Qmail-control-files
I've found that some patches use control files and these aren't well documented. This page is meant as a central place for documenting what the control files mean.
control/badhelo
In general this is meant for checking against the envelope greeting (HELO/EHLO) argument.
qregex in particular treats the contents of this control file as regular expressions (one per line). It then attempts a case-insensitive match against the HELO or EHLO string. If a match is made, a 553 permanent error is issued to the client. Negation is also supported by prefixing a line with the '!' operator.
Examples:
# Reject spambots using our mailserver's 11.22.33.44 IP as HELO/EHLO
^11\.22\.33\.44$
# Reject spambots using our mailserver's a.mx.ourdomain.tld name as HELO/EHLO
^a\.mx\.ourdomain\.tld$
control/badmailfrom
In general this is meant for checking against the envelope sender string (MAIL) argument.
qregex in particular treats the contents of this control file as regular expressions (one per line). It then attempts a case-insensitive match against the envelope sender string, provided it is non-empty (i.e. bounces are never rejected). If a match is made, a 553 permanent error is issued to the client at the RCPT stage. Negation is also supported by prefixing a line with the '!' operator.
Examples:
# Reject senders with @spammer.com addresses
@spammer\.com$
control/badmailfromnorelay
In general this is meant for checking against the envelope sender string (MAIL) argument when the RELAYCLIENT environment variable is not set.
qregex in particular uses it in the same manner as control/badmailfrom, but only when the RELAYCLIENT environment variable is not set.
Examples:
# Reject senders without '@'
!@
# Reject senders spoofing @ourdomain.tld local addresses
@ourdomain\.tld$
control/badmailto
In general this is meant for checking against the envelope recipient string (RCPT) arguments.
qregex in particular treats the contents of this control file as regular expressions (one per line). It then attempts a case-insensitive match against each envelope recipient string. If a match is made, a 553 permanent error is issued to the client. Negation is also supported by prefixing a line with the '!' operator.
Examples:
# Don't accept messages for addresses containing more than one '@'
@.+@
control/badmailtonorelay
In general this is meant for checking against the envelope recipient string (RCPT) arguments when the RELAYCLIENT environment variable is not set.
qregex in particular uses it in the same manner as control/badmailto, but only when the RELAYCLIENT environment variable is not set.
Examples:
# Don't accept messages for addresses containing ' ', '!', '%', '#' etc
[ !%#:*^(){}]
# Don't allow outsiders to send messages to our staff@ourdomain.tld list
^staff@ourdomain\.tld$
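As an added illustration (not part of this page or of the qregex patch itself), the following Python reproduces the matching rules described above for badhelo, badmailfrom(norelay) and badmailto(norelay): one pattern per line, '#' comment lines as in the examples, case-insensitive matching, '!' negation, and the empty-sender and RELAYCLIENT exemptions. Python's re module is assumed to approximate the regex dialect qregex compiles, and the sample control files are constructed.

```python
import re

# Constructed sample control files, modelled on the examples on this page
# (not the contents of any real installation).
BADHELO = r"""
# Reject spambots using our own IP as HELO/EHLO
^11\.22\.33\.44$
"""
BADMAILFROMNORELAY = r"""
# Reject senders without '@'
!@
# Reject senders spoofing our own domain
@ourdomain\.tld$
"""


def load_rules(text):
    """Parse a qregex-style control file: one regex per line, '#' comment
    lines and blank lines ignored, a leading '!' negates the match."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = line[1:] if negate else line
        rules.append((negate, re.compile(pattern, re.IGNORECASE)))
    return rules


def matches(rules, value):
    """True if any rule matches: an unanchored, case-insensitive search
    (assumed to approximate the POSIX regex matching qregex performs)."""
    for negate, rx in rules:
        hit = rx.search(value) is not None
        if hit != negate:  # a negated rule matches when the pattern does NOT
            return True
    return False


def check_mail_from(rules, sender, relayclient=False):
    """Apply a badmailfromnorelay-style file: skipped for relay clients and
    for the empty (bounce) sender, as the page describes for badmailfrom."""
    if relayclient or sender == "":
        return "accept"
    return "reject 553" if matches(rules, sender) else "accept"
```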
control/bouncefrom
control/bouncehost
control/clientca.pem
control/clientcert.pem
control/clientcrl.pem
control/concurrencylocal
control/concurrencyremote
control/databytes
control/defaultdomain
control/defaulthost
control/dh1024.pem
control/dh512.pem
control/doublebouncehost
control/doublebounceto
control/envnoathost
control/helohost
control/idhost
control/localiphost
control/locals
control/me
control/morercpthosts
control/percenthack
control/plusdomain
control/qmqpservers
control/queuelifetime
control/rcpthosts
control/rsa512.pem
control/servercert.pem
control/smtpgreeting
control/smtproutes
control/spamt
Example:
192.168.0.0/24:private:2000:120000::::::
192.168.1.0/24:/24:2000:120000::::::
.
Note that the file must end with a line containing a single dot!
Each line has the format: ipblock:dir:st:stmax:flush:rcpt:tg:tg_resp:
- ipblock:
- dir: directory in which to store the stats. If two IP blocks have the same dir, they are treated as a single user. Use /## to create directories based on the mask.
control/spfbehavior
Use this to turn on SPF checking. The default value is 0 (off). You can specify a value between 0 and 6:
* 0: Never do SPF lookups, don't create Received-SPF headers
* 1: Only create Received-SPF headers, never block
* 2: Use temporary errors when you have DNS lookup problems
* 3: Reject mails when SPF resolves to fail (deny)
* 4: Reject mails when SPF resolves to softfail
* 5: Reject mails when SPF resolves to neutral
* 6: Reject mails when SPF does not resolve to pass
Values bigger than 3 are strongly discouraged; you probably want to go with 2 or 3. Important: this setting can be overridden using the environment variable SPFBEHAVIOR, e.g. from tcpserver rules. Note: if RELAYCLIENT is set, SPF checks won't run at all (this also includes SMTP-AUTH and similar patches).
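An added example, not code from the spf patch: a small decision function that applies the 0-6 scale above together with the SPFBEHAVIOR override and the RELAYCLIENT exemption. The cumulative reading of the table (each level also rejects whatever the lower levels reject) and the result names used here are our assumptions.

```python
import os

# Assumed SPF result names; 'error' stands for a DNS lookup problem.
# Lowest spfbehavior level at which each non-pass result is rejected.
REJECT_AT = {"fail": 3, "softfail": 4, "neutral": 5, "none": 6}


def effective_behavior(control_value, env=None):
    """Level from control/spfbehavior, overridden by $SPFBEHAVIOR.
    Returns None when RELAYCLIENT is set (no SPF check at all)."""
    env = os.environ if env is None else env
    if "RELAYCLIENT" in env:
        return None
    raw = env.get("SPFBEHAVIOR", str(control_value))
    try:
        level = int(raw)
    except ValueError:
        level = 0  # unparsable value: treat as "off" (assumption)
    return max(0, min(level, 6))


def spf_decision(result, control_value, env=None):
    """Map an SPF result to 'skip', 'accept', 'tempfail' or 'reject'
    under the cumulative reading of the 0-6 scale."""
    level = effective_behavior(control_value, env)
    if level is None or level == 0:
        return "skip"  # no lookup, no Received-SPF header
    if result == "error":
        return "tempfail" if level >= 2 else "accept"
    if result == "pass":
        return "accept"
    # Level 6 rejects anything that is not pass, including unknown results.
    if level >= REJECT_AT.get(result, 6):
        return "reject"
    return "accept"  # Received-SPF header only
```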
control/spfexp
control/spfguess
control/spfrules
control/timeoutconnect
control/timeoutremote
control/timeoutsmtpd
control/tlsclientciphers
control/tlsclients
control/tlshosts/
control/tlsserverciphers
This one-line file supplies a cipher list string to the OpenSSL libraries when the netqmail patched version of qmail (and its descendants) offers TLS-protected SMTP to a remote TLS-using client. When either the client connects to port 465 ("SMTPS", or SMTP-over-SSL/TLS) or the client connects to plaintext port 25 but then uses the STARTTLS command to initiate TLS, the local OpenSSL server must know which cipher suites it is allowed to negotiate with the far side. By default qmail-smtpd passes the string "DEFAULT", which means OpenSSL may negotiate every cipher it knows about, which includes some old and weak encryption ciphers. If a PCI audit of your qmail server fails because you are unintentionally offering SSLv2 and low- or export-strength SSLv3 ciphers, you can restrict it by passing a cipher list to qmail-smtpd, either in an environment variable called TLSCIPHERS or in the control file tlsserverciphers.
Example:
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-SSLv2
This says to initially consider all ciphers, but then take away some non-encrypting ones and low- and export-strength ones, then explicitly add back the high- and medium-strength ones, and finally remove anything used in SSLv2. This is probably not optimal, but it works; a complete explanation of the syntax of this cipher string may be found at the documentation section of OpenSSL.org.
Note that there doesn't seem to be a way to prevent the offering of the SSLv2 protocol at all (that would be the list of protocols, not the list of cipher suites). But you can disable all the protocols that SSLv2 is defined to use (as in "-SSLv2" above), which effectively disables the use of SSLv2 to connect to the server.
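To see what a given cipher list will actually make OpenSSL offer before putting it into control/tlsserverciphers, this added Python (not from qmail or netqmail) feeds the page's example string through Python's ssl module, which hands it to the linked OpenSSL in the same way qmail-smtpd does, and flags names carrying markers assumed here to be what a PCI-style review objects to. The marker list is an assumption, and the expansion depends on the OpenSSL build you run it on.

```python
import ssl

# The cipher list string from this page's example.
PAGE_EXAMPLE = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-SSLv2"

# Assumed heuristic: substrings of OpenSSL cipher names that indicate
# unauthenticated, unencrypted, export-strength, RC4 or (3)DES suites.
WEAK_MARKERS = ("NULL", "ADH", "AECDH", "EXP", "RC4", "DES-CBC")


def expand_cipher_list(cipher_string):
    """Return the cipher names the linked OpenSSL would offer for TLS 1.2
    and below given this list string (TLS 1.3 suites are configured
    separately and are filtered out here)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(cipher_string):
    """Names in the expansion that carry one of the weak markers."""
    return [n for n in expand_cipher_list(cipher_string)
            if any(m in n for m in WEAK_MARKERS)]


if __name__ == "__main__":
    for name in expand_cipher_list(PAGE_EXAMPLE):
        print(name)
    print("flagged:", weak_ciphers(PAGE_EXAMPLE))
```

Anything printed under "flagged" is still being offered by that string on your build and is a candidate for a further "!" exclusion.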