Provided by: mailavenger_0.8.4-4_amd64 bug


       asmtpd.conf - Avenger SMTP Daemon configuration file


       asmtpd.conf is the configuration file for asmtpd(8), the Mail Avenger mail server.  The
       file contains a series of directives, where each directive takes zero or more arguments.
       Blank lines and lines beginning with "#" (for comments) are ignored.  If a line ends with
       the "\" character, the "\" is ignored and the following line is appended.  In this way you
       can break a long list of argument over multiple "continuation" lines.

       Arguments are separated by spaces.  However, you can include space in an argument by
       surrounding the argument with double-quote (""") characters.  A backslash ("\") followed
       by any other character is interpreted as that character.  Thus, a literal """ or "\"
       character can be included as "\"" or "\\", and an alternative to putting double quotes
       around an argument with spaces is simply to put a "\" before each space.

       If you change asmtpd.conf while asmtpd is running, you must send it a SIGHUP signal for it
       to read the new changes.  (Note, however, that asmtpd will re-read the AliasFile,
       DomainFile, or SPFHostsFile automatically if you change these.)

       The rest of this man page details the various directives.  Directives are case-
       insensitive.  Depending on the directive, the arguments may or may not be case sensitive.

       Separator Character
           This is the only option that probably needs to be set at all sites.  Character is a
           single character that separates usernames from the rest of the local part of an email
           address.  For example, with sendmail, mail for <name+extra@host.domain> is usually
           delivered to user name.  Thus, a "+" should be specified for Character.  With qmail,
           it is <name-extra@host.domain> that belongs to user name (though routing is handled
           differently).  Thus, qmail users will want to specify "-".  The default is not to have
           a separator.  This is probably wrong for most sites, but is a lot less bad than
           selecting the wrong character!

       Hostname name
           "Hostname" specifies the hostname that asmtpd should use in the SMTP protocol.
           Ordinarily, this name should map to the IP address of your server (or one of the IP
           addresses of your server).  The default is to use the local hostname (as returned by
           the "gethostname" system call), with the default DNS domain name appended if your
           hostname does not include any "." characters.

       LogPriority priority
           This directive sets the priority with which diagnostic messages are sent to the system
           log.  The default value is "".

       LogTag tag
           This directive sets the tag for syslog messages generated by asmtpd.  The default tag
           is empty.  Note that by default most messages except those created by Debug options
           already contain "asmtpd:".

       EtcDir directory
           Sets the directory in which asmtpd will search for various configuration files,
           including aliases, domains, and spfhosts (see below), as well as four special rule
           files run under the AvengerUser UID:  default, unknown, secondary, and relay.

           The file unknown consists of avenger rules that get run for any local user that does
           not exist in the password file, or that exists but has a UID of 0 (root), or that
           exists but has an invalid shell (not listed in /etc/shells).  These rules are not run
           for normal users, even if those users do not have a .avenger directory.

           The default file consists of rules that are run after the rules in unknown or after
           the rules in a user's .avenger directory, so long as these rules did not immediately
           reject, defer, accept, redirect, or bodytest the mail.  If a user does not have a
           .avenger directory, the rules in default are always run.

           The secondary ruleset contains rules that are run if MxLocalRcpt has been set to 1,
           mail is received for user@hostname, and the mail server is an MX record for hostname,
           but not the highest priority MX record.  If the ruleset does not exist or simply
           exits, the default is to spool the mail.

           The relay ruleset consists of rules that are run when mail is received for
           user@hostname where hostname is not in the domains file (and, if MxLocalRcpt is 1, the
           server is not an MX record for hostname).  In such circumstances, if the sender
           address is local, asmtpd will first attempt to execute an appropriate "mail" (as
           opposed to the usual "rcpt") ruleset in the user's .avenger directory.  If that
           ruleset does not exist or simply exits, or hostname is not local, then asmtpd runs
           relay.  If the rules in relay simply exit or the file does not exist, the default is
           to reject the mail.

           The default value of EtcDir is /etc/avenger.

