Difference between revisions of "Qpsmtpd/sme11"

From SME Server
Jump to navigationJump to search
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
{{WIP box|this is a work in progress for the new SME 11 qpsmtpd configuration}}
 
{{WIP box|this is a work in progress for the new SME 11 qpsmtpd configuration}}
 +
 +
TODO: update [[Email#qpsmtpd]] for SME11
  
 
=qpsmtpd=
 
=qpsmtpd=
Line 280: Line 282:
 
|
 
|
 
|-
 
|-
 +
|MaximumDateOffset
 +
|(0)
 +
|
 +
|
 +
|
 +
|-
 +
|MaxLoad
 +
|(7)
 +
|
 +
|
 +
|
 +
|-
 +
|SPFRejectPolicy
 +
|(0)[0-4]
 +
|
 +
|
 +
|
 +
|-
 +
|DMARCReject
 +
|<nowiki>(disabled)[enabled|disabled]</nowiki>
 +
|
 +
|
 
|
 
|
 +
|-
 +
|DMARCReporting
 +
|<nowiki>(enabled)[enabled|disabled]</nowiki>
 
|
 
|
 +
|
 +
|
 +
|-
 +
|disclaimer
 +
|<nowiki>(disabled)[enabled|disabled]</nowiki>
 
|
 
|
 
|
 
|
Line 666: Line 698:
 
|-
 
|-
 
|16resolvable_fromhost
 
|16resolvable_fromhost
|
+
|resolvable_fromhost
 
|X
 
|X
 
|
 
|
Line 674: Line 706:
 
|-
 
|-
 
|17headers
 
|17headers
|
+
|headers future $days past $days" if ($days)
 
|
 
|
 
|
 
|
Line 682: Line 714:
 
|-
 
|-
 
|19loadcheck
 
|19loadcheck
|
+
|<nowiki>loadcheck max_load { $qpsmtpd{MaxLoad} || '7' }</nowiki>
 
|X
 
|X
 
|
 
|
Line 690: Line 722:
 
|-
 
|-
 
|20rhsbl
 
|20rhsbl
|
+
|rhsbl
 
|X
 
|X
 
|
 
|
Line 698: Line 730:
 
|-
 
|-
 
|221spf
 
|221spf
|
+
|<nowiki>sender_permitted_from reject 1 no_dmarc_policy { $qpsmtpd{SPFRejectPolicy} || '0' }</nowiki>
 
|X
 
|X
 
|
 
|
 
|X
 
|X
 
|
 
|
|
+
|change default to 1
 
|-
 
|-
 
|222dkim
 
|222dkim
|
+
|dkim reject 0
 
|
 
|
 
|
 
|
Line 714: Line 746:
 
|-
 
|-
 
|223dmarc
 
|223dmarc
|
+
|<nowiki>marc reject { (( $qpsmtpd{DMARCReject} || 'disabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' } reporting { (( $qpsmtpd{DMARCReporting} || 'enabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' }</nowiki>
 
|X
 
|X
 
|
 
|
Line 722: Line 754:
 
|-
 
|-
 
|22dnsbl
 
|22dnsbl
|
+
|dnsbl reject naughty
 
|X
 
|X
 
|
 
|
Line 730: Line 762:
 
|-
 
|-
 
|23naughty
 
|23naughty
|
+
|naughty reject mail
 
|X
 
|X
 
|
 
|
Line 738: Line 770:
 
|-
 
|-
 
|24uribl
 
|24uribl
|
+
|uribl action deny
 
|
 
|
 
|
 
|
Line 746: Line 778:
 
|-
 
|-
 
|30badmailfrom
 
|30badmailfrom
|
+
|badmailfrom
 
|
 
|
 
|
 
|
Line 754: Line 786:
 
|-
 
|-
 
|34badrcptto
 
|34badrcptto
|
+
|badrcptto
 
|
 
|
 
|X
 
|X
Line 762: Line 794:
 
|-
 
|-
 
|34badrcptto_ext
 
|34badrcptto_ext
|
+
|badrcptto more_badrcptto badrcptto_ext
 
|X
 
|X
 
|
 
|
Line 770: Line 802:
 
|-
 
|-
 
|37check_smtp_forward
 
|37check_smtp_forward
 +
|check_smtp_forward
 
|
 
|
 
|
 
|
 
|
 
|
 
|
 
|
|
+
|needed for submission ?
|
 
 
|-
 
|-
 
|38check_goodrcptto
 
|38check_goodrcptto
|
+
|check_goodrcptto extn -
 
|
 
|
 
|
 
|
Line 786: Line 818:
 
|-
 
|-
 
|39rcpt_ok
 
|39rcpt_ok
|
+
|rcpt_ok
 
|
 
|
 
|
 
|
Line 794: Line 826:
 
|-
 
|-
 
|62pattern_filter
 
|62pattern_filter
|
+
|virus/pattern_filter check=patterns action=deny
 
|
 
|
 
|
 
|
Line 802: Line 834:
 
|-
 
|-
 
|62tnef2mime
 
|62tnef2mime
|
+
|tnef2mime
 
|
 
|
 
|
 
|
Line 810: Line 842:
 
|-
 
|-
 
|65disclaimer
 
|65disclaimer
|
+
|disclaimer
 
|
 
|
 
|X
 
|X
 
|
 
|
 
|X
 
|X
|
+
|missing disclaimer_file definition?
 
