no ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
R@ $| $*		$: <@> $| $1			null address (old style)'

	fi

CHECK_RCPT="$CHECK_RCPT"'\
#R<@> $| $*		$@ OK				null address is OK\
\
# check address pair for relaying\
R$* $| $*<@$*$={ClientDenyTo}>$*	$#error $@ 5.7.1 $: 553 Relay operation rejected'

	if [ "$RELAY_MAP_INSIDE" ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
R$* $| $*		$:$> Relay_map_check_inside $1 $| $2'

	else

CHECK_RCPT="$CHECK_RCPT"'\
#R$* $| $*		$:$> Relay_map_check_inside $1 $| $2'

	fi

CHECK_RCPT="$CHECK_RCPT"'\
Rdeny			$#error $@ 5.7.1 $: 553 Relay operation rejected\
Rerrmsg $*		$#error $@ 5.7.1 $: $1'

	if [ "$CF_FORMAT" != V7 ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
Rdiscard		$# discard $: discard'

	fi

CHECK_RCPT="$CHECK_RCPT"'\
R$* 			$@ OK\
\
SCheck_rcpt_outside\
# checking on sender-recipient pair (compatible with check_compat)\
# already canonicalized
#R$* $| $*		$: $2 $| $>3 $1			canonicalize sender\
#R$* $| $*<@$*.>$*	$1 $| $2<@$3>$4			strip trailing dot\
#R$* $| $*		$: $2 $| $>3 $1			canonicalize recipient\
#R$* $| $*<@$*.>$*	$1 $| $2<@$3>$4			strip trailing dot\
\
# reject source routing'

: ${REJECT_EXTERN_SRR=yes}
if [ "$REJECT_EXTERN_SRR" = "yes" ]
then

CHECK_RCPT="$CHECK_RCPT"'\
R$* $| $*@$*<@$*>$*	$#error $@ 5.7.1 $: 553 Source routing rejected\
R$* $| $*%$*<@$*>$*	$#error $@ 5.7.1 $: 553 Source routing rejected\
R$* $| <@$*>:$*@$*	$#error $@ 5.7.1 $: 553 Source routing rejected\
'

else

CHECK_RCPT="$CHECK_RCPT"'\
#R$* $| $*@$*<@$*>$*	$#error $@ 5.7.1 $: 553 Source routing rejected\
#R$* $| $*%$*<@$*>$*	$#error $@ 5.7.1 $: 553 Source routing rejected\
#R$* $| <@$*>:$*@$*	$#error $@ 5.7.1 $: 553 Source routing rejected\
'

fi

	if [ "$WITH_OLD_CF" != no ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
R@ $| $*		$: <@> $| $1			null address (old style)'

	fi

CHECK_RCPT="$CHECK_RCPT"'\
#R<@> $| $*		$@ OK				null address is OK\
\
# check address pair for relaying\
R$*<@$*$={RelayFrom}>$* $| $*	$@ OK		from check\
R$* $| $*<@$*$={RelayTo}>$*	$@ OK		to check'

	if [ "$RELAY_MAP" ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
R$* $| $*		$:$> Relay_map_check_outside $1 $| $2'

	else

CHECK_RCPT="$CHECK_RCPT"'\
#R$* $| $*		$:$> Relay_map_check_outside $1 $| $2'

	fi

CHECK_RCPT="$CHECK_RCPT"'\
Rallow			$@ OK\
Rerrmsg $*		$#error $@ 5.7.1 $: $1'

	if [ "$CF_FORMAT" != V7 ]
	then

CHECK_RCPT="$CHECK_RCPT"'\
Rdiscard		$# discard $: discard'

	fi

	: ${LOWER_MX_OK=no}
	if [ "$MX_SENDMAIL" != yes -a "$LOWER_MX_OK" != no ]
	then

		LOWER_MX_OK=no
		echo "smtpcheck: LOWER_MX_OK will be ignored with MX_SENDMAIL=no." 1>&2

	fi

	if [ "$LOWER_MX_OK" != no -a "$CF_FORMAT" != V7 ]
	then

HDRCHECK="$HDRCHECK"'\
# MX map (to allow relaying to hosts that we MX for)\
Kmxserved bestmx -z: -TTEMP\
'

CHECK_RCPT="$CHECK_RCPT"'\
# allow relaying for hosts which we MX serve\
R$* $| $*<@$*>$*	$: $1 $| $2<@$3>$4 $| : $(mxserved $3 $) :\
R$* $| $* $| : TEMP :	$#error $@ 4.7.1 $: "450 Can not check MX records for recipient " $2\
R$* $| $* $| $* : $=w . : $*	$@ OK\
R$* $| $* $| $*		$: $1 $| $2\
'

