Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
smtp-gated.conf(1)	    General Commands Manual	    smtp-gated.conf(1)

NAME
       smtp-gated.conf - The smtp-gated	configuration file.

VERSION
       This manual describes smtp-gated	v. 1.4.20.0

DESCRIPTION
       This file defines configuration to be used by daemon.

       Options	are placed one per line, and consists of option	name, followed
       by number or spaces or tabs, and	option value. Empty lines,  and	 lines
       starting	with # or ; (hash or semicolon)	are ignored.

       Tags in square brackets,	show additional	information for	each variable.
       See EXPLANATION later in	this manual.

MAIN OPTIONS
       proxy_name STRING
	      Name that	appears	on communicates	generated by  daemon  (usually
	      errors,  or session blocking). Use asterisk '*' to use host name
	      as proxy_name.

       bind_address IP [RESTART]
	      Defines IP the daemon listes on.

       port PORT [RESTART]
	      Defines listening	TCP port.

       outgoing_addr IP
	      Defines IP for outgoing SMTP connections (this appears as	source
	      on MSA servers).	This option has	been renamed from source_addr.

       pidfile FILE [RESTART]
	      Defines .pid file	path.

       chroot_path PATH	[RESTART]
	      If this setting is defined, daemon chroot()'s to this path after
	      forking. This allows to raise security.

       set_user	USER [RESTART]

       set_group GROUP [RESTART]
	      Daemon changes it	UID/GID	to the one defined  for	 username  and
	      groupname.  This	setting	 does  not allow to specify UID/GID as
	      numbers yet. Do NOT run proxy as root, as	this will break	 lock-
	      ing.

       priority	INT [RESTART]
	      Daemon  changes  it's  priority  when  it's defined. 0 means "no
	      change". Values as in setpriority(2).

       connect_queue INT
	      Defines listen(2)	backlog.

       enfile_sleep UINT
	      Sleep time in case ENFILE	error occured.

       on_takeover_cmds	UINT
	      Limit for	commands issued	by MUA after session takeover.

       buffer_size UINT
	      Defines buffer size (in bytes) to	track SMTP sessions. Should be
	      above 1500.

       pipeline_size UINT
	      Queue size for SMTP PIPELINING extension.

       pid_hash_size UINT

       host_hash_size UINT
	      Controls	hashing	 table size for	PID and	host counters. Usually
	      there is no much sense to	set it higher than max_connections.

RESOURCE CONTROL
       limit_core_size INT
	      Set core dump file size. Helps debugging unexpected problems  :)
	      "-1"  means  to leave system default setting. "0"	turns off core
	      dump completely. If this can not be changed at runtime,  process
	      does not terminate, logging error	instead.

       limit_virt_size INT

       limit_data_size INT

       limit_fsize INT
	      Three   above   correspond   to	RLIMIT_AS,   RLIMIT_DATA   and
	      RLIMIT_FSIZE in setrlimit(3). You	should set this	to higher val-
	      ues  if  you  are	 getting "Not enought memory" errors (this can
	      also happen upon memory leak).

	      Keep in mind, that all resource limits are  inherited  by	 child
	      process, including action	scripts.

MODE
       Mode  defined method, to	discover destination IP	addres to forward con-
       nection to. It differs obviously	on different platforms,	but there  are
       couple of common	modes, platform	independent.

       mode	     fixed|fixed+xclient|remote|remote-udp|getsockname|netfil-
       ter|tproxy|tproxy,netfilter|ipfw|ipfilter|pf [ONE,RESTART]
	      Set operating mode "remote".

	      Supported	modes are printed as USE_NAT with:

	      smtp-gated -V

       In all modes except remote/remote-udp proxy must	be running on the  NAT
       machine	itself	to be able to determine	destination IP.	If you need to
       run proxy on separate machine, it's possible to use policy  routing  to
       reroute	all SMTP traffic through proxy machine.	This machine should be
       running in NAT mode specific to OS (netfilter/ipfw/ipfilter/pf/getsock-
       name/tproxy), and act as	"router" for SMTP traffic only.

       If  you	use  Linux  on your router, then it's possible to run proxy on
       other machine (not necessarily Linux), if you run proxy-helper  on  the
       router (see http://software.klolik.org for details).

