Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
asmtpd.conf(5)		      Mail Avenger 0.8.5		asmtpd.conf(5)

       asmtpd.conf - Avenger SMTP Daemon configuration file

       asmtpd.conf is the configuration	file for asmtpd(8), the	Mail Avenger
       mail server.  The file contains a series	of directives, where each
       directive takes zero or more arguments.	Blank lines and	lines
       beginning with "#" (for comments) are ignored.  If a line ends with the
       "\" character, the "\" is ignored and the following line	is appended.
       In this way you can break a long	list of	argument over multiple
       "continuation" lines.

       Arguments are separated by spaces.  However, you	can include space in
       an argument by surrounding the argument with double-quote (""")
       characters.  A backslash	("\") followed by any other character is
       interpreted as that character.  Thus, a literal """ or "\" character
       can be included as "\"" or "\\",	and an alternative to putting double
       quotes around an	argument with spaces is	simply to put a	"\" before
       each space.

       If you change asmtpd.conf while asmtpd is running, you must send	it a
       SIGHUP signal for it to read the	new changes.  (Note, however, that
       asmtpd will re-read the AliasFile, DomainFile, or SPFHostsFile
       automatically if	you change these.)

       The rest	of this	man page details the various directives.  Directives
       are case-insensitive.  Depending	on the directive, the arguments	may or
       may not be case sensitive.

       Separator Character
	   This	is the only option that	probably needs to be set at all	sites.
	   Character is	a single character that	separates usernames from the
	   rest	of the local part of an	email address.	For example, with
	   sendmail, mail for <name+extra@host.domain> is usually delivered to
	   user	name.  Thus, a "+" should be specified for Character.  With
	   qmail, it is	<name-extra@host.domain> that belongs to user name
	   (though routing is handled differently).  Thus, qmail users will
	   want	to specify "-".	 The default is	not to have a separator.  This
	   is probably wrong for most sites, but is a lot less bad than
	   selecting the wrong character!

       Hostname	name
	   "Hostname" specifies	the hostname that asmtpd should	use in the
	   SMTP	protocol.  Ordinarily, this name should	map to the IP address
	   of your server (or one of the IP addresses of your server).	The
	   default is to use the local hostname	(as returned by	the
	   "gethostname" system	call), with the	default	DNS domain name
	   appended if your hostname does not include any "." characters.

       LogPriority priority
	   This	directive sets the priority with which diagnostic messages are
	   sent	to the system log.  The	default	value is "".

       LogTag tag
	   This	directive sets the tag for syslog messages generated by
	   asmtpd.  The	default	tag is empty.  Note that by default most
	   messages except those created by Debug options already contain

       EtcDir directory
	   Sets	the directory in which asmtpd will search for various
	   configuration files,	including aliases, domains, and	spfhosts (see
	   below), as well as four special rule	files run under	the
	   AvengerUser UID:  default, unknown, secondary, and relay.

	   The file unknown consists of	avenger	rules that get run for any
	   local user that does	not exist in the password file,	or that	exists
	   but has a UID of 0 (root), or that exists but has an	invalid	shell
	   (not	listed in /etc/shells).	 These rules are not run for normal
	   users, even if those	users do not have a .avenger directory.

	   The default file consists of	rules that are run after the rules in
	   unknown or after the	rules in a user's .avenger directory, so long
	   as these rules did not immediately reject, defer, accept, redirect,
	   or bodytest the mail.  If a user does not have a .avenger
	   directory, the rules	in default are always run.

	   The secondary ruleset contains rules	that are run if	MxLocalRcpt
	   has been set	to 1, mail is received for user@hostname, and the mail
	   server is an	MX record for hostname,	but not	the highest priority
	   MX record.  If the ruleset does not exist or	simply exits, the
	   default is to spool the mail.

