policyd-weight.conf(5)	      File Formats Manual	policyd-weight.conf(5)

NAME
       policyd-weight.conf - policyd-weight configuration parameters

STATUS
       Beta, Documentation incomplete

DESCRIPTION
       policyd-weight uses a perl(1) style configuration file which it reads
       on startup. The cache re-reads the configuration after
       $MAINTENANCE_LEVEL (default: 5) queries. If -f is not specified, it
       searches for configuration files in the following locations:

	/etc/policyd-weight.conf
	/usr/local/etc/policyd-weight.conf
	./policyd-weight.conf

CACHE SETTINGS
       $CACHESIZE (default: 2000)
	      Set the minimum size of the SPAM cache.

       $CACHEMAXSIZE (default: 4000)
	      Set the maximum size of the SPAM cache.

       $CACHEREJECTMSG
              (default: 550 temporarily blocked because of previous errors)

              Set the SMTP status code and an explanatory message for rejected
              mails due to cached results.

       $NTTL (default: 1)
	      The client is penalized for that many retries.

       $NTIME (default:	30)
	      The  $NTTL  counter will only be decremented if the client waits
	      at least $NTIME seconds.

       $POSCACHESIZE (default: 1000)
	      Set the minimum size of the HAM cache.

       $POSCACHEMAXSIZE	(default: 2000)
	      Set the maximum size of the HAM cache.

       $PTTL (default: 60)
              After that many queries the HAM entry must pass one run through
              the RBL checks again.

       $PTIME (default: 3h)
              After $PTIME in the HAM cache the client must pass the RBL
              checks once again. Values must not be fractional. Accepted
              time-units: s(econds), m(inutes), h(ours), d(ays)

       $TEMP_PTIME (default: 1d)
              The client must keep passing the RBL checks for this long in
              order to be listed as hard-HAM. After this time the client will
              pass immediately for PTTL queries within PTIME. Values must not
              be fractional. Accepted time-units: s(econds), m(inutes),
              h(ours), d(ays)

DEBUG SETTINGS
       $DEBUG (default:	0)
	      Turn debugging on	(1) or off (0)

DNS SETTINGS
       $DNS_RETRIES (default: 2)
	      How many times a single DNS query	may be repeated

       $DNS_RETRY_IVAL (default: 2)
              Retry a query that got no response after that many seconds

       $MAXDNSERR (default: 3)
              If that many queries fail, the mail is accepted with
              $MAXDNSERRMSG.
              In terms of total DNS queries this means: $MAXDNSERR *
              $DNS_RETRIES

MISC SETTINGS
       $MAINTENANCE_LEVEL (default: 5)
              After that many policy requests the cache (and in daemon mode
              the children) checks for configuration file changes

       $MAXIDLECACHE (default: 60)
              After that many seconds of being idle the cache checks for
              configuration file changes.

       $PIDFILE	(default: /var/run/policyd-weight.pid)
	      Path and filename	to store the master pid	(daemon	mode)

       $LOCKPATH (default: /var/run/policyd-weight/)
              Directory where policyd-weight stores sockets and lock-files/
              directories. Its argument must contain a trailing slash.

       $SPATH (default:	$LOCKPATH.'/polw.sock')
	      Path and filename	which the cache	has to use for communication.

       $TCP_PORT (default: 12525)
	      TCP port on which	the policy server listens (daemon mode)

       $BIND_ADDRESS (default: '127.0.0.1')
              IP address on which policyd-weight binds. Currently either only
              one or all IPs are supported. Specify 'all' if you want to
              listen on all IPs.

       $SOMAXCONN (default: 1024)
	      Maximum connections which	policyd-weight accepts.	 This  is  set
	      high enough to cover most	scenarios.

       $USER (default: polw)
	      Set the user under which policyd-weight runs

       $GROUP (default:	$USER)
	      Set the group under which	policyd-weight runs

OUTPUT AND LOG SETTINGS
       $ADD_X_HEADER (default: 1)
              Insert an X-policyd-weight: header with evaluation messages.
              1 = on, 0 = off

       $LOG_BAD_RBL_ONLY (default: 1)
              Only include an RBL's result in the logging string if its score
              changes the overall score. Thus RBLs with a GOOD SCORE of 0 do
              not appear in logging strings if the RBL returned no BAD hit.
              1 = on, 0 = off

       $MAXDNSBLMSG (default: 550 Your MTA is listed in too many DNSBLs)
              The message sent to the client if it was rejected due to
              $MAXDNSBLHITS and/or $MAXDNSBLSCORE.

       $REJECTMSG (default: 550 Mail appeared to be SPAM or forged. Ask your
       Mail/DNS-Administrator to correct HELO and DNS MX settings or to get
       removed from DNSBLs)

              Set the SMTP status code for rejected mails and a message why
              the action was taken.

RESOURCE AND OPTIMIZATIONS
       $CHILDIDLE (default: 120)
	      How  many	 seconds  a  child  may	be idle	before it dies (daemon
	      mode)

       $MAX_PROC (default: 50)
	      Process limit on how many	processes  policyd-weight  will	 spawn
	      (daemon mode)

       $MIN_PROC (default: 2)
              Minimum number of children kept alive in idle times (daemon
              mode)

       $PUDP (default: 0)
	      Set  persistent  UDP  connections	used for DNS queries on	(1) or
	      off (0).

SCORE SETTINGS
       Positive	values indicate	a bad (SPAM) score, negative values indicate a
       good (HAM) score.

       @bogus_mx_score (2.1, 0)
              If the sender domain has neither MX nor A records, or these
              records resolve to a bogus IP address (for instance private
              networks), then this check assigns the full score of
              bogus_mx_score. If there is no MX but an A record of the sender
              domain then it receives a penalty only if DNSBL-listed.

	      Log Entries:

	      BOGUS_MX
	       The sender A and	MX records are bogus or	empty.

	      BAD_MX
	       The  sender  domain  has	 an  empty  or bogus MX	record and the
	       client is DNSBL listed.

	      Related RFCs:

	      [1918] Address Allocation	for Private Internets
	      [2821] Simple Mail Transfer Protocol (Sect 3.6 and Sect 5)

       @client_ip_eq_helo_score (1.5, -1.25)
              Define scores for the match of the reverse record (hostname)
              against the HELO argument. Reverse lookups are done if the
              forward lookups failed and are not trusted.

	      Log Entries:

              REV_IP_EQ_HELO
               The Client's PTR matched the HELO argument.

              REV_IP_EQ_HELO_DOMAIN
               Domain portions of Client PTR and HELO argument matched.

              RESOLVED_IP_IS_NOT_HELO
               Client PTRs found but did not match HELO argument.

       @helo_score (1.5, -2)
	      Define scores for	the match of the Client	IP and its /24	subnet
	      against  the A records of	HELO or	MAIL FROM domain/host. It also
	      holds the	bad score for MX verifications.

	      Log Entries:

	      CL_IP_EQ_HELO_NUMERIC
	       Client IP matches the [IPv4] HELO.

              CL_IP_EQ_FROM_IP
               Client IP matches the A record of the MAIL FROM sender
               domain/host.

              CL_IP_EQ_HELO_IP
               Client IP matches the A record of the HELO argument.

              CL_IP_NE_HELO
               The IP and the /24 subnet did not match A/MX records of HELO
               and MAIL FROM arguments and their subdomains.

       @helo_from_mx_eq_ip_score (1.5, -3.1)
              Define scores for the match of Client IP against MX records.
              Positive (SPAM) values are used in case the MAIL FROM does not
              match the HELO argument AND the client seems to be dynamic AND
              the client is no MX for HELO and MAIL FROM arguments. The total
              DNSBL score is added to its bad score.