	fi

CHECK_RCPT="$CHECK_RCPT"'\
# anything else should be rejected\
R$*			$#error $@ 5.7.1 $: 553 Relay operation rejected\
\
# sender-recipient domain pair checking with relay-map (from inside)\
SRelay_map_check_inside\
#R $* $| $*		$: $2 $| $> 3 $1		focus on sender\
#R $* $| $*		$: $2 $| $> 3 $1		focus on recipient\
#R $*. $| $*		$1 $| $2			strip trailing dot\
#R $* $| $*.		$1 $| $2			strip trailing dot\
R$*<@$*>$* $| $*<@$*>$*	$@ $> Relay_map_i_s $2 $| $5\
\
# sender matching\
SRelay_map_i_s\
R $* $| $*		$: $> Relay_map_i_r $1 $| $2\
R $* $| $*		$@ $> Relay_map_i_s_sub $1 $| $2\
R $*			$@ $1				found\
\
# sender sub-domain matching\
SRelay_map_i_s_sub\
R $-.$* $| $+		$: $> Relay_map_i_r .$2 $| $3\
R .$-.$* $| $+		$@ $> Relay_map_i_s_sub $1.$2 $| $3\
R .$- $| $+		$: $> Relay_map_i_r . $| $2	wildcard match\
R $* $| $*		$@ allow			default\
R $*			$@ $1				found\
\
# recipient matching\
SRelay_map_i_r\
R $* $| $*		$: $2 $| $(relayinside $1 ! $2 $: $1 $| $2 $)\
R $* $| $* $| $*	$@ $> Relay_map_i_r_sub $1 $| $2 $| $3\
R $* $| $*		$@ $2				found\
\
# recipient sub-domain matching\
SRelay_map_i_r_sub\
R $* $| $* $| $-.$+	$: $1 $| $(relayinside $2 ! .$4 $: $2 $| $4 $)\
R $* $| $* $| $-	$: $1 $| $(relayinside $2 ! . $: $2 $| . $)\
R $* $| $* $| $-.$+	$@ $> Relay_map_i_r_sub $1 $| $2 $| $3.$4\
R $* $| $* $| $*	$@ $2 $| $1			not found\
R $* $| $*		$@ $2				found\
\
# sender-recipient domain pair checking with relay-map (from outside)\
SRelay_map_check_outside\
#R $* $| $*		$: $2 $| $> 3 $1		focus on sender\
#R $* $| $*		$: $2 $| $> 3 $1		focus on recipient\
#R $*. $| $*		$1 $| $2			strip trailing dot\
#R $* $| $*.		$1 $| $2			strip trailing dot\
R$*<@$*>$* $| $*<@$*>$*	$@ $> Relay_map_o_s $2 $| $5\
\
# sender matching\
SRelay_map_o_s\
R $* $| $*		$: $> Relay_map_o_r $1 $| $2\
R $* $| $*		$@ $> Relay_map_o_s_sub $1 $| $2\
R $*			$@ $1				found\
\
# sender sub-domain matching\
SRelay_map_o_s_sub\
R $-.$* $| $+		$: $> Relay_map_o_r .$2 $| $3\
R .$-.$* $| $+		$@ $> Relay_map_o_s_sub $1.$2 $| $3\
R .$- $| $+		$: $> Relay_map_o_r . $| $2	wildcard match\
R $* $| $*		$@ deny				default\
R $*			$@ $1				found\
\
# recipient matching\
SRelay_map_o_r\
R $* $| $*		$: $2 $| $(relay $1 ! $2 $: $1 $| $2 $)\
R $* $| $* $| $*	$@ $> Relay_map_o_r_sub $1 $| $2 $| $3\
R $* $| $*		$@ $2				found\
\
# recipient sub-domain matching\
SRelay_map_o_r_sub\
R $* $| $* $| $-.$+	$: $1 $| $(relay $2 ! .$4 $: $2 $| $4 $)\
R $* $| $* $| $-	$: $1 $| $(relay $2 ! . $: $2 $| . $)	wildcard match\
R $* $| $* $| $-.$+	$@ $> Relay_map_o_r_sub $1 $| $2 $| $3.$4\
R $* $| $* $| $*	$@ $2 $| $1			not found\
R $* $| $*		$@ $2				found'

fi

if [ "$CF_FORMAT" != V7 ]
then

	: ${HDR_REJECT_ACTION=error}

	if [ "$HDR_REJECT_BADMID" != no ]
	then

CHECK_HDR="$CHECK_HDR"'\
HMessage-Id: $>CheckMessageId\
\
SCheckMessageId\
R<$+@$+>		$@ OK\
R$*			$#'"$HDR_REJECT_ACTION"' $: "553 Header error"'

	fi

	if [ "$HDR_REJECT_RCPTADDRS" ]
	then

		case "$HDR_REJECT_RCPTADDRS" in
		/*)
HDRCHECK="$HDRCHECK"'\
F{RejHdrAddrs} -o '"$HDR_REJECT_RCPTADDRS"
			;;
		*)
HDRCHECK="$HDRCHECK"'\
C{RejHdrAddrs} '"$HDR_REJECT_RCPTADDRS"
			;;
		esac

CHECK_HDR="$CHECK_HDR"'\
HTo: $>CheckRcpt\
HCc: $>CheckRcpt\
\
SCheckRcpt\
R$* , $*		$: $2 $| $> CheckRcptSub $1\
R$* $| $# $*		$# $2				trap $#error\
R$* $| $*		$: $> CheckRcpt $1\
R$*			$: $> CheckRcptSub $1\
\
SCheckRcptSub\
R$={RejHdrAddrs}	$#'"$HDR_REJECT_ACTION"' $: 553 Header Error\
R$={RejHdrAddrs}@$+	$#'"$HDR_REJECT_ACTION"' $: 553 Header Error'

	fi

fi
