BarricadeMX_2.x Documentation

Transcription

BarricadeMX_2.x Documentation
2009
BarricadeMX
DOCUMENTATION
Step-by-step instructions for Getting started with BarricadeMX, version 2.x
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
Introduction
smtpf sits in front of one or more MTAs on SMTP
port 25. It acts as a proxy, filtering and forwarding
mail to one or more MTAs, which can be on the same
machine or different machines.
By using an independent SMTP pre-filter in the form
The Big Picture
of a proxy we avoid portability differences and
limitations of MTA extension methods (milters, plugins, rule sets, etc.) and tighly
couple & integrate tests to improve performance & message throughput.
smtpf supports a variety of well blended anti-spam filtering techniques that can be
individually enabled or disabled according to the rigours of the postmaster's local
filtering policy. Some of the tests available are:
●
●
●
●
●
●
●
●
●
Avast!, ClamAV, and F-Prot anti-virus support
"Client-Is-MX" heuristics for PTR and IP in name checks
Concurrent connection limits
Connection rate throttling
DNS real-time black, grey, and white lists
Enhanced grey-listing
HELO claims to be us
Local black/white list by IP, host name, domain, MAIL, RCPT
Message limit & size controls
●
●
●
●
●
●
●
●
●
●
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
b. The Access Map
c. The smtpf.cf File
d. Option Summary
E. Runtime
a. Command Line
Options
b. Runtime
Configuration
c. The Cache File
d. The Stats File
e. Log Messages
f. SMTP Replies
F. Glossary
Recipient verification using call-ahead
Sender verification using call-back
SIQ protocol support for reputation services
SMTP command & greet pause
SpamAssassin anti-spam support
SPF Classic support
Tar pitting negative SMTP responses
URI blacklist test of PTR, HELO, and MAIL
URI blacklist testing of message content
White wash & backscatter prevention with EMEW
Another feature of smtpf is the multicast / unicast cache, which provides a fast, simple, and efficient means to share cache updates across
multiple machines on the same network segment or to a set of remote hosts. The multicast / unicast cache use a broadcast-and-correct
model and support IPv4 & IPv6.
Copyright 2006, 2009 by SnertSoft. All rights reserved.
http://www.snertsoft.com/smtp/smtpf/ (1 of 2)5/4/2009 1:57:44 PM
SnertSoft - smtpf/2.2
BarricadeMX trademark & patents pending.
08285 dastardly villians since 1 November 2006
http://www.snertsoft.com/smtp/smtpf/ (2 of 2)5/4/2009 1:57:44 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
Introduction
smtpf sits in front of one or more MTAs on SMTP
port 25. It acts as a proxy, filtering and forwarding
mail to one or more MTAs, which can be on the same
machine or different machines.
By using an independent SMTP pre-filter in the form
The Big Picture
of a proxy we avoid portability differences and
limitations of MTA extension methods (milters, plugins, rule sets, etc.) and tighly
couple & integrate tests to improve performance & message throughput.
smtpf supports a variety of well blended anti-spam filtering techniques that can be
individually enabled or disabled according to the rigours of the postmaster's local
filtering policy. Some of the tests available are:
●
●
●
●
●
●
●
●
●
Avast!, ClamAV, and F-Prot anti-virus support
"Client-Is-MX" heuristics for PTR and IP in name checks
Concurrent connection limits
Connection rate throttling
DNS real-time black, grey, and white lists
Enhanced grey-listing
HELO claims to be us
Local black/white list by IP, host name, domain, MAIL, RCPT
Message limit & size controls
●
●
●
●
●
●
●
●
●
●
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
b. The Access Map
c. The smtpf.cf File
d. Option Summary
E. Runtime
a. Command Line
Options
b. Runtime
Configuration
c. The Cache File
d. The Stats File
e. Log Messages
f. SMTP Replies
F. Glossary
Recipient verification using call-ahead
Sender verification using call-back
SIQ protocol support for reputation services
SMTP command & greet pause
SpamAssassin anti-spam support
SPF Classic support
Tar pitting negative SMTP responses
URI blacklist test of PTR, HELO, and MAIL
URI blacklist testing of message content
White wash & backscatter prevention with EMEW
Another feature of smtpf is the multicast / unicast cache, which provides a fast, simple, and efficient means to share cache updates across
multiple machines on the same network segment or to a set of remote hosts. The multicast / unicast cache use a broadcast-and-correct
model and support IPv4 & IPv6.
Copyright 2006, 2009 by SnertSoft. All rights reserved.
http://www.snertsoft.com/smtp/smtpf/manual.shtml (1 of 2)5/4/2009 1:57:45 PM
SnertSoft - smtpf/2.2
BarricadeMX trademark & patents pending.
08286 dastardly villians since 1 November 2006
http://www.snertsoft.com/smtp/smtpf/manual.shtml (2 of 2)5/4/2009 1:57:45 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
License Agreement 1.7
SNERTSOFT & CO. ARE WILLING TO LICENSE THE SOFTWARE IDENTIFIED
ABOVE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF
THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE
AGREEMENT CAREFULLY. BY DOWNLOADING OR INSTALLING THIS
SOFTWARE, YOU ACCEPT THE TERMS OF THE AGREEMENT.
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
b. The Access Map
c. The smtpf.cf File
d. Option Summary
E. Runtime
a. Command Line
Options
b. Runtime
Configuration
c. The Cache File
d. The Stats File
e. Log Messages
f. SMTP Replies
F. Glossary
1. Definitions
1. ``Package'' means the identified above in source and/or binary form, any other machine readable materials provided
(including, but not limited to documentation, sample files, data files), any updates or error corrections, and its derivative
works.
2. ``Organisation'' means a legal entity or an individual.
3. ``You'' (or ``Your'') means an Organisation exercising rights under, and complying with all of the terms of, this License
or a future version of this License issued under Section 6.1. For legal entities, ``You'' includes any entity which controls,
is controlled by, or is under common control with You. For purposes of this definition,``control'' means (a) the power,
direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b)
ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.
4. ``SnertSoft'' means Anthony C. Howe situated in Cannes, France (SIRET #489 259 937 00014).
5. ``SnertSoft & Co.'' means SnertSoft and all authorised & licensed partners, such as value-added resellers or appliance
manufacturers.
http://www.snertsoft.com/smtp/smtpf/license.html (1 of 3)5/4/2009 1:57:47 PM
SnertSoft - smtpf/2.2
2. Statement of Original Work
1. The Package is an original work written by SnertSoft, with exception of following third party code:
1. MD5 routines written by L. Peter Deutsch, based on RFC 1321;
2. SQLite3 package is written by D. Richard Hipp of Hwaci and is in the public domain.
3. strnatcmp.c is written by Martin Pool of sourcefrog.net and has a BSD style license.
3. License To Use
1. You may install and use this Package, without modifications, exclusively on machines for which You have purchased a
license, provided You retain this notice, SnertSoft's copyright notice, any and all license control methods (see below),
and any links within the Package back to the most current online versions of this License and Disclaimer.
2. You may copy, share, distribute, modify, and create derivative works from the user manuals and any related
documentation solely for Your internal business purposes, such as in-house documentation, training manuals, or
reference material.
4. Restrictions
1. Redistribution, including but not limited to books, CDROMS, download mirrors, floppy diskettes, hard disks, hardcopy
print outs, online archives, solid state disks, streaming tapes, or other current or future forms of storage or
communication media of the Package, with or without modifications, including any and all derivative works such as
source patches, binaries, binary patches, or similar is expressly forbidden without prior written permission in hardcopy
(ie. letter or fax) signed and dated by SnertSoft.
2. It is expressly forbidden for You to use the Package, in whole or in part, in any other software or appliance without prior
written permission in hardcopy (ie. letter or fax) signed and dated by SnertSoft.
3. It is expressly forbidden for You to use the Package to develop any software or other technology having the same
primary function as the Package, including but not limited to using the Package in any development or test procedure
that seeks to develop like software or other technology, or determine if such software or other technology performs in a
similar manner as the Package.
4. You may not sell, rent, lease, or transfer the Package to third parties without prior written permission in hardcopy (ie.
letter or fax) signed and dated by SnertSoft.
5. Termination
1. This Agreement is effective until terminated. You may terminate this Agreement at any time by destroying all copies of
the Package.
2. This Agreement will terminate immediately without notice from SnertSoft if You fail to comply with any provision of this
Agreement.
3. Either party may terminate this Agreement immediately should any portion of the Package become, or in either party's
opinion be likely to become, the subject of a claim of infringement of any intellectual property right. Upon Termination,
You must destroy all copies of the Package.
6. Versions Of The License
1. New Versions. SnertSoft may publish revised and/or new versions of the License from time to time. Each version will be
given a distinguishing version number.
2. Effect of New Versions. Once a version of the Package has been published under a particular version of the License,
You may always continue to use it under the terms of that License version. You may also choose to use such Package
under the terms of the most current version of the License published by SnertSoft.
http://www.snertsoft.com/smtp/smtpf/license.html (2 of 3)5/4/2009 1:57:47 PM
SnertSoft - smtpf/2.2
3. No one other than SnertSoft has the right to modify the terms applicable to the Package created under this License.
Disclaimer
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO WAY
SHALL SNERTSOFT OR LICENSEE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
License Control
The Package may use one or more license control methods including, but not limited to, license key activation, periodic reporting of
Package details and IP address of installation to SnertSoft & Co., or remote license verification by SnertSoft & Co.. Any information
reported to or gathered by SnertSoft & Co. shall remain strictly confidential and the private property of SnertSoft & Co.. Under no
circumstances will SnertSoft & Co. resell or release this information to third parties, unless demanded by court order.
Support
Support is provided for one year from date of purchase and only for SnertSoft's original Package that was purchased directly from
SnertSoft. Additional support beyond the first year can be obtained from SnertSoft on time & materials basis or from one of SnertSoft's
authorised partners.
Support for the Package obtained from authorised partners, such as value-added resllers or appliance manufacturers, will be supplied by
those partners. SnertSoft will not support the Package without proof of purchase from SnertSoft, such as an Order N° or Invoice N°.
Package enhancements requests and product suggestions are always welcome. A community mailing list is available; please refer to
SnertSoft web site Support area for details.
- TOP Copyright 2006, 2009 by SnertSoft. All rights reserved.
BarricadeMX trademark & patents pending.
http://www.snertsoft.com/smtp/smtpf/license.html (3 of 3)5/4/2009 1:57:47 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
Installation Pre-Built Binary Package
Centos & Redhat Linux
# rpm -i smtpf-2.2.rpm
OpenBSD & FreeBSD
# pkg_add -v smtpf-2.2.tgz
Files Installed (unix)
#
#
#
#
When using the web user interface, the web
server user should be a member of the smtpf
group in order to be able to update the .cf
and .sq3 files.
drwxrws---r--r-----rw-rw----rw-rw----r--r-----r--r-----rw-rw----rw-rw----rw-rw----
root
root
root
root
root
root
root
root
root
smtpf
smtpf
smtpf
smtpf
smtpf
smtpf
smtpf
smtpf
smtpf
/etc/smtpf/
/etc/smtpf/Makefile
/etc/smtpf/access.cf
/etc/smtpf/access.sq3
/etc/smtpf/dump.mk
/etc/smtpf/lickey.txt
/etc/smtpf/route.cf
/etc/smtpf/route.sq3
/etc/smtpf/smtpf.cf
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
b. The Access Map
c. The smtpf.cf File
d. Option Summary
E. Runtime
a. Command Line
Options
b. Runtime
Configuration
c. The Cache File
d. The Stats File
e. Log Messages
f. SMTP Replies
F. Glossary
# The start-up script is placed in one of the following depending on OS.
# For OpenBSD you modify your /etc/rc.conf.local file instead. Note that
# group *BSD group wheel (gid 0) is equivalent to Linux group root (gid 0).
-r-xr-xr-- root wheel /etc/init.d/smtpf
-r-xr-xr-- root wheel /etc/rc.d/init.d/smtpf
-r-xr-xr-- root wheel /usr/local/etc/rc.d/smtpf
-r-xr-xr-x root wheel /usr/local/sbin/kvmap
-r-xr-xr-x root wheel /usr/local/sbin/kvmc
http://www.snertsoft.com/smtp/smtpf/install.html (1 of 2)5/4/2009 1:57:47 PM
SnertSoft - smtpf/2.2
-r-xr-xr-x root wheel /usr/local/sbin/kvmd
-r-xr-xr-x root wheel /usr/local/sbin/mcc
-r-xr-x--- root wheel /usr/local/sbin/smtpf
# Note the version of SQLite3 supplied is built with --enabled-threadsafe
-r-xr-xr-x root wheel /usr/local/bin/sqlite3t
# Linux only
-rwsrws--- smtpf smtpf /var/cache/smtpf/
# Created by smtpf at startup.
-rw-rw-r-- smtpf smtpf /var/cache/cache.sq3
-rw-rw-r-- smtpf smtpf /var/cache/stats.sq3
# *BSD only
-rwsrws--- smtpf smtpf /var/db/smtpf/
# Created by smtpf at startup.
-rw-rw---- smtpf smtpf /var/db/cache.sq3
-rw-rw---- smtpf smtpf /var/db/stats.sq3
-r-xr-xr-x
-r-xr-xr-x
-r-xr-xr-x
-r-xr-xr-x
-r-xr-xr-x
-r-xr-xr-x
root
root
root
root
root
root
wheel
wheel
wheel
wheel
wheel
wheel
/usr/local/share/examples/smtpf/Makefile
/usr/local/share/examples/smtpf/access.cf
/usr/local/share/examples/smtpf/route.cf
/usr/local/share/examples/smtpf/smtpf.cf
/usr/local/share/examples/smtpf/startup.sh
/usr/local/share/examples/smtpf/welcome.txt
# A copy of the SnertSoft online documentation.
-r-xr-xr-x root wheel /usr/local/share/doc/smtpf/manual.shtml
-r-xr-xr-x root wheel /usr/local/share/doc/smtpf/*
-r-xr-xr-x root wheel /usr/local/share/man/cat1/smtpf.0
- TOP Copyright 2006, 2009 by SnertSoft. All rights reserved.
BarricadeMX trademark & patents pending.
http://www.snertsoft.com/smtp/smtpf/install.html (2 of 2)5/4/2009 1:57:47 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
route-map
smtpf sits in front of one or more mail transfer agents (MTA) on SMTP port 25.
It acts as a proxy, filtering and forwarding mail to one or more MTAs, which can
be on the same machine or different machines. To that end the file referenced
by the route-map option tells smtpf what domains, hosts, or mail addresses
you accept mail for, where to route them, where to optionally verify users, and/
or if to allow relaying.
The file referenced by the route-map option can be a simple text file,
SQLite3 database, or socket-map server. The recommended configuration
uses an SQLite3 database generated from a route.cf text file. This can be
done in one of two ways:
# kvmap -l \
"route!sql!/etc/smtpf/route.sq3" \
< /etc/smtpf/route.cf
or simply by using the supplied Makefile
# cd /etc/smtpf
# make route.sq3
If you do not specify the route.sq3 explicitly, then the make command will
build all the configuration files if necessary.
The route.cf text file consists of lines of key-value pairs. Each line consists
of a key field separated by white space from the value field, which is the
remainder of the line. Comments start with a hash (#) on a line by themselves.
The key lookups are case insensitive, while the values are case sensitive. The
order in which keys are looked up is outlined by the access-map option.
The key can be the connecting SMTP client IPv4 or IPv6 address or part
thereof, the client host name found from a DNS PTR lookup or part thereof, or
a recipient's domain name or part thereof for which we accept mail. The key is
prefixed with a route: tag. Other tags may be added in future releases.
http://www.snertsoft.com/smtp/smtpf/route-map.html (1 of 4)5/4/2009 1:57:49 PM
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
Local MTA
■ Local Route
■ FORWARD &
RELAY
■ by
domain
■ by mail
■ Call-Ahead
■ AcceptThenBounce
■ AUTH Support
■ ETRN Support
b. The Access Map
■ Lookup
Sequences
■ Tags
■ About Delay
Checks
■ Right Hand Side
Values
■ Action Words
■ Pattern Lists
■ !Simple
Patterns!
■ /Regular
Expression
Patterns/
c. The smtpf.cf File
■ Avast! AV
Support
■
SnertSoft - smtpf/2.2
The value is a semi-colon (;) separated list of one or more parameters.
Currently supported parameters are FORWARD:, RCPT:, and RELAY (case
sensitive). The FORWARD: and RCPT: parameters each specify a comma
(,) separated list of one or more hosts by IP address or name.
Local MTA
When a local MTA operates on the same machine as smtpf, it will have to be
configured to accept connections on a port other than SMTP port 25, which
smtpf will be listening on. In our examples, we use local host port 26 for the
local MTA. When specifying IPv6 addresses with a port number, the address
must appear within square brackets ([, ]), for example
"[2001:0DB8::1234]:26".
This example shows all the possible variants for the local route using a local
MTA on the same machine, though the preferred form is route:local.
The other variants are still supported for backwards compatibility with previous
releases.
route:local
route:127.0.0.1
route:::1
FORWARD: localhost:26
FORWARD: 127.0.0.1:26
FORWARD: [::1]:26
Local Route
The local route is very important in smtpf. It is used for queuing outbound
messages from a RELAY, queuing messages for SMTP authenticated
senders, and for processing messages for unqualified recipients, ie. those that
have no domain name part in the address. The local route can be a list of
other hosts machines as shown below. Note that the hosts specified in the
local route must not use the smtpf server as a smart-host, otherwise you can
end up with a mail loop.
This example shows all the possible variants for the local route, though the
preferred form is route:local. The other variants are still supported for
backwards compatibility with previous releases.
route:local
route:127.0.0.1
route:::1
FORWARD: [2001:
db8::1]:26, other.host
FORWARD: 192.0.2.1
FORWARD: 2001:db8::1
FORWARD & RELAY
After the local route, the next most important records that must be added to
the route-map are the recipient domains we will accept mail for. For example:
route:example.com FORWARD: 127.0.0.1:26,
192.168.0.9
http://www.snertsoft.com/smtp/smtpf/route-map.html (2 of 4)5/4/2009 1:57:49 PM
Cache Options
■ Call-Backs
■ Clam AV
Support
■ Command-Line
Interface
■ Client IP
Address
■ Concurrency &
Rate
■ DNS Based Lists
■ Delay Checks
■ EMEW
■ F-Prot AV
Support
■ Grey Listing
■ Grey Content
■ SMTP HELO
Testing
■ Network
Interface
■ Length & Limits
■ RFC
Conformance
■ Run Settings
■ Server
Performance
■ SIQ Support
■ SMTP Options
■ Sophos AV
Support
■ SpamAssassin
Support
■ SPF Support
■ Statistics
■ URI Blacklists
■ Verbose
Logging
d. Option Summary
■
E. Runtime
a. Command Line Options
b. Runtime Configuration
c. The Cache File
The Cache
Structure
d. The Stats File
■ The Stats
Structure
■
SnertSoft - smtpf/2.2
route:snertsoft. FORWARD: 192.0.2.1
com
route:
FORWARD: 192.0.2.2
[email protected]
e. Log Messages
f. SMTP Replies
F. Glossary
The FORWARD: parameter tells smtpf where to send a message for a recipient of that domain. When you specify more than one
FORWARD: host, as was done for route:example.com above, then they are tried in left to right order until one of them answers
(see also route-forward-selection). If no host answers, then that recipient will be temporarily rejected.
Note that it is also possible to route individual mail addresses as shown by route:[email protected] to a different host,
instead of the default for the domain, route:snertsoft.com.
When creating a route-map, it is usually a good idea to specify which hosts or subnets from your LAN are allowed to relay. For example:
route:10.0.0.1
route:192.168.0
route:FE80:0000
route:example.com
RELAY
RELAY
RELAY
FORWARD: 192.168.1.2; RELAY
The RELAY tag should be used sparingly, typically only for your LAN and trusted hosts. Any client connection that is marked as a RELAY,
will have their mail sent to the local route for queuing and white listed through many, but not all, of the tests (anti-virus scanning will
always be done when enabled and if required, EMEW transformation of the Message-Id header).
When a RELAY connects, all mail is sent to the local route for queuing. It is imperative that the SMTP servers handling the local route
know how to relay their domains correctly, otherwise mail may fail to be delivered.
The route:example.com shows an instance where inbound mail destined for example.com is forwarded to a specific host on
the LAN and outbound mail from any host within the example.com domain is relayed. The point to note here is that inbound mail route
selection is taken based on the domain name of the recipient address, while relay selection is based on the DNS PTR record found based
on the connected SMTP client's IP address. If you do not have reverse DNS entries for your internal hosts, then you must specify RELAY
entries by IP address or family as shown above.
Call-Ahead
The RCPT: parameter tells smtpf to perform a call-ahead to another set of hosts in order to verify if the recipient is valid. This parameter
is optional and is only recommended when the FORWARD: host is some intermediate MTA, such as an anti-virus appliance or gateway
machine that has no knowledge of recipients for that domain. RCPT: allows you to jump over one or more intermediate servers to talk
directly with the final mail store. Accept and reject results from a call-ahead are cached for future use, while temporary failure results are
not cached at all. Only the expire time of an accept result will be touched (see cache-accept-ttl).
route:example.net
route:example.org
FORWARD: scan.our.domain; RCPT: 192.168.1.2
FORWARD: scan.our.domain; RCPT: exchange.
our.domain
Note that some MTA by default use an accept-then-bounce model and so do not work with call-ahead very well, such as default
configurations for Microsoft Exchange and Domino servers. An accept-then-bounce server will always accept any SMTP RCPT TO:
command whether it be valid or not. Typically such servers can be configured to verify the RCPT TO: argument the moment the command
is received (instead of delaying until after the message body) so as to provide a more useful and immediate response to the call-ahead.
http://www.snertsoft.com/smtp/smtpf/route-map.html (3 of 4)5/4/2009 1:57:49 PM
SnertSoft - smtpf/2.2
The call-ahead test will perform a false-RCPT test to detect accept-then-bounce servers and cache the result. If the server does
accept-then-bounce, then future call-ahead attempts will be skipped. Alternatively, if an accept-then-bounce server cannot be
configured otherwise, then do not use the RCPT: parameter.
AUTH Support
smtpf has support for SMTP AUTH PLAIN and AUTH LOGIN methods. If you need SMTP AUTH support, then be sure to enable both
smtp-enable-esmtp, auth-delay-checks, which will postpone some connection and HELO/EHLO tests until a MAIL FROM: is
received.
If the authentication-Id given to the AUTH command is fully qualified, ie. it has the form [email protected], then AUTH
command is first proxied to the RCPT: or FORWARD: host of the route:sender.domain; if that fails, then the unqualified
version of the authentication-Id is tried. If the authentication-Id is not qualified, ie. is just a simple userid, then the AUTH command is
proxied to the RCPT: or FORWARD: host of the local route.
All mail sent over an authenticated session is forwarded (queued) to the SMTP host that authenticated the credentials. SMTP AUTH
support in smtpf is limited and it is recommended that a proper MSA be employed.