       BindAddr IP-address [port-no]
           "BindAddr" specifies the IP address on which the server should listen.  The default is
  (INADDR_ANY), meaning to accept incoming connections on any IP address.  By
           default the server uses TCP port 25, but port-no can be also specified to chose a
           different port number.

       MaxClients val
           Specifies the maximum number of concurrent TCP connections from clients that asmtpd
           should allow.  The default value is 60.

       MaxConPerIP val
           Specifies the maximum number of incoming TCP connections asmtpd should accept from a
           single IP address.  The default value is 10.

       SMTPFilter prog
           Specifies the name of a program asmtpd can invoke to enable packet filtering of
           incoming SYN packets from a particular IP address for the SMTP port (25 by default).
           Note that this program should filter only TCP packets to the SMTP port that have the
           TCP SYN flag set and the ACK flag cleared.  It is very important that this rule not
           interfere with previously established TCP connections, since asmtpd uses this to block
           new connections when the per-IP-address limit has been reached.

           The program will be run three different ways:

           prog clear
           prog add IP-addr
           prog del IP-addr

           The clear command should cause all previously filtered IP addresses to be re-enabled.
           The add command says to add the particular IP address to the list of filtered
           addresses.  del says to remove an IP address from the list of addresses.

           Since the details of how to filter IP packets depend entirely on the particular
           operating system and firewall software being run, this task is best handled by a shell
           script written by the system administrator.  An example script for use with OpenBSD's
           pf packet filter can be found in /usr/local/share/avenger/  An example
           for use with Linux's iptables firewall can be found in

       MaxMsgsPerIP msgs-per-hour [msgs-max]
           Specifies the maximum rate at which asmtpd will allow successful SMTP RCPT commands
           from a particular IP address.  After this limit is reached, further RCPT commands will
           be rejected with a temporary SMTP error code saying too much load.  msgs-per-hour is
           the number of RCPT commands per hour.  msgs-max is the hard limit after which further
           RCPTs are refused.  msgs-max, if not specified, defaults to the same value as msgs-
           per-hour.  However, it can be set to a greater value to accept bursts of traffic.

       MaxErrorsPerIP msgs-per-hour [msgs-max]
           Similar to MaxMsgsPerIP, except this parameter specifies the maximum rate at which
           clients from a particular IP address can issue SMTP commands that return errors.  If a
           client is issuing too many commands that cause errors (as can often happen with
           spambots that don't check the results of commands, or that relay spam through HTTP
           proxies), asmtpd will temporarily filter new connections from that client if
           SMTPFilter has been specified.  Otherwise, it will immediately shutdown any incoming
           new TCP connections from the client with a temporary SMTP error code.

       MaxMsgsPerUser msgs-per-hour [msgs-max]
           Specifies the maximum rate at which asmtpd will allow successful SMTP RCPT commands
           from a particular authenticated user.  The name used for the check is either the
           username from SASL authentication, or the common name of the client certificate with
           SSL authentication.  With this feature, you can prevent people who have legitimate
           relay privileges from sending bulk mail, as might happen if a spammer somehow stole a
           SASL password.

       MaxRcpts val
           Specifies the maximum number of recipients on a single message.  Once this number is
           reached, asmtpd rejects further recipients with a temporary SMTP error code, causing
           the sender to send a separate copy of the message to the remaining recipients.  The
           default value is 5.  (Note that this limit does not apply to trusted clients.)

       MaxRelayRcpts val
           If val is greater than the number of recipients specified for MaxRcpts, then this
           specifies a higher limit on the number of recipients when recipients are accepted by
           the relay script.

       MaxMsgSize bytes
           The largest mail message asmtpd should accept.  The default value is 104,857,600 (100

       SMTPTimeout seconds
           Determines how long asmtpd will keep an open connection from a client while awaiting
           an SMTP command.

       DataTimeout seconds
           Determines how long asmtpd will keep an idle connection from a client open while
           waiting for mail message contents (after the SMTP DATA command).  It is advisable to
           set a reasonable DataTimeout even if SMTPTimeout is short, so as not to force a client
           behind an unreliable network connection to keep having to start over.

