Unacceptable HELO/EHLO greeting strings.
qmail-smtpd will reject every connection attempt
if the client MTAs HELO/EHLO greeting compares with
a wildmat pattern provided in
badhelo in case the environment variable
HELOCHECK is set.
badhelo checks have precedence over DNS lookups.
DNS lookups can be avoided, if the announced
HELO/ELO greeting string is concatinated
with a trailing ! and included in
Unacceptable envelope sender addresses.
qmail-smtpd will reject every recipient address for a message
if the envelope sender address is listed in
badmailfrom. A line in
badmailfrom may be of the form
@host, meaning every address at
host. Additionally, any envelope sender address can be filtered
with a wildmat check:
A badmailfrom file with this contents reject all mail from Earthlink except from firstname.lastname@example.org. It also rejects all mail with addresses like: email@example.com and firstname.lastname@example.org. Further, any mail with a sender address containing a percent sign (%) is rejected.
This implementation recognises appended addresss in badmailfrom allowing to reject mails with particluar spoofed domain addresses:
(1) The address is appended with a -. Now, if TCPREMOTEHOST equals unknown, mails with the corresponding address are rejected (badmailfromunknown).
(2) The address is appended with a =. In case TCPREMEOTEHOST is set mails, whose domain part of the envelope addresses not matching the corresponding entry are rejected (badmailfromwellknown).
(3) The address is appended with a +. If RELAYCLIENT is not set and the sender address matches a corresponding entry (anti-spoofing for internal addresses).
(4) The address is enhanced with a leading ~. This requires a (left to right partial) matching of TCPREMOTEHOST with the domain part of the envelope address. Thus, this specific entry in badmailfrom uses TCPREMOTEHOST in the first place (badmailfrommismachteddomains).
(5) The address is enhanced with a leading ?. Emails with the corresponding sender address pass by all further badmailfrom tests including the MFDNSCHECK check.
Note: The enhanced addresses are not subject of the wildmat check and are evaluated in lower-case.
The wildmat check is done in the order: Least significant to most significant. Example:
|Unacceptable base64 loader types in the message. qmail-smtpd will reject every message if 5 significant characters (eg. Mi5kb) anyware in the base64 encoded attachment is identical to those compiled into badloadertypes.cdb. Use qmail-badloadertypes to derive badloadertypes.cdb from badloadertypes. In order to make the search efficient, all bad loader types have to start with the same character (eg. "M"). The control file badloadertypes.cdb is evaluated if the environment variable BADLOADERTYPE is set to the first character according to the contents of badloadertypes.|
|Unacceptable base64 encoded MIME types in message. qmail-smtpd will reject every message if the first 9 significant characters (eg. TVqQAAMAA) of any of its embedded MIME types is identical with one compiled into badmimetypes.cdb. Use qmail-badmimetypes to derive badmimetypes.cdb from badmimetypes. The control file badmimetypes.cdb is evaluated if the environment variable BADMIMETYPE is set. In addition, irregular BASE64 attachments carrying whitespaces can be rejected defining BADMIMETYPE=!.|
|Unacceptable envelope recipient addresses. qmail-smtpd will reject every incoming message if the envelope recipient address is listed in badrcptto. This control file is complementary to badmailfrom. A line in badrcptto may be of the form @host, meaning every address at host. badrcptto employes the same filtering logic for the envelope recipient as badmailfrom. Effectively, badrcptto allows a "whitelisting" of envelope recipient addresses:|
Maximum number of bytes allowed in a message,
or 0 for no limit.
If a message exceeds this limit,
qmail-smtpd returns a permanent error code to the client;
in contrast, if
the disk is full or
qmail-smtpd hits a resource limit,
qmail-smtpd returns a temporary error code.
databytes counts bytes as stored on disk, not as transmitted through the network. It does not count the qmail-smtpd Received line, the qmail-queue Received line, or the envelope.
If the environment variable DATABYTES is set, it overrides databytes.
|Replacement host name for local IP addresses. Default: me, if that is supplied. qmail-smtpd is responsible for recognizing dotted-decimal addresses for the current host. When it sees a recipient address of the form box@[d.d.d.d], where d.d.d.d is a local IP address, it replaces [d.d.d.d] with localiphost. This is done before rcpthosts.|
Extra allowed RCPT domains.
morercpthosts both exist,
morercpthosts is effectively appended to
You must run qmail-newmrh whenever morercpthosts changes.