ETRN Support
smtpf has support for SMTP ETRN, where ETRN commands are simply relayed to the local route, which is responsible for queuing. If the
local route refers to more than one forward host, then those hosts must all share the same mail queue, otherwise the behaviour is
undefined.
- TOP Copyright 2006, 2009 by SnertSoft. All rights reserved.
BarricadeMX trademark & patents pending.
http://www.snertsoft.com/smtp/smtpf/route-map.html (4 of 4)5/4/2009 1:57:49 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
access-map
The access-map is used to manage a variety of facilities such as black &
white listings, message limits & sizes, concurrency & rate throttling. Many
elements can be specified by IP, subnet, host name, and/or sender & recipient
address or domain.
The file referenced by the access-map option can be a simple text file,
SQLite3 database, or socket-map server. The recommended configuration uses
an SQLite3 database generated from an access.cf text file. This can be
done in one of two ways:
# cd /etc/smtpf
# kvmap -l "access!sql!access.sq3" \
< access.cf
or simply by using the supplied Makefile
# cd /etc/smtpf
# make access.sq3
If you do not specify the access.sq3 explicitly, then the make command
will build all the configuration files if necessary.
The access.cf text file consists of lines of key-value pairs. Each line
consists of a key field separated by white space from the value field, which is
the remainder of the line. Comments start with a hash (#) on a line by
themselves. The key lookups are case insensitive, while the values are case
sensitive. The order in which keys are looked up is outlined below and by the
access-map option.
There are essentially three types of keys used in the access-map. Many of
the tags available will use one or more of these lookup sequences.
IP Address Lookups
An IP address lookup is typically applied to the connected SMTP client.
It will start with a complete IPv4 or IPv6 address and break it down on
http://www.snertsoft.com/smtp/smtpf/access-map.html (1 of 7)5/4/2009 1:57:50 PM
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
Local MTA
■ Local Route
■ FORWARD &
RELAY
■ by
domain
■ by mail
■ Call-Ahead
■ AcceptThenBounce
■ AUTH Support
■ ETRN Support
b. The Access Map
■ Lookup
Sequences
■ Tags
■ About Delay
Checks
■ Right Hand Side
Values
■ Action Words
■ Pattern Lists
■ !Simple
Patterns!
■ /Regular
Expression
Patterns/
c. The smtpf.cf File
■ Avast! AV
Support
■
SnertSoft - smtpf/2.2
delimiter boundaries from right to left.
IPv4 Lookup
tag:192.0.2.9
tag:192.0.2
tag:192.0
tag:192
IPv6 Lookup
tag:2001:0DB8:0:0:0:0:1234:5678
tag:2001:0DB8:0:0:0:0:1234
tag:2001:0DB8:0:0:0:0
tag:2001:0DB8:0:0:0
tag:2001:0DB8:0:0
tag:2001:0DB8:0
tag:2001:0DB8
tag:2001
Note that the compact form of an IPv6 address,
"2001:0DB8::1234:5678", cannot be used. Only the full IPv6
address format, with all intervening zeros, is currently supported.
Domain Name Lookups
A domain lookup may be applied to either the connected SMTP client,
where the client's host name found through a DNS PTR record is
searched for, or using the domain portion of an mail address (see
below). A domain lookup will try the IP-domain literal if applicable, then
continue with the FQDN, breaking it down one label at a time from left
to right.
tag:[ipv6:2001:0DB8::1234:5678]
tag:[192.0.2.9]
tag:sub.domain.tld
tag:domain.tld
tag:tld
tag:
Note that the bare tag is often used to specify system wide defaults.
Mail Address Lookups
A mail address lookup is similar to a domain lookup, but the search first
starts with a complete mail address, before trying the address's domain,
and finally only the local part of the address.
tag:[email protected]
tag:sub.domain.tld
tag:domain.tld
tag:tld
tag:account@
tag:
Note that the bare tag is often used to specify system wide defaults.
Tags
The following list outlines the available tags and their supported key lookups:
http://www.snertsoft.com/smtp/smtpf/access-map.html (2 of 7)5/4/2009 1:57:50 PM
Cache Options
■ Call-Backs
■ Clam AV
Support
■ Command-Line
Interface
■ Client IP
Address
■ Concurrency &
Rate
■ DNS Based Lists
■ Delay Checks
■ EMEW
■ F-Prot AV
Support
■ Grey Listing
■ Grey Content
■ SMTP HELO
Testing
■ Network
Interface
■ Length & Limits
■ RFC
Conformance
■ Run Settings
■ Server
Performance
■ SIQ Support
■ SMTP Options
■ Sophos AV
Support
■ SpamAssassin
Support
■ SPF Support
■ Statistics
■ URI Blacklists
■ Verbose
Logging
d. Option Summary
■
E. Runtime
a. Command Line Options
b. Runtime Configuration
c. The Cache File
The Cache
Structure
d. The Stats File
■ The Stats
Structure
■
SnertSoft - smtpf/2.2
e. Log Messages
f. SMTP Replies
Body:ip
F. Glossary
Body:domain
Body:mail
Used to black (REJECT) or ignore (OK) domains that make up mail
addresses or URLs found within the header or body content of a message. See uri-bl and uri-dns-bl.
Concurrent-Connect:ip
Concurrent-Connect:domain
This is used to specify the maximum number of concurrent connections an SMTP client is permitted at any one time. Specify an
integer or zero (0) to disable. The bare tag can be used to specify a global setting. If an SMTP client exceeds the allotted number of
connections, then the incoming connection is dropped, while existing connections continue.
Connect:ip
Connect:domain
Used to black or white list an SMTP client. If black listed (REJECT), the connection will be dropped. If white listed (OK), then the
messages from this connection by-passes all the filtering except anti-virus. The connection can also be "grey-listed" (CONTENT),
similar to dns-gl, which only white lists a connection as far as, but not including, the data content filters.
Connect:ip:From:mail
Connect:domain:From:mail
This set of combination tags are used to black or white list sender addresses when sent from a given SMTP client. The sender
address can be easily forged and using the From: tag by itself could allow spam with a forged address. By adding the sender's
SMTP client as an extra constraint, it is possible to limit such abuse. Note that the lookup variants with blank IP, domain,
or mail are not supported.
Connect:ip:To:mail
Connect:domain:To:mail
This set of combination tags are used to black or white list recipient addresses that a given SMTP client may contact. This allows
for finer granularity of control in place of the To: tag. Note that the lookup variants with blank IP, domain, or mail are
not supported.
Emew:mail
Used to specify an alternative EMEW secret for the sender or sender's domain.
From:mail
Used to black or white list a sender's mail address. If black listed (REJECT), mail from this sender is refused. If white listed (OK),
then the messages from this sender will by-pass all the filtering except anti-virus. Black listing using this tag is fine, but white listing
is not recommended as it is too easy for someone to fake the sender address.
From:mail:To:mail
This set of combination tags are used to black or white list a pair of sender and recipient addresses. This allows for finer granularity
of control in place of the To: tag. Note that the lookup variants with blank mail elements are not supported.
Grey-Connect:ip
Grey-Connect:domain
Grey-To:mail
This is the amount of time in seconds a correspondent's grey-list record will be temporarily rejected before being accepted. If
several keys are possible for a given message, then the minimum value is used. Specify an integer number of seconds or zero (0)
to disable.
http://www.snertsoft.com/smtp/smtpf/access-map.html (3 of 7)5/4/2009 1:57:50 PM
SnertSoft - smtpf/2.2
Length-Connect:ip
Length-Connect:domain
Length-From:mail
Length-To:mail
Used to limit the maximum length of a message in octets. It is expressed as a number with an optional scale suffix K (kilo), M
(mega), or G (giga). If no length is given or is -1, then the message can be any length (ULONG_MAX).
When there are multiple message length limits possible, then the limit applied, in order of precedence is:
a. Length-To:. If there is more than one Length-To:, then the maximum limit specified will be used.
b. Length-From:
c. Length-Connect:
Msg-Limit-Connect:ip
Msg-Limit-Connect:domain
Msg-Limit-From:mail
Msg-Limit-To:mail
Used to limit the number of messages a SMTP client, sender, or recipient can send/receive in a given time period. A message limit
is given as:
messages '/' time [unit]
which is the number of messages per time interval. The time unit specifier can be one of week, day, hour, minute, or seconds (note only the
first letter is significant). A negative number for messages will disable any limit.
When there are multiple message limits possible, then the limit applied, in order of precedence is: Msg-Limit-To:, Msg-LimitFrom:, and Msg-Limit-Connect.
Null-Rate-To:mail
Spammers will often impersonate some random or otherwise false mail address within a legitimate domain, like hotmail.com.
In some cases when a third party mail system rejects spam or virus mail during the SMTP session, a DSN (bounce message) is
generated and sent back to the false sender. Since spammers typically send millions of messages with falsified sender addresses,
the mail system of the abused domain can be swamped by the backscatter. smtpf's EMEW facility was designed in part to help
with backscatter, but cannot be deployed in some mail system archietures.
So smtpf provides another mechanism to help with backscatter situations, where smtpf monitors the rate of DSN or MDN messages
(essentially any message from the "null sender") arriving per minute and rejects such messages above a certain threshold that can
be configured globally, by domain, and by recipient.
Rate-Connect:ip
Rate-Connect:domain
This is used to specify the number of connections per minute a host is allowed. Simply specify an integer or zero (0) to disable. The
bare tag can be used to specify a global setting. If an SMTP client connects too frequently in excess of this limit, then the incoming
connection is dropped.
Spamd:mail
Spamd:domain
Spamd:
Used to specify a SpamAssassin configuration to use. If the message is addressed to a single recipient, then a Spamd:mail
http://www.snertsoft.com/smtp/smtpf/access-map.html (4 of 7)5/4/2009 1:57:50 PM
SnertSoft - smtpf/2.2
lookup is done. If the message is for more than one recipient, all of whom are within the same domain, then a Spamd:
domain lookup is done. Otherwise the Spamd: default configuration is used. The right hand side action must be a user name or
address to pass to spamd. It can be a pattern list. If the special user name OK is used, then the message is not processed by
spamd.
To:mail
Used to black or white list a recipient's mail address. If black listed (REJECT), mail to this recipient will be refused; the current
message transaction is permitted to specify addition recipients or abandon the transaction. If white listed (OK), then the message
will by-passes all the filtering except anti-virus.
It should be noted that black & white listing with Connect:, Connect:From:, Connect:To:, From:, From:To:, and To:
take effect immediately in the SMTP state they apply to. This can be changed by enabling smtp-delay-checks which delays policy
rejections until the recipients have been specified with the possibility to white list. The auth-delay-checks option can be used to delay the
connection and EHLO related tests until a MAIL FROM: is received allowing for an SMTP AUTH command to be issued.
When a key lookup matches, then the value returned is a pattern list, which in its simplest and most common form is either an action word
like OK, CONTENT, DISCARD, REJECT, IREJECT, TAG, etc; or a numerical value depending on the tag involved. For example:
Connect:192.168.0
Rate-Connect:fsl.com
Msg-Limit-From:hotmail.com
OK
17
150/30m
The action words supported are:
OK
CONTENT
DISCARD
NEXT
SAVE
SKIP
SPF-PASS
TAG
TEMPFAIL
TRAP
REJECT
IREJECT
white list, by-pass one or more tests
white list as far as, but not including, the content filters;
used only with Connect:
accept & discard message
resume lookup, opposite of SKIP
save a copy of message if delivered
stop lookup & return no result
white list sender if SPF returns Pass;
used only with Connect:From: and From:
if a policy rejection or drop would occur, simply tag the Subject: header
and by-pass remaining tests
report a temporary failure condition
accept and save message to trap-dir, but do not deliver
black list, either reject or drop
immediate REJECT, ignore smtp-delay-checks; applies only to
Connect:, Connect:From:, and From:
In most instances, the above forms of key lookup and values are sufficient. However, there may be times when finer granularity of control is
required, in which case pattern lists can be used. A pattern list is a white space separated list of pattern-action pairs followed by an
optional default action. The supported types are:
[network/cidr]action
Classless Inter-Domain Routing
(only with IP address lookups)
!pattern!action
Simple fast text matching.
http://www.snertsoft.com/smtp/smtpf/access-map.html (5 of 7)5/4/2009 1:57:50 PM
SnertSoft - smtpf/2.2
/regex/action
Extended Regular Expressions.
The simple pattern matching, !pattern!, uses an asterisk (*) for a wildcard, scanning over zero or more characters; a question-mark
(?) matches any single character; a backslash followed by any character treats that character as a literal. This method always tries to match
the beginning and end of string. For example:
!abc!
!abc*!
!*abc!
!abc*def!
!*abc*def*!
exact match for 'abc'
match 'abc' at start of string
match 'abc' at the end of string
match 'abc' at the start and match 'def' at the end, maybe with stuff in
between.
find 'abc', then find 'def'
The following is an example using a simple pattern to reject client connections that originate from a range of IP addresses of an ISP
assigned to ADSL customers. Using a pattern like this allows you to drop connects from the ISP's ADSL, while still accepting connections
from mail and web servers.
Connect:hananet.net
!adsl-*-*.usr.hananet.net!REJECT
If you know that an ISP's mail and web servers follow a standard naming convention, you might prefer to only accept mail from those
instead. We include web servers here to handle the case where a web server might have to send a mail response based on a form being
filled in.
Connect:hananet.net
!smtp*.hananet.net!OK !www*.hananet.net!OK REJECT
Note that SPF was designed to help mail servers identify originators of mail, so creating patterns as shown in the above two examples is
not normally required. However, SPF is still considered experimental and not as widely deployed as one might hope.
The next example, /regex/, uses Extended Regular Expressions to validate the format of the local-part of an AOL address, which must
be between 3 and 16 characters long, can contain dots and RFC 2822 ``atext'' characters except % and /. The NEXT word allows the one
regular expression to validate the format of the address and resume key lookup if the pattern matches; otherwise if the regular expression
failed to match, REJECT the suspect aol.com address.
From:[email protected] OK
From:aol.com /^[a-zA-Z0-9!#$&'*+=?^_`{|}~.-]{3,16}@aol.com$/NEXT REJECT
The discussion of Extended Regular Expressions is vast and complex, well beyond the scope of this document. There are many on-line
tutorials and references available and the book Mastering Regular Expressions, 3e from O'Reilly covers the topic in depth.
If you need to use a pattern list, then try and follow these suggestions:
●
●
●
●
●
A pattern cannot be used as the key in an access-map lookup. Key-value tables work with constants for the keys using a
predefined lookup order as outlined above.
Use the key lookup as a selector to find a pattern list.
Use simple !pattern! matching where possible, as it will be faster than Extended Regular Expressions, /regex/.
Avoid using pattern lists with bare tag variants that specify a global default. It will more often than not cause a lot of unnecessary
attempts to match a pattern.
Keep your pattern lists short & simple.
http://www.snertsoft.com/smtp/smtpf/access-map.html (6 of 7)5/4/2009 1:57:50 PM
SnertSoft - smtpf/2.2
- TOP Copyright 2006, 2009 by SnertSoft. All rights reserved.
BarricadeMX trademark & patents pending.
http://www.snertsoft.com/smtp/smtpf/access-map.html (7 of 7)5/4/2009 1:57:50 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
smtpf.cf
While there is an example smtpf.cf file, it is recommended that you generate
one in order to have the most up-to-date version. Some options maybe dropped
or added and the example smtpf.cf may not be current. Use the command:
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
Local MTA
■ Local Route
■ FORWARD &
RELAY
■ by
domain
■ by mail
■ Call-Ahead
■ AcceptThenBounce
■ AUTH Support
■ ETRN Support
b. The Access Map
■ Lookup
Sequences
■ Tags
■ About Delay
Checks
■ Right Hand Side
Values
■ Action Words
■ Pattern Lists
■ !Simple
Patterns!
■ /Regular
Expression
Patterns/
c. The smtpf.cf File
■ Avast! AV
■
# smtpf -help > /etc/smtpf/smtpf.cf
If you already have a smtpf.cf configured, it will be read and its values merged
with the default. Values that are different from the defaults will appear
commented out above the current value.
Avast! Anti-Virus
smtpf provides support for Avast! anti-virus scanner. If you have
avastd installed and chose to scan message content as it passes
through smtpf, then specify the host:port of the avastd server with
the avastd-socket option. Make sure that the avastd process
owner, if running as something other than root, must be a member
of the same group that smtpf is running as, else it will not be
able to read any message files; see run-group.
When the avastd-socket is specified, all messages will be virus
scanned, no exceptions possible. Those servers that use MailScanner
may prefer to skip virus scanning in smtpf.
Also check the default settings for avastd-timeout option.
If a virus is found, then the default setting of avastd-policy is to reject
the message, other choices being to discard the message or take no
action (ignoring a virus infected message is a bad idea). If there is an I/
O error between smtpf and avastd, probably caused by avastd
being restarted, then the message is temporarily rejected and a
legitimate SMTP client will retry later retry sending the message.
Cache
This family of options control cache management, such as where it
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (1 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
lives, garbage collection, how long records should be kept, and whether
it needs to be shared with one or more machines.
There are three general time-to-live options which control the maximum
life span of a cache record. cache-accept-ttl is used for long term,
typically positive, results, cache-reject-ttl is used for negative results,
and cache-temp_fail-ttl for temporary failures. Unless otherwise
specified for a particular test like Grey Listing or recipient CallAheads, the life span of cache records are extended every time they
are consulted, so that active records can remain cached for long
periods of time.
If you have more than one MX on the same local network segment
then it is recommended you specify the same multicast IP group for all
MXes with cache-multicast-ip, such as 232.0.0.1 or FF12::0001. As
local cache records are added or modified, they are broadcast to this
multicast IP group so that all smtpf listeners can be kept in sync in case
an SMTP client later connects to one of the other MXes. This is
particularly important for grey-listing in order to avoid unnecessary
delays in mail delivery.
If you have more than one MX on different network segments or
different subnets, then specify either a definitive domain that lists all
those machines as MX servers with cache-unicast-domain or a list
of host names and/or IP addresses with cache-unicast-hosts. Note
these two options are mutually exclusive.
When using the cache-unicast-domain option, as local cache
records are added or modified, they are broadcast to each MX server
for the domain in turn. Note that unicast cache updates are less efficient
than multicast and should only be used in instances where multicast is
not ideal. Also note that a current limitation of the DNS client code does
not support multihomed MX records nor truncated UDP packets, so be
sure to review your MX setup and make adjustments accordingly.
Sometimes cache-unicast-domain is not convient to use, in which
case cache-unicast-hosts is provided as a simpler way to specify
hosts to which unicast cache packets should be sent. While cacheunicast-hosts is easier to use and setup, maintaining the list in sync
across many machines could be more problematic than cacheunicast-domain and managing the DNS records for a single special
(sub)domain. Note the list of unicast cache hosts is read
once when smtpf is started, therefore changes to the list of
hosts requires that smtpf be restarted.
Support
■ Cache Options
■ Call-Backs
■ Clam AV
Support
■ Command-Line
Interface
■ Client IP
Address
■ Concurrency &
Rate
■ DNS Based Lists
■ Delay Checks
■ EMEW
■ F-Prot AV
Support
■ Grey Listing
■ Grey Content
■ SMTP HELO
Testing
■ Network
Interface
■ Length & Limits
■ RFC
Conformance
■ Run Settings
■ Server
Performance
■ SIQ Support
■ SMTP Options
■ Sophos AV
Support
■ SpamAssassin
Support
■ SPF Support
■ Statistics
■ URI Blacklists
■ Verbose
Logging
d. Option Summary
E. Runtime
a. Command Line Options
b. Runtime Configuration
c. The Cache File
The Cache
Structure
d. The Stats File
■ The Stats
■
When using multicast and/or unicast cache, all participating servers
must specify the same shared cache-secret. Cache updates are
broadcast as UDP datagrams in the clear, so in order to authenticate
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (2 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
valid UDP packets and detect attempts at tampering, an MD5 signature
is generated using this secret and the packet contents, then included in
the packet sent. The receiver regenerates an MD5 signature based on
what they received and compares the signature contained in the packet
to see if they match.
Structure
e. Log Messages
f. SMTP Replies
F. Glossary
Also note when using the multicast and/or unicast cache, that clocks on all participating systems must be in sync, otherwise
unusual behaviour will result.
For information about manipulating the cache manually, please refer to the document about The Cache File.
Call-Backs
Call-backs are a form of sender address verification. The idea being to contact one of the sender's MX servers to validate if their
server and mail address is known and in good standing. Accept or reject responses to the test are cached, while temp. fail
responses are cached typically for a shorter time with call-back-temp-fail-ttl.
If a call-back succeeds and call-back-pass-grey is enabled, then grey-listing will be skipped to avoid any delays. However, with
the enhanced grey-listing as implemented in smtpf, this is not recommended, since spam can forge the sender with a valid mail
address expressly for this purpose passing the call-back and grey-listing.
Call-backs are a very unpopular technique with many large mail services. They are seen to consume their system resources
and as an abuse vector for anonymous proxy dictionary attacks used in harvesting mail addresses. As a result, some services may
chose to locally black list servers that they think are performing a dictionary attack, because there is no means to tell the difference
from a call-back.
Call-backs as implemented in smtpf are delayed until the SMTP DATA command is issued and before the 354 go-ahead response
is sent in order to allow as many passive pre-DATA tests the chance to reject the message. However, despite these best efforts to
make call-backs less intrusive, they could result in your mail servers being black listed. Use with caution.
Clam Anti-Virus
smtpf provides support for the clamd open source anti-virus scanner. If you have clamd installed and chose to scan
message content as it passes through smtpf, then specify a unix domain socket path or host:port of the clamd server with the
clamd-socket option. Make sure that the clamd process owner, if running as something other than root, must be a member
of the same group that smtpf is running as, else it will not be able to read any message files; see run-group. In addition,
in the /etc/clamd.conf specify AllowSupplementaryGroups yes and restart clamd.
When the clamd-socket is specified, all messages will be virus scanned, no exceptions possible. Those servers that use
MailScanner may prefer to skip virus scanning in smtpf.
Also be sure to check the default settings for clamd-timeout and clamd-max-size options.
If a virus is found, then the default setting of clamd-policy is to reject the message, other choices being to discard the message or
take no action (ignoring a virus infected message is a bad idea). If there is an I/O error between smtpf and clamd, probably
caused by clamd being restarted, then the message is temporarily rejected and a legitimate SMTP client will retry later retry
sending the message.
Client IP Address
There are a group of tests that deal with the SMTP client IP address. The first, client-ptr-required, will reject the SMTP client if it
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (3 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
does not have DNS PTR record.
The second, client-ip-in-ptr, takes the result of the PTR lookup and applies a heuristic that identifies if the client's PTR contains
octets from the client's IPv4 address (IPv6 is currently ignored) as this tends to be a good indicator of an ISP customer connecting
from dynamically assigned address space when they should be passing through the ISP approved outbound SMTP server.
The above two tests are very aggressive and can often lead to false positives when a legitimate ISP customer actually has a
static IP address and/or no control over ISP assigned PTR name. It is not recommended to use them by themselves.
However, the client-is-mx option will temper the above two tests by delaying their application until the MAIL FROM: is supplied.
