policyd-weight.conf(5)


NAME

   policyd-weight.conf - policyd-weight configuration parameters

STATUS

   Beta, Documentation incomplete

DESCRIPTION

   policyd-weight uses a perl(1) style configuration file which it reads
   on startup. The cache re-reads the configuration after
   $MAINTENANCE_LEVEL (default: 5) queries. If -f is not specified, it
   searches for configuration files in the following locations:

    /etc/policyd-weight.conf
    /usr/local/etc/policyd-weight.conf
    ./policyd-weight.conf

CACHE SETTINGS

   $CACHESIZE (default: 2000)
          Set the minimum size of the SPAM cache.

   $CACHEMAXSIZE (default: 4000)
          Set the maximum size of the SPAM cache.

   $CACHEREJECTMSG
          (default: 550 temporarily blocked because of previous errors)

          Set the SMTP status code and an explanatory message for mails
          rejected due to cached results.

   $NTTL (default: 1)
          The client is penalized for that many retries.

   $NTIME (default: 30)
          The  $NTTL  counter will only be decremented if the client waits
          at least $NTIME seconds.

   $POSCACHESIZE (default: 1000)
          Set the minimum size of the HAM cache.

   $POSCACHEMAXSIZE (default: 2000)
          Set the maximum size of the HAM cache.

   $PTTL (default: 60)
          After that many queries the  HAM  entry  must  succeed  one  run
          through the RBL checks again.

   $PTIME (default: 3h)
          After $PTIME in the HAM cache the client must pass the RBL
          checks once again. Values must be non-fractional. Accepted
          time-units: s(econds), m(inutes), h(ours), d(ays)

   $TEMP_PTIME (default: 1d)
          The client must pass the RBL checks for this period of time in
          order to be listed as hard-HAM. After this time the client will
          pass immediately for PTTL within PTIME. Values must be
          non-fractional.
          Accepted time-units: s(econds), m(inutes), h(ours), d(ays)
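
   A sanity check for the cache settings above, as an added example that is not part of policyd-weight. The sample values are constructed; rejecting a time value without a unit and requiring the minimum cache size not to exceed the maximum are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values, named after the settings documented above.
my %conf = (
    CACHESIZE    => 2000,  CACHEMAXSIZE    => 4000,
    POSCACHESIZE => 3000,  POSCACHEMAXSIZE => 2000,   # deliberately inverted
    PTIME        => '3h',
    TEMP_PTIME   => '1.5d',                           # deliberately fractional
);

my %unit = (s => 1, m => 60, h => 3600, d => 86400);

# "<integer><unit>" -> seconds; returns undef for anything else. Treating a
# value without a unit as invalid is this example's choice (assumption).
sub to_seconds {
    my ($value) = @_;
    return unless defined $value && $value =~ /\A(\d+)([smhd])\z/;
    return $1 * $unit{$2};
}

# Returns a list of human-readable problems found in the cache settings.
sub check_cache_settings {
    my ($c) = @_;
    my @problems;
    for my $key (qw(PTIME TEMP_PTIME)) {
        push @problems, "\$$key '$c->{$key}' is not <integer><s|m|h|d>"
            unless defined to_seconds($c->{$key});
    }
    for my $pair ([qw(CACHESIZE CACHEMAXSIZE)], [qw(POSCACHESIZE POSCACHEMAXSIZE)]) {
        my ($min, $max) = @$pair;
        push @problems, "\$$min ($c->{$min}) exceeds \$$max ($c->{$max})"
            if $c->{$min} > $c->{$max};
    }
    return @problems;
}

my @problems = check_cache_settings(\%conf);
print "WARN: $_\n" for @problems;
printf "PTIME = %d seconds\n", to_seconds($conf{PTIME});
```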

DEBUG SETTINGS

   $DEBUG (default: 0)
          Turn debugging on (1) or off (0)

DNS SETTINGS

   $DNS_RETRIES (default: 2)
          How many times a single DNS query may be repeated

   $DNS_RETRY_IVAL (default: 2)
          Retry a query without response after that many seconds

   $MAXDNSERR (default: 3)
          If  that  many  queries  fail,  the  mail   is   accepted   with
          $MAXDNSERRMSG.
          In total DNS queries this means: $MAXDNSERR * $DNS_RETRIES

   $IGNORE_RFC1918_A (default: 0)
          If enabled (1), A records with RFC1918 addresses aren't treated
          as bogus addresses by policyd-weight and therefore
          bogus_mx_score isn't added.

MISC SETTINGS

   $MAINTENANCE_LEVEL (default: 5)
          After  that  many  policy requests the cache (and in daemon mode
          child processes) checks for configuration file changes

   $MAXIDLECACHE (default: 60)
          After that many seconds of  being  idle  the  cache  checks  for
          configuration file changes.

   $PIDFILE (default: /var/run/policyd-weight.pid)
          Path and filename to store the master pid (daemon mode)

   $LOCKPATH (default: /tmp/.policyd-weight/)
          Directory   where   policyd-weight   stores  sockets  and  lock-
          files/directories. Its argument must contain a trailing slash.

   $SPATH (default: $LOCKPATH.'/polw.sock')
          Path and filename which the cache has to use for communication.

   $TCP_PORT (default: 12525)
          TCP port on which the policy server listens (daemon mode)

   $BIND_ADDRESS (default: '127.0.0.1')
          IP address to which policyd-weight binds. Currently only a
          single IP or all IPs are supported. Specify 'all' if you want
          to listen on all IPs.

   $SOMAXCONN (default: 1024)
          Maximum connections which policyd-weight accepts.  This  is  set
          high enough to cover most scenarios.

   $USER (default: polw)
          Set the user under which policyd-weight runs

   $GROUP (default: $USER)
          Set the group under which policyd-weight runs

OUTPUT AND LOG SETTINGS

   $ADD_X_HEADER (default: 1)
          Insert an X-policyd-weight: header with evaluation messages.
          1 = on, 0 = off

   $LOG_BAD_RBL_ONLY (default: 1)
          Insert  only  RBL  results  in  logging strings if the RBL score
          changes the overall score. Thus RBLs with  a  GOOD  SCORE  of  0
          don't appear in logging strings if the RBL returned no BAD hit.
          1 = on, 0 = off

   $MAXDNSBLMSG (default: 550 Your MTA is listed in too many DNSBLs)
          The message sent to the client if it was rejected due to
          $MAXDNSBLHITS and/or $MAXDNSBLSCORE.

   $REJECTMSG (default: 550 Mail appeared to be SPAM or forged.  Ask  your
   Mail/DNS-Adminisrator  to  correct  HELO  and DNS MX settings or to get
   removed from DNSBLs)

          Set the SMTP status code for rejected mails and  a  message  why
          the action was taken

RESOURCE AND OPTIMIZATIONS

   $CHILDIDLE (default: 120)
          How  many  seconds  a  child  may be idle before it dies (daemon
          mode)

   $MAX_PROC (default: 50)
          Process limit on how many processes  policyd-weight  will  spawn
          (daemon mode)

   $MIN_PROC (default: 2)
          Minimum  child  processes  which  are  kept  alive in idle times
          (daemon mode)

   $PUDP (default: 0)
          Set persistent UDP connections used for DNS queries  on  (1)  or
          off (0).

SCORE SETTINGS

   Positive values indicate a bad (SPAM) score, negative values indicate a
   good (HAM) score.

   @bogus_mx_score (2.1, 0)
          If the sender domain has neither MX nor A records or these
          records resolve to a bogus IP-Address (for instance private
          networks) then this check assigns the full score of
          bogus_mx_score. If there is no MX but an A record of the sender
          domain then it receives a penalty only if DNSBL-listed.

          Log Entries:

          BOGUS_MX
           The sender A and MX records are bogus or empty.

          BAD_MX
           The sender domain has an empty  or  bogus  MX  record  and  the
           client is DNSBL listed.

          Related RFCs:

          [1918] Address Allocation for Private Internets
          [2821] Simple Mail Transfer Protocol (Sect 3.6 and Sect 5)

   @client_ip_eq_helo_score (1.5, -1.25)
          Define  scores  for  the  match of the reverse record (hostname)
          against the HELO argument. Reverse  lookups  are  done,  if  the
          forward lookups failed and are not trusted.

          Log Entries:

          REV_IP_EQ_HELO
           The  Client's  PTR  matched  the  HELO  argument.

          REV_IP_EQ_HELO_DOMAIN
           Domain portions  of Client PTR and HELO argument matched.

          RESOLVED_IP_IS_NOT_HELO
           Client  PTRs  found   but  did  not  match  HELO argument.

   @helo_score (1.5, -2)
          Define  scores for the match of the Client IP and its /24 subnet
          against the A records of HELO or MAIL FROM domain/host. It  also
          holds the bad score for MX verifications.

          Log Entries:

          CL_IP_EQ_HELO_NUMERIC
           Client IP matches the [IPv4] HELO.

          CL_IP_EQ_FROM_IP
           Client  IP  matches   the  A  record  of  the  MAIL FROM sender
           domain/host.

          CL_IP_EQ_HELO_IP
           Client  IP  matches  the  A  record  of the HELO argument.

          CL_IP_NE_HELO
           The IP and  the /24  subnet did  not  match  A/MX  records   of
           HELO  and MAIL FROM  arguments and their subdomains.

   @helo_from_mx_eq_ip_score (1.5, -3.1)
          Define scores for the match of Client IP against MX records.
          Positive (SPAM) values are used in case the MAIL FROM does not
          match the HELO argument AND the client seems to be dynamic AND
          the client is no MX for HELO and MAIL FROM arguments. The total
          DNSBL score is added to its bad score.

          Log Entries:

          CL_IP_EQ_FROM_MX
           Client IP  matches  the MAIL FROM domain/host MX record

          CL_IP_EQ_HELO_MX
           Client IP matches the HELO domain/host MX record

          CLIENT_NOT_MX/A_FROM_DOMAIN
           Client  is  not a verified  HELO and doesn't match A/MX records
           of MAIL FROM argument

          CLIENT/24_NOT_MX/A_FROM_DOMAIN
           Client's subnet does  not  match A/MX records of the MAIL  FROM
           argument

   $dnsbl_checks_only (default: 0)
          Disable  HELO/RHSBL  verifications  and  the  like.  Do only RBL
          checks.
          1 = on, 0 = off

   @dnsbl_score (default: see below)
          A list of RBLs to be checked. If you do not want a host to be
          evaluated any further once it is listed on several lists or on
          a very trustworthy list, you can control an immediate REJECT
          with $MAXDNSBLHITS and/or $MAXDNSBLSCORE. A list of RBLs must
          be built as follows:

          @dnsbl_score = (
              RBLHOST1,   HIT SCORE,  MISS SCORE,     LOG NAME,
              RBLHOST2,   HIT SCORE,  MISS SCORE,     LOG NAME,
              ...
          );
          The default is:

          @dnsbl_score = (
              "pbl.spamhaus.org",     3.25,   0,      "DYN_PBL_SPAMHAUS",
              "sbl-xbl.spamhaus.org", 4.35,   -1.5,   "SBL_XBL_SPAMHAUS",
              "bl.spamcop.net",       3.75,   -1.5,   "SPAMCOP",
              "ix.dnsbl.manitu.net",  4.35,   0,      "IX_MANITU"
          );

   @rhsbl_score (default: see below)
          Define a list of RHSBL hosts which are queried for the sender
          domain. Results additionally get scores of 0.5 * DNSBL results
          and @rhsbl_penalty_score. A list of RHSBL hosts to be queried
          must be built as follows:

          @rhsbl_score = (
              RHSBLHOST1,  HIT SCORE,  MISS SCORE,     LOG NAME,
              RHSBLHOST2,  HIT SCORE,  MISS SCORE,     LOG NAME,
              ...
          );
          The default is:

          @rhsbl_score = (
              "multi.surbl.org",      4,      0,      "SURBL"
          );

   @rhsbl_penalty_score (3.1, 0)
          This score will be added to each RHSBL hit if the following
          criteria are met:

              Sender has a random local-part (e.g. yztrzgb@example.tld)

           or MX records of sender domain are bogus

           or FROM does not match HELO

           or HELO is untrusted (Forward record matched, reverse record
              did not match)

   $MAXDNSBLHITS (default: 2)
          If the client is listed in more than $MAXDNSBLHITS RBLs it  will
          be  rejected  immediately  with $MAXDNSBLMSG and without further
          evaluation. Results are cached by default.

   $MAXDNSBLSCORE (default: 8)
          If the BAD SCOREs of @dnsbl_score  listed  RBLs  reach  a  level
          greater   than   $MAXDNSBLSCORE  the  client  will  be  rejected
          immediately with $MAXDNSBLMSG and  without  further  evaluation.
          Results are cached by default.

   $REJECTLEVEL (default: 1)
          Score results equal to or greater than this level will be
          rejected with $REJECTMSG
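
   How the default @dnsbl_score list interacts with $MAXDNSBLHITS, $MAXDNSBLSCORE and $REJECTLEVEL, as an added example that is not policyd-weight's own code. It is a simplified model: only the DNSBL part of the score is counted, the RBL answers are constructed input instead of DNS lookups, and the function name evaluate is hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Default list and thresholds as documented on this page.
my @dnsbl_score = (
    "pbl.spamhaus.org",     3.25,   0,      "DYN_PBL_SPAMHAUS",
    "sbl-xbl.spamhaus.org", 4.35,   -1.5,   "SBL_XBL_SPAMHAUS",
    "bl.spamcop.net",       3.75,   -1.5,   "SPAMCOP",
    "ix.dnsbl.manitu.net",  4.35,   0,      "IX_MANITU"
);
my ($MAXDNSBLHITS, $MAXDNSBLSCORE, $REJECTLEVEL) = (2, 8, 1);

# Simplified model (assumption): takes the RBL hosts that list the client and
# returns (verdict, total score, number of hits, sum of BAD scores).
sub evaluate {
    my %listed = map { ($_ => 1) } @_;
    die "\@dnsbl_score needs 4 fields per RBL\n" if @dnsbl_score % 4;
    my ($total, $bad, $hits) = (0, 0, 0);
    for (my $i = 0; $i < @dnsbl_score; $i += 4) {
        my ($host, $hit, $miss, $name) = @dnsbl_score[$i .. $i + 3];
        if ($listed{$host}) { $hits++; $bad += $hit; $total += $hit }
        else                { $total += $miss }   # MISS SCORE may be negative
    }
    my $verdict =
        $hits  > $MAXDNSBLHITS  ? 'immediate reject ($MAXDNSBLHITS)'
      : $bad   > $MAXDNSBLSCORE ? 'immediate reject ($MAXDNSBLSCORE)'
      : $total >= $REJECTLEVEL  ? 'reject ($REJECTLEVEL)'
      :                           'pass';
    return ($verdict, $total, $hits, $bad);
}

# Constructed clients: each entry is the set of RBLs that list the client.
my @clients = (
    [ "pbl.spamhaus.org" ],
    [ "pbl.spamhaus.org", "bl.spamcop.net" ],
    [ "sbl-xbl.spamhaus.org", "ix.dnsbl.manitu.net" ],
    [ "pbl.spamhaus.org", "sbl-xbl.spamhaus.org", "bl.spamcop.net" ],
);
for my $c (@clients) {
    my ($verdict, $total, $hits, $bad) = evaluate(@$c);
    printf "hits=%d bad=%.2f total=%.2f -> %s\n", $hits, $bad, $total, $verdict;
}
```

   The first client shows why the MISS SCORE column matters: a single listing on pbl.spamhaus.org is offset by the two negative miss scores and stays below $REJECTLEVEL.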

SEE ALSO

   policyd-weight(8), Policyd-weight daemon
   perl(1), Practical Extraction and Report Language
   perlsyn(1), Perl syntax
   access(5), Postfix SMTP access control table

LICENSE

   GNU General Public License

AUTHOR

   Robert Felber <r.felber@ek-muc.de>
   Autohaus Erich Kuttendreier
   81827 Munich, Germany

                            Aug 25th, 2006          policyd-weight.conf(5)




