-
Notifications
You must be signed in to change notification settings - Fork 1
/
milter.cfg
295 lines (264 loc) · 12.3 KB
/
milter.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
[milter]
# the directory with persistent data files
datadir = /var/lib/milter
logdir = /var/log/milter
# the socket used to communicate with sendmail. Must match sendmail.cf
socket=/var/run/milter/pythonsock
# where to save original copies of defanged and failed messages
tempdir = /var/log/milter/save
# how long to wait for a response from sendmail before giving up
;timeout=600
log_headers = 0
# Connection ips and hostnames are matched against this glob style list
# to recognize internal senders. You probably need to change this.
# The default is a good guess to try and prevent newbie frustration.
internal_connect = 192.168.0.0/16,127.*
# mail that is not an internal_connect and claims to be from an
# internal domain is rejected. Furthermore, internal mail that
# does not claim to be from an internal domain is rejected.
# You should enable SPF instead if you can. SPF is much more comprehensive and
# flexible. However, SPF is not currently checked for outgoing
# (internal_connect) mail because it doesn't yet handle authorizing
# internal IPs locally.
;internal_domains = mycorp.com,localhost.localdomain
# connections from a trusted relay can trust the first Received header
# SPF checks are bypassed for internal connections and trusted relays.
;trusted_relay = 1.2.3.4, 66.12.34.56
# Relaying to these domains is allowed from internal connections only.
# You might want to restrict aol.com, for instance, so that stupid
# users don't forward their spam to aol for filtering and get your MTA
# blacklisted by aol.
;private_relay = aol.com, yahoo.com
# If this is defined, internal connections not in this list are
# not allowed to send DSNs (empty MAIL FROM). We could check that
# a purported MTA accepts connections on port 25, but that could be
# time consuming with firewalls typically discarding rather than rejecting.
;internal_mta = 192.168.1.2
# Reject external senders with hello names no legit external sender would use.
# SPF will do this also, but listing your own domain and mailserver here
# will save some DNS lookups when rejecting certain viruses, and the
# connect IP is banned.
;hello_blacklist = mycorp.com, 66.12.34.56
# Reject mail for domains mentioned unless user is mentioned here also
;check_user = [email protected], [email protected], file:bigcorp.com
# Treat localparts in milter.cfg as case-sensitive. Set to false to handle
# mailers that violate RFCs by failing to preserve case. (And make
# sure sendmail is configured to ignore case.)
case_sensitive_localpart = true
# Various nasty MTA behaviours get demerits. When they reach this limit
# on a single connection, the IP is banned. Leave unset for
# "unlimited" (actually 2**31-1). I use 3.
;max_demerits = 3
# When a domain in this list would get banned, the specific mailbox
# is banned instead. These free email providers have a "whack-a-mole" problem.
email_providers = yahoo.com, gmail.com, aol.com, hotmail.com, me.com,
googlegroups.com, att.net
# features intended to filter or block incoming mail
[defang]
# do virus scanning on attached messages also
scan_rfc822 = 0
# do virus scanning on attached zipfiles also
scan_zip = 0
# Comment out scripts in HTML attachments. Can be CPU intensive.
scan_html = 0
# reject messages with asian fonts because we can't read them
block_chinese = 0
# list users who hate forwarded mail
;block_forward = [email protected], [email protected]