If the sender address does not pass the SPF check and the client's IP address does not correspond to one of the MX records
listed for the sender's domain, then the MAIL FROM: may be rejected and the connection dropped if either of client-ptr-required
or client-ip-in-ptr failed.
Concurrent Connections & Connection Rate Controls
See the access-map concerning the Concurrent-Connect: and Rate-Connect: tags.
DNS Black, Grey, and White Lists
When specified the dns-bl is a space or comma separated list of DNS black list zone suffixes. For example:
dns-bl="sbl-xbl.spamhaus.org bl.spamcop.net"
When enabled, smtpf will check the SMTP client's IP address against each black list specified in the order given. If the black list returns a
result indicating that client IP is a known source of spam, then the connection is dropped.
Occasionally a SMTP client takes a long time to send one or more messages through, possibly due to client CPU load and/or Internet
traffic. During such connections the idle-retest-timer will occasionally reapply some tests like dns-bl. The idea being that the dns-bl
maybe have received new information and updated their databases to include the connected client as a new spam source. When this
happens the connection is dropped.
smtpf also supports two other forms of DNS based lists using the same syntax as dns-bl. They are dns-gl and dns-wl. The dns-wl
option white lists an SMTP client through all the tests except anti-virus, dns-gl option will grey list an SMTP client through all the pre-DATA
tests upto, but not including the content based filters (anti-virus, attachment types, Digest BL, EMEW, grey content, SpamAssassin, URI
filtering, etc.). The dns-wl is used when you have total confidence in the DNS based white list, while dns-gl is intended for use with DNS
white lists when you might have less than 100% confidence in the list.
Delay Checks
Sendmail and Postfix MTAs have a concept called "delay-checks", which essentially allows for recipient white listing to override
possible rejections that might occur due to policy tests early in the SMTP session.
When the smtp-delay-checks is enabled, all the policy based tests leading up to the recipients being specified are still
performed, but any rejection or drop result is delayed and a "250 2.0.0 proceed" reply given. As each recipient address is specified,
it is checked whether it is black or white listed, in which case the recipient is rejected or accepted (and subsequent tests bypassed). Recipient addresses that are neither black nor white will either be rejected if there is a previously delayed rejection/drop
result or simply accepted.
Enhanced Message-ID as Email Watermark (EMEW)
EMEW provides a means to filter DSN and MDN backscatter caused when a spammer or virus impersonates a mail address of a
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (4 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
local mail box. It will also auto-white list replies through content filters.
When an outbound message without an EMEW passes through the mail server, the Message-Id header is modified with an
encoded timestamp and one-way security hash generated from the encoded timestamp, the original sender address, the original
Message-ID, and the emew-secret. An alternative EMEW secret can be specified using an Emew: tag in the access-map for
either the sender address or sender domain. For EMEW to work correctly all outbound and inbound mail servers for the sender's
domain must use the same secret.
When a recipient later replies, sends a mail delivery notice (MDN), or an error message (DSN) is sent back to our server, it will
contain a reference to our enhanced Message-ID that will allow smtpf to verify if the reply is actually in response to a message that
originated or transited our systems. If a DSN or MDN does not contain a reference to a valid EMEW then apply the emew-dsnpolicy.
In order to reduce the risk for replay attacks, emew-ttl specifies how long an EMEW remains valid. If a stale EMEW appears in a
DSN or MDN, then the message is rejected according to emew-dsn-policy. Otherwise if a stale EMEW appears in a recipient
reply, then the message will be subjected to content filtering as normal.
Some mail architectures make it impossible or very difficult to deploy EMEW. For this reason an alternative facility is available to
deal with backscatter, the Null-Rate-To: tag, which monitors the rate of mail from the null sender (MAIL FROM:<>) arrives
and imposes a threshold. This threshold can be global or varied according to recipient domain or address.
F-Prot Anti-Virus
smtpf provides support for F-Prot anti-virus scanner. If you have fpscand installed and chose to scan message content as it
passes through smtpf, then specify the host:port of the fpscand server with the fpscand-socket option. Make sure that the
fpscand process owner, if running as something other than root, must be a member of the same group that smtpf is
running as, else it will not be able to read any message files; see run-group.
When the fpscand-socket is specified, all messages will be virus scanned, no exceptions possible. Those servers that use
MailScanner may prefer to skip virus scanning in smtpf.
Also check the default settings for fpscand-timeout option.
If a virus is found, then the default setting of fpscand-policy is to reject the message, other choices being to discard the message
or take no action (ignoring a virus infected message is a bad idea). If there is an I/O error between smtpf and fpscand, probably
caused by fpscand being restarted, then the message is temporarily rejected and a legitimate SMTP client will retry later retry
sending the message.
Grey Listing
One of the more significant tests in smtpf is the enhanced grey-listing.
The original grey listing method keeps track of key sets consisting of the SMTP client's IP, sender's envelope, and recipient's
envelope. If a key set does not exist in the cache, then a new record is added and kept until it expires and the message is
temporarily rejected.
A legitimate server, when temporarily rejected, is expected to queue the message and retry sending it sometime in the near future.
The temporary reject policy remains in force until the temporary block period (grey-temp-fail-period) has elapsed, at which point
the message will be allowed to be delivered until the cache record expires.
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (5 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
Our enhanced grey-listing introduces some interesting optimisations. The first being that the grey-list key set is configurable
with the grey-key option and that one of the configurable key set members can be the SMTP client's PTR information found from
a DNS lookup.
One of the common problems with grey-listing is that some sending sites use a pool of mail servers with a shared mail queue (gmail.
com is one such site). This has a negative impact on recipient sites using the original grey-listing { ip, sender, recipient } key set.
The receiving site constantly sees a different IP address, but with the same sender and recipient. This results in the receiving site
greylisting and delaying a message multiple times, and may result in a message not being delivered.
With the SMTP client's PTR information, we remove the first label from the PTR (note this is a generalisation of the process), then
use this trimmed PTR as part of the grey-listing key set. If no PTR result was found, then the client's IP address is used as with the
original grey-list method. The net effect of using the trimmed PTR in place of the IP address is that it grey-lists the sender's pool of
mail servers instead of just a single machine.
For example, consider a sender site like:
out1.pool1.example.com
out2.pool1.example.com
out3.pool1.example.com
out4.pool1.example.com
192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.4
Using the original grey-list key set, the first time the sending site connects, the receiver will record:
{ 192.0.2.3, [email protected], [email protected] }
and temporarily reject the mail. When the sending site retries, the receiver will likely see a different connecting IP address and record a new
grey-list key:
{ 192.0.2.1, [email protected], [email protected] }
and temporarily reject the mail. This process can repeat itself for as many times as there are machines in the sending pool of servers,
resulting in excessive mail delivery delays.
Using our optimisation, if the sender connects from IP address 192.0.2.3 which has a PTR of out3.pool1.example.com,
then the receiver would use the trimmed PTR information to record the following grey-list key the first time the sender attempts to deliver
the message:
{ pool1.example.com, [email protected], [email protected] }
and temporarily reject the message. The next time the sending site connects to the receiver, no matter from which machine within
the same pool, the trimmed PTR information will match the previously cached record and result in the mail being passed through greylisting.
The second optimisation concerns the objective of grey-listing as an anti-spam technique, which is essentially: does the remote mail
server implement a retry queue? The assumption here being that spam sources do not bother with retry queues for speed. Many
trivial grey-listing implementations record each and every unique { ip, sender, recipient } set, only allowing repeat visits from the same key
set to passed without delay. However, once it is determined that a remote mail server implements a retry queue, new mail from the same
host, but from different senders and/or to different recipients will result in additional and redundant grey-listing delays.
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (6 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
So in order to improve mail throughput, once a host or pool of hosts is known to implement a retry queue and if the grey-key specifies
either the key set members IP or PTR, then we create a new cache record with a shortened key using only the IP or trimmed PTR
information and allow all subsequent mail from that IP or trimmed PTR group to pass unhindered.
For example the first time an unknown SMTP client attempts to send a message, smtpf records:
{ pool1.example.com, [email protected], [email protected] }
When the sending site later retries to send the message, smtpf will find the above cached record and shorten that record key to be:
{ pool1.example.com }
Now when the sending site connects again in the future, smtpf will first look for the shortened key using either the SMTP client's trimmed
PTR information or IP address and if it finds the record, passes the mail regardless of who the sender and recipients are, since we know
that the hosts in question implement a retry mail queue. If the shortened key is not present, we look for the regular grey-list cache record
and handle as before.
By default grey-key="ptr,mail,rcpt" takes advantage of both optimisations. The original grey-list method can be used by specifying greykey="ip,mail,rcpt", though the second optimisation is still applied. To disable grey-listing specify an empty value grey-key="".
The grey-content option provides a variant on grey-listing. When an unknown key set is seen, a cache entry is created with the MD5
hash of the message content, and it is temporarily rejected. Subsequent attempts to deliver the message result in a temporary rejection
until the grey-temp-fail-period has expired, at which point a MD5 hash of the message content is generated and compared with that
previously saved within the cache. If the compared hashes are equal, then the message is allowed to proceed. Otherwise messages from
this key set continue to be temporarily rejected until the originally message is seen once again.
The grey-content technique is effective against spamware that changes the content of their junk messages regularly in an effort to defeat
Bayes analysis, distributed checksums, and/or simple pattern scanners. If the spammers do not change their text, then they will pass this
test only to be caught most likely by something else like URI filtering or SpamAssassin.
SMTP HELO, EHLO Argument Testing
The first test applied verifies that the SMTP HELO argument contains only valid characters that can appear in a FQDN or IPdomain literal. An invalid character will reject the command and drop the connection.
The HELO argument is suppose to be a FQDN or it may be a IP-domain literal, which is technically not allowed by RFC 2821, but
is a commonly accepted convention. The option rfc2821-strict-helo will reject and drop a connection, if the HELO argument is a
bare unqualified name.
When reject-rfc2606 is enabled and the SMTP client is not one of our relays nor a RFC 3330 private LAN address, then smtpf
with reject the command and drop the connection if the HELO argument is a reserved domain name as defined by RFC 2606 or
similar such as .localdomain.
If helo-ip-mismatch is enabled and the HELO argument is an IP-domain-literal, then it must match that of the SMTP client IP
address, otherwise the command is rejected and the connection dropped. RFC 3330 private LAN addresses are excluded.
Another interesting HELO test is helo-claims-us where the connected client is neither one of our relays nor a RFC 3330 private
LAN address, yet specifies a HELO argument that claims to be from a domain we are responsible for, in which case the command
is rejected and the connection dropped.
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (7 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
Finally if uri-bl-helo is enabled and uri-bl and/or uri-dns-bl are specified, then the HELO argument is tested against one or
more URI black lists, rejecting the command and dropping the connection if true.
Interface Settings
smtpf defaults to connecting to both IPv6 and IPv4 interfaces on port 25 (see interfaces option). This can be configured to be a
more restrictive list of hostnames or IP address if necessary in order to exclude some interfaces from the "bind to all" default. The
canonical hostname for each interface will be looked up and used as the hostname in the welcome banner and for the HELO/EHLO
argument when forwarding connections.
When specifying an IPv6 address with a port number, the address must appear within square brackets, [ and ], for example
"[2001:DB8::1234]:25". Using an IPv4 address within the square brackets is also supported, eg.
"[192.0.2.1]:25", in addition to the traditional IPv4 dot-colon notation, eg. "192.0.2.1:25".
Message Length & Limit Controls
See the access-map concerning the Length-*: and Msg-Limit-*: tags.
RFC Compliance Controls
There are many RFC documents that cover many aspects of the Internet. smtpf has several options that check for RFC
conformance pertaining to mail.
Probably the most important set of RFC documents pertain to how mail travels using SMTP (RFC 2821) and the structure of mail
messages (RFC 2822).
RFC 2821 documents several limits that SMTP servers must be able to support and that messages must not exceed, such as the
maximum length of the parts that appear before (rfc2821-local-length) and after (rfc2821-domain-length) the at-sign (@) of
an mail address, and the maximum length of a message line (rfc2821-line-length) can be. When enabled, these length related
options will reject mail addresses or messages that exceed the documented limits.
While exceeding these lengths are often a sign of spam or mail born viruses, there are also some legitimate, yet badly written mail
software throughout the Internet, that also exceed them. Therefore the above length controls should be used with caution as
they could result in legitimate mail being rejected.
SMTP is a protocol that has a well defined grammar and syntax, particularly for specifying mail addresses as arguments to the
MAIL FROM: and RCPT TO: commands. When rfc2821-angle-brackets is enabled, then mail addresses that don't adhere to
this syntax are rejected.
Sendmail is a very popular MTA, that uses a plus-sign (+) in the local part before the at-sign (@) to delimit the mail box name from
a folder or tag attributed by the mail box user. When rfc2821-literal-plus is disabled, then any plus-detail appearing in a
mail address is removed before performing various access-map or route-map lookups. When enabled, the entire local-part is
used unmodified.
The option rfc2821-strict-helo enforces the requirement that the HELO argument be a FQDN, ie. has two or more labels or is an
IP-domain-literal. Anything else would be rejected.
The end of the DATA state and message transfer is suppose to be denoted by a CRLF-DOT-CRLF sequence, ie. a line consisting
only of a single period. Enabling rfc2821-strict-dot option enforces this, since accepting other newline dot combinations could
inadvertently terminate the message transfer early and subsequent unknown command errors. When disabled, other newline
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (8 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
combinations are accepted, such as LF-DOT-LF, CRLF-DOT-LF, and LF-DOT-CRLF. Unfortunately, while typically a sign of spam
software, there are some badly written mail applications that are careless in their handling of newlines and the final dot.
Mail messages, in particular the headers, are not suppose to contain unencoded 8-bit data, since how those values are interpreted
when scanned can vary based on regional language and they can cause legacy mail systems to fail. With rfc2822-7bit-headers
set, if the message headers are not 7-bit ASCII printable, then the message is rejected.
There are several domains, as described by RFC 2606, reserved for documentation and special local uses. They are the top level
domains .test, .example, .invalid, .localhost, and the second level domain .example using any TLD. These
domains should never appear in domain names from the public Internet. If rfc2606-special-domains is enabled, then various
tests are applied at different stages to the SMTP client name, HELO argument, sender and recipients. The appearance of a
reserved domain will cause a rejection, unless the SMTP client is from the LAN or a relay. While not part of RFC 2606, .
localdomain and .local are also included in the restricted list.
Run Settings
smtpf is normally started by the root user in order to bind to SMTP port 25, set its working directory to run-work-dir, create its
run-pid-file, and switch to a chroot jail if run-jailed is set. Once initialised, the smtpf process drops root privileges and
becomes the user and group specified by run-user and run-group respectively.
The run-open-file-limit is used to specify the maximum number of open files for the smtpf process. When approximately half this
number is reached, smtpf will start to refuse SMTP connections on the assumption that each SMTP client needs at least two file
descriptors in order to process the session.
Server Performance
The server connection handling uses a collection of pre-spawned server threads that are reusable and grow or shrink as load
varies. This server design reduces the effect of constantly creating and destroying threads by maintaining an active pool of waiting
threads.
server-min-threads sets the lower bound on the number of server threads to keep in circulation. server-new-threads
specifies the number of new servers threads to create when there a no available server threads to handle new connections. The
smtp-accept-timeout option specifies how long a server thread will wait for a new connection before it times out and is possibly
terminated.
SIQ Protocol Support
smtpf provides support for the SIQ protocol used to query a list of siq-servers for a score concerning client IP and sender domain
pair according to reputation services' criteria. Reputation services use such factors as stability, longevity, identifiability, SPF match,
RHS type grouping, verified PTR record matching, etc. One such service is already available from Outbound Index. Please
check with the service(s) available before using them as some require registration before they will answer queries.
A reputation service will return a score between 0 and 100. If you want to reject a message with a low score, then set the siqscore-reject threshold to something between 0 and 99 (-1 to disable). Scores less than or equal to this threshold are rejected.
Similarly the siq-score-tag can be set to the value below which the message's Subject header would be prefixed with the siqsubject-tag.
It is possible to use both siq-score-reject and siq-score-tag so that clearly dubious message sources are rejected, while
messages sources with a less definitive score would only be tagged as suspect and continue to be delivered. A SIQ-Report header
containing a summary of any SIQ result is always added.
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (9 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
SMTP Settings
When smtpf binds to SMTP port 25, it can only accept one connection at a time, while the kernel queues any other connections that
arrive. The smtp-server-queue value is used to tell the kernel how many connections it should be prepared to handle before
refusing clients.
When an SMTP client connects, it is supposed to wait for the SMTP 220 response and welcome message. Some spam software
will often assume that the ESMTP pipelining is used and simply blast out one or more message transactions, ignoring any
responses from the server. One or more GreetPause: tags, which specify a delay in milliseconds, can be added to the
access-map. If the client sends any data before this delay expires, then the connection will be dropped.
An SMTP client that successfully connects is sent a 220 status code along with the SMTP server host name and a welcome
message. smtp-welcome-file can be used to supply a custom welcome message and it is the file path to a file containing one or
more lines of text. The 220 status code will be automatically prepended to each line. It is recommended that this message be two or
more lines as this has been found to foil some spam software that fail to handle multiline responses. If an empty string is given, a
hard coded default is used.
The CommandPause: tag used in the access-map is similar in principal to GreetPause:. It specifies the number of
milliseconds to pause before processing a SMTP command. If more input arrives before the delay passes then the command is
rejected and the connection dropped. If a CommandPause: lookup returns a value of zero (0), then smtpf will allow RFC 2920
SMTP Pipelining after a successful EHLO command.
It is possible to drop a client connection after a certain number of unsuccessful SMTP commands with smtp-drop-after.
The smtp-drop-unknown can be used to reject and drop a connection that issues an unknown SMTP command. This option
should be used with care, because it has been seen that Cisco Pix firewalls with SMTP filtering enabled, will for some silly reason
obfuscate an EHLO command and thus trigger this test. Use with caution.
smtpf provides a very simple form of tar pitting when smtp-reject-delay is set. For any negative SMTP responses, exponentially
delay sending the responses to the client. After several temporary failures or rejects, the client connection will timeout and be
dropped. Particularly interesting in combating dictionary harvesting attacks.
The smtp-connect-timeout in seconds is used when smtpf attempts to make a connection to a FORWARD: host. While the
smtp-command-timeout in seconds controls how long smtpf will wait for the next client command or server response. Finally
the smtp-data-line-timeout in seconds controls how long to wait for the next message line from the client. If a client takes too
long, the connection will be dropped.
The smtp-enable-esmtp option when disabled causes some badly written spam software that fails to fall-back to regular SMTP
to disconnect or become out-of-sync (see the ehlo-no-helo counter). Regular mail software is unaffected and falls-back correctly.
Other spam software will send an EHLO and when the command is rejected, send a HELO, but using a different host/domain
argument to the EHLO that was previously sent; smtpf will reject and drop these connections (see the helo-schizophrenic counter).
Sophos Anti-Virus
smtpf provides support for Sophos anti-virus scanner. If you have savdid installed and chose to scan message content as it
passes through smtpf, then specify the host:port of the savdid server with the savdid-socket option. Make sure that the
savdid process owner, if running as something other than root, must be a member of the same group that smtpf is
running as, else it will not be able to read any message files; see run-group.
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (10 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
When the savdid-socket is specified, all messages will be virus scanned, no exceptions possible. Those servers that use
MailScanner may prefer to skip virus scanning in smtpf.
Also check the default settings for savdid-timeout option.
If a virus is found, then the default setting of savdid-policy is to reject the message, other choices being to discard the message
or take no action (ignoring a virus infected message is a bad idea). If there is an I/O error between smtpf and savdid, probably
caused by savdid being restarted, then the message is temporarily rejected and a legitimate SMTP client will retry later retry
sending the message.
Spamd Support
smtpf provides support for SpamAssassin the open source message content scanner. If you have spamd installed and chose to
scan message content as it passes through smtpf, then specify a unix domain socket path or host:port of the spamd server with the
spamd-socket option.
Also be sure to check the default settings for spamd-timeout and spamd-max-size options.
When scanning message content with spamd, the default spamd-command is to simply CHECK and report the score and a yes/
no answer. The other commands possible are SYMBOLS, REPORT, and REPORT_IFSPAM, which provide more detailed
logging if the verbose spamd flag is set.
As of smtpf 2.0 it is now possible to tag the Subject: header with a custom prefix given by spamd-subject-tag. The Subject: tag
is applied when the score returned by SpamAssassin is greater than or equal to the required_score defined in the
SpamAssassin configuration and less than the value given by spamd-score-reject.
In addition X-Spam-Flag, X-Spam-Status, X-Spam-Level, and X-Spam-Report headers may be added
depending on the result. The X-Spam-Report varies depending on the spamd-command applied.
Some sending sites include X-Spam-Flag: YES and/or X-Spam-Status headers that indicate that they already thought
the message was spam. In such case when the X-Spam-Status score exceeds our spamd-score-reject, we reject the
message. Or if there is only a X-Spam-Flag header that states YES (regardless of case), then we reject the message.
Otherwise we discard previous X-Spam-* headers and content filtering proceeds as per usual.
It is possible to specify a specific SpamAssassin configuration file to use through the use of spamd: tag. If the message is
addressed to a single recipient, then a Spamd:mail lookup is done. If the message is for more than one recipient, all of whom
are within the same domain, then a Spamd:domain lookup is done. Otherwise the Spamd: default configuration is used. The
right hand side must be a user name or address to pass to spamd. It can be a pattern list. If the special user name OK is used,
then the message is not processed by spamd.
SPF Classic Support
SPF Classic is a means by which a domain documents, using DNS TXT records, all the valid sources of mail. SPF is an
interesting idea, but is considered experimental by the IETF. SPF checks use the SMTP client's IP address, the HELO argument,
and MAIL FROM: domain to determine whether a message is coming from an acceptable mail source. The spf-helo-policy and
spf-mail-policy options can be set to reject messages that result in hard and/or soft failures.
Many mail systems have no SPF record or have syntax errors, so when there is no SPF pass result from the SPF check, the spfbest-guess-txt option can perform a second SPF using the supplied string (for example "v=spf1 a/24 mx/24 ptr") to see if that
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (11 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
would yield a pass result. Otherwise the result of the first SPF check is retained.
The enhanced grey-listing and client-is-mx options will take the SPF results into account. When spf-received-spfheaders is set, then Received-SPF headers detailing the results will be added to a message's headers.
Statistics
smtpf can gather assorted statistics, such as the number of connections, how many were intentionally dropped, number of lost
client connections, how many times a particular test fires, etc. The majority of the counters are grouped by category: CLIENTS,
SENDERS, RECIPIENTS, and MESSAGES. The percentages are computed by dividing a counter by the counter of the
category it appears in. Note that multiple statistics counters can be incremented during the lifetime of the SMTP connection.
By default the stats-map is disabled. When enabling statistics, the SQLite database is the recommended format. Also note that it
becomes the responsibility of the statistics gathering software to age and remove old statistics from the stats-map as it will grow
over time.
The stats-map consists of key-value pairs where the key is given by a string of digits indicating the current hour according to
"YYYYMMDDHH". The value is a space separated list of hex values. The special key "fields:$VERSION", where $VERSION is the
smtpf version number. The fields key is used to obtain the field names and the order they are saved in, since this can change
between versions of smtpf.
