# ---------------------------------------------------------------- # policyd-weight configuration (defaults) Version 0.1.15 beta-2 # ---------------------------------------------------------------- $DEBUG = 0; # 1 or 0 - don't comment $REJECTMSG = "550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs"; $REJECTLEVEL = 1; # Mails with scores which exceed this # REJECTLEVEL will be rejected $DEFER_STRING = 'IN_SPAMCOP= BOGUS_MX='; # A space separated case-sensitive list of # strings on which if found in the $RET # logging-string policyd-weight changes # its action to $DEFER_ACTION in case # of rejects. # USE WITH CAUTION! # DEFAULT: "IN_SPAMCOP= BOGUS_MX=" $DEFER_ACTION = '450'; # Possible values: DEFER_IF_PERMIT, # DEFER_IF_REJECT, # 4xx response codes. See also access(5) # DEFAULT: 450 $DEFER_LEVEL = 5; # DEFER mail only up to this level # scores greater than DEFER_LEVEL will be # rejected # DEFAULT: 5 $DNSERRMSG = '450 No DNS entries for your MTA, HELO and Domain. Contact YOUR administrator'; $dnsbl_checks_only = 0; # 1: ON, 0: OFF (default) # If ON request that ALL clients are only # checked against RBLs @dnsbl_checks_only_regexps = ( # qr/[^.]*(exch|smtp|mx|mail).*\..*\../, # qr/yahoo.com$/ ); # specify a comma-separated list of regexps # for client hostnames which shall only # be RBL checked. This does not work for # postfix' "unknown" clients. # The usage of this should not be the norm # and is a tool for people which like to # shoot in their own foot. # DEFAULT: empty $LOG_BAD_RBL_ONLY = 1; # 1: ON (default), 0: OFF # When set to ON it logs only RBLs which # affect scoring (positive or negative) ## DNSBL settings @dnsbl_score = ( # HOST, HIT SCORE, MISS SCORE, LOG NAME 'pbl.spamhaus.org', 3.25, 0, 'DYN_PBL_SPAMHAUS', 'sbl-xbl.spamhaus.org', 4.35, -1.5, 'SBL_XBL_SPAMHAUS', 'bl.spamcop.net', 3.75, -1.5, 'SPAMCOP', # 'dnsbl.njabl.org', 4.25, -1.5, 'BL_NJABL', 'ix.dnsbl.manitu.net', 4.35, 0, 'IX_MANITU' #'rbl.ipv6-world.net', 4.25, 0, 'IPv6_RBL' #don't use, kept for testing failures! ); $MAXDNSBLHITS = 2; # If Client IP is listed in MORE # DNSBLS than this var, it gets # REJECTed immediately $MAXDNSBLSCORE = 8; # alternatively, if the score of # DNSBLs is ABOVE this # level, reject immediately $MAXDNSBLMSG = '550 Your MTA is listed in too many DNSBLs'; ## RHSBL settings @rhsbl_score = ( 'multi.surbl.org', 4, 0, 'SURBL', 'rhsbl.ahbl.org', 4, 0, 'AHBL', # 'dsn.rfc-ignorant.org', 3.5, 0, 'DSN_RFCI', # 'postmaster.rfc-ignorant.org', 0.1, 0, 'PM_RFCI', # 'abuse.rfc-ignorant.org', 0.1, 0, 'ABUSE_RFCI' ); $BL_ERROR_SKIP = 2; # skip a RBL if this RBL had this many continuous # errors $BL_SKIP_RELEASE = 10; # skip a RBL for that many times ## cache stuff $LOCKPATH = '/tmp/.policyd-weight/'; # must be a directory (add # trailing slash) $SPATH = $LOCKPATH.'/polw.sock'; # socket path for the cache # daemon. $MAXIDLECACHE = 60; # how many seconds the cache may be idle # before starting maintenance routines # NOTE: standard maintenance jobs happen # regardless of this setting. $MAINTENANCE_LEVEL = 5; # after this number of requests do following # maintenance jobs: # checking for config changes # negative (i.e. SPAM) result cache settings ################################## $CACHESIZE = 2000; # set to 0 to disable caching for spam results. # To this level the cache will be cleaned. $CACHEMAXSIZE = 4000; # at this number of entries cleanup takes place $CACHEREJECTMSG = '550 temporarily blocked because of previous errors'; $NTTL = 1; # after NTTL retries the cache entry is deleted $NTIME = 30; # client MUST NOT retry within this seconds in order # to decrease TTL counter # positve (i.,e. HAM) result cache settings ################################### $POSCACHESIZE = 1000; # set to 0 