|-
 
|-
 
|70spamassassin
 
|70spamassassin
|
+
|spamassassin reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize}
 
|X
 
|X
 
|
 
|
Line 826: Line 858:
 
|-
 
|-
 
|71forcespamcheck
 
|71forcespamcheck
|
+
|forcespamcheck reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize}
 
|
 
|
 
|X
 
|X
Line 834: Line 866:
 
|-
 
|-
 
|80clamav
 
|80clamav
|
+
|virus/clamdscan scan_all yes clamd_socket /run/clamd/clamd.socket defer_on_error yes max_size $max_size
 
|
 
|
 
|
 
|
Line 842: Line 874:
 
|-
 
|-
 
|90queue-qmail-queue
 
|90queue-qmail-queue
 +
|queue/qmail-queue
 
|
 
|
 
|
 
|
 
|
 
|
 
|
 
|
|
+
|also content commented to remove ?
|
 
 
|-
 
|-
 
|90queue-smtp-forward
 
|90queue-smtp-forward
|
+
|# commented out
 
|
 
|
 
|
 
|
Line 859: Line 891:
  
 
==Upgrade Considerations==
 
==Upgrade Considerations==
 +
we used check_badcountries for a while, but could we switch back to ident/geoip ?
 +
 +
whitelist plugin :  adding the ip-range whitelist; add login of ip
 +
 
===A-Record DNSBL Services===
 
===A-Record DNSBL Services===
 
:Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record.  The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database.  In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma.
 
:Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record.  The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database.  In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma.
Line 887: Line 923:
  
 
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2; border:1px solid grey;">
 
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2; border:1px solid grey;">
<tt><nowiki>+  New in SME 9.2</nowiki><br>
+
<tt>+  New in SME 11<br>
 
<nowiki>*  Improved or changed in SME 9.2</nowiki><br>
 
<nowiki>*  Improved or changed in SME 9.2</nowiki><br>
 
<nowiki>U  Unused (by default) in SME Server</nowiki><br>
 
<nowiki>U  Unused (by default) in SME Server</nowiki><br>
Line 893: Line 929:
 
<nowiki>CW  Contrib or Wiki page exists that uses this plugin</nowiki><br>
 
<nowiki>CW  Contrib or Wiki page exists that uses this plugin</nowiki><br>
 
<nowiki>SM Can be configured using server-manager</nowiki><br>
 
<nowiki>SM Can be configured using server-manager</nowiki><br>
<nowiki>DB Can be configured using db variables</nowiki><br>
+
<nowiki>DB Can be configured using db variables</nowiki></tt>
 +
 
 +
<tt>X Provided by a contrib, not in qpsmtpd git<br>
 
<nowiki>AC Auto-configured by SME Server</nowiki></tt>
 
<nowiki>AC Auto-configured by SME Server</nowiki></tt>
 
</div><br>
 
</div><br>
Line 911: Line 949:
 
*[[Qpsmtpd:badrcptto|badrcptto]] (AC)
 
*[[Qpsmtpd:badrcptto|badrcptto]] (AC)
 
*[[Qpsmtpd:bcc|bcc]] (U DB)
 
*[[Qpsmtpd:bcc|bcc]] (U DB)
*[[Qpsmtpd:bogus_bounce|bogus_bounce]] (+ DB)
+
*[[Qpsmtpd:bogus_bounce|bogus_bounce]] (DB)
 +
*check_badcountries (X [[GeoIP|CW]])
 
*[[Qpsmtpd:check_goodrcptto|check_goodrcptto]] (AC)
 
*[[Qpsmtpd:check_goodrcptto|check_goodrcptto]] (AC)
 
*[[Qpsmtpd:check_smtp_forward|check_smtp_forward]] (AC)
 
*[[Qpsmtpd:check_smtp_forward|check_smtp_forward]] (AC)
Line 921: Line 960:
 
*[[Qpsmtpd:dkim|dkim]] (+ DB E)
 
*[[Qpsmtpd:dkim|dkim]] (+ DB E)
 
*[[Qpsmtpd:dkim_sign|dkim_sign]] (+ DB E)
 
