
policyd-weight.conf(5)                 File Formats Manual                 policyd-weight.conf(5)

       policyd-weight.conf - policyd-weight configuration parameters

       Beta, Documentation incomplete

       policyd-weight uses a perl(1) style configuration file which it reads on startup. The
       cache re-reads the configuration after $MAINTENANCE_LEVEL (default: 5) queries. If -f is
       not specified, it searches for configuration files in the following locations:


       $CACHESIZE (default: 2000)
              Set the minimum size of the SPAM cache.

       $CACHEMAXSIZE (default: 4000)
              Set the maximum size of the SPAM cache.

              (default: 550 temporarily blocked because of previous errors)"

              Set the SMTP status code and an explanatory message for rejected mails due to cached

       $NTTL (default: 1)
              The client is penalized for that many retries.

       $NTIME (default: 30)
              The $NTTL counter will only be decremented if the client waits at least $NTIME sec‐

       $POSCACHESIZE (default: 1000)
              Set the minimum size of the HAM cache.

       $POSCACHEMAXSIZE (default: 2000)
              Set the maximum size of the HAM cache.

       $PTTL (default: 60)
              After  that  many queries the HAM entry must succeed one run through the RBL checks

       $PTIME (default: 3h)
              After $PTIME in the HAM cache the client must pass the RBL checks once again.
              Values must be non-fractional. Accepted time-units: s(econds), m(inutes), h(ours),
              d(ays)

       $TEMP_PTIME (default: 1d)
              The client must pass the RBL checks for this length of time in order to be listed
              as hard-HAM. After this time the client will pass immediately for $PTTL within
              $PTIME. Values must be non-fractional. Accepted time-units: s(econds), m(inutes),
              h(ours), d(ays)

       $DEBUG (default: 0)
              Turn debugging on (1) or off (0)

       $DNS_RETRIES (default: 2)
              How many times a single DNS query may be repeated

       $DNS_RETRY_IVAL (default: 2)
              Retry a query without response after that many seconds

       $MAXDNSERR (default: 3)
              If that many queries fail, the mail is accepted with $MAXDNSERRMSG.
              In total DNS queries this means: $MAXDNSERR * $DNS_RETRIES

       $MAINTENANCE_LEVEL (default: 5)
              After  that  many  policy  requests  the cache (and in daemon mode child processes)
              checks for configuration file changes

       $MAXIDLECACHE (default: 60)
              After that many seconds of being idle  the  cache  checks  for  configuration  file

       $PIDFILE (default: /var/run/policyd-weight.pid)
              Path and filename to store the master pid (daemon mode)

       $LOCKPATH (default: /tmp/.policyd-weight/)
              Directory where policyd-weight stores sockets and lock-files/directories. Its
              argument must contain a trailing slash.

       $SPATH (default: $LOCKPATH.'/polw.sock')
              Path and filename which the cache has to use for communication.

       $TCP_PORT (default: 12525)
              TCP port on which the policy server listens (daemon mode)

       $BIND_ADDRESS (default: '')
              IP Address on which policyd-weight binds. Currently either only one or all IPs  are
              supported. Specify 'all' if you want to listen on all IPs.

       $SOMAXCONN (default: 1024)
              Maximum  connections which policyd-weight accepts. This is set high enough to cover
              most scenarios.

       $USER (default: polw)
              Set the user under which policyd-weight runs

       $GROUP (default: $USER)
              Set the group under which policyd-weight runs

       $ADD_X_HEADER (default: 1)
              Insert an X-policyd-weight: header with evaluation messages.
              1 = on, 0 = off

       $LOG_BAD_RBL_ONLY (default: 1)
              Insert only RBL results in logging strings if the RBL  score  changes  the  overall
              score.  Thus RBLs with a GOOD SCORE of 0 don't appear in logging strings if the RBL
              returned no BAD hit.
              1 = on, 0 = off

       $MAXDNSBLMSG (default: 550 Your MTA is listed in too many DNSBLs)
              The message sent to the client if it was rejected due to $MAXDNSBLHITS and/or

       $REJECTMSG  (default: 550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Adminisra‐
       tor to correct HELO and DNS MX settings or to get removed from DNSBLs)

              Set the SMTP status code for rejected mails and a message why the action was taken

       $CHILDIDLE (default: 120)
              How many seconds a child may be idle before it dies (daemon mode)

       $MAX_PROC (default: 50)
              Process limit on how many processes policyd-weight will spawn (daemon mode)

       $MIN_PROC (default: 2)
              Minimum child processes which are kept alive in idle times (daemon mode)

       $PUDP (default: 0)
              Set persistent UDP connections used for DNS queries on (1) or off (0).

       Positive values indicate a bad (SPAM) score, negative values indicate a good (HAM) score.

       @bogus_mx_score (2.1, 0)
              If the sender domain has neither MX nor A records, or these records resolve to a
              bogus IP address (for instance private networks), then this check assigns the full
              score of bogus_mx_score. If there is no MX but an A record of the sender domain,
              then it receives a penalty only if DNSBL-listed.

              Log Entries:

               The sender A and MX records are bogus or empty.

               The sender domain has an empty or bogus MX record and the client is DNSBL listed.

              Related RFCs:

              [1918] Address Allocation for Private Internets
              [2821] Simple Mail Transfer Protocol (Sect 3.6 and Sect 5)

       @client_ip_eq_helo_score (1.5, -1.25)
              Define scores for the match of the reverse record (hostname) against the HELO
              argument. Reverse lookups are done, if the forward lookups failed and are not trusted.

              Log Entries:

               The  Client's  PTR  matched  the  HELO  argument.

               Domain portions  of Client PTR and HELO argument matched.

               Client  PTRs  found   but  did  not  match  HELO argument.

       @helo_score (1.5, -2)
              Define scores for the match of the Client IP and  its  /24  subnet  against  the  A
              records  of HELO or MAIL FROM domain/host. It also holds the bad score for MX veri‐

              Log Entries:

               Client IP matches the [IPv4] HELO.

               Client IP matches  the A record of the MAIL FROM sender domain/host.

               Client  IP  matches  the  A  record  of the HELO argument.

               The IP and  the /24  subnet did  not  match A/MX records  of  HELO  and MAIL  FROM
               arguments and their subdomains.

       @helo_from_mx_eq_ip_score (1.5, -3.1)
              Define scores for the match of Client IP against MX records. Positive (SPAM) values
              are used in case the MAIL FROM does not match the HELO argument AND the client seems
              to be dynamic AND the client is no MX for HELO and MAIL FROM arguments. The total
              DNSBL score is added to its bad score.

              Log Entries:

               Client IP  matches  the MAIL FROM domain/host MX record

               Client IP matches the HELO domain/host MX record

               Client is not a verified  HELO and doesn't match A/MX records of MAIL  FROM  argu‐

               Client's subnet does  not  match A/MX records of the MAIL FROM argument

       $dnsbl_checks_only (default: 0)
              Disable HELO/RHSBL verifications and the like. Do only RBL checks.
              1 = on, 0 = off

       @dnsbl_score (default: see below)
              A list of RBLs to be checked. If a host should not be evaluated any further once it
              is listed on several lists or on a very trustworthy list, you can force an immediate
              REJECT with $MAXDNSBLHITS and/or $MAXDNSBLSCORE. A list of RBLs must be built as
              follows:

              @dnsbl_score = (
                  RBLHOST1,   HIT SCORE,  MISS SCORE,     LOG NAME,
                  RBLHOST2,   HIT SCORE,  MISS SCORE,     LOG NAME,
              );

              The default is:

              @dnsbl_score = (
                  "dynablock.njabl.org",  3.25,   0,      "DYN_NJABL",
                  "dnsbl.njabl.org",      4.25,   -1.5,   "BL_NJABL",
                  "bl.spamcop.net",       1.75,   -1.5,   "SPAMCOP",
                  "sbl-xbl.spamhaus.org", 4.35,   -1.5,   "SBL_XBL_SPAMHAUS",
                  "list.dsbl.org",        4.35,   0,      "DSBL_ORG",
                  "ix.dnsbl.manitu.net",  4.35,   0,      "IX_MANITU",
                  "relays.ordb.org",      3.25,   0,      "ORDB_ORG"
              );

       @rhsbl_score (default: see below)
              Define a list of RHSBL hosts which are queried for the sender domain. Results
              additionally receive scores of 0.5 * DNSBL results and @rhsbl_penalty_score. A list
              of RHSBL hosts to be queried must be built as follows:

              @rhsbl_score = (
                  RHSBLHOST1,  HIT SCORE,  MISS SCORE,     LOG NAME,
                  RHSBLHOST2,  HIT SCORE,  MISS SCORE,     LOG NAME,
              );

              The default is:

              @rhsbl_score = (
                  "rhsbl.ahbl.org",              1.8,     0,  "AHBL",
                  "dsn.rfc-ignorant.org",        3.2,     0,  "DSN_RFCI",
                  "postmaster.rfc-ignorant.org", 1,       0,  "PM_RFCI",
                  "abuse.rfc-ignorant.org",      1,       0,  "ABUSE_RFCI"
              );

       @rhsbl_penalty_score (3.1, 0)
              This score will be added to each RHSBL hit if one of the following criteria is met:

                  Sender has a random local-part (i.e. yztrzgb AT example.tld)

               or MX records of sender domain are bogus

               or FROM does not match HELO

               or HELO is untrusted (Forward record matched, reverse record
                  did not match)

       $MAXDNSBLHITS (default: 2)
              If the client is listed in more than $MAXDNSBLHITS RBLs it will be rejected
              immediately with $MAXDNSBLMSG and without further evaluation. Results are cached by

       $MAXDNSBLSCORE (default: 8)
              If the BAD SCOREs of @dnsbl_score listed RBLs reach a level greater than
              $MAXDNSBLSCORE the client will be rejected immediately with $MAXDNSBLMSG and without
              further evaluation. Results are cached by default.

       $REJECTLEVEL (default: 1)
              Score results equal to or greater than this level will be rejected with $REJECTMSG
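
       The interaction of @dnsbl_score, $MAXDNSBLHITS, $MAXDNSBLSCORE and $REJECTLEVEL, as an
       added Python sketch that is not part of policyd-weight or of this manual page. It uses
       the default table and thresholds printed above and models only the DNSBL lookups.
       Assumptions: a MISS SCORE is added for every list the client is not on, the two
       early-reject limits are tested once all lists have been queried, and evaluate() and
       other_score (a stand-in for the sum of all other checks) are hypothetical names.

```python
# Added example: models only the DNSBL part of the scoring described above.
# Table and thresholds are the defaults printed on this manual page.
DNSBL_SCORE = [
    # (rbl host, hit score, miss score, log name)
    ("dynablock.njabl.org",  3.25,  0,   "DYN_NJABL"),
    ("dnsbl.njabl.org",      4.25, -1.5, "BL_NJABL"),
    ("bl.spamcop.net",       1.75, -1.5, "SPAMCOP"),
    ("sbl-xbl.spamhaus.org", 4.35, -1.5, "SBL_XBL_SPAMHAUS"),
    ("list.dsbl.org",        4.35,  0,   "DSBL_ORG"),
    ("ix.dnsbl.manitu.net",  4.35,  0,   "IX_MANITU"),
    ("relays.ordb.org",      3.25,  0,   "ORDB_ORG"),
]
MAXDNSBLHITS = 2
MAXDNSBLSCORE = 8
REJECTLEVEL = 1


def evaluate(listed_on, other_score=0.0, table=DNSBL_SCORE):
    """Return (action, total, log_names) for a client listed on `listed_on`.

    other_score is a hypothetical stand-in for the summed result of the
    HELO, MX and RHSBL checks, which this sketch does not model.
    """
    hits, bad, total, log = 0, 0.0, 0.0, []
    for host, hit_score, miss_score, name in table:
        if host in listed_on:
            hits += 1
            bad += hit_score          # BAD SCOREs feed $MAXDNSBLSCORE
            total += hit_score
            log.append(name)
        else:
            total += miss_score       # assumption: misses count toward the total

    # Immediate reject: more than $MAXDNSBLHITS listings, or BAD SCOREs
    # greater than $MAXDNSBLSCORE. No further evaluation in that case.
    if hits > MAXDNSBLHITS or bad > MAXDNSBLSCORE:
        return ("REJECT_MAXDNSBL", round(total, 2), log)

    # Otherwise the remaining checks contribute and $REJECTLEVEL decides.
    total += other_score
    action = "REJECT" if total >= REJECTLEVEL else "PASS"
    return (action, round(total, 2), log)
```

       Under these assumptions a client listed only on bl.spamcop.net ends at -1.25 and
       passes, while one listed only on sbl-xbl.spamhaus.org ends at 1.35 and is rejected.
       Calling evaluate() with a single host in listed_on shows what a list that answers every
       query as listed would contribute on its own.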

       policyd-weight(8), Policyd-weight daemon
       perl(1), Practical Extraction and Report Language
       perlsyn(1), Perl syntax
       access(5), Postfix SMTP access control table

       GNU General Public License

       Robert Felber <r.felber AT ek-muc.de>
       Autohaus Erich Kuttendreier
       81827 Munich, Germany

                                          Aug 25th, 2006                   policyd-weight.conf(5)
