bionic (5) policyd-weight.conf.5.gz

Provided by: policyd-weight_0.1.15.2-12_all

NAME

       policyd-weight.conf - policyd-weight configuration parameters

STATUS

       Beta, Documentation incomplete

DESCRIPTION

       policyd-weight uses a perl(1) style configuration file which it reads on startup. The cache re-reads the
       configuration after $MAINTENANCE_LEVEL (default: 5) queries. If -f is not specified, it searches for the
       configuration file in the following locations:

        /etc/policyd-weight.conf
        /usr/local/etc/policyd-weight.conf
        ./policyd-weight.conf

CACHE SETTINGS

       $CACHESIZE (default: 2000)
              Set the minimum size of the SPAM cache.

       $CACHEMAXSIZE (default: 4000)
              Set the maximum size of the SPAM cache.

       $CACHEREJECTMSG (default: 550 temporarily blocked because of previous errors)
              Set the SMTP status code and an explanatory message for mails rejected because of cached results.

       $NTTL (default: 1)
              The client is penalized for that many retries.

       $NTIME (default: 30)
              The $NTTL counter will only be decremented if the client waits at least $NTIME seconds.

       $POSCACHESIZE (default: 1000)
              Set the minimum size of the HAM cache.

       $POSCACHEMAXSIZE (default: 2000)
              Set the maximum size of the HAM cache.

       $PTTL (default: 60)
              After that many queries the HAM entry must pass one run through the RBL checks again.

       $PTIME (default: 3h)
              After $PTIME in the HAM cache the client must pass the RBL checks once again. Values must be
              non-fractional. Accepted time-units: s(econds), m(inutes), h(ours), d(ays)

       $TEMP_PTIME (default: 1d)
              The client must keep passing the RBL checks for this long in order to be listed as hard-HAM. After
              this time the client passes immediately for $PTTL queries within $PTIME. Values must be
              non-fractional. Accepted time-units: s(econds), m(inutes), h(ours), d(ays)

DEBUG SETTINGS

       $DEBUG (default: 0)
              Turn debugging on (1) or off (0)

DNS SETTINGS

       $DNS_RETRIES (default: 2)
              How many times a single DNS query may be repeated

       $DNS_RETRY_IVAL (default: 2)
              Retry a query without response after that many seconds

       $MAXDNSERR (default: 3)
              If that many queries fail, the mail is accepted with $MAXDNSERRMSG.
              In total DNS queries this means: $MAXDNSERR * $DNS_RETRIES

       $IGNORE_RFC1918_A (default: 0)
              If enabled (1) A records with RFC1918 addresses aren't treated  as  bogus  addresses  by  policyd-
              weight and therefore bogus_mx_score isn't added.

MISC SETTINGS

       $MAINTENANCE_LEVEL (default: 5)
              After  that  many  policy  requests  the  cache  (and  in  daemon mode child processes) checks for
              configuration file changes

       $MAXIDLECACHE (default: 60)
              After that many seconds of being idle the cache checks for configuration file changes.

       $PIDFILE (default: /var/run/policyd-weight.pid)
              Path and filename to store the master pid (daemon mode)

       $LOCKPATH (default: /tmp/.policyd-weight/)
              Directory where policyd-weight  stores  sockets  and  lock-files/directories.  Its  argument  must
              contain a trailing slash.

       $SPATH (default: $LOCKPATH.'/polw.sock')
              Path and filename which the cache has to use for communication.

       $TCP_PORT (default: 12525)
              TCP port on which the policy server listens (daemon mode)

       $BIND_ADDRESS (default: '127.0.0.1')
              IP address on which policyd-weight binds. Currently only a single IP or all IPs are supported.
              Specify 'all' if you want to listen on all IPs.

       $SOMAXCONN (default: 1024)
              Maximum connections which policyd-weight accepts. This is set high enough to cover most scenarios.

       $USER (default: polw)
              Set the user under which policyd-weight runs

       $GROUP (default: $USER)
              Set the group under which policyd-weight runs

OUTPUT AND LOG SETTINGS

       $ADD_X_HEADER (default: 1)
              Insert an X-policyd-weight: header with evaluation messages.
              1 = on, 0 = off

       $LOG_BAD_RBL_ONLY (default: 1)
              Insert only RBL results in logging strings if the RBL score changes the overall score.  Thus  RBLs
              with a GOOD SCORE of 0 don't appear in logging strings if the RBL returned no BAD hit.
              1 = on, 0 = off

       $MAXDNSBLMSG (default: 550 Your MTA is listed in too many DNSBLs)
              The message sent to the client if it was rejected due to $MAXDNSBLHITS and/or $MAXDNSBLSCORE.

       $REJECTMSG  (default:  550  Mail appeared to be SPAM or forged. Ask your Mail/DNS-Adminisrator to correct
       HELO and DNS MX settings or to get removed from DNSBLs)

              Set the SMTP status code for rejected mails and a message explaining why the action was taken.

RESOURCE AND OPTIMIZATIONS

       $CHILDIDLE (default: 120)
              How many seconds a child may be idle before it dies (daemon mode)

       $MAX_PROC (default: 50)
              Process limit on how many processes policyd-weight will spawn (daemon mode)

       $MIN_PROC (default: 2)
              Minimum child processes which are kept alive in idle times (daemon mode)

       $PUDP (default: 0)
              Set persistent UDP connections used for DNS queries on (1) or off (0).

SCORE SETTINGS

       Positive values indicate a bad (SPAM) score, negative values indicate a good (HAM) score.

       @bogus_mx_score (2.1, 0)
              If the sender domain has neither MX nor A records, or these records resolve to a bogus IP address
              (for instance private networks), then this check assigns the full score of bogus_mx_score. If there
              is no MX but an A record for the sender domain, then it receives a penalty only if it is DNSBL-listed.

              Log Entries:

              BOGUS_MX
               The sender A and MX records are bogus or empty.

              BAD_MX
               The sender domain has an empty or bogus MX record and the client is DNSBL listed.

              Related RFCs:

              [1918] Address Allocation for Private Internets
              [2821] Simple Mail Transfer Protocol (Sect 3.6 and Sect 5)

       @client_ip_eq_helo_score (1.5, -1.25)
              Define scores for the match of the reverse record (hostname) against the HELO argument. Reverse
              lookups are done if the forward lookups failed and are not trusted.

              Log Entries:

              REV_IP_EQ_HELO
               The  Client's  PTR  matched  the  HELO  argument.

              REV_IP_EQ_HELO_DOMAIN
               Domain portions  of Client PTR and HELO argument matched.

              RESOLVED_IP_IS_NOT_HELO
               Client  PTRs  found   but  did  not  match  HELO argument.

       @helo_score (1.5, -2)
              Define  scores  for the match of the Client IP and its /24 subnet against the A records of HELO or
              MAIL FROM domain/host. It also holds the bad score for MX verifications.

              Log Entries:

              CL_IP_EQ_HELO_NUMERIC
               Client IP matches the [IPv4] HELO.

              CL_IP_EQ_FROM_IP
               Client IP matches  the A record of the MAIL FROM sender domain/host.

              CL_IP_EQ_HELO_IP
               Client  IP  matches  the  A  record  of the HELO argument.

              CL_IP_NE_HELO
               The IP and  the /24  subnet did  not  match A/MX records  of  HELO  and MAIL FROM  arguments  and
               their subdomains.

       @helo_from_mx_eq_ip_score (1.5, -3.1)
              Define scores for the match of the Client IP against MX records. Positive (SPAM) values are used in
              case the MAIL FROM does not match the HELO argument AND the client seems to be dynamic AND the client
              is not an MX for the HELO and MAIL FROM arguments. The total DNSBL score is added to its bad score.

              Log Entries:

              CL_IP_EQ_FROM_MX
               Client IP  matches  the MAIL FROM domain/host MX record

              CL_IP_EQ_HELO_MX
               Client IP matches the HELO domain/host MX record

              CLIENT_NOT_MX/A_FROM_DOMAIN
               Client is not a verified  HELO and doesn't match A/MX records of MAIL FROM argument

              CLIENT/24_NOT_MX/A_FROM_DOMAIN
               Client's subnet does  not  match A/MX records of the MAIL FROM argument

       $dnsbl_checks_only (default: 0)
              Disable HELO/RHSBL verifications and the like. Do only RBL checks.
              1 = on, 0 = off

       @dnsbl_score (default: see below)
              A list of RBLs to be checked. If you want a host not to be evaluated any further when it is listed
              on several lists or on a very trustworthy list, you can trigger an immediate REJECT with
              $MAXDNSBLHITS and/or $MAXDNSBLSCORE. A list of RBLs must be built as follows:

              @dnsbl_score = (
                  RBLHOST1,   HIT SCORE,  MISS SCORE,     LOG NAME,
                  RBLHOST2,   HIT SCORE,  MISS SCORE,     LOG NAME,
                  ...
              );
              The default is:

              @dnsbl_score = (
                  "pbl.spamhaus.org",     3.25,   0,      "DYN_PBL_SPAMHAUS",
                  "sbl-xbl.spamhaus.org", 4.35,   -1.5,   "SBL_XBL_SPAMHAUS",
                  "bl.spamcop.net",       3.75,   -1.5,   "SPAMCOP",
                  "ix.dnsbl.manitu.net",  4.35,   0,      "IX_MANITU"
              );

       @rhsbl_score (default: see below)
              Define a list of RHSBL hosts which are queried for the sender domain. Hits additionally receive
              scores of 0.5 * the DNSBL result and @rhsbl_penalty_score. A list of RHSBL hosts to be queried must
              be built as follows:

              @rhsbl_score = (
                  RHSBLHOST1,  HIT SCORE,  MISS SCORE,     LOG NAME,
                  RHSBLHOST2,  HIT SCORE,  MISS SCORE,     LOG NAME,
                  ...
              );
              The default is:

              @rhsbl_score = (
                  "multi.surbl.org",      4,      0,      "SURBL"
              );

       @rhsbl_penalty_score (3.1, 0)
              This score will be added to each RHSBL hit if any of the following criteria is met:

                  Sender has a random local-part (i.e. yztrzgb@example.tld)

               or MX records of sender domain are bogus

               or FROM does not match HELO

               or HELO is untrusted (Forward record matched, reverse record
                  did not match)

       $MAXDNSBLHITS (default: 2)
              If  the  client  is  listed  in  more than $MAXDNSBLHITS RBLs it will be rejected immediately with
              $MAXDNSBLMSG and without further evaluation. Results are cached by default.

       $MAXDNSBLSCORE (default: 8)
              If the BAD SCOREs of @dnsbl_score listed RBLs reach a level greater than $MAXDNSBLSCORE the client
              will  be rejected immediately with $MAXDNSBLMSG and without further evaluation. Results are cached
              by default.

       $REJECTLEVEL (default: 1)
              Score results equal to or greater than this level will be rejected with $REJECTMSG
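       As an added worked example (not part of this man page and not policyd-weight's own code), the following
       Python models the DNSBL and RHSBL rules above with the page's default values and constructed lookup
       results. How the 0.5 * DNSBL result is folded into an RHSBL hit is this example's reading of the text,
       not a documented formula.

```python
"""Added illustration, not policyd-weight's own code: models the documented
DNSBL/RHSBL decision rules with the page's default values.  Scores follow
the page's convention: positive = SPAM, negative = HAM."""

# Defaults from the page: (host, HIT SCORE, MISS SCORE, LOG NAME)
DNSBL_SCORE = [
    ("pbl.spamhaus.org",     3.25,  0.0, "DYN_PBL_SPAMHAUS"),
    ("sbl-xbl.spamhaus.org", 4.35, -1.5, "SBL_XBL_SPAMHAUS"),
    ("bl.spamcop.net",       3.75, -1.5, "SPAMCOP"),
    ("ix.dnsbl.manitu.net",  4.35,  0.0, "IX_MANITU"),
]
RHSBL_SCORE = [("multi.surbl.org", 4.0, 0.0, "SURBL")]
RHSBL_PENALTY_SCORE = 3.1          # bad value of @rhsbl_penalty_score
MAXDNSBLHITS, MAXDNSBLSCORE, REJECTLEVEL = 2, 8, 1
MAXDNSBLMSG = "550 Your MTA is listed in too many DNSBLs"
REJECTMSG = ("550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Adminisrator "
             "to correct HELO and DNS MX settings or to get removed from DNSBLs")


def evaluate(client_listed, sender_listed, penalty_criteria_met=False):
    """client_listed: set of DNSBL hosts that list the client IP (constructed input);
    sender_listed: set of RHSBL hosts that list the sender domain;
    penalty_criteria_met: True if one of the @rhsbl_penalty_score criteria holds.
    Returns (action, message, score, log)."""
    score, bad, hits, log = 0.0, 0.0, 0, []
    for host, hit, miss, name in DNSBL_SCORE:
        if host in client_listed:
            hits, bad, score = hits + 1, bad + hit, score + hit
            log.append(f"{name}={hit}")
        else:
            score += miss
            if miss:  # $LOG_BAD_RBL_ONLY=1: a MISS score of 0 is left out of the log
                log.append(f"{name}={miss}")
    # $MAXDNSBLHITS / $MAXDNSBLSCORE: immediate reject, no further evaluation
    if hits > MAXDNSBLHITS or bad > MAXDNSBLSCORE:
        return "REJECT", MAXDNSBLMSG, score, log
    # RHSBL hit = HIT SCORE + 0.5 * DNSBL total + penalty (assumed reading of the page)
    dnsbl_total = score
    for host, hit, miss, name in RHSBL_SCORE:
        if host in sender_listed:
            extra = hit + 0.5 * dnsbl_total
            extra += RHSBL_PENALTY_SCORE if penalty_criteria_met else 0.0
            score += extra
            log.append(f"{name}={extra:.2f}")
        else:
            score += miss
    if score >= REJECTLEVEL:          # $REJECTLEVEL: reject with $REJECTMSG
        return "REJECT", REJECTMSG, score, log
    # $ADD_X_HEADER=1: accepted mail gets an X-policyd-weight: header prepended
    return "PREPEND", "X-policyd-weight: " + " ".join(log), score, log
```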

SEE ALSO

       policyd-weight(8), Policyd-weight daemon
       perl(1), Practical Extraction and Report Language
       perlsyn(1), Perl syntax
       access(5), Postfix SMTP access control table

LICENSE

       GNU General Public License

AUTHOR

       Robert Felber <r.felber@ek-muc.de>
       Autohaus Erich Kuttendreier
       81827 Munich, Germany

                                                 Aug 25th, 2006                           policyd-weight.conf(5)