Table of Contents

ze-filter.cf

This page is under construction...

General Parameters

  • VERSION (String) - Configuration file version
    • Default : 2.3.0-100627
  • MYSELF (String) - My own names, IPs and aliases
    • Default : 127.0.0.1 HOSTNAME
  • J_HOSTNAME (Option) - How to get mailserver hostname ?
    • Values : SYSTEM/SENDMAIL/OTHER
    • Default : SYSTEM
  • PRESENCE (Option) - Show/Hide presence (presence header)
    • Values : SHOW/HIDE
    • Default : SHOW
  • FOOTER (Option) - Show/Hide ze-filter signature at warning message
    • Values : SHOW/HIDE
    • Default : SHOW
  • FILTER_URL (String) - Filter URL (to be included on X-Miltered header)
    • Default : http : / / ze-filter dot ensmp dot fr
  • POLICY_URL (String) - Policy filtering URL - appended to reply messages
    • If your domain has a web page to inform people about your email policies, you define this option, with some URL, ze-filter will append a reference - See POLICY_URL - to each reply done in SMTP session
    • Default :
  • DAEMON_FILTER_DISABLE (String) - SMTP daemons to disable filtering
    • When your MTA is listening of different IP addresses and ports, it may be useful to enable/disable filtering for some of them. E.g., if you want to filter incoming messages but not outgoing messages (this isn't yet implemented).
    • Syntax : NAME:PORT, NAME:PORT, …
    • Default :

System parameters and Resources

  • USER (String) - Filter USER ID
    • The filter will run as this user ID
    • Default : smmsp
  • GROUP (String) - Filter GROUP ID
    • The filter will run as this group IP
    • Default : smmsp
  • FILE_DESCRIPTORS (String) - Number of available file descriptors (integer value or MAX)
    • Sets a limit on the number of file descriptors available to the filter : can be any value lower than the value set by the operating system (ulimit), or MAX to use that value.
    • Default : MAX
  • FD_FREE_SOFT_LIMIT (Integer) - Available file descriptors soft lower bound
    • When the number of file descriptors available is lower than this value, the filter will rejects connections coming from unknown NetClasses
    • Default : 100
  • FD_FREE_HARD_LIMIT (Integer) - Available file descriptors hard lower bound
    • When the number of file descriptors available is lower than this value, the filter will reject all connections.
    • Default : 50
  • USE_SELECT_LIMIT (Option) - Available file descriptors limited by select function
    • Use the lower value between FILE_DESCRIPTORS and FD_SELECT. This option can be disabled if libmilter was compiled with _FFR_WORKERS_POOL or SM_CONF_POLL
    • Values : NO/YES
    • Default : YES
  • CPU_IDLE_SOFT_LIMIT (Integer) - SOFT CPU Idle threshold to accept connections
    • When the CPU idle ratio is less than this value, the filter will reject connections coming from unknown Netclasses. No control is done when this value is 0.
    • Default : 0
  • CPU_IDLE_HARD_LIMIT (Integer) - HARD CPU Idle threshold to accept connections
    • When the CPU idle ratio is less than this value, the filter will reject all connections No control is done when this value is 0.
    • Default : 0
  • MAX_OPEN_CONNECTIONS (Integer) - Maximum number of simultaneous open connections
    • This is the global number of simultaneous connections the filter will handle the same time.
    • Default : 500

MTA Communications

  • SOCKET (String) - Communication socket between sendmail and ze-filter
    • Syntax : inet:PORT@HOSTNAME | local:SOCKET_PATH
    • Default : J_SMSOCKFILE
  • SM_TIMEOUT (Integer) - Inactivity timeout (milter ↔ sendmail connection)
    • The filter will close sendmail connections inactive for this value long. Busy servers shall be configured with a much lower value (~ 600 s shall be OK)
    • Default : 600s

Control channel

This Section defines how ze-ndc command line tool communicates with ze-filter.

  • CTRL_CHANNEL_ENABLE (Option) - Enable remote control channel
    • Values : NO/YES
    • Default : YES
  • CTRL_SOCKET (String) - Control socket
    • Syntax : inet:PORT@HOSTNAME | local:SOCKET_PATH
    • Default : inet:2010@127.0.0.1
  • CTRL_ACCESS (Option) - How to do access control over control channel
    • You can disable access control (NONE) or define your rules at policy database (ACCESS). If you define the CTRL_SOCKET option listening with an IP address other than localhost you shall enable access control.
    • Values : NONE/ACCESS
    • Default : NONE

Configuration Files

  • CONFDIR (String) - ze-filter configuration directory
    • This is the directory where configuration files and tables will be put in.
    • Default : /etc/ze-filter
  • ERROR_MSG_FILE (String) - Notification template
    • This file contains templates for the notification messages sent when a virus or X-file is found inside a message.
    • Default : ze-error-msg
  • ACCESS_FILE (String) - ze-filter access data
    • Default : ze-access
  • AUTO_RELOAD_TABLES (Integer) - Periodic configuration reload interval
    • When this value is greater than 0s, ze-filter will periodically reload configuration data.
    • Default : 3600s
  • MODULES_CF (String) - Modules
    • Configuration file for dynamically loaded modules (not fully implemented)
    • Default : ze-modules

Logging

  • LOG_FACILITY (String) - syslog facility
    • Default : local5
  • LOG_LEVEL (Integer) - ze-filter log level
    • Default : 10
  • LOG_SEVERITY (Option) - Add a severity tag to syslog lines
    • When enabled, ze-filter log lines have a tag like “[ID 000000 local5.notice]”, useful in order to find lines with some specific priority (e.g. error)
    • Values : NO/YES
    • Default : NO
  • CLUSTER (Option) - Filter sharing resources inside a cluster (spool/server)
    • Values : NO/YES
    • Default : NO
  • LOG_ATTACHMENTS (Option) - Log attached files (using syslog)
    • Values : NO/YES
    • Default : NO
  • LOG_THROTTLE (Option) - Periodically log server throttle (using syslog)
    • Values : NO/YES
    • Default : YES
  • LOG_LOAD (Option) - Periodically log CPU load (using syslog)
    • Values : NO/YES
    • Default : YES
  • LOG_GREY_CLEANING (Option) - Log results of greylist database maintenance
    • Values : NO/YES
    • Default : NO
  • DUMP_COUNTERS (Option) - Periodically dump internal counters
    • Values : NO/YES
    • Default : YES
  • STATS_INTERVAL (Integer) - Time interval used to dump periodical data (load, throttle, …)
    • Default : 300
  • HISTORY_ENTRIES (Integer) - Number of entries of history (times 1024)
    • Default : 256

Spool and state Files

  • WORKROOT (String) - ze-filter root directory
    • Default : J_WORKROOT
  • WORKDIR (String) - ze-filter work directory (state and specific logs)
    • Default : J_WORKDIR
  • SPOOLDIR (String) - ze-filter message spool directory
    • Default : J_SPOOLDIR
  • PID_FILE (String) - ze-filter pid file
    • Default : J_PID_FILE
  • STATS_FILE (String) - STATS_FILE
    • Default : J_STATS_FILE

Quarantine and Archive management

  • CLEANUP_INTERVAL (Integer) - Quarantine directory clean-up interval
    • This option defined the periodicity at which the spool will be cleaned-up
    • Default : 6h
  • QUARANTINE_LIFETIME (Integer) - Quarantine
    • When the spool is cleaned-up, files older than this value will be removed
    • Default : 1d
  • QUARANTINE_ADD_FROM_LINE (Option) - Add From line to quarantine file ?
    • Values : NO/YES
    • Default : YES
  • QUARANTINE_LOG_FILE (String) - Quarantine log file
    • Default : J_QUARANTINE_LOG
  • ARCHIVE (Option) - Archiving messages
    • When this option is enabled, ze-filter will be able to save a copy of each message matching Archive policy.
    • Values : NO/YES
    • Default : NO