to disable caching of HAM. To this number # of entries the cache will be cleaned $POSCACHEMAXSIZE = 2000; # at this number of entries cleanup takes place $POSCACHEMSG = 'using cached result'; $PTTL = 60; # after PTTL requests the HAM entry must # succeed one time the RBL checks again $PTIME = '3h'; # after $PTIME in HAM Cache the client # must pass one time the RBL checks again. # Values must be nonfractal. Accepted # time-units: s, m, h, d $TEMP_PTIME = '1d'; # The client must pass this time the RBL # checks in order to be listed as hard-HAM # After this time the client will pass # immediately for PTTL within PTIME ## DNS settings $DNS_RETRIES = 2; # Retries for ONE DNS-Lookup $DNS_RETRY_IVAL = 2; # Retry-interval for ONE DNS-Lookup $MAXDNSERR = 3; # max error count for unresponded queries # in a complete policy query $MAXDNSERRMSG = 'passed - too many local DNS-errors'; $PUDP = 0; # persistent udp connection for DNS queries. # broken in Net::DNS version 0.51. Works with # Net::DNS 0.53; DEFAULT: off $USE_NET_DNS = 0; # Force the usage of Net::DNS for RBL lookups. # Normally policyd-weight tries to use a faster # RBL lookup routine instead of Net::DNS $NS = ''; # A list of space separated NS IPs # This overrides resolv.conf settings # Example: $NS = '1.2.3.4 1.2.3.5'; # DEFAULT: empty $IPC_TIMEOUT = 2; # timeout for receiving from cache instance $TRY_BALANCE = 0; # If set to 1 policyd-weight closes connections # to smtpd clients in order to avoid too many # established connections to one policyd-weight # child # scores for checks, WARNING: they may manipulate eachother # or be factors for other scores. # HIT score, MISS Score @client_ip_eq_helo_score = (1.5, -1.25 ); @helo_score = (1.5, -2 ); @helo_from_mx_eq_ip_score = (1.5, -3.1 ); @helo_numeric_score = (2.5, 0 ); @from_match_regex_verified_helo = (1, -2 ); @from_match_regex_unverified_helo = (1.6, -1.5 ); @from_match_regex_failed_helo = (2.5, 0 ); @helo_seems_dialup = (1.5, 0 ); @failed_helo_seems_dialup = (2, 0 ); @helo_ip_in_client_subnet = (0, -1.2 ); @helo_ip_in_cl16_subnet = (0, -0.41 ); @client_seems_dialup_score = (3.75, 0 ); @from_multiparted = (1.09, 0 ); @from_anon = (1.17, 0 ); @bogus_mx_score = (2.1, 0 ); @random_sender_score = (0.25, 0 ); @rhsbl_penalty_score = (3.1, 0 ); @enforce_dyndns_score = (3, 0 ); $VERBOSE = 0; $ADD_X_HEADER = 1; # Switch on or off an additional # X-policyd-weight: header # DEFAULT: on $DEFAULT_RESPONSE = 'DUNNO default'; # Fallback response in case # the weighted check didn't # return any response (should never # appear). # # Syslogging options for verbose mode and for fatal errors. # NOTE: comment out the $syslog_socktype line if syslogging does not # work on your system. # $syslog_socktype = 'unix'; # inet, unix, stream, console $syslog_facility = "mail"; $syslog_options = "pid"; $syslog_priority = "info"; $syslog_ident = "postfix/policyd-weight"; # # Process Options # $USER = "polw"; # User must be a username, no UID $GROUP = ""; # specify GROUP if necessary # DEFAULT: empty, will be initialized as # $USER $MAX_PROC = 50; # Upper limit if child processes $MIN_PROC = 3; # keep that minimum processes alive $TCP_PORT = 12525; # The TCP port on which policyd-weight # listens for policy requests from postfix $BIND_ADDRESS = '127.0.0.1'; # IP-Address on which policyd-weight will # listen for requests. # You may only list ONE IP here, if you want # to listen on all IPs you need to say 'all' # here. Default is '127.0.0.1'. # You need to restart policyd-weight if you # change this. $SOMAXCONN = 1024; # Maximum of client connections # policyd-weight accepts # Default: 1024 $CHILDIDLE = 240; # how many seconds a child may be idle before # it dies. $PIDFILE = "/var/run/policyd-weight.pid";