	   The relay ruleset consists of rules that are	run when mail is
	   received for	user@hostname where hostname is	not in the domains
	   file	(and, if MxLocalRcpt is	1, the server is not an	MX record for
	   hostname).  In such circumstances, if the sender address is local,
	   asmtpd will first attempt to	execute	an appropriate "mail" (as
	   opposed to the usual	"rcpt")	ruleset	in the user's .avenger
	   directory.  If that ruleset does not	exist or simply	exits, or
	   hostname is not local, then asmtpd runs relay.  If the rules	in
	   relay simply	exit or	the file does not exist, the default is	to
	   reject the mail.

	   The default value of	EtcDir is /etc/avenger.

       BindAddr	IP-address [port-no]
	   "BindAddr" specifies	the IP address on which	the server should
	   listen.  The	default	is (INADDR_ANY), meaning to accept
	   incoming connections	on any IP address.  By default the server uses
	   TCP port 25,	but port-no can	be also	specified to chose a different
	   port	number.

       MaxClients val
	   Specifies the maximum number	of concurrent TCP connections from
	   clients that	asmtpd should allow.  The default value	is 60.

       MaxConPerIP val
	   Specifies the maximum number	of incoming TCP	connections asmtpd
	   should accept from a	single IP address.  The	default	value is 10.

       SMTPFilter prog
	   Specifies the name of a program asmtpd can invoke to	enable packet
	   filtering of	incoming SYN packets from a particular IP address for
	   the SMTP port (25 by	default).  Note	that this program should
	   filter only TCP packets to the SMTP port that have the TCP SYN flag
	   set and the ACK flag	cleared.  It is	very important that this rule
	   not interfere with previously established TCP connections, since
	   asmtpd uses this to block new connections when the per-IP-address
	   limit has been reached.

	   The program will be run three different ways:

	   prog	clear
	   prog	add IP-addr
	   prog	del IP-addr

	   The clear command should cause all previously filtered IP addresses
	   to be re-enabled.  The add command says to add the particular IP
	   address to the list of filtered addresses.  del says	to remove an
	   IP address from the list of addresses.

	   Since the details of	how to filter IP packets depend	entirely on
	   the particular operating system and firewall	software being run,
	   this	task is	best handled by	a shell	script written by the system
	   administrator.  An example script for use with OpenBSD's pf packet
	   filter can be found in /usr/local/share/avenger/  An
	   example for use with	Linux's	iptables firewall can be found in

       MaxMsgsPerIP msgs-per-hour [msgs-max]
	   Specifies the maximum rate at which asmtpd will allow successful
	   SMTP	RCPT commands from a particular	IP address.  After this	limit
	   is reached, further RCPT commands will be rejected with a temporary
	   SMTP	error code saying too much load.  msgs-per-hour	is the number
	   of RCPT commands per	hour.  msgs-max	is the hard limit after	which
	   further RCPTs are refused.  msgs-max, if not	specified, defaults to
	   the same value as msgs-per-hour.  However, it can be	set to a
	   greater value to accept bursts of traffic.

       MaxErrorsPerIP msgs-per-hour [msgs-max]
	   Similar to MaxMsgsPerIP, except this	parameter specifies the
	   maximum rate	at which clients from a	particular IP address can
	   issue SMTP commands that return errors.  If a client	is issuing too
	   many	commands that cause errors (as can often happen	with spambots
	   that	don't check the	results	of commands, or	that relay spam
	   through HTTP	proxies), asmtpd will temporarily filter new
	   connections from that client	if SMTPFilter has been specified.
	   Otherwise, it will immediately shutdown any incoming	new TCP
	   connections from the	client with a temporary	SMTP error code.

       MaxMsgsPerUser msgs-per-hour [msgs-max]
	   Specifies the maximum rate at which asmtpd will allow successful
	   SMTP	RCPT commands from a particular	authenticated user.  The name
	   used	for the	check is either	the username from SASL authentication,
	   or the common name of the client certificate	with SSL
	   authentication.  With this feature, you can prevent people who have
	   legitimate relay privileges from sending bulk mail, as might	happen
	   if a	spammer	somehow	stole a	SASL password.