Modules

  • MODDIR (String) - Modules
    • Default : /usr/lib/ze-filter

Databases

  • WDBDIR (String) - ze-filter working databases directory
    • Default : J_WDBDIR

Constant Databases

  • CDBDIR (String) - ze-filter constant databases directory
    • Path of the directory where constant databases are installed
    • Default : J_CDBDIR
  • DB_CACHE_SIZE (Integer) - BerkeleyDB constant databases cache size
    • Size of memory cache used by constant databases
    • Default : 32M
  • DB_POLICY (String) - Policy database path
    • File name of policy database
    • Default : ze-policy.db
  • POLICY_CONFLICT (Option) - What to do if users policy conflit
    • This option defines how to decide which policy shall be applied when a message is sent to more than one recipient with incompatible policies.
    • Values : DEFAULT/ONE_WIN/MAJORITY_WIN
    • Default : DEFAULT
  • FROM_PASS_TOKEN (String) - Token
    • Not yet implemented
    • Default :
  • TO_PASS_TOKEN (String) - Token
    • Not yet implemented
    • Default :

Resolve cache database

  • RESOLVE_CACHE_ENABLE (Option) - Address resolution (IP address / hostname) cache
    • The address resolution cache is used to avoid DNS queries to resolve address resolutions when quering the filter for some statistics.
    • Values : NO/YES
    • Default : YES
  • RESOLVE_CACHE_SYNC (Integer) - Interval between cache synchronization
    • Default : 1m
  • RESOLVE_CACHE_CHECK (Integer) - Interval between cache maintenance
    • When enabled, this option defines the periodicity at which maintenance operations will take place.
    • Default : 1h
  • RESOLVE_CACHE_EXPIRE (Integer) - Expiration age of non refreshed entries
    • During maintenance, entries older than the value defined
    • Default : 2d

Sending Notification Messages

  • NOTIFY_SENDER (Option) - Enable sender notification
    • When this option is enabled, notifications after virus or X-Files are sent to the message sender. This is, most of the time, a bad idea as virus are usually spread using forged addresses.
    • Values : NO/YES
    • Default : NO
  • NOTIFY_RCPT (Option) - Enable recipient notification
    • When this option is enabled, notifications after virus or X-Files are sent to recipients
    • Values : NO/YES
    • Default : YES
  • J_SENDER (Option) - Sender address used for notification message
    • This option defines the sender of notifications appearing in headers and, for some versions of the MTA, the enveloppe. If the special value SENDER is used, the sender will be preserved.
    • Values : SENDER/OTHER
    • Default : SENDER
  • J_SUBJECT (Option) - Subject of replacement notification message
    • This option defines which will be the subject of the notification. If the special value SUBJECT is used then the message subject is preserved.
    • Values : SUBJECT/OTHER
    • Default : SUBJECT

Built-in X-File scanner

  • XFILES (Option) - What to do with X-files ? (OK, REJECT, NOTIFY, DISCARD)
    • Values : OK/REJECT/NOTIFY/DISCARD/X-HEADER
    • Default : OK
  • XFILES_FILE (String) - X-Files (file extension + MIME type) configuration
    • Default : ze-xfiles
  • XFILE_SAVE_MSG (Option) - Shall quarantine messages containing X-Files ?
    • Values : NO/YES
    • Default : YES
  • XFILE_SUBJECT_TAG (String) - Tag to be inserted on Subject
    • Default :
  • XFILES_LOG_FILE (String) - Detected X-Files log file
    • Default : J_XFILES_LOG

External virus scanner

This section contains the options to connect ze-filter to an external virus scanner and what to do with the results

  • SCANNER_ACTION (Option) -
    • This option enables the scanner and defines the action to perform whan a virus is found
    • Values : OK/REJECT/NOTIFY/DISCARD/X-HEADER
    • Default : OK
  • SCANNER_SOCK (String) - Communication socket between ze-filter and external scanner
    • This option defines the socket used by ze-filter to connect to the external scanner.
    • Syntax : inet:PORT@HOSTNAME | local:SOCKET_PATH
    • Default : inet:2002@localhost
  • SCANNER_PROTOCOL (Option) - Protocol
    • This option defines the protocol to be used with the scanner : CLAMAV or INTERNAL. The latter protocol type can be used by a generic scanner (see example at contrib directory).
    • Values : INTERNAL/CLAMAV
    • Default : CLAMAV
  • SCANNER_TIMEOUT (Integer) - Timeout waiting for the scanner answer
    • This option defines the communication timeout between ze-filter and the scanner. After this delay, if the scanner doesn't answer, ze-filter will drop the scanner answer.
    • Default : 15s
  • SCANNER_REJECT_ON_ERROR (Option) - Reject messages when scanner call returns an error
    • This option defines the appropriate ze-filter action when the scanner isn't available or times out : Reject (YES) or Temporary failure (NO).
    • Values : NO/YES
    • Default : NO
  • SCANNER_MAX_MSG_SIZE (Integer) - Max message size to pass to scanner
    • Only messages smaller than this size will be scanned.
    • Default : 100K
  • SCANNER_SAVE (Option) - Shall messages be quarantined ???
    • When this option is enabled, messages with virus detected by the scanner will be left in quarantine directory after the transaction ends.
    • Values : NO/YES
    • Default : YES
  • VIRUS_LOG_FILE (String) - Detected Virus log file
    • Virus found will be logged in this file.
    • Syntax : file:filename or udp:port@hostname
    • Default : J_VIRUS_LOG

Antispam checks (bayesian filter)

  • BAYESIAN_FILTER (Option) - Enable Bayesian filter
    • Values : NO/YES
    • Default : NO
  • BAYES_MAX_MESSAGE_SIZE (Integer) - Max message size
    • Default : 100K
  • BAYES_MAX_PART_SIZE (Integer) - Max message part size
    • Default : 30K
  • BAYES_HAM_SPAM_RATIO (Integer) - Ratio HAM/SPAM (times 1000)
    • Default : 1000
  • BAYES_NB_TOKENS (Integer) - Number of tokens to consider
    • Default : 64
  • BAYES_UNKNOWN_TOKEN_PROB (Integer) - Probability assigned to unknown tokens (times 1000)
    • Default : 500
  • DB_BAYES (String) - Path of bayes tokens database
    • Default : ze-bayes.db

Antispam content check - URL Filtering (URLBL)

  • SPAM_URLBL (Option) - Do pattern matching
    • Values : NO/YES
    • Default : NO
  • DB_URLBL (String) - Database Real-Time URL Blacklist (used for content checking)
    • Default : ze-urlbl.db
  • DNS_URLBL (String) - DNS Real-Time URL Blacklist (used for content checking)
    • Syntax : RBL[/CODE[/SCORE]] - multi.surbl.org/127.0.0.1/10
    • Default : ze-tables:DNS-URLBL

Antispam content check - Pattern Matching (REGEX)

  • SPAM_REGEX (Option) - Do pattern matching
    • Values : NO/YES
    • Default : NO
  • REGEX_FILE (String) - Regular expressions configuration file
    • Default : ze-regex
  • REGEX_MAX_SCORE (Integer) - Stop doing pattern matching when score is reached
    • Default : 50
  • SPAM_REGEX_MAX_MSG_SIZE (Integer) - Max message size to do pattern matching
    • Default : 40000
  • SPAM_REGEX_MAX_MIME_SIZE (Integer) - Max message size to do pattern matching
    • Default : 15000
  • DUMP_FOUND_REGEX (Option) - Log founded regular expressions to file
    • Values : NO/YES
    • Default : YES
  • REGEX_LOG_FILE (String) - Matched pattern log file
    • Default : J_REGEX_LOG