       Special mode tproxy,netfilter is	runtime	conditional. It	is changed for
       every  new  connection  to  netfilter  for  private  IPs	  (10.0.0.0/8,
       172.16.0.0/12,  192.168.0.0/16,	169.254.0.0/16),  and  to  tproxy  for
       routable	IPs (the rest).

FIXED MODE
       In this mode, all connections are forwarded to one, fixed MSA. This may
       be  used	to filter SMTP traffic just before ISP SMTP server. Use	it, if
       you want	to protect your	SMTP server from outside world.

       fixed_server IP
	      IP of MSA	to connect to.

       fixed_server_port PORT
	      Port to connect to.

FIXED+XCLIENT MODE
       Accepts the same	options	as FIXED MODE.	Uses  XCLIENT  to  impersonate
       client to MSA.  Allows prefiltering for postfix (v2.3 or	later) as (al-
       most) transparent proxy.

REMOTE IDENT MODE / REMOTE-UDP IDENT MODE
       In this mode, daemon is running on dedicated server, serving protection
       for  couple  of	routers.  For each incoming connection,	lookup is per-
       formed on source	 IP,  to  discover  destination	 IP.  REMOTE  requires
       patched	ident  daemon  (not  public yet), and therefore	is useless for
       most users.  REMOTE-UDP uses so called proxy-helper.

       remote_port PORT
	      Port to lookup ident and destination IP.

       remote_udp_retries INT
	      Number of	retries	for UDP	lookup

       remote_udp_secret INT
	      Secret used for simple authentication

GETSOCKNAME MODE
       Last resort -- try it if	your OS	is not supported elsewhere. Should  it
       not run,	you'll receive 'avoiding loop' in your logs.

NETFILTER MODE
       Linux  netfilter	 mode.	All connections	are forwarded to original MSA.
       Netfilter connection tracking is	used for destination IP	 lookup.  This
       mode was	formerly enabled by "use_netfilter" option.

TPROXY MODE
       Linux/netfilter	TPROXY	module	support	 (since	1.4.16.4) for spoofing
       source address. This way	proxy preserves	source IP  of  client  (useful
       for  public  addresses).	Please note, that all port 25 traffic needs to
       flow through the	proxy. It's not	a problem if you install smtp-gated on
       your  "main" Linux router. If you use some external router, you need to
       redirect	the traffic to proxy interface.

       You need	to  have  proper  kernel  header  and  modules	to  enable  it
       (linux/netfilter/xt_TPROXY.h existing probably under /usr/include), and
       depdends	on kernel version. Works for 2.6.32  and  maybe	 earlier.  See
       ./configure summary.

       #  NAT  module  must be loaded iptables -t nat -N placeholder # packets
       for proxy need to be tproxied iptables -t mangle	-N divert iptables  -t
       mangle  -A  divert -j MARK --set-mark 1 iptables	-t mangle -A divert -j
       ACCEPT iptables -t mangle -A PREROUTING -p tcp -m socket	-j divert ipt-
       ables -t	mangle -A PREROUTING -p	tcp --dport 25 -j TPROXY --tproxy-mark
       0x1/0x1 --on-port 9199 #	packets	for tproxy need	to be rerouted ip rule
       add fwmark 1 lookup 100 ip route	add local 0.0.0.0/0 dev	lo table 100

       Please note that	when nf_conntrack_ipv4 module is loaded	on 2.6.32 (and
       maybe on	others), I've seen delay during	connection setup, and  tcpdump
       shows double TCP	SYN+ACK, with only the second being accepted, thus in-
       troducing delay during connection setup.	Connection continues normally.
       It's probably some tproxy code fault.

