Ubuntu Manpage: asmtpd.conf - Avenger SMTP Daemon configuration file

name
description
files
see also
author

Provided by: mailavenger_0.8.4-4.1_amd64

NAME

       asmtpd.conf - Avenger SMTP Daemon configuration file

DESCRIPTION

asmtpd.conf is the configuration file for asmtpd(8), the Mail Avenger mail server. The file contains a
series of directives, where each directive takes zero or more arguments. Blank lines and lines beginning
with "#" (for comments) are ignored. If a line ends with the "\" character, the "\" is ignored and the
following line is appended. In this way you can break a long list of argument over multiple
"continuation" lines.

Arguments are separated by spaces. However, you can include space in an argument by surrounding the
argument with double-quote (""") characters. A backslash ("\") followed by any other character is
interpreted as that character. Thus, a literal """ or "\" character can be included as "\"" or "\\", and
an alternative to putting double quotes around an argument with spaces is simply to put a "\" before each
space.

If you change asmtpd.conf while asmtpd is running, you must send it a SIGHUP signal for it to read the
new changes. (Note, however, that asmtpd will re-read the AliasFile, DomainFile, or SPFHostsFile
automatically if you change these.)

The rest of this man page details the various directives. Directives are case-insensitive. Depending on
the directive, the arguments may or may not be case sensitive.

GENERAL CONFIGURATION DIRECTIVES
Separator Character
This is the only option that probably needs to be set at all sites. Character is a single character
that separates usernames from the rest of the local part of an email address. For example, with
sendmail, mail for <name+extra@host.domain> is usually delivered to user name. Thus, a "+" should be
specified for Character. With qmail, it is <name-extra@host.domain> that belongs to user name
(though routing is handled differently). Thus, qmail users will want to specify "-". The default is
not to have a separator. This is probably wrong for most sites, but is a lot less bad than selecting
the wrong character!

Hostname name
"Hostname" specifies the hostname that asmtpd should use in the SMTP protocol. Ordinarily, this name
should map to the IP address of your server (or one of the IP addresses of your server). The default
is to use the local hostname (as returned by the "gethostname" system call), with the default DNS
domain name appended if your hostname does not include any "." characters.

LogPriority priority
This directive sets the priority with which diagnostic messages are sent to the system log. The
default value is "mail.info".

LogTag tag
This directive sets the tag for syslog messages generated by asmtpd. The default tag is empty. Note
that by default most messages except those created by Debug options already contain "asmtpd:".

EtcDir directory
Sets the directory in which asmtpd will search for various configuration files, including aliases,
domains, and spfhosts (see below), as well as four special rule files run under the AvengerUser UID:
default, unknown, secondary, and relay.

The file unknown consists of avenger rules that get run for any local user that does not exist in the
password file, or that exists but has a UID of 0 (root), or that exists but has an invalid shell (not
listed in /etc/shells). These rules are not run for normal users, even if those users do not have a
.avenger directory.

The default file consists of rules that are run after the rules in unknown or after the rules in a
user's .avenger directory, so long as these rules did not immediately reject, defer, accept,
redirect, or bodytest the mail. If a user does not have a .avenger directory, the rules in default
are always run.

The secondary ruleset contains rules that are run if MxLocalRcpt has been set to 1, mail is received
for user@hostname, and the mail server is an MX record for hostname, but not the highest priority MX
record. If the ruleset does not exist or simply exits, the default is to spool the mail.

The relay ruleset consists of rules that are run when mail is received for user@hostname where
hostname is not in the domains file (and, if MxLocalRcpt is 1, the server is not an MX record for
hostname). In such circumstances, if the sender address is local, asmtpd will first attempt to
execute an appropriate "mail" (as opposed to the usual "rcpt") ruleset in the user's .avenger
directory. If that ruleset does not exist or simply exits, or hostname is not local, then asmtpd
runs relay. If the rules in relay simply exit or the file does not exist, the default is to reject
the mail.

The default value of EtcDir is /etc/avenger.

