Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  SMTP-GATED.CONF (5)


smtp-gated.conf - The smtp-gated configuration file.


Main Options
Resource Control
Fixed Mode
Fixed+xclient Mode
Remote Ident Mode / Remote-udp Ident Mode
Getsockname Mode
Netfilter Mode
Tproxy Mode
Ipfw Mode
Ipfilter Mode
Pf Mode
Action Script
Authentication Control
Rate Limit
Command Filter
Messages Main
Messages Fake Msa Session
Messages Limits
Messages For Remote Ident Mode
Direct Proxy
Reporting Bugs
See Also


This manual describes smtp-gated v.


This file defines configuration to be used by daemon.

Options are placed one per line, and consists of option name, followed by number or spaces or tabs, and option value. Empty lines, and lines starting with # or ; (hash or semicolon) are ignored.

Tags in square brackets, show additional information for each variable. See EXPLANATION later in this manual.


proxy_name STRING
  Name that appears on communicates generated by daemon (usually errors, or session blocking). Use asterisk ’*’ to use host name as proxy_name.
bind_address IP [RESTART]
  Defines IP the daemon listes on.
  Defines listening TCP port.
outgoing_addr IP
  Defines IP for outgoing SMTP connections (this appears as source on MSA servers). This option has been renamed from source_addr.
pidfile FILE [RESTART]
  Defines .pid file path.
chroot_path PATH [RESTART]
  If this setting is defined, daemon chroot()’s to this path after forking. This allows to raise security.
set_user USER [RESTART]
set_group GROUP [RESTART]
  Daemon changes it UID/GID to the one defined for username and groupname. This setting does not allow to specify UID/GID as numbers yet. Do NOT run proxy as root, as this will break locking.
priority INT [RESTART]
  Daemon changes it’s priority when it’s defined. 0 means "no change". Values as in setpriority(2).
connect_queue INT
  Defines listen(2) backlog.
enfile_sleep UINT
  Sleep time in case ENFILE error occured.
on_takeover_cmds UINT
  Limit for commands issued by MUA after session takeover.
buffer_size UINT
  Defines buffer size (in bytes) to track SMTP sessions. Should be above 1500.
pipeline_size UINT
  Queue size for SMTP PIPELINING extension.
pid_hash_size UINT
host_hash_size UINT
  Controls hashing table size for PID and host counters. Usually there is no much sense to set it higher than max_connections.


limit_core_size INT
  Set core dump file size. Helps debugging unexpected problems :) "-1" means to leave system default setting. "0" turns off core dump completely. If this can not be changed at runtime, process does not terminate, logging error instead.
limit_virt_size INT
limit_data_size INT
limit_fsize INT
  Three above correspond to RLIMIT_AS, RLIMIT_DATA and RLIMIT_FSIZE in setrlimit(3). You should set this to higher values if you are getting "Not enought memory" errors (this can also happen upon memory leak).

Keep in mind, that all resource limits are inherited by child process, including action scripts.


Mode defined method, to discover destination IP addres to forward connection to. It differs obviously on different platforms, but there are couple of common modes, platform independent.

mode fixed|fixed+xclient|remote|remote-udp|getsockname|netfilter|tproxy|tproxy,netfilter|ipfw|ipfilter|pf [ONE,RESTART]
  Set operating mode "remote".

Supported modes are printed as USE_NAT with:

smtp-gated -V

In all modes except remote/remote-udp proxy must be running on the NAT machine itself to be able to determine destination IP. If you need to run proxy on separate machine, it’s possible to use policy routing to reroute all SMTP traffic through proxy machine. This machine should be running in NAT mode specific to OS (netfilter/ipfw/ipfilter/pf/getsockname/tproxy), and act as "router" for SMTP traffic only.

If you use Linux on your router, then it’s possible to run proxy on other machine (not necessarily Linux), if you run proxy-helper on the router (see for details).

Special mode tproxy,netfilter is runtime conditional. It is changed for every new connection to netfilter for private IPs (,,,, and to tproxy for routable IPs (the rest).