It is possible to observe the raw statistics while smtpf is running. See the SMTP STAT extension.
URI Black Listing
URI can appear in the headers and content of a message. They typically take the form of email addresses, machine host names,
and web page links. When the uri-bl and/or uri-dns-bl are specified, smtpf will parse and MIME decode a message looking for
URI and check the domain portion against one or more DNS based URI black list services. When a black listed URI is found, the
uri-bl-policy is then applied at the end of the message.
By enabling uri-sub-domains it is possible to check sub-domains against all the URI black lists servers specified by uri-bl and/or
uri-dns-bl. Note though that most URI black lists currently only list the top level domains, therefore enabling this option will
generate more DNS traffic with little result.
Sometimes spammers will use the same domain that appears in their spam content for the their host name or as the domain that
appears in either the HELO or MAIL FROM: arguments and so it is sometimes possible to catch spam early in the SMTP
transaction. By enabling uri-bl-ptr, uri-bl-helo, or uri-bl-mail options the SMTP client host name, HELO argument, or MAIL
FROM: arguments repectively are checked against the URI black list services given by uri-bl and/or uri-dns-bl.
Some messages, be them spam or HTML formatted news letters for example, will include a lot of URI throughout. The uri-maxtest option will limit the number of unique URI domains that are checked in order to avoid possible denial of service situations from
looking up too many URI, while the uri-max-limit counts how many URI are present and if over a given threshold a message
would be rejected.
Some spam messages intentionally add broken or circular web page links. By specifying a uri-links-policy other than none, each
web link will be tested using an HTTP HEAD request to see if a link is broken or generates a circular loop of HTTP redirects. If true
the selected policy is applied. The http-timeout option specifies how long to wait in seconds before giving up testing a link.
Verbose Logging
smtpf is capable of logging a lot of detail about the software's behaviour, SMTP transaction details concerning the SMTP client and
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (12 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
FORWARD: hosts, and actions of various options to the system's mail log. The extra logging can aid in finding software and/or
configuration issues. However, in day to day operations verbose='error,info' is typically sufficient. Note too that the
logging level can be adjusted at runtime without having to restart the server. See the SMTP VERB extension.
- TOP Copyright 2006, 2009 by SnertSoft. All rights reserved.
BarricadeMX trademark & patents pending.
http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html (13 of 13)5/4/2009 1:57:53 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
Option Syntax
Options can be expressed in four different ways. Boolean options are
expressed as +option or -option to turn the option on or off
respectively. Numeric, string, and list options are expressed as
option=value to set the option or option+=value to append to a
list. Note that the +option and -option syntax are equivalent to
option=1 and option=0 respectively. String values containing white
space must be quoted using single (') or double (") quotes. Option names are
case insensitive.
Some options, like +help or -help, are treated as immediate actions or
commands. Unknown options are ignored and not reported. The first commandline argument is that which does not adhere to the above option syntax. The
special command-line argument -- can be used to explicitly signal an end to
the list of options.
The default options, as shown below, can be altered by specifying them on the
command-line or within an option file, which simply contains command-line
options one or more per line and/or on multiple lines. Comments are allowed
and are denoted by a line starting with a hash (#) character. If the file option is
defined and not empty, then it is parsed first, followed by the command line
options.
Option names that start with a leading underscore (_) are considered
experimental and subject to change or be removed from future builds. They
should not normally be used on production systems.
Option Summary
access-map=sql!/etc/smtpf/access.sq3
The type and location of the read-only access key-value map. It
provides a centralised means to black and white list hosts, domains,
mail addresses, etc. The following methods are supported:
sql!/path/database
socketmap!host:port
http://www.snertsoft.com/smtp/smtpf/summary.html (1 of 21)5/4/2009 1:57:57 PM
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
Local MTA
■ Local Route
■ FORWARD &
RELAY
■ by
domain
■ by mail
■ Call-Ahead
■ AcceptThenBounce
■ AUTH Support
■ ETRN Support
b. The Access Map
■ Lookup
Sequences
■ Tags
■ About Delay
Checks
■ Right Hand Side
Values
■ Action Words
■ Pattern Lists
■ !Simple
Patterns!
■ /Regular
Expression
Patterns/
c. The smtpf.cf File
■ Avast! AV
Support
■
SnertSoft - smtpf/2.2
socketmap!/path/local/socket
socketmap!123.45.67.89:port
socketmap![2001:0DB8::1234]:port
For those locations that specify a host:port, if :port is omitted, the
default is 7953.
The access-map contains key-value pairs. Lookups are performed from
most to least specific, stopping on the first entry found. Keys are caseinsensitive.
An IPv4 lookup is repeated several times reducing the IP address by one octet
from right to left until a match is found.
tag:192.0.2.9
tag:192.0.2
tag:192.0
tag:192
An IPv6 lookup is repeated several times reducing the IP address by one 16-bit
word from right to left until a match is found.
tag:2001:0DB8:0:0:0:0:1234:5678
tag:2001:0DB8:0:0:0:0:1234
tag:2001:0DB8:0:0:0:0
tag:2001:0DB8:0:0:0
tag:2001:0DB8:0:0
tag:2001:0DB8:0:0
tag:2001:0DB8:0
tag:2001:0DB8
tag:2001
A domain lookup is repeated several times reducing the domain by one label
from left to right until a match is found.
tag:[ipv6:2001:0DB8::1234:5678]
tag:[192.0.2.9]
tag:sub.domain.tld
tag:domain.tld
tag:tld
tag:
An email lookup is similar to a domain lookup, the exact address is first tried,
then the address's domain, and finally the local part of the address.
Cache Options
■ Call-Backs
■ Clam AV
Support
■ Command-Line
Interface
■ Client IP
Address
■ Concurrency &
Rate
■ DNS Based Lists
■ Delay Checks
■ EMEW
■ F-Prot AV
Support
■ Grey Listing
■ Grey Content
■ SMTP HELO
Testing
■ Network
Interface
■ Length & Limits
■ RFC
Conformance
■ Run Settings
■ Server
Performance
■ SIQ Support
■ SMTP Options
■ Sophos AV
Support
■ SpamAssassin
Support
■ SPF Support
■ Statistics
■ URI Blacklists
■ Verbose
Logging
d. Option Summary
■
E. Runtime
a. Command Line Options
b. Runtime Configuration
c. The Cache File
The Cache
Structure
d. The Stats File
■ The Stats
Structure
■
tag:[email protected]
tag:sub.domain.tld
tag:domain.tld
tag:tld
tag:account@
http://www.snertsoft.com/smtp/smtpf/summary.html (2 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
e. Log Messages
f. SMTP Replies
tag:
F. Glossary
If a key is found and is a milter specific tag (ie. smtpf-Connect, smtpf-From,
smtpf-Auth, smtpf-To), then the value is processed as a pattern list and the
result returned. The Sendmail variants cannot have a pattern list. A pattern list
is a whitespace separated list of pattern-action pairs followed by an optional default action. The supported patterns are:
[network/cidr]action
!pattern!action
/regex/action
Classless Inter-Domain Routing
Simple fast text matching.
Extended Regular Expressions
The CIDR will only ever match for IP address related lookups.
A !pattern! uses an asterisk (*) for a wildcard, scanning over zero or more characters; a question-mark (?) matches any single
character; a backslash followed by any character treats it as a literal (it loses any special meaning).
!abc!
!abc*!
!*abc!
!abc*def!
!*abc*def*!
exact match for 'abc'
match 'abc' at start of string
match 'abc' at the end of string
match 'abc' at the start and match 'def' at the end, maybe
with stuff in between.
find 'abc', then find 'def'
For black-white lookups, the following actions are recognised: OK (white list), SPF-PASS (white-list sender if SPF passed), REJECT (black
list), DISCARD (accept & discard), SKIP or DUNNO (stop lookup, no result), and NEXT (opposite of SKIP, resume lookup). It is possible to
specify an empty action after a pattern, which is treated like SKIP returning an undefined result. Other options may specify other actions.
±access-tag-words
Write to standard output access-map action tag and valid word mapping.
±access-word-tags
Write to standard output access-map action word and valid tag mapping.
-auth-delay-checks
Delay some client connection and HELO tests until MAIL FROM: to allow the sender to authenticate using the AUTH command.
avastd-policy=reject
Policy to apply if message is infected. Specify either none, reject, or discard.
avastd-socket=
The unix domain socket or Internet host[:port] of the avastd server. Specify the empty string to disable avastd scan. The default
clamd port is 5037.
avastd-timeout=120
The avastd I/O timeout in seconds.
cache-accept-ttl=604800
Cache time-to-live in seconds for positive results. A record will be maintained as long as there is regular activity.
http://www.snertsoft.com/smtp/smtpf/summary.html (3 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
cache-gc-interval=300
Cache garbage collection interval in seconds.
cache-multicast-ip=
The Multicast Cache facility provides the ability to share cache updates between two or more machines on the same network
segment. The multicast group can be an IPv4 or IPv6 address plus an optional port. For IPv4, RFC 3171 reserves 232/8 for one-tomany applications. RFC 3513 outlines multicast IPv6 assignment and it is recommended to use something within FF12/16 for linklocal. To disable the multicast cache updates, specify the empty string.
cache-multicast-port=6920
The listener port for multicast cache updates.
cache-multicast-ttl=1
The multicast TTL value to be applied to broadcast packets.
cache-on-corrupt=replace
Action taken if cache corruption is detected. Set to one of: exit, rename, or replace. This is intended for debugging.
cache-path=/var/db/smtpf/cache.sq3
The file path of the SQLite3 cache. The directory containing the cache must be read-writable by the process so that SQLite3 can
create journal files as required.
cache-reject-ttl=604800
Cache time-to-live in seconds for reject results.
cache-secret=
The Multicast & Unicast Cache facility broadcasts UDP packets in the clear on the link-local network segment or direct to a set of
hosts. In order to identify valid broadcasts, each participating machine must have the same shared secret used to generate and
validate the cache updates.
cache-sync-mode=off
Cache synchronisation mode. Set to one of: off, normal, or full. The normal and full modes improve reliability at the sake of speed.
cache-temp-fail-ttl=7200
Cache time-to-live in seconds for temporary failure results.
cache-unicast-hosts=
The Unicast Cache facility provides the ability to broadcast cache updates to a set of remote hosts beyond the local network
segment. A space or comma separated list of host names and/or IP addresses with optional colon separated port numbers. This
option and cache-unicast-domain are mutually exclusive.
cache-unicast-port=6921
The listener port for unicast cache updates.
-call-back
When set, performs sender address verification using a call-back to one of the sender's MX hosts. Note that this form of test is very
unpopular with large mail services for a variety of reasons such as resource consumption and that it can be abused for proxied
dictionary harvesting attacks. Use of this test could result in black listing of your host by those services. Use with care.
http://www.snertsoft.com/smtp/smtpf/summary.html (4 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
-call-back-pass-grey
If the call-back returns a pass result, then skip grey-listing.
-call-back-strict-greeting
During a call-back, require that the first word of the 220 response is a FQDN, otherwise fail the call-back. See RFC 2821 section 4.2
grammar for greeting and section 4.3.1 paragraph 3.
-call-back-uri-greeting
During a call-back, URI BL test the FQDN host name given by the 220 response. The call-back fails if the host name is listed.
clamd-max-size=10000
Max. number of kilobytes to pass to clamd, 0 for unlimited.
clamd-policy=reject
Policy to apply if message is infected. Specify either none, reject, or discard.
+clamd-scan-all
When set, scan all messages for viruses. ClamAV can also scan for phishing scams. Otherwise, as an optimisation, only scan
messages with attachments for viruses.
clamd-socket=
The unix domain socket or Internet host[:port] of the clamd server. Specify the empty string to disable clamd scan. The default
clamd port is 3310.
clamd-timeout=120
The clamd I/O timeout in seconds.
click-secret=
Specify a phrase used to generate and validate a click challenge. Be sure to quote the string if it contains white space.
click-ttl=90000
Time-to-live in seconds for click challenge links.
click-url=
Specify either an empty string, mailto, or an http URL. If set to mailto, then reject messages are appended with a special
mail address that a sender can mail in order to get temporarily white listed.
If set to an http: URL, then a reject messages are appended with a URL that the sender can click on in order to get temporarily
white listed. The click-url is suffixed with query string parameters, where c= is the trimmed PTR or IP of the sender (see
grey-key), a comma, and the sender's mail address; the h= is the ASCII encoded time stamp and MD5 hash generated from the
binary value of the timestamp, the click-secret, and the c= value.
Otherwise set to empty string to disable this facility.
-client-ip-in-ptr
Apply a pattern heuristic to the connected client's PTR record. Reject if it looks like it is composed from the client IP address. See
also client-is-mx.
-client-is-mx
http://www.snertsoft.com/smtp/smtpf/summary.html (5 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
Weaken rejects based on client-ptr-required or client-ip-in-ptr until the sender address is known. If the client IP and sender
combination pass SPF or the client IP is an MX for the sender, then ignore the results of client-ptr-required and client-ip-in-ptr.
Otherwise reject if client-ptr-required is false or client-ip-in-ptr is true.
-client-ptr-required
The connecting client IP address must have a PTR record. See also client-is-mx.
Concurrent Connection Control
The tag Concurrent-Connect: can be used in the access-map.
If a key is found, then the value is processed as a pattern list and the result returned. A positive integer value is specified in place of
an action and is the maximum number of concurrent connections permitted at any one time.
Connection Rate Control
The tag Rate-Connect: can be used in the access-map.
If a key is found, then the value is processed as a pattern list and the result returned. An integer, in place of an action word,
specifies the number of connections per minute allowed. Specify zero (0) connections to disable the rate limit.
+daemon
Start as a background daemon or foreground application.
deny-compressed-name=*.bat
deny-compressed-name+=*.com
deny-compressed-name+=*.cpl
deny-compressed-name+=*.exe
deny-compressed-name+=*.inf
deny-compressed-name+=*.msi
deny-compressed-name+=*.msp
deny-compressed-name+=*.pif
deny-compressed-name+=*.scr
semi-colon separated list of unacceptable file patterns to reject when found RAR or ZIP attachments. The default list consists of
unsafe Windows file extensions as given by Microsoft. Specify an empty list to disable.
-deny-content
When enabled, then deny-content-* options are applied.
deny-content-name=*.adp
deny-content-name+=*.bas
deny-content-name+=*.bat
deny-content-name+=*.chm
deny-content-name+=*.cmd
deny-content-name+=*.com
deny-content-name+=*.cpl
deny-content-name+=*.crt
deny-content-name+=*.exe
deny-content-name+=*.hlp
deny-content-name+=*.hta
deny-content-name+=*.inf
deny-content-name+=*.ins
http://www.snertsoft.com/smtp/smtpf/summary.html (6 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
deny-content-name+=*.isp
deny-content-name+=*.js
deny-content-name+=*.jse
deny-content-name+=*.lnk
deny-content-name+=*.mdb
deny-content-name+=*.mde
deny-content-name+=*.msc
deny-content-name+=*.msi
deny-content-name+=*.msp
deny-content-name+=*.mst
deny-content-name+=*.pcd
deny-content-name+=*.pif
deny-content-name+=*.reg
deny-content-name+=*.scr
deny-content-name+=*.sct
deny-content-name+=*.shs
deny-content-name+=*.shb
deny-content-name+=*.url
deny-content-name+=*.vb
deny-content-name+=*.vbe
deny-content-name+=*.vbs
deny-content-name+=*.wsc
deny-content-name+=*.wsf
deny-content-name+=*.wsh
A semi-colon separated list of unacceptable file patterns to reject when found as MIME attachments. The default list consists of
unsafe Windows file extensions as given by Microsoft. Specify an empty list to disable.
deny-content-type=application/*executable
deny-content-type+=application/*msdos-program
deny-content-type+=message/partial
A semi-colon separated list of unacceptable MIME types to reject. Specify an empty list to disable.
digest-bl=
A list of MD5 digest based BL suffixes to consult. Aggregate lists are supported using suffix/mask. Without a /mask, suffix is the
same as suffix/0x00FFFFFE.
dns-bl=
A list of IP based DNS BL suffixes to consult, like sbl-xbl.spamhaus.org. Aggregate lists are supported using suffix/mask. Without a /
mask, suffix is the same as suffix/0x00FFFFFE.
dns-bl-headers=
A semi-colon separated list of mail headers to parse for IP addresses and check against one or more DNS BL. Specify the empty
list to disable.
dns-gl=
A list of IP based DNS grey-list suffixes to consult. This is similar to dns-wl, but only white lists as far as, but not including, the data
content filters. Intended for use with less reliable DNS white lists. Aggregate lists are supported using suffix/mask. Without a /mask,
suffix is the same as suffix/0x00FFFFFE.
dns-max-timeout=45
Maximum timeout in seconds for a DNS query.
http://www.snertsoft.com/smtp/smtpf/summary.html (7 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
-dns-round-robin
Set true to query NS servers in round robin order. Set false to query all the NS servers in parallel.
dns-wl=
A list of IP based DNS WL suffixes to consult. Aggregate lists are supported using suffix/mask. Without a /mask, suffix is the same
as suffix/0x00FFFFFE.
-dupmsg-track-all
When set, we track all Message-ID headers received and reject any duplicates messages that arrive again. This can prevent
some types of spam from being sent repeatedly, however it will greatly increase the size of the cache on high volume systems and
so should be used with care.
dupmsg-ttl=90000
Time-to-live in seconds for duplicate message tracking records. These records are created in the event that there was an I/O error
while sending a 250 message accepted reply and have successfully relayed the message to the forward host(s), in which case
record the message ID in order accept and discard future retries of the same message and so avoid duplicates.
emew-dsn-policy=none
If the message is a DSN or MDN and does not contain a reference to an enhanced Message-ID that originated here, then apply the
given policy, which can be either reject or none.
emew-secret=
Specify a phrase used to generate and validate an enhanced Message-ID. Be sure to quote the string if it contains white space.
Specify the empty string to disable enhanced Message-ID support.
emew-ttl=604800
Time-to-live in seconds for an enhanced Message-ID header. Messages referring to stale mail that originated here are rejected.
This limits the window of opportunity for replay attacks.
file=/etc/smtpf/smtpf.cf
Read option file before command line options.
fpscand-policy=reject
Policy to apply if message is infected. Specify either none, reject, or discard.
fpscand-socket=
The unix domain socket or Internet host[:port] of the fpscand server. Specify the empty string to disable fpscand scan. The default
fpscand port is 10200.
fpscand-timeout=120
The fpscand I/O timeout in seconds.
-grey-content
Content based grey listing. After all other content filters have passed over a message and when the grey-list key tuple has not been
previously seen, we store a hash for the message and temporarily reject it, and grey-list at DATA until the grey-temp-fail-period
expires. If the same message returns and matches the previously stored hash, then update the grey-list record to a pass. All other
messages from the matching grey-list key tuple are temporarily rejected until the previously hashed message is sent again.
http://www.snertsoft.com/smtp/smtpf/summary.html (8 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
-grey-content-save
When set, save the DATA content that is hashed to a file in the save-dir directory. Intended for testing and diagnosis.
grey-key=ptr,mail,rcpt
A comma separated list of what composes the grey-list key: ip, ptr, helo, mail, rcpt. The ptr element is the PTR record for the
connecting client minus the first label, so if host.example.com is the returned PTR value, then example.com is the value used. If
there is no PTR record found or the client IP appears to be a dynamic IP, then the client IP address is used. Specify the empty
string to disable grey-listing.
grey-report-header=X-Grey-Report
The name of the grey report header. Empty string to disable.
grey-temp-fail-period=600
This is the amount of time in seconds a correspondent's grey-list record will be temporarily rejected before being upgraded to a
pass.
The tags Grey-Connect: and Grey-To: can be used in the access-map to override this option's value. If a key is found,
then the value is processed as a pattern list and the result returned. An integer, in place of an action word, specifies the number of
seconds to temporarily reject a client. If several Grey-Connect: and Grey-To: keys are found, then the minimum value is
used. Specify zero (0) seconds to disable grey listing.
grey-temp-fail-ttl=90000
Cache time-to-live in seconds to retain grey-list record that are in the temporary rejection state.
+helo-claims-us
Drop any host that claims to be from a domain we are responsible for in the HELO/EHLO argument.
-helo-ip-mismatch
Drop any host that specifies an IP address as the HELO argument that does not correspond to the connecting client's IP, excluding
RFC 3330 IP addresses reserved for LANs.
-helo-is-ptr
If the HELO argument is the same as the PTR name and the PTR record is an instance of client IP-in-PTR, then reject the HELO
command. See also client-is-mx.
±help
help=filepath
Write the option summary to standard output and exit. The output is suitable for use as an option file. For Windows this option can
be assigned a file path string to save the output to a file, eg. help=./smtpf.cf.txt
http-timeout=60
Socket timeout used when testing HTTP links.
idle-retest-timer=300
Periodically reapply some tests, such as dns-bl, on long running connections. Specify zero (0) to disable.
±info
Write the configuration and compile time options to standard output and exit.
http://www.snertsoft.com/smtp/smtpf/summary.html (9 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
interfaces=[::0]:25; 0.0.0.0:25
A semi-colon separared list of interface host names or IP addresses on which to bind and listen for new connections. They can be
IPv4 and/or IPv6.
lickey-file=/etc/smtpf/lickey.txt
The license key file.
-lint
Lint SMTP sessions and messages for as many issues as possible. A report of the results is sent to postmaster. This option
requires a special license key.
+mail-require-mx
Reject if the sender's domain has no MX record.
-mail-retest-client
If set, recheck the client IP every message transaction. A client's IP could be black listed locally or by a DNS BL during a message
transaction and would be caught starting with the next transaction.
Message Length Controls
The tags Length-Connect:, Length-From:, and Length-To: can be used in the access-map.
If a key is found, then the value is processed as a pattern list and the result returned. A size limit is specified in place of an action,
and is the maximum number of octets permitted per message. it is expressed as a number with an optional scale suffix K (kilo), M
(mega), or G (giga). If no size limit is given or is -1, then the message can be any length (ULONG_MAX).
When there are multiple message size limits possible, then the limit applied, in order of precedence is: maximum value of all
relevant Length-To:, Length-From:, or Length-Connect:.
Message Limit Controls
The tags Msg-Limit-Connect:, Msg-Limit-From:, and Msg-Limit-To: can be used in the access-map.
If a key is found, then the value is processed as a pattern list and the result returned. A message limit is specified in place of an
action and has the following format:
messages '/' time [unit]
which is the number of messages per time interval. The time unit specifier can be one of week, day, hour, minute, or seconds (note only the
first letter is significant). Specify a negative number for messages to disable a limit.
When there are multiple message limits possible, then the limit applied, in order of precedence is: Msg-Limit-To:, Msg-LimitFrom:, and Msg-Limit-Connect.
ns-bl=
A list of name based NS BL suffixes to consult. Aggregate lists are supported using suffix/mask. Without a /mask, suffix is the same
as suffix/0x00FFFFFE. ns-bl=
+ns-sub-domains
When querying against name based black lists, first test the registered domain, then any sub-domains from right-to-left.
http://www.snertsoft.com/smtp/smtpf/summary.html (10 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
Null Sender Rate Control
The tag Null-Rate-To: can be used in the access-map. If a key is found, then the value is processed as a pattern list and
the result returned. An integer, in place of an action word, specifies the number of DSN/MDN messages per minute allowed.