       MaxRcpts	val
	   Specifies the maximum number	of recipients on a single message.
	   Once	this number is reached,	asmtpd rejects further recipients with
	   a temporary SMTP error code,	causing	the sender to send a separate
	   copy	of the message to the remaining	recipients.  The default value
	   is 5.  (Note	that this limit	does not apply to trusted clients.)

       MaxRelayRcpts val
	   If val is greater than the number of	recipients specified for
	   MaxRcpts, then this specifies a higher limit	on the number of
	   recipients when recipients are accepted by the relay	script.

       MaxMsgSize bytes
	   The largest mail message asmtpd should accept.  The default value
	   is 104,857,600 (100 MBytes).

       SMTPTimeout seconds
	   Determines how long asmtpd will keep	an open	connection from	a
	   client while	awaiting an SMTP command.

       DataTimeout seconds
	   Determines how long asmtpd will keep	an idle	connection from	a
	   client open while waiting for mail message contents (after the SMTP
	   DATA	command).  It is advisable to set a reasonable DataTimeout
	   even	if SMTPTimeout is short, so as not to force a client behind an
	   unreliable network connection to keep having	to start over.

       SMTPCB [0|1|2]
	   If set to 2 (the default), asmtpd will attempt to verify the	sender
	   address of mail messages by going through the initial steps of
	   sending back	a bounce message, a technique known as an "SMTP
	   callback."  If the mail cannot get through, the SENDER_BOUNCERES
	   environment variable	will contain an	SMTP error code, and
	   MAIL_ERROR will be set to reject the	mail by	default.  The next
	   several parameters (ClientTimeout, VrfyDelay, VrfyCacheTime,	and
	   MaxRevClients) control the behavior of SMTP callbacks.

	   If SMTPCB is	set to 0, SMTP callbacks are entirely disabled.	 If it
	   is set to 1,	then asmtpd still performs callbacks and sets the
	   SENDER_BOUNCERES environment	variable, but does not set MAIL_ERROR
	   or reject mail by default if	the callback fails.

       ClientTimeout seconds
	   Specifies the SMTP timeout for asmtpd when it acts as an SMTP
	   client, probing remote servers to check the validity	of the sender
	   address on incoming mail messages.  The default value is 300.

       VrfyDelay seconds
	   When	probing	a remote SMTP server to	validate an email address,
	   asmtpd will keep the	TCP connection open at least this long (after
	   sending an HELO/EHLO	command) before	probing	the address.  The idea
	   is to make bulk mailing harder by preventing	remote servers from
	   validating more than	a few thousand (or a few tens of thousands of)
	   email addresses per second.	The default value for seconds is 2.

       VrfyCacheTime seconds
	   If asmtpd probes a remote server and	discovers that it cannot send
	   bounce messages to an address, it caches the	result for this	amount
	   of time.  If	someone	is mailbombing an asmtpd server	from a forged
	   address, this option	prevents asmtpd	from initiating	too many
	   connections to the forgery victim's mail server.  (Of course, if
	   the victim publishes	an SPF record, asmtpd will never contact the
	   server and this is not an issue.)  The default vaule	for seconds is

       MaxRevClients val
	   The number of idle reverse SMTP connections (to remote SMTP
	   servers) to cache when not in use.  These connections are used to
	   validate sending addresses of received mail.	 This number is

       IdentTimeout seconds
	   The number of seconds to wait for the client	to respond to an
	   RFC1413 ident lookup.  The default is 15.

       SynFp [0|1]
	   If set to 0,	disables the collection	of SYN fingerprint
	   information,	which asmtpd ordinarily	includes in headers of mail
	   messages and	in the CLIENT_SYNFP environment	variable of avenger
	   processes.  The default value is 1.

       SynFpWait msec
	   Sets	the number of milliseconds after accepting a TCP connection
	   that	asmtpd should wait to receive the full SYN packet from the
	   packet filter (bpf) device.	If the time is exceeded, no SYN
	   fingerprint will be recorded	for the	connection.  The default value
	   is 500.