NETWORK CONFIGURATION PARAMETERS
BindAddr IP-address [port-no]
"BindAddr" specifies the IP address on which the server should listen. The default is 0.0.0.0
(INADDR_ANY), meaning to accept incoming connections on any IP address. By default the server uses
TCP port 25, but port-no can be also specified to chose a different port number.

MaxClients val
Specifies the maximum number of concurrent TCP connections from clients that asmtpd should allow.
The default value is 60.

MaxConPerIP val
Specifies the maximum number of incoming TCP connections asmtpd should accept from a single IP
address. The default value is 10.

SMTPFilter prog
Specifies the name of a program asmtpd can invoke to enable packet filtering of incoming SYN packets
from a particular IP address for the SMTP port (25 by default). Note that this program should filter
only TCP packets to the SMTP port that have the TCP SYN flag set and the ACK flag cleared. It is
very important that this rule not interfere with previously established TCP connections, since asmtpd
uses this to block new connections when the per-IP-address limit has been reached.

The program will be run three different ways:

prog clear
prog add IP-addr
prog del IP-addr

The clear command should cause all previously filtered IP addresses to be re-enabled. The add
command says to add the particular IP address to the list of filtered addresses. del says to remove
an IP address from the list of addresses.

Since the details of how to filter IP packets depend entirely on the particular operating system and
firewall software being run, this task is best handled by a shell script written by the system
administrator. An example script for use with OpenBSD's pf packet filter can be found in
/usr/local/share/avenger/smtp-filter.pf. An example for use with Linux's iptables firewall can be
found in /usr/local/share/avenger/smtp-filter.iptables.

MaxMsgsPerIP msgs-per-hour [msgs-max]
Specifies the maximum rate at which asmtpd will allow successful SMTP RCPT commands from a particular
IP address. After this limit is reached, further RCPT commands will be rejected with a temporary
SMTP error code saying too much load. msgs-per-hour is the number of RCPT commands per hour. msgs-
max is the hard limit after which further RCPTs are refused. msgs-max, if not specified, defaults to
the same value as msgs-per-hour. However, it can be set to a greater value to accept bursts of
traffic.

MaxErrorsPerIP msgs-per-hour [msgs-max]
Similar to MaxMsgsPerIP, except this parameter specifies the maximum rate at which clients from a
particular IP address can issue SMTP commands that return errors. If a client is issuing too many
commands that cause errors (as can often happen with spambots that don't check the results of
commands, or that relay spam through HTTP proxies), asmtpd will temporarily filter new connections
from that client if SMTPFilter has been specified. Otherwise, it will immediately shutdown any
incoming new TCP connections from the client with a temporary SMTP error code.

MaxMsgsPerUser msgs-per-hour [msgs-max]
Specifies the maximum rate at which asmtpd will allow successful SMTP RCPT commands from a particular
authenticated user. The name used for the check is either the username from SASL authentication, or
the common name of the client certificate with SSL authentication. With this feature, you can
prevent people who have legitimate relay privileges from sending bulk mail, as might happen if a
spammer somehow stole a SASL password.

MaxRcpts val
Specifies the maximum number of recipients on a single message. Once this number is reached, asmtpd
rejects further recipients with a temporary SMTP error code, causing the sender to send a separate
copy of the message to the remaining recipients. The default value is 5. (Note that this limit does
not apply to trusted clients.)

MaxRelayRcpts val
If val is greater than the number of recipients specified for MaxRcpts, then this specifies a higher
limit on the number of recipients when recipients are accepted by the relay script.

MaxMsgSize bytes
The largest mail message asmtpd should accept. The default value is 104,857,600 (100 MBytes).

SMTPTimeout seconds
Determines how long asmtpd will keep an open connection from a client while awaiting an SMTP command.

DataTimeout seconds
Determines how long asmtpd will keep an idle connection from a client open while waiting for mail
message contents (after the SMTP DATA command). It is advisable to set a reasonable DataTimeout even
if SMTPTimeout is short, so as not to force a client behind an unreliable network connection to keep
having to start over.