*[[Qpsmtpd:dkim_sign|dkim_sign]] (+ DB E)
*[[Qpsmtpd:dmarc|dmarc]] (+ DB E)
+
*[[Qpsmtpd:dmarc|dmarc]] (DB E)
 
*[[Email#Real-time_Blackhole_List_.28RBL.29|dnsbl]] (* DB CW)
 
*[[Email#Real-time_Blackhole_List_.28RBL.29|dnsbl]] (* DB CW)
 
*[[Qpsmtpd:dns_whitelist_soft|dns_whitelist_soft]] (U)
 
*[[Qpsmtpd:dns_whitelist_soft|dns_whitelist_soft]] (U)
Line 927: Line 966:
 
*[[Qpsmtpd:dont_require_anglebrackets|dont_require_anglebrackets]] (U)
 
*[[Qpsmtpd:dont_require_anglebrackets|dont_require_anglebrackets]] (U)
 
*[[Qpsmtpd:dspam|dspam]] (U)
 
*[[Qpsmtpd:dspam|dspam]] (U)
*[[Qpsmtpd_check_earlytalker|earlytalker]] (AC CW)
+
*[[Qpsmtpd_check_earlytalker|earlytalker]] (AC [[Qpsmtpd check earlytalker|CW]])
 
*[[Qpsmtpd:exe_filter|exe_filter]] (U AC)
 
*[[Qpsmtpd:exe_filter|exe_filter]] (U AC)
 
*[[Qpsmtpd:fcrdns|fcrdns]] (U)
 
*[[Qpsmtpd:fcrdns|fcrdns]] (U)
Line 946: Line 985:
 
*[[Qpsmtpd:loop|loop]] (U)
 
*[[Qpsmtpd:loop|loop]] (U)
 
*[[Qpsmtpd:milter|milter]] (U)
 
*[[Qpsmtpd:milter|milter]] (U)
*[[Qpsmtpd:naughty|naughty]] (+)
+
*[[Qpsmtpd:naughty|naughty]] ()
 
*[[Qpsmtpd:noop_counter|noop_counter]] (U)
 
*[[Qpsmtpd:noop_counter|noop_counter]] (U)
 
*[[Qpsmtpd:parse_addr_withhelo|parse_addr_withhelo]] (U)
 
*[[Qpsmtpd:parse_addr_withhelo|parse_addr_withhelo]] (U)
Line 962: Line 1,001:
 
*[[Qpsmtpd:resolvable_fromhost|resolvable_fromhost]] (AC)
 
*[[Qpsmtpd:resolvable_fromhost|resolvable_fromhost]] (AC)
 
*[[Email#Real-time_Blackhole_List_.28RBL.29|rhsbl]] (* DB CW)
 
*[[Email#Real-time_Blackhole_List_.28RBL.29|rhsbl]] (* DB CW)
*[[Qpsmtpd:sender_permitted_from|sender_permitted_from]] (+?)
+
*[[Qpsmtpd:sender_permitted_from|sender_permitted_from]] (?)
 
*[[Email#Spamassassin|spamassassin]] (DB SM AC CW)
 
*[[Email#Spamassassin|spamassassin]] (DB SM AC CW)
 
*[[Qpsmtpd:stunnel|stunnel]] (U)
 
*[[Qpsmtpd:stunnel|stunnel]] (U)
Line 968: Line 1,007:
 
*[[Qpsmtpd:tls_cert|tls_cert]]
 
*[[Qpsmtpd:tls_cert|tls_cert]]
 
*[[Qpsmtpd:tnef2mime|tnef2mime]] (AC)
 
*[[Qpsmtpd:tnef2mime|tnef2mime]] (AC)
*[[Qpsmtpd:uribl|uribl]] (+ DB)
+
*[[Qpsmtpd:uribl|uribl]] (DB)
 
*[[Qpsmtpd:user_config|user_config]] (U)
 
*[[Qpsmtpd:user_config|user_config]] (U)
 
*[[Virus:Email_Attachment_Blocking|virus]] (DB SM CW)
 
*[[Virus:Email_Attachment_Blocking|virus]] (DB SM CW)

Latest revision as of 22:45, 28 April 2024

Warning.png Work in Progress:
this is a work in progress for the new SME 11 qpsmtpd configuration has marked this page as a Work in Progress. The contents off this page may be in flux, please have a look at this page history the to see list of changes.


TODO: update Email#qpsmtpd for SME11

qpsmtpd

qpsmtpd has been a core component of SME Server since SME 7, providing advanced spam fighting capabilities.

SME Server 9.2 introduced qpsmtpd 0.96 with several new capabilities. At the same time, smeserver-qpsmtpd has been updated to provide additional SME Server configuration options.

SME Server 10 start moving the services to systemd.

