Table of Contents

ze-ndc

ze-ndc is a command line tool which allows you to interact directly with the filter - verify its internal state, get some statistics, modify its configuration or send commands to it without having to stop and restart it.

ze-filter has a telnet like server listening on some INET port. ze-ndc is a simple telnet like client which helps you to communicate with the filter.

Examples
  • To list all SMTP connections currently being handled by ze-filter :
ze-ndc stats connopen
  • To modify the value of some configuration option, e.g. disable XFILEs checking, without stopping and restarting the filter :
ze-ndc setcf XFILES OK
  • To reload configuration files
ze-ndc reconfig

ze-ndc configuration file

ze-ndc looks for its ze-ndc.cf configuration file, in this order, inside /etc/ze-filter and /etc. You can use it to define which address and port number, if the instance of ze-filter to be contacted isn't the default one : 127.0.0.1:2010. 

# Default address
#HOST       = 127.0.0.1
#
# Default listening port
#PORT       = 2010

ze-filter configuration file

You can configure ze-filter to enable or not it's control channel - unless you have a very good reason to do not enable it, this feature shall be enabled. ze-filter does a very simple access control, based on IP addresses. 

CTRL_CHANNEL_ENABLE            YES
CTRL_SOCKET                    inet:2010@localhost
CTRL_ACCESS                    NONE

If you set the option CTRL_ACCESS to the value ACCESS, then you can define, at ze-policy database (see below) which IP addresses will be able to connect the the filter control channel.

The channel access control is based only on IP address. If the control channel is configured to listen only on localhost IP address, you can eventually disable access control. But this also means that any user being able to log in into the mail server have access to the filter control channel. You shall not disable access control if the control channel is listening on any address other than localhost.

Access control

If you configure the control channel to listen only on IP address 127.0.0.1, you can disable access control. If this isn't the case, you shall list which hosts can connect into the control channel (ze-policy database). 
CtrlChan:DEFAULT               REJECT
CtrlChan:127.0.0.1             OK
CtrlChan:194.214.168.176       OK

Getting help

ze-ndc can print some limited help information, which explain only how to launch it.

-h
$ ze-ndc -h
* Trying /etc/ze-filter/ze-ndc.cf
Usage:
   ze-ndc [-h] [-s server] [-p port] command
     Use the ze-ndc script to send a command to the filter.
   Options :
     -h    : This message
     -s    : Server name/address
     -p    : Server port
     -d    : debug
   Commands :
     HELP
     ...
     To know the list of all available commandes type :
            ze-ndc help

If you can launch it, ze-ndc can connect to the filter and ask him for help on the features available on the filter.

help
$ ze-ndc help
...
$ ze-ndc help setcf
* Trying /etc/ze-filter/ze-ndc.cf
# [Connected to localhost:2010]
200 OK - Waiting for commands !
200 Joe's ze-filter v2.0.0-090131
  SETCF
    * Modify running configuration (overrides ze-filter values)
    * Syntax :
      ze-ndc SETCF option value
200 OK !!

Although it may seen too complicated to create a connection to the filter to get help, it's useful if you're using ze-ndc on network where more than one filter is running and they don't have the same configuration or even the same version.