SMTPCB [0|1|2]
If set to 2 (the default), asmtpd will attempt to verify the sender address of mail messages by going
through the initial steps of sending back a bounce message, a technique known as an "SMTP callback."
If the mail cannot get through, the SENDER_BOUNCERES environment variable will contain an SMTP error
code, and MAIL_ERROR will be set to reject the mail by default. The next several parameters
(ClientTimeout, VrfyDelay, VrfyCacheTime, and MaxRevClients) control the behavior of SMTP callbacks.

If SMTPCB is set to 0, SMTP callbacks are entirely disabled. If it is set to 1, then asmtpd still
performs callbacks and sets the SENDER_BOUNCERES environment variable, but does not set MAIL_ERROR or
reject mail by default if the callback fails.

ClientTimeout seconds
Specifies the SMTP timeout for asmtpd when it acts as an SMTP client, probing remote servers to check
the validity of the sender address on incoming mail messages. The default value is 300.

VrfyDelay seconds
When probing a remote SMTP server to validate an email address, asmtpd will keep the TCP connection
open at least this long (after sending an HELO/EHLO command) before probing the address. The idea is
to make bulk mailing harder by preventing remote servers from validating more than a few thousand (or
a few tens of thousands of) email addresses per second. The default value for seconds is 2.

VrfyCacheTime seconds
If asmtpd probes a remote server and discovers that it cannot send bounce messages to an address, it
caches the result for this amount of time. If someone is mailbombing an asmtpd server from a forged
address, this option prevents asmtpd from initiating too many connections to the forgery victim's
mail server. (Of course, if the victim publishes an SPF record, asmtpd will never contact the server
and this is not an issue.) The default vaule for seconds is 300.

MaxRevClients val
The number of idle reverse SMTP connections (to remote SMTP servers) to cache when not in use. These
connections are used to validate sending addresses of received mail. This number is approximate.

IdentTimeout seconds
The number of seconds to wait for the client to respond to an RFC1413 ident lookup. The default is
15.

SynFp [0|1]
If set to 0, disables the collection of SYN fingerprint information, which asmtpd ordinarily includes
in headers of mail messages and in the CLIENT_SYNFP environment variable of avenger processes. The
default value is 1.

SynFpWait msec
Sets the number of milliseconds after accepting a TCP connection that asmtpd should wait to receive
the full SYN packet from the packet filter (bpf) device. If the time is exceeded, no SYN fingerprint
will be recorded for the connection. The default value is 500.

SynFpBuf count
Sets the maximum number of SYN fingerprints to keep around while waiting for the corresponding
connections. The default value is 100.

SynOsMTU size
Sets an additional size to try for the network's maximum transmission unit (MTU) when guessing the
client operating system. If size is set to 0, asmtpd will only try the value in the TCP MSS option +
40 bytes. (Otherwise, when size is non-zero, asmtpd tries both MSS + 40 and size.) The default for
size is 1500.

NetPath [0|1]
If set to 0, disables the collection of IP "traceroute" information, which is normally included in
the headers of mail messages and in the CLIENT_NETPATH environment variable of avenger processes.
The default value is 1.

MAIL PROCESSING DIRECTIVES
TrustedNet IP-addr/len
If the first len bits of a client's IP address match IP-addr, the client will be considered trusted.
Trusted clients can relay mail through asmtpd to arbitrary addresses, and do not undergo any checks
or processing by any avenger scripts. This option can be given multiple times to list multiple
networks.

TrustedDomain domain
If a client's verified DNS name is domain or ends .domain, the client will be considered trusted, and
as described above will be allowed to relay mail unchecked. This option can be given multiple times
to list multiple domains.

SASL [0|1|2]
This option only exists if asmtpd has been compiled with SASL support (via the --enable-sasl option
to "configure"). If set to 0 (the default), the AUTH SMTP verb is disabled, and asmtpd performs no
SASL authentication. If set to 1, asmtpd performs SASL authentication when requested by clients, but
does not inherently trust SASL-authenticated users. You must check the AUTH_USER environment
variable in the system-wide relay script and explicitly permit users to relay mail.