Antispam content check - Heuristic filtering (ORACLE)

  • SPAM_ORACLE (Option) - Do heuristic filtering
    • Values : NO/YES
    • Default : NO
  • ORACLE_SCORES_FILE (String) - Oracle scores
    • Default : ze-oracle:ORACLE-SCORES
  • ORACLE_DATA_FILE (String) - Some oracle definitions
    • Default : ze-oracle:ORACLE-DATA
  • LOG_LEVEL_ORACLE (Integer) - Heuristic filter log level (0, 1 or 2)
    • Default : 1
  • ORACLE_STATS_FILE (String) - Statistics for Oracle (dumped each STATISTICS_INTERVAL seconds)
    • Default : oracle-stats.log
  • ORACLE_COUNTERS_FILE (String) - Persistent state of Oracle
    • Default : oracle-counters.log

Antispam content check - Resulting score handling

  • SCORE_ON_SUBJECT (Option) - Shall message score be inserted on Subject Header ?
    • Values : NO/YES
    • Default : NO
  • SCORE_ON_SUBJECT_TAG (String) - Tag to be inserted on Subject ?
    • Default :
  • XSTATUS_HEADER (String) - Status header
    • Default : X-ze-filter-Status
  • XSTATUS_HEADER_HI_CONDITION (String) - When to add a 'X-ze-filter-Status: HI' Header
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default : score > 0.75
  • XSTATUS_HEADER_LO_CONDITION (String) - When to add a 'X-ze-filter-Status: LO' Header
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default : score > 0.65
  • XSTATUS_HEADER_UNSURE_CONDITION (String) - When to add a 'X-ze-filter-Status: UNSURE' Header
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default : score > 0.25
  • XSTATUS_HEADER_HAM_CONDITION (String) - When to add a 'X-ze-filter-Status: HAM' Header
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default : score < 0.25
  • XSTATUS_REJECT_CONDITION (String) - Reject message if this regular expression matches X-ze-filter-score header
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default :
  • XSTATUS_REJECT_ONLY_UNKNOWN (Option) -
    • Values : NO/YES
    • Syntax :
    • Default : YES
  • XSTATUS_QUARANTINE_CONDITION (String) - If this regular expression matches X-ze-filter-score header, the message is quarantined
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default :
  • REMOVE_HEADERS (String) - List of headers to remove
    • X-ze-filter-Status,X-Spam-Flag,X-Spam-Status
    • Syntax : NONE | List of comma separated headers
    • Default : NONE
  • REMOVE_SCORES (String) - List of headers to remove
    • X-ze-filter-Status,X-Spam-Flag,X-Spam-Status
    • Syntax : NONE | List of comma separated servers
    • Default : NONE

DNS Realtime Black/White Lists

  • DNS_IPRBWL (String) - Real-Time Black/White Lists
    • Syntax :
    • Default : ze-tables:DNS-IP-RBWL

Antispam checks (SMTP client behaviour)

  • CHECK_CONN_RATE (Option) - Enable connection rate limiting
    • When enabled, ze-filter will limit the number of connections, per SMTP client, evaluated on a sliding window of size 10 minutes
    • Values : NO/YES
    • Default : NO
  • MAX_CONN_RATE (Integer) - Max connection rate (can be redefined at ze-policy database)
    • This option defines the default max connection rate. This value can be overriden by those defined at policy database.
    • Default : 15
  • CHECK_OPEN_CONNECTIONS (Option) - Enable simultaneous connections limiting
    • When this feature is enabled, ze-filter will limit the number of simultaneous connections, per SMTP client.
    • Values : NO/YES
    • Default : NO
  • MAX_CONN_OPEN (Integer) - Max open connections for a single IP on unknown network
    • This option defines the default max number of simultaneous connections per SMTP client. This value can be overriden by those defined at policy database
    • Default : 10
  • CHECK_EMPTY_CONNECTIONS (Option) - Check the number of empty connections
    • Values : NO/YES
    • Default : NO
  • MAX_EMPTY_CONN (Integer) - Maximum number of empty connections over 4 hours
    • Default : 20
  • DELAY_CHECKS (Option) - Delay reject decisions
    • When this option is enabled, reject decisions based on client behaviour (rate limits, too many errors, …) are reported till the first SMTP MAIL command, when client authentication information may be available.
    • Values : NO/YES
    • Syntax :
    • Default : NO

Recipient checks

  • CHECK_BADRCPTS (Option) - Check the number or Bad Recipients
    • Values : NO/YES
    • Default : NO
  • MAX_BADRCPTS (Integer) - Maximum number of Bad Recipients over 4 hours
    • Default : 10
  • CHECK_RCPT_ACCESS (Option) - Recipient Access and validation
    • Values : NO/YES
    • Default : NO
  • DB_RCPT (String) - Recipient database path
    • Default : ze-rcpt.db
  • SPAMTRAP_RESULT (Option) - Result from SPAM TRAP check
    • Values : OK/REJECT/TEMPFAIL
    • Default : OK
  • CHECK_SPAMTRAP_HISTORY (Option) - Reject connections from clients sending messages to spam traps
    • Values : NO/YES
    • Default : NO
  • CHECK_RCPT_RATE (Option) - Limit recipient rate for each SMTP client
    • Values : NO/YES
    • Default : NO
  • MAX_RCPT_RATE (Integer) - Max recipient rate (can be redefined at ze-policy database)
    • Default : 100
  • CHECK_NB_RCPT (Option) - Check the number of recipients for each message
    • Values : NO/YES
    • Default : NO
  • MAX_RCPT (Integer) - Max recipient per message for connections coming from unknown network
    • Default : 200
  • CHECK_MSG_RATE (Option) - Limit recipient rate for each SMTP client
    • Values : NO/YES
    • Default : NO
  • MAX_MSG_RATE (Integer) - Max message rate (can be redefined at ze-policy database)
    • Default : 100
  • CHECK_NB_MSGS (Option) - Limit the number of messages per connection
    • Values : NO/YES
    • Default : NO
  • MAX_MSGS (Integer) - Maximum number of messages per connection
    • Default : 100

Envelope checks

  • REJECT_BADEHLO (Option) - Check EHLO parameters
    • Enable verification of EHLO contents.
    • Values : NO/YES
    • Syntax :
    • Default : NO
  • BADEHLO_CHECKS (String) - EHLO parameter checks
    • This option defines which verifications shall be done on EHLO parameter.
    • Syntax : InvalidChar,ForgedIP,NotBracketedIP,NotFQDN,IdentityTheft,Regex,All
    • Default : All
  • REJECT_BAD_NULL_SENDER (Option) - Check Bad '<>' Sender Address
    • When this option is enabled, messages which sender is the NULL SENDER (<>) and sent to more than one recipient and the connection come from a SMTP client which NetClass isn't KNOWN
    • Values : NO/YES
    • Default : NO
  • CHECK_BAD_SENDER_MX (Option) - Check Bad Sender MX
    • Enabling this option makes the filter check if the MX of the domain of the sender address is unreacheable, checking if the domain, hostname or IP address matches an entry at ze-policy database.
    • Values : NO/YES
    • Default : NO
  • DEFAULT_BAD_MX_REPLY (String) - Default BAD MX reply.
    • SMTP reply for this option.
    • Default : 421:4.5.1:Unreacheable domain. Try again later !

Antispam checks (Miscelaneous)

  • REJECT_DATE_IN_FUTURE (Option) - Check if message date is far in the future (> 24 hours)
    • Sometimes, spammers date the message in the future to make it appear at the top of unread messages.
    • Values : NO/YES
    • Default : NO
  • REJECT_DATE_IN_PAST (Option) - Check if message date is far in the past (> 1 year)
    • This option can detect spams with malformed date. But this option can reject old legitimate bounced messages
    • Values : NO/YES
    • Default : NO
  • REJECT_SHORT_BODIES (Option) - Reject messages whose body length is too short
    • Reject messages which body length is too short. Body length is evaluated on the raw body, including attached files, MIME tags, HTML tags, … In other words, all chars from since the end of the last header till the end of the message. OBS : this feature doesn't reject messages coming from known networks, nor messages typically sent by mail list manager software.
    • Values : NO/YES
    • Default : NO
  • MIN_BODY_LENGTH (Integer) - Minimum body length
    • This option defines the minimum message body length to accept.
    • Default : 10
  • DROP_DELIVERY_NOTIFICATION_REQUEST (Option) - Drop headers requesting delivery notification
    • When this option is enabled, existing headers asking for delivery notification are removed.
    • Values : NO/YES
    • Default : NO
  • ENCODING_BINARY (Option) - Full Binary encoded message (deprecated)
    • Values : OK/REJECT/TEMPFAIL
    • Default : OK
  • NO_TO_HEADERS (Option) - Messages without To header (deprecated)
    • Values : OK/REJECT/TEMPFAIL
    • Default : OK
  • NO_FROM_HEADERS (Option) - Messages without From header (deprecated)
    • Values : OK/REJECT/TEMPFAIL
    • Default : OK
  • NO_HEADERS (Option) - Messages with no header (deprecated)
    • Values : OK/REJECT/TEMPFAIL
    • Default : OK

Reverse resolution of SMTP client IP address

  • CHECK_RESOLVE_FAIL (Option) - What to do if client DNS resolution fails
    • Enable verification if client IP address has reverse resolution.
    • Values : NO/YES
    • Default : NO
  • CHECK_RESOLVE_FORGED (Option) - What to do if client DNS resolution is forged
    • Enable verification if client IP address is forged (direct and reverse resolution matches).
    • Values : NO/YES
    • Default : NO
  • MAX_BAD_RESOLVE (Integer) - —-
    • Maximum number of connections accepted on a temporal sliding window of length 4 hours, if SMTP client doesn't
    • Default : 10
  • RESOLVE_FAIL_NETCLASS (String) - Resolve Fail NetClass
    • This option defines, if its value isn't empty, a network class (NetClass) to assign to unknown SMTP clients without reverse IP address resolution.
    • Default :
  • RESOLVE_FORGED_NETCLASS (String) - Resolve Forged NetClass
    • This option defines, if its value isn't empty, a network class (NetClass) to assign to unknown SMTP clients which reverse and direct IP address resolutin doesn't doesn't match.
    • Default :

Greylisting

  • GREY_CHECK (Option) - Enable greylisting filter
    • Values : NO/YES
    • Default : NO
  • GREY_MODE (Option) - Greylist mode
    • This option defines if the filter is autonomous with its own data or if it's also access data in a ze-greyd greylisting server
    • Values : STANDALONE/CLIENT
    • Default : STANDALONE
  • GREY_SOCKET (String) - Remote Greylist Server Socket when running in CLIENT mode
    • When configured to access a ze-greyd server, this option defines the IP address and port where ze-greyd listens.
    • Default : inet:2012@127.0.0.1
  • GREY_CONNECT_TIMEOUT (Integer) - Timeout to connect go ze-grey server when running in CLIENT mode
    • Default : 10s
  • GREY_MIN_DELAY_NORMAL (Integer) - Greylist delay for normal messages
    • Default : 10m
  • GREY_MIN_DELAY_NULLSENDER (Integer) - Greylist delay for null sender messages
    • Default : 10m
  • GREY_MAX_DELAY_NORMAL (Integer) - Lifetime for pending entries (normal messages)
    • Default : 3d
  • GREY_MAX_DELAY_NULLSENDER (Integer) - Lifetime for pending entries (null sender messages)
    • Default : 6h
  • GREY_VALIDLIST_LIFETIME (Integer) - Lifetime for inactive whitelisted entries
    • Default : 1w
  • GREY_WHITELIST_LIFETIME (Integer) - Lifetime for inactive whitelisted entries
    • Default : 2w
  • GREY_BLACKLIST_LIFETIME (Integer) - Lifetime for blacklisted entries
    • Default : 1d
  • GREY_MAX_PENDING_NORMAL (Integer) - Max normal pending messages
    • The value of this option defines the maximum of entries waiting to be validated, per SMTP client, before adding new entries. Setting this option to 0 means no limit.
    • Syntax :
    • Default : 0
  • GREY_MAX_PENDING_NULLSENDER (Integer) - Max null sender pending messages
    • This option has the same meaning than GREY_MAX_PENDING_NORMAL, but applied to NULLSENDER.
    • Syntax :
    • Default : 0
  • GREY_COMPAT_DOMAIN_CHECK (Option) - Enable/disable domain compatibility (sender domain/SMTP client domain)
    • Values : NO/YES
    • Default : YES
  • GREY_IP_COMPONENT (String) - How to construct IP part of ntuple
    • Syntax : NONE | FULL | NET
    • Default : NET
  • GREY_FROM_COMPONENT (String) - How to construct FROM part of ntuple
    • Syntax : NONE | FULL | HOST | USER
    • Default : HOST
  • GREY_TO_COMPONENT (String) - How to construct TO part of ntuple
    • Syntax : NONE | FULL | HOST | USER
    • Default : FULL
  • GREY_REPLY (String) - Greylisting reply
    • When the greylisting filter rejects a message, this defines the reply codes and message to be sent back.
    • Syntax : 4nn:4.x.y:message
    • Default : 451:4.3.2:Temporary failure ! Come back later, please !
  • GREY_CLEANUP_INTERVAL (Integer) - Greylist database cleanup interval
    • Default : 10m
  • GREY_DEWHITE_FLAGS (String) - Which criteria utilise to purge greylisting databases ???
    • Syntax : None BadResolve DomainMatch BadRCPT SpamTrap BadMX BadClient Spammer All
    • Default : DomainMatch
  • GREY_LOG_FILE (String) - The expired entries log file
    • This is the file where expired entries can be logged. Don't enable this feature on busy servers
    • Syntax :
    • Default : J_GREY_LOG

Greylisting - ze-greyd specific

This section presents parameters which are exclusive to ze-greyd greylisting server.