       SynFpBuf	count
	   Sets	the maximum number of SYN fingerprints to keep around while
	   waiting for the corresponding connections.  The default value is

       SynOsMTU	size
	   Sets	an additional size to try for the network's maximum
	   transmission	unit (MTU) when	guessing the client operating system.
	   If size is set to 0,	asmtpd will only try the value in the TCP MSS
	   option + 40 bytes.  (Otherwise, when	size is	non-zero, asmtpd tries
	   both	MSS + 40 and size.)  The default for size is 1500.

       NetPath [0|1]
	   If set to 0,	disables the collection	of IP "traceroute"
	   information,	which is normally included in the headers of mail
	   messages and	in the CLIENT_NETPATH environment variable of avenger
	   processes.  The default value is 1.

       TrustedNet IP-addr/len
	   If the first	len bits of a client's IP address match	IP-addr, the
	   client will be considered trusted.  Trusted clients can relay mail
	   through asmtpd to arbitrary addresses, and do not undergo any
	   checks or processing	by any avenger scripts.	 This option can be
	   given multiple times	to list	multiple networks.

       TrustedDomain domain
	   If a	client's verified DNS name is domain or	ends .domain, the
	   client will be considered trusted, and as described above will be
	   allowed to relay mail unchecked.  This option can be	given multiple
	   times to list multiple domains.

       SASL [0|1|2]
	   This	option only exists if asmtpd has been compiled with SASL
	   support (via	the --enable-sasl option to "configure").  If set to 0
	   (the	default), the AUTH SMTP	verb is	disabled, and asmtpd performs
	   no SASL authentication.  If set to 1, asmtpd	performs SASL
	   authentication when requested by clients, but does not inherently
	   trust SASL-authenticated users.  You	must check the AUTH_USER
	   environment variable	in the system-wide relay script	and explicitly
	   permit users	to relay mail.

	   If SASL is set to 2,	then clients that have authenticated via SASL
	   can relay mail just like TrustedNet and TrustedDomain machines--no
	   further scripts are run.  However, the authenticated	user name is
	   still recorded in the Received: header to track abuse, and
	   MaxMsgsPerUser is still enforced to prevent bulk mailing.  2	is a
	   reasonable value for	ordinary usage,	since users without permission
	   to relay mail have no reason	to be listed in	the SASL database

	   For more information	on SASL, see the SASL home page	at

       InsecureSASL [0|1]
	   When	set to 0, which	is the default,	plaintext SASL authentication
	   is disabled unless the connection is	encrypted with SSL.  If	set to
	   1, plaintext	authentication is allowed even over unencrypted
	   connections,	which is insecure.

       MxLocalRcpt [0|1]
	   If set to 1,	asmtpd will accept mail	for user@host even if host
	   does	not appear in DomainFile, as long as the local server's	IP
	   address corresponds to one of the DNS MX records for	host.
	   Decisions about accepting mail will be made by the policies in the
	   file	secondary in EtcDir.

       AvengerUser username
	   Specifies the user in the password file whose identity asmtpd
	   should assume when running system-wide default rules, as well as
	   the mail injection program specified	by Sendmail.  The default
	   value is "avenger".	Note that for efficiency, asmtpd will cache
	   the user and	group IDs of this user.	 If for	instance, you change
	   the AvengerUser's group membership, you will	have to	send asmtpd a
	   SIGHUP signal (or restart it).

       Sendmail	program	[arg ...]
	   Specifies the program to run	to inject new mail messages into the
	   system.  The	default	value is:

	       sendmail	-oi -os	-oee

	   Whatever arguments you give,	asmtpd will additionally supply	the
	   sender and recipient(s) by appending	the following options:

	       -f sender -- recipient-1	[recipient-2 ...]

	   The -oee flag tells sendmail	always to exit cleanly even if it
	   generated a bounce message.	Without	it, sometimes sendmail
	   generates a bounce for a message and	exits with an error code,
	   which would cause asmtpd to generate	an error despite the fact that
	   the message has already been	bounced.  This results in multiple
	   bounces for the same	message.