If SASL is set to 2, then clients that have authenticated via SASL can relay mail just like
TrustedNet and TrustedDomain machines--no further scripts are run. However, the authenticated user
name is still recorded in the Received: header to track abuse, and MaxMsgsPerUser is still enforced
to prevent bulk mailing. 2 is a reasonable value for ordinary usage, since users without permission
to relay mail have no reason to be listed in the SASL database file.

For more information on SASL, see the SASL home page at <http://asg.web.cmu.edu/sasl/>.

InsecureSASL [0|1]
When set to 0, which is the default, plaintext SASL authentication is disabled unless the connection
is encrypted with SSL. If set to 1, plaintext authentication is allowed even over unencrypted
connections, which is insecure.

MxLocalRcpt [0|1]
If set to 1, asmtpd will accept mail for user@host even if host does not appear in DomainFile, as
long as the local server's IP address corresponds to one of the DNS MX records for host. Decisions
about accepting mail will be made by the policies in the file secondary in EtcDir.

AvengerUser username
Specifies the user in the password file whose identity asmtpd should assume when running system-wide
default rules, as well as the mail injection program specified by Sendmail. The default value is
"avenger". Note that for efficiency, asmtpd will cache the user and group IDs of this user. If for
instance, you change the AvengerUser's group membership, you will have to send asmtpd a SIGHUP signal
(or restart it).

Sendmail program [arg ...]
Specifies the program to run to inject new mail messages into the system. The default value is:

sendmail -oi -os -oee

Whatever arguments you give, asmtpd will additionally supply the sender and recipient(s) by appending
the following options:

-f sender -- recipient-1 [recipient-2 ...]

The -oee flag tells sendmail always to exit cleanly even if it generated a bounce message. Without
it, sometimes sendmail generates a bounce for a message and exits with an error code, which would
cause asmtpd to generate an error despite the fact that the message has already been bounced. This
results in multiple bounces for the same message.

Note that some sendmail replacements (including Exim) do not support the -oee flag. However, these
systems typically behave correctly even without the -oee flag, meaning their sendmail programs exit
cleanly if and only if the sender no longer needs to worry about the message. If your sendmail
executable rejects the argument -oee, try using -oem instead.

EmptySender sender
In some old versions of sendmail, running

sendmail -f ''

(where '' is a zero-length argument) does not produce an empty envelope sender, as should happen for
bounces. EmptySender lets you specify an alternate sender to use for the empty envelope sender. Try
using the single-character string "@"--that seems to produce the desired envelope sender (which turns
into MAILER-DAEMON) with both old and new versions of sendmail, though it is not necessarily
compatible with other MTAs.

SendmailPriv [0|1]
By default, asmtpd drops privilege to run Sendmail as AvengerUser. If, however, you specify
SendmailPriv 1, asmtpd will instead run Sendmail as root. One possible use of this, for users of the
sendmail MTA, is to invoke sendmail with the -Am flag, which requires root privileges but bypasses an
extra level of queuing. (Note that with newer versions of sendmail, if you do not run sendmail as a
daemon on address 127.0.0.1, you will have to configure asmtpd to use the -Am flag.)

SendmailFromLine [0|1]
If you set this value to 1, the message fed to the Sendmail program will start with a UNIX mailbox
style "From " line (which is not actually part of the message header). The default value is 0.

AliasFile path
Specifies the path of the user-mapping file, which by default is the file aliases in the directory
specified by EtcDir. Each line of this file is of the form:

prefix: replacement

Before deciding which user's rules to process for a particular mail message, the local part of the
email address is transformed based on the aliases file. An address of prefix is replaced by the
replacement. In addition, if the Separator character has been defined, then if an address begins
with prefix followed immediately by the separator character, replacement is also substituted. If the
alias file contains multiple matching prefixes, the longest one is chosen. Alias substitution
continues recursively unless a loop is detected or the recursion reaches a depth of 20.

Note: It is important to emphasize that the aliases mechanism only governs which user checks the
validity of a particular piece of mail. It does not affect where the mail is eventually delivered,
should the resulting rules accept the mail.