  • GREYD_SOCKET_LISTEN (String) - ze-greyd Listen Socket
    • This is the ze-greyd server listening socket.
    • Default : inet:2012@0.0.0.0
  • GREYD_LOG_FACILITY (String) - syslog facility
    • Default : local6
  • GREYD_LOG_LEVEL (Integer) - ze-greyd log level
    • Default : 10
  • GREYDDIR (String) - ze-greyd working directory
    • The directory where ze-greyd will save its databases.
    • Default : J_GREYDDIR
  • GREYD_PID_FILE (String) - ze-greyd pid file
    • Default : J_GREYD_PID_FILE
  • GREYD_CLIENT_IDLE_MAX (Integer) - Maximum inactivity time (after this connection will be closed)
    • ze-greyd server will disconnect clients inactive longer than this delay.
    • Default : 300

Headline

General Parameters

  • VERSION (String) - Configuration file version
    • Default : 2.1.0-090520
  • MYSELF (String) - My own names, IPs and aliases
    • Default : 127.0.0.1 HOSTNAME
  • J_HOSTNAME (Option) - How to get mailserver hostname ?
    • Values : SYSTEM/SENDMAIL/OTHER
    • Default : SYSTEM
  • PRESENCE (Option) - Show/Hide presence (presence header)
    • Values : SHOW/HIDE
    • Default : SHOW
  • FOOTER (Option) - Show/Hide ze-filter signature at warning message
    • Values : SHOW/HIDE
    • Default : SHOW
  • FILTER_URL (String) - Filter URL (to be included on X-Miltered header)
    • Default : http : / / ze-filter dot ensmp dot fr
  • POLICY_URL (String) - Policy filtering URL - appended to reply messages
    • If your domain has a web page to inform people about your email policies, you define this option, with some URL, ze-filter will append a reference - See POLICY_URL - to each reply done in SMTP session
    • Default :
  • DAEMON_FILTER_DISABLE (String) - SMTP daemons to disable filtering
    • When your MTA is listening of different IP addresses and ports, it may be useful to enable/disable filtering for some of them. E.g., if you want to filter incoming messages but not outgoing messages (this isn't yet implemented).
    • Syntax : NAME:PORT, NAME:PORT, …
    • Default :

System parameters and Resources

  • USER (String) - Filter USER ID
    • The filter will run as this user ID
    • Default : smmsp
  • GROUP (String) - Filter GROUP ID
    • The filter will run as this group IP
    • Default : smmsp
  • FILE_DESCRIPTORS (String) - Number of available file descriptors (integer value or MAX)
    • Sets a limit on the number of file descriptors available to the filter : can be any value lower than the value set by the operating system (ulimit), or MAX to use that value.
    • Default : MAX
  • FD_FREE_SOFT_LIMIT (Integer) - Available file descriptors soft lower bound
    • When the number of file descriptors available is lower than this value, the filter will rejects connections coming from unknown NetClasses
    • Default : 100
  • FD_FREE_HARD_LIMIT (Integer) - Available file descriptors hard lower bound
    • When the number of file descriptors available is lower than this value, the filter will reject all connections.
    • Default : 50
  • USE_SELECT_LIMIT (Option) - Available file descriptors limited by select function
    • Use the lower value between FILE_DESCRIPTORS and FD_SELECT. This option can be disabled if libmilter was compiled with _FFR_WORKERS_POOL or SM_CONF_POLL
    • Values : NO/YES
    • Default : YES
  • CPU_IDLE_SOFT_LIMIT (Integer) - SOFT CPU Idle threshold to accept connections
    • When the CPU idle ratio is less than this value, the filter will reject connections coming from unknown Netclasses. No control is done when this value is 0.
    • Default : 0
  • CPU_IDLE_HARD_LIMIT (Integer) - HARD CPU Idle threshold to accept connections
    • When the CPU idle ratio is less than this value, the filter will reject all connections No control is done when this value is 0.
    • Default : 0
  • MAX_OPEN_CONNECTIONS (Integer) - Maximum number of simultaneous open connections
    • This is the global number of simultaneous connections the filter will handle the same time.
    • Default : 500

MTA Communications

  • SOCKET (String) - Communication socket between sendmail and ze-filter
    • Syntax : inet:PORT@HOSTNAME | local:SOCKET_PATH
    • Default : local:/var/run/ze-filter/ze-filter.sock
  • SM_TIMEOUT (Integer) - Inactivity timeout (milter ↔ sendmail connection)
    • The filter will close sendmail connections inactive for this value long. Busy servers shall be configured with a much lower value (~ 600 s shall be OK)
    • Default : 7200s

Control channel

This Section defines how ze-ndc command line tool communicates with ze-filter.

  • CTRL_CHANNEL_ENABLE (Option) - Enable remote control channel
    • Values : NO/YES
    • Default : YES
  • CTRL_SOCKET (String) - Control socket
    • Syntax : inet:PORT@HOSTNAME | local:SOCKET_PATH
    • Default : inet:2010@localhost
  • CTRL_ACCESS (Option) - How to do access control over control channel
    • You can disable access control (NONE) or define your rules at policy database (ACCESS). If you define the CTRL_SOCKET option listening with an IP address other than localhost you shall enable access control.
    • Values : NONE/ACCESS
    • Default : NONE

Configuration Files

  • CONFDIR (String) - ze-filter configuration directory
    • This is the directory where configuration files and tables will be put in.
    • Default : /etc/ze-filter
  • ERROR_MSG_FILE (String) - Notification template
    • This file contains templates for the notification messages sent when a virus or X-file is found inside a message.
    • Default : ze-error-msg
  • ACCESS_FILE (String) - ze-filter access data
    • Default : ze-access
  • AUTO_RELOAD_TABLES (Integer) - Periodic configuration reload interval
    • When this value is greater than 0s, ze-filter will periodically reload configuration data.
    • Default : 3600s
  • MODULES_CF (String) - Modules
    • Configuration file for dynamically loaded modules (not fully implemented)
    • Default : ze-modules

Logging

  • LOG_FACILITY (String) - syslog facility
    • Default : local5
  • LOG_LEVEL (Integer) - ze-filter log level
    • Default : 10
  • LOG_SEVERITY (Option) - Add a severity tag to syslog lines
    • When enabled, ze-filter log lines have a tag like “[ID 000000 local5.notice]”, useful in order to find lines with some specific priority (e.g. error)
    • Values : NO/YES
    • Default : NO
  • CLUSTER (Option) - Filter sharing resources inside a cluster (spool/server)
    • Values : NO/YES
    • Default : NO
  • LOG_ATTACHMENTS (Option) - Log attached files (using syslog)
    • Values : NO/YES
    • Default : NO
  • LOG_THROTTLE (Option) - Periodically log server throttle (using syslog)
    • Values : NO/YES
    • Default : YES
  • LOG_LOAD (Option) - Periodically log CPU load (using syslog)
    • Values : NO/YES
    • Default : YES
  • LOG_GREY_CLEANING (Option) - Log results of greylist database maintenance
    • Values : NO/YES
    • Default : NO
  • DUMP_COUNTERS (Option) - Periodically dump internal counters
    • Values : NO/YES
    • Default : YES
  • STATS_INTERVAL (Integer) - Time interval used to dump periodical data (load, throttle, …)
    • Default : 300
  • HISTORY_ENTRIES (Integer) - Number of entries of history (times 1024)
    • Default : 256

Spool and state Files

  • WORKROOT (String) - ze-filter root directory
    • Default : /var/ze-filter
  • WORKDIR (String) - ze-filter work directory (state and specific logs)
    • Default : /var/ze-filter/files
  • SPOOLDIR (String) - ze-filter message spool directory
    • Default : /var/spool/ze-filter
  • PID_FILE (String) - ze-filter pid file
    • Default : /var/run/ze-filter/ze-filter.pid
  • STATS_FILE (String) - STATS_FILE
    • Default : file:ze-stats

Quarantine and Archive management

  • CLEANUP_INTERVAL (Integer) - Quarantine directory clean-up interval
    • This option defined the periodicity at which the spool will be cleaned-up
    • Default : 6h
  • QUARANTINE_LIFETIME (Integer) - Quarantine
    • When the spool is cleaned-up, files older than this value will be removed
    • Default : 1d
  • QUARANTINE_ADD_FROM_LINE (Option) - Add From line to quarantine file ?
    • Values : NO/YES
    • Default : YES
  • QUARANTINE_LOG_FILE (String) - Quarantine log file
    • Default : file:ze-quarantine
  • ARCHIVE (Option) - Archiving messages
    • When this option is enabled, ze-filter will be able to save a copy of each message matching Archive policy.
    • Values : NO/YES
    • Default : NO