Specify -1 to disable the limit.
+one-rcpt-per-null
When the sender is MAIL FROM:<>, then there can only be one RCPT TO: specified since the null address is only used to return a
Delivery Status Notification or Message Disposition Notification to the original sender and it is not possible to have two or more
sender's for one message (in theory).
-p0f-mutex
The p0f daemon is a single threaded process, but supposedly fast enough not to require threading or mutex locking. When
enabled, a mutex is used to control access to the p0f daemon. (Experimental)
p0f-report-header=X-p0f-Report
The name of the p0f report header. Empty string to disable.
p0f-socket=
When set to the unix domain socket path of the p0f (passive OS finger-printing) server, typically /var/run/p0f.socket,
then an X-p0f-Report: header is added to each message containing details about the SMTP client connection. The p0f
socket may have to set to world read-writable in order for smtpf to be able to connect. Specify the empty string to
disable.
p0f-timeout=60
The p0f I/O timeout in seconds.
±quit
Quit an already running instance and exit.
+rate-drop
When a client exceeds per-client rate connection limits, send a 421 reply and if this option is set, drop the connection, otherwise
wait for the client to send the QUIT command.
rate-throttle=20
Overall client connections per second allowed before imposing a one second delay. Specify zero (0) to disable.
+reject-percent-relay
Reject occurrences of % relay hack in addresses.
+reject-quoted-at-sign
Reject occurrences of quoted @-sign in the local-part of the address.
+reject-unknown-tld
Reject top-level-domains not listed by IANA.
+reject-uucp-route
Reject UUCP !-path addresses.
-relay-reply
http://www.snertsoft.com/smtp/smtpf/summary.html (11 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
Relay downstream MTA error responses during RCPT TO: processing to connected clients. Enabling this option might disclose
information about internal network structure, present incomplete or out of context errors, have inconsistent message styles from
multiple MTAs, and generally appear more confusing than helpful to the connecting client.
±restart
Terminate an already running instance before starting.
±restart-if
Only restart when there is a currently running instance.
-rfc1652-8bitmime
Enables support for RFC 1652 8BITMIME transfers when the client sends EHLO. Note that the support for this is weak, pass
through only. If enabled, then all forward hosts must also advertise 8BITMIME, otherwise the behaviour is undefined. See also
smtp-enable-esmtp.
+rfc2606-special-domains
When set, use of RFC 2606 reserved domains from the Internet or in mail addresses is rejected. They are the TLDs .test, .
example, .invalid, .localhost, and the second level domain .example using any TLD. While not part of RFC 2606, .localdomain and .
local are also included. Clients within the LAN and relays are excluded.
+rfc2821-angle-brackets
Strict RFC 2821 grammar requirement for mail addresses be surrounded by angle brackets in MAIL FROM: and RCPT TO:
commands.
-rfc2821-command-length
Strict RFC 2821 command line length limit.
-rfc2821-domain-length
Strict RFC 2821 domain name length limit.
-rfc2821-extra-spaces
Strict RFC 2821 grammar requirement that SMTP commands not contain any supurious white spaces.
-rfc2821-line-length
Strict RFC 2821 data line length limit.
-rfc2821-literal-plus
Treat plus-sign as itself; not a sendmail plussed address.
-rfc2821-local-length
Strict RFC 2821 local-part length limit.
-rfc2821-pad-reply-octet=
Specify a printable padding octet, then SMTP replies are padded out to the maximum reply line length of 512 bytes as sepecified in
RFC 2821 section 4.5.3.1. Specify an empty string to disable padding.
-rfc2821-strict-dot
Strict RFC 2821 section 4.1.1.4 DATA handling of CRLF-DOT-CRLF sequence.
http://www.snertsoft.com/smtp/smtpf/summary.html (12 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
+rfc2821-strict-helo
Strict RFC 2821 section 4.1.1.1 HELO argument must be a FQDN or ip-domain literal.
-rfc2822-7bit-headers
Strict RFC 2822 7-bit ASCII printable message headers.
-rfc2822-min-headers
Require RFC 2822 minimum required headers.
-rfc2822-strict-date
Check Date, Resent-Date, and Received headers for strict RFC 2822 date syntax.
+rfc2920-pipelining
Enables support for RFC 2920 SMTP command pipelining when the client sends EHLO. When there is early input before HELO/
EHLO, HELO is used, or EHLO PIPELINING has been disabled by this option, earlier talkers are detected and rejected. See also
smtp-enable-esmtp.
route-forward-selection=ordered
The FORWARD host selection policy used when there is more than one FORWARD host. Specify ordered or random. Ordered
selection connects to each host in turn until one answers or the list is exhausted. Random selection will randomly connect to hosts
from the list until one answers or the list is exhausted.
route-map=sql!/etc/smtpf/route.sq3
The type & location of the route key-value map used for forwarding, authentication, and recipient validation. The following methods
are supported:
text!/path/map.txt
sql!/path/database
socketmap!host:port
socketmap!/path/local/socket
socketmap!123.45.67.89:port
socketmap![2001:0DB8::1234]:port
R/O text file, in-memory hash
An SQLite3 database
Sendmail style socket-map
Sendmail style socket-map
Sendmail style socket-map
Sendmail style socket-map
If port is omitted, the default is 7953.
The route-map contains key-value pairs. Lookups are performed from most to least specific, stopping on the first entry found. Keys are
case-insensitive. Lookups are the same as for access-map using a route: tag and can include recipient mail address lookups.
If a key is found, then the value is a semicolon separated list of one or more parameters. The three types of parameters are:
RELAY
RCPT: host:port ...
FORWARD: host:port ...
connecting clients can relay
recipient verification list
accept & forward mail list
If the :port is omitted from a host name or IP address, then the default is SMTP port 25. The hosts are tried in the order they were specified.
Some examples:
route:127.0.0.1
FORWARD: 127.0.0.1:26; RELAY
http://www.snertsoft.com/smtp/smtpf/summary.html (13 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
Relay mail inbound and outbound for the local host. Unqualifed recipients will be directed to here as well.
route:192.0.2
RELAY
Relay mail outbound for the LAN.
route:example.com
FORWARD: mx.filter.net; RCPT: in.our.net
Forward mail to another mail appliance, but call-ahead to validate recipients deeper inside our network.
route:other.example
RELAY; FORWARD: mx.other.example:8025
Relay mail outbound from client connections that resolve to other.example and forward mail destined for other.example to to an MX
listening on a different port.
route:[email protected]
FORWARD: mx1.baka.tld mx2.baka.tld
Forward mail for this recipient address to one of these two hosts.
run-group=smtpf
Run as this Unix group.
-run-jailed
Run in a chroot jail; run-work-dir used as the new root directory.
run-open-file-limit=1024
The maximum open file limit for the process.
run-pid-file=/var/run/smtpf.pid
The file path of where to save the process-id.
run-user=smtpf
Run as this Unix user.
run-work-dir=/var/tmp
The working directory of the process.
savdid-policy=reject
Policy to apply if message is infected. Specify either none, reject, or discard.
savdid-socket=
The unix domain socket or Internet host[:port] of the savdid server. Specify the empty string to disable savdid scan. The default
savdid port is 4010.
savdid-timeout=120
The savdid I/O timeout in seconds.
http://www.snertsoft.com/smtp/smtpf/summary.html (14 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
-save-data
When set, save the DATA content to a file in the save-dir directory. Intended for testing and diagnosis.
save-dir=/var/tmp
A directory where to save temporary message files and/or output for diagnosis.
server-max-threads=0
Maximum number of server threads possible to handle new requests. Specify zero to allow upto the system thread limit.
server-min-threads=10
Minimum number of server threads to keep alive to handle new requests.
server-new-threads=10
Number of new server threads to create when all the existing threads are in use.
±service
Add or remove Windows service.
±slow-quit
Quit an already running instance, waiting for all the connections to terminate, then exit.
siq-score-reject=-1
Reject on or below this score, between 0 and 99; -1 to disable.
siq-score-tag=50
Tag the subject on or below this score, between 0 and 99; -1 to disable.
siq-servers=
Comma separated list of SIQ server host[:port] addresses.
This filter can tag or reject mail according to a score returned by a SIQ Protocol server that grades IP/domain pairs based on the
server's reputation criteria. Third-party SIQ servers can provide facts about the reputation of an outbound mail server IP and/or
MAIL FROM: domain including: stability, longevity, identifiability, SPF match, RHS type grouping, verified PTR record matching, et
al. One such service is already available from Outbound Index. Please check with the service(s) available before using them as
some require registration before they will answer queries.
siq-subject-tag=[SPAM]
Subject tag to preprend for messages identified as suspect.
-smtp-auth-enable
When set, enable SMTP AUTH support when EHLO command is given.
-smtp-auth-white
When set, successful SMTP authenticated sessions are white listed through content filters. Otherwise, content filtering is applied.
Regardless of this setting, successful SMTP AUTH sessions are always allowed to relay.
smtp-command-timeout=300
SMTP command timeout in seconds.
http://www.snertsoft.com/smtp/smtpf/summary.html (15 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
smtp-connect-timeout=60
SMTP client connection timeout in seconds.
smtp-data-line-timeout=180
SMTP data line timeout in seconds after DATA while collecting message content.
-smtp-delay-checks
Postpone any policy based 5xy rejections until after the first RCPT has been specified. Temporary failures and rejections due to
syntax or protocol errors are still reported immediately. This allows recipient white-listing to override policy rejections based on
connection, HELO, AUTH, or MAIL arguments.
-smtp-disconnect-after-dot
If the SMTP client drops the connection after sending the dot for end of message, but before the SMTP response is sent indicating
whether the message was accepted or not, then the message is discarded and our end of the connection closed.
smtp-dot-timeout=600
Timeout in seconds to wait for a reply to the SMTP final dot sent to the forward hosts.
smtp-drop-after=5
Drop the connection after N temporary and permanently rejected commands, ie. count any 4xy or 5xy responses and eventually
drop. Zero to disable.
-smtp-drop-unknown
Drop the connection if client sends an unknown command. To work around Cisco PIX firewalls broken fix-up protocol, this option
ignores any command that starts with 'XXX'.
smtp-dsn-reply-to=
When set this is the mail address of the site's postmaster or help desk used for the Reply-To header in DSN error messages.
Specify the empty string to disable.
+smtp-enable-esmtp
Enable enhanced SMTP (ESMTP) for all clients. When disabled any hosts marked as RELAY in the route-map or from RFC 3330
private IP addresses will be exempt and always allowed to use ESMTP regardless.
smtp-keep-alive-timeout=60
In some cases, the forwarding of the DATA command is delayed and so we have to keep the forward connection(s) alive until they
pass into the DATA state. The timeout is specified in seconds; specify 0 to disable the timeout.
-smtp-reject-delay
When set, exponentially delay the reporting of SMTP temporary and permanent rejects during the SMTP session. After enough
rejects the client connection will timeout and be dropped. See also rfc2920-pipelining. and smtp-drop-after.
smtp-reject-file=
The file path of a text file containing a site specific message that will be appended to all SMTP reject responses. This text should
contain brief instructions for the sender about who to contact for help. The text can be more than one line. Specify the empty string
to disable this message.
smtp-report-header=X-smtpf-Report
The name of the smtpf report header. Empty string to disable.
http://www.snertsoft.com/smtp/smtpf/summary.html (16 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
smtp-server-queue=20
SMTP server connection queue size. This setting is OS specific and tells the kernel how many unanswered connections on the
socket it should allow.
-smtp-slow-reply
Impose an throttling delay for all SMTP server replies. This option will most likely result in increased concurrency, which is normal.
-smtp-strict-relay
Only allow outbound messages from our specified relays and where the sender is from one of our routed domains (see routemap).
smtp-welcome-file=/etc/smtpf/welcome.txt
The file path to a text file containing one or more lines used for the SMTP welcome message banner. The 220 status code will be
automatically prepended to each line. It is recommended that this message be two or more lines as this has been found to foil some
spamware. If an empty string is given, a hard coded default will be used.
spamd-command=CHECK
Specify one of the SPAMD protocol commands: CHECK, SYMBOLS, REPORT, REPORT_IFSPAM to check the message. When
used in conjunction with verbose=spamd, more detailed results from spamd will be logged.
spamd-flag-header=X-Spam-Flag
The name of the flag header. Empty string to disable.
spamd-level-header=X-Spam-Level
The name of the level header. Empty string to disable.
spamd-max-size=0
Max. number of kilobytes to pass to spamd, 0 for unlimited.
+spamd-reject-sender-marked-spam
When an X-Spam-Status header is supplied by the sender, then check their claimed score against spamd-score-reject and
reject if they exceed it. Else if an "X-Spam-Flag: YES" header is supplied by the sender, then reject the message. If the
sender thought it was spam, why would we want it? Otherwise the message will be scanned and scored as per usual.
spamd-report-header=X-Spam-Report
The name of the report header. Empty string to disable.
spamd-score-reject=10
When spamd returns a score greater than or equal to this value then the message will be rejected. Specify -1 to never reject.
spamd-socket=
The unix domain socket or Internet host[:port] of the spamd server. Specify the empty string to disable spamd scan. The default
spamd port is 783.
spamd-status-header=X-Spam-Status
The name of the status header. Empty string to disable.
spamd-subject-tag=[SPAM]
http://www.snertsoft.com/smtp/smtpf/summary.html (17 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
When the score is greater than or equal to SpamAssassin's required_score and less than spamd-score-reject (when not
disabled), then the Subject header is prepended with this tag to identify suspect messages. Specify the empty string to disable the
subject tag.
spamd-timeout=120
The spamd I/O timeout in seconds.
spf-best-guess-txt=
If the initial SPF test does not yield a Pass for any reason, then we check this "best guess" TXT record (eg. v=spf1 a/24 mx/24 ptr)
to see if it yields a Pass result. Otherwise use the original SPF result.
spf-helo-policy=
Check HELO argument and act according to a comma separated list: softfail-reject, softfail-tag, fail-reject, fail-tag Example: spf-helopolicy=fail-reject
spf-mail-policy=fail-reject
Check MAIL FROM: domain and act according to a comma separated list: softfail-reject, softfail-tag, fail-reject, fail-tag Example: spfmail-policy=softfail-reject,fail-reject
+spf-received-spf-headers
Add Received-SPF: headers with results of HELO and MAIL FROM: checks.
+spf-temp-error-dns
RFC 4408 specifies that DNS lookup failures should return a TempError result. However, there are many broken SPF records that
rely on other domains that may no longer exist or have connectity problems. Disabling this option allows such failures to be ignored
and the remainder of the SPF record to be processed in hopes of finding a result.
stats-http-pass=
HTTP password for restricted access.
stats-http-post=
Specify an HTTP URL used to gather statistic data each garabage collection run. Specify the empty string to disable. The data sent
has the same format as the STAT command output. Runtime, hourly, and 60 minute window data including route stats are all sent.
stats-http-user=
HTTP user name for restricted access.
stats-map=sql!/var/db/smtpf/stats.sq3
This option specifies the cache type and path used to record hourly statistic counters. Specify the empty string to disable. This file is
updated according to the cache-gc-interval. Note that it is the responsibility of the data gatherer process to expire old entries from
this file, otherwise it will grow indefinitely.
The following map methods are supported:
file!/path/map.txt
text!/path/map.txt
sql!/path/database
socketmap!host:port
socketmap!/path/local/socket
http://www.snertsoft.com/smtp/smtpf/summary.html (18 of 21)5/4/2009 1:57:57 PM
R/W Berstein string file, in-memory hash
R/O text file, in-memory hash
An SQLite3 database
Sendmail style socket-map
Sendmail style socket-map
SnertSoft - smtpf/2.2
socketmap!123.45.67.89:port
socketmap![2001:0DB8::1234]:port
Sendmail style socket-map
Sendmail style socket-map
If port is omitted, the default is 7953.
The stats-map contains key-value pairs. The key is the current hour specified as "YYYYMMDDHH" and the value is a white space
separated list of hex values, the first two being the process start time in seconds from the epoch and the last update time in seconds from
the epoch followed by the counters (see STAT).
time-limit-delimiters=
A string of characters that can be used to indicate a time limit field in the local part of a recipient address. Specify the empty string
to disable. Characters that can be used are defined in RFC 5322 "atext". They are:
! # $ % & ' * + - / = ? ^ _ ` { | } ~ .
Note that dot (.) is fairly common and should not be used. Also sendmail and postfix treat plus (+) and hyphen (-) specially and are not
recommended. Percent (%) was used for an old routing synatx, which may be rejected by sites and not recommeded.
The delimiter indicates the start of a time limit field, which is an optional non-numeric informational token followed by a series of 4 to 12
decimal digits. The digits represents "YYYY[MM[DD[hh[mm]]]]" of the expire time when this recipient address is no longer valid and will be
rejected. The delimiter and time limit field can appear any where in the user portion of the address and are removed before forwarding the
receipient.
Examples using the address <[email protected]> and delimiter dollar-sign ($):
<[email protected]>
<[email protected]>
<[email protected]>
tld-level-one-file=
The absolute file path of a text file, containing white space separated list of global and country top level domains (without any
leading dot), eg. biz com info net org eu fr uk. This list will override the built-in list.
tld-level-two-file=
The absolute file path of a text file, containing white space separated list of two-level domains (without any leading dot), eg. co.uk
ac.uk com.au gouv.fr tm.fr. This list will override the built-in list.
trap-dir=/var/tmp
A directory where to save temporary message files and/or output marked by TRAP action for diagnosis.
uri-bl=
Extract from text, HTML, and/or MIME encoded messages bodies URIs such as http: and mailto: links, then check one or more URI
black lists. Give a list of domain based DNS BL suffixes to consult, like .multi.surbl.org. Aggregate lists are supported
using suffix/mask. Without a /mask, suffix is the same as suffix/0x00FFFFFE.
The tag Body: can be used in the access-map to white-list domains found within the message, for example w3c.org or
google.com.
uri-bl-headers=
http://www.snertsoft.com/smtp/smtpf/summary.html (19 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
A semi-colon separated list of mail headers to parse for URI and check against one or more URI BL. Specify the empty list to
disable.
-uri-bl-helo
Check if the HELO/EHLO argument is black listed using uri-dns-bl and/or uri-bl.
-uri-bl-mail
Check if the domain of the MAIL FROM: argument is black listed using uri-dns-bl and/or uri-bl.
uri-bl-policy=reject
Check if the message contains a black listed URI found by uri-bl or uri-dns-bl. Specify one of none, reject, or discard. When set to
none, the test is disabled.
-uri-bl-ptr
Check if the PTR result is black listed using uri-dns-bl and/or uri-bl.
+uri-cite-list
When enabled, URI BL based rejection will cite the black list used.
uri-dns-bl=
Extract from text, HTML, and/or MIME encoded messages bodies URIs such as http: and mailto: links, then consult one or more IP
black lists. Give a list of IP based DNS BL suffixes to consult, like sbl-xbl.spamhaus.org. Aggregate lists are supported using suffix/
mask. Without a /mask, suffix is the same as suffix/0x00FFFFFE.
The tag Body: can be used in the access-map to white-list domains found within the message, for example w3c.org or google.
com.
-uri-ip-in-name
For each URI, apply a pattern heuristic to the host's name and reject if it looks like it is composed from it's IP address.
-uri-ip-in-ns
For each URI, apply a pattern heuristic to the host's NS server names and reject if any look like they are composed from their IP
addresses.
uri-links-policy=none
Test if message contains a broken URL and apply policy if found. Specify one of none, reject, or discard. When set to none, the test
is disabled.
uri-max-test=10
Maximum number of unique URI to check. Specify zero for unlimited.
-uri-ns-nxdomain
Reject if a URI's NS host is in a non-existant domain.
-uri-reject-on-timeout
Reject any URI host/domain that times out while looking up DNS A records.
-uri-reject-unknown
Reject any URI host/domain that does not exist.
http://www.snertsoft.com/smtp/smtpf/summary.html (20 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
-uri-require-domain
Reject URLs that specify a scheme and refer to a bare IP address.
uri-require-ptr=0
Reject any URI where the host name is missing a PTR record for any of its IP addresses. Specify the minimum number of IP
addresses a host must have before applying this test; zero to disable.
-uri-sub-domains
When querying against name based black lists, like .multi.surbl.org or .black.uribl.com, first test the registered domain, then any subdomains from right-to-left. Typically sub-domains are not listed on URI black lists.
-uri-valid-soa
For each URI found, check that the domain has a valid SOA and reject otherwise.
verbose=warn,info
Verbose logging to system mail log. Specify one or more comma separated words: access attachment auth avastd cache clamd
connect data db debug digest dns dupmsg emew fpscand grey headers helo info kvm mail mutex noop p0f rate rbl rcpt rset sav
savdid save size smtp smtp-data smtp-dot socket-fd spamd spf stats subject timelimitrcpt timers trace uri warn
- TOP Copyright 2006, 2009 by SnertSoft. All rights reserved.
BarricadeMX trademark & patents pending.
http://www.snertsoft.com/smtp/smtpf/summary.html (21 of 21)5/4/2009 1:57:57 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
smtpf Command Options
To review the smtpf option summary:
$ smtpf -help
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
Local MTA
■ Local Route
■ FORWARD &
RELAY
■ by
domain
■ by mail
■ Call-Ahead
■ AcceptThenBounce
■ AUTH Support
■ ETRN Support
b. The Access Map
■ Lookup
Sequences
■ Tags
■ About Delay
Checks
■ Right Hand Side
Values
■ Action Words
■ Pattern Lists
■ !Simple
Patterns!
■ /Regular
Expression
Patterns/
c. The smtpf.cf File
■ Avast! AV
Support
■
To start smtpf:
# smtpf
To stop smtpf:
# smtpf -quit
To restart smtpf:
# smtpf -restart
To restart smtpf using a different configuration file:
# smtpf -restart \
file=/path/to/alt/smtpf.cf
The file option when it appears in the smtpf.cf does nothing other than
document which smtpf.cf was read. It's possible to specify one or more options
on the command line in order to override what appears in smtpf.cf or the hard
coded default.
To restart smtpf only if it is currently running:
# smtpf -restart-if
The command options shown above can be prefixed by either a plus (+) or
minus (-) sign and both behave the same.
http://www.snertsoft.com/smtp/smtpf/runtime.html (1 of 5)5/4/2009 1:57:58 PM
SnertSoft - smtpf/2.2
Runtime Configuration
Typically if you change the contents of smtpf.cf, you must restart smtpf in order
for those options to take affect.
# smtpf +restart
However many of the smtpf options can be configured during runtime by
telneting to localhost port 25 and issuing smtpf commands.
$ telnet 127.0.0.1 25
For security reasons, these commands only work when the connection comes
from localhost. They are:
CACHE GETkey
CACHE PUTkey value
CACHE DELETEkey
Cache manipulation commands.
