File: policyd-weight.conf.sample

package info (click to toggle)
policyd-weight 0.1.15.2-12
  • links: PTS
  • area: main
  • in suites: bullseye, buster, sid, stretch
  • size: 1,824 kB
  • ctags: 275
  • sloc: perl: 2,832; sh: 201; makefile: 35
file content (264 lines) | stat: -rw-r--r-- 11,825 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
# ----------------------------------------------------------------
#  policyd-weight configuration (defaults) Version 0.1.15 beta-2 
# ----------------------------------------------------------------


   $DEBUG        = 0;               # 1 or 0 - don't comment

   $REJECTMSG    = "550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs";

   $REJECTLEVEL  = 1;               # Mails with scores which exceed this
                                    # REJECTLEVEL will be rejected

   $DEFER_STRING = 'IN_SPAMCOP= BOGUS_MX='; 
                                    # A space separated case-sensitive list of
                                    # strings on which if found in the $RET
                                    # logging-string policyd-weight changes
                                    # its action to $DEFER_ACTION in case
                                    # of rejects.
                                    # USE WITH CAUTION!
                                    # DEFAULT: "IN_SPAMCOP= BOGUS_MX="


   $DEFER_ACTION = '450';           # Possible values: DEFER_IF_PERMIT,
                                    # DEFER_IF_REJECT, 
                                    # 4xx response codes. See also access(5)
                                    # DEFAULT: 450

   $DEFER_LEVEL  = 5;               # DEFER mail only up to this level
                                    # scores greater than DEFER_LEVEL will be
                                    # rejected
                                    # DEFAULT: 5

   $DNSERRMSG         = '450 No DNS entries for your MTA, HELO and Domain. Contact YOUR administrator';

   $dnsbl_checks_only = 0;          # 1: ON, 0: OFF (default)
                                    # If ON request that ALL clients are only
                                    # checked against RBLs

   @dnsbl_checks_only_regexps = (
    # qr/[^.]*(exch|smtp|mx|mail).*\..*\../,
    # qr/yahoo.com$/
);                                  # specify a comma-separated list of regexps
                                    # for client hostnames which shall only
                                    # be RBL checked. This does not work for
                                    # postfix' "unknown" clients.
                                    # The usage of this should not be the norm
                                    # and is a tool for people which like to
                                    # shoot in their own foot.
                                    # DEFAULT: empty
                                    

   $LOG_BAD_RBL_ONLY  = 1;          # 1: ON (default), 0: OFF
                                    # When set to ON it logs only RBLs which
                                    # affect scoring (positive or negative)
                                    
## DNSBL settings
   @dnsbl_score = (
#    HOST,                    HIT SCORE,  MISS SCORE,  LOG NAME
    'pbl.spamhaus.org',       3.25,          0,        'DYN_PBL_SPAMHAUS',
    'sbl-xbl.spamhaus.org',   4.35,       -1.5,        'SBL_XBL_SPAMHAUS',
    'bl.spamcop.net',         3.75,       -1.5,        'SPAMCOP',
    'dnsbl.njabl.org',        4.25,       -1.5,        'BL_NJABL',
    'ix.dnsbl.manitu.net',    4.35,          0,        'IX_MANITU'
    #'rbl.ipv6-world.net',     4.25,          0,        'IPv6_RBL'  #don't use, kept for testing failures!
);

   $MAXDNSBLHITS  = 2;  # If Client IP is listed in MORE
                        # DNSBLS than this var, it gets
                        # REJECTed immediately

   $MAXDNSBLSCORE = 8;  # alternatively, if the score of
                        # DNSBLs is ABOVE this
                        # level, reject immediately

   $MAXDNSBLMSG   = '550 Your MTA is listed in too many DNSBLs';

## RHSBL settings
   @rhsbl_score = (
    'multi.surbl.org',             4,        0,        'SURBL',
    'rhsbl.ahbl.org',              4,        0,        'AHBL',
    'dsn.rfc-ignorant.org',        3.5,      0,        'DSN_RFCI',
    'postmaster.rfc-ignorant.org', 0.1,      0,        'PM_RFCI',
    'abuse.rfc-ignorant.org',      0.1,      0,        'ABUSE_RFCI'
);

   $BL_ERROR_SKIP     = 2;  # skip a RBL if this RBL had this many continuous
                            # errors

   $BL_SKIP_RELEASE   = 10; # skip a RBL for that many times

## cache stuff
   $LOCKPATH          = '/tmp/.policyd-weight/';    # must be a directory (add
                                                    # trailing slash)

   $SPATH             = $LOCKPATH.'/polw.sock';     # socket path for the cache
                                                    # daemon. 

   $MAXIDLECACHE      = 60; # how many seconds the cache may be idle
                            # before starting maintenance routines
                            # NOTE: standard maintenance jobs happen
                            # regardless of this setting.

   $MAINTENANCE_LEVEL = 5;  # after this number of requests do following
                            # maintenance jobs:
                            # checking for config changes

# negative (i.e. SPAM) result cache settings ##################################

   $CACHESIZE       = 2000; # set to 0 to disable caching for spam results. 
                            # To this level the cache will be cleaned.