	   Note	that some sendmail replacements	(including Exim) do not
	   support the -oee flag.  However, these systems typically behave
	   correctly even without the -oee flag, meaning their sendmail
	   programs exit cleanly if and	only if	the sender no longer needs to
	   worry about the message.  If	your sendmail executable rejects the
	   argument -oee, try using -oem instead.

       EmptySender sender
	   In some old versions	of sendmail, running

	       sendmail	-f ''

	   (where '' is	a zero-length argument)	does not produce an empty
	   envelope sender, as should happen for bounces.  EmptySender lets
	   you specify an alternate sender to use for the empty	envelope
	   sender.  Try	using the single-character string "@"--that seems to
	   produce the desired envelope	sender (which turns into MAILER-
	   DAEMON) with	both old and new versions of sendmail, though it is
	   not necessarily compatible with other MTAs.

       SendmailPriv [0|1]
	   By default, asmtpd drops privilege to run Sendmail as AvengerUser.
	   If, however,	you specify SendmailPriv 1, asmtpd will	instead	run
	   Sendmail as root.  One possible use of this,	for users of the
	   sendmail MTA, is to invoke sendmail with the	-Am flag, which
	   requires root privileges but	bypasses an extra level	of queuing.
	   (Note that with newer versions of sendmail, if you do not run
	   sendmail as a daemon	on address, you will have to
	   configure asmtpd to use the -Am flag.)

       SendmailFromLine	[0|1]
	   If you set this value to 1, the message fed to the Sendmail program
	   will	start with a UNIX mailbox style	"From "	line (which is not
	   actually part of the	message	header).  The default value is 0.

       AliasFile path
	   Specifies the path of the user-mapping file,	which by default is
	   the file aliases in the directory specified by EtcDir.  Each	line
	   of this file	is of the form:

	       prefix: replacement

	   Before deciding which user's	rules to process for a particular mail
	   message, the	local part of the email	address	is transformed based
	   on the aliases file.	 An address of prefix is replaced by the
	   replacement.	 In addition, if the Separator character has been
	   defined, then if an address begins with prefix followed immediately
	   by the separator character, replacement is also substituted.	 If
	   the alias file contains multiple matching prefixes, the longest one
	   is chosen.  Alias substitution continues recursively	unless a loop
	   is detected or the recursion	reaches	a depth	of 20.

	   Note:  It is	important to emphasize that the	aliases	mechanism only
	   governs which user checks the validity of a particular piece	of
	   mail.  It does not affect where the mail is eventually delivered,
	   should the resulting	rules accept the mail.

       DomainFile path
	   Specifies the path of the domain-mapping file, which	by default is
	   the file domains in the directory specified by EtcDir.  This	file
	   allows one to map responsibility for	all users in a domain onto a
	   particular local user.  Each	line of	the file must have one of the
	   following forms:

	       domain: user
	       domain: userSEPARATOR

	   In the first	case, when receiving mail for local@domain, the	local
	   part	local is simply	taken as is and	treated	as a local username
	   (with the first separator character and anything following
	   removed).  In the second case, the mail is checked by user instead.
	   In the third	case, SEPARATOR	is the separator character, which must
	   have	been declared with a Separator directive.  Here, user and the
	   separator character are pre-pended to local.	 For instance, if
	   SEPARATOR is	-, the mail would be checked by	user-local.  In	all
	   cases, the result of	the mapping is subject to alias	substitution
	   as described	for AliasFile.

	   Note:  As with AliasFile, the domain	mechanism only governs which
	   user	checks the validity of a particular piece of mail.  It does
	   not affect where the	mail is	eventually delivered, should the
	   resulting rules accept the mail.

       Env var[=value]
	   Specifies an	environment variable to	supply when running avenger.
	   Ordinarily, avenger is run with a clean environment,	with only a
	   few variables such as PATH passed through.  If the Env directive
	   specifies a value, the environment variable will be be set to this
	   value.  If =value is	omitted, asmtpd	will pass through the value of
	   the environment variable it inherits, or leave the variable unset
	   if it is not	set in the environment in which	asmtpd is run.