SME Server 11 will upgrade to qpsmtpd 1.0. At the same time, smeserver-qpsmtpd has been updated providing separate configuration for each running deamons and introducing a third running deamon now covering all usual SMTP ports 25 (qpsmtpd), 587 (new uqpsmtpd) and 465 (sqpsmtpd). Also SME11 provides a full systemd implementaiton of the services without runit. Softlimit has been increased from 50MB to 150MB.

Systemd Configuration

Some of the setting that were previously arranged using runit run script and multiple called script are all now present in systemd unit, with a dropin file to override default. The dropin file is templated

# /usr/lib/systemd/system/uqpsmtpd.service
[Unit]
Description=qpsmtpd on submission port
After=network.target network-online.target qpsmtpd.service

[Service]
Type=simple
LimitDATA=150000000
LimitSTACK=150000000
LimitMEMLOCK=150000000
Environment=PORT=587 INSTANCES=40 INSTANCES_PER_IP=5 QPSMTPD_CONFIG=/var/service/uqpsmtpd/config PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin TCPLOCALHOST=me
WorkingDirectory=/var/service/qpsmtpd/

ExecStartPre=/sbin/e-smith/service-status uqpsmtpd
ExecStartPre=/sbin/e-smith/systemd/qpsmtpd-init %N
ExecStart=/usr/bin/qpsmtpd-forkserver \
        -u qpsmtpd \
        -l 0.0.0.0 \
        -p $PORT \
        -c $INSTANCES \
        -m $INSTANCES_PER_IP
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=20s
SyslogIdentifier=uqpsmtpd

[Install]
WantedBy=sme-server.target

# /usr/lib/systemd/system/uqpsmtpd.service.d/50koozali.conf
#------------------------------------------------------------
#              !!DO NOT MODIFY THIS FILE!!
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
[Service]
LimitDATA=150000000
LimitSTACK=150000000
LimitMEMLOCK=150000000
Environment=
Environment=QPSMTPD_CONFIG=/var/service/uqpsmtpd/config PORT=587 INSTANCES=10 INSTANCES_PER_IP=5 PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin TCPLOCALHOST=sme11.example.com

Services folders

/var/service/qpsmtpd
/var/service/qpsmtpd/config
/var/service/qpsmtpd/config/dkim
/var/service/qpsmtpd/config/peers
/var/service/qpsmtpd/peers
/var/service/qpsmtpd/ssl
/var/service/sqpsmtpd
/var/service/sqpsmtpd/supervise
/var/service/sqpsmtpd/config
/var/service/sqpsmtpd/config/dkim -> ../../qpsmtpd/config/dkim
/var/service/sqpsmtpd/config/peers
/var/service/sqpsmtpd/peers
/var/service/qpsmtpd/ssl -> ../qpsmtpd/ssl
/var/service/uqpsmtpd
/var/service/uqpsmtpd/config
/var/service/uqpsmtpd/config/dkim -> ../../qpsmtpd/config/dkim
/var/service/uqpsmtpd/config/peers
/var/service/uqpsmtpd/peers
/var/service/qpsmtpd/ssl -> ../qpsmtpd/ssl

Properties in configuration db

x: use the value of qpsmtpd key property for this key too.
property qpsmtpd sqpsmtpd uqpsmtpd information
Authentication enabled enabled enabled
Bcc disabled x x
BccMode cc x x
BccUser maillog x x
DNSBL disabled x x
Instances 40 10 10
InstancesPerIP 5 5 5
LogLevel 6 x x
MaxScannerSize 25000000 x x
MaximumDateOffset 0 x x
PatternsScan disabled x x
Proxy blocked x x
RBLList bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org x x
RHSBL disabled x x
RelayRequiresAuth enabled x x
SoftLimit 150000000 150000000 150000000
SBLList multi.surbl.org,black.uribl.com,rhsbl.sorbs.net x x
TCPPort 25 465 587
TCPProxyPort 25 x x
TlsBeforeAuth 1 1 (hardcoded) 1 (hardcoded)
UBLList multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net x x
URIBL disabled x x
VirusScan enabled x x
access public public public
qplogsumm disabled x x
status enabled enabled enabled
tnef2mime enabled x x
KarmaNegative (2)
KarmaStrikes (3)
HeloPolicy (lenient)[lenient | rfc | strict]
MaximumDateOffset (0)
MaxLoad (7)
SPFRejectPolicy (0)[0-4]
DMARCReject (disabled)[enabled|disabled]
DMARCReporting (enabled)[enabled|disabled]
disclaimer (disabled)[enabled|disabled]

Config files

template: is templated individually ; metadata: use another template via a metadata file.
config file qpsmtpd sqpsmtpd uqpsmtpd plugin related properties information
badