###################################################################### # POLICY DAEMON CONFIGURATION # ###################################################################### # DATABASE CONFIG # ###################################################################### # # ip address or hostname to connect to: # # if you want to connect to a host/ip, enter it here. # if you want to via a unix socket, set MYSQLHOST="" # MYSQLHOST="127.0.0.1" # # database name: # # name of database to connect to # MYSQLDBASE="policyd" # # database username: # # username to connect to database as # MYSQLUSER="postfix" # # database password: # # password to for username # MYSQLPASS="p0stf1x" # # connection options: # # what client side connections policyd will use> # # CLIENT_COMPRESS -> compress connection from policyd -> mysql # CLIENT_SSL -> encrypt connection from policyd -> mysql # MYSQLOPT="" # # failsafe/failover mode: default: on # # if the database or queries fail, continue accepting mail # # 1=on 0=off FAILSAFE=1 # # database keep alive: default: off # # if you recieve very little mail, your connection to the # mysql database will time out. enabling this option pings # the database to ensure the database connection is alive. # if it is not, it reconnects to the database. this option # is not needed on mail servers that recieve more than one # mail every 60 to 120 seconds. disabling this increases # performance a little. # # 1=on 0=off DATABASE_KEEPALIVE=0 ###################################################################### # DAEMON CONFIG # ###################################################################### # # debugging information: default: 3 # # only use debugging when there are problems # # 0 -> off (recommended) # 1 -> standard debugging # 2 -> 1+mysql queries+results # 3 -> 1+2+network debugging # 0=off DEBUG=3 # # daemon/background mode: default: off # # detach policyd from terminal. enable when you're happy # that things are working as they should. # # 1=on 0=off DAEMON=0 # # bind to ip address: # # ip address which the policy daemon will listen on # BINDHOST=127.0.0.1 # # port to bind to: # # port which the policy daemon will listen on # BINDPORT=10031 # # path to pidfile: # # where policyd will write its current pid to # PIDFILE=/var/run/policyd.pid # # syslog facility # # what syslog facility to log to # SYSLOG_FACILITY="LOG_MAIL | LOG_INFO" ###################################################################### # SECURITY # ###################################################################### # # chroot: # # directory to change to before binding # CHROOT=/ # # uid: # # userid for the policy daemon to run as # UID=0 # # gid: # # groupid for the policy daemon to run as # GID=0 # # connection acl: # # this is the list of ip addresses or networks (cidr format) that # will be allowed to connect to policyd. leaving this blank causes # policyd to reject all connection attempts. # CONN_ACL="127.0.0.1 192.168.0.0/24" ##################################################################### # WHITELISTING (functional) # ##################################################################### # # whitelisting: default: on # # this enables whitelisting of ip/netblocks. this is needed # if you want to allow any of the whitelisting features. # # 1=on 0=off WHITELISTING=1 # # whitelist null sender: default: off # # null senders are normally used for bounce messages. many # viruses use null senders so its wise to leave this disabled. # # 1=on 0=off WHITELISTNULL=0 # # whitelist sender address/domain # # this allows you to do whitelisting based on envelope sender # address or envelope sender domain. a number of people have # been asking for this. please AVOID using this as spammers # forge senders and domains a lot. # # 1=on 0=off WHITELISTSENDER=0 # # whitelist client dns name # # this allows you whitelist clients that have proper resolving # records. for example, i could whitelist 'bulk.scd.yahoo.com'. # so any connections from n6a.bulk.scd.yahoo.com or # n6b.bulk.scd.yahoo.com would be whitelisted. this type of # whitelisting gives far greater power when it comes to # whitelisting ISPs or big companies which you know do not # house spammers. please note. this table must NOT have more # than 10 000 -> 15 000 entries. # # 1=on 0=off WHITELISTDNSNAME=0 # # automatic whitelisting default: off # # this allows whitelisting of remote networks who have sent # more than AUTO_WHITELIST_NUMBER of authenticated triplets. # # 1=on 0=off AUTO_WHITE_LISTING=0 # # auto whitelist number: default: 500 # # how many succesfull triplets does it require before a # network is automatically whitelisted # AUTO_WHITELIST_NUMBER=500 # # whitelist netblock/24: default: 0 # # when hosts get autowhitelisted, should the host be whitelisted # or should the entire netblock (class C). # # 1=class 0=host AUTO_WHITELIST_NETBLOCK=0 # # whitelist expiry default: 7 days # # this allows you to specify for what period of time any # host will be whitelisted for when