CONN
The CONN command will display a list of all the currently active
connections showing the session ID, SMTP state, client name and IP,
session age in seconds, input idle time in seconds, and total number of
octets sent in messages.
KILL session-id
The KILL command will terminate the SMTP client session matching
the given session-ID. Currently not available for Windows.
OPTN
OPTN ±option-name
OPTN option-name=value
The OPTN command without any argument, will display all the current
option settings, one per line. If an argument is specified, it is the same
as would be specified in the smtpf.cf file. Some options cannot be
changed at runtime, if they influence how smtpf starts up.
STAT
The STAT command will display the current runtime statistics since the
last restart, current hour, and last 60 rolling window. Each line reflects
either a test or checkpoint. The statistics are intentionally not
documented as they are intended for diagnostics and subject to
change.
Cache Options
■ Call-Backs
■ Clam AV
Support
■ Command-Line
Interface
■ Client IP
Address
■ Concurrency &
Rate
■ DNS Based Lists
■ Delay Checks
■ EMEW
■ F-Prot AV
Support
■ Grey Listing
■ Grey Content
■ SMTP HELO
Testing
■ Network
Interface
■ Length & Limits
■ RFC
Conformance
■ Run Settings
■ Server
Performance
■ SIQ Support
■ SMTP Options
■ Sophos AV
Support
■ SpamAssassin
Support
■ SPF Support
■ Statistics
■ URI Blacklists
■ Verbose
Logging
d. Option Summary
■
E. Runtime
a. Command Line Options
b. Runtime Configuration
c. The Cache File
The Cache
Structure
d. The Stats File
■ The Stats
Structure
■
VERB
VERB ±verbose-flag ...
The VERB command without any argument, will display the current
verbose logging flags. Sometimes it's useful to turn on and off certain
verbose logging flags in order to diagnose a problem. For example:
http://www.snertsoft.com/smtp/smtpf/runtime.html (2 of 5)5/4/2009 1:57:58 PM
SnertSoft - smtpf/2.2
e. Log Messages
f. SMTP Replies
VERB +smtp -uri
F. Glossary
The Cache File
The cache file is an SQLite3 database and can be manipulated using the supplied programs sqlite3t (our version build with thread
support enabled) and mcc. Manipulating the cache is particular useful when there are records that may be preventing one or more
messages to pass. This can occur for example if you suddenly white list a sender in the access-map, but mail from that sender is still
being blocked, because of a cache entry that has not yet expired.
# sqlite3t /var/db/smtpf/cache.sq3
Using sqlite3t it is possible to add, remove, or modify cache entries using standard SQL commands. How to use sqlite3t and
SQL in general is beyond the scope of this document and not covered here.
The mcc provides a simplified means of manipulating the cache locally and across machines that listen to multicast or unicast cache
broadcasts. The short usage summary is displayed with:
# mcc
The mcc command reads commands from standard input and writes informational messages to standard output. The are four commands:
GET, PUT, DELETE and QUIT. The GET command reads from the local cache, while the PUT and DELETE will update the local cache and
broadcast to the multicast group or unicast host list. The values for mcc options -m, -M, -d, -U, and -s should correspond with those
specified in smtpf.cf for: cache-multicast-ip, cache-multicast-port, cache-unicast-domain, cache-unicast-port, and cachesecret.
# mcc -m 232.1.2.3:6920 -s your-secret-here /var/db/smtpf/cache.sq3
The cache's SQL data was designed to fit within the 512 octets of a UDP datagram and is defined in SQL as follows (note this is different
from the UDP datagram structure which is not specified here):
CREATE TABLE mcc (
k VARCHAR(383) PRIMARY KEY, -- the tagged key
d VARCHAR(92),
-- data value
h INTEGER DEFAULT 1,
-- hit counter
c INTEGER,
-- create timestamp
t INTEGER,
-- last touched timestamp
e INTEGER
-- expires timestamp, indexed
);
Note that the above structure may change without notice. When using the sqlite3t command, all columns are accessible, while with
the mcc PUT command only the k and d can be altered since the client/server portions of the mcc protocol manage the others columns.
The format of the cache k and d columns varies depending on the test. The following is a brief summary of the possible formats used for
both k and d columns in the event they need to be modified manually. Note that this information may change without notice.
click:ip,ptr,mail
ASCII 2 = accept. Either ip or ptr is present, never both; similar to the
definition of the ptr element used in grey-key.
http://www.snertsoft.com/smtp/smtpf/runtime.html (3 of 5)5/4/2009 1:57:58 PM
SnertSoft - smtpf/2.2
dumb:host
grey:ip,ptr,helo,mail,rcpt
ASCII 2 = accept, 5 = reject
ASCII 0 = continue, 4 = temp. fail, 5 = reject; optionally followed by a
space and two hexdecimal MD5 hashes when using +grey-content.
The key field order remains constant, fields present according to greykey; be sure to review how the ip and ptr fields are used.
msg-limit:client-ip
msg-limit:sender
msg-limit:recipient
rcpt:recipient
sav:sender-domain
sav:sender
siq:client-ip,sender-domain
ASCII integer counter of messages sent
ASCII integer counter of messages sent
ASCII integer counter of messages sent
ASCII 2 = accept, 5 = reject
ASCII 2 = accept, 5 = reject
ASCII 2 = accept, 4 = temp.fail, 5 = reject
mixed binary & ASCII content
The Stats File
The stats file is an SQLite3 database and can be manipulated using the supplied programs sqlite3t (our version build with thread
support enabled). Generally it is not a good idea to manipulating the statistics file, but we describe it here for completeness.
# sqlite3t /var/db/smtpf/stats.sq3
Using sqlite3t it is possible to add, remove, or modify records using standard SQL commands. How to use sqlite3t and SQL in
general is beyond the scope of this document and not covered here.
The statistics file uses a generalised key-value-map (KVM) API, which does not take advantage of SQL to the fullest. This may change in
future releases of smtpf.
CREATE TABLE kvm (
k TEXT PRIMARY KEY,
v TEXT
);
-- the key
-- data value
The format of the k and v columns varies. The following is a brief summary of the possible formats used for both k and v columns in the
event they need to be modified manually or consulted by third-party tools. Note that this information may change without notice.
YYYYMMDDHH
fields:version
route:recipient
ASCII space separated list of values corresponding to the field order
given by fields:; start-time and touch-time values are given in
hexdecimal, while all other values are decimal.
ASCII space separate list of field names in store order.
ASCII space separated fields; first field in decimal is the day-of-year
followed by the last 31 days of hexadecimal triples accept:
reject:volume giving message counts and volume in kilobytes.
The route: key used corresponds to those found in the route-map.
- TOP Copyright 2006, 2009 by SnertSoft. All rights reserved.
http://www.snertsoft.com/smtp/smtpf/runtime.html (4 of 5)5/4/2009 1:57:58 PM
SnertSoft - smtpf/2.2
BarricadeMX trademark & patents pending.
http://www.snertsoft.com/smtp/smtpf/runtime.html (5 of 5)5/4/2009 1:57:58 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf 2.2.15
«An SMTP Filtering Proxy»
Mail Log Messages
The default verbose logging level for smtpf is to display all warnings and
informational messages. Error messages are always reported. The debugging
log messages are not explained. Each log message has a timestamp when the
message was generated, the smtpf process name and ID, the session ID of the
current connected SMTP client, followed by the message number and text of
the message.
Below is a list of log messages in numerical order, with a brief explination and/
or a link to the documentation where the options responsible are explained in
more detail.
ERR #100 pattern delimiter error: "%.50s..."
Failed to find the end bang (!) delimiter of a !simple! pattern. See
access-map about right-hand-side pattern lists.
ERR #103 network delimiter error: "%.50s..."
Failed to find the end square-bracket (]) delimiter of a [network/
cidr] pattern. See access-map about right-hand-side pattern
lists.
ERR #105 network specifier error: "%.50s..."
ERR #106 network specifier error, "%.50s..."
The network portion of a [network/cidr] pattern does not
parse to a valid IPv4 or IPv6 address. See access-map about righthand-side pattern lists.
ERR #108 regular expression delimiter error:
"%.50s..."
Failed to find the end slash (/) delimiter of a /regex/ pattern. See
access-map about right-hand-side pattern lists.
ERR #110 regular expression error: %s
"%.50s..."
http://www.snertsoft.com/smtp/smtpf/syslog.html (1 of 14)5/4/2009 1:58:01 PM
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
Local MTA
■ Local Route
■ FORWARD &
RELAY
■ by
domain
■ by mail
■ Call-Ahead
■ AcceptThenBounce
■ AUTH Support
■ ETRN Support
b. The Access Map
■ Lookup
Sequences
■ Tags
■ About Delay
Checks
■ Right Hand Side
Values
■ Action Words
■ Pattern Lists
■ !Simple
Patterns!
■ /Regular
Expression
Patterns/
c. The smtpf.cf File
■ Avast! AV
■
SnertSoft - smtpf/2.2
ERR #112 regular expression error: %s
"%.50s..."
There is an error in a /regex/ pattern that prevents it from being
compiled.
WARN #115 access-map option disabled
The access-map option has been set to an empty string.
ERR #116 access-map=%s text method no longer
supported
ERR #117 access-map=%s open error
The key-value-map specified by the access-map option could not be
opened. Check the map type, file path, and file permissions &
ownership.
INFO #119 host %s [%s] %s
There is a Connect: tag entry for either the client name or IP
address with a right-hand-side value of OK. See access-map.
INFO #124 host %s [%s] sender <%s> %s
There is a Connect:From: combo tag entry for either the client
name and sender pair or client IP address and sender pair with a righthand-side value of OK. See access-map.
INFO #126 sender <%s> %s
There is a From: tag entry for the sender address or their domain with
a right-hand-side value of OK. See access-map.
INFO #134 host %s [%s] recipient <%s> %s
There is a Connect:To: combo tag entry for either the client name
and recipient pair or client IP address and recipient pair with a righthand-side value of OK. See access-map.
INFO #136 sender <%s> recipient <%s> %s
There is a From:To: combo tag entry for a sender and recipient pair
with a right-hand-side value of OK. See access-map.
INFO #138 recipient <%s> %s
There is a To: tag entry for sender's address with a right-hand-side
value of OK. See access-map.
ERR #161 %s
The avastd daemon found a virus or suspicious content in the message.
See avastd-policy.
ERR #163 avastd error: %s
ERR #172 cache-path=%s open error: %s (%d)
http://www.snertsoft.com/smtp/smtpf/syslog.html (2 of 14)5/4/2009 1:58:01 PM
Support
■ Cache Options
■ Call-Backs
■ Clam AV
Support
■ Command-Line
Interface
■ Client IP
Address
■ Concurrency &
Rate
■ DNS Based Lists
■ Delay Checks
■ EMEW
■ F-Prot AV
Support
■ Grey Listing
■ Grey Content
■ SMTP HELO
Testing
■ Network
Interface
■ Length & Limits
■ RFC
Conformance
■ Run Settings
■ Server
Performance
■ SIQ Support
■ SMTP Options
■ SpamAssassin
Support
■ SPF Support
■ Statistics
■ URI Blacklists
■ Verbose
Logging
d. Option Summary
E. Runtime
a. Command Line Options
b. Runtime Configuration
c. The Cache File
The Cache
Structure
d. The Stats File
■ The Stats
Structure
e. Log Messages
■
SnertSoft - smtpf/2.2
The cache database could not be opened. Check the cache.sq3
file permissions & ownership
f. SMTP Replies
F. Glossary
ERR #173 cache-sync-mode=%s error
An invalid value was specified for this option.
ERR #174 cache-unicast-domain and cache-unicast-hosts are mutually exclusive
options
Check the smtpf.cf file. Specify either cache-unicast-domain or cache-unicast-hosts, but not both.
ERR #175 cache-unicast-domain error: %s (%d)
ERR #176 cache-unicast-hosts error: %s (%d)
ERR #177 cache-unicast-hosts error: %s (%d)
An error in parsing the option or starting the unicast cache listener thread. See cache-unicast-domain or cache-unicasthosts.
WARN #202 clamd-max-size=%ld reached
The size of the message passed to clamd has been reached. No additional data will be passed to clamd. See clamd-max-size.
ERR #207 %s
The clamd daemon found a virus or suspicious content in the message. See clamd-policy.
ERR #210 error parsing %s='%s': %s (%d)
See cli-content and cli-envelope.
INFO #212 started %s[%d] %s
See CLI section, and the options cli-content and cli-envelope.
ERR #213 cmdStart(%s) failed: %s (%d)
There was a problem invoking the specified command-line. Things to check are if the command is on default PATH or specify an
absolute path and/or check that options are correct. See cli-content and cli-envelope.
ERR #215 write error to child=%d: %s (%d)
There was a problem closing the input stream to the CLI child process. See cli-content and cli-envelope.
ERR #220 %s[%d] terminated on signal=%d%s",
The CLI child process terminated on signal, possibly due to a program fault. See cli-content and cli-envelope.
ERR #221 exit status=%d out of range
The CLI child process returned an unsupported exit code. See cli-content and cli-envelope.
INFO #222 %s[%d] exit status=%d
The CLI child process returned a supported exit code. See cli-content and cli-envelope.
INFO #225 %s
The CLI child process standard output and standard error are logged. See cli-content and cli-envelope.
http://www.snertsoft.com/smtp/smtpf/syslog.html (3 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
INFO #242 host %s [%s] sender <%s> white listed
ERR #257 client %s [%s] I/O error: %s (%d)
During AUTH LOGIN, there was a client read error while waiting for login name.
ERR #260 AUTH LOGIN buffer overflow caught
During AUTH LOGIN, the login user name given exceeds the size of the decoding buffer.
ERR #261 login base64 decode error
During AUTH LOGIN, the login user name could not be decoded according to Base64 rules.
ERR #262 client %s [%s] I/O error: %s (%d)
During AUTH LOGIN, there was a client read error while waiting for password.
ERR #265 password base64 decode error
During AUTH LOGIN, the password could not be decoded according to Base64 rules.
ERR #268 AUTH PLAIN buffer overflow caught
During AUTH PLAIN, the Base64 argument given exceeds the size of the decoding buffer.
ERR #270 AUTH base64 decode error
The AUTH PLAIN argument could not be decoded according to Base64 rules.
INFO #272 queuing all messages on %s [%s]
All messages from successfully authenticated clients are queued on the local route. See route-map documentation.
INFO #273 auth-id=<%s> relay=%d
WARN #281 filter_mail_table unexpected rc=%d
This is an internal error.
WARN #291 filter_rcpt_table unexpected rc=%d
This is an internal error.
INFO #294 queuing message on %s [%s] for <%s>
The message is being sent to the local route. See route-map about the local route and AUTH support.
ERR #301 chunk write error: %s (%d)
There was an I/O write error while trying to relay a DATA chunk to a forward host.
ERR #309 missing temp. file name
ERR #310 open error "%s": %s (%d)
ERR #311 seek error "%s": %s (%d)
An error trying to find and open a temporary message file which is to be relayed onto the forward hosts. See save-dir option.
ERR #312 DATA rejected by all forward hosts
All of the forward hosts for this message rejected the DATA command. This message almost never appears. If it does, check if the
forward hosts have implemented any filtering that rejects at DATA, like smtpf does for grey-listing and call-back failures.
http://www.snertsoft.com/smtp/smtpf/syslog.html (4 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
ERR #313 read error "%s": %s (%d)
An error while reading from a temporary message file, which is to be relayed onto the forward hosts. See save-dir option.
ERR #314 %s [%s] I/O error: %s (%d)
The connected client disconnected or generated an I/O error after sending the final dot to end a message, but before the SMTP
response was sent.
INFO #315 pipelining byte=%.2x
ERR #316 %s [%s] I/O error: %s (%d)
The connected client disconnected or generated an I/O error after sending the final dot to end a message, but before the SMTP
response was sent.
ERR #319 client %s [%s] timeout after DOT-LF; message must end with CRLF-DOT-CRLF
See rfc2821-strict-dot.
ERR #320 client %s [%s] I/O error: %s (%d)
The client appears to have disconnected. A read error occured in the DATA collection loop.
ERR #331 %s rejected message: %s
A forward host has rejected a message and a DSN has been sent,
INFO #337 %s duplicate Message-Id=%s previous session=%s
smtpf tracks what messages have already been seen and discards any message that have prevously been processed. This can
occur when the client connection disappears between the time we relay the end-of-message to the forward host(s) and the client
receiving an SMTP reply. When the client disconnects, it will assume a 421 response and rety sending the message later. Mean
while if the forward hosts accepted the message the first time, then these retries can result in duplicate messages being received.
See the dupmsg-ttl option.
WARN #346 EMEW Message-ID buffer error or no secret set
The buffer used to generate the EMEW Message-ID is too small.
ERR #375 %s
The fpscand daemon found a virus or suspicious content in the message. See fpscand-policy.
ERR #378 sql=%s create error: %s %s
ERR #379 sql=%s statement error: %s %s
ERR #908 sql=%s statement error: %s %s
INFO #910 greyGcExpire count=%d
ERR #383 greyMakeKey() overflow caught, key={%s} truncated
INFO #387 grey listed {%s} for %ld seconds
See grey-key, grey-content, and grey-temp-fail-period options.
INFO #393 grey-content message mismatch
See grey-content option.
INFO #394 grey-content listed {%s} for %ld seconds
See grey-content and grey-temp-fail-period options.
http://www.snertsoft.com/smtp/smtpf/syslog.html (5 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
WARN #395 %s-%s license key expires in less than %d day%s
ERR #396 license key %s must be set
ERR #397 license key date-issued is in the future, please check your system clock
ERR #398 license key has expired
ERR #399 license key %s error: %s (%d)
ERR #400 license key %s mismatch
ERR #401 license key invalid
ERR #402 license key not for %s/%s
ERR #403 license key not for %s
ERR #404 invalid license key IP address [%s]
ERR #405 lickey syntax error: %s
ERR #406 not licensed for IP [%s]
ERR #407 IP [%s] not licensed for %ld cores (max. %ld)
INFO #408 found valid licensed IP [%s]
ERR #409 license key "%s" load error: %s (%d)
ERR #410 route count error
ERR #411 route-map entries=%lu exceeds license key max-domains=%ld
ERR #411 route-map unique-domains=%lu exceeds license key max-domains=%ld
ERR #412 %s load error: %s (%d)
The lickey-file option is a required option and must be the absolute path of the license key file.
WARN #429 %s [%s] HELO %s is not FQDN
See rfc2821-strict-helo option.
ERR #435 MX %s error %s
The MX record is always fetched and verified regardless of the setting of client-is-mx and mail-require-mx options.
INFO #437) CLIENT_FORMAT " is MX for %s
See client-is-mx option.
WARN #438 empty MX list after pruning
The MX list gathered from DNS is pruned to remove hosts that resolve to localhost, RFC 3330 reserved IP addresses that cannot
be reached from the Internet, or have no A/AAAA record. This message is reported if the MX list is empty after pruning.
WARN #906 MX list incomplete
The MX list gather from DNS had one or more A/AAAA records that returned a SERVFAIL result. See mail-require-mx option.
WARN #444 empty MX list after pruning
The MX list gathered from DNS is pruned to remove hosts that resolve to localhost, RFC 3330 reserved IP addresses that cannot
be reached from the Internet, or have no A/AAAA record. This message is reported if the MX list is empty after pruning.
ERR #446 MX %s lookup: %s (%d)
The MX record is always fetched and verified regardless of the setting of client-is-mx and mail-require-mx options.
INFO #448 client %s [%s] is MX for %s
See client-is-mx option.
ERR #453 MX %s lookup: %s (%d)
The process checks if the connected client is a secondary MX for any of the recipients, during which a DNS MX lookup error may
http://www.snertsoft.com/smtp/smtpf/syslog.html (6 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
occur.
ERR #465 domain %s does not exist
The top level domain is unknown.
ERR #467 domain %s does not exist
ERR #468 SOA for %s lookup error: %s
ERR #469 SOA for %s does not exist
Part of the experimental is-nxdomain family of tests. Reject a domain if the host and none of its parent domains upto, but not
including, the TLD have an SOA. Temp. fail if there was a DNS lookup error. Otherwise continue if the host name or any of its
parent domains have an SOA before the TLD is reached.
ERR #470 domain %s does not exist
The top level domain is unknown.
ERR #472 domain %s does not exist
ERR #473 SOA for %s lookup error: %s
ERR #474 SOA for %s does not exist
Part of the experimental is-nxdomain family of tests. Reject a domain if the host and none of its parent domains upto, but not
including, the TLD have an SOA. Temp. fail if there was a DNS lookup error. Otherwise continue if the host name or any of its
parent domains have an SOA before the TLD is reached.
ERR #480 %s write error: %s (%d)
ERR #482 %s write error: %s (%d)
An error occurred while sending an SMTP command to a forward host.
ERR #484 %s read error: %s (%d)
ERR #486 %s read error: %s (%d)
An error occurred while reading an SMTP reply from a forward host.
ERR #490 MX %s error %s
While attempting to perfom a call-back, there was an error looking up the MX records of the sender's domain. See call-back
option.
ERR #497 %s %s
While attempting to perfom a call-back, there was an error looking up the MX records of the sender's domain. See call-back
option.
ERR #506 p0f address error: %s (%d)
ERR #507 p0f open error: %s (%d)
ERR #508 p0f connection error: %s (%d)
ERR #510 p0f write error: %s (%d)
ERR #511 p0f timeout error: %s (%d)
ERR #512 p0f read error: %s (%d)
ERR #513 p0f mutex unlock failed: %s (%d)
ERR #515 p0f magic number error
ERR #516 p0f query error (%d)
INFO #517 p0f %s
See p0f-socket and p0f-timeoutoptions.
http://www.snertsoft.com/smtp/smtpf/syslog.html (7 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
ERR #519 %lu connections exceeds %ld per second
See the rate-throttle option.
INFO #523 %s found %s %s
See dns-bl, dns-gl, dns-wl, ns-bl, uri-bl, and uri-dns-bl options.
INFO #527 %s found %s %s
See dns-bl, dns-gl, and dns-wl options.
ERR #537 init error %s(%lu) %s: %s (%d)
A generic initialisation error reporting file and line number where it occured.
ERR #538 out of memory %s(%lu)
A generic out of memory error reporting file and line number where it occured.
ERR #539 internal error %s(%lu) %s: %s (%d)
A generic internal error reporting file and line number where it occured and some extra context. Not expected to occur outside of
code development.
INFO #540 pipeline input=%ld:%s
Log any premature input from the connected client.
ERR #542 cache get error key={%s} %s(%lu)
A generic error where a module could not get a cache record for unspecified reasons. This is not the same as record not found.
ERR #544 cache put error key={%s} value={%s} %s(%lu)
A generic error where a module failed to update a cache record for unspecified reasons.
ERR #546 cache delete error key={%s} %s(%lu)
A generic error where a module failed to delete a cache record for unspecified reasons.
ERR #556 resources error %s(%lu): %s (%d)
A runtime error reporting file and line number. Check the process status and ulimit settings. Typically the only solution is to restart
the process.