Rule of thumb for large sites: Put your 50 most commonly used domains into rcpthosts, and the rest into morercpthosts.
|Acceptable "Mail From:" addresses for RELAYCLIENTs are included here. Use qmail-mfrules to derive|
Allowed RCPT domains.
rcpthosts is supplied,
qmail-smtpd will reject
any envelope recipient address with a domain not listed in
Exception: If the environment variable RELAYCLIENT is set, qmail-smtpd will ignore rcpthosts, and will append the value of RELAYCLIENT to each incoming recipient address.
rcpthosts may include wildcards:
Envelope recipient addresses without @ signs are always allowed through.
List of external resources providing acceptable,
full-qualified envelope addresses
('RCPT to: <recip@domain>')
to be used for recipient verification
during the SMTP session.
The external sources can be either fastforward compliant cdbs including the envelope addresses, where the path to a cdb has to be referenced relative to Qmails home directory - or - checkpassword compatible Plugable Authentication Modules (PAM), receiving the envelope address on FD 3 as recip@domain\0\0\0 and returning 0 in a case of success and 1 in case of failure. The use of a PAM is indicated with a delimiting | and it will be called with up to five additional parameters; while a cdb follows a :, which can be omitted.
The list of external sources is consulted line-by-line for each recipient envelope address until the first positive answer, or a final negative response is encountered. Which external source to be queried, depends on the domain part of the recipient envelope address specified on the left side of the recipients file, while the external resource is provided right from the delimitor.
The addresses domain part is evaluted in lower-case. An exact domain match can be encompassed by means of a leading @. The * is a generic wildcard for all domains. Specific domains can be excluded from the lookup by means of a leading !; thus all recipient addresses are accepted for this domain. Additionally, a !* can be used as wildcard for all domains not encountered before in recipients (pass-thru).
A recipients file is always constructed like domain:cdb,domain|pam, or simply cdb:
Note: Excluded domains starting with a ! should be placed in the beginning of the recipients file for performance reasons, while the pass-thru statement !* has to be on the last line. The recipients check is applied after the rcpthosts evaluation.
qmail-recipients may be used to construct a users/recipients.cdb from users/recipients.
The qmail-smtpd recipients mechanism supports Qmails address extension (VERP). Unqualified envelope recipients are appended with '@localhost'.
|SMTP greeting message. Default: me, if that is supplied; otherwise qmail-smtpd will refuse to run. The first word of smtpgreeting should be the current hosts name.|
Number of seconds
qmail-smtpd will wait for each new buffer of data from the remote SMTP client.
The control files rcpthosts, morecpthosts, recipients, badhelo are "conditional" control files and evaluated only if the environment variable RELAYCLIENT is not set. On the other hand, mailfromrules.cdb is only taken into account, if RELAYCLIENT is set. This allows qmail-smtpd to relay mail messages from local clients and to filter mails with certain SMTP envelope conditions originating from particular clients ("Split Horizon"). Other conditional control files are badloadertypes, badmimetypes which depend on the setting of the corresponding environment variables.
Environment variables may be defined globally in the qmail-smtpd startup script and/or individually as part of the tcpservers cdb database. The environment variables may be quoted ("variable", or variable) and in case of global use, have to be exported. qmail-smtpd supports the following legacy environment variables, typically provided by tcpserver or sslserver or tcp-env: TCPREMOTEIP, TCPREMOTEHOST TCPREMOTEINFO and TCPLOCALPORT as well as RELAYCLIENT. Additionally, with SPAMCONTROL qmail-smtpd may use several environment variables for different purposes.
Controlling the SMTP EHLO/EHLO:
Controlling the SMTP Mail From:
HELOCHECK= enables a check of the provided HELO/EHLO greeting against the content of the control file badhelo. In case no HELO/EHLO greeting is given, SMTP connections can be rejected, if HELOCHECK=! is set. Checks on the presence and the content of the HELO/EHLO greeting string is facilitated, setting HELOCHECK=.. To enforce the match of the HELO/EHLO greeting with the remote hosts FQDN ( TCPREMOTEHOST), use HELOCHECK==. HELOCHECK=A|HELOCHECK=M enable DNS A/MX lookup for the HELO/EHLO greeting string. In addition, the HELO/EHLO string is checked against the content of badhelo.
Controlling the SMTP RCTP TO:
LOCALMFCHECK is used to enable a "Mail From:" address Verification (MAV) for RELAYCLIENTs. Thus, the domain part of the "Mail From:" envelope sender address has to match an entry in rcpthosts or morercpthosts control files, if not explicitly defined otherwise.
If LOCALMFCHECK=! is set, the control file mailfromrules.cdb is evaluated and the MAV is facilitated employing the environment variables TCPREMOTEINFO, TCPREMOTIP, or TCPREMOTEHOST as a key. However, if LOCALMFCHECK== is provided, TCPREMOTEINFO (i.e. set by Auth) has to match the "Mail From:" envelope address (case insensitive). Alternativley, using LOCALMFCHECK=? the email address embedded in the DN of a X.509 client is used and compared against the "Mail From:" envelope address. Of course, this requires sslserver to request a client cert for mutual authentication.