Modules

  • MODDIR (String) - Modules
    • Default : /usr/lib/ze-filter

Databases

  • WDBDIR (String) - ze-filter working databases directory
    • Default : /var/ze-filter/wdb

Constant Databases

  • CDBDIR (String) - ze-filter constant databases directory
    • Path of the directory where constant databases are installed
    • Default : /var/ze-filter/cdb
  • DB_CACHE_SIZE (Integer) - BerkeleyDB constant databases cache size
    • Size of memory cache used by constant databases
    • Default : 32M
  • DB_POLICY (String) - Policy database path
    • File name of policy database
    • Default : ze-policy.db
  • POLICY_CONFLICT (Option) - What to do if users policy conflit
    • This option defines how to decide which policy shall be applied when a message is sent to more than one recipient with incompatible policies.
    • Values : DEFAULT/ONE_WIN/MAJORITY_WIN
    • Default : DEFAULT
  • FROM_PASS_TOKEN (String) - Token
    • Not yet implemented
    • Default :
  • TO_PASS_TOKEN (String) - Token
    • Not yet implemented
    • Default :

Resolve cache database

  • RESOLVE_CACHE_ENABLE (Option) - Address resolution (IP address / hostname) cache
    • The address resolution cache is used to avoid DNS queries to resolve address resolutions when quering the filter for some statistics.
    • Values : NO/YES
    • Default : YES
  • RESOLVE_CACHE_SYNC (Integer) - Interval between cache synchronization
    • Default : 1m
  • RESOLVE_CACHE_CHECK (Integer) - Interval between cache maintenance
    • When enabled, this option defines the periodicity at which maintenance operations will take place.
    • Default : 1h
  • RESOLVE_CACHE_EXPIRE (Integer) - Expiration age of non refreshed entries
    • During maintenance, entries older than the value defined
    • Default : 2d

Sending Notification Messages

  • NOTIFY_SENDER (Option) - Enable sender notification
    • When this option is enabled, notifications after virus or X-Files are sent to the message sender. This is, most of the time, a bad idea as virus are usually spread using forged addresses.
    • Values : NO/YES
    • Default : NO
  • NOTIFY_RCPT (Option) - Enable recipient notification
    • When this option is enabled, notifications after virus or X-Files are sent to recipients
    • Values : NO/YES
    • Default : YES
  • J_SENDER (Option) - Sender address used for notification message
    • This option defines the sender of notifications appearing in headers and, for some versions of the MTA, the enveloppe. If the special value SENDER is used, the sender will be preserved.
    • Values : SENDER/OTHER
    • Default : SENDER
  • J_SUBJECT (Option) - Subject of replacement notification message
    • This option defines which will be the subject of the notification. If the special value SUBJECT is used then the message subject is preserved.
    • Values : SUBJECT/OTHER
    • Default : SUBJECT

Built-in X-File scanner

  • XFILES (Option) - What to do with X-files ? (OK, REJECT, NOTIFY, DISCARD)
    • Values : OK/REJECT/NOTIFY/DISCARD/X-HEADER
    • Default : OK
  • XFILES_FILE (String) - X-Files (file extension + MIME type) configuration
    • Default : ze-xfiles
  • XFILE_SAVE_MSG (Option) - Shall quarantine messages containing X-Files ?
    • Values : NO/YES
    • Default : YES
  • XFILE_SUBJECT_TAG (String) - Tag to be inserted on Subject
    • Default :
  • XFILES_LOG_FILE (String) - Detected X-Files log file
    • Default : file:ze-files

External virus scanner

This section contains the options to connect ze-filter to an external virus scanner and what to do with the results

  • SCANNER_ACTION (Option) -
    • This option enables the scanner and defines the action to perform whan a virus is found
    • Values : OK/REJECT/NOTIFY/DISCARD/X-HEADER
    • Default : OK
  • SCANNER_SOCK (String) - Communication socket between ze-filter and external scanner
    • This option defines the socket used by ze-filter to connect to the external scanner.
    • Syntax : inet:PORT@HOSTNAME | local:SOCKET_PATH
    • Default : inet:2002@localhost
  • SCANNER_PROTOCOL (Option) - Protocol
    • This option defines the protocol to be used with the scanner : CLAMAV or INTERNAL. The latter protocol type can be used by a generic scanner (see example at contrib directory).
    • Values : INTERNAL/CLAMAV
    • Default : CLAMAV
  • SCANNER_TIMEOUT (Integer) - Timeout waiting for the scanner answer
    • This option defines the communication timeout between ze-filter and the scanner. After this delay, if the scanner doesn't answer, ze-filter will drop the scanner answer.
    • Default : 15s
  • SCANNER_REJECT_ON_ERROR (Option) - Reject messages when scanner call returns an error
    • This option defines the appropriate ze-filter action when the scanner isn't available or times out : Reject (YES) or Temporary failure (NO).
    • Values : NO/YES
    • Default : NO
  • SCANNER_MAX_MSG_SIZE (Integer) - Max message size to pass to scanner
    • Only messages smaller than this size will be scanned.
    • Default : 100K
  • SCANNER_SAVE (Option) - Shall messages be quarantined ???
    • When this option is enabled, messages with virus detected by the scanner will be left in quarantine directory after the transaction ends.
    • Values : NO/YES
    • Default : YES
  • VIRUS_LOG_FILE (String) - Detected Virus log file
    • Virus found will be logged in this file.
    • Syntax : file:filename or udp:port@hostname
    • Default : file:ze-virus

Antispam checks (bayesian filter)

  • BAYESIAN_FILTER (Option) - Enable Bayesian filter
    • Values : NO/YES
    • Default : NO
  • BAYES_MAX_MESSAGE_SIZE (Integer) - Max message size
    • Default : 100K
  • BAYES_MAX_PART_SIZE (Integer) - Max message part size
    • Default : 30K
  • BAYES_HAM_SPAM_RATIO (Integer) - Ratio HAM/SPAM (times 1000)
    • Default : 1000
  • BAYES_NB_TOKENS (Integer) - Number of tokens to consider
    • Default : 64
  • BAYES_UNKNOWN_TOKEN_PROB (Integer) - Probability assigned to unknown tokens (times 1000)
    • Default : 500
  • DB_BAYES (String) - Path of bayes tokens database
    • Default : ze-bayes.db

Antispam content check - URL Filtering (URLBL)

  • SPAM_URLBL (Option) - Do pattern matching
    • Values : NO/YES
    • Default : NO
  • DB_URLBL (String) - Database Real-Time URL Blacklist (used for content checking)
    • Default : ze-urlbl.db
  • DNS_URLBL (String) - DNS Real-Time URL Blacklist (used for content checking)
    • Syntax : RBL[/CODE[/SCORE]] - multi.surbl.org/127.0.0.1/10
    • Default : ze-tables:DNS-URLBL

Antispam content check - Pattern Matching (REGEX)

  • SPAM_REGEX (Option) - Do pattern matching
    • Values : NO/YES
    • Default : NO
  • REGEX_FILE (String) - Regular expressions configuration file
    • Default : ze-regex
  • REGEX_MAX_SCORE (Integer) - Stop doing pattern matching when score is reached
    • Default : 50
  • SPAM_REGEX_MAX_MSG_SIZE (Integer) - Max message size to do pattern matching
    • Default : 40000
  • SPAM_REGEX_MAX_MIME_SIZE (Integer) - Max message size to do pattern matching
    • Default : 15000
  • DUMP_FOUND_REGEX (Option) - Log founded regular expressions to file
    • Values : NO/YES
    • Default : YES
  • REGEX_LOG_FILE (String) - Matched pattern log file
    • Default : file:ze-regex