       SMTPCB [0|1|2]
           If set to 2 (the default), asmtpd will attempt to verify the sender address of mail
           messages by going through the initial steps of sending back a bounce message, a
           technique known as an "SMTP callback."  If the mail cannot get through, the
           SENDER_BOUNCERES environment variable will contain an SMTP error code, and MAIL_ERROR
           will be set to reject the mail by default.  The next several parameters
           (ClientTimeout, VrfyDelay, VrfyCacheTime, and MaxRevClients) control the behavior of
           SMTP callbacks.

           If SMTPCB is set to 0, SMTP callbacks are entirely disabled.  If it is set to 1, then
           asmtpd still performs callbacks and sets the SENDER_BOUNCERES environment variable,
           but does not set MAIL_ERROR or reject mail by default if the callback fails.

       ClientTimeout seconds
           Specifies the SMTP timeout for asmtpd when it acts as an SMTP client, probing remote
           servers to check the validity of the sender address on incoming mail messages.  The
           default value is 300.

       VrfyDelay seconds
           When probing a remote SMTP server to validate an email address, asmtpd will keep the
           TCP connection open at least this long (after sending an HELO/EHLO command) before
           probing the address.  The idea is to make bulk mailing harder by preventing remote
           servers from validating more than a few thousand (or a few tens of thousands of) email
           addresses per second.  The default value for seconds is 2.

       VrfyCacheTime seconds
           If asmtpd probes a remote server and discovers that it cannot send bounce messages to
           an address, it caches the result for this amount of time.  If someone is mailbombing
           an asmtpd server from a forged address, this option prevents asmtpd from initiating
           too many connections to the forgery victim's mail server.  (Of course, if the victim
           publishes an SPF record, asmtpd will never contact the server and this is not an
           issue.)  The default vaule for seconds is 300.

       MaxRevClients val
           The number of idle reverse SMTP connections (to remote SMTP servers) to cache when not
           in use.  These connections are used to validate sending addresses of received mail.
           This number is approximate.

       IdentTimeout seconds
           The number of seconds to wait for the client to respond to an RFC1413 ident lookup.
           The default is 15.

       SynFp [0|1]
           If set to 0, disables the collection of SYN fingerprint information, which asmtpd
           ordinarily includes in headers of mail messages and in the CLIENT_SYNFP environment
           variable of avenger processes.  The default value is 1.

       SynFpWait msec
           Sets the number of milliseconds after accepting a TCP connection that asmtpd should
           wait to receive the full SYN packet from the packet filter (bpf) device.  If the time
           is exceeded, no SYN fingerprint will be recorded for the connection.  The default
           value is 500.

       SynFpBuf count
           Sets the maximum number of SYN fingerprints to keep around while waiting for the
           corresponding connections.  The default value is 100.

       SynOsMTU size
           Sets an additional size to try for the network's maximum transmission unit (MTU) when
           guessing the client operating system.  If size is set to 0, asmtpd will only try the
           value in the TCP MSS option + 40 bytes.  (Otherwise, when size is non-zero, asmtpd
           tries both MSS + 40 and size.)  The default for size is 1500.

       NetPath [0|1]
           If set to 0, disables the collection of IP "traceroute" information, which is normally
           included in the headers of mail messages and in the CLIENT_NETPATH environment
           variable of avenger processes.  The default value is 1.

       TrustedNet IP-addr/len
           If the first len bits of a client's IP address match IP-addr, the client will be
           considered trusted.  Trusted clients can relay mail through asmtpd to arbitrary
           addresses, and do not undergo any checks or processing by any avenger scripts.  This
           option can be given multiple times to list multiple networks.

       TrustedDomain domain
           If a client's verified DNS name is domain or ends .domain, the client will be
           considered trusted, and as described above will be allowed to relay mail unchecked.
           This option can be given multiple times to list multiple domains.

       SASL [0|1|2]
           This option only exists if asmtpd has been compiled with SASL support (via the
           --enable-sasl option to "configure").  If set to 0 (the default), the AUTH SMTP verb
           is disabled, and asmtpd performs no SASL authentication.  If set to 1, asmtpd performs
           SASL authentication when requested by clients, but does not inherently trust SASL-
           authenticated users.  You must check the AUTH_USER environment variable in the system-
           wide relay script and explicitly permit users to relay mail.