       Be aware, that if you use external router to redirect only SMTP traffic
       to proxy	host, you have all the	traffic	 seen  twice.  Let's  say  the
       client IP is 1.1.1.1 connects to	MSA 2.2.2.2, and the proxy is 3.3.3.3:
       1. client sends packet from 1.1.1.1 to 2.2.2.2 via router 2. the	packet
       is routed through 3.3.3.3 (having source	and destination	intact)	3. the
       proxy accepts connection, does some internal magic  and	creates	 *new*
       connection  with	 source	 1.1.1.1 and destination 2.2.2.2 4. proxy host
       sends it's own version of packet	from 1.1.1.1 to	2.2.2.2	through	router
       5.  router  should route	the new	packet to the MSA 2.2.2.2 according to
       normal routing table 6. MSA replies through router to  proxy  7.	 proxy
       does the	reverse	magic and replies through router to client

       So, the packet flow is like:

	      client <=1/7=> proxy <=3/6=> MSA

       As  you	can  see  there	 are  two  kind	of packets (client<=>proxy and
       proxy<=>MSA) that seem to be identical. It's your  job,	to  setup  the
       routers policy routing.

IPFW MODE
       FreeBSD	ipfw mode. All connections are forwarded to original MSA. ipfw
       connection tracking is used for destination IP lookup.

IPFILTER MODE
       *BSD Packet filter mode.	All connections	are forwarded to original MSA.
       ipfilter	connection tracking is used for	destionation IP	lookup.

PF MODE
       FreeBSD	PacketFilter  mode.  All connections are forwarded to original
       MSA. pf connection tracking is used for destination  IP	lookup.	 Proxy
       needs to	have proper permissions	to /dev/pf.

STATUS
       statefile FILE
	      Defined file which will contains status.

       statefile_perm OCT
	      Statefile	mode passed to open(2).

       statefile_type human|flat|slots [MULTI]
	      Defined  status  format. Flat is preferred for parsing, human is
	      preferred	to be read by humans :)	By adding "slots" you can  see
	      current slot assignment and statistics for each session.

       Status file is written on SIGUSR1: see smtp-gated(8).

LOCKING
       When virus/SPAM is found, user's	IP or IP+ident can be blocked for cer-
       tain time. After	that time, lock	is removed, and	user is	allowed	to use
       SMTP  again.  Lockfile has name same as IP, or IP "-" IDENT if ident is
       used.

       Administrator can prevent locking some IP (IP+ident), by	creating  cor-
       responding  lock	 file  with owner other	than daemon runs on. This lock
       file is not automatically deleted. Contents is ignored, so  it  can  be
       description, or sth else.

       lock_on	       virus|spam|maxhost|maxident|dnsbl|regex|earlytalk|rate-
       limit|never [MULTI]
	      Set events locking occurs	for. See max_per_host, max_per_ident.

       lock_duration INT [s]
	      Time the lock persists. 0	disables locking, -1 means  lock  for-
	      ever (or:	until manually unlocked).

       lock_path PATH
	      Directory	for lock files.

       lock_perm OCTAL
	      Lock  files permissions as for open(2). Octal value must be pre-
	      ceded by zero.

       NOTE: Lock files	are checked (and eventually removed) for every	incom-
       ing connection. This means that they will exist after expiration, until
       next connection from its	"owner". In particular,	they can be left  for-
       ever,  if  user	won't use SMTP any more. You can use crontab to	remove
       stale locks like	this (though it's not necessary	for proxy  to  funcion
       properly):

	      find  /var/spool/smtp-gated/lock -type f -user smtpgw -mtime +30
	      -exec rm {} \;

ACTION SCRIPT
       Action script is	called when virus or spam is found, and	if  host/ident
       limit is	reached. If locking is used, action_script is called only when
       lock is created (once until unblocked). This makes sure,	that script is
       called only once	for a specified	period (until lock expires). Script is
       obviously called	with proxy UID/GID.

       Despite of actions taken	by script (i.e.	firewall-level user lock), you
       should set lock_duration	high enough (i.e. 15 seconds), to prevent con-
       nection-flood translate to action-flood (scripting is as	 expensive  as
       fork() and shell	expansions).

       If  you	have  strange problems with action scripts (ENOMEM or ENFILE),
       that seem to work well when executed manually, read about resource con-
       trol  above.  This will have impact especially on language interpreters
       like perl.

       action_script FILE
	      Defines path to script called when virus/spam is found.

       All parameters for action_script	are passed via environment variables:

       PROXY_NAME
	      proxy  name  as	defined	  in   proxy_name   in	 config	  file
	      [>=1.4.12-rc7]

       FOUND  contains word "VIRUS" or "SPAM", "MAX_HOST", "MAX_IDENT".

       VIRUS_NAME
	      virus name if virus found.

       SPAM_SCORE
	      spam score if spam found.

       SOURCE_IP
	      source IP.

       SOURCE_PORT
	      source port.

       TARGET_IP
	      target (SMTP server) IP.

       TARGET_PORT
	      target (SMTP server) port.

       LOCAL_IP
	      local (proxy) IP as redirected.

       LOCAL_PORT
	      local (proxy) port as redirected.

       IDENT  source ident [REMOTE].

       IDENT_COUNT
	      connections count	from particular	host+ident [REMOTE].

       HELO   HELO/EHLO	string.

       MAIL_FROM
	      SMTP "MAIL FROM" line, stripped.

       RCPTS_TOTAL
	      total number of mail recipients in session (not transaction).

       SIZE   message size [bytes].

       TRANSACTION
	      transaction number, starting from	1.

       AUTH   authentication  flags  bitmap:  1=supported,  2=accepted,	 4=re-
	      jected; see AUTH_FLAG_* in src/smtp-gated.h

       SPOOL_NAME
	      spool file name.

       LOCK_FILE
	      lock file	name.

       TIME   time of connection start,	human readable text.

       UNIXTIME
	      time of connection start,	unix timestamp.

SPOOLING
       spool_path PATH
	      Directory	for temporary message files.

       spool_perm OCTAL
	      Temporary	files permissions as for open(2). Octal	value must  be
	      preceded by zero.

       spool_leave_on error|spam|virus|never|always [MULTI]
	      Set  events, spool file is left for. If set to "never", spool is
	      always deleted.  If you choose "always"  please  note  that  for
	      multi-transactional session, only	the last mail is saved.	Spools
	      are also removed if they exceed size limit or if	there's	 error
	      during file write	(including but not limited to drive full).

TIMEOUTS
       All timeouts are	specified in seconds.

       timeout_direct UINT
	      Timeout  for  direct proxy session. This type of session is used
	      on TLS connections.

       timeout_lookup UINT [REMOTE]
	      Timeout for lookup.

       timeout_scanner UINT
	      Timeout for antivirus scanner engine.

       timeout_spam UINT
	      Timeout for antispam scanner engine.

       timeout_session UINT
	      Timeout for fake session (when virus/SPAM	is blocked).

       timeout_idle UINT
	      Timeout for idle sessions. Prevents stale	connections.

       timeout_connect UINT
	      Timeout for connecting to	remote MSA.

AUTHENTICATION CONTROL
       Proxy can limit access to MSA,  according  to  SMTP  AUTH  support  and
       state.  For now,	there is no way	to whitelist host or MSA.

       auth_require no|ifsupported|mandatory [ONE]
	      Set authorization	requirements:

	      no	     do	 not  require any authorization, pass all mes-
	      sages.
	      ifsupported	  require authorization	if MSA advertises sup-
	      port for it. If authorization is not advertised, mail is passed.
	      If authorization is advertised, mail is passed  only  if	client
	      has authorized successfully.
	      mandatory	     require authorization for all connections.	It MSA
	      does not support authorization, no mail is passed.

	 Authentication	state is logged	in "CLOSE by=... auth=N", where	 N  is
       bitwise OR for following	values:

	      1		     MSA supports auth (advertised in EHLO response)
	      2		     user authenticated	successfuly
	      4		     user authentication failed	(rejected by MSA)

       auth_skip none|direct|antivir|antispam|dnsbl|regex [MULTI]
	      Skip  checking/scanning  if  session is authenticated. direct is
	      special one: after authentication, session goes to DIRECT	 PROXY
	      mode.  Using  any	 other	option	together with direct obviously
	      makes no sense.  Note that 'auth_skip dnsbl' delays dnsbl	rejec-
	      tion to MAIL FROM	stage (as opposite to connect stage).