# reject mail with these case insensitive strings in the subject
porn_words = penis, pussy, horse cock, porn, xenical, diet pill, d1ck,
vi*gra, vi-a-gra, viag, tits, p0rn, hunza, horny, sexy, c0ck, xanaax,
p-e-n-i-s, hydrocodone, vicodin, xanax, vicod1n, x@nax, diazepam,
v1@gra, xan@x, cialis, ci@lis, frëe, xãnax, valíum, vãlium, via-gra,
x@n3x, vicod3n, penís, c0d1n, phentermine, en1arge, dip1oma, v1codin,
valium, rolex, sexual, fuck, adv1t, vgaira, medz, acai berry
# reject mail with these case sensitive strings in the subject
spam_words = $$$, !!!, XXX, HGH
# Experimental: Reject mail with these case sensitive strings in the human
# readable part of the From header field. Also, ban the domain if it gets
# a pass from SPF or best_guess and is a "new" domain according to
# pygossip. This helps generate a list of "throwaway" spam domains.
;from_words = Stimulus, Diabetes, Trivia, Age Quiz, Detox, White Teeth
# attachments with these extensions will be replaced with a warning
# message. A copy of the original will be saved.
banned_exts = ade,adp,asd,asx,asp,bas,bat,chm,cmd,com,cpl,crt,dll,exe,hlp,hta,
inf,ins,isp,js,jse,lnk,mdb,mde,msc,msi,msp,mst,ocx,pcd,pif,reg,scr,sct,
shs,url,vb,vbe,vbs,wsc,wsf,wsh
# See http://bmsi.com/python/pysrs.html for details
[srs]
config=/etc/mail/pysrs.cfg
# SRS options can be set here also, but must match the sendmail plugin
;secret="shhhh!"
;maxage=21
;hashlength=4
;database=/var/log/milter/srsdata
;fwdomain = mydomain.com
# turn this on after a grace period to reject spoofed DSNs
reject_spoofed = 0
# Many braindead MTAs send DSNs with a non-DSN MFROM (e.g. to report that
# some virus claiming to be sent by you). This heuristic
# refuses mail from user names commonly abused in that way.
;banned_users = postmaster, mailer-daemon, clamav
# See http://www.openspf.com for more info on SPF.
[spf]
# namespace where SPF records can be supplied for domains without one
# records are searched for under _spf.domain.com
;delegate = domain.com
# domains where a neutral SPF result should cause mail to be rejected
;reject_neutral = aol.com
# use a default (v=spf1 a/24 mx/24 ptr) when no SPF records are published
;best_guess = 0
# Reject senders that have neither PTR nor valid HELO nor SPF records, or send
# DSN otherwise
;reject_noptr = 0
# always accept softfail from these domains, or send DSN otherwise
;accept_softfail = bounces.amazon.com
# Treat fail from these domains like softfail: because their SPF record
# or an important sender is screwed up. Must have valid HELO, however.
;accept_fail = custhelp.com
# Use sendmail access map or similar format for detailed spf policy.
# SPF entries in the access map will override any defaults set above.
# Uncomment to activate.
;access_file = /etc/mail/access.db
# Set to true if the access file keys have nulls appended. This is a
# configuration option for the map on sendmail and postfix. On RHEL,
# postfix postmap defaults to nulls (postmap -N) and sendmail makemap defaults
# to no nulls.
;access_file_nulls = false
# Set to false if ':' separates key from value. May be able to deduce
# from common entries as a default. Sendmail requires colon in access keys.
access_file_colon = true
# Add MAIL FROM as Sender when Sender is missing and From domain
# doesn't match MAIL FROM. Outlook and other email clients will then display
# something like: "Sent by [email protected] on behalf of [email protected]"
;supply_sender = 0
# Connections that get an SPF pass for a pretend MAIL FROM of
# [email protected] skip SPF checks for the real MAIL FROM.
# This is for non-SRS forwarders. It is a simple implementation that
# is inefficient for more than a few entries.
;trusted_forwarder = careerbuilder.com
# features intended to clean up outgoing mail
[scrub]
# domains that block visible private nodes
;hide_path = jcpenney.com
# reject, don't just replace with warning, viruses from these domains
;reject_virus_from = mycorp.com
# Apply SPF-Pass policy to internal mail, to check CBV, for instance.
;internal_policy = false
# features intended for spying on users and coworkers
[wiretap]
blind = 1
#
# wiretap lets you surreptitiously monitor a users outgoing email
# (sendmail aliases let you monitor incoming mail)
#
;users = [email protected], [email protected]
# multiple destinations can use smart_alias
;dest = [email protected]
# discard outgoing mail without alerting sender
# can be used in conjunction with wiretap to censor outgoing mail
;discard = [email protected]
# archive copies all delivered mail to a file
;mail_archive = /var/log/mail_archive
#
# smart aliases trigger on both sender and recipient
# alias = sender, recipient[, destination]
#
[smart_alias]