In this mode, all connections are forwarded to one, fixed MSA. This may be used to filter SMTP traffic just before ISP SMTP server. Use it, if you want to protect your SMTP server from outside world.

fixed_server IP
  IP of MSA to connect to.
fixed_server_port PORT
  Port to connect to.


Accepts the same options as FIXED MODE. Uses XCLIENT to impersonate client to MSA. Allows prefiltering for postfix (v2.3 or later) as (almost) transparent proxy.


In this mode, daemon is running on dedicated server, serving protection for couple of routers. For each incoming connection, lookup is performed on source IP, to discover destination IP. REMOTE requires patched ident daemon (not public yet), and therefore is useless for most users. REMOTE-UDP uses so called proxy-helper.

remote_port PORT
  Port to lookup ident and destination IP.
remote_udp_retries INT
  Number of retries for UDP lookup
remote_udp_secret INT
  Secret used for simple authentication


Last resort -- try it if your OS is not supported elsewhere. Should it not run, you’ll receive ’avoiding loop’ in your logs.


Linux netfilter mode. All connections are forwarded to original MSA. Netfilter connection tracking is used for destination IP lookup. This mode was formerly enabled by "use_netfilter" option.


Linux/netfilter TPROXY module support (since for spoofing source address. This way proxy preserves source IP of client (useful for public addresses). Please note, that all port 25 traffic needs to flow through the proxy. It’s not a problem if you install smtp-gated on your "main" Linux router. If you use some external router, you need to redirect the traffic to proxy interface.

You need to have proper kernel header and modules to enable it (linux/netfilter/xt_TPROXY.h existing probably under /usr/include), and depdends on kernel version. Works for 2.6.32 and maybe earlier. See ./configure summary.

# NAT module must be loaded iptables -t nat -N placeholder # packets for proxy need to be tproxied iptables -t mangle -N divert iptables -t mangle -A divert -j MARK --set-mark 1 iptables -t mangle -A divert -j ACCEPT iptables -t mangle -A PREROUTING -p tcp -m socket -j divert iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 9199 # packets for tproxy need to be rerouted ip rule add fwmark 1 lookup 100 ip route add local dev lo table 100

Please note that when nf_conntrack_ipv4 module is loaded on 2.6.32 (and maybe on others), I’ve seen delay during connection setup, and tcpdump shows double TCP SYN+ACK, with only the second being accepted, thus introducing delay during connection setup. Connection continues normally. It’s probably some tproxy code fault.

Be aware, that if you use external router to redirect only SMTP traffic to proxy host, you have all the traffic seen twice. Let’s say the client IP is connects to MSA, and the proxy is 1. client sends packet from to via router 2. the packet is routed through (having source and destination intact) 3. the proxy accepts connection, does some internal magic and creates *new* connection with source and destination 4. proxy host sends it’s own version of packet from to through router 5. router should route the new packet to the MSA according to normal routing table 6. MSA replies through router to proxy 7. proxy does the reverse magic and replies through router to client

So, the packet flow is like:

client <=1/7=> proxy <=3/6=> MSA

As you can see there are two kind of packets (client<=>proxy and proxy<=>MSA) that seem to be identical. It’s your job, to setup the routers policy routing.


FreeBSD ipfw mode. All connections are forwarded to original MSA. ipfw connection tracking is used for destination IP lookup.


*BSD Packet filter mode. All connections are forwarded to original MSA. ipfilter connection tracking is used for destionation IP lookup.


FreeBSD PacketFilter mode. All connections are forwarded to original MSA. pf connection tracking is used for destination IP lookup. Proxy needs to have proper permissions to /dev/pf.


statefile FILE
  Defined file which will contains status.
statefile_perm OCT
  Statefile mode passed to open(2).
statefile_type human|flat|slots [MULTI]
  Defined status format. Flat is preferred for parsing, human is preferred to be read by humans :) By adding "slots" you can see current slot assignment and statistics for each session.

Status file is written on SIGUSR1: see smtp-gated(8).


When virus/SPAM is found, user’s IP or IP+ident can be blocked for certain time. After that time, lock is removed, and user is allowed to use SMTP again. Lockfile has name same as IP, or IP "-" IDENT if ident is used.

Administrator can prevent locking some IP (IP+ident), by creating corresponding lock file with owner other than daemon runs on. This lock file is not automatically deleted. Contents is ignored, so it can be description, or sth else.

lock_on virus|spam|maxhost|maxident|dnsbl|regex|earlytalk|ratelimit|never [MULTI]
  Set events locking occurs for. See max_per_host, max_per_ident.
lock_duration INT [s]
  Time the lock persists. 0 disables locking, -1 means lock forever (or: until manually unlocked).
lock_path PATH
  Directory for lock files.
lock_perm OCTAL
  Lock files permissions as for open(2). Octal value must be preceded by zero.

NOTE: Lock files are checked (and eventually removed) for every incoming connection. This means that they will exist after expiration, until next connection from its "owner". In particular, they can be left forever, if user won’t use SMTP any more. You can use crontab to remove stale locks like this (though it’s not necessary for proxy to funcion properly):

  find /var/spool/smtp-gated/lock -type f -user smtpgw -mtime +30 -exec rm {} \;


Action script is called when virus or spam is found, and if host/ident limit is reached. If locking is used, action_script is called only when lock is created (once until unblocked). This makes sure, that script is called only once for a specified period (until lock expires). Script is obviously called with proxy UID/GID.

Despite of actions taken by script (i.e. firewall-level user lock), you should set lock_duration high enough (i.e. 15 seconds), to prevent connection-flood translate to action-flood (scripting is as expensive as fork() and shell expansions).

If you have strange problems with action scripts (ENOMEM or ENFILE), that seem to work well when executed manually, read about resource control above. This will have impact especially on language interpreters like perl.

action_script FILE
  Defines path to script called when virus/spam is found.

All parameters for action_script are passed via environment variables:

  proxy name as defined in proxy_name in config file [>=1.4.12-rc7]
FOUND contains word "VIRUS" or "SPAM", "MAX_HOST", "MAX_IDENT".
  virus name if virus found.
  spam score if spam found.
  source IP.
  source port.
  target (SMTP server) IP.
  target (SMTP server) port.
  local (proxy) IP as redirected.
  local (proxy) port as redirected.
IDENT source ident [REMOTE].
  connections count from particular host+ident [REMOTE].
  SMTP "MAIL FROM" line, stripped.
  total number of mail recipients in session (not transaction).
SIZE message size [bytes].
  transaction number, starting from 1.
AUTH authentication flags bitmap: 1=supported, 2=accepted, 4=rejected; see AUTH_FLAG_* in src/smtp-gated.h
  spool file name.
  lock file name.
TIME time of connection start, human readable text.
  time of connection start, unix timestamp.


spool_path PATH
  Directory for temporary message files.
spool_perm OCTAL
  Temporary files permissions as for open(2). Octal value must be preceded by zero.
spool_leave_on error|spam|virus|never|always [MULTI]
  Set events, spool file is left for. If set to "never", spool is always deleted. If you choose "always" please note that for multi-transactional session, only the last mail is saved. Spools are also removed if they exceed size limit or if there’s error during file write (including but not limited to drive full).


All timeouts are specified in seconds.

timeout_direct UINT
  Timeout for direct proxy session. This type of session is used on TLS connections.
timeout_lookup UINT [REMOTE]
  Timeout for lookup.
timeout_scanner UINT
  Timeout for antivirus scanner engine.
timeout_spam UINT
  Timeout for antispam scanner engine.
timeout_session UINT
  Timeout for fake session (when virus/SPAM is blocked).
timeout_idle UINT
  Timeout for idle sessions. Prevents stale connections.
timeout_connect UINT
  Timeout for connecting to remote MSA.


Proxy can limit access to MSA, according to SMTP AUTH support and state. For now, there is no way to whitelist host or MSA.

auth_require no|ifsupported|mandatory [ONE]
  Set authorization requirements:

no                      do not require any authorization, pass all messages. ifsupported             require authorization if MSA advertises support for it. If authorization is not advertised, mail is passed. If authorization is advertised, mail is passed only if client has authorized successfully. mandatory               require authorization for all connections. It MSA does not support authorization, no mail is passed.