DomainFile path
Specifies the path of the domain-mapping file, which by default is the file domains in the directory
specified by EtcDir. This file allows one to map responsibility for all users in a domain onto a
particular local user. Each line of the file must have one of the following forms:

domain:
domain: user
domain: userSEPARATOR

In the first case, when receiving mail for local@domain, the local part local is simply taken as is
and treated as a local username (with the first separator character and anything following removed).
In the second case, the mail is checked by user instead. In the third case, SEPARATOR is the
separator character, which must have been declared with a Separator directive. Here, user and the
separator character are pre-pended to local. For instance, if SEPARATOR is -, the mail would be
checked by user-local. In all cases, the result of the mapping is subject to alias substitution as
described for AliasFile.

Note: As with AliasFile, the domain mechanism only governs which user checks the validity of a
particular piece of mail. It does not affect where the mail is eventually delivered, should the
resulting rules accept the mail.

Env var[=value]
Specifies an environment variable to supply when running avenger. Ordinarily, avenger is run with a
clean environment, with only a few variables such as PATH passed through. If the Env directive
specifies a value, the environment variable will be be set to this value. If =value is omitted,
asmtpd will pass through the value of the environment variable it inherits, or leave the variable
unset if it is not set in the environment in which asmtpd is run.

AvengerMaxPerUser val
Specifies how many concurrent avenger processes to launch for a particular user. If a particular
user already has this many avenger processes running, and another SMTP client issues an RCPT command
that resolves to the same local user (or another local user with the same numeric UID), then asmtpd
will wait for one of the existing avenger processes to exit before launching a new avenger to
evaluate the new RCPT command. The default for val is 5. This limit does not apply to the system-
wide unknown, default, and relay files processed under the AvengerUser UID. (Note that bodytests run
for a particular user are also included in that user's count of avenger processes.)

AvengerTimeout seconds
Specifies a timeout value after which asmtpd will attempt to kill an avenger process, in case the
process has somehow gotten stuck. asmtpd does this, before launching avenger, by setting an alarm
for the process. The default for seconds is 600.

NoCheck user[<@>host]
Specifies that asmtpd's internal checks for email validity should be bypassed for email to a
particular email address. If host is not specified, then this applies to user at any acceptable
local host (asmtpd still will not allow relaying, of course). It is a good idea to enable this for
usernames specified in RFC 2142, such as postmaster and abuse.

RBL [-i] [-p] [-f] -s score domain
Checks real-time blackhole list domain. If -i is present, looks up the client's IP address reversed
(i.e., for client 1.2.3.4, this will match when DNS name 4.3.2.1.domain exists). If -p is present,
the name of the client (as specified by a verified PTR DNS record) will be looked up. If -f is
present, the hostname from the envelope sender (the address in the SMTP MAIL) command will be looked
up (i.e., mail from user@host matches if host.domain exists). If none of -i, -p, or -f is specified,
-i is assumed by default.

score is an integer (which can be negative). The scores of all matching RBLs are added together, and
a message is rejected if the total is greater than or equal to 100.

UserMail [0|1]
If set to 0, asmtpd will not chack mail* files in users' .avenger directories, but will always use
the system-wide relay file (and secondary file) to decide whether to relay mail. The default value
is 0.

UserRcpt [0|1]
If set to 0, asmtpd will not chack rcpt* files in users' .avenger directories, but will always use
the system-wide default file. The default value is 1.

AllowPercent [0|1]
If set to 0 (the default), asmtpd will reject any email whose local part contains a "%" character.
This is because many MTAs will relay mail for users of the form user%host1@host2 to user@host1.
While of course it is possible to reject such messages with the /etc/avenger/unknown file, it is easy
to forget to do so. Failing to do so can get your site listed in various spam source lists, which
will have some serious consequences. For that reason, AllowPercent is 0 by default. Set it to 1 if
you really do want mail for users with "%" characters.