   $CACHEMAXSIZE    = 4000; # at this number of entries cleanup takes place

   $CACHEREJECTMSG  = '550 temporarily blocked because of previous errors';

   $NTTL            = 1;    # after NTTL retries the cache entry is deleted

   $NTIME           = 30;   # client MUST NOT retry within this seconds in order
                            # to decrease TTL counter


# positve (i.,e. HAM) result cache settings ###################################

   $POSCACHESIZE    = 1000; # set to 0 to disable caching of HAM. To this number
                            # of entries the cache will be cleaned

   $POSCACHEMAXSIZE = 2000; # at this number of entries cleanup takes place

   $POSCACHEMSG     = 'using cached result';

   $PTTL            = 60;   # after PTTL requests the HAM entry must
                            # succeed one time the RBL checks again

   $PTIME           = '3h'; # after $PTIME in HAM Cache the client
                            # must pass one time the RBL checks again.
                            # Values must be nonfractal. Accepted
                            # time-units: s, m, h, d

   $TEMP_PTIME      = '1d'; # The client must pass this time the RBL
                            # checks in order to be listed as hard-HAM
                            # After this time the client will pass
                            # immediately for PTTL within PTIME


## DNS settings
   $DNS_RETRIES     = 2;    # Retries for ONE DNS-Lookup

   $DNS_RETRY_IVAL  = 2;    # Retry-interval for ONE DNS-Lookup

   $MAXDNSERR       = 3;    # max error count for unresponded queries
                            # in a complete policy query

   $MAXDNSERRMSG    = 'passed - too many local DNS-errors';

   $PUDP            = 0;    # persistent udp connection for DNS queries.
                            # broken in Net::DNS version 0.51. Works with
                            # Net::DNS 0.53; DEFAULT: off

   $USE_NET_DNS     = 0;    # Force the usage of Net::DNS for RBL lookups.
                            # Normally policyd-weight tries to use a faster
                            # RBL lookup routine instead of Net::DNS


   $NS              = '';   # A list of space separated NS IPs
                            # This overrides resolv.conf settings
                            # Example: $NS = '1.2.3.4 1.2.3.5';
                            # DEFAULT: empty


   $IPC_TIMEOUT     = 2;    # timeout for receiving from cache instance

   $TRY_BALANCE     = 0;    # If set to 1 policyd-weight closes connections
                            # to smtpd clients in order to avoid too many
                            # established connections to one policyd-weight
                            # child

   $IGNORE_RFC1918_A = 0;   # If enabled (1) A records with RFC1918 addresses
                            # aren't treated as bogus addresses by policyd-weight
                            # and therefore bogus_mx_score isn't added.

# scores for checks, WARNING: they may manipulate eachother
# or be factors for other scores.
#                                       HIT score, MISS Score
   @client_ip_eq_helo_score          = (1.5,       -1.25 );
   @helo_score                       = (1.5,       -2    );
   @helo_from_mx_eq_ip_score         = (1.5,       -3.1  );
   @helo_numeric_score               = (2.5,        0    );
   @from_match_regex_verified_helo   = (1,         -2    );
   @from_match_regex_unverified_helo = (1.6,       -1.5  );
   @from_match_regex_failed_helo     = (2.5,        0    );
   @helo_seems_dialup                = (1.5,        0    );
   @failed_helo_seems_dialup         = (2,          0    );
   @helo_ip_in_client_subnet         = (0,         -1.2  );
   @helo_ip_in_cl16_subnet           = (0,         -0.41 );
   @client_seems_dialup_score        = (3.75,       0    );
   @from_multiparted                 = (1.09,       0    );
   @from_anon                        = (1.17,       0    );
   @bogus_mx_score                   = (2.1,        0    );
   @random_sender_score              = (0.25,       0    );
   @rhsbl_penalty_score              = (3.1,        0    );
   @enforce_dyndns_score             = (3,          0    );


   $VERBOSE = 0;

   $ADD_X_HEADER        = 1;    # Switch on or off an additional 
                                # X-policyd-weight: header
                                # DEFAULT: on


   $DEFAULT_RESPONSE    = 'DUNNO default'; # Fallback response in case
                                           # the weighted check didn't
                                           # return any response (should never
                                           # appear).



#
# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not
# work on your system.
#

   $syslog_socktype = 'unix';   # inet, unix, stream, console

   $syslog_facility = "mail";
   $syslog_options  = "pid";
   $syslog_priority = "info";
   $syslog_ident    = "postfix/policyd-weight";


#
# Process Options
#
   $USER            = "polw";      # User must be a username, no UID

   $GROUP           = "";          # specify GROUP if necessary
                                   # DEFAULT: empty, will be initialized as 
                                   # $USER

   $MAX_PROC        = 50;          # Upper limit if child processes
   $MIN_PROC        = 3;           # keep that minimum processes alive

   $TCP_PORT        = 12525;       # The TCP port on which policyd-weight 
                                   # listens for policy requests from postfix

   $BIND_ADDRESS    = '127.0.0.1'; # IP-Address on which policyd-weight will
                                   # listen for requests.
                                   # You may only list ONE IP here, if you want
                                   # to listen on all IPs you need to say 'all'
                                   # here. Default is '127.0.0.1'.
                                   # You need to restart policyd-weight if you
                                   # change this.

   $SOMAXCONN       = 1024;        # Maximum of client connections 
                                   # policyd-weight accepts
                                   # Default: 1024
                                   

   $CHILDIDLE       = 240;         # how many seconds a child may be idle before
                                   # it dies.

   $PIDFILE         = "/var/run/policyd-weight.pid";