           If SASL is set to 2, then clients that have authenticated via SASL can relay mail just
           like TrustedNet and TrustedDomain machines--no further scripts are run.  However, the
           authenticated user name is still recorded in the Received: header to track abuse, and
           MaxMsgsPerUser is still enforced to prevent bulk mailing.  2 is a reasonable value for
           ordinary usage, since users without permission to relay mail have no reason to be
           listed in the SASL database file.

           For more information on SASL, see the SASL home page at

       InsecureSASL [0|1]
           When set to 0, which is the default, plaintext SASL authentication is disabled unless
           the connection is encrypted with SSL.  If set to 1, plaintext authentication is
           allowed even over unencrypted connections, which is insecure.

       MxLocalRcpt [0|1]
           If set to 1, asmtpd will accept mail for user@host even if host does not appear in
           DomainFile, as long as the local server's IP address corresponds to one of the DNS MX
           records for host.  Decisions about accepting mail will be made by the policies in the
           file secondary in EtcDir.

       AvengerUser username
           Specifies the user in the password file whose identity asmtpd should assume when
           running system-wide default rules, as well as the mail injection program specified by
           Sendmail.  The default value is "avenger".  Note that for efficiency, asmtpd will
           cache the user and group IDs of this user.  If for instance, you change the
           AvengerUser's group membership, you will have to send asmtpd a SIGHUP signal (or
           restart it).

       Sendmail program [arg ...]
           Specifies the program to run to inject new mail messages into the system.  The default
           value is:

               sendmail -oi -os -oee

           Whatever arguments you give, asmtpd will additionally supply the sender and
           recipient(s) by appending the following options:

               -f sender -- recipient-1 [recipient-2 ...]

           The -oee flag tells sendmail always to exit cleanly even if it generated a bounce
           message.  Without it, sometimes sendmail generates a bounce for a message and exits
           with an error code, which would cause asmtpd to generate an error despite the fact
           that the message has already been bounced.  This results in multiple bounces for the
           same message.

           Note that some sendmail replacements (including Exim) do not support the -oee flag.
           However, these systems typically behave correctly even without the -oee flag, meaning
           their sendmail programs exit cleanly if and only if the sender no longer needs to
           worry about the message.  If your sendmail executable rejects the argument -oee, try
           using -oem instead.

       EmptySender sender
           In some old versions of sendmail, running

               sendmail -f ''

           (where '' is a zero-length argument) does not produce an empty envelope sender, as
           should happen for bounces.  EmptySender lets you specify an alternate sender to use
           for the empty envelope sender.  Try using the single-character string "@"--that seems
           to produce the desired envelope sender (which turns into MAILER-DAEMON) with both old
           and new versions of sendmail, though it is not necessarily compatible with other MTAs.

       SendmailPriv [0|1]
           By default, asmtpd drops privilege to run Sendmail as AvengerUser.  If, however, you
           specify SendmailPriv 1, asmtpd will instead run Sendmail as root.  One possible use of
           this, for users of the sendmail MTA, is to invoke sendmail with the -Am flag, which
           requires root privileges but bypasses an extra level of queuing.  (Note that with
           newer versions of sendmail, if you do not run sendmail as a daemon on address
 , you will have to configure asmtpd to use the -Am flag.)

       SendmailFromLine [0|1]
           If you set this value to 1, the message fed to the Sendmail program will start with a
           UNIX mailbox style "From " line (which is not actually part of the message header).
           The default value is 0.

       AliasFile path
           Specifies the path of the user-mapping file, which by default is the file aliases in
           the directory specified by EtcDir.  Each line of this file is of the form:

               prefix: replacement

           Before deciding which user's rules to process for a particular mail message, the local
           part of the email address is transformed based on the aliases file.  An address of
           prefix is replaced by the replacement.  In addition, if the Separator character has
           been defined, then if an address begins with prefix followed immediately by the
           separator character, replacement is also substituted.  If the alias file contains
           multiple matching prefixes, the longest one is chosen.  Alias substitution continues
           recursively unless a loop is detected or the recursion reaches a depth of 20.

           Note:  It is important to emphasize that the aliases mechanism only governs which user
           checks the validity of a particular piece of mail.  It does not affect where the mail
           is eventually delivered, should the resulting rules accept the mail.

       DomainFile path
           Specifies the path of the domain-mapping file, which by default is the file domains in
           the directory specified by EtcDir.  This file allows one to map responsibility for all
           users in a domain onto a particular local user.  Each line of the file must have one
           of the following forms:

               domain: user
               domain: userSEPARATOR

           In the first case, when receiving mail for local@domain, the local part local is
           simply taken as is and treated as a local username (with the first separator character
           and anything following removed).  In the second case, the mail is checked by user
           instead.  In the third case, SEPARATOR is the separator character, which must have
           been declared with a Separator directive.  Here, user and the separator character are
           pre-pended to local.  For instance, if SEPARATOR is -, the mail would be checked by
           user-local.  In all cases, the result of the mapping is subject to alias substitution
           as described for AliasFile.

           Note:  As with AliasFile, the domain mechanism only governs which user checks the
           validity of a particular piece of mail.  It does not affect where the mail is
           eventually delivered, should the resulting rules accept the mail.

       Env var[=value]
           Specifies an environment variable to supply when running avenger.  Ordinarily, avenger
           is run with a clean environment, with only a few variables such as PATH passed
           through.  If the Env directive specifies a value, the environment variable will be be
           set to this value.  If =value is omitted, asmtpd will pass through the value of the
           environment variable it inherits, or leave the variable unset if it is not set in the
           environment in which asmtpd is run.

       AvengerMaxPerUser val
           Specifies how many concurrent avenger processes to launch for a particular user.  If a
           particular user already has this many avenger processes running, and another SMTP
           client issues an RCPT command that resolves to the same local user (or another local
           user with the same numeric UID), then asmtpd will wait for one of the existing avenger
           processes to exit before launching a new avenger to evaluate the new RCPT command.
           The default for val is 5.  This limit does not apply to the system-wide unknown,
           default, and relay files processed under the AvengerUser UID.  (Note that bodytests
           run for a particular user are also included in that user's count of avenger

       AvengerTimeout seconds
           Specifies a timeout value after which asmtpd will attempt to kill an avenger process,
           in case the process has somehow gotten stuck.  asmtpd does this, before launching
           avenger, by setting an alarm for the process.  The default for seconds is 600.

       NoCheck user[<@>host]
           Specifies that asmtpd's internal checks for email validity should be bypassed for
           email to a particular email address.  If host is not specified, then this applies to
           user at any acceptable local host (asmtpd still will not allow relaying, of course).
           It is a good idea to enable this for usernames specified in RFC 2142, such as
           postmaster and abuse.

       RBL [-i] [-p] [-f] -s score domain
           Checks real-time blackhole list domain.  If -i is present, looks up the client's IP
           address reversed (i.e., for client, this will match when DNS name
  exists).  If -p is present, the name of the client (as specified by a
           verified PTR DNS record) will be looked up.  If -f is present, the hostname from the
           envelope sender (the address in the SMTP MAIL) command will be looked up (i.e., mail
           from user@host matches if host.domain exists).  If none of -i, -p, or -f is specified,
           -i is assumed by default.

           score is an integer (which can be negative).  The scores of all matching RBLs are
           added together, and a message is rejected if the total is greater than or equal to

       UserMail [0|1]
           If set to 0, asmtpd will not chack mail* files in users' .avenger directories, but
           will always use the system-wide relay file (and secondary file) to decide whether to
           relay mail.  The default value is 0.

       UserRcpt [0|1]
           If set to 0, asmtpd will not chack rcpt* files in users' .avenger directories, but
           will always use the system-wide default file.  The default value is 1.