INFO #557 route domains=%lu addresses=%lu accounts=%lu unique-domains=%lu
A summary of route types found in the route-map, used for max-domains license control. The domain, addresses, and accounts
refer to records in the route-map of the form route:some.domain, route:[email protected], and route:
user@ respectively.
The license key field max-domains is a bit of a misnomer. It should have been called max-routes, but it is easier for people to
think in terms of domains and in the majority of cases routing is by-domain only.
However, our logic counts all route: records, regardless of type, towards the license's max-domains, since the same amount
of work is necessary to route by-domain as by-address or by-account.
INFO #558 call-ahead host=%s rcpt=<%s> rc=%d reply="%s"
A summary of call-ahead results.
http://www.snertsoft.com/smtp/smtpf/syslog.html (8 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
ERR #566 localhost route required
ERR #567 localhost route requires FORWARD definition
The local route is not defined and is required for correct operation. See route-map documentation.
ERR #568 mail loop from %s [%s] in localhost route
When the mail is coming from one of our smart hosts then we would like to relay outbound, not forward inbound, otherwise we end
up in a loop.
INFO #570 smtp-strict-relay client %s [%s] sender <%s> denied",
See smtp-strict-relay options.
See rfc2821-strict-greeting option.
ERR #830 %s
See uri-call-back-greeting option.
INFO #573 call-back mail=<%s> rc=%d reply="%s"
A summary of call-back results.
ERR #846 %s
The savdid daemon found a virus or suspicious content in the message. See savdid-policy.
ERR
ERR
ERR
ERR
#574 save-dir must be defined
#577 delete error "%s": %s (%d)
#579 temp. file name "%s": %s (%d)
#580 create error "%s": %s (%d)
See save-data, save-dir option. In addition, the avastd-socket, fpscand-socket, and spamd-socket options also rely on
the save-dir option being defined in order to function.
ERR #876 rename(%s, %s) failed: %s (%d)
ERR #877 hard link(%s, %s) failed: %s (%d)
INFO #595 interface=%s ready
The interface is ready to accept connections.
ERR #596 interface=%s error: %s (%d)
ERR #914 interface=%s error: %s (%d)
ERR #915 interface=%s error: %d
An error occurred when smtpf tried to bind to the socket. The most likely cause of this is that something else is already bound to the
socket, like another MTA.
ERR #813 lint option requires special license key
The lint option requires a special license key offered only for special partnership deals and is not generally available to customers.
WARN #597 interface=%s disabled
On some platforms it is possible to bind two separate sockets for IPv6 ::0 and IPv4 0.0.0.0, both on the same port. On others
platforms binding a single socket to ::0 will also include 0.0.0.0 for the same port and so generate a warning that can be ignored.
Using lsof(1), fstat(1), and/or netsat(1) one should be able to determine if it is an error due to another process being bound to the
same port and so corrected, or simply to be ignored and the configuration adjusted to silence the warning in future. See interfaces
http://www.snertsoft.com/smtp/smtpf/syslog.html (9 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
option.
ERR #812 no matching interfaces="%s"
See interfaces option.
ERR #598 create "%s" failed: %s (%d)
ERR #905 lock "%s" failed: %s (%d)
See run-pid-file option.
INFO #599 ready
The SMTP service is ready to accept connections.
ERR #602 socket accept: %s (%d); th=%u cn=%u
When this error occurs, it is most likely due to two types of errors: a timeout or the process is out of file discriptors, though other
network related errors may occur.
The former case (ETIMEDOUT) is trival and occurs when there is a lull in activity, in which case surplus threads are discontinued as
they timeout.
The latter case (EMFILE) is more serious, in which case the process is out of file descriptors, so the thread is terminated cleanly to
release resources. If this occurs in multiple threads in the accept state, then this will terminate any surplus of threads, temporarily
preventing the server from answering more connections. This will allow the threads with active connections to finish, release
resources, and eventually resume answering again once sufficent resources are available.
If the process got an error during socket accept and did not terminate the thread and eliminate the surplus, it might be possible to
get into a tight busy loop, which contantly tries to accept a connection yet fails with EMFILE. This would slow down or prevent other
threads with active connections from completing normally and possibly hang the process.
ERR #603 terminating excess thread th=%u cn=%u
INFO #604 smtpf 2.2 Copyright 2006, 2009 by SnertSoft. All rights reserved.
INFO #605 LibSnert %s %s
INFO #606 SQLite %s Public Domain by D. Richard Hipp
INFO #904 Built on " _BUILT);
Version and copyright notices.
ERR #608 siq-score-discard number must -1 to disable, or 0..99
ERR #609 siq-score-reject number must -1 to disable, or 0..99
ERR #610 siq-score-tag number must -1 to disable, or 0..99
INFO #615 siq score=%d confidence=%d ttl=%u text='%.83s'
ERR #616 %s
INFO #618 siq-score=%d less than %ld, discarding message
See siq-score-reject, siq-score-tag, and siq-servers options.
ERR #628 server I/O error: %s (%d)
While trying to send a reply back to the client, the server had an I/O error. Typical cause is "broken pipe", ie. the connection with the
client was lost, most likely due to the client voluntarily dropping the connection. A lot of spamware reacts on the first digit of the
response, dropping the connection as soon as it gets a 4xy or 5xy indication and ignoring the rest.
Sometimes the client might disconnect during the welcome banner, because of an option like smtp-slow-reply which impose
http://www.snertsoft.com/smtp/smtpf/syslog.html (10 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
delays. A lot of spamware is impatient and will drop the connection as a result.
INFO #635 client [%s] has CNAME/PTR delegation %s",
INFO #636 client [%s] has CNAME/PTR delegation %s",
INFO #637 start %s [%s] f="%s" th=%u cn=%u cs=%lu",
The start of the session after the client IP checks, but before the welcome banner. When the verbose option is set to an empty
string (terse mode), then the information found here is available in the session "end" log line only.
ERR #639 client %s [%s] I/O error: %s (%d)
The client appears to have disconnected. A read error occured in the SMTP command loop. Similar to "server I/O error" in nature.
Typical cause is "broken pipe", ie. the connection with the client was lost, most likely due to the client voluntarily dropping the
connection. A lot of spamware reacts to the last response they receive, dropping the connection if they get a 4xy or 5xy reply.
Sometimes the client disconnects during the welcome banner, because of an option like smtp-slow-reply which imposes delays.
A lot of spamware is impatient and will drop the connection as a result.
INFO #644 dropping %s [%s] after %d errors
See smtp-drop-after option.
ERR #646 spamd connect error "%s": %s (%d)
ERR #649 spamd write error: %s (%d)
WARN #656 spamd-max-size=%ld reached
ERR #657 spamd write error after %lu bytes
ERR #659 spamd read error: %s (%d)
ERR #661 spamd error: %s
ERR #663 spamd parse error: %s
ERR #664 spamd read error: %s (%d)
ERR #667 %s
INFO #668 %s
Assorted spamd errors from the 1.0 version of the spamd module.
INFO #670 spamd disabled this message
ERR #671 spamd connect error "%s": %s (%d)
ERR #675 spamd write error: %s (%d)
An I/O error trying to connect or send to spamd. See spamd-socket option.
ERR #682 spamd open error "%s": %s (%d)
An error trying to open a temporary message file to forward to spamd. See save-dir option.
WARN #684 spamd-max-size=%ld reached
The size of the message passed to spamd have been reached. No additional data will be passed to spamd. See spamd-maxsize.
ERR #685 spamd read error: %s (%d)
An I/O error while reading from spamd. See spamd-socket option.
http://www.snertsoft.com/smtp/smtpf/syslog.html (11 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
ERR #687 spamd parse error: %s
ERR #689 spamd parse error: %s
The response from spamd does not match the current supported protocol.
ERR #690 spamd read error: %s (%d)
An I/O error while reading from spamd. See spamd-socket option.
INFO #692 spamd %s [%s] %s
A summary of the spamd score for a message.
ERR
ERR
ERR
ERR
ERR
ERR
ERR
#706 stats-map get key={%s} failed
#708 stats-map key={%s} value={%s} truncated
#710 statsSave() field name buffer overflow caught
#711 statsSave() buffer overflow caught
#878 stats-http-post request buffer overflow
#879 stats-http-post error: %s
#714 stats-map=%s open error: %s (%d)
See stats-map option.
INFO #715 hourly %s was=%lu now=%lu
INFO #716 runtime %s was=%lu now=%lu
Logging of change in high water marks. See STAT command.
INFO #880 hourly %s was=%lu now=%lu
INFO #881 runtime %s was=%lu now=%lu
Not used at this time.
INFO #717 sender %s f="%s" spf-mail=%s spf-helo=%s x="%s"
The start of a message transaction. This line gives a summary of sender highlights. It cannot be suppressed. The fields are: f=
flags, spf-mail= SPF result for the MAIL FROM: argument, spf-helo= SPF result for the HELO argument, and x= SMTP response.
INFO #718 recipient %s f="%s" x="%s"
This line gives a summary of recipient highlights. It cannot be suppressed. The fields are: f= flags and x= SMTP response.
INFO #719 data f="%s" x="%s"
The start of message content. It cannot be suppressed. The fields are: x= SMTP response.
WARN #851 removed previous instance of header "%s"
INFO #720 message <%s> f="%s" b=%lu r=%u m=%s %sx="%s"
The end of a message transaction. This line gives a summary of message highlights. It cannot be suppressed. The fields are: f=
flags, b= bytes sent for the message, r= RCPT TO: count, m= smtpf message-id, s= the subject header, and x= SMTP response.
INFO #721 end i=%s p="%s" f="%s" h="%s" m=%u/%u b=%lu t=%lu %s
The end of a connected client's session. This line gives a summary of client information. It cannot be suppressed. The fields are: i=
connected client IP, p= client PTR name, f= session flags, h= HELO argument, m= MAIL FROM: count, b= bytes sent during the
session, t= session time in seconds, and p0f= p0f information.
INFO #722 signal %d, slow quit cn=%u
http://www.snertsoft.com/smtp/smtpf/syslog.html (12 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
INFO #722 signal %d, stopping sessions, cn=%u
INFO #723 signal %d, terminating process
smtpf is going through the process of shutting down.
INFO #724 signal %d received, cn=%u
A special signal not currently acted upon was received. Normally this message should never be seen.
INFO #725 signal %d, terminating process
smtpf is going through the process of shutting down.
ERR #726 sigaltstack() failed, size=%lu: %s (%d)
A fatal initialisation error occured while setting up signal handlers.
ERR #727 user "%s" not found
ERR #728 group "%s" not found
ERR #729 chown("%s", "%s", "%s") error: %s (%d)
Failure to set user and group ownership on a specific file or directory.
ERR #730 chmod("%s", %o) error: %s (%d)
Failure to set file permission on a specific file or directory.
ERR #731 unlink("%s"): %s (%d)
During process termination, the process pid file could not be removed. See run-pid-file option.
INFO #732 terminated
ERR #733 no previous instance running: %s (%d)
Generated when restart-if action was issued and no previous instance could be found to restart, in which case the process will not
start.
ERR #734 host info error: %s (%d)
A fatal initialisation error while trying to obtain the host and network interface details of the machine smtpf is running on, such as
host name and IP address.
ERR #735 fork failed: %s (%d)
ERR #736 set process group ID failed: %s (%d)
A fatal initialisation error while trying to become a daemon (background) process by detatching from the controlling terminal. The daemon option can be used to run smtpf as a foreground application.
WARN #738 %s increased to %ld
INFO #764 URI %s %s
See the access-map concerning the Body: tag.
ERR #785 discarded: %s
See uri-bl-policy option.
ERR #795 verbose word list too long
INFO #798 signal %d, stopping sessions, cn=%lu
INFO #799 signal %d, terminating process
INFO #802 terminated
http://www.snertsoft.com/smtp/smtpf/syslog.html (13 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
ERR #807 %s quit error %d
- TOP Copyright 2006, 2009 by SnertSoft. All rights reserved.
BarricadeMX trademark & patents pending.
http://www.snertsoft.com/smtp/smtpf/syslog.html (14 of 14)5/4/2009 1:58:01 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf 2.2.15
«An SMTP Filtering Proxy»
SMTP Replies
Below is a list of smtpf reply messages in numerical order, with a brief
explination and/or a link to the documentation where the options responsible are
explained in more detail.
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
Local MTA
■ Local Route
■ FORWARD &
RELAY
■ by
domain
■ by mail
■ Call-Ahead
■ AcceptThenBounce
■ AUTH Support
■ ETRN Support
b. The Access Map
■ Lookup
Sequences
■ Tags
■ About Delay
Checks
■ Right Hand Side
Values
■ Action Words
■ Pattern Lists
■ !Simple
Patterns!
■ /Regular
Expression
Patterns/
c. The smtpf.cf File
■ Avast! AV
■
550 5.7.1 host %s [%s] %s #120
There is a Connect: tag entry for either the client name or IP
address with a right-hand-side value of REJECT. See access-map.
450 4.7.1 host %s [%s] %s #853
There is a Connect: tag entry for either the client name or IP
address with a right-hand-side value of TEMPFAIL. See access-map.
550 5.7.1 host %s [%s] %s #854
There is a Connect: tag entry for either the client name or IP
address with a right-hand-side value of IREJECT. See access-map.
550 5.7.1 host %s [%s] from RFC2606 reserved
domain #121
See rfc2606-special-domains.
550 5.7.1 host %s [%s] from unknown TLD #122
See reject-unknown-tld.
550 5.7.1 host %s [%s] sender <%s> %s #125
There is a Connect:From: combo tag entry for either the client
name and sender pair or client IP address and sender pair with a righthand-side value of REJECT. See access-map.
450 4.7.1 host %s [%s] sender <%s> %s #814
There is a Connect:From: combo tag entry for either the client
name and sender pair or client IP address and sender pair with a righthand-side value of TEMPFAIL. See access-map.
http://www.snertsoft.com/smtp/smtpf/reply.html (1 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
550 5.7.1 host %s [%s] sender <%s> %s #855
There is a Connect:From: combo tag entry for either the client
name and sender pair or client IP address and sender pair with a righthand-side value of IREJECT. See access-map.
550 5.7.1 sender <%s> %s #127
There is a From: tag entry for the sender address or their domain with
a right-hand-side value of REJECT. See access-map.
450 4.7.1 sender <%s> %s #815
There is a From: tag entry for the sender address or their domain with
a right-hand-side value of TEMPFAIL. See access-map.
550 5.7.1 sender <%s> %s #856
There is a From: tag entry for the sender address or their domain with
a right-hand-side value of IREJECT. See access-map.
550 5.7.1 sender <%s> from RFC2606 reserved
domain #128
See rfc2606-special-domains.
550 5.7.1 sender <%s> from unknown TLD #129
See reject-unknown-tld.
550 5.7.1 routed address relaying denied #131
See reject-percent-relay.
550 5.7.1 UUCP addressing denied #132
See reject-uucp-route. smtpf currently does nothing special with
UUCP paths, so disabling this option will have undefined results.
550 5.7.1 special case of at-sign in local-part
denied #133
See reject-quoted-at-sign.
550 5.7.1 host %s [%s] recipient <%s> %s #135
There is a Connect:To: combo tag entry for either the client name
and recipient pair or client IP address and recipient pair with a righthand-side value of REJECT. See access-map.
450 4.7.1 host %s [%s] recipient <%s> %s #816
There is a Connect:To: combo tag entry for either the client name
and recipient pair or client IP address and recipient pair with a righthand-side value of TEMPFAIL. See access-map.
550 5.7.1 sender <%s> recipient <%s> %s #137
There is a From:To: combo tag entry for a sender and recipient pair
http://www.snertsoft.com/smtp/smtpf/reply.html (2 of 13)5/4/2009 1:58:04 PM
Support
■ Cache Options
■ Call-Backs
■ Clam AV
Support
■ Command-Line
Interface
■ Client IP
Address
■ Concurrency &
Rate
■ DNS Based Lists
■ Delay Checks
■ EMEW
■ F-Prot AV
Support
■ Grey Listing
■ Grey Content
■ SMTP HELO
Testing
■ Network
Interface
■ Length & Limits
■ RFC
Conformance
■ Run Settings
■ Server
Performance
■ SIQ Support
■ SMTP Options
■ SpamAssassin
Support
■ SPF Support
■ Statistics
■ URI Blacklists
■ Verbose
Logging
d. Option Summary
E. Runtime
a. Command Line Options
b. Runtime Configuration
c. The Cache File
The Cache
Structure
d. The Stats File
■ The Stats
Structure
e. Log Messages
■
SnertSoft - smtpf/2.2
with a right-hand-side value of REJECT. See access-map.
f. SMTP Replies
F. Glossary
450 4.7.1 sender <%s> recipient <%s> %s #817
There is a From:To: combo tag entry for a sender and recipient pair with a right-hand-side value of TEMPFAIL. See accessmap.
550 5.7.1 recipient <%s> %s #139
There is a To: tag entry for sender's address with a right-hand-side value of REJECT. See access-map.
450 4.7.1 recipient <%s> %s #818
There is a To: tag entry for sender's address with a right-hand-side value of TEMPFAIL. See access-map.
550 5.7.1 recipient <%s> from RFC2606 reserved domain #140
See rfc2606-special-domains.
550 5.7.1 recipient <%s> from unknown TLD #141
See reject-unknown-tld.
550 5.7.0 message contains blocked file attachment (%s) #826
See deny-content, deny-content-type, deny-content-name, and deny-compressed-name options.
451
451
451
451
451
451
451
451
4.4.0 avastd address error: %s (%d) #149
4.4.0 avastd open error: %s (%d) #150
4.4.0 avastd connect error: %s (%d) #151
4.4.0 avastd read error: %s (%d) #153
4.4.0 avastd buffer overflow #154
4.4.0 avastd write error: %s (%d) #156
4.4.0 avastd read error: %s (%d) #158
4.4.0 avastd read error: %s (%d) #160
See avastd-socket and avastd-timeout.
550 5.7.1 %s #162
The avastd daemon found a virus or suspicious content in the message. See avastd-policy.
451
451
451
451
451
451
451
451
451
451
451
451
451
451
4.4.0 clamd address error: %s (%d) #178
4.4.0 clamd open error: %s (%d) #179
4.4.0 clamd connect error: %s (%d) #180
4.4.0 clamd buffer overflow #181
4.4.0 clamd write error: %s (%d) #183
4.4.0 clamd write error: %s (%d) #185
4.4.0 clamd read error: %s (%d) #186
4.4.0 clamd session port "%s" parse error #188
4.4.0 clamd address error: %s (%d) #189
4.4.0 clamd session open error: %s (%d) #190
4.4.0 clamd session connection error: %s (%d) #191
4.4.0 clamd session write error after %lu bytes #196
4.4.0 clamd session write error after %lu bytes #199
4.4.0 clamd session read error: %s (%d) #204
See clamd-socket and clamd-timeout.
http://www.snertsoft.com/smtp/smtpf/reply.html (3 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
451 4.4.0 unexpected clamd result: %s #206
The clamd daemon returned an unexpected result. This may be due to unexpected changes in the clamd protocol between program
updates or data corruption over the network (assuming clamd runs on a different machine).
550 5.7.1 %s #208
The clamd daemon found a virus or suspicious content in the message. See clamd-policy.
%d %d.7.0 %s #224
The CLI child process standard output and standard error are used for specifying a multiline response. See cli-content and clienvelope.
550 5.7.1 recipient <%s> expired #244
550 5.7.1 recipient <%s> invalid #245
221 2.0.0 %s closing connection #247
The connected client sent an SMTP QUIT command. The server will now close the connection.
500 5.5.1 %s command unknown #248
An unknown command was sent.
501 5.5.2 %s missing argument #249
The specified command requires one or more arguments.
502 5.5.1 %s not implemented #250
The given command is specified in a known RFC, but not supported.
503 5.5.1 %s out of sequence #251
The specified command was sent out of order with respect to other commands expected before this command. For example HELO
or EHLO must be issued and accepted before the first MAIL FROM:; a successful MAIL FROM: must be sent before any RCPT TO:
commands; and there must be at least one successful RCPT TO: before the DATA command will be accepted. See RFC 2821 for
details. Other SMTP command extensions may impose similar sequence restrictions, such as AUTH (RFC 2554) after EHLO and
before MAIL FROM:.
550 5.7.1 client %s [%s] is schizophrenic #252
The client has sent HELO or EHLO more than once with different arguments each time.
502 5.5.1 EHLO not supported #253
When the smtp-enable-esmtp option is off, we force the client to down grade to the older HELO command per RFC 2821.
250-Hello %s [%s] #254
550 5.7.1 client %s [%s] is schizophrenic #255
The client has sent HELO or EHLO more than once with different arguments each time.
250 Hello %s [%s] #256
http://www.snertsoft.com/smtp/smtpf/reply.html (4 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
501 5.5.1 AUTH cancelled #259
501 5.5.1 AUTH cancelled #264
502 5.5.1 AUTH not supported #827
See smtp-auth-enable documentation.
503 5.5.1 already authenticated #267
RFC 2554 states that once a client successfully authenticates, additional AUTH commands are rejected.
504 5.5.4 unknown AUTH mechanism #269
smtpf only supports AUTH PLAIN and AUTH LOGIN mechanisms.
235 2.0.0 authenticated #274
The client has successfully authenticated and their messages will be queued by the local route. See route-map documentation.
535 5.7.0 authentication failed #275
458 4.4.0 unable to queue messages for %s #276
SMTP ETRN commands are sent to the local route, which is responsible for queuing. See route-map documentation.
%s #277
After an SMTP ETRN command, this is the response relayed from the one of local route servers.
553 5.5.2 rejected sender %s %s #279
The SMTP MAIL FROM: address could not be correctly parsed according to the strict application of one or more RFC 2821
grammar rules. See rfc2821-line-length, rfc2821-local-length, rfc2821-domain-length, rfc2821-literal-plus, rfc2821strict-dot.
501 5.5.2 syntax error #280
The RFC 2821 grammar for the MAIL FROM: command does not allow for white space between the FROM: and the <address>
argument. When they appear it is typically a virus or spamware sign. See rfc2821-extra-spaces.
%d %d.1.0 sender <%s> denied #282
The forward host rejected or temporarily failed the sender.
250 2.1.0 sender <%s> accepted #283
553 5.5.2 rejected recipient %s %s #284
The SMTP RCPT TO: address could not be correctly parsed according to the strict application of one or more RFC 2821
grammar rules. See rfc2821-line-length, rfc2821-local-length, rfc2821-domain-length, rfc2821-literal-plus, rfc2821strict-dot.
501 5.5.2 syntax error #285
The RFC 2821 grammar for the RCPT TO: command does not allow for white space between the TO: and the <address>
argument. When they appear it is typically a virus or spamware sign. See rfc2821-extra-spaces.
550 5.7.1 null recipient invalid #286
The SMTP client specified RCPT TO:<>
http://www.snertsoft.com/smtp/smtpf/reply.html (5 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
451 4.0.0 cannot forward mail for <%s> at this time #287
550 5.7.1 recipient <%s> relaying denied #288
The SMTP client is attempting to relay mail for an unknown recipient domain. Domains that smtpf is responsible for is specified in
the route-map. Either the domain has not yet been added, was removed, or the SMTP client is hoping that the server is an open
relay.