LIMITS
       All  sizes  are	specified in bytes.  Loadavg limits can	be disabled by
       specyfing zero, but this	is not recommended.

       max_connections UINT [RESTART]
	      Total maximum connections.

       max_per_host UINT
	      Maximum connections per source IP	(see also: lock_on maxhost).

       max_per_ident UINT [REMOTE]
	      maximum connections per IP+ident (see also: lock_on maxident).

       max_load	FLOAT
	      Reject connections if load is above this setting.

       size_limit UINT
	      Limit maximum message size. 0=disabled (default).

       scan_max_size UINT
	      av-scan messages with size up to this limit.

       spam_max_size INT
	      SPAM-scan	messages with size up to this limit. Should spam scan-
	      ning be turned off, set it to 0 (default).

       spam_max_load FLOAT
	      Don't SPAM-scan messages if load above this setting.

       spam_threshold FLOAT
	      Treat  message  as SPAM if it's score is equal/greater than this
	      value.

MISCELLANOUS
       ignore_errors BOOL
	      Continue when possible even if error occured (i.e. virus scanner
	      failure).

LOGGING
       Daemon logs messages via	syslog,	facility daemon.

       log_helo	BOOL
	      Logs HELO/EHLO issued by client.

       log_mail_from accepted|rejected|base64|off [MULTI]
	      Client MAIL FROM logging options:

		     off       do  not	(log)  accepted	 log if	address	is ac-
		     cepted by MSA rejected  log if address is rejected	by MSA
		     base64	    log	as base64 encoded md5 hash of e-mail

       log_rcpt_to [MULTI]
	      Client RCPT TO logging mask. (see	log_mail_from).

       email_length UINT
	      MAIL FROM/RCPT TO	email length limit (before optional md5	encod-
	      ing).

       log_level debug|info|notice|warning|err|alert|emerg|crit	[ONE,RESTART]
	      Defined log level, as used by syslog(3):

	      crit Emergency messages (highest	priority)  emerg     Critical,
	      requires	intervention  alert	Critical  messages err	Errors
	      warning	Warnings notice	   Normal, but	significiant  messages
	      info Informational messages debug	    Debugging messages (lowest
	      priority)

       log_facility	 user|mail|daemon|auth|news|authpriv|local0|local1|lo-
       cal2|local3|local4|local5|local6|local7 [ONE,RESTART]
	      Defined log facility, as used by syslog(3).

MANGLING
       nat_header
	      Header  injected	into  message stream header (sent to MSA); de-
	      fault is "X-NAT-Received"	[>=1.4.12-rc5]

       nat_header_type none|simple|ip-only ONE,	OLD: (nat_header)
	      Turns  on/off  injecting	X-NAT-Received	headers	 to  messages.
	      [>=1.4.12-rc5]

	      none no (header) ip-only	      include only source IP in	header
	      generic	     generic header (MSA-like)

       spool_header
	      Header injected into message spool header	(not sent to MSA, vis-
	      ible    in    AV-scanner	  and	 AS-scanner),	 default    is
	      "X-Proxy-Spool-Info" [>=1.4.12-rc5]

       abuse STRING
	      Sets "abuse" info	in full	X-NAT-Received header.

SCANNERS
       scanner_path FILE
	      not used.

       antivirus_type off|clamd|mksd [ONE]
	      Choose antivirus to use. "off" means no scanning.

       antivirus_path SOCKET
	      Path for clamd socket.

       antispam_type off|spamassassin [ONE]
	      Choose antispam to use. "off" means no scanning.

       antispam_path SOCKET
	      Path for spamd socket.

       dspam_storage PATH
	      DSPAM storage home.

DNSBL
       dnsbl zone,zone,[...]
	      Check incoming connections on specified  DNSBL  lists.  Probably
	      makes sense for FIXED MODE only.	See also: lock_on dnsbl

SPF
       Check messages against SPF. IP used for SPF verification	depends	on spf
       option.

       spf none|incoming|outgoing|fixed	[ONE]
	      Enables SPF checking.

	      none SPF turned off
	      incoming	check against client incoming-IP, probably useful  for
	      mode fixed only.
	      outgoing	check against proxy outgoing-IP	(outgoing_addr), prob-
	      ably useful for NAT-mode only.
	      fixed	check against static IP	defined	by spf_fixed_ip

       spf_log_only yes|no
	      Logging only of SPF results, no mail rejection.

       spf_fixed_ip IP
	      Static IP	used by	spf fixed only.	Useful if proxy	is behind NAT.