Authentication state is logged in "CLOSE by=... auth=N", where N is bitwise OR for following values:

  1                       MSA supports auth (advertised in EHLO response) 2                       user authenticated successfuly 4                       user authentication failed (rejected by MSA)

auth_skip none|direct|antivir|antispam|dnsbl|regex [MULTI]
  Skip checking/scanning if session is authenticated. direct is special one: after authentication, session goes to DIRECT PROXY mode. Using any other option together with direct obviously makes no sense. Note that ’auth_skip dnsbl’ delays dnsbl rejection to MAIL FROM stage (as opposite to connect stage).


All sizes are specified in bytes. Loadavg limits can be disabled by specyfing zero, but this is not recommended.

max_connections UINT [RESTART]
  Total maximum connections.
max_per_host UINT
  Maximum connections per source IP (see also: lock_on maxhost).
max_per_ident UINT [REMOTE]
  maximum connections per IP+ident (see also: lock_on maxident).
max_load FLOAT
  Reject connections if load is above this setting.
size_limit UINT
  Limit maximum message size. 0=disabled (default).
scan_max_size UINT
  av-scan messages with size up to this limit.
spam_max_size INT
  SPAM-scan messages with size up to this limit. Should spam scanning be turned off, set it to 0 (default).
spam_max_load FLOAT
  Don’t SPAM-scan messages if load above this setting.
spam_threshold FLOAT
  Treat message as SPAM if it’s score is equal/greater than this value.


ignore_errors BOOL
  Continue when possible even if error occured (i.e. virus scanner failure).


Daemon logs messages via syslog, facility daemon.

log_helo BOOL
  Logs HELO/EHLO issued by client.
log_mail_from accepted|rejected|base64|off [MULTI]
  Client MAIL FROM logging options:

  off             do not (log) accepted        log if address is accepted by MSA rejected        log if address is rejected by MSA base64          log as base64 encoded md5 hash of e-mail

log_rcpt_to [MULTI]
  Client RCPT TO logging mask. (see log_mail_from).
email_length UINT
  MAIL FROM/RCPT TO email length limit (before optional md5 encoding).
log_level debug|info|notice|warning|err|alert|emerg|crit [ONE,RESTART]
  Defined log level, as used by syslog(3):

crit    Emergency messages (highest priority) emerg   Critical, requires intervention alert   Critical messages err     Errors warning Warnings notice  Normal, but significiant messages info    Informational messages debug   Debugging messages (lowest priority)

log_facility user|mail|daemon|auth|news|authpriv|local0|local1|local2|local3|local4|local5|local6|local7 [ONE,RESTART]
  Defined log facility, as used by syslog(3).


  Header injected into message stream header (sent to MSA); default is "X-NAT-Received" [>=1.4.12-rc5]
nat_header_type none|simple|ip-only ONE, OLD: (nat_header)
  Turns on/off injecting X-NAT-Received headers to messages. [>=1.4.12-rc5]

none    no (header) ip-only         include only source IP in header generic         generic header (MSA-like)

  Header injected into message spool header (not sent to MSA, visible in AV-scanner and AS-scanner), default is "X-Proxy-Spool-Info" [>=1.4.12-rc5]
abuse STRING
  Sets "abuse" info in full X-NAT-Received header.


scanner_path FILE
  not used.
antivirus_type off|clamd|mksd [ONE]
  Choose antivirus to use. "off" means no scanning.
antivirus_path SOCKET
  Path for clamd socket.
antispam_type off|spamassassin [ONE]
  Choose antispam to use. "off" means no scanning.
antispam_path SOCKET
  Path for spamd socket.
dspam_storage PATH
  DSPAM storage home.


dnsbl zone,zone,[...]
  Check incoming connections on specified DNSBL lists. Probably makes sense for FIXED MODE only. See also: lock_on dnsbl


Check messages against SPF. IP used for SPF verification depends on spf option.

spf none|incoming|outgoing|fixed [ONE]
  Enables SPF checking.

none    SPF turned off incoming        check against client incoming-IP, probably useful for mode fixed only. outgoing        check against proxy outgoing-IP (outgoing_addr), probably useful for NAT-mode only. fixed   check against static IP defined by spf_fixed_ip

spf_log_only yes|no
  Logging only of SPF results, no mail rejection.