auto whitelisted. # a setting of 0 sets a permanent whitelist # AUTO_WHITELIST_EXPIRE=7d ##################################################################### # BLACKLISTING (functional) # ##################################################################### # # blacklisting: default: off # # this enables blacklisting of ip/netblocks. this is needed # if you want to allow any of the blacklisting features and # the spamtrapping module. if blacklisting is disabled, # the other modules still run and insert blacklisting records # into the table, but it doesn't take effect untill you # actually turn blacklisting on. this allows people to look # and what hosts get blacklisted and see if any possible # problems occured. (false-positive) # # 1=on 0=off BLACKLISTING=0 # # blacklist client dns name: # # this allows you blacklist clients that have proper resolving # records. for example, i could blacklist 'spamtargeting.com'. # so any connections from mail1.spamtargeting.com or # mail2.spamtargeting.com would be blacklisted. this type of # blacklisting gives far greater power when it comes to # blacklisting ISPs or big companies which you know do # house spammers, or e.g. ADSL home users when their ISPs # give an easily identifiable reverse DNS to them like # adsl-*.revip.thisisp.com. please note. this table must # NOT have more than 10 000 -> 15 000 entries. # 1=on 0=off BLACKLISTDNSNAME=0 # # blacklist temp rejection: default: 4xx # # this allows you to either temp reject (4xx) blacklisted # hosts or if you're sure that blacklisted hosts are safe # to reject, you can hard reject (5xx) blacklisted hosts. # # 1=4xx 0=5xx BLACKLIST_TEMP_REJECT=1 # # blacklist netblock/24: default: host # # when hosts get blacklisted, should the host be blacklisted # or should the entire netblock (class C). this applies to # both when a host gets blacklisted via the spamtrap module # or via the blacklist helo module. # # 1=class 0=host BLACKLIST_NETBLOCK=0 # # blacklist rejection default: "Abuse. Go Away" # # what error message blacklisted hosts will recieve. # BLACKLIST_REJECTION="Abuse. Go away." # # automatic blacklisting default: off # # this allows blacklisting of remote networks who have sent # more than AUTO_BLACKLIST_NUMBER of unauthenticated triplets. # # 1=on 0=off AUTO_BLACK_LISTING=0 # # auto blacklist number: default: 500 # # how many succesfull untriplets does it require before a # network is automatically blacklisted # AUTO_BLACKLIST_NUMBER=500 # # blacklist expiry default: 7 days # # this allows you to specify for what period of time any # host will be blacklisted for when auto blacklisted. # a setting of 0 sets a permanent blacklist # AUTO_BLACKLIST_EXPIRE=7d ##################################################################### # BLACKLISTING HELO (functional) # ##################################################################### # # blacklisting helo: default: off # # this enables blacklisting of ip/netblocks who attempt to # identify themselve as you. no legit MTA should be using # your helo identity when connecting to your machines. # # 1=on 0=off BLACKLIST_HELO=0 # # blacklist helo auto expire: default: permanent # # this allows you to specify for what period of time any # host will be blacklisted for when it has been caught # using your HELO to identify itself. (a setting of 0 # sets a permanent blacklist) # BLACKLIST_HELO_AUTO_EXPIRE=0 ##################################################################### # BLACKLIST SENDER (functional) # ##################################################################### # # blacklist sender: default: off # # this allows you to use policyd to block domains and/or # email addresses. # 1=on 0=off BLACKLISTSENDER=0 ##################################################################### # HELO_CHECK (functional) # ##################################################################### # # helo unique checking default: off # # (legit) hosts that connect to your mail servers 99% of # the time use static HELO information. spammers randomize # their helo. enabling this will cut down the amount of # spam entering your network. # 1=on 0=off HELO_CHECK=0 # # helo max number count: # # this allows you to specify how many unique/different # helo names a connecting host/ip is allowed to send. # spammers randomize their helo information in big # numbers. legit MTAs with floating ips also do this, # but the number of them is fairly small. # # HELO_MAX_COUNT=10 # # helo blacklist auto expire: # # this allows you to specify for what period of time any # host will be blacklisted for when it has been caught # randomizing their helo information. (a setting of 0 # sets a permanent blacklist) # HELO_BLACKLIST_AUTO_EXPIRE=14d # # helo auto expire: # # this allows you to specify for what period of time any # HELO identity will remain in the database for before it # gets expired. (a setting of 0 ensures that all HELO # information stays stored and is never expired). # HELO_AUTO_EXPIRE=7d ##################################################################### # SPAMTRAP (functional) # ##################################################################### # # enable spamtrap default: off # # the idea of this module is to allow you to capture # hosts that mail to your spamtraps without having to # resort to parsing the mails to identify senders. you # now have the ability to blacklist the host/netblock # for a period of time (definable in SPAMTRAP_AUTO_EXPIRE). # # 1=on 0=off SPAMTRAPPING=0 # # spamtrap rejection: default: "Abuse. Go Away." # # what error message the connecting host will recieve # when a message is directly sent to your spamtraps # SPAMTRAP_REJECTION="Abuse. Go away." # # spamtrap auto expire: default: 7 days # # this allows you to specify for what period of time any # host will be blacklisted for when it has been caught # mailing to your spamtrap addresses. (a setting of 0 # sets a permanent blacklist) # SPAMTRAP_AUTO_EXPIRE=7d ##################################################################### # GREYLISTING (functional) # ##################################################################### # # enable greylisting default: on # # whether greylisting should be enabled or disabled. # # 1=on 0=off GREYLISTING=1 # # greylist rejection: default: "Please try later" # # what error message the connecting host will recieve # when a new triplet has been created. # GREYLIST_REJECTION="Please try later." # # greylist x-header: default: off # # you now have the functionality of tagging all mail # that has passed greylisting. # # 1=on 0=off GREYLIST_X_HEADER=0 # # greylist host address: default: off # # by default policyd will only use 3 octets when dealing # with greylisting information. this allows policyd to # work around roaming MTAs which are known to move mail # between different queues after a 450/temp rejection. # # some dont want this functionality and wish to be more # aggressive when receiving mail. example of the format # of the ips stored: # # 1=192 # 2=192.168 # 3=192.168.0 <- default/recommended # 4=192.168.0.1 # GREYLIST_HOSTADDR=3 # # train database: default: off # # this is very usefull for people would want to build # up a collection of triplets before they start rejecting # mail. training mode allows the collection of triplets # to mature to a stage that when greylisting is actually # enabled, they impact caused is far far less. # # 1=on 0=off TRAINING_MODE=0 # # training policy duration/timeout default: 0d # # when you have run TRAINING_MODE for your all your domains # and are running greylisting across the board, adding new # domains and subjecting them to greylisting without a # training period can bring unnessasary hassles. this feature # allows you to specify for how long 'new domains' are to be # trained for before being subjected to greylisting. # # a value of 0 disables this feature. # TRAINING_POLICY_TIMEOUT=0 # # # triplet timeout: default: 4 minutes # # when a triplet is created from the first mail delivery # attempt, what period of time should go by before we # allow the 'final delivery'. a study shows that there # is no difference between 1 minute and 1 hour for spam # at this point in time. a sane limit would be 5 minutes. # TRIPLET_TIME=4m # # opt in and opt out: default: off # # some people are fairly irate when it comes to mail and # refuse wanting to have any type of delay. this feature # enables each and every person the ability to not subject # themselves to greylisting. this feature is also VERY # usefull when you dont want to subject EVERY person to # greylisting at once but instead allows you to enable # it in batches/groups of users so you get a feel on the # type of complaints or praise from your users. # # 1=on 0=off OPTINOUT=0 # # optinoutall: default: off # # this allows you to either opt everyone in, or opt every # one out and only has any effect if OPTINOUT is enabled. # # 1=on 0=off OPTINOUTALL=0 # # triplet authenticated cleanup default: 30d # # if a triplet has been successfully updated (retried and # delivered), this is what is considered an 'authenticated' # triplet. this options allows some sanity so you do not # keep these triplets forever. specify the amount of days # that we keep authenticated triplets since it was last updated. # TRIPLET_AUTH_TIMEOUT=30d # # triplet unauthenticated cleanup default: 2d # # if a triplet has NOT been successfully updated (no retry # attempt), this is what is considered as an 'unathenticated' # triplet. this option allows some sanity so you do not # keep these triplets forever. specify the amount of days # that we keep unauthenticated triplets since being inserted # into the database # TRIPLET_UNAUTH_TIMEOUT=2d ##################################################################### # SENDER THROTTLE (functional) # ##################################################################### # # throttle senders default: off # # sender throttling allows per-user limits of all # mail that passes the policy daemon. any envelope # sender that is not found in the database will # fall back to the config defaults listed below. # # 1=on 0=off SENDERTHROTTLE=0 # # throttle SASL users default=on # # throttling based upon envelope sender addresses does # not work very well as it can of course be easily forged. # if your users are forced to authenticate via SASL, enable # this option so that quotas stick like glue regardless of # what they try. # # if this option is enabled, and a remote client connects # WITHOUT sasl, it will then use the clients sending/FROM # address. # 1=on 0=off SENDER_THROTTLE_SASL=0 # # throttle IP addresses default=on # # throttling based upon the ip address of the sender # will ensure that the host does not send more than # their allowed quota. you may only enable # SENDER_THROTTLE_SASL or SENDER_THROTTLE_HOST but # *NOT* both. # 1=on 0=off SENDER_THROTTLE_HOST=1 # # quota exceeded temp rejection: default: 5xx # # select temp reject (4xx) or hard reject (5xx) on quota exceeded # # 1=4xx 0=5xx QUOTA_EXCEEDED_TEMP_REJECT=1 # # throttle rejection: default: "Quota Exceeded" # # what error message the connecting host will recieve # when they have exceeded any of their quotas. # SENDER_QUOTA_REJECTION="Quota Exceeded." # # throttle max message size reject message default: Message size too big # # # SENDER_SIZE_REJECTION="Message size too big." # # maximum mail sent per time period default: 5000 # # how many messages a user is allowed to send out # before the time limit has expired. # SENDERMSGLIMIT=512 # # maximum mail recipients per time period default: 5000 # # how many recipients a user is allowed to send out # before the time limit has expired. # SENDERRCPTLIMIT=3600 # # maximum mail quota/size per time period default: 250 meg # # how much mail will be allowed from a user (in megs) # which will be accepted before the timelimit has expired. # note: the maximum supported size is 2gig # SENDERQUOTALIMIT=250000000 # # sender time limit: default: 24 hours # # after how long does all quota last before counters # are reset back to to zero. # SENDERTIMELIMIT=1h # # sender message size: default: 10 meg # # this is the maximum sender mail size # SENDERMSGSIZE=10240000 # # sender "warning" threshold # # this is the threshold (in percentage) that will trigger a # a warning to syslog. valid percentages are 1 -> 99 # SENDERMSGSIZE_WARN=50 # # sender "panic" threshold # # this is the threshold (in percentage) that will trigger a # a warning to syslog. valid percentages are 1 -> 99 # SENDERMSGSIZE_PANIC=90 # # inactive sender database record cleanup default: 31 days # # this allows you to specify how long the throttling # records of inactive senders kept in the database. # this allows to keep the database small. a setting # of 0 keeps all entries. # SENDER_INACTIVE_EXPIRE=31d # # sender throttling automatic blacklisting default: off # # this feature works if sender throttling is enabled, with # exception of SENDER_THROTTLE_SASL. # If SENDER_THROTTLE_HOST is enabled, this feature adds the # sender's host IP address to the blacklist. # Otherwise the sender's email address is added to sender_blacklist # (BLACKLISTSENDER should be enabled in this case). # # The sender is added to the blacklist if it violates the quota # more than the specified number of times. # # 1=on 0=off SENDER_THROTTLE_AUTOBLACKLIST=0 # # sender throttling automatic blacklisting number default: 3 # # number of times that the sender quota exceeds before # the sender is put into blacklist # SENDER_THROTTLE_AUTOBLACKLIST_NUMBER=3 # # sender throttling automatic blacklisting expiration default: 6h # # how long the abusive sender is kept in the black list. # SENDER_THROTTLE_AUTOBLACKLIST_EXPIRE=6h ##################################################################### # RECIPIENT THROTTLE (functional) # ##################################################################### # # throttle recipients default: off # # recipient throttling allows per-user limits of all # mail that passes the policy daemon. any envelope # recipient that is not found in the database will # fall back to the config defaults listed below. # # 1=on 0=off RECIPIENTTHROTTLE=0 # # maximum mail sent per time period default: 5000 # # how many messages a user is allowed to send out # before the time limit has expired. # RECIPIENTMSGLIMIT=64 # # recipient time limit: default: 24 hours # # after how long does all quota last before counters # are reset back to to zero. # RECIPIENTTIMELIMIT=1h # throttle recipient rejection: default: "Quota Exceeded" # # what error message the connecting host will recieve # when they have exceeded any of their quotas. # RECIPIENT_QUOTA_REJECTION="Quota Exceeded." # # inactive recipients database record cleanup default: 31 days # # this allows you to specify how long the throttling # records of inactive recipients are kept in the database. # this allows to keep the database small. a setting # of 0 keeps all entries. # RECIPIENT_INACTIVE_EXPIRE=31d ####### # EOF # #######