REGEX
       regex_enforce_helo REGEX

       regex_enforce_mail_from REGEX

       regex_enforce_rcpt_to REGEX

	      Rejects HELO/MAIL	FROM/RCPT TO if	don't match regex_enforce_*.

       regex_reject_helo REGEX

       regex_reject_mail_from REGEX

       regex_reject_rcpt_to REGEX

	      Rejects HELO/MAIL	FROM/RCPT TO if	they match regex_reject_*.

       Please note, regex matching occurs only when corresponding  command  is
       given.  As  a  result,  it  is  not  possible  to check if there	was no
       HELO/EHLO.  See also: auth_skip regex, lock_on regex.

EARLYTALK
       Earlytalker means MUA which starts to send  SMTP	 commands  before  the
       greeting	 from  MSA.  This is SMTP protocol violation and no legitimate
       mail software should do that.

       earlytalker BOOLEAN
	      Enable/disable earlytalker rejection.

       lock_on earlytalker
	      Enable locking earlytalkers.

RATE LIMIT
       Limits for client per time-period.

       ratelimit_path PATH
	      Path for ratelimit files ("database"). If	rate limiting  is  en-
	      abled,  these get	rewritten for every connection,	so it's	proba-
	      bly a bad	idea to	put them on any	kind of	Flash (SSD) drive.

       ratelimit_period	SECONDS
	      Time period for limits. 0	disables rate limiting entirely.

       ratelimit_generation UINT
	      Generation is saved in  ratelimiting  structures	together  with
	      ratelimit_*  limits.  Limits are updated only if this generation
	      is increased. Recomended format is YYYYMMDDHHMMSS. To setup per-
	      sonalised	limit, write them with really high generation (no tool
	      for this yet).

       ratelimit_connections INT

       ratelimit_sessions INT

       ratelimit_recipients INT

       ratelimit_bytes INT
	      Limit per	duration limits	for each client	(host or  host+ident).
	      Limit  database  is saved	into ratelimit_path directory. Setting
	      any limit	to 0 disables that limit, and setting  duration	 to  0
	      disables all limits.

       ratelimit_mailfrom_rejects UINT

       ratelimit_rcptto_rejects	UINT

       ratelimit_auth_rejects UINT
	      Limits on	MAIL FROM, RCPT	TO and AUTH rejected by	MSA.

	      See also:	lock_on	ratelimit.

EARLYTALK
       If  client  sends any command before MSA	greeting, gets kicked. Current
       implementation does not delay the greeting by itself, but relies	on the
       MSA.

       earlytalk BOOL
	      enable/disable  earlytalk	 check	(enabled by default) See also:
	      lock_on earlytalk

COMMAND	FILTER
       forbid_starttls BOOL
	      Forbid entering TLS mode.

MESSAGES
       All messages sent to user are customisable.

       locale NAME
	      Changes locale of	system errors  from  strerror(3).  See	setlo-
	      cale(3). Does not	change messages	generated by daemon itself.

MESSAGES MAIN
       msg_virus_found
	      Virus found in message.

       msg_virus_locked
	      User locked, virus or SPAM found before.

       msg_spam_found
	      SPAM found in message.

       msg_unknown_virus
	      Virus name substituted, when it's	unknown.

       msg_spool_problem
	      Spooling file name problem.

       msg_spool_open_fail
	      Spool creation failed.

       msg_pipeline_full
	      Pipeline queue full.

       msg_scanner_failed
	      Scanner has failed.

       msg_cannot_connect
	      Cannot connect to	MSA.

       msg_connect_timeout
	      Connection to MSA	timed out.

       msg_nomem
	      Out of memory

MESSAGES FAKE MSA SESSION
       msg_hello
	      Hello message.

       msg_sign_off
	      Signing off.

       msg_virus_no_more
	      Virus found, please end the session.

       msg_session_timeout
	      Session timed out.

       msg_proto_error
	      Protocol error.

       msg_transaction_failed
	      Fake MSA transaction failed.

       msg_unimpl_command
	      Unimplemented command (SMTP verb).

       msg_temp_unavail
	      Service temporarily unavailable.