spf_fixed_ip IP
  Static IP used by spf fixed only. Useful if proxy is behind NAT.


regex_enforce_helo REGEX
regex_enforce_mail_from REGEX
regex_enforce_rcpt_to REGEX

Rejects HELO/MAIL FROM/RCPT TO if don’t match regex_enforce_*.

regex_reject_helo REGEX
regex_reject_mail_from REGEX
regex_reject_rcpt_to REGEX

Rejects HELO/MAIL FROM/RCPT TO if they match regex_reject_*.

Please note, regex matching occurs only when corresponding command is given. As a result, it is not possible to check if there was no HELO/EHLO. See also: auth_skip regex, lock_on regex.


Earlytalker means MUA which starts to send SMTP commands before the greeting from MSA. This is SMTP protocol violation and no legitimate mail software should do that.

earlytalker BOOLEAN
  Enable/disable earlytalker rejection.
lock_on earlytalker
  Enable locking earlytalkers.


Limits for client per time-period.

ratelimit_path PATH
  Path for ratelimit files ("database"). If rate limiting is enabled, these get rewritten for every connection, so it’s probably a bad idea to put them on any kind of Flash (SSD) drive.

ratelimit_period SECONDS
  Time period for limits. 0 disables rate limiting entirely.

ratelimit_generation UINT
  Generation is saved in ratelimiting structures together with ratelimit_* limits. Limits are updated only if this generation is increased. Recomended format is YYYYMMDDHHMMSS. To setup personalised limit, write them with really high generation (no tool for this yet).

ratelimit_connections INT
ratelimit_sessions INT
ratelimit_recipients INT
ratelimit_bytes INT
  Limit per duration limits for each client (host or host+ident). Limit database is saved into ratelimit_path directory. Setting any limit to 0 disables that limit, and setting duration to 0 disables all limits.
ratelimit_mailfrom_rejects UINT
ratelimit_rcptto_rejects UINT
ratelimit_auth_rejects UINT
  Limits on MAIL FROM, RCPT TO and AUTH rejected by MSA.

See also: lock_on ratelimit.


If client sends any command before MSA greeting, gets kicked. Current implementation does not delay the greeting by itself, but relies on the MSA.

earlytalk BOOL
  enable/disable earlytalk check (enabled by default) See also: lock_on earlytalk


forbid_starttls BOOL
  Forbid entering TLS mode.


All messages sent to user are customisable.

locale NAME
  Changes locale of system errors from strerror(3). See setlocale(3). Does not change messages generated by daemon itself.


  Virus found in message.
  User locked, virus or SPAM found before.
  SPAM found in message.
  Virus name substituted, when it’s unknown.
  Spooling file name problem.
  Spool creation failed.
  Pipeline queue full.
  Scanner has failed.
  Cannot connect to MSA.
  Connection to MSA timed out.
  Out of memory


  Hello message.
  Signing off.
  Virus found, please end the session.
  Session timed out.
  Protocol error.
  Fake MSA transaction failed.
  Unimplemented command (SMTP verb).
  Service temporarily unavailable.


  Total connections limit reached, try again later.
  Connections limit for IP reached, try again later.
  Connections limit for IP+ident reached, try again later.
  System load too high, try again later.


msg_malformed_ip [REMOTE]
  Malformed IP received
  Lookup failed.
  Lookup timed out.
  Invalid lookup response format.
  Lookup failed, not enough memory.


Direct proxy is a mode where proxy simply passes traffic between client and MSA without any interaction or processing. This of course means, that any checks/limits/quota/etc are ignored. You cannot force this mode by config (it would be pointless to have the proxy), however proxy enters this mode if:

1. STARTTLS is successfully requested by the client (proxy couldn’t process encrypted traffic anyway)
2. auth_skip direct is set and client has successfully authenticated to the MSA.

As the traffic in direct proxy mode is not processed, this means less overhead to the proxy host.


These are popular Questions and Answers:

Q1: Antispam is not working! What is wrong?
  You must change max_spam_size to something above 0 to turn on antispam scanning. It’s set to 0 by default, and this means turning antispam off. Also, set antispam_type.