250 2.1.5 recipient <%s> accepted #290
550 5.7.1 recipient <%s> unknown #292
A call-ahead to a down stream host rejected the recipient. See route-map about RCPT: attribute.
550 5.7.1 recipient <%s> relaying denied #293
The SMTP client is attempting to relay mail for an unknown recipient domain. Domains that smtpf is responsible for is specified in
the route-map. Either the domain has not yet been added, was removed, or the SMTP client is hoping that the server is an open
relay.
451 4.0.0 cannot forward mail for <%s> at this time #295
We are responsible for this domain, but had a connection error with the forward host.
550 5.7.1 recipient <%s> relaying denied #296
The SMTP client is attempting to relay mail for an unknown recipient domain. Domains that smtpf is responsible for is specified in
the route-map. Either the domain has not yet been added, was removed, or the SMTP client is hoping that the server is an open
relay.
250 2.1.5 recipient <%s> accepted #297
%s #299
See relay-reply option. The whole reply from the forward host is relayed to the client.
%srecipient <%s> denied #300
See relay-reply option. Only the reply codes from the forward host are relayed to the client with a standardise reason.
554 5.7.0 transaction failed #306
While forwarding a message for a single recipient, the forward host rejected the message.
451 4.4.0 transaction aborted #307
While forwarding a message for a single recipient, the forward host returned a temporary failure of the message.
554 5.5.2 content line too long (%ld); RFC 2821 section 4.5.3.1 #321
See rfc2821-line-length.
501 5.5.4 %s requires restart #323
Some options cannot be changed during runtime. Modify the /etc/smtpf/smtpf.cf options file, then restart the smtpf process.
214 2.0.0 killing session %s #324
http://www.snertsoft.com/smtp/smtpf/reply.html (6 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
550 5.0.0 session %s killed #325
504 5.5.4 session %s not found #326
The session given to KILL was not found. It probably terminated before this command was entered or there is a typo in the session
ID given.
421 4.7.1 client %s [%s] too many concurrent connections, max=%ld #329
See the access-map concerning the Concurrent-Connect: tag.
550 5.7.0 message contains blocked MIME part (%s) #870
550 5.3.4 duplicate message rejected #340
550 5.7.1 DSN or MDN in response to an old message #357
See the emew-ttl option.
550 5.7.1 DSN or MDN for message that did not originate here #358
See the emew-secret and emew-dsn-policy options.
421 4.4.0 client %s [%s] unknown #363
The Four21 module is experimental and is only present at select test sites. See four21-unknown-ip option.
This is a RFC 2821 conformance test. Check if the connecting client IP that has never been seen before. If it has not, then 421 the
connection and observe if they send a clean QUIT (as specified in RFC 2821), pipeline, or disconnect. If the latter two occur, then
the IP is auto-blacklisted.
554 5.4.0 client %s [%s] "No soup for you!" #364
The Four21 module is experimental and only present at select test sites. This response (a reference to the Sienfeld Soup Nazi
episode) is the reply given if the client IP failed the 421 test and was subsequently auto-blacklisted. See four21-unknown-ip
option.
451
451
451
451
451
451
4.4.0 fpscand address error: %s (%d) #367
4.4.0 fpscand open error: %s (%d) #368
4.4.0 fpscand connect error: %s (%d) #369
4.4.0 fpscand buffer overflow #370
4.4.0 fpscand write error: %s (%d) #372
4.4.0 fpscand read error: %s (%d) #373
See fpscand-socket and fpscand-timeout.
550 5.7.1 %s #376
The fpscand daemon found a virus or suspicious content in the message. See fpscand-policy.
550 5.7.1 %s [%s] failed grey listing #388
421 4.4.5 client %s [%s] connections %ld exceed %ld/60s #522
See the access-map concerning the Rate-Connect: tag.
421 4.4.3 PTR record lookup error for [%s] #415
554 5.7.1 reject [%s] missing PTR record #416
See client-is-mx and client-ptr-required options.
http://www.snertsoft.com/smtp/smtpf/reply.html (7 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
550 5.7.1 reject IP in client name %s [%s] (1) #418
See client-is-mx and client-ip-in-ptr options.
501 5.5.4 invalid HELO %s #423
The HELO or EHLO argument contains include characters in the string. The set of valid characters are alpha-numerics, hyphen,
underscore, square brackets, and dot. There is no option to turn this test off.
550 5.7.0 HELO %s does not match client %s [%s] #424
See helo-ip-mismatch option.
550 5.7.0 HELO %s from RFC2606 reserved domain #427
See rfc2606-special-domains option.
550 5.7.0 HELO %s argument must be a FQDN or IP-domain literal #428
See rfc2821-strict-helo option.
550 5.7.0 %s [%s] claims to be us "%s" #430
See helo-claims-us option.
550 5.7.0 HELO %s equivalent to client IP-in-PTR #432
See helo-is-ptr option.
553 5.1.8 sender <%s> from %s has no MX record #434
See mail-require-mx option.
451 4.4.3 sender <%s> from %s MX lookup error #436
See mail-require-mx option.
553 5.1.8 sender <%s> from %s MX invalid #439
The MX list gathered from DNS is pruned to remove hosts that resolve to localhost, RFC 3330 reserved IP addresses that cannot
be reached from the Internet, or have no A/AAAA record. This message is reported if the MX list is empty after pruning.
451 4.1.8 sender <%s> from %s MX lookup error #907
The MX list gather from DNS had one or more A/AAAA records that returned a SERVFAIL result. See mail-require-mx option.
550 5.7.1 too many recipients for DSN or MDN #441
See one-rcpt-per-null option.
553 5.1.8 sender <%s> from %s has no MX record #443
See mail-require-mx option.
553 5.1.8 sender <%s> from %s MX invalid #445
The MX list gathered from DNS is pruned to remove hosts that resolve to localhost, RFC 3330 reserved IP addresses that cannot
be reached from the Internet, or have no A/AAAA record. This message is reported if the MX list is empty after pruning.
451 4.4.3 sender <%s> from %s MX lookup error #447
See mail-require-mx option.
http://www.snertsoft.com/smtp/smtpf/reply.html (8 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
550 5.7.1 reject [%s] missing PTR record (2) #449
See client-is-mx and client-ptr-required options.
550 5.7.1 reject IP in client name %s [%s] (2) #450
See client-is-mx and client-ip-in-ptr options.
550 5.7.1 too many recipients for DSN or MDN #452
See one-rcpt-per-null option.
554 5.6.0 message headers must be US-ASCII, found 0x%.2X; RFC 2822 section 2.2 #456
See rfc2822-7bit-headers option.
Date:", ID_ARG(sess));
See rfc2822-strict-date option.
Message-ID:", ID_ARG(sess));
See rfc2822-min-headers option. The Message-ID is not correctly formatted according to RFC 2822 grammar.
Received:", ID_ARG(sess));
Resent-Date:", ID_ARG(sess));
See rfc2822-strict-date option.
554 5.6.0 missing RFC 2822 required headers #462
See rfc2822-min-headers option.
451 4.7.1 %s has exceeded %ld message%s per %ld %s%s #475
See the access-map concerning the Msg-Limit-Connect:, Msg-Limit-From:, Msg-Limit-To: tags.
451 4.4.2 internal network error for %s #481
An error occurred while sending an SMTP command to a forward host.
451 4.4.2 internal network error for %s #485
An error occurred while reading an SMTP reply from a forward host.
451 4.4.4 no answer from %s MX #488
While attempting to perfom a call-back, there was no answer from any of the MX servers tried. See call-back option.
553 5.4.4 %s does not exist #489
451 4.4.3 %s MX lookup error #491
While attempting to perfom a call-back, there was an error looking up the MX records of the sender's domain. See call-back
option.
550 5.4.4 no acceptable MX for %s #493
While attempting to perfom a call-back, the MX list gathered from DNS was pruned to remove hosts that resolve to localhost, RFC
3330 reserved IP addresses that cannot be reached from the Internet, or have no A/AAAA record. This message is reported if the
MX list is empty after pruning. See call-back option.
http://www.snertsoft.com/smtp/smtpf/reply.html (9 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
451 4.4.4 no answer from %s MX #496
While attempting to perfom a call-back, there was no answer from any of the MX servers tried. See call-back option.
451 4.4.3 %s %s #498
553 5.4.4 %s %s #499
While attempting to perfom a call-back, there was an error looking up the MX records of the sender's domain. See call-back
option.
550 5.4.4 no acceptable MX for %s #501
While attempting to perfom a call-back, the MX list gathered from DNS was pruned to remove hosts that resolve to localhost, RFC
3330 reserved IP addresses that cannot be reached from the Internet, or have no A/AAAA record. This message is reported if the
MX list is empty after pruning. See call-back option.
550 5.7.1 null-sender messages %ld for <%s> exceed %ld/60s #505
See the access-map concerning the Null-Rate-To: tag.
421 4.4.5 client %s [%s] connections %ld exceed %ld/60s #522
See the access-map concerning the Rate-Connect: tag.
550
550
550
250
5.7.0 %s [%s] black listed by %s #525
5.7.0 IP [%s] in header black listed by %s #873
5.7.0 %s [%s] black listed by %s #530
2.0.0 OK #547
Generic response that indicates the command was accepted.
214 2.0.0 end #548
Generic end of a multiline response.
250 2.0.0 proceed #507
There is is a delayed rejection/drop response that will be reported when the RCPT TO: is sent. See smtp-delay-checks.
421 4.3.0 internal server error #549
451 4.3.0 internal server error #550
421 4.3.2 system resources exceeded #551
Some serious condition such as out-of-memory, no more disk space, or similar resource related issue has occured. The connected
client will be dropped as it is not possible to proceed until the condition has been resolved by the destination postmaster.
451 4.7.0 try again later #552
This is a generic response, typicall issued by grey-listing during the grey-temp-fail-period, however other tests such as SIQ
support may also issue this response.
450 4.4.5 try again later #553
This is an alternate response issued by grey-content after the grey-temp-fail-period when the hashed message content does
not match previously saved message hash.
250 2.0.0 message %s accepted #554
http://www.snertsoft.com/smtp/smtpf/reply.html (10 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
The message transaction has reached the final dot to end the message and was accepted for delivery.
550 5.7.1 message %s rejected #555
The message transaction has reached the final dot to end the message and was NOT accepted for delivery.
%d %d.7.0 sender <%s> verification failed #572
A call-back to the sender's MX failed to validate their address. See call-back option.
451
451
451
451
451
451
4.4.0 savdid address error: %s (%d) #832
4.4.0 savdid open error: %s (%d) #833
4.4.0 savdid connect error: %s (%d) #834
4.4.0 savdid read error: %s (%d) #836
4.4.0 savdid write error: %s (%d) #837
4.4.0 savdid read error: %s (%d) #839
See savdid-socket and savdid-timeout.
451 4.4.0 savdid read error: %s (%d) #841
See savdid-socket and savdid-timeout.
451 4.4.0 savdid buffer overflow #842
451 4.4.0 savdid write error: %s (%d) #844
550 5.7.1 %s #847
The savdid daemon found a virus or suspicious content in the message. See savdid-policy.
550 5.7.1 message rejected, SIQ score %d too low #617
See siq-score-reject option.
501 5.5.4 <%s> SIZE exceeds RFC 1870 max. length #903
552 5.3.4 <%s> (%lu bytes) exceeded max. message size of %lu bytes #901
550 5.3.4 %s [%s] (%lu bytes) exceeded max. message size of %lu bytes #625
See the access-map concerning the Length-Connect:, Length-From:, Length-To: tags.
550 5.3.3 pipelining not allowed #643
See the access-map concerning the Connect: tag.
220 %s %sSMTP #632
A stripped down single line welcome banner sent to only localhost, LAN, and relays.
220%c%s %sSMTP %s #633
The first line of possible a multiline welcome banner.
500 5.5.2 RFC 2821 max. command line length exceeded (%ld) #640
See rfc2821-command-length.
500 5.5.2 %s [%s] sent non-printable characters in SMTP command #641
SMTP commands and their arguments can only consist of printable ASCII characters.
550 5.3.3 pipelining not allowed #643
http://www.snertsoft.com/smtp/smtpf/reply.html (11 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
See the access-map concerning the Connect: tag.
550 5.7.1 %s #666
See spamd-score-reject option.
550 5.7.1 message was already marked as spam by sender #678
See spamd-reject-sender-marked-spam and spamd-score-reject options.
550 5.7.1 message was already marked as spam by sender #679
See spamd-sender-marked-spam option.
550 5.7.1 %s #693
See spamd-score-reject option.
%s HELO %s from %s [%s] SPF result %s; %s #701
See spf-helo-policy option.
%s sender <%s> via %s (%s [%s]) SPF result %s; %s #702
See spf-mail-policy option.
550 5.7.1 recipient <%s> black listed #886
A time-limited recipient has expired and was rejected. See time-limit-delimiters.
URI host %s in non-existant domain #740
URI domain %s where NS %s contains IP %s in name #741
See uri-ip-in-ns and uri-bl-policy options.
URI domain %s where NS %s in non-existant domain #743
See uri-ns-nxdomain and uri-bl-policy options.
URI domain %s lookup timeout #744
See uri-reject-on-timeout and uri-bl-policy options.
URI domain %s does not exist (%s) #745
See uri-reject-unknown and uri-bl-policy options.
URI host %s contains IP %s in %s #746
See uri-ip-in-name and uri-bl-policy options.
URL host %s is missing a PTR #748
See uri-require-ptr and uri-bl-policy options.
black listed %s by %s #762
See ns-bl, uri-bl, uri-dns-bl, and uri-bl-policy options.
http://www.snertsoft.com/smtp/smtpf/reply.html (12 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
URI %s %s #763
See the access-map concerning the Body: tag.
host is an IP in URL %s #765
See uri-require-domain and uri-bl-policy options.
broken URL "%s": %s #766
See uri-links-policy option.
URI per message limit exceeded #781
See uri-max-limit option.
550
450
URI
550
550
5.7.1 rejected URI NS, %s #894
4.7.1 URI %s SOA lookup error #919
%s invalid SOA (%d) #000
5.7.1 rejected content, %s #895
5.7.1 rejected client %s [%s], %s #790
See uri-bl-ptr option.
550 5.7.1 rejected PTR NS, %s #790
550 5.7.1 rejected HELO, %s #792
See uri-bl-helo option.
550 5.7.1 rejected MAIL FROM, %s #794
See uri-bl-mail option.
550 5.7.1 rejected MAIL NS, %s #900
- TOP Copyright 2006, 2009 by SnertSoft. All rights reserved.
BarricadeMX trademark & patents pending.
http://www.snertsoft.com/smtp/smtpf/reply.html (13 of 13)5/4/2009 1:58:04 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
Glossary
AUTH
DNS
Authentication. In the context of mail, SMTP AUTH (RFC 2554, 4954),
is an extension that allows for assorted different mechanisms to be
used to accept authentication creditials, ie. account name and
password details. Most common are LOGIN and PLAIN (RFC 2595,
4616), which are insecure clear text mechanisms support by most
MUA. Some others mechanisms include CRAM-MD5 (RFC 2195),
DIGEST-MD5 (RFC 2831), KERBEROS_V5 (RFC 4752).
Domain Name Service is a distributed database that acts a phone book
to the Internet. Typically used to map domain names and machine
names into IP addresses, though many other related pieces of
information can be found through the DNS. See RFC 1034, 1035.
DNS A or AAAA record
A domain name record used to map a domain name into an IPv4 or
IPv6 address. This is the opposite to a PTR record discussed below.
See RFC 1035, 3596.
DNS MX record
A mail exchange record that specifies where mail destined for a domain
name should be sent. See RFC 1035 and 2821.
DNS PTR record
A domain name pointer record used to map an IP address into a
domain name. This is the opposite to an A or AAAA record. See RFC
1035.
DNS TXT record
A domain name text record used to store arbitrary text or binary data.
Used by many DNS blacklists for comments and for SPF tests. See
RFC 1035.
http://www.snertsoft.com/smtp/smtpf/glossary.html (1 of 4)5/4/2009 1:58:05 PM
A.
B.
C.
D.
Introduction
License & Support
Installation
Configuration
a. The Route Map
Local MTA
■ Local Route
■ FORWARD &
RELAY
■ by
domain
■ by mail
■ Call-Ahead
■ AcceptThenBounce
■ AUTH Support
■ ETRN Support
b. The Access Map
■ Lookup
Sequences
■ Tags
■ About Delay
Checks
■ Right Hand Side
Values
■ Action Words
■ Pattern Lists
■ !Simple
Patterns!
■ /Regular
Expression
Patterns/
c. The smtpf.cf File
■ Avast! AV
Support
■
SnertSoft - smtpf/2.2
DSN, NDR
Delivery Status Notification is more commonly referred to as a "bounce
message" or Non-Delivery Report. It provides a summary as to why a
messsage could not be delivered.
EMEW
FQDN
HTTP
IETF
Enhanced Message-ID as Email Watermark.
Full Qualified Domain Name is typically a host name of a machine
connected to the Internet that is three or more labels in length, such as
smtp.snertsoft.com. A host name may also be a domain
name, such as snertsoft.com or snertsoft.co.uk,
though such usage is frowned upon. While not strictly a FQDN, an IPdomain literal, which is an IP address between square brackets ([, ]),
for example "[192.0.2.9]" and can often be used in place of host
name.
Hyper-Text Transfer Protocol is used for requesting web resources
such as documents and images. See RFC 2616.
Internet Engineering Task Force is an open international
community concerned with the evolution of the Internet architecture and
the smooth operation; they review Internet Drafts and published RFC
documents, which typically pertain to interoperability over the Internet.
IPv6
MDN
MSA
MTA
Internet Protocol version 6, the successor to the original Internet
Protocol version 4. See RFC 3516.
Message Disposition Notification is the term for the various flavours of
"return receipts" defined by RFC 3798,
Mail Submission Agent is a special SMTP server that listens on port
587 and is the entry point for new mail into the mail system. It can
typically validate and/or authenticate the origin of the mail as coming
from a known user.
Mail Transfer Agent is an SMTP client/server that listens normally on
port 25 and handles the routing and delivery of mail between remote
locations. It makes up the backbone of the Internet mail system. When
smtpf is installed, it is configured to listen on port 25. Any MTA that was
previous configured to listen on port 25 of the same machine, has to be
configured to listen on an unused port, such as port 26; ideally only on
the localhost interface.
http://www.snertsoft.com/smtp/smtpf/glossary.html (2 of 4)5/4/2009 1:58:05 PM
Cache Options
■ Call-Backs
■ Clam AV
Support
■ Command-Line
Interface
■ Client IP
Address
■ Concurrency &
Rate
■ DNS Based Lists
■ Delay Checks
■ EMEW
■ F-Prot AV
Support
■ Grey Listing
■ Grey Content
■ SMTP HELO
Testing
■ Network
Interface
■ Length & Limits
■ RFC
Conformance
■ Run Settings
■ Server
Performance
■ SIQ Support
■ SMTP Options
■ Sophos AV
Support
■ SpamAssassin
Support
■ SPF Support
■ Statistics
■ URI Blacklists
■ Verbose
Logging
d. Option Summary
■
E. Runtime
a. Command Line Options
b. Runtime Configuration
c. The Cache File
The Cache
Structure
d. The Stats File
■ The Stats
Structure
■
SnertSoft - smtpf/2.2
MUA
MIME
RFC
e. Log Messages
f. SMTP Replies
Mail User Agent is the end user's mail program that is used to compose,
send, and read mail.
F. Glossary
Multipurpose Internet Mail Extensions used to specify how mail attachments can encoded and transfered using mail messages.
Also used for HTTP. There are many RFC documents pertaining to MIME. The initial set to start with are 2045, 2046, 2047, 2048,
2049, 2387, ...
Request For Comments: originally intended as published technical documents related to Internet operations that was intended to
solicit feedback. Now RFC are more formal documents providing information, approved standards, protocols, experimental options,
etc. New RFC documents start life as an Internet Draft to be discussed and are later voted on for approval, further review, or
dropped by the IETF.
Proxy or Gateway
An intermediary server or application that accepts requests from clients, screening and/or caching them, before forward the
requests to other proxy servers, origin servers, or services. Gateway is often used as a synonym for "proxy server".
SMTP
Simple Mail Transfer Protocol. See RFC 821, 822, 1870, 1985, 2554, 2821, 2822, 2920, 3463, 3848, 4954. 5321. 5322.
There are several other RFC documents for SMTP extensions not mentioned here.
Briefly, an SMTP session follows these states: connection, HELO/EHLO, AUTH, MAIL, RCPT, DATA, content, dot, QUIT. Each
successful MAIL command during the SMTP session starts a new message transaction, which ends when either the final dot is sent
or RSET is given. For each message, there can be more than one RCPT given.
Of the information obtained from each state, only the IP address of the SMTP client and each valid RCPT address specified can be
relied upon. Even then, the connecting IP might be questionable, because it's possibly in a dynamic IP address pool, the reverse
DNS of the IP is often poorly configured or non-existent, or the WhoIs information about IP and domain assignment might be
restricted, due to privacy concerns (RFC 3912). As for the other states, the HELO, MAIL, and message content can be
misrepresented or faked, and thus cannot be immediately trusted.
Most spam filtering techniques fall into two classes: those that act on the SMTP client's IP address and envelope information (preDATA) and those that act on the message content (post-DATA). This distinction is important, because once the DATA command is
accepted by the receiving server, it is generally committed to reading the entire message until the SMTP client indicates it has
finished. This, of course, consumes bandwidth and system resources, so several filtering techniques attempt to make a decision
based on policy or behaviour before accepting DATA in order to avoid/reduce more expensive forms of filtering after.
SPF
Sender Policy Framework is an experimental protocol. See RFC 4408.
TLD, gTLD, ccTLD
Global Top Level Domain such as .com, .net, and .org. In most cases Country Code Top Level Domain that have a
secondary level classification, for example .co.uk, .edu.au, or .gouv.fr can be lump together under TLD.
TTL
Time To Live is the life span for some piece of locally stored information before it expires and is retested or refetched. This value is
http://www.snertsoft.com/smtp/smtpf/glossary.html (3 of 4)5/4/2009 1:58:05 PM
SnertSoft - smtpf/2.2
typically expressed in seconds.
URI, URL, URN
Uniform Resource Identifiers, Uniform Resource Locators, and Uniform Resource Names are used to specify how and where an
object or resource can be found. See RFC 2396.
- TOP Copyright 2006, 2009 by SnertSoft. All rights reserved.
BarricadeMX trademark & patents pending.
http://www.snertsoft.com/smtp/smtpf/glossary.html (4 of 4)5/4/2009 1:58:05 PM
SnertSoft - smtpf/2.2
Barricade MX
smtpf/2.2
«An SMTP Filtering Proxy»
http://www.snertsoft.com/smtp/smtpf/BarricadeMX.html (1 of 2)5/4/2009 1:58:07 PM
SnertSoft - smtpf/2.2
Copyright 2006, 2009 by SnertSoft. All rights reserved.
http://www.snertsoft.com/smtp/smtpf/BarricadeMX.html (2 of 2)5/4/2009 1:58:07 PM