Note: Adding a qualifier to LOCALMFCHCEK, the entire "Mail From:" address is verified; not only the domain part.
MFDNSCHECK enable DNS MX lookup for the domain part of the "Mail From:" envelope sender address.
Controlling the email body:
MAXRECIPIENTS is the number of Rcpt To:s qmail-smtpd will accept in a SMTP session. If MAXRECIPIENTS ist not set, any number is allowed. TARPITCOUNT is the number of Rcpt To: qmail-smtpd accepts before it starts tarpitting. Default: 0 which means no tarpitting. TARPITDELAY tarpitdelay is the time in seconds of delay to be introduced after each subsequent Rcpt To:.
Smart Rejection Notes: If TARPITCOUNT is set and TARPITDELAY = 0 (default) qmail-smtpd will issue after recognising TARPITCOUNT invalid Rcpt To: a Recipient failure; thus additional Rcpt Tos will not be accepted. If, however TARPITCOUNT is set and TARPITDELAY = 999 qmail-smtpd will issue after TARPITCOUNT invalid Rcpt To: a Recipient failure
RECIPIENTS450 tells to issue a SMTP reply 450 (temporary rejection) instead the default 550 in case the recipient was not listed in any recipients cdb. REPLYMAV allows the setting of customized SMTP reply messages in case of a MAV mismatch.
Environment variables for SMTP authentication:
BADLOADERTYPE=c tells qmail-smtpd to evalute the control file badloadertypes.cdb with the starting string c. If BADLOADERTYPE=- is set, the check is disabled. In case BADLOADERTYPE=+ is defined, the check is disabled for RELAYCLIENTS. BADMIMETYPE see control file badmimetypes.cdb. In case BADMIMETYPE=- is set; badmimetypes.cdb is not considered; thus the check is disabled. Providing BADMIMTETYPE=+ the check is disabled if in addition RELAYCLIENTS are recognized.
BASE64 tells QHPSI to enable virus checking only if a base64 encoded attachment was identified. DATABYTES see control file databytes. QHPSI is used by qmail-smtpd to supply the name of the virus scanner and its path.
Setting up the TLS/STARTTLS environment:
SMTPAUTH is used to enable SMTP Authentication for the AUTH types LOGIN and PLAIN. In case SMTPAUTH=+cram is defined, qmail-smtpd honors LOGIN, PLAIN, and additionally CRAM-MD5 authentication. Simply SMTPAUTH=cram restricts authentication just to CRAM-MD5. If however SMTPAUTH=! starts with an exclamation mark, AUTH is required. You can enforce Submission using this option and binding qmail-smtpd to the SUBMISSION port '587. In particular, SMTPAUTH=!cram may be useful. In opposite, if SMTPAUTH=- starts with a dash, AUTH is disabled for particular connections. Note: The use of cram requires a CRAM-MD5 enabled PAM.
Other environment variables used:
UCSPITLS enables encrpyted SMTP communication via STARTTLS in case sslserver is provided. In case UCSPITLS=! is set, STARTTLS is required; while setting UCSPITLS=- disables STARTTLS. Further, UCSPITLS=@ may be defined to force a X.509 cert to be presented for client authentication.
DELIVERTO mail address for special recipients. RBLSMTPD feed from rblsmtpd including the information received from the inquired RBL hosts and displayed as X-RBL-Info: message header. SPFINFO feed from a SPF enabled pre-processor including the following information: SPFINFO=result|identity|clientip|helo|envelopefrom|receiver|problem|mechanism|. These are included into a SPF-Received: message header by qmail-smtpd.
By means of the following environment variables, the SMTP session an be interrogated:
HELOHOST the HELO/EHLO greeting of the SMTP client. AUTHPROTOCOL the ESMTPA protocol uses for authentication. AUTHUSER the supplied username for authentication. MAILFROM containes the received "Mail From:" address. RCPTTO containes all received "Rcpt To:" addresses separated by blanks. TCPREMOTEINFO in authentication mode set to the accepted username. SSL_* information from sslserver , if applicable.
tcp-env(1), tcp-environ(5), qmail-control(5), qmail-inject(8), qmail-newmrh(8), qmail-newbmt(8), qmail-recipients(8), qmail-smtpam(8), qmail-mfrules(8), qmail-queue(8), qmail-remote(8), qmail-send(8), tcpserver(8), and sslserver(8).
The patch enabling the ESMTP AUTH and STARTTLS option is not part of the standard qmail-1.03 distribution. This man-page describes the options of qmail-1.03 in addition with the SPAMCONTROL 2.7 patch.