AllowDNSFail [0|1|2]
Upon accepting a connection from a client, asmtpd attempts to resolve the client's IP address to a
hostname. If a temporary DNS error occurs and AllowDNSFail is set to 0 (the default), asmtpd will
reject the connection immediately. If AllowDNSFail is set to 1, however, then asmtpd will accept the
connection and continue. However, in this case that the CLIENT_DNSFAIL environment variable will be
set to an error message, and mail will still be rejected by default unless an rcpt script explicitly
calls accept. If AllowDNSFail is set to 2, then CLIENT_DNSFAIL will still be set, but by default
mail will be accepted unless explicitly rejected.

Note that this option has no effect on IP addresses that don't resolve to a domain name (e.g., where
a lookup of the in-addr.arpa domain returns an empty result or the NXDOMAIN error).

SSL CONFIGURATION PARAMETERS
SSL [0|1|2]
This and the following options are supported if Mail Avenger has been compiled with support for the
STARTTLS command (using the --enable-ssl option to "configure"). If SSL is set to 0, then the
STARTTLS command will be disabled.

If SSL is set to 1 (the default), then STARTTLS will be enabled profiled the private key and
certificate files can be found. (Since these files will not exist by default, STARTTLS is still
disabled by default.) Relaying based on client certificates can be enabled by checking the
SSL_ISSUER and SSL_SUBJECT environment variables in the relay script.

If SSL is set to 2, then authentication with any valid client certificate will allow mail relaying
with no further checks. This value makes sense only if your organization runs a private certificate
authority and you only place your local CA key in the SSLCAcert file, as otherwise you will have no
control over who can relay mail through your machine.

SSLCAcert path
SSLCAcert specifies the certificate authorities allowed to sign client certificates. path must be a
file containing one or more trusted CA certificates in PEM format. If <path> is not an absolute path
name, asmtpd will look for the file in EtcDir. The default path is cacert.pem.

SSLCRL path
If SSL is in use, path specifies a PEM-format certificate revocation list. The default value is
crl.pem.

SSLkey path
If SSL is in use, path specifies a PEM-format file containing the server's private key. If the file
is not present, the STARTTLS command will be disabled. The default path is privkey.pem.

SSLcert path
If SSL is in use, path specifies a PEM-format file containing a certificate for the public key
corresponding to private key SSLkey. If the file is not present, the STARTTLS command will be
disabled. The default path is cert.pem.

SSLciphers string
string specifies the preference for ciphers with SSL. For example, to allow all ciphers except
anonymous Diffie-Hellman, low key sizes, exportable ciphers, and MD%-based MAC, and to sort ciphers
by strength, you might use the following string>:

ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

By default, asmtpd just uses the OpenSSL library's default cipher preferences.

SPF CONFIGURATION PARAMETERS
SPFfail [SPF-rule ...]
SPF (Sender Policy Framework) is a mechanism to prevent forgery of email sender addresses. (More
information is available at <http://www.openspf.org/> and in the forthcoming RFC 4408.) asmtpd
always runs SPF checks on incoming email. An SPF check returns one of seven possible results: none,
neutral, pass, fail, softfail, error, or unknown. asmtpd will reject mail if the result is fail (and
defer mail if the result is error).

The SPFfail directive provides a second chance to mail that would otherwise resolve to fail. If SPF
rules are provided with this directive, and the SPF check on a message resolves to fail, then asmtpd
will re-evaluate the message with the rules from the SPFfail directive. If the SPFfail rules
evaluate to none, neutral, or unknown, then the original fail result will remain. Otherwise, the
result of the SPFfail rules overrides the fail result.

This directive can be used to work-around the problem of sites, such as evite.com, that forge email,
but do not actually send spam. trusted-forwarder.org maintains a white-list of such sites, and it is
highly recommended that you use this whitelist until SPF is more widely deployed. To do so, you can
use the configuration line:

SPFfail include:spf.trusted-forwarder.org

SPFnone [SPF-rule ...]
This directive is similar to SPFfail, but supplies additional SPF rules to be run in the event that
the SPF result for a message resolves to none--meaning that the domain from which the mail comes does
not publish an SPF record. One possible use might be the following:

SPFnone a/24 mx/24 ptr

This rule says that if the sending domain does not publish an SPF record, consider its result to be
pass nonetheless as long as the sending host shares a 24-bit IP prefix with the address of the
domain, or the address of any of the mail exchangers (DNS MX records) for the domain, or if the
domain name of the sending machine has the sender domain name as a suffix.

