Manpage of qmail-smtpd

qmail-smtpd

Section: Maintenance Commands (8)
 

NAME

qmail-smtpd - receive mail via SMTP  

SYNOPSIS

qmail-smtpd  

DESCRIPTION

qmail-smtpd receives mail messages via the Simple Mail Transfer Protocol (SMTP) and invokes qmail-queue to deposit them into the outgoing queue. qmail-smtpd must be supplied several environment variables; see tcp-environ(5).

If the environment variable SMTPS is non-empty, qmail-smtpd starts a TLS session (to support the deprecated SMTPS protocol, normally on port 465). Otherwise, qmail-smtpd offers the STARTTLS extension to ESMTP.

qmail-smtpd is responsible for counting hops. It rejects any message with 100 or more Received or Delivered-To header fields.

qmail-smtpd supports ESMTP, including the 8BITMIME, DATA, PIPELINING, SIZE, and AUTH options. qmail-smtpd includes a 'MAIL FROM:' parameter parser and obeys 'Auth' and 'Size' advertisements. qmail-smtpd can accept LOGIN, PLAIN, and CRAM-MD5 AUTH types. It invokes checkprogram, which reads on file descriptor 3 the username, a 0 byte, the password or CRAM-MD5 digest/response derived from the SMTP client, another 0 byte, a CRAM-MD5 challenge (if applicable to the AUTH type), and a final 0 byte. checkprogram invokes subprogram upon successful authentication, which should in turn return 0 to qmail-smtpd, effectively setting the environment variables $RELAYCLIENT and $TCPREMOTEINFO (any supplied value replaced with the authenticated username). qmail-smtpd will reject the authentication attempt if it receives a nonzero return value from checkprogram or subprogram.
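
The following is an added example, not code from qmail or its patches: a minimal checkprogram in Python that parses the record read from file descriptor 3 in the field order given above and verifies it. The 512-byte limit (taken from the checkpassword convention), the use of an empty challenge field to mean LOGIN/PLAIN, the hex encoding of the CRAM-MD5 digest, and the sample credential store are assumptions of this example.

```python
import hmac
import os
import sys

MAX_AUTH_BYTES = 512  # assumption: size limit from the checkpassword convention


def parse_auth_record(data: bytes):
    """Split b'user\\0secret\\0challenge\\0' into its three fields."""
    if len(data) > MAX_AUTH_BYTES:
        raise ValueError("record too long")
    if not data.endswith(b"\0"):
        raise ValueError("missing final 0 byte")
    fields = data[:-1].split(b"\0")
    if len(fields) != 3 or not fields[0]:
        raise ValueError("expected username, secret, challenge")
    return tuple(fields)


def verify(data: bytes, lookup) -> bool:
    """lookup(username) returns the stored password bytes, or None."""
    try:
        user, secret, challenge = parse_auth_record(data)
    except ValueError:
        return False
    stored = lookup(user)
    if stored is None:
        return False
    if challenge:
        # CRAM-MD5: the client sent hex HMAC-MD5(challenge), keyed by the password
        expected = hmac.new(stored, challenge, "md5").hexdigest().encode()
        return hmac.compare_digest(expected, secret.lower())
    # LOGIN / PLAIN: the client sent the password itself
    return hmac.compare_digest(stored, secret)


if __name__ == "__main__":
    users = {b"alice": b"s3cret"}  # constructed sample credential store
    with os.fdopen(3, "rb") as fd3:
        record = fd3.read(MAX_AUTH_BYTES + 1)
    if not verify(record, users.get):
        sys.exit(1)  # nonzero: qmail-smtpd rejects the attempt
    if len(sys.argv) > 1:
        os.execvp(sys.argv[1], sys.argv[1:])  # run subprogram on success
    sys.exit(0)
```

Both comparisons use hmac.compare_digest so that the time taken does not depend on how many leading bytes of the supplied secret are correct.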

Binding qmail-smtpd to the SUBMISSION port ('587') instead of the standard SMTP port 25 will advise qmail-smtpd to require SMTP authentication prior to accepting the 'MAIL FROM:' command. A different port can be chosen by populating the environment variable SUBMISSIONPORT.


 

TRANSPARENCY

qmail-smtpd converts the SMTP newline convention into the UNIX newline convention by converting CR LF into LF. It returns a temporary error and drops the connection on bare LFs; see http://pobox.com/~djb/docs/smtplf.html.

qmail-smtpd accepts messages that contain long lines or non-ASCII characters, even though such messages violate the SMTP protocol.  

CONTROL FILES

badhelo
Unacceptable HELO/EHLO host names. qmail-smtpd will reject every recipient address for a message if the host name is listed in, or matches a POSIX regular expression pattern listed in, badhelo. If the NOBADHELO environment variable is set, then the contents of badhelo will be ignored. For more information, please have a look at doc/README.qregex.
badmailfrom
Unacceptable envelope sender addresses. qmail-smtpd will reject every recipient address for a message if the envelope sender address is listed in, or matches a POSIX regular expression pattern listed in, badmailfrom. A line in badmailfrom may be of the form @host, meaning every address at host. For more information, please have a look at doc/README.qregex.
badmailfromnorelay
Functions the same as the badmailfrom control file but is read only if the RELAYCLIENT environment variable is not set. For more information, please have a look at doc/README.qregex.
badmailto
Unacceptable envelope recipient addresses. qmail-smtpd will reject every recipient address for a message if the recipient address is listed in, or matches a POSIX regular expression pattern listed in, badmailto. For more information, please have a look at doc/README.qregex.
badmailtonorelay
Functions the same as the badmailto control file but is read only if the RELAYCLIENT environment variable is not set. For more information, please have a look at doc/README.qregex.

clientca.pem
A list of Certifying Authority (CA) certificates that are used to verify the client-presented certificates during a TLS-encrypted session.

clientcrl.pem
A list of Certificate Revocation Lists (CRLs). If present it should contain the CRLs of the CAs in clientca.pem and client certs will be checked for revocation.

databytes
Maximum number of bytes allowed in a message, or 0 for no limit. Default: 0. If a message exceeds this limit, qmail-smtpd returns a permanent error code to the client; in contrast, if the disk is full or qmail-smtpd hits a resource limit, qmail-smtpd returns a temporary error code.

databytes counts bytes as stored on disk, not as transmitted through the network. It does not count the qmail-smtpd Received line, the qmail-queue Received line, or the envelope.

If the environment variable DATABYTES is set, it overrides databytes.

dh1024.pem
If these 1024 bit DH parameters are provided, qmail-smtpd will use them for TLS sessions instead of generating one on-the-fly (which is very time-consuming).
dh512.pem
512 bit counterpart for dh1024.pem.

localiphost
Replacement host name for local IP addresses. Default: me, if that is supplied. qmail-smtpd is responsible for recognizing dotted-decimal addresses for the current host. When it sees a recipient address of the form box@[d.d.d.d], where d.d.d.d is a local IP address, it replaces [d.d.d.d] with localiphost. This is done before rcpthosts.
morercpthosts
Extra allowed RCPT domains. If rcpthosts and morercpthosts both exist, morercpthosts is effectively appended to rcpthosts.

You must run qmail-newmrh whenever morercpthosts changes.

Rule of thumb for large sites: Put your 50 most commonly used domains into rcpthosts, and the rest into morercpthosts.

rcpthosts
Allowed RCPT domains. If rcpthosts is supplied, qmail-smtpd will reject any envelope recipient address with a domain not listed in rcpthosts.

Exception: If the environment variable RELAYCLIENT is set, qmail-smtpd will ignore rcpthosts, and will append the value of RELAYCLIENT to each incoming recipient address.

rcpthosts may include wildcards:


   heaven.af.mil
   .heaven.af.mil

Envelope recipient addresses without @ signs are always allowed through.

rsa512.pem
If this 512 bit RSA key is provided, qmail-smtpd will use it for TLS sessions instead of generating one on-the-fly.

servercert.pem
SSL certificate to be presented to clients in TLS-encrypted sessions. Should contain both the certificate and the private key. Certifying Authority (CA) and intermediate certificates can be added at the end of the file.

smtpgreeting
SMTP greeting message. Default: me, if that is supplied; otherwise qmail-smtpd will refuse to run. The first word of smtpgreeting should be the current host's name.
timeoutsmtpd
Number of seconds qmail-smtpd will wait for each new buffer of data from the remote SMTP client. Default: 1200.
spfbehavior
Set to a value between 1 and 6 to enable SPF checks; 0 to disable. 1 selects 'annotate-only' mode, where qmail-smtpd will annotate incoming email with Received-SPF fields, but will not reject any messages. 2 will produce temporary failures on DNS lookup problems so you can make sure you always have meaningful Received-SPF headers. 3 selects 'reject' mode, where incoming mail will be rejected if the SPF record says 'fail'. 4 selects a stricter rejection mode, which is like 'reject' mode, except that incoming mail will also be rejected when the SPF record says 'softfail'. 5 will also reject when the SPF record says 'neutral', and 6 if no SPF records are available at all (or a syntax error was encountered). The contents of this file are overridden by the value of the SPFBEHAVIOR environment variable, if set. Default: 0.
spfexp
You can add a line with an SPF explanation that will be shown to the sender in case of a reject. It will override the default one. You can use SPF macro expansion.
spfguess
You can add a line with SPF rules that will be checked if a sender domain doesn't have an SPF record. The local rules will also be used in this case.
spfrules
You can add a line with SPF rules that will be checked before other SPF rules would fail. This can be used to always allow certain machines to send certain mails.
spamt
The spam throttle parameters file. See qmail-newst(8) and qmail-spamt(5) for details.

tlsclients
A list of email addresses. When relay rules would reject an incoming message, qmail-smtpd can allow it if the client presents a certificate that can be verified against the CA list in clientca.pem and the certificate email address is in tlsclients.

tlsserverciphers
A set of OpenSSL cipher strings. Multiple ciphers contained in a string should be separated by a colon. If the environment variable TLSCIPHERS is set to such a string, it takes precedence.
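
The recipient checks described under localiphost and rcpthosts above, as an added example in Python (not qmail's own code): it applies the localiphost substitution first, then the RELAYCLIENT exception, then the rcpthosts match including the leading-dot wildcard form. Case-insensitive domain matching, the function names, and the sample addresses are assumptions of this example.

```python
def load_rcpthosts(text):
    """Parse rcpthosts content into a set of lower-cased entries."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip()}


def domain_listed(domain, hosts):
    d = domain.lower()  # assumption: matching ignores case
    if d in hosts:
        return True
    # An entry such as ".heaven.af.mil" covers every name ending in it,
    # but not "heaven.af.mil" itself, which needs its own line.
    i = d.find(".")
    while i != -1:
        if d[i:] in hosts:
            return True
        i = d.find(".", i + 1)
    return False


def accept_rcpt(addr, hosts, env, local_ips=(), localiphost=None):
    """Return the address to queue, or None if the recipient is rejected.

    hosts is None when no rcpthosts file is supplied.
    """
    local, at, domain = addr.rpartition("@")
    # localiphost substitution is done before the rcpthosts check
    if at and localiphost and domain[:1] == "[" and domain[-1:] == "]":
        if domain[1:-1] in local_ips:
            domain = localiphost
            addr = local + "@" + domain
    if "RELAYCLIENT" in env:
        # Set, even to an empty string: rcpthosts is ignored entirely.
        return addr + env["RELAYCLIENT"]
    if not at or hosts is None:
        # No @ sign, or no rcpthosts supplied: nothing is rejected.
        return addr
    return addr if domain_listed(domain, hosts) else None


# Constructed sample data, using the two wildcard lines shown above
HOSTS = load_rcpthosts("heaven.af.mil\n.heaven.af.mil\n")
```

Note the two paths that bypass the domain check altogether: a missing rcpthosts file and a RELAYCLIENT variable that is set for a client that should not relay.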

 

SEE ALSO

tcp-env(1), tcp-environ(5), qmail-control(5), qmail-spamt(5), qmail-spamthrottle(5), qmail-inject(8), qmail-newmrh(8), qmail-newst(8), qmail-queue(8), qmail-remote(8)


 


This document was created by man2html, using the manual pages.
Time: 02:14:49 GMT, October 23, 2009