       AvengerMaxPerUser val
	   Specifies how many concurrent avenger processes to launch for a
	   particular user.  If	a particular user already has this many
	   avenger processes running, and another SMTP client issues an	RCPT
	   command that	resolves to the	same local user	(or another local user
	   with	the same numeric UID), then asmtpd will	wait for one of	the
	   existing avenger processes to exit before launching a new avenger
	   to evaluate the new RCPT command.  The default for val is 5.	 This
	   limit does not apply	to the system-wide unknown, default, and relay
	   files processed under the AvengerUser UID.  (Note that bodytests
	   run for a particular	user are also included in that user's count of
	   avenger processes.)

       AvengerTimeout seconds
	   Specifies a timeout value after which asmtpd	will attempt to	kill
	   an avenger process, in case the process has somehow gotten stuck.
	   asmtpd does this, before launching avenger, by setting an alarm for
	   the process.	 The default for seconds is 600.

       NoCheck user[<@>host]
	   Specifies that asmtpd's internal checks for email validity should
	   be bypassed for email to a particular email address.	 If host is
	   not specified, then this applies to user at any acceptable local
	   host	(asmtpd	still will not allow relaying, of course).  It is a
	   good	idea to	enable this for	usernames specified in RFC 2142, such
	   as postmaster and abuse.

       RBL [-i]	[-p] [-f] -s score domain
	   Checks real-time blackhole list domain.  If -i is present, looks up
	   the client's	IP address reversed (i.e., for client, this
	   will	match when DNS name exists).  If	-p is present,
	   the name of the client (as specified	by a verified PTR DNS record)
	   will	be looked up.  If -f is	present, the hostname from the
	   envelope sender (the	address	in the SMTP MAIL) command will be
	   looked up (i.e., mail from user@host	matches	if host.domain
	   exists).  If	none of	-i, -p,	or -f is specified, -i is assumed by

	   score is an integer (which can be negative).	 The scores of all
	   matching RBLs are added together, and a message is rejected if the
	   total is greater than or equal to 100.

       UserMail	[0|1]
	   If set to 0,	asmtpd will not	chack mail* files in users' .avenger
	   directories,	but will always	use the	system-wide relay file (and
	   secondary file) to decide whether to	relay mail.  The default value
	   is 0.

       UserRcpt	[0|1]
	   If set to 0,	asmtpd will not	chack rcpt* files in users' .avenger
	   directories,	but will always	use the	system-wide default file.  The
	   default value is 1.

       AllowPercent [0|1]
	   If set to 0 (the default), asmtpd will reject any email whose local
	   part	contains a "%" character.  This	is because many	MTAs will
	   relay mail for users	of the form user%host1@host2 to	user@host1.
	   While of course it is possible to reject such messages with the
	   /etc/avenger/unknown	file, it is easy to forget to do so.  Failing
	   to do so can	get your site listed in	various	spam source lists,
	   which will have some	serious	consequences.  For that	reason,
	   AllowPercent	is 0 by	default.  Set it to 1 if you really do want
	   mail	for users with "%" characters.

       AllowDNSFail [0|1|2]
	   Upon	accepting a connection from a client, asmtpd attempts to
	   resolve the client's	IP address to a	hostname.  If a	temporary DNS
	   error occurs	and AllowDNSFail is set	to 0 (the default), asmtpd
	   will	reject the connection immediately.  If AllowDNSFail is set to
	   1, however, then asmtpd will	accept the connection and continue.
	   However, in this case that the CLIENT_DNSFAIL environment variable
	   will	be set to an error message, and	mail will still	be rejected by
	   default unless an rcpt script explicitly calls accept.  If
	   AllowDNSFail	is set to 2, then CLIENT_DNSFAIL will still be set,
	   but by default mail will be accepted	unless explicitly rejected.

	   Note	that this option has no	effect on IP addresses that don't
	   resolve to a	domain name (e.g., where a lookup of the
	   domain returns an empty result or the NXDOMAIN error).