       AllowPercent [0|1]
           If set to 0 (the default), asmtpd will reject any email whose local part contains a
           "%" character.  This is because many MTAs will relay mail for users of the form
           user%host1@host2 to user@host1.  While of course it is possible to reject such
           messages with the /etc/avenger/unknown file, it is easy to forget to do so.  Failing
           to do so can get your site listed in various spam source lists, which will have some
           serious consequences.  For that reason, AllowPercent is 0 by default.  Set it to 1 if
           you really do want mail for users with "%" characters.

       AllowDNSFail [0|1|2]
           Upon accepting a connection from a client, asmtpd attempts to resolve the client's IP
           address to a hostname.  If a temporary DNS error occurs and AllowDNSFail is set to 0
           (the default), asmtpd will reject the connection immediately.  If AllowDNSFail is set
           to 1, however, then asmtpd will accept the connection and continue.  However, in this
           case that the CLIENT_DNSFAIL environment variable will be set to an error message, and
           mail will still be rejected by default unless an rcpt script explicitly calls accept.
           If AllowDNSFail is set to 2, then CLIENT_DNSFAIL will still be set, but by default
           mail will be accepted unless explicitly rejected.

           Note that this option has no effect on IP addresses that don't resolve to a domain
           name (e.g., where a lookup of the domain returns an empty result or the
           NXDOMAIN error).

       SSL [0|1|2]
           This and the following options are supported if Mail Avenger has been compiled with
           support for the STARTTLS command (using the --enable-ssl option to "configure").  If
           SSL is set to 0, then the STARTTLS command will be disabled.

           If SSL is set to 1 (the default), then STARTTLS will be enabled profiled the private
           key and certificate files can be found.  (Since these files will not exist by default,
           STARTTLS is still disabled by default.)  Relaying based on client certificates can be
           enabled by checking the SSL_ISSUER and SSL_SUBJECT environment variables in the relay

           If SSL is set to 2, then authentication with any valid client certificate will allow
           mail relaying with no further checks.  This value makes sense only if your
           organization runs a private certificate authority and you only place your local CA key
           in the SSLCAcert file, as otherwise you will have no control over who can relay mail
           through your machine.

       SSLCAcert path
           SSLCAcert specifies the certificate authorities allowed to sign client certificates.
           path must be a file containing one or more trusted CA certificates in PEM format.  If
           <path> is not an absolute path name, asmtpd will look for the file in EtcDir.  The
           default path is cacert.pem.

       SSLCRL path
           If SSL is in use, path specifies a PEM-format certificate revocation list.  The
           default value is crl.pem.

       SSLkey path
           If SSL is in use, path specifies a PEM-format file containing the server's private
           key.  If the file is not present, the STARTTLS command will be disabled.  The default
           path is privkey.pem.

       SSLcert path
           If SSL is in use, path specifies a PEM-format file containing a certificate for the
           public key corresponding to private key SSLkey.  If the file is not present, the
           STARTTLS command will be disabled.  The default path is cert.pem.

       SSLciphers string
           string specifies the preference for ciphers with SSL.  For example, to allow all
           ciphers except anonymous Diffie-Hellman, low key sizes, exportable ciphers, and
           MD%-based MAC, and to sort ciphers by strength, you might use the following string>:


           By default, asmtpd just uses the OpenSSL library's default cipher preferences.

       SPFfail [SPF-rule ...]
           SPF (Sender Policy Framework) is a mechanism to prevent forgery of email sender
           addresses.  (More information is available at <> and in the
           forthcoming RFC 4408.)  asmtpd always runs SPF checks on incoming email.  An SPF check
           returns one of seven possible results:  none, neutral, pass, fail, softfail, error, or
           unknown.  asmtpd will reject mail if the result is fail (and defer mail if the result
           is error).

           The SPFfail directive provides a second chance to mail that would otherwise resolve to
           fail.  If SPF rules are provided with this directive, and the SPF check on a message
           resolves to fail, then asmtpd will re-evaluate the message with the rules from the
           SPFfail directive.  If the SPFfail rules evaluate to none, neutral, or unknown, then
           the original fail result will remain.  Otherwise, the result of the SPFfail rules
           overrides the fail result.

