.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\"
.IX Title "asmtpd.conf 5"
.TH asmtpd.conf 5 "2013-07-13" "Mail Avenger 0.8.4" "Mail Avenger 0.8.4"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
asmtpd.conf \- Avenger SMTP Daemon configuration file
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fIasmtpd.conf\fR is the configuration file for \fIasmtpd\fR\|(8), the Mail
Avenger mail server.
The file contains a series of directives, where each directive takes zero
or more arguments. Blank lines and lines beginning with \f(CW\*(C`#\*(C'\fR (for
comments) are ignored. If a line ends with the \f(CW\*(C`\e\*(C'\fR character, the
\f(CW\*(C`\e\*(C'\fR is ignored and the following line is appended. In this way you
can break a long list of arguments over multiple \*(L"continuation\*(R" lines.
.PP
Arguments are separated by spaces. However, you can include a space in an
argument by surrounding the argument with double-quote (\f(CW\*(C`"\*(C'\fR)
characters. A backslash (\f(CW\*(C`\e\*(C'\fR) followed by any other character is
interpreted as that character. Thus, a literal \f(CW\*(C`"\*(C'\fR or \f(CW\*(C`\e\*(C'\fR
character can be included as \f(CW\*(C`\e"\*(C'\fR or \f(CW\*(C`\e\e\*(C'\fR, and an
alternative to putting double quotes around an argument with spaces is
simply to put a \f(CW\*(C`\e\*(C'\fR before each space.
.PP
If you change \fIasmtpd.conf\fR while asmtpd is running, you must send it a
\s-1SIGHUP\s0 signal for it to read the new changes. (Note, however, that
asmtpd will re-read the \fBAliasFile\fR, \fBDomainFile\fR, or
\&\fBSPFHostsFile\fR automatically if you change these.)
.PP
The rest of this man page details the various directives. Directives are
case-insensitive. Depending on the directive, the arguments may or may
not be case sensitive.
.SS "\s-1GENERAL CONFIGURATION DIRECTIVES\s0"
.IX Subsection "GENERAL CONFIGURATION DIRECTIVES"
.IP "\fBSeparator\fR \fICharacter\fR" 4
.IX Item "Separator Character"
This is the only option that probably needs to be set at all sites.
\&\fICharacter\fR is a single character that separates usernames from the
rest of the local part of an email address. For example, with sendmail,
mail for is usually delivered to user name. Thus, a \f(CW\*(C`+\*(C'\fR should be
specified for \fICharacter\fR. With qmail, it is that belongs to user name
(though routing is handled differently).
Thus, qmail users will want to specify \f(CW\*(C`\-\*(C'\fR. The default is not to
have a separator. This is probably wrong for most sites, but is a lot
less bad than selecting the wrong character!
.IP "\fBHostname\fR \fIname\fR" 4
.IX Item "Hostname name"
\&\f(CW\*(C`Hostname\*(C'\fR specifies the hostname that asmtpd should use in the
\s-1SMTP\s0 protocol. Ordinarily, this name should map to the \s-1IP\s0 address of
your server (or one of the \s-1IP\s0 addresses of your server). The default is
to use the local hostname (as returned by the \f(CW\*(C`gethostname\*(C'\fR system
call), with the default \s-1DNS\s0 domain name appended if your hostname does
not include any \f(CW\*(C`.\*(C'\fR characters.
.IP "\fBLogPriority\fR \fIpriority\fR" 4
.IX Item "LogPriority priority"
This directive sets the priority with which diagnostic messages are sent
to the system log. The default value is \f(CW\*(C`mail.info\*(C'\fR.
.IP "\fBLogTag\fR \fItag\fR" 4
.IX Item "LogTag tag"
This directive sets the tag for syslog messages generated by asmtpd. The
default tag is empty. Note that by default most messages except those
created by Debug options already contain \*(L"asmtpd:\*(R".
.IP "\fBEtcDir\fR \fIdirectory\fR" 4
.IX Item "EtcDir directory"
Sets the directory in which asmtpd will search for various configuration
files, including \fIaliases\fR, \fIdomains\fR, and \fIspfhosts\fR (see below), as
well as four special rule files run under the
\&\fBAvengerUser\fR \s-1UID: \s0\fIdefault\fR, \fIunknown\fR, \fIsecondary\fR, and
\&\fIrelay\fR.
.Sp
The file \fIunknown\fR consists of avenger rules that get run for any local
user that does not exist in the password file, or that exists but has a
\s-1UID\s0 of 0 (root), or that exists but has an invalid shell (not listed in
\fI/etc/shells\fR). These rules are not run for normal users, even if those
users do not have a \fI.avenger\fR directory.
.Sp
The \fIdefault\fR file consists of rules that are run after the rules in
\&\fIunknown\fR or after the rules in a user's \fI.avenger\fR directory, so
long as these rules did not immediately reject, defer, accept, redirect,
or bodytest the mail. If a user does not have a \fI.avenger\fR directory,
the rules in \fIdefault\fR are always run.
.Sp
The \fIsecondary\fR ruleset contains rules that are run if \fBMxLocalRcpt\fR
has been set to 1, mail is received for \fIuser\fR\fB@\fR\fIhostname\fR, and the
mail server is an \s-1MX\s0 record for \fIhostname\fR, but not the highest
priority \s-1MX\s0 record. If the ruleset does not exist or simply exits, the
default is to spool the mail.
.Sp
The \fIrelay\fR ruleset consists of rules that are run when mail is received
for \fIuser\fR\fB@\fR\fIhostname\fR where \fIhostname\fR is not in the
\&\fIdomains\fR file (and, if \fBMxLocalRcpt\fR is 1, the server is not an
\s-1MX\s0 record for \fIhostname\fR). In such circumstances, if the sender
address is local, asmtpd will first attempt to execute an appropriate
\f(CW\*(C`mail\*(C'\fR (as opposed to the usual \f(CW\*(C`rcpt\*(C'\fR) ruleset in the user's
\fI.avenger\fR directory. If that ruleset does not exist or simply exits, or
\&\fIhostname\fR is not local, then asmtpd runs \fIrelay\fR. If the rules in
\&\fIrelay\fR simply exit or the file does not exist, the default is to
reject the mail.
.Sp
The default value of \fBEtcDir\fR is \fI/etc/avenger\fR.
.SS "\s-1NETWORK CONFIGURATION PARAMETERS\s0"
.IX Subsection "NETWORK CONFIGURATION PARAMETERS"
.IP "\fBBindAddr\fR \fIIP-address\fR [\fIport-no\fR]" 4
.IX Item "BindAddr IP-address [port-no]"
\&\f(CW\*(C`BindAddr\*(C'\fR specifies the \s-1IP\s0 address on which the server should
listen. The default is 0.0.0.0 (\s-1INADDR_ANY\s0), meaning to accept incoming
connections on any \s-1IP\s0 address. By default the server uses
\&\s-1TCP\s0 port 25, but \fIport-no\fR can also be specified to choose a
different port number.
.IP "\fBMaxClients\fR \fIval\fR" 4
.IX Item "MaxClients val"
Specifies the maximum number of concurrent \s-1TCP\s0 connections from clients
that asmtpd should allow. The default value is 60.
.IP "\fBMaxConPerIP\fR \fIval\fR" 4
.IX Item "MaxConPerIP val"
Specifies the maximum number of incoming \s-1TCP\s0 connections asmtpd should
accept from a single \s-1IP\s0 address. The default value is 10.
.IP "\fBSMTPFilter\fR \fIprog\fR" 4
.IX Item "SMTPFilter prog"
Specifies the name of a program asmtpd can invoke to enable packet
filtering of incoming \s-1SYN\s0 packets from a particular \s-1IP\s0 address for the
\&\s-1SMTP\s0 port (25 by default). Note that this program should filter only
\&\s-1TCP\s0 packets to the \s-1SMTP\s0 port that have the \s-1TCP SYN\s0 flag set and the
\&\s-1ACK\s0 flag cleared. It is very important that this rule \fBnot\fR interfere
with previously established \s-1TCP\s0 connections, since asmtpd uses this to
block new connections when the per-IP-address limit has been reached.
.Sp
The program will be run three different ways:
.RS 4
.IP "\fIprog\fR \fBclear\fR" 4
.IX Item "prog clear"
.PD 0
.IP "\fIprog\fR \fBadd\fR \fIIP-addr\fR" 4
.IX Item "prog add IP-addr"
.IP "\fIprog\fR \fBdel\fR \fIIP-addr\fR" 4
.IX Item "prog del IP-addr"
.RE
.RS 4
.PD
.Sp
The \fBclear\fR command should cause all previously filtered \s-1IP\s0 addresses
to be re-enabled. The \fBadd\fR command says to add the particular \s-1IP\s0
address to the list of filtered addresses. \fBdel\fR says to remove an
\&\s-1IP\s0 address from the list of addresses.
.Sp
Since the details of how to filter \s-1IP\s0 packets depend entirely on the
particular operating system and firewall software being run, this task is
best handled by a shell script written by the system administrator. An
example script for use with OpenBSD's pf packet filter can be found in
\fI/usr/local/share/avenger/smtp\-filter.pf\fR.
An example for use with Linux's iptables firewall can be found in
\fI/usr/local/share/avenger/smtp\-filter.iptables\fR.
.RE
.IP "\fBMaxMsgsPerIP\fR \fImsgs-per-hour\fR [\fImsgs-max\fR]" 4
.IX Item "MaxMsgsPerIP msgs-per-hour [msgs-max]"
Specifies the maximum rate at which asmtpd will allow successful
\s-1SMTP RCPT\s0 commands from a particular \s-1IP\s0 address. After this limit is
reached, further \s-1RCPT\s0 commands will be rejected with a temporary \s-1SMTP\s0
error code saying too much load. \fImsgs-per-hour\fR is the number of
\&\s-1RCPT\s0 commands per hour. \fImsgs-max\fR is the hard limit after which
further RCPTs are refused. \fImsgs-max\fR, if not specified, defaults to the
same value as \fImsgs-per-hour\fR. However, it can be set to a greater value
to accept bursts of traffic.
.IP "\fBMaxErrorsPerIP\fR \fImsgs-per-hour\fR [\fImsgs-max\fR]" 4
.IX Item "MaxErrorsPerIP msgs-per-hour [msgs-max]"
Similar to \fBMaxMsgsPerIP\fR, except this parameter specifies the maximum
rate at which clients from a particular \s-1IP\s0 address can issue
\&\s-1SMTP\s0 commands that return errors. If a client is issuing too many
commands that cause errors (as can often happen with spambots that don't
check the results of commands, or that relay spam through \s-1HTTP\s0 proxies),
asmtpd will temporarily filter new connections from that client if
\fBSMTPFilter\fR has been specified. Otherwise, it will immediately shut
down any incoming new \s-1TCP\s0 connections from the client with a temporary
\s-1SMTP\s0 error code.
.IP "\fBMaxMsgsPerUser\fR \fImsgs-per-hour\fR [\fImsgs-max\fR]" 4
.IX Item "MaxMsgsPerUser msgs-per-hour [msgs-max]"
Specifies the maximum rate at which asmtpd will allow successful
\s-1SMTP RCPT\s0 commands from a particular authenticated user. The name used
for the check is either the username from \s-1SASL\s0 authentication, or the
common name of the client certificate with \s-1SSL\s0 authentication.
With this feature, you can prevent people who have legitimate relay
privileges from sending bulk mail, as might happen if a spammer somehow
stole a \s-1SASL\s0 password.
.IP "\fBMaxRcpts\fR \fIval\fR" 4
.IX Item "MaxRcpts val"
Specifies the maximum number of recipients on a single message. Once this
number is reached, asmtpd rejects further recipients with a temporary
\s-1SMTP\s0 error code, causing the sender to send a separate copy of the
message to the remaining recipients. The default value is 5. (Note that
this limit does not apply to trusted clients.)
.IP "\fBMaxRelayRcpts\fR \fIval\fR" 4
.IX Item "MaxRelayRcpts val"
If \fIval\fR is greater than the number of recipients specified for
\&\fBMaxRcpts\fR, then this specifies a higher limit on the number of
recipients when recipients are accepted by the \fIrelay\fR script.
.IP "\fBMaxMsgSize\fR \fIbytes\fR" 4
.IX Item "MaxMsgSize bytes"
The largest mail message asmtpd should accept. The default value is
104,857,600 (100 MBytes).
.IP "\fBSMTPTimeout\fR \fIseconds\fR" 4
.IX Item "SMTPTimeout seconds"
Determines how long asmtpd will keep an open connection from a client
while awaiting an \s-1SMTP\s0 command.
.IP "\fBDataTimeout\fR \fIseconds\fR" 4
.IX Item "DataTimeout seconds"
Determines how long asmtpd will keep an idle connection from a client
open while waiting for mail message contents (after the \s-1SMTP DATA\s0
command). It is advisable to set a reasonable \fBDataTimeout\fR even if
\&\fBSMTPTimeout\fR is short, so as not to force a client behind an
unreliable network connection to keep having to start over.
.IP "\fB\s-1SMTPCB\s0\fR [0|1|2]" 4
.IX Item "SMTPCB [0|1|2]"
If set to 2 (the default), asmtpd will attempt to verify the sender
address of mail messages by going through the initial steps of sending
back a bounce message, a technique known as an \*(L"\s-1SMTP\s0 callback.\*(R" If the
mail cannot get through, the \fB\s-1SENDER_BOUNCERES\s0\fR environment variable
will contain an \s-1SMTP\s0 error code, and \fB\s-1MAIL_ERROR\s0\fR will be set to reject
the mail by default. The next several parameters (\fBClientTimeout\fR,
\fBVrfyDelay\fR, \fBVrfyCacheTime\fR, and \&\fBMaxRevClients\fR) control the
behavior of \s-1SMTP\s0 callbacks.
.Sp
If \fB\s-1SMTPCB\s0\fR is set to 0, \s-1SMTP\s0 callbacks are entirely disabled. If it
is set to 1, then asmtpd still performs callbacks and sets the
\&\fB\s-1SENDER_BOUNCERES\s0\fR environment variable, but does not set
\fB\s-1MAIL_ERROR\s0\fR or reject mail by default if the callback fails.
.IP "\fBClientTimeout\fR \fIseconds\fR" 4
.IX Item "ClientTimeout seconds"
Specifies the \s-1SMTP\s0 timeout for asmtpd when it acts as an \s-1SMTP\s0 client,
probing remote servers to check the validity of the sender address on
incoming mail messages. The default value is 300.
.IP "\fBVrfyDelay\fR \fIseconds\fR" 4
.IX Item "VrfyDelay seconds"
When probing a remote \s-1SMTP\s0 server to validate an email address, asmtpd
will keep the \s-1TCP\s0 connection open at least this long (after sending an
\&\s-1HELO/EHLO\s0 command) before probing the address. The idea is to make
bulk mailing harder by preventing remote servers from validating more
than a few thousand (or a few tens of thousands of) email addresses per
second. The default value for \fIseconds\fR is 2.
.IP "\fBVrfyCacheTime\fR \fIseconds\fR" 4
.IX Item "VrfyCacheTime seconds"
If asmtpd probes a remote server and discovers that it cannot send bounce
messages to an address, it caches the result for this amount of time.
If someone is mailbombing an asmtpd server from a forged address, this
option prevents asmtpd from initiating too many connections to the
forgery victim's mail server. (Of course, if the victim publishes an
\s-1SPF\s0 record, asmtpd will never contact the server and this is not an
issue.) The default value for \fIseconds\fR is 300.
.IP "\fBMaxRevClients\fR \fIval\fR" 4
.IX Item "MaxRevClients val"
The number of idle reverse \s-1SMTP\s0 connections (to remote \s-1SMTP\s0 servers) to
cache when not in use. These connections are used to validate sending
addresses of received mail. This number is approximate.
.IP "\fBIdentTimeout\fR \fIseconds\fR" 4
.IX Item "IdentTimeout seconds"
The number of seconds to wait for the client to respond to an
\s-1RFC1413\s0 ident lookup. The default is 15.
.IP "\fBSynFp\fR [0|1]" 4
.IX Item "SynFp [0|1]"
If set to 0, disables the collection of \s-1SYN\s0 fingerprint information,
which asmtpd ordinarily includes in headers of mail messages and in the
\fB\s-1CLIENT_SYNFP\s0\fR environment variable of avenger processes. The default
value is 1.
.IP "\fBSynFpWait\fR \fImsec\fR" 4
.IX Item "SynFpWait msec"
Sets the number of milliseconds after accepting a \s-1TCP\s0 connection that
asmtpd should wait to receive the full \s-1SYN\s0 packet from the packet filter
(bpf) device. If the time is exceeded, no \s-1SYN\s0 fingerprint will be
recorded for the connection. The default value is 500.
.IP "\fBSynFpBuf\fR \fIcount\fR" 4
.IX Item "SynFpBuf count"
Sets the maximum number of \s-1SYN\s0 fingerprints to keep around while waiting
for the corresponding connections. The default value is 100.
.IP "\fBSynOsMTU\fR \fIsize\fR" 4
.IX Item "SynOsMTU size"
Sets an additional size to try for the network's maximum transmission
unit (\s-1MTU\s0) when guessing the client operating system. If \fIsize\fR is set
to 0, asmtpd will only try the value in the \s-1TCP MSS\s0 option + 40 bytes.
(Otherwise, when \fIsize\fR is non-zero, asmtpd tries both \s-1MSS + 40\s0 and
\fIsize\fR.) The default for \fIsize\fR is 1500.
.IP "\fBNetPath\fR [0|1]" 4
.IX Item "NetPath [0|1]"
If set to 0, disables the collection of \s-1IP \s0\*(L"traceroute\*(R" information,
which is normally included in the headers of mail messages and in the
\&\fB\s-1CLIENT_NETPATH\s0\fR environment variable of avenger processes. The
default value is 1.
.SS "\s-1MAIL PROCESSING DIRECTIVES\s0"
.IX Subsection "MAIL PROCESSING DIRECTIVES"
.IP "\fBTrustedNet\fR \fIIP-addr\fR\fB/\fR\fIlen\fR" 4
.IX Item "TrustedNet IP-addr/len"
If the first \fIlen\fR bits of a client's \s-1IP\s0 address match \fIIP-addr\fR, the
client will be considered trusted. Trusted clients can relay mail through
asmtpd to arbitrary addresses, and do not undergo any checks or
processing by any avenger scripts. This option can be given multiple
times to list multiple networks.
.IP "\fBTrustedDomain\fR \fIdomain\fR" 4
.IX Item "TrustedDomain domain"
If a client's verified \s-1DNS\s0 name is \fIdomain\fR or ends \fB.\fR\fIdomain\fR, the
client will be considered trusted, and as described above will be allowed
to relay mail unchecked. This option can be given multiple times to list
multiple domains.
.IP "\fB\s-1SASL\s0\fR [0|1|2]" 4
.IX Item "SASL [0|1|2]"
This option only exists if asmtpd has been compiled with \s-1SASL\s0 support
(via the \fB\-\-enable\-sasl\fR option to \f(CW\*(C`configure\*(C'\fR). If set to 0 (the
default), the \s-1AUTH SMTP\s0 verb is disabled, and asmtpd performs no
\s-1SASL\s0 authentication. If set to 1, asmtpd performs \s-1SASL\s0 authentication
when requested by clients, but does not inherently trust
SASL-authenticated users. You must check the \fB\s-1AUTH_USER\s0\fR environment
variable in the system-wide \fIrelay\fR script and explicitly permit users
to relay mail.
.Sp
If \fB\s-1SASL\s0\fR is set to 2, then clients that have authenticated via
\s-1SASL\s0 can relay mail just like \fBTrustedNet\fR and \fBTrustedDomain\fR
machines\*(--no further scripts are run. However, the authenticated user
name is still recorded in the Received: header to track abuse, and
\&\fBMaxMsgsPerUser\fR is still enforced to prevent bulk mailing. 2 is a
reasonable value for ordinary usage, since users without permission to
relay mail have no reason to be listed in the \s-1SASL\s0 database file.
.Sp
For more information on \s-1SASL,\s0 see the \s-1SASL\s0 home page at .
.IP "\fBInsecureSASL\fR [0|1]" 4
.IX Item "InsecureSASL [0|1]"
When set to 0, which is the default, plaintext \s-1SASL\s0 authentication is
disabled unless the connection is encrypted with \s-1SSL. \s0 If set to 1,
plaintext authentication is allowed even over unencrypted connections,
which is insecure.
.IP "\fBMxLocalRcpt\fR [0|1]" 4
.IX Item "MxLocalRcpt [0|1]"
If set to 1, asmtpd will accept mail for \fIuser\fR\fB@\fR\fIhost\fR even if
\&\fIhost\fR does not appear in \fBDomainFile\fR, as long as the local
server's \s-1IP\s0 address corresponds to one of the \s-1DNS MX\s0 records for
\&\fIhost\fR. Decisions about accepting mail will be made by the policies
in the file \fIsecondary\fR in \fBEtcDir\fR.
.IP "\fBAvengerUser\fR \fIusername\fR" 4
.IX Item "AvengerUser username"
Specifies the user in the password file whose identity asmtpd should
assume when running system-wide default rules, as well as the mail
injection program specified by \fBSendmail\fR. The default value is
\&\f(CW\*(C`avenger\*(C'\fR. Note that for efficiency, asmtpd will cache the user and
group IDs of this user. If for instance, you change the
\&\fBAvengerUser\fR's group membership, you will have to send asmtpd a
\&\s-1SIGHUP\s0 signal (or restart it).
.IP "\fBSendmail\fR \fIprogram\fR [\fIarg\fR ...]" 4
.IX Item "Sendmail program [arg ...]"
Specifies the program to run to inject new mail messages into the system.
The default value is:
.Sp
.Vb 1
\& sendmail \-oi \-os \-oee
.Ve
.Sp
Whatever arguments you give, asmtpd will additionally supply the sender
and recipient(s) by appending the following options:
.RS 4
.Sp
.RS 4
\&\-f \fIsender\fR \*(-- \fIrecipient\-1\fR [\fIrecipient\-2\fR ...]
.RE
.RE
.RS 4
.Sp
The \fB\-oee\fR flag tells sendmail always to exit cleanly even if it
generated a bounce message. Without it, sometimes sendmail generates a
bounce for a message and exits with an error code, which would cause
asmtpd to generate an error despite the fact that the message has already
been bounced. This results in multiple bounces for the same message.
.Sp
Note that some sendmail replacements (including Exim) do not support the
\fB\-oee\fR flag. However, these systems typically behave correctly even
without the \fB\-oee\fR flag, meaning their sendmail programs exit cleanly if
and only if the sender no longer needs to worry about the message. If
your sendmail executable rejects the argument \fB\-oee\fR, try using
\fB\-oem\fR instead.
.RE
.IP "\fBEmptySender\fR \fIsender\fR" 4
.IX Item "EmptySender sender"
In some old versions of sendmail, running
.Sp
.Vb 1
\& sendmail \-f \*(Aq\*(Aq
.Ve
.Sp
(where '' is a zero-length argument) does not produce an empty envelope
sender, as should happen for bounces. \fBEmptySender\fR lets you specify an
alternate sender to use for the empty envelope sender. Try using the
single-character string \f(CW\*(C`@\*(C'\fR\-\-that seems to produce the desired
envelope sender (which turns into MAILER-DAEMON) with both old and new
versions of sendmail, though it is not necessarily compatible with other
MTAs.
.IP "\fBSendmailPriv\fR [0|1]" 4
.IX Item "SendmailPriv [0|1]"
By default, asmtpd drops privilege to run \fBSendmail\fR as
\&\fBAvengerUser\fR. If, however, you specify \fBSendmailPriv 1\fR, asmtpd
will instead run \fBSendmail\fR as root.
One possible use of this, for users of the sendmail \s-1MTA,\s0 is to invoke
sendmail with the \fB\-Am\fR flag, which requires root privileges but
bypasses an extra level of queuing. (Note that with newer versions of
sendmail, if you do not run sendmail as a daemon on address 127.0.0.1,
you will have to configure asmtpd to use the \fB\-Am\fR flag.)
.IP "\fBSendmailFromLine\fR [0|1]" 4
.IX Item "SendmailFromLine [0|1]"
If you set this value to 1, the message fed to the \fBSendmail\fR program
will start with a \s-1UNIX\s0 mailbox style \*(L"From \*(R" line (which is not actually
part of the message header). The default value is 0.
.IP "\fBAliasFile\fR \fIpath\fR" 4
.IX Item "AliasFile path"
Specifies the path of the user-mapping file, which by default is the file
\fIaliases\fR in the directory specified by \fBEtcDir\fR. Each line of this
file is of the form:
.RS 4
.Sp
.RS 4
\&\fIprefix\fR\fB:\fR \fIreplacement\fR
.RE
.RE
.RS 4
.Sp
Before deciding which user's rules to process for a particular mail
message, the local part of the email address is transformed based on the
aliases file. An address of \fIprefix\fR is replaced by the
\&\fIreplacement\fR. In addition, if the \fBSeparator\fR character has been
defined, then if an address begins with \fIprefix\fR followed immediately by
the separator character, \fIreplacement\fR is also substituted. If the alias
file contains multiple matching prefixes, the longest one is chosen.
Alias substitution continues recursively unless a loop is detected or the
recursion reaches a depth of 20.
.Sp
Note: It is important to emphasize that the aliases mechanism only
governs which user checks the validity of a particular piece of mail. It
does not affect where the mail is eventually delivered, should the
resulting rules accept the mail.
.RE
.IP "\fBDomainFile\fR \fIpath\fR" 4
.IX Item "DomainFile path"
Specifies the path of the domain-mapping file, which by default is the
file \fIdomains\fR in the directory specified by \fBEtcDir\fR.
This file allows one to map responsibility for all users in a domain onto
a particular local user. Each line of the file must have one of the
following forms:
.RS 4
.IP " \fIdomain\fR\fB:\fR" 4
.IX Item " domain:"
.PD 0
.IP " \fIdomain\fR\fB:\fR \fIuser\fR" 4
.IX Item " domain: user"
.IP " \fIdomain\fR\fB:\fR \fIuser\fR\fI\s-1SEPARATOR\s0\fR" 4
.IX Item " domain: userSEPARATOR"
.RE
.RS 4
.PD
.Sp
In the first case, when receiving mail for \fIlocal\fR\fB@\fR\fIdomain\fR, the
local part \fIlocal\fR is simply taken as is and treated as a local username
(with the first separator character and anything following removed). In
the second case, the mail is checked by \fIuser\fR instead. In the third
case, \fI\s-1SEPARATOR\s0\fR is the separator character, which must have been
declared with a \fBSeparator\fR directive. Here, \fIuser\fR and the separator
character are prepended to \fIlocal\fR. For instance, if
\&\fI\s-1SEPARATOR\s0\fR is \fB\-\fR, the mail would be checked by
\&\fIuser\fR\fB\-\fR\fIlocal\fR. In all cases, the result of the mapping is
subject to alias substitution as described for \fBAliasFile\fR.
.Sp
Note: As with \fBAliasFile\fR, the domain mechanism only governs which user
checks the validity of a particular piece of mail. It does not affect
where the mail is eventually delivered, should the resulting rules accept
the mail.
.RE
.IP "\fBEnv\fR \fIvar\fR[\fB=\fR\fIvalue\fR]" 4
.IX Item "Env var[=value]"
Specifies an environment variable to supply when running avenger.
Ordinarily, avenger is run with a clean environment, with only a few
variables such as \fB\s-1PATH\s0\fR passed through. If the \fBEnv\fR directive
specifies a value, the environment variable will be set to this value. If
\fB=\fR\fIvalue\fR is omitted, asmtpd will pass through the value of the
environment variable it inherits, or leave the variable unset if it is
not set in the environment in which asmtpd is run.
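.Sp
The AliasFile and DomainFile mapping described above, as an added Python sketch that is not Mail Avenger's own code, showing which local user ends up checking a given recipient. The file contents are constructed samples; keeping the extension after a substituted prefix, returning the last value when a loop or the depth limit stops substitution, and taking the text before the first separator as the user name for every domain form are assumptions the page does not settle.

```python
MAX_DEPTH = 20  # recursion limit stated for AliasFile

# Constructed sample files (not from a real site).
DOMAINS_TXT = """\
example.com:
lists.example.org: listadmin
customer.example.net: hosting-
"""
ALIASES_TXT = """\
postmaster: root
root: alice
sales: bob
sales-eu: carol
"""


def parse_map(text):
    """Parse 'key: value' lines, the form shown for both files (value may be empty)."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            table[key.strip()] = value.strip()
    return table


def alias_step(local, aliases, sep):
    """Apply one substitution; the longest matching prefix wins. None if no match."""
    best = None
    for prefix in aliases:
        exact = local == prefix
        extended = bool(sep) and local.startswith(prefix + sep)
        if (exact or extended) and (best is None or len(prefix) > len(best)):
            best = prefix
    if best is None:
        return None
    # Assumption: the separator and extension after the prefix are kept.
    return aliases[best] + local[len(best):]


def apply_aliases(local, aliases, sep):
    """Substitute repeatedly; stop on no match, on a loop, or at MAX_DEPTH."""
    seen = {local}
    for _ in range(MAX_DEPTH):
        nxt = alias_step(local, aliases, sep)
        if nxt is None:
            return local, "ok"
        if nxt in seen:
            return local, "loop"          # assumption: keep the last value
        seen.add(nxt)
        local = nxt
    return local, "depth-limit"


def responsible_user(address, domains, aliases, sep):
    """Return (user, mapped_local, status), or None if the domain is not listed."""
    local, _, domain = address.rpartition("@")
    target = domains.get(domain.lower())  # lower-casing is an assumption
    if target is None:
        return None                       # not in DomainFile: relay/secondary rules
    if target == "":
        mapped = local                    # form "domain:"
    elif sep and target.endswith(sep):
        mapped = target + local           # form "domain: userSEPARATOR"
    else:
        mapped = target                   # form "domain: user"
    mapped, status = apply_aliases(mapped, aliases, sep)
    # User name = text before the first separator (stated for the first form;
    # applying it to the other two forms is an assumption).
    user = mapped.split(sep, 1)[0] if sep else mapped
    return user, mapped, status


if __name__ == "__main__":
    doms, als = parse_map(DOMAINS_TXT), parse_map(ALIASES_TXT)
    for rcpt in ("sales-eu-berlin@example.com", "postmaster@example.com",
                 "info@customer.example.net", "x@elsewhere.test"):
        print(rcpt, "->", responsible_user(rcpt, doms, als, "-"))
```

The result only names the account whose rules vet the message; as the notes above say, it does not decide where accepted mail is delivered.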
.IP "\fBAvengerMaxPerUser\fR \fIval\fR" 4
.IX Item "AvengerMaxPerUser val"
Specifies how many concurrent avenger processes to launch for a
particular user. If a particular user already has this many avenger
processes running, and another \s-1SMTP\s0 client issues an \s-1RCPT\s0 command that
resolves to the same local user (or another local user with the same
numeric \s-1UID\s0), then asmtpd will wait for one of the existing avenger
processes to exit before launching a new avenger to evaluate the new
\&\s-1RCPT\s0 command. The default for \fIval\fR is 5. This limit does not apply
to the system-wide \fIunknown\fR, \fIdefault\fR, and \fIrelay\fR files processed
under the \fBAvengerUser\fR \s-1UID. \s0(Note that bodytests run for a particular
user are also included in that user's count of avenger processes.)
.IP "\fBAvengerTimeout\fR \fIseconds\fR" 4
.IX Item "AvengerTimeout seconds"
Specifies a timeout value after which asmtpd will attempt to kill an
avenger process, in case the process has somehow gotten stuck. asmtpd
does this, before launching avenger, by setting an alarm for the process.
The default for \fIseconds\fR is 600.
.IP "\fBNoCheck\fR \fIuser\fR[<@>\fIhost\fR]" 4
.IX Item "NoCheck user[<@>host]"
Specifies that asmtpd's internal checks for email validity should be
bypassed for email to a particular email address. If \fIhost\fR is not
specified, then this applies to \fIuser\fR at any acceptable local host
(asmtpd still will not allow relaying, of course). It is a good idea to
enable this for usernames specified in \s-1RFC 2142,\s0 such as
\&\fBpostmaster\fR and \fBabuse\fR.
.IP "\fB\s-1RBL\s0\fR [\fB\-i\fR] [\fB\-p\fR] [\fB\-f\fR] \fB\-s\fR \fIscore\fR \fIdomain\fR" 4
.IX Item "RBL [-i] [-p] [-f] -s score domain"
Checks real-time blackhole list \fIdomain\fR. If \fB\-i\fR is present, looks up
the client's \s-1IP\s0 address reversed (i.e., for client 1.2.3.4, this will
match when \s-1DNS\s0 name 4.3.2.1.\fIdomain\fR exists).
If \fB\-p\fR is present, the name of the client (as specified by a verified
\s-1PTR DNS\s0 record) will be looked up. If \fB\-f\fR is present, the hostname
from the envelope sender (the address in the \s-1SMTP MAIL\s0 command) will be
looked up (i.e., mail from \fIuser\fR\fB@\fR\fIhost\fR matches if
\fIhost\fR\fB.\fR\fIdomain\fR exists). If none of \fB\-i\fR, \fB\-p\fR, or \fB\-f\fR is
specified, \fB\-i\fR is assumed by default.
.Sp
\&\fIscore\fR is an integer (which can be negative). The scores of all
matching RBLs are added together, and a message is rejected if the total
is greater than or equal to 100.
.IP "\fBUserMail\fR [0|1]" 4
.IX Item "UserMail [0|1]"
If set to 0, asmtpd will not check \fImail*\fR files in users'
\&\fI.avenger\fR directories, but will always use the system-wide \fIrelay\fR
file (and \fIsecondary\fR file) to decide whether to relay mail. The default
value is 0.
.IP "\fBUserRcpt\fR [0|1]" 4
.IX Item "UserRcpt [0|1]"
If set to 0, asmtpd will not check \fIrcpt*\fR files in users'
\&\fI.avenger\fR directories, but will always use the system-wide
\&\fIdefault\fR file. The default value is 1.
.IP "\fBAllowPercent\fR [0|1]" 4
.IX Item "AllowPercent [0|1]"
If set to 0 (the default), asmtpd will reject any email whose local part
contains a \f(CW\*(C`%\*(C'\fR character. This is because many MTAs will relay mail
for users of the form \fBuser%host1@host2\fR to \fBuser@host1\fR. While of
course it is possible to reject such messages with the
\&\fI/etc/avenger/unknown\fR file, it is easy to forget to do so. Failing
to do so can get your site listed in various spam source lists, which
will have some serious consequences. For that reason, \fBAllowPercent\fR is
0 by default. Set it to 1 if you really do want mail for users with
\f(CW\*(C`%\*(C'\fR characters.
.IP "\fBAllowDNSFail\fR [0|1|2]" 4
.IX Item "AllowDNSFail [0|1|2]"
Upon accepting a connection from a client, asmtpd attempts to resolve the
client's \s-1IP\s0 address to a hostname.
If a temporary \s-1DNS\s0 error occurs and \fBAllowDNSFail\fR is set to 0 (the
default), asmtpd will reject the connection immediately. If
\fBAllowDNSFail\fR is set to 1, however, then asmtpd will accept the
connection and continue. In this case, the
\fB\s-1CLIENT_DNSFAIL\s0\fR environment variable will be set to an error
message, and mail will still be rejected by default unless an rcpt
script explicitly calls \fBaccept\fR. If
\&\fBAllowDNSFail\fR is set to 2, then \fB\s-1CLIENT_DNSFAIL\s0\fR will still be
set, but by default mail will be accepted unless explicitly rejected.
.Sp
Note that this option has no effect on \s-1IP\s0 addresses that don't
resolve to a domain name (e.g., where a lookup of the in\-addr.arpa
domain returns an empty result or the \s-1NXDOMAIN\s0 error).
.SS "\s-1SSL CONFIGURATION PARAMETERS\s0"
.IX Subsection "SSL CONFIGURATION PARAMETERS"
.IP "\fB\s-1SSL\s0\fR [0|1|2]" 4
.IX Item "SSL [0|1|2]"
This and the following options are supported if Mail Avenger has been
compiled with support for the \s-1STARTTLS\s0 command (using the
\&\fB\-\-enable\-ssl\fR option to \f(CW\*(C`configure\*(C'\fR). If \fB\s-1SSL\s0\fR is set to 0,
then the \s-1STARTTLS\s0 command will be disabled.
.Sp
If \fB\s-1SSL\s0\fR is set to 1 (the default), then \s-1STARTTLS\s0 will be enabled
provided the private key and certificate files can be found. (Since
these files will not exist by default, \s-1STARTTLS\s0 is still disabled by
default.) Relaying based on client certificates can be enabled by
checking the \fB\s-1SSL_ISSUER\s0\fR and \fB\s-1SSL_SUBJECT\s0\fR environment variables
in the \fIrelay\fR script.
.Sp
If \fB\s-1SSL\s0\fR is set to 2, then authentication with \fIany\fR valid client
certificate will allow mail relaying with no further checks.
This value makes sense only if your organization runs a private
certificate authority and you only place your local \s-1CA\s0 key in the
\fBSSLCAcert\fR file, as otherwise you will have no control over who can
relay mail through your machine.
.IP "\fBSSLCAcert\fR \fIpath\fR" 4
.IX Item "SSLCAcert path"
\&\fBSSLCAcert\fR specifies the certificate authorities allowed to sign
client certificates. \fIpath\fR must be a file containing one or more
trusted \s-1CA\s0 certificates in \s-1PEM\s0 format. If \fIpath\fR is not an absolute
path name, asmtpd will look for the file in \fBEtcDir\fR. The default
\&\fIpath\fR is \fIcacert.pem\fR.
.IP "\fB\s-1SSLCRL\s0\fR \fIpath\fR" 4
.IX Item "SSLCRL path"
If \s-1SSL\s0 is in use, \fIpath\fR specifies a PEM-format certificate
revocation list. The default value is \fIcrl.pem\fR.
.IP "\fBSSLkey\fR \fIpath\fR" 4
.IX Item "SSLkey path"
If \s-1SSL\s0 is in use, \fIpath\fR specifies a PEM-format file containing the
server's private key. If the file is not present, the \s-1STARTTLS\s0
command will be disabled. The default \fIpath\fR is \fIprivkey.pem\fR.
.IP "\fBSSLcert\fR \fIpath\fR" 4
.IX Item "SSLcert path"
If \s-1SSL\s0 is in use, \fIpath\fR specifies a PEM-format file containing a
certificate for the public key corresponding to private key \fBSSLkey\fR.
If the file is not present, the \s-1STARTTLS\s0 command will be disabled.
The default \fIpath\fR is \fIcert.pem\fR.
.IP "\fBSSLciphers\fR \fIstring\fR" 4
.IX Item "SSLciphers string"
\&\fIstring\fR specifies the preference for ciphers with \s-1SSL. \s0 For example,
to allow all ciphers except anonymous Diffie-Hellman, low key sizes,
exportable ciphers, and MD5\-based \s-1MAC,\s0 and to sort ciphers by strength,
you might use the following \fIstring\fR:
.Sp
.Vb 1
\& ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
.Ve
.Sp
By default, asmtpd just uses the OpenSSL library's default cipher
preferences.
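.PP
The caveat on \fBSSL\fR 2 and the \fBSSLCAcert\fR path rule above can be checked before a configuration is deployed. The following audit is an added example, not part of Mail Avenger; its function names, the sample configuration and the placeholder certificate bundle are constructed, and it assumes one directive per line.

```python
import posixpath

# Constructed sample input: a config with SSL 2 and a bundle holding two
# CA certificates (placeholder bodies, not real certificates).
SAMPLE_CONF = "EtcDir /etc/avenger\nSSL 2\nSSLCAcert cacert.pem\nSSLciphers ALL:!ADH:@STRENGTH\n"
BEGIN = "-----BEGIN CERTIFICATE-----"
FAKE_CERT = BEGIN + "\n(constructed)\n-----END CERTIFICATE-----\n"
SAMPLE_FILES = {"/etc/avenger/cacert.pem": FAKE_CERT * 2}

def parse_conf(text):
    """Map directive -> argument list; assumes one 'Name args' per line."""
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            conf[parts[0]] = parts[1:]
    return conf

def resolve(conf, directive, default):
    """Relative paths are looked up in EtcDir (default /etc/avenger)."""
    path = (conf.get(directive) or [default])[0]
    etcdir = (conf.get("EtcDir") or ["/etc/avenger"])[0]
    return path if posixpath.isabs(path) else posixpath.join(etcdir, path)

def audit_ssl(conf_text, files):
    """Return findings for the SSL directives; files maps path -> contents."""
    conf = parse_conf(conf_text)
    mode = int((conf.get("SSL") or ["1"])[0])   # documented default is 1
    findings = []
    if mode == 0:
        return findings                          # STARTTLS disabled
    ca_path = resolve(conf, "SSLCAcert", "cacert.pem")
    n_ca = files.get(ca_path, "").count(BEGIN)
    if mode == 2 and n_ca > 1:
        # The count cannot prove a single CA is private; that needs review.
        findings.append(f"SSL 2 with {n_ca} CA certificates in {ca_path}: "
                        "a certificate signed by any of them may relay")
    if "SSLciphers" in conf:
        # Compared against the exclusions in the man page's example string.
        have = set((conf["SSLciphers"] or [""])[0].split(":"))
        missing = sorted({"!ADH", "!LOW", "!EXP", "!MD5"} - have)
        if missing:
            findings.append("SSLciphers lacks " + " ".join(missing))
    else:
        findings.append("SSLciphers unset: OpenSSL default preferences apply")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ssl(SAMPLE_CONF, SAMPLE_FILES)))
```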
.SS "\s-1SPF CONFIGURATION PARAMETERS\s0"
.IX Subsection "SPF CONFIGURATION PARAMETERS"
.IP "\fBSPFfail\fR [\fISPF-rule\fR ...]" 4
.IX Item "SPFfail [SPF-rule ...]"
\&\s-1SPF \s0(Sender Policy Framework) is a mechanism to prevent forgery of
email sender addresses. (More information is available at and in the
forthcoming \s-1RFC 4408.\s0) asmtpd always runs \s-1SPF\s0 checks on incoming
email. An \s-1SPF\s0 check returns one of seven possible results: \fBnone\fR,
\fBneutral\fR, \fBpass\fR, \fBfail\fR,
\&\fBsoftfail\fR, \fBerror\fR, or \fBunknown\fR. asmtpd will reject mail if the
result is \fBfail\fR (and defer mail if the result is \fBerror\fR).
.Sp
The SPFfail directive provides a second chance to mail that would
otherwise resolve to \fBfail\fR. If \s-1SPF\s0 rules are provided with this
directive, and the \s-1SPF\s0 check on a message resolves to \fBfail\fR, then
asmtpd will re-evaluate the message with the rules from the SPFfail
directive. If the SPFfail rules evaluate to \fBnone\fR, \fBneutral\fR, or
\&\fBunknown\fR, then the original \fBfail\fR result will remain. Otherwise,
the result of the SPFfail rules overrides the \fBfail\fR result.
.Sp
This directive can be used to work around the problem of sites, such as
evite.com, that forge email, but do not actually send spam.
trusted\-forwarder.org maintains a white-list of such sites, and it is
highly recommended that you use this whitelist until \s-1SPF\s0 is more
widely deployed. To do so, you can use the configuration line:
.Sp
.Vb 1
\& SPFfail include:spf.trusted\-forwarder.org
.Ve
.IP "\fBSPFnone\fR [\fISPF-rule\fR ...]" 4
.IX Item "SPFnone [SPF-rule ...]"
This directive is similar to SPFfail, but supplies additional \s-1SPF\s0
rules to be run in the event that the \s-1SPF\s0 result for a message
resolves to \fBnone\fR\-\-meaning that the domain from which the mail comes
does not publish an \s-1SPF\s0 record.
One possible use might be the following:
.Sp
.Vb 1
\& SPFnone a/24 mx/24 ptr
.Ve
.Sp
This rule says that if the sending domain does not publish an \s-1SPF\s0
record, consider its result to be \fBpass\fR nonetheless as long as the
sending host shares a 24\-bit \s-1IP\s0 prefix with the address of the
domain, or the address of any of the mail exchangers (\s-1DNS MX\s0 records)
for the domain, or if the domain name of the sending machine has the
sender domain name as a suffix.
.IP "\fBSPFlocal\fR [\fISPF-rule\fR ...]" 4
.IX Item "SPFlocal [SPF-rule ...]"
Unlike the previous two rules, which provide hooks to run after an
\s-1SPF\s0 result has been determined, SPFlocal supplies \s-1SPF\s0 rules to be
run before even attempting \s-1SPF\s0 rules for the domain. If the local
rules return \fBpass\fR, \fBfail\fR, \fBsoftfail\fR, or \fBerror\fR, this result
becomes the \s-1SPF\s0 result for the message. Otherwise, asmtpd evaluates
the appropriate rules for the domain as usual.
.Sp
An example use might be to reject mail from a real-time black hole list
(\s-1RBL\s0), such as spamcop:
.Sp
.Vb 1
\& SPFlocal \-exists:%{ir}.bl.spamcop.net
.Ve
.IP "\fBSPFexp\fR [\fIexplanation\fR ...]" 4
.IX Item "SPFexp [explanation ...]"
Provides a default explanation for an \s-1SPF\s0 failure, if the sender
domain does not have one. The default is:
.Sp
.Vb 1
\& SPFexp See http://www.openspf.org/why.html?sender=%{S}&ip=%{I}
.Ve
.IP "\fBSPFHostsFile\fR \fIpath\fR" 4
.IX Item "SPFHostsFile path"
This specifies the pathname of a file that contains \*(L"fallback\*(R" \s-1SPF\s0
records for domains that fail to supply \s-1SPF\s0 records themselves. This
file effectively achieves the same result as \fBSPFnone\fR, but on a
per-hostname basis. The default \fIpath\fR is \fIspfhosts\fR in the directory
specified by \fBEtcDir\fR (or \fI/etc/avenger\fR by default).
Each line of the file has the form:
.RS 4
.Sp
.RS 4
\&\fIdomain\fR\fB:\fR \fISPF-rules\fR
.RE
.RE
.RS 4
.Sp
\&\fIdomain\fR is the domain name for which the \fISPF-rules\fR apply. If
\&\fIdomain\fR starts with a \f(CW\*(C`.\*(C'\fR, then the rule matches all host names
with \fIdomain\fR as a suffix. In other words, \f(CW\*(C`.yahoo.com\*(C'\fR matches
\&\f(CW\*(C`mail.yahoo.com\*(C'\fR, \f(CW\*(C`mx.yahoo.com\*(C'\fR, but not \f(CW\*(C`yahoo.com\*(C'\fR. Note that if
a domain publishes an \s-1SPF\s0 record through \s-1DNS,\s0 the record in \s-1DNS\s0
overrides the record specified in this file.
.Sp
As an example, suppose Microsoft does not publish an \s-1SPF\s0 record in
\&\s-1DNS,\s0 but you happen to know that all mail from users at
\&\f(CW\*(C`microsoft.com\*(C'\fR comes from machines whose reverse \s-1DNS\s0 mapping ends in
either \f(CW\*(C`microsoft.com\*(C'\fR or \f(CW\*(C`msft.com\*(C'\fR, or else whose \s-1IP\s0 addresses
share a 16\-bit prefix with one of the mail exchangers for
\&\f(CW\*(C`microsoft.com\*(C'\fR. You might place the following line in your
\&\fIspfhosts\fR file:
.Sp
.Vb 1
\& microsoft.com: ptr ptr:msft.com mx/16 ~all
.Ve
.Sp
Here \f(CW\*(C`~all\*(C'\fR resorts to \fBsoftfail\fR when the sender does not match,
which tags the message but does not reject it. Use \f(CW\*(C`\-all\*(C'\fR to reject
the mail outright. Note that if Microsoft ever starts publishing an
\&\s-1SPF\s0 record in \s-1DNS,\s0 it will override the above line.
.RE
.SS "\s-1DEBUG PARAMETERS\s0"
.IX Subsection "DEBUG PARAMETERS"
.IP "\fBDebugSMTP\fR [0|1]" 4
.IX Item "DebugSMTP [0|1]"
When set to 1, causes asmtpd to log a complete trace of all \s-1SMTP\s0
traffic to and from connecting clients. Produces a large amount of
data, but can be useful for debugging. Each trace line lists the name of
the connecting client and asmtpd's file descriptor number in
parentheses.
.IP "\fBDebugSMTPc\fR [0|1]" 4
.IX Item "DebugSMTPc [0|1]"
When receiving mail, asmtpd connects to remote mail servers to ensure
the envelope sender addresses of incoming messages are valid email
addresses, and in particular that they can receive bounces. When
\&\fBDebugSMTPc\fR is set to 1, all outgoing \s-1SMTP\s0 connection traffic from
SMTPc is logged. The output format is similar to \fBDebugSMTP\fR, but file
descriptor numbers are prefixed with \f(CW\*(C`R\*(C'\fR to indicate this is a
reverse connection.
.IP "\fBDebugAvenger\fR [0|1]" 4
.IX Item "DebugAvenger [0|1]"
Prints a trace of input and output to all avenger processes run. The
name also has a file descriptor number prefixed with \f(CW\*(C`a\*(C'\fR for
avenger.
.SH "FILES"
.IX Header "FILES"
.IP "\fI/etc/avenger/asmtpd.conf\fR" 4
.IX Item "/etc/avenger/asmtpd.conf"
default location of file
.IP "\fI/etc/avenger\fR" 4
.IX Item "/etc/avenger"
default for \fBEtcDir\fR, location of other configuration files
.IP "\fIaliases\fR, \fIdomains\fR, \fIspfhosts\fR" 4
.IX Item "aliases, domains, spfhosts"
see the descriptions of \fBAliasFile\fR, \fBDomainFile\fR, and
\&\fBSPFHostsFile\fR above
.IP "\fIunknown\fR, \fIdefault\fR, \fIsecondary\fR, \fIrelay\fR" 4
.IX Item "unknown, default, secondary, relay"
avenger rules to be run by the \fBAvengerUser\fR under different
circumstances; see the description of \fBEtcDir\fR above, and the manual
page for \fIavenger\fR\|(1)
.IP "\fI/var/run/asmtpd.pid\fR" 4
.IX Item "/var/run/asmtpd.pid"
File containing the process \s-1ID\s0 of a running asmtpd process. You must
send this process a \s-1SIGHUP\s0 signal for it to re-read the
\fIasmtpd.conf\fR file.
.IP "\fI/usr/local/share/avenger/asmtpd.conf\fR" 4
.IX Item "/usr/local/share/avenger/asmtpd.conf"
.PD 0
.IP "\fI/usr/local/share/avenger/unknown\fR" 4
.IX Item "/usr/local/share/avenger/unknown"
.PD
Example configuration files.
.IP "\fI/usr/local/share/avenger/smtp\-filter.pf\fR" 4
.IX Item "/usr/local/share/avenger/smtp-filter.pf"
.PD 0
.IP "\fI/usr/local/share/avenger/smtp\-filter.iptables\fR" 4
.IX Item "/usr/local/share/avenger/smtp-filter.iptables"
.PD
Example scripts for the \fBSMTPFilter\fR directive.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIasmtpd\fR\|(8),
\&\fIavenger\fR\|(1)
.PP
The Mail Avenger home page: .
.SH "AUTHOR"
.IX Header "AUTHOR"
David Mazie\*`res
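.PP
How the \fBRBL\fR directive described above turns its flags into DNS names and a reject decision, as an added example that is not Mail Avenger code. The zone names, the stub resolver and the sample client are constructed; the sketch handles IPv4 only and assumes each list contributes its score once however many of its lookups match.

```python
REJECT_TOTAL = 100  # the man page rejects when the summed score is >= 100

def parse_rbl(line):
    """Parse 'RBL [-i] [-p] [-f] -s score domain' -> (flags, score, domain)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "RBL":
        raise ValueError("not an RBL directive: " + line)
    flags, score, i = set(), None, 1
    while i < len(tok) - 1:
        if tok[i] in ("-i", "-p", "-f"):
            flags.add(tok[i][1])
        elif tok[i] == "-s":
            i += 1
            score = int(tok[i])          # may be negative
        else:
            raise ValueError("unexpected token: " + tok[i])
        i += 1
    if score is None:
        raise ValueError("-s score is required")
    return (flags or {"i"}), score, tok[-1]   # -i is the default lookup

def query_names(flags, domain, client_ip, client_ptr, mail_from):
    """DNS names whose existence counts as a match (IPv4 only here)."""
    names = []
    if "i" in flags:
        names.append(".".join(reversed(client_ip.split("."))) + "." + domain)
    if "p" in flags and client_ptr:      # empty means no verified PTR name
        names.append(client_ptr + "." + domain)
    if "f" in flags and "@" in mail_from:
        names.append(mail_from.rsplit("@", 1)[1] + "." + domain)
    return names

def rbl_total(directives, exists, **client):
    """Sum the scores of matching RBLs; assumes each RBL counts once."""
    total = 0
    for line in directives:
        flags, score, domain = parse_rbl(line)
        if any(exists(n) for n in query_names(flags, domain, **client)):
            total += score
    return total

# Constructed sample: three lists under made-up zones and a stub resolver.
RULES = ["RBL -i -s 60 bl.example", "RBL -f -s 50 rhsbl.example",
         "RBL -p -s -30 allow.example"]
ZONE = {"10.2.0.192.bl.example", "spam.test.rhsbl.example",
        "mx.good.test.allow.example"}

if __name__ == "__main__":
    total = rbl_total(RULES, ZONE.__contains__, client_ip="192.0.2.10",
                      client_ptr="mx.good.test", mail_from="a@spam.test")
    print(total, "reject" if total >= REJECT_TOTAL else "continue")
```

A negative score on a list keyed by verified PTR name, as in the third sample rule, is what lets a known-good host stay under the threshold even when two other lists match.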
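.PP
A parser for the \fIspfhosts\fR format described under \fBSPFHostsFile\fR, with the leading-dot suffix rule and the DNS override, as an added example that is not Mail Avenger code. The second sample line is constructed, and picking the longest entry when several match is an assumption the manual page does not state.

```python
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample file: the first line is the man page's example, the
# second is made up to show a leading-dot (suffix) entry.
SAMPLE = """microsoft.com: ptr ptr:msft.com mx/16 ~all
.yahoo.com: ptr -all
"""

def parse_spfhosts(text):
    """Parse 'domain: SPF-rules' lines into a list of (domain, rules)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        domain, sep, rules = line.partition(":")   # rules may contain ':'
        if not sep or not domain.strip() or not rules.strip():
            raise ValueError(f"line {lineno}: expected 'domain: SPF-rules'")
        entries.append((domain.strip().lower(), rules.strip()))
    return entries

def fallback_rules(entries, sender_domain, dns_record=None):
    """Rules used for sender_domain; a record in DNS overrides the file."""
    if dns_record is not None:
        return dns_record
    host = sender_domain.lower().rstrip(".")
    best = None
    for domain, rules in entries:
        # ".yahoo.com" matches mail.yahoo.com but not yahoo.com itself.
        hit = host.endswith(domain) if domain.startswith(".") else host == domain
        # Assumption: when several entries match, the longest one wins.
        if hit and (best is None or len(domain) > len(best[0])):
            best = (domain, rules)
    return best[1] if best else None

def catch_all(rules):
    """Result for senders that match nothing: the qualifier on 'all'."""
    for term in rules.split():
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qual]
    return None   # no 'all' term, so the entry has no explicit default

if __name__ == "__main__":
    entries = parse_spfhosts(SAMPLE)
    for name in ("microsoft.com", "mail.yahoo.com", "yahoo.com"):
        rules = fallback_rules(entries, name)
        print(name, "->", rules, "/", catch_all(rules) if rules else None)
```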