Antispam content check - Heuristic filtering (ORACLE)

  • SPAM_ORACLE (Option) - Do heuristic filtering
    • Values : NO/YES
    • Default : NO
  • ORACLE_SCORES_FILE (String) - Oracle scores
    • Default : ze-oracle:ORACLE-SCORES
  • ORACLE_DATA_FILE (String) - Some oracle definitions
    • Default : ze-oracle:ORACLE-DATA
  • LOG_LEVEL_ORACLE (Integer) - Heuristic filter log level (0, 1 or 2)
    • Default : 1
  • ORACLE_STATS_FILE (String) - Statistics for Oracle (dumped each STATISTICS_INTERVAL seconds)
    • Default : oracle-stats.log
  • ORACLE_COUNTERS_FILE (String) - Persistent state of Oracle
    • Default : oracle-counters.log

Antispam content check - Resulting score handling

  • SCORE_ON_SUBJECT (Option) - Shall message score be inserted on Subject Header ?
    • Values : NO/YES
    • Default : NO
  • SCORE_ON_SUBJECT_TAG (String) - Tag to be inserted on Subject ?
    • Default :
  • XSTATUS_HEADER (String) - Status header
    • Default : X-ze-filter-Status
  • XSTATUS_HEADER_HI_CONDITION (String) - When to add a 'X-ze-filter-Status: HI' Header
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default : score > 0.75
  • XSTATUS_HEADER_LO_CONDITION (String) - When to add a 'X-ze-filter-Status: LO' Header
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default : score > 0.7
  • XSTATUS_HEADER_UNSURE_CONDITION (String) - When to add a 'X-ze-filter-Status: UNSURE' Header
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default : score > 0.25
  • XSTATUS_HEADER_HAM_CONDITION (String) - When to add a 'X-ze-filter-Status: HAM' Header
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default : score < 0.25
  • XSTATUS_REJECT_CONDITION (String) - Reject message if this regular expression matches X-ze-filter-score header
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default :
  • XSTATUS_REJECT_ONLY_UNKNOWN (Option) -
    • Values : NO/YES
    • Syntax :
    • Default : YES
  • XSTATUS_QUARANTINE_CONDITION (String) - If this regular expression matches X-ze-filter-score header, the message is quarantined
    • Syntax : Ex : (U=####|B=0.9|B=0.8|XXXX.*B=0.7)
    • Default :
  • PRESERVE_OLD_SCORES (String) - Preserve score headers added by previous ze-filter filters
    • Syntax : ALL | NONE | List of SMTP gateways
    • Default : ALL
  • REMOVE_OLD_SCORES (String) - Remove score headers added by previous ze-filter filters
    • Syntax : ALL | NONE | List of SMTP gateways
    • Default : NONE

DNS Realtime Black/White Lists

  • DNS_IPRBWL (String) - Real-Time Black/White Lists
    • Syntax :
    • Default : ze-tables:DNS-IP-RBWL

Antispam checks (SMTP client behaviour)

  • CHECK_CONN_RATE (Option) - Enable connection rate limiting
    • When enabled, ze-filter will limit the number of connections, per SMTP client, evaluated on a sliding window of size 10 minutes
    • Values : NO/YES
    • Default : NO
  • MAX_CONN_RATE (Integer) - Max connection rate (can be redefined at ze-policy database)
    • This option defines the default max connection rate. This value can be overriden by those defined at policy database.
    • Default : 15
  • CHECK_OPEN_CONNECTIONS (Option) - Enable simultaneous connections limiting
    • When this feature is enabled, ze-filter will limit the number of simultaneous connections, per SMTP client.
    • Values : NO/YES
    • Default : NO
  • MAX_CONN_OPEN (Integer) - Max open connections for a single IP on unknown network
    • This option defines the default max number of simultaneous connections per SMTP client. This value can be overriden by those defined at policy database
    • Default : 10
  • CHECK_EMPTY_CONNECTIONS (Option) - Check the number of empty connections
    • Values : NO/YES
    • Default : NO
  • MAX_EMPTY_CONN (Integer) - Maximum number of empty connections over 4 hours
    • Default : 20
  • DELAY_REJECT (Option) - Delay reject decisions
    • When this option is enabled, reject decisions based on client behaviour (rate limits, too many errors, …) are reported till the first SMTP MAIL command, when client authentication information may be available.
    • Values : NO/YES
    • Default : NO

Recipient checks

  • CHECK_BADRCPTS (Option) - Check the number or Bad Recipients
    • Values : NO/YES
    • Default : NO
  • MAX_BADRCPTS (Integer) - Maximum number of Bad Recipients over 4 hours
    • Default : 10
  • CHECK_RCPT_ACCESS (Option) - Recipient Access and validation
    • Values : NO/YES
    • Default : NO
  • DB_RCPT (String) - Recipient database path
    • Default : ze-rcpt.db
  • SPAMTRAP_RESULT (Option) - Result from SPAM TRAP check
    • Values : OK/REJECT/TEMPFAIL
    • Default : OK
  • CHECK_SPAMTRAP_HISTORY (Option) - Reject connections from clients sending messages to spam traps
    • Values : NO/YES
    • Default : NO
  • CHECK_RCPT_RATE (Option) - Limit recipient rate for each SMTP client
    • Values : NO/YES
    • Default : NO
  • MAX_RCPT_RATE (Integer) - Max recipient rate (can be redefined at ze-policy database)
    • Default : 100
  • CHECK_NB_RCPT (Option) - Check the number of recipients for each message
    • Values : NO/YES
    • Default : NO
  • MAX_RCPT (Integer) - Max recipient per message for connections coming from unknown network
    • Default : 200
  • CHECK_MSG_RATE (Option) - Limit recipient rate for each SMTP client
    • Values : NO/YES
    • Default : NO
  • MAX_MSG_RATE (Integer) - Max message rate (can be redefined at ze-policy database)
    • Default : 100
  • CHECK_NB_MSGS (Option) - Limit the number of messages per connection
    • Values : NO/YES
    • Default : NO
  • MAX_MSGS (Integer) - Maximum number of messages per connection
    • Default : 100

Envelope checks

  • CHECK_BADEHLO (Option) - Check EHLO parameters
    • Enable verification of EHLO contents.
    • Values : NO/YES
    • Default : NO
  • BADEHLO_CHECKS (String) - EHLO parameter checks
    • This option defines which verifications shall be done on EHLO parameter.
    • Syntax : InvalidChar,ForgedIP,NonBracketedIP,NonFQDN,IdentityTheft,All
    • Default : All
  • CHECK_BAD_NULL_SENDER (Option) - Check Bad '<>' Sender Address
    • When this option is enabled, messages which sender is the NULL SENDER (<>) and sent to more than one recipient and the connection come from a SMTP client which NetClass isn't KNOWN
    • Values : NO/YES
    • Default : NO
  • CHECK_BAD_SENDER_MX (Option) - Check Bad Sender MX
    • Enabling this option makes the filter check if the MX of the domain of the sender address is unreacheable, checking if the domain, hostname or IP address matches an entry at ze-policy database.
    • Values : NO/YES
    • Default : NO
  • DEFAULT_BAD_MX_REPLY (String) - Default BAD MX reply.
    • SMTP reply for this option.
    • Default : 421:4.5.1:Unreacheable domain. Try again later !