# multiple wiretap monitors. Smart aliases are applied after wiretap.
;spy1 = [email protected],[email protected]
;spy2 = [email protected],[email protected]
# mail from [email protected] to [email protected] is redirected to
# local alias copycust
;copycust = [email protected],[email protected]
# mail from [email protected] to [email protected] is redirected to
# additional copies can be added
;bulk = [email protected],[email protected]
;bulk1 = [email protected],[email protected],bulk
# See http://bmsi.com/python/dspam.html
[dspam]
# Select a well moderated dspam dictionary to reject spammy headers.
# To filter on the entire message, use the full setup below.
# only EXTERNAL messages are dspam filtered
;dspam_dict=/var/lib/dspam/moderator.dict
# Recipients of mail sent from these senders are added to the auto_whitelist.
# Auto_whitelisted senders with an SPF PASS are never rejected by dspam, and
# messages from auto_whitelisted senders will be used to train screener
# dictionaries as innocent mail.
;whitelist_senders = @mycorp.com
# Also send auto_whitelist recipients to these MXes. This is not currently
# parallelized, so list just one, or at most two.
;whitelist_mx = mail.mycorp.com,mail2.mycorp.com
# Opt-out recipients entirely from dspam screening and header triage
# Do not scan mail (ostensibly) from these senders
# Reject spam to these domains instead of quarantining it.
;dspam_reject=othercorp.com
# Scan internal mail - often a good source of stats on legit mail.
;dspam_internal=1
# directory for dspam user quarantine, signature db, and dictionaries
# defining this activates the dspam application
# dspam and dspam-python must be installed
;dspam_userdir=/var/lib/dspam
# do not dspam messages larger than this
;dspam_sizelimit=180000
# Map email addresses and aliases to dspam users
;dspam_users=david,goliath,spam,falsepositive
# List dspam users which train on all delivered messages, as opposed to
# "train on error" which trains only when a spam or falsepositive is reported.
# Training mode will build the dictionary faster, but requires close attention
# so as not to miss any spam or false positives.
;dspam_train=goliath
# address to forward spam to. milter will process these and not deliver
# Spam forwarded to bandom will ban the domain after training as spam.
# This helps deal with "throw-away" domains. The ban1 localpart
# uses a wildcard for the first part of the banned domain, so that
# instead of banning mx2.spammer.com, it bans *.spammer.com.
# See email_providers above.
# address to forward false positives to. milter will process and not deliver
# account which receives only spam: all received messages are marked as spam.
# the dspam_screener is a list of dspam users who screen mail for all
# recipients who are not dspam_users. Spam goes to the screeners quarantine,
# and the original recipients are saved so that false positives can be properly
# delivered.
;dspam_screener=david,goliath
# The dspam CGI can also be used: logins must match dspam users
# Optional pygossip interface
#
# GOSSiP tracks reputation of domain:qualifier pairs. For instance,
# the reputation of example.com:SPF is tracked separately from
# example.com:neutral. Currently qualifiers are
# SPF,neutral,softfail,fail,permerror,GUESS,HELO
[gossip]
# Use a dedicated GOSSiP server. If not specified, a local database
# will be used.
;server=host:11900
# To include peers of a peer in reputation, set ttl=2
;ttl=1
# If a local database is used, also consult these GOSSiP servers about
# domains. Peer reputation is also tracked as to how often they
# agree with us, and weighted accordingly.
;peers=host1:port,host2
[greylist]
dbfile=greylist.db
# mins (Google retries in 5 mins)
time=5
# hours (some legit sites don't retry for 6 hours)
expire=6
# days (keep "first monday" type mailings on file)
retain=36
[dkim]
privkey = dkim_rsa
;domain = example.com
;selector = default