Qmail-control-files

From Qmailwiki

I've found that some patches use control files and these aren't well documented. This page is meant to be a central place for the meanings of the control files.


control/badhelo

In general this is meant for checking against the envelope greeting (HELO/EHLO) argument.

qregex in particular treats the contents of this control file as regular expressions (one per line). It then attempts a case-insensitive match against the HELO or EHLO string. If a match is made, a 553 permanent error is issued to the client. Negation is also supported via the '!' operator.

Examples:

# Reject spambots using our mailserver's 11.22.33.44 IP as HELO/EHLO
^11\.22\.33\.44$
# Reject spambots using our mailserver's a.mx.ourdomain.tld name as HELO/EHLO
^a\.mx\.ourdomain\.tld$

control/badmailfrom

In general this is meant for checking against the envelope sender string (MAIL) argument.

qregex in particular treats the contents of this control file as regular expressions (one per line). It then attempts a case-insensitive match against the envelope sender string, provided it is non-empty (i.e. bounces are never rejected). If a match is made, a 553 permanent error is issued to the client at the RCPT stage. Negation is also supported via the '!' operator.

Examples:

# Reject senders with @spammer.com addresses
@spammer\.com$

control/badmailfromnorelay

In general this is meant for checking against the envelope sender string (MAIL) argument when the RELAYCLIENT environment variable is not set.

qregex in particular uses it in the same manner as control/badmailfrom, but only when the RELAYCLIENT environment variable is not set.

Examples:

# Reject senders without '@'
!@
# Reject senders spoofing @ourdomain.tld local addresses
@ourdomain\.tld$

control/badmailto

In general this is meant for checking against the envelope recipient string (RCPT) arguments.

qregex in particular treats the contents of this control file as regular expressions (one per line). It then attempts a case-insensitive match against each envelope recipient string. If a match is made, a 553 permanent error is issued to the client. Negation is also supported via the '!' operator.

Examples:

# Don't accept messages for addresses containing more than one '@'
@.+@

control/badmailtonorelay

In general this is meant for checking against the envelope recipient string (RCPT) arguments when the RELAYCLIENT environment variable is not set.

qregex in particular uses it in the same manner as control/badmailto, but only when the RELAYCLIENT environment variable is not set.

Examples:

# Don't accept messages for addresses containing ' ', '!', '%', '#' etc
[ !%#:*^(){}]
# Don't allow outsiders to send messages to our staff@ourdomain.tld list
^staff@ourdomain\.tld$
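The following is an added example, not code from the qregex patch or from this page: a small Python model of the matching rules described for the badhelo, badmailfrom, badmailfromnorelay, badmailto and badmailtonorelay files (one case-insensitive regex per line, '!' negation, empty sender never rejected, the *norelay files skipped when RELAYCLIENT is set). The control-file contents are the examples from this page; the '#' comment handling follows those examples, and the sender/recipient strings are assumed to be the already-parsed addresses without angle brackets.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[bool, "re.Pattern"]  # (negated?, compiled regex)

def parse_rules(text: str) -> List[Rule]:
    """Parse a qregex-style control file: one regex per line, '#' lines are
    comments (as in the examples above) and a leading '!' negates the rule."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        rules.append((negate, re.compile(line[1:] if negate else line, re.IGNORECASE)))
    return rules

def rejecting_rule(rules: List[Rule], value: str) -> Optional[str]:
    """Return the control-file line that would cause a 553 for value, or None."""
    for negate, rx in rules:
        if (rx.search(value) is not None) != negate:  # '!' flips the sense of the match
            return ("!" if negate else "") + rx.pattern
    return None

def check_helo(helo: str, badhelo: List[Rule]) -> Optional[str]:
    return rejecting_rule(badhelo, helo)

def check_mail_from(sender: str, badmailfrom: List[Rule], norelay: List[Rule],
                    relayclient: bool) -> Optional[str]:
    if sender == "":  # empty envelope sender is a bounce: never rejected
        return None
    hit = rejecting_rule(badmailfrom, sender)
    if hit is None and not relayclient:  # *norelay files apply only without RELAYCLIENT
        hit = rejecting_rule(norelay, sender)
    return hit

def check_rcpt_to(rcpt: str, badmailto: List[Rule], norelay: List[Rule],
                  relayclient: bool) -> Optional[str]:
    hit = rejecting_rule(badmailto, rcpt)
    if hit is None and not relayclient:
        hit = rejecting_rule(norelay, rcpt)
    return hit

# Constructed control files, copied from the examples on this page
BADHELO = parse_rules("^11\\.22\\.33\\.44$\n^a\\.mx\\.ourdomain\\.tld$")
BADMAILFROM = parse_rules("@spammer\\.com$")
BADMAILFROMNORELAY = parse_rules("# Reject senders without '@'\n!@\n@ourdomain\\.tld$")
BADMAILTO = parse_rules("@.+@")
BADMAILTONORELAY = parse_rules("[ !%#:*^(){}]\n^staff@ourdomain\\.tld$")
```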

control/bouncefrom

control/bouncehost

control/clientca.pem

control/clientcert.pem

control/clientcrl.pem

control/concurrencylocal

control/concurrencyremote

control/databytes

control/defaultdomain

control/defaulthost

control/dh1024.pem

control/dh512.pem

control/doublebouncehost

control/doublebounceto

control/envnoathost

control/helohost

control/idhost

control/localiphost

control/locals

control/me

control/morercpthosts

control/percenthack

control/plusdomain

control/qmqpservers

control/queuelifetime

control/rcpthosts

control/rsa512.pem

control/servercert.pem

control/smtpgreeting

control/smtproutes

control/spamt

man file

Example:

192.168.0.0/24:private:2000:120000::::::
192.168.1.0/24:/24:2000:120000::::::
.

Note that the file must end with a line containing a single dot!

Each line has the format: ipblock:dir:st:stmax:flush:rcpt:tg:tg_resp:

  • ipblock:
  • dir: directory in which to store the stats; if two IP blocks have the same dir, they are treated as a single user. Use /## to create directories based on the mask.

control/spfbehavior

Use this to turn on SPF checking. The default value is 0 (off). You can specify a value between 0 and 6:

  • 0: Never do SPF lookups, don't create Received-SPF headers
  • 1: Only create Received-SPF headers, never block
  • 2: Use temporary errors when you have DNS lookup problems
  • 3: Reject mails when SPF resolves to fail (deny)
  • 4: Reject mails when SPF resolves to softfail
  • 5: Reject mails when SPF resolves to neutral
  • 6: Reject mails when SPF does not resolve to pass

Values bigger than 3 are strongly discouraged; you probably want to go with 2 or 3. Important: this setting can be overridden using the environment variable SPFBEHAVIOR, e.g. from tcpserver rules. Note: if RELAYCLIENT is set, SPF checks won't run at all (this also applies to SMTP-AUTH and similar patches, which set RELAYCLIENT).

control/spfexp

control/spfguess

control/spfrules

control/timeoutconnect

control/timeoutremote

control/timeoutsmtpd

control/tlsclientciphers

control/tlsclients

control/tlshosts/

control/tlsserverciphers

This one-line file supplies a cipher list string to the OpenSSL libraries when the netqmail patched version of qmail (and its descendants) offers TLS-protected SMTP to a remote TLS-using client. When either the client connects to port 465 ("SMTPS", or SMTP-over-SSL/TLS) or the client connects to plaintext port 25 but then uses the STARTTLS command to initiate TLS, the local OpenSSL server must know which cipher suites it is allowed to negotiate with the far side. By default qmail-smtpd passes the string "DEFAULT", which means OpenSSL may negotiate every cipher it knows about, which includes some old and weak encryption ciphers. If a PCI audit of your qmail server fails because you are unintentionally offering SSLv2 and low- or export-strength SSLv3 ciphers, you can restrict it by passing a cipher list to qmail-smtpd, either in an environment variable called TLSCIPHERS or in the control file tlsserverciphers.

Example:

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-SSLv2

This says to initially consider all ciphers, but then take away some non-encrypting ones and low- and export-strength ones, then explicitly add back the high- and medium-strength ones, and finally remove anything used in SSLv2. This is probably not optimal, but it works; a complete explanation of the syntax of this cipher string may be found at the documentation section of OpenSSL.org.

Note that there doesn't seem to be a way to prevent the offering of the SSLv2 protocol at all (that would be the list of protocols, not the list of cipher suites). But you can disable all the protocols that SSLv2 is defined to use (as in "-SSLv2" above), which effectively disables the use of SSLv2 to connect to the server.
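The following is an added example, not code from netqmail or from this page: before putting a string into control/tlsserverciphers, it feeds the string to the OpenSSL that Python links against (the same kind of parsing qmail-smtpd hands to OpenSSL), lists what is actually enabled, flags suites whose names match fragments I chose to call weak (no encryption or authentication, export grade, single DES, RC2, RC4, MD5), and shows what the string drops compared with the "DEFAULT" fallback. The outcome depends on the local OpenSSL build, exactly as it does for qmail-smtpd.

```python
import re
import ssl
from typing import Dict, List

# The cipher string quoted on this page for control/tlsserverciphers
PAGE_CIPHER_STRING = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-SSLv2"

# Suite-name fragments treated as weak here (my choice, not a PCI definition)
WEAK_NAME = re.compile(r"NULL|ADH|AECDH|EXP|DES-CBC-SHA|RC2|RC4|MD5")

def enabled_ciphers(cipher_string: str) -> List[Dict[str, object]]:
    """Hand the string to the linked OpenSSL and list what it enables.
    ssl.SSLError is raised only if nothing at all can be selected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()  # dicts with 'name', 'protocol', 'strength_bits', ...

def weak_ciphers(cipher_string: str) -> List[str]:
    """Names of enabled suites this audit would flag."""
    return sorted(c["name"] for c in enabled_ciphers(cipher_string)
                  if WEAK_NAME.search(str(c["name"])))

def audit(cipher_string: str) -> Dict[str, object]:
    """Summary to check before writing the string into control/tlsserverciphers."""
    ciphers = enabled_ciphers(cipher_string)
    return {
        "enabled": len(ciphers),
        "weak": weak_ciphers(cipher_string),
        "min_strength_bits": min(int(c["strength_bits"]) for c in ciphers),
    }

def removed_by(cipher_string: str, baseline: str = "DEFAULT") -> List[str]:
    """Suites the baseline (qmail-smtpd's fallback "DEFAULT") offers but cipher_string drops."""
    keep = {c["name"] for c in enabled_ciphers(cipher_string)}
    return sorted(str(c["name"]) for c in enabled_ciphers(baseline) if c["name"] not in keep)

if __name__ == "__main__":
    for s in ("DEFAULT", PAGE_CIPHER_STRING):
        print(s, audit(s))
    print("dropped relative to DEFAULT:", removed_by(PAGE_CIPHER_STRING))
```

If the "weak" list for the page's string is not empty on your build (RC4 suites, for instance), the string needs tightening before it goes into the control file.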

control/virtualdomains