Q2: Spammers don’t get locked! What is wrong?
  If you want to block spammers, set "lock_on spam[,...]", and see Question#1.

Q3: I wanted to block some user by creating lockfile manually, but now his traffic is not even scanned!
  Creating lockfile with owner other than proxy process runs with, will protect that host from being locked. The contents of file does not matter.

Q4: My header is invalid after upgrading!
  nat_header changed into nat_header_type since 1.4.12-rc5, so after upgrade header will not be injected unless you rename it in configuration file.

Q5: I don’t have idents in my logs or headers, why?
  It simple -- ident is used in REMOTE IDENT mode, which is currently not available.

Q6: I don’t see X-NAT-Received header in mails, why?
  Please remember, that mail sent with TLS is not scanned. Also, check nat_header_type directive in your config file, and nat_header (see MANGLING above).

Q7: When X-Virus-Scan and/or X-Spam-Status headers will be supported?
  The answer is: never. Reason is simple -- proxy is passing-thru email headers and body. Because headers are sent first, we can’t predict spam-score or virus presence. The main assumption for this project was not to buffer mail before forwarding, so this option won’t appear.

Q8: I have many locks left, even if they should be gone long time ago!
  Please see note for the LOCKING.

Q9: Host gets locked, lock file appears, but he can still send e-mails!
  Please *do not* run proxy as root, and set set_user properly. If you do, remove all locks manually.

Q10: action_script does not work!
  Please read about ACTION SCRIPT. Script will not be called once the lock exists. If you were testing "by hand" by writing some text to some log file, make sure the script has permissions to write to it too, i.e. by temporarily doing chmod a+rw on that log file. You should also check if disabling limit_* variables will do the trick, and if the answer is yes, try to set them high enough for script needs.

Q11: spamassassin gets timeout
  Please check if "spamd -L" resolves this issue.

Q12: clamd fails with: SCAN:FAILED [...] result=lstat() failed.
  Antispam and antivirus scanners need to have access to spool files (spool_path, spool_perm). If you want to seal your setup, you can add clamav user smtpgw group, and deny other to access the spool directory.

Q13: action script does not seem to work well when executed by smtp-gated, possibly failing with ENFILE or ENOMEM
  Read notes about resource control and action scripts.



changed: source -> incoming
added: fixed


added options:
renamed options:
source_addr -> outgoing_addr
changed options:
auth_skip: "regex", "dnsbl" added
lock_on: "regex", "dnsbl" added

1.4.14-rc2:   renamed options:

dumpfile -> statefile
dumpfile_perm -> statefile_perm

1.4.14-rc1:   Changed many configuration options. Please review your previous configuration using:

smtp-gated -t /path/to/smtp-gated.conf


If you are willing to sent me a bug report, please check manuals first to ensure you have configured properly. In report, please include:

1. output of "smtp-gated -V"
2. config file (as attachment if big)
3. full logs related to e-mails sent, with "log_level debug"
4. optional mail header (as sent from proxy).

If you get ’unknown option’ or ’invalid value’ errors, you can list all supported options with supported values by running:

smtp-gated -T


INT Signed integer
UINT Unsigned number; can be specified as decimal, octal (beginning with 0), or hexadecimal (beginning with 0x or 0X)
BOOL Boolean (0, 1)
FLOAT Floating-point number
IP Valid IP address
PORT Valid IP port
STRING Arbitrary text string
PATH Valid directory name
FILE Valid file name
SOCKET UNIX socket or TCP socket. UNIX socket must begin with backslash ("/"), otherwise path is considered TCP socket and must be submitted in following form: ip:port (i.e.
[ONE] Only one value allowed.
  Multiple values allowed, comma separated (do NOT insert any white space before comma).
  This option needs full restart to take effect.
  This option affects REMOTE IDENT MODE only.


MSA Mail Submission Agent





Bartlomiej Korupczynski <>

Search for    or go to Top of page |  Section 5 |  Main Index

Bartlomiej Korupczynski SMTP-GATED.CONF (1) 2013-02-26

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.