MESSAGES LIMITS
       msg_max_reached
	      Total connections	limit reached, try again later.

       msg_max_per_host
	      Connections limit	for IP reached,	try again later.

       msg_max_per_ident
	      Connections limit	for IP+ident reached, try again	later.

       msg_system_load
	      System load too high, try	again later.

MESSAGES FOR REMOTE IDENT MODE
       msg_malformed_ip	[REMOTE]
	      Malformed	IP received

       msg_lookup_failed
	      Lookup failed.

       msg_lookup_timeout
	      Lookup timed out.

       msg_lookup_mismatch
	      Invalid lookup response format.

       msg_lookup_nomem
	      Lookup failed, not enough	memory.

DIRECT PROXY
       Direct proxy is a mode where proxy simply passes	traffic	between	client
       and MSA without any interaction or processing.  This of	course	means,
       that  any  checks/limits/quota/etc  are	ignored. You cannot force this
       mode by config (it would	be pointless to	have the proxy), however proxy
       enters this mode	if:

       1.     STARTTLS is successfully requested by the	client (proxy couldn't
	      process encrypted	traffic	anyway)

       2.     auth_skip	direct is set and client  has  successfully  authenti-
	      cated to the MSA.

       As  the	traffic	in direct proxy	mode is	not processed, this means less
       overhead	to the proxy host.

FAQ
       These are popular Questions and Answers:

       Q1: Antispam is not working! What is wrong?
	      You must change max_spam_size to something above 0  to  turn  on
	      antispam	scanning.  It's	 set  to  0 by default,	and this means
	      turning antispam off. Also, set antispam_type.

       Q2: Spammers don't get locked! What is wrong?
	      If you want to block spammers, set "lock_on spam[,...]", and see
	      Question#1.

       Q3:  I wanted to	block some user	by creating lockfile manually, but now
       his traffic is not even scanned!
	      Creating lockfile	with owner other than proxy process runs with,
	      will  protect  that host from being locked. The contents of file
	      does not matter.

       Q4: My header is	invalid	after upgrading!
	      nat_header changed into nat_header_type since 1.4.12-rc5,	so af-
	      ter  upgrade header will not be injected unless you rename it in
	      configuration file.

       Q5: I don't have	idents in my logs or headers, why?
	      It simple	-- ident is used in REMOTE IDENT mode, which  is  cur-
	      rently not available.

       Q6: I don't see X-NAT-Received header in	mails, why?
	      Please  remember,	 that mail sent	with TLS is not	scanned. Also,
	      check  nat_header_type  directive	 in  your  config  file,   and
	      nat_header (see MANGLING above).

       Q7: When	X-Virus-Scan and/or X-Spam-Status headers will be supported?
	      The  answer is: never. Reason is simple -- proxy is passing-thru
	      email headers and	body. Because headers are sent first, we can't
	      predict  spam-score  or  virus presence. The main	assumption for
	      this project was not to buffer mail before forwarding,  so  this
	      option won't appear.

       Q8: I have many locks left, even	if they	should be gone long time ago!
	      Please see note for the LOCKING.

       Q9: Host	gets locked, lock file appears,	but he can still send e-mails!
	      Please *do not* run proxy	as root, and set set_user properly. If
	      you do, remove all locks manually.

       Q10: action_script does not work!
	      Please read about	ACTION SCRIPT. Script will not be called  once
	      the  lock	 exists. If you	were testing "by hand" by writing some
	      text to some log file, make sure the script has  permissions  to
	      write  to	 it  too, i.e. by temporarily doing chmod a+rw on that
	      log file.	You should also	check if disabling  limit_*  variables
	      will  do	the  trick,  and if the	answer is yes, try to set them
	      high enough for script needs.

       Q11: spamassassin gets timeout
	      Please check if "spamd -L" resolves this issue.