	      Log Entries:

	      CL_IP_EQ_FROM_MX
	       Client IP  matches  the MAIL FROM domain/host MX	record

	      CL_IP_EQ_HELO_MX
	       Client IP matches the HELO domain/host MX record

	      CLIENT_NOT_MX/A_FROM_DOMAIN
	       Client is not a verified	 HELO and doesn't match	 A/MX  records
	       of MAIL FROM argument

	      CLIENT/24_NOT_MX/A_FROM_DOMAIN
	       Client's	 subnet	does  not  match A/MX records of the MAIL FROM
	       argument

       $dnsbl_checks_only (default: 0)
              Disable HELO/RHSBL verifications and the like; do RBL checks
              only.
              1 = on, 0 = off

       @dnsbl_score (default: see below)
              A list of RBLs to be checked. If you want a host not to be
              evaluated any further when it is listed on several lists or on
              a very trustworthy list, you can trigger an immediate REJECT
              with $MAXDNSBLHITS and/or $MAXDNSBLSCORE. A list of RBLs must be
              built as follows:

	      @dnsbl_score = (
		  RBLHOST1,   HIT SCORE,  MISS SCORE,	  LOG NAME,
		  RBLHOST2,   HIT SCORE,  MISS SCORE,	  LOG NAME,
		  ...
	      );
	      The default is:

	      @dnsbl_score = (
		  "pbl.spamhaus.org",	  3.25,	  0,	  "DYN_PBL_SPAMHAUS",
		  "sbl-xbl.spamhaus.org", 4.35,	  -1.5,	  "SBL_XBL_SPAMHAUS",
		  "bl.spamcop.net",	  1.75,	  -1.5,	  "SPAMCOP",
		  "ix.dnsbl.manitu.net",  4.35,	  0,	  "IX_MANITU"
	      );

       @rhsbl_score (default: see below)
              Define a list of RHSBL hosts which are queried for the sender
              domain. Results additionally get scores of 0.5 * DNSBL results
              and @rhsbl_penalty_score. A list of RHSBL hosts to be queried
              must be built as follows:

	      @rhsbl_score = (
		  RHSBLHOST1,  HIT SCORE,  MISS	SCORE,	   LOG NAME,
		  RHSBLHOST2,  HIT SCORE,  MISS	SCORE,	   LOG NAME,
		  ...
	      );
	      The default is:

	      @rhsbl_score = (
		  'multi.surbl.org',	   4,	 0,	   'SURBL'
	      );

       @rhsbl_penalty_score (3.1, 0)
              This score will be added to each RHSBL hit if the following
              criteria are met:

                  Sender has a random local-part (i.e. yztrzgb@example.tld)

               or MX records of sender domain are bogus

               or FROM does not match HELO

               or HELO is untrusted (forward record matched, reverse record
                  did not match)

       $MAXDNSBLHITS (default: 2)
	      If  the client is	listed in more than $MAXDNSBLHITS RBLs it will
	      be rejected immediately with $MAXDNSBLMSG	 and  without  further
	      evaluation. Results are cached by	default.

       $MAXDNSBLSCORE (default:	8)
	      If  the  BAD  SCOREs  of	@dnsbl_score listed RBLs reach a level
	      greater than $MAXDNSBLSCORE the client will be rejected  immedi-
	      ately  with $MAXDNSBLMSG and without further evaluation. Results
	      are cached by default.

       $REJECTLEVEL (default: 1)
              Score results equal to or greater than this level will be
              rejected with $REJECTMSG.

SEE ALSO
       policyd-weight(8), Policyd-weight daemon
       perl(1),	Practical Extraction and Report	Language
       perlsyn(1), Perl	syntax
       access(5), Postfix SMTP access control table

LICENSE
       GNU General Public License

AUTHOR
       Robert Felber <r.felber@selling-it.de>
       PC & IT Services	Selling-IT
       85560, Ebersberg

				Aug 25th, 2006		policyd-weight.conf(5)