SPFlocal [SPF-rule ...]
Unlike the previous two rules, which provide hooks to run after an SPF result has been determined,
SPFlocal supplies SPF rules to be run before even attempting SPF rules for the domain. If the local
rules return pass, fail, softfail, or error, this reult becomes the SPF result for the message.
Otherwise, asmtpd evaluates the appropriate rules for the domain as usual.

An example use might be to reject mail from a real-time black hole list (RBL), such as spamcop:

SPFlocal -exists:%{ir}.bl.spamcop.net

SPFexp [explanation ...]
Provides a default explanation for an SPF failure, if the sender domain does not have one. The
default is:

SPFexp See http://www.openspf.org/why.html?sender=%{S}&ip=%{I}

SPFHostsFile path
This specifies the pathname of a file that contains "fallback" SPF records for domains that fail to
supply SPF records themselves. This file effectively achieves the same result as SPFNone, but on a
per-hostname basis. The default path is spfhosts in the directory specified by EtcDir (or
/etc/avenger by default). Each line of the file has the form:

domain: SPF-rules

domain is the domain name for which the SPF-rules apply. If domain starts with a ".", then the rule
matches all host names with domain as a suffix. In other words, ".yahoo.com" matches
"mail.yahoo.com", "mx.yahoo.com", but not "yahoo.com". Note that if a domain publishes an SPF record
through DNS, the record in DNS overrides the record specified in this file.

As an example, suppose Microsoft does not publish an SPF record in DNS, but you happen to know that
all mail from users at "microsoft.com" comes from machines whose reverse DNS mapping ends either
"microsoft.com" or "msft.com", or else whose IP addresses share a 16-bit prefix with one of the mail
exchangers for "microsoft.com". You might place the following line in your spfhosts file:

microsoft.com: ptr ptr:msft.com mx/16 ~all

Here "~all" resorts to softfail when the sender does not match, which tags the message but does not
reject it. Use "-all" to reject the mail outright. Note that if Microsoft ever starts publishing an
SPF record in DNS, it will override the above line.

DEBUG PARAMETERS
DebugSMTP [0|1]
When set to 1, causes asmtpd to log a complete trace of all SMTP traffic to and from connecting
clients. Produces a large amount of data, but can be useful for debugging. Each trace line list the
name of the connecting client and asmtpd's file descriptor number in parentheses.

DebugSMTPc [0|1]
When receiving mail, asmtpd connects to remote mail servers to ensure the envelope sender addresses
of incoming messages are valid email addresses, and in particular that they can receive bounces.
When DebugSMTPc is set to 1, all outgoing SMTP connection traffic from SMTPc is logged. The output
format is similar to DebugSMTP, but file descriptor numbers are prefixed with "R" to indicate this is
a reverse connection.

DebugAvenger [0|1]
Prints a trace of input and output to all avenger processes run. The name also has a file descriptor
number prefixed with "a" for avenger.

FILES

       /etc/avenger/asmtpd.conf
           default location of file

       /etc/avenger
           default for EtcDir, location of other configuration files

       aliases, domains, spfhosts
           see the descriptions of AliasFile, DomainFile, and SPFHostsFile above

       unknown, default, secondary, relay
           avenger rules to be run by the AvengerUser under different circumstances; see the description of
           EtcDir above, and the manual page for avenger(1)

       /var/run/asmtpd.pid
           File containing the process ID of a running asmtpd process.  You must send this process a SIGHUP
           signal for it to re-read the asmtpd.conf file.

       /usr/local/share/avenger/asmtpd.conf
       /usr/local/share/avenger/unknown
           Example configuration files.

       /usr/local/share/avenger/smtp-filter.pf
       /usr/local/share/avenger/smtp-filter.iptables
           Example scripts for the SMTPFilter directive.

AUTHOR

       David Mazieres

NAME

DESCRIPTION

FILES

SEE ALSO

AUTHOR