       Q12: clamd fails	with: SCAN:FAILED [...]	result=lstat() failed.
	      Antispam and antivirus scanners need to  have  access  to	 spool
	      files (spool_path, spool_perm).  If you want to seal your	setup,
	      you can add clamav user smtpgw group, and	deny other  to	access
	      the spool	directory.

       Q13:  action  script  does  not	seem  to  work	well  when executed by
       smtp-gated, possibly failing with ENFILE	or ENOMEM
	      Read notes about resource	control	and action scripts.

CHANGES
	 1.4.16-rc2:
		 spf:

			    changed: source -> incoming
			    added: fixed

	 1.4.16-rc1:

		     added options:
			    dnsbl
			    spf
			    spf_log_only
			    regex_*
		     renamed options:
			    source_addr	-> outgoing_addr
		     changed options:
			    nat_header_type
			    auth_require
			    auth_skip: "regex",	"dnsbl"	added
			    lock_on: "regex", "dnsbl" added

	 1.4.14-rc2:  renamed options:

		     dumpfile -> statefile
		     dumpfile_perm -> statefile_perm

	 1.4.14-rc1:  Changed many configuration options. Please  review  your
       previous	configuration using:

	      smtp-gated -t /path/to/smtp-gated.conf

REPORTING BUGS
       If  you are willing to sent me a	bug report, please check manuals first
       to ensure you have configured properly. In report, please include:

	      1. output	of "smtp-gated -V"

	      2. config	file (as attachment if big)

	      3. full logs related to e-mails sent, with "log_level debug"

	      4. optional mail header (as sent from proxy).

		 If you	get 'unknown option' or	'invalid  value'  errors,  you
		 can  list all supported options with supported	values by run-
		 ning:

	      smtp-gated -T

EXPLANATION
       INT    Signed integer

       UINT   Unsigned number; can be specified	as decimal,  octal  (beginning
	      with 0), or hexadecimal (beginning with 0x or 0X)

       BOOL   Boolean (0, 1)

       FLOAT  Floating-point number

       IP     Valid IP address

       PORT   Valid IP port

       STRING Arbitrary	text string

       PATH   Valid directory name

       FILE   Valid file name

       SOCKET UNIX socket or TCP socket. UNIX socket must begin	with backslash
	      ("/"), otherwise path is considered TCP socket and must be  sub-
	      mitted in	following form:	ip:port	(i.e. 127.0.0.1:1097)

       [ONE]  Only one value allowed.

       [MULTI]
	      Multiple	values	allowed,  comma	 separated  (do	NOT insert any
	      white space before comma).

       [RESTART]
	      This option needs	full restart to	take effect.

       [REMOTE]
	      This option affects REMOTE IDENT MODE only.

GLOSSARY
       MSA    Mail Submission Agent

SEE ALSO
       smtp-gated(8)

HOMEPAGE
       http://smtp-proxy.klolik.org

AUTHOR
       Bartlomiej Korupczynski <smtp-proxy@klolik.org>

Bartlomiej Korupczynski		  2013-02-26		    smtp-gated.conf(1)

NAME | VERSION | DESCRIPTION | MAIN OPTIONS | RESOURCE CONTROL | MODE | FIXED MODE | FIXED+XCLIENT MODE | REMOTE IDENT MODE / REMOTE-UDP IDENT MODE | GETSOCKNAME MODE | NETFILTER MODE | TPROXY MODE | IPFW MODE | IPFILTER MODE | PF MODE | STATUS | LOCKING | ACTION SCRIPT | SPOOLING | TIMEOUTS | AUTHENTICATION CONTROL | LIMITS | MISCELLANOUS | LOGGING | MANGLING | SCANNERS | DNSBL | SPF | REGEX | EARLYTALK | RATE LIMIT | EARLYTALK | COMMAND FILTER | MESSAGES | MESSAGES MAIN | MESSAGES FAKE MSA SESSION | MESSAGES LIMITS | MESSAGES FOR REMOTE IDENT MODE | DIRECT PROXY | FAQ | CHANGES | REPORTING BUGS | EXPLANATION | GLOSSARY | SEE ALSO | HOMEPAGE | AUTHOR

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=smtp-gated.conf&sektion=5&manpath=FreeBSD+12.1-RELEASE+and+Ports>

home | help