The users may configure a bunch of filter rules. There are two kinds of settings: settings configured by a config directive in the file "filterconf" and settings configured by their own file. If the setting is not configured in the user directory, Qsmtpd will take the value from the domain directory. If there is no domain setting either, the global one is taken if the setting is marked "global".

Filterconf settings

These settings can occur in the file "filterconf" in the user or domain directory. Settings marked global can also occur in the global file /var/qmail/control/filterconf. There may be comments or empty lines in the filterconf file; both will be ignored.

There are two kinds of settings, boolean and integer. If there is a boolean setting "foo" and there is a line containing just "foo", foo will be enabled. If there is no foo it will be disabled. Integer settings are "keyword=number", e.g. "foo=2" will set foo to 2. There may not be any characters between the keyword, the '=' and the number. Boolean expressions may be written as integers: "foo" as a boolean is the same as "foo=1" and "foo=123877", so having no "foo" line in the file is the same as "foo=0". There is a special value "-1": if the user sets "foo=-1", foo will be disabled and the domain config will _not_ be used.

List of settings:

forcestarttls:
    Recipient only accepts mail if the transmission is SSL-encrypted. Use this with care: it violates RFC 3207 and is only for really paranoid users.

whitelistauth: (global)
    If the user is authenticated by SMTP AUTH or by TLS client certificate, the mail is accepted and no other filters will be checked.

check_strict_rfc2822:
    The mail body is checked for compliance with RFC 2822 (e.g. only one From:). The mail is rejected if it is invalid. If only one of the recipients does not enable this check, the mail will not be rejected. This is due to the fact that the mail must be completely transferred before it can be rejected, but then only one reply code for all recipients can be returned.

fromdomain: (global)
    Perform some checks on the domain of the "MAIL FROM:" address. The flags are bitwise ORed and stored as one number.
    * 1: reject mail if from domain does not exist
    * 2: reject mail if from domain resolves only to localhost addresses
    * 4: reject mail if from domain resolves only to private nets (RFC 1918)

reject_ipv6only: (global)
    Reject if all MX records of the "MAIL FROM:" domain point to real IPv6 addresses. This is useful only on an IPv4-only node where these addresses can't be routed.

spfpolicy: (global)
    Filter mail by the policy given by a DNS TXT record of the sender domain. The value has these meanings:
    * 1: temporary DNS errors will block mail temporarily
    * 2: reject mail if the SPF record says 'fail'
    * 3: reject mail if the SPF record is syntactically invalid
    * 4: reject mail when the SPF record says 'softfail'
    * 5: reject mail when the SPF record says 'neutral'
    * 6 (or more): rejects mail when no SPF records are found
    => see also: rspf (file), spfstrict (file), ignorespf (file)

nobounce:
    Don't accept bounce messages to this recipient. This is useful if this address is never used to send mail (e.g. contact addresses on websites).

usersize:
    The maximum size of a message the user wants to accept. This only works if the client uses ESMTP SIZE (which all real mailservers do). The widespread worms with their own SMTP engine don't use this, so this will not block them.

block_SoberG: (global)
    Block a mail where the combination of HELO and MAIL FROM looks like SoberG: MAIL FROM: foo@bar.com would lead to HELO foo.com

helovalid: (global)
    Mails with invalid helo are rejected. The value is a bitwise combination of these bits:
    1: helo is my name
    2: helo is my [IP address]
    3: helo is syntactically invalid
    4: currently undefined
    5: 2+3 (helo is my IP address, but not enclosed in '[]', which is broken)
    6, 7: currently undefined

fail_hard_on_temp:
    If any filter returns with a temporary reject (e.g. sending IP is listed in an IP blacklist), a permanent failure is announced instead of the temporary one.

nonexist_on_block:
    If any filter returns with a reject code, the mail server will lie and tell the client the user does not exist instead of returning a policy error.

List of files:

There are 4 basic types of files:

-address files
    These files can contain 4 types of entries:
    1) complete mail addresses: entire from address must match this one
    2) @domain: from domain must match string, "@aol.com" would block "foo@aol.com" but not "foo@bar.aol.com"
    3) no '@' at all: block everything from this domain and subdomains, the character in MAIL FROM before the match must be '.' or '@', so "aol.com" would reject "foo@aol.com" and "foo@bar.aol.com" but not "foo@no-aol.com"
    4) beginning with '.' and no '@': block everything ending with string, so ".aol.com" would block every subdomain of aol.com, but not aol.com itself

-domain files
    These files can contain 2 types of entries (which will look a bit familiar *g*):
    1) see #3 above
    2) see #4 above

-blocklist files
    Every entry in this type of file is the name of one blocklist, not beginning with a '.'. These files are used for various blocklists, e.g. an entry of "dsn.rfc-ignorant.org" in "namebl" would lead to a query of "rossmann.de.dsn.rfc-ignorant.org" if the sender address is "something@rossmann.de"

-IP match files
    These files exist in 2 versions, one version for IPv4 addresses with record length 5 and the other for IPv6 addresses with record length 17. The first 4 (16) bytes are a netmask for the IP address, the last byte is the length of the netmask. The minimum value of the length byte is 8, the maximum 32 (128). The file is rejected if its length is not a multiple of the record length.

badcc: [address]
badmailfrom: (global) [address]
goodmailfrom: (global) [address]
dnsbl: (global) [blacklist]
whitednsbl: (global) [blacklist]
dnsblv6: (global) [blacklist]
whitednsblv6: (global) [blacklist]
badhelo: (global) [domain]
ipbl: (global) [IPv4 match]
ipwl: (global) [IPv4 match]
ipblv6: (global) [IPv6 match]
ipwlv6: (global) [IPv6 match]
rspf: (global) [blacklist]
spfstrict: (global) [domain]
ignorespf: (global) [domain]
namebl: (global) [blacklist]
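
The lookup order from "Filterconf settings" (user, then domain, then global for settings marked global, with "-1" stopping the fallback) can be checked offline with the sketch below. It is an added example, not Qsmtpd code. It assumes that '#' starts a comment, that a malformed line is an error, and that "-1" in the domain file stops the fallback to the global file in the same way; the sample files are constructed.

```python
import re

# Settings the page marks "(global)"; only these fall back to the global file.
GLOBAL_SETTINGS = {"whitelistauth", "fromdomain", "reject_ipv6only",
                   "spfpolicy", "block_SoberG", "helovalid"}
# keyword alone (boolean) or keyword=number with nothing around the '='
LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:=(-1|\d+))?$")

def parse_filterconf(text):
    """Return {keyword: int} for the contents of one filterconf file."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        m = LINE.match(line)
        if not m:                              # e.g. "foo = 2" is not valid
            raise ValueError(f"line {lineno}: malformed setting {raw!r}")
        # a bare keyword is the same as keyword=1
        settings[m.group(1)] = 1 if m.group(2) is None else int(m.group(2))
    return settings

def effective(name, user, domain, global_):
    """Resolve one setting: user, then domain, then global if marked global."""
    levels = [user, domain] + ([global_] if name in GLOBAL_SETTINGS else [])
    for conf in levels:
        value = conf.get(name, 0)   # a missing line is the same as "name=0"
        if value == -1:             # explicit off: do not look further
            return 0
        if value > 0:
            return value
    return 0

# Constructed sample files for one user, the user's domain and the global file.
USER = parse_filterconf("# user file\nnobounce\nspfpolicy=-1\nusersize=2000000\n")
DOMAIN = parse_filterconf("spfpolicy=4\nfromdomain=3\nforcestarttls\n")
GLOBAL = parse_filterconf("helovalid=1\nusersize=500000\n")
```

With these samples the user's "spfpolicy=-1" wins over the domain's "spfpolicy=4", and a "usersize" that exists only in the global file is never applied because usersize is not marked global.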
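
The four entry types of an address file differ in small ways that are easy to get wrong when writing badmailfrom or goodmailfrom. The following added example (not Qsmtpd code) implements the matching rules as described above so that entries can be tested before deployment. Case-insensitive comparison is an assumption, and the entry list is constructed.

```python
def entry_type(entry):
    """Classify an address-file entry as type 1-4 from the list above."""
    if entry.startswith("@"):
        return 2                      # @domain: exact domain
    if "@" in entry:
        return 1                      # complete mail address
    return 4 if entry.startswith(".") else 3

def entry_matches(entry, sender):
    """True if one address-file entry matches the MAIL FROM address."""
    entry, sender = entry.lower(), sender.lower()  # assumption: case-insensitive
    kind = entry_type(entry)
    if kind == 1:
        return sender == entry
    if kind == 2:
        # compare everything from the last '@' on, so subdomains do not match
        return sender[sender.rfind("@"):] == entry
    if not entry or not sender.endswith(entry):
        return False
    if kind == 4:
        # ".aol.com" matches subdomains only; "@aol.com" does not end in ".aol.com"
        return True
    # type 3: the character before the match must be '.' or '@'
    return sender[:-len(entry)].endswith((".", "@"))

def first_match(entries, sender):
    """Return (entry, type) for the first matching entry, or None."""
    for entry in entries:
        if entry_matches(entry, sender):
            return entry, entry_type(entry)
    return None

# Constructed sample entries, one of each type.
SAMPLE_ENTRIES = ["spammer@example.net", "@example.org", "aol.com", ".example.com"]
```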
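
IP match files are binary, so a broken ipbl or ipwl is hard to spot by eye. This added example (not Qsmtpd code) parses the record layout described above, rejects a file whose size is not a whole number of records or whose length byte is outside 8..32 (8..128 for IPv6), and checks an address against the result. The sample data uses documentation address ranges and is constructed.

```python
import ipaddress

def load_ip_match(data, v6=False):
    """Parse the bytes of an IP match file into a list of network objects."""
    addrlen, maxbits = (16, 128) if v6 else (4, 32)
    reclen = addrlen + 1                      # 5 for IPv4, 17 for IPv6
    net_cls = ipaddress.IPv6Network if v6 else ipaddress.IPv4Network
    if len(data) % reclen:
        raise ValueError(f"file size {len(data)} is not a multiple of {reclen}")
    nets = []
    for off in range(0, len(data), reclen):
        addr = data[off:off + addrlen]        # packed address bytes
        bits = data[off + addrlen]            # last byte: length of the netmask
        if not 8 <= bits <= maxbits:
            raise ValueError(f"record at offset {off}: bad mask length {bits}")
        # strict=False masks off any host bits left set in the record
        nets.append(net_cls((addr, bits), strict=False))
    return nets

def is_listed(ip, nets):
    """True if the textual address `ip` falls inside any loaded network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

# Constructed sample files: 192.0.2.0/24 and 198.51.100.0/25, then 2001:db8::/32.
SAMPLE_V4 = bytes([192, 0, 2, 0, 24, 198, 51, 100, 0, 25])
SAMPLE_V6 = ipaddress.IPv6Address("2001:db8::").packed + bytes([32])
```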