       SSL [0|1|2]
	   This	and the	following options are supported	if Mail	Avenger	has
	   been	compiled with support for the STARTTLS command (using the
	   --enable-ssl	option to "configure").	 If SSL	is set to 0, then the
	   STARTTLS command will be disabled.

	   If SSL is set to 1 (the default), then STARTTLS will	be enabled
	   profiled the	private	key and	certificate files can be found.
	   (Since these	files will not exist by	default, STARTTLS is still
	   disabled by default.)  Relaying based on client certificates	can be
	   enabled by checking the SSL_ISSUER and SSL_SUBJECT environment
	   variables in	the relay script.

	   If SSL is set to 2, then authentication with	any valid client
	   certificate will allow mail relaying	with no	further	checks.	 This
	   value makes sense only if your organization runs a private
	   certificate authority and you only place your local CA key in the
	   SSLCAcert file, as otherwise	you will have no control over who can
	   relay mail through your machine.

       SSLCAcert path
	   SSLCAcert specifies the certificate authorities allowed to sign
	   client certificates.	 path must be a	file containing	one or more
	   trusted CA certificates in PEM format.  If <path> is	not an
	   absolute path name, asmtpd will look	for the	file in	EtcDir.	 The
	   default path	is cacert.pem.

       SSLCRL path
	   If SSL is in	use, path specifies a PEM-format certificate
	   revocation list.  The default value is crl.pem.

       SSLkey path
	   If SSL is in	use, path specifies a PEM-format file containing the
	   server's private key.  If the file is not present, the STARTTLS
	   command will	be disabled.  The default path is privkey.pem.

       SSLcert path
	   If SSL is in	use, path specifies a PEM-format file containing a
	   certificate for the public key corresponding	to private key SSLkey.
	   If the file is not present, the STARTTLS command will be disabled.
	   The default path is cert.pem.

       SSLciphers string
	   string specifies the	preference for ciphers with SSL.  For example,
	   to allow all	ciphers	except anonymous Diffie-Hellman, low key
	   sizes, exportable ciphers, and MD%-based MAC, and to	sort ciphers
	   by strength,	you might use the following string>:


	   By default, asmtpd just uses	the OpenSSL library's default cipher

       SPFfail [SPF-rule ...]
	   SPF (Sender Policy Framework) is a mechanism	to prevent forgery of
	   email sender	addresses.  (More information is available at
	   <> and in the	forthcoming RFC	4408.)	asmtpd
	   always runs SPF checks on incoming email.  An SPF check returns one
	   of seven possible results:  none, neutral, pass, fail, softfail,
	   error, or unknown.  asmtpd will reject mail if the result is	fail
	   (and	defer mail if the result is error).

	   The SPFfail directive provides a second chance to mail that would
	   otherwise resolve to	fail.  If SPF rules are	provided with this
	   directive, and the SPF check	on a message resolves to fail, then
	   asmtpd will re-evaluate the message with the	rules from the SPFfail
	   directive.  If the SPFfail rules evaluate to	none, neutral, or
	   unknown, then the original fail result will remain.	Otherwise, the
	   result of the SPFfail rules overrides the fail result.

	   This	directive can be used to work-around the problem of sites,
	   such	as, that forge email,	but do not actually send spam. maintains a white-list	of such	sites, and it
	   is highly recommended that you use this whitelist until SPF is more
	   widely deployed.  To	do so, you can use the configuration line:


       SPFnone [SPF-rule ...]
	   This	directive is similar to	SPFfail, but supplies additional SPF
	   rules to be run in the event	that the SPF result for	a message
	   resolves to none--meaning that the domain from which	the mail comes
	   does	not publish an SPF record.  One	possible use might be the

	       SPFnone a/24 mx/24 ptr

	   This	rule says that if the sending domain does not publish an SPF
	   record, consider its	result to be pass nonetheless as long as the
	   sending host	shares a 24-bit	IP prefix with the address of the
	   domain, or the address of any of the	mail exchangers	(DNS MX
	   records) for	the domain, or if the domain name of the sending
	   machine has the sender domain name as a suffix.

