mail.log. After all, most information was already there. However, I needed the RFC5322.From headers to check domain alignment and make sure we send only eMail we are authorized to send.
Sendmail, by default, logs only the envelope "From" address (AKA RFC5321.From). I wanted to add the "From:" headers of outgoing messages (AKA RFC5322.From).1) So, in sendmail.mc I added the following at the bottom:
LOCAL_CONFIG
Klog syslog
HFrom: $>+LogFrom
LOCAL_RULESETS
SLogFrom
R$* $: $(log From: $&{currHeader} $)
(Note that the block of spaces in the last line have to be TABs. For details of the syntax see e.g. The whole scoop of the configuration file.)
Basically, this defines a map "log" and a ruleset "LogFrom", looks for "From:" and "rewrites" (R) any content via "log" to syslog, prepending "From:". The results in mail.log should look similar to
Sep 21 22:03:34 localhost sm-mta[1364]: u8LK3Y6P001364: From: "Full Name" <sender@example.net> Sep 21 22:03:35 localhost sm-mta[1364]: u8LK3Y6P001364: from=<sender@mail.example.net.net>, size=724389, class=0, nrcpts=1, msgid=<005c01d21443$2bf4e600$83deb200$@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [127.1.0.1] Sep 21 22:03:38 localhost sm-mta[1365]: u8LK3Y6P001364: to=<receiver@example.org>, delay=00:00:04, xdelay=00:00:03, mailer=local, pri=754801, dsn=2.0.0, stat=Sent
These sendmail.cf instructions make Sendmail log "From:" headers of both incoming and outgoing mail. Only the latter was my original intention, however, I appreciate the additional log data for incoming mail, too. It helps debugging and answering user queries since they often and understandably enough only mention RFC5322.From addresses.
However, much to my surprise I found that Sendmail sometimes logged 2 "From:" headers even though the messages definitely had only 1. Turned out that Sendmail indeed inspects contents of attachments if their "Content-type" is message/rfc822.
My colleague Johann Klasek, a true Sendmail aficionado, even digged the source code to confirm my empirical findings. He also came up with the following rules to skip "From:" headers of attachments by means of a macro {InMessage} and an if-then type rewriting:
LOCAL_CONFIG
Klog syslog
HFrom: $>+LogFrom
HContent-Type: $>+CheckMessage
LOCAL_RULESETS
SLogFrom
R$* $: <$&{InMessage}> $1 are we in a message/rfc822 part?
R<> $* $: $(log From: $&{currHeader} $) $1 if not then log the From: header
SCheckMessage
Rmessage/$* $: $(macro {InMessage} $@ YES $) $1 set mark if Content-Type is message/*
In order to log "From:" headers of attached messages with e.g. keyword "MIME-From:" instead of "From:" add the following line before SCheckMessage (i.e. at the end of ruleset SLogFrom):
R<YES> $* $: $(log MIME-From: $&{currHeader} $) $1 embedded MIME part From: header
(Again, aligned whitespaces are TAB characters.)
Many thanks to Johann Klasek for his great help!
mail.log. After all, most information was already there. However, I needed the RFC5322.From headers to check domain alignment and make sure we send only eMail we are authorized to send.disclaimer & imprint :: copyright :: go to top ::