           This directive can be used to work-around the problem of sites, such as,
           that forge email, but do not actually send spam. maintains a
           white-list of such sites, and it is highly recommended that you use this whitelist
           until SPF is more widely deployed.  To do so, you can use the configuration line:


       SPFnone [SPF-rule ...]
           This directive is similar to SPFfail, but supplies additional SPF rules to be run in
           the event that the SPF result for a message resolves to none--meaning that the domain
           from which the mail comes does not publish an SPF record.  One possible use might be
           the following:

               SPFnone a/24 mx/24 ptr

           This rule says that if the sending domain does not publish an SPF record, consider its
           result to be pass nonetheless as long as the sending host shares a 24-bit IP prefix
           with the address of the domain, or the address of any of the mail exchangers (DNS MX
           records) for the domain, or if the domain name of the sending machine has the sender
           domain name as a suffix.

       SPFlocal [SPF-rule ...]
           Unlike the previous two rules, which provide hooks to run after an SPF result has been
           determined, SPFlocal supplies SPF rules to be run before even attempting SPF rules for
           the domain.  If the local rules return pass, fail, softfail, or error, this reult
           becomes the SPF result for the message.  Otherwise, asmtpd evaluates the appropriate
           rules for the domain as usual.

           An example use might be to reject mail from a real-time black hole list (RBL), such as

               SPFlocal -exists:%{ir}

       SPFexp [explanation ...]
           Provides a default explanation for an SPF failure, if the sender domain does not have
           one.  The default is:

               SPFexp See{S}&ip=%{I}

       SPFHostsFile path
           This specifies the pathname of a file that contains "fallback" SPF records for domains
           that fail to supply SPF records themselves.  This file effectively achieves the same
           result as SPFNone, but on a per-hostname basis.  The default path is spfhosts in the
           directory specified by EtcDir (or /etc/avenger by default).  Each line of the file has
           the form:

               domain: SPF-rules

           domain is the domain name for which the SPF-rules apply.  If domain starts with a ".",
           then the rule matches all host names with domain as a suffix.  In other words,
           "" matches "", "", but not "".  Note that
           if a domain publishes an SPF record through DNS, the record in DNS overrides the
           record specified in this file.

           As an example, suppose Microsoft does not publish an SPF record in DNS, but you happen
           to know that all mail from users at "" comes from machines whose reverse
           DNS mapping ends either "" or "", or else whose IP addresses
           share a 16-bit prefix with one of the mail exchangers for "".  You might
           place the following line in your spfhosts file:

          ptr mx/16 ~all

           Here "~all" resorts to softfail when the sender does not match, which tags the message
           but does not reject it.  Use "-all" to reject the mail outright.  Note that if
           Microsoft ever starts publishing an SPF record in DNS, it will override the above

       DebugSMTP [0|1]
           When set to 1, causes asmtpd to log a complete trace of all SMTP traffic to and from
           connecting clients.  Produces a large amount of data, but can be useful for debugging.
           Each trace line list the name of the connecting client and asmtpd's file descriptor
           number in parentheses.

       DebugSMTPc [0|1]
           When receiving mail, asmtpd connects to remote mail servers to ensure the envelope
           sender addresses of incoming messages are valid email addresses, and in particular
           that they can receive bounces.  When DebugSMTPc is set to 1, all outgoing SMTP
           connection traffic from SMTPc is logged.  The output format is similar to DebugSMTP,
           but file descriptor numbers are prefixed with "R" to indicate this is a reverse

       DebugAvenger [0|1]
           Prints a trace of input and output to all avenger processes run.  The name also has a
           file descriptor number prefixed with "a" for avenger.


           default location of file

           default for EtcDir, location of other configuration files

       aliases, domains, spfhosts
           see the descriptions of AliasFile, DomainFile, and SPFHostsFile above

       unknown, default, secondary, relay
           avenger rules to be run by the AvengerUser under different circumstances; see the
           description of EtcDir above, and the manual page for avenger(1)

           File containing the process ID of a running asmtpd process.  You must send this
           process a SIGHUP signal for it to re-read the asmtpd.conf file.

           Example configuration files.

           Example scripts for the SMTPFilter directive.


       asmtpd(8), avenger(1)

       The Mail Avenger home page: <>.


       David Mazieres