       SPFlocal	[SPF-rule ...]
	   Unlike the previous two rules, which	provide	hooks to run after an
	   SPF result has been determined, SPFlocal supplies SPF rules to be
	   run before even attempting SPF rules	for the	domain.	 If the	local
	   rules return	pass, fail, softfail, or error,	this reult becomes the
	   SPF result for the message.	Otherwise, asmtpd evaluates the
	   appropriate rules for the domain as usual.

	   An example use might	be to reject mail from a real-time black hole
	   list	(RBL), such as spamcop:

	       SPFlocal	-exists:%{ir}

       SPFexp [explanation ...]
	   Provides a default explanation for an SPF failure, if the sender
	   domain does not have	one.  The default is:

	       SPFexp See{S}&ip=%{I}

       SPFHostsFile path
	   This	specifies the pathname of a file that contains "fallback" SPF
	   records for domains that fail to supply SPF records themselves.
	   This	file effectively achieves the same result as SPFNone, but on a
	   per-hostname	basis.	The default path is spfhosts in	the directory
	   specified by	EtcDir (or /etc/avenger	by default).  Each line	of the
	   file	has the	form:

	       domain: SPF-rules

	   domain is the domain	name for which the SPF-rules apply.  If	domain
	   starts with a ".", then the rule matches all	host names with	domain
	   as a	suffix.	 In other words, "" matches
	   "", "", but not "".  Note	that
	   if a	domain publishes an SPF	record through DNS, the	record in DNS
	   overrides the record	specified in this file.

	   As an example, suppose Microsoft does not publish an	SPF record in
	   DNS,	but you	happen to know that all	mail from users	at
	   "" comes from machines whose reverse DNS mapping ends
	   either "" or "", or else whose IP addresses
	   share a 16-bit prefix with one of the mail exchangers for
	   "".  You might place the following line	in your
	   spfhosts file: ptr mx/16 ~all

	   Here	"~all" resorts to softfail when	the sender does	not match,
	   which tags the message but does not reject it.  Use "-all" to
	   reject the mail outright.  Note that	if Microsoft ever starts
	   publishing an SPF record in DNS, it will override the above line.

       DebugSMTP [0|1]
	   When	set to 1, causes asmtpd	to log a complete trace	of all SMTP
	   traffic to and from connecting clients.  Produces a large amount of
	   data, but can be useful for debugging.  Each	trace line list	the
	   name	of the connecting client and asmtpd's file descriptor number
	   in parentheses.

       DebugSMTPc [0|1]
	   When	receiving mail,	asmtpd connects	to remote mail servers to
	   ensure the envelope sender addresses	of incoming messages are valid
	   email addresses, and	in particular that they	can receive bounces.
	   When	DebugSMTPc is set to 1,	all outgoing SMTP connection traffic
	   from	SMTPc is logged.  The output format is similar to DebugSMTP,
	   but file descriptor numbers are prefixed with "R" to	indicate this
	   is a	reverse	connection.

       DebugAvenger [0|1]
	   Prints a trace of input and output to all avenger processes run.
	   The name also has a file descriptor number prefixed with "a"	for

	   default location of file

	   default for EtcDir, location	of other configuration files

       aliases,	domains, spfhosts
	   see the descriptions	of AliasFile, DomainFile, and SPFHostsFile

       unknown,	default, secondary, relay
	   avenger rules to be run by the AvengerUser under different
	   circumstances; see the description of EtcDir	above, and the manual
	   page	for avenger(1)

	   File	containing the process ID of a running asmtpd process.	You
	   must	send this process a SIGHUP signal for it to re-read the
	   asmtpd.conf file.

	   Example configuration files.

	   Example scripts for the SMTPFilter directive.

       asmtpd(8), avenger(1)

       The Mail	Avenger	home page: <>.

       David Mazieres

Mail Avenger 0.8.5		  2018-10-09			asmtpd.conf(5)


Want to link to this manual page? Use this URL:

home | help