Antispam checks (Miscelaneous)

  • CHECK_DATE_IN_FUTURE (Option) - Check if message date is far in the future (> 24 hours)
    • Sometimes, spammers date the message in the future to make it appear at the top of unread messages.
    • Values : NO/YES
    • Default : NO
  • CHECK_DATE_IN_PAST (Option) - Check if message date is far in the past (> 1 year)
    • This option can detect spams with malformed date. But this option can reject old legitimate bounced messages
    • Values : NO/YES
    • Default : NO
  • REJECT_SHORT_BODIES (Option) - Reject messages whose body length is too short
    • Reject messages which body length is too short. Body length is evaluated on the raw body, including attached files, MIME tags, HTML tags, … In other words, all chars from since the end of the last header till the end of the message. OBS : this feature doesn't reject messages coming from known networks, nor messages typically sent by mail list manager software.
    • Values : NO/YES
    • Default : NO
  • MIN_BODY_LENGTH (Integer) - Minimum body length
    • This option defines the minimum message body length to accept.
    • Default : 10
  • DROP_DELIVERY_NOTIFICATION_REQUEST (Option) - Drop headers requesting delivery notification
    • When this option is enabled, existing headers asking for delivery notification are removed.
    • Values : NO/YES
    • Default : NO
  • ENCODING_BINARY (Option) - Full Binary encoded message (deprecated)
    • Values : OK/REJECT/TEMPFAIL
    • Default : OK
  • NO_TO_HEADERS (Option) - Messages without To header (deprecated)
    • Values : OK/REJECT/TEMPFAIL
    • Default : OK
  • NO_FROM_HEADERS (Option) - Messages without From header (deprecated)
    • Values : OK/REJECT/TEMPFAIL
    • Default : OK
  • NO_HEADERS (Option) - Messages with no header (deprecated)
    • Values : OK/REJECT/TEMPFAIL
    • Default : OK

Reverse resolution of SMTP client IP address

  • CHECK_RESOLVE_FAIL (Option) - What to do if client DNS resolution fails
    • Enable verification if client IP address has reverse resolution.
    • Values : NO/YES
    • Default : NO
  • CHECK_RESOLVE_FORGED (Option) - What to do if client DNS resolution is forged
    • Enable verification if client IP address is forged (direct and reverse resolution matches).
    • Values : NO/YES
    • Default : NO
  • MAX_BAD_RESOLVE (Integer) - —-
    • Maximum number of connections accepted on a temporal sliding window of length 4 hours, if SMTP client doesn't
    • Default : 10
  • RESOLVE_FAIL_NETCLASS (String) - Resolve Fail NetClass
    • This option defines, if its value isn't empty, a network class (NetClass) to assign to unknown SMTP clients without reverse IP address resolution.
    • Default :
  • RESOLVE_FORGED_NETCLASS (String) - Resolve Forged NetClass
    • This option defines, if its value isn't empty, a network class (NetClass) to assign to unknown SMTP clients which reverse and direct IP address resolutin doesn't doesn't match.
    • Default :

Greylisting

  • GREY_CHECK (Option) - Enable greylisting filter
    • Values : NO/YES
    • Default : NO
  • GREY_MODE (Option) - Greylist mode
    • This option defines if the filter is autonomous with its own data or if it's also access data in a ze-greyd greylisting server
    • Values : STANDALONE/CLIENT
    • Default : STANDALONE
  • GREY_SOCKET (String) - Remote Greylist Server Socket when running in CLIENT mode
    • When configured to access a ze-greyd server, this option defines the IP address and port where ze-greyd listens.
    • Default : inet:2012@127.0.0.1
  • GREY_CONNECT_TIMEOUT (Integer) - Timeout to connect go ze-grey server when running in CLIENT mode
    • Default : 10s
  • GREY_MIN_DELAY_NORMAL (Integer) - Greylist delay for normal messages
    • Default : 10m
  • GREY_MIN_DELAY_NULLSENDER (Integer) - Greylist delay for null sender messages
    • Default : 10m
  • GREY_MAX_DELAY_NORMAL (Integer) - Lifetime for pending entries (normal messages)
    • Default : 3d
  • GREY_MAX_DELAY_NULLSENDER (Integer) - Lifetime for pending entries (null sender messages)
    • Default : 6h
  • GREY_VALIDLIST_LIFETIME (Integer) - Lifetime for inactive whitelisted entries
    • Default : 1w
  • GREY_WHITELIST_LIFETIME (Integer) - Lifetime for inactive whitelisted entries
    • Default : 2w
  • GREY_BLACKLIST_LIFETIME (Integer) - Lifetime for blacklisted entries
    • Default : 1d
  • GREY_MAX_PENDING_NORMAL (Integer) - Max normal pending messages
    • The value of this option defines the maximum of entries waiting to be validated, per SMTP client, before adding new entries. Setting this option to 0 means no limit.
    • Syntax :
    • Default : 0
  • GREY_MAX_PENDING_NULLSENDER (Integer) - Max null sender pending messages
    • This option has the same meaning than GREY_MAX_PENDING_NORMAL, but applied to NULLSENDER.
    • Syntax :
    • Default : 0
  • GREY_COMPAT_DOMAIN_CHECK (Option) - Enable/disable domain compatibility (sender domain/SMTP client domain)
    • Values : NO/YES
    • Default : YES
  • GREY_IP_COMPONENT (String) - How to construct IP part of ntuple
    • Syntax : NONE | FULL | NET
    • Default : NET
  • GREY_FROM_COMPONENT (String) - How to construct FROM part of ntuple
    • Syntax : NONE | FULL | HOST | USER
    • Default : HOST
  • GREY_TO_COMPONENT (String) - How to construct TO part of ntuple
    • Syntax : NONE | FULL | HOST | USER
    • Default : FULL
  • GREY_REPLY (String) - Greylisting reply
    • When the greylisting filter rejects a message, this defines the reply codes and message to be sent back.
    • Syntax : 4nn:4.x.y:message
    • Default : 451:4.3.2:Temporary failure ! Come back later, please !
  • GREY_CLEANUP_INTERVAL (Integer) - Greylist database cleanup interval
    • Default : 10m
  • GREY_DEWHITE_FLAGS (String) - Which criteria utilise to purge greylisting databases ???
    • Syntax : None BadResolve DomainMatch BadRCPT SpamTrap BadMX BadClient Spammer All
    • Default : DomainMatch
  • GREY_LOG_FILE (String) - The expired entries log file
    • This is the file where expired entries can be logged. Don't enable this feature on busy servers
    • Default : file:ze-grey-expire

Greylisting - ze-greyd specific

This section presents parameters which are exclusive to ze-greyd greylisting server.

  • GREYD_SOCKET_LISTEN (String) - ze-greyd Listen Socket
    • This is the ze-greyd server listening socket.
    • Default : inet:2012@0.0.0.0
  • GREYD_LOG_FACILITY (String) - syslog facility
    • Default : local6
  • GREYD_LOG_LEVEL (Integer) - ze-greyd log level
    • Default : 10
  • GREYDDIR (String) - ze-greyd working directory
    • The directory where ze-greyd will save its databases.
    • Default : /var/ze-filter/jgreydb
  • GREYD_PID_FILE (String) - ze-greyd pid file
    • Default : /var/run/ze-filter/ze-greyd.pid
  • GREYD_CLIENT_IDLE_MAX (Integer) - Maximum inactivity time (after this connection will be closed)
    • ze-greyd server will disconnect clients inactive longer than this delay.
    • Default : 300
doc/reference/cffiles/ze_filter.txt · Last modified: 2017/12/01 13:21 by 127.0.0.1
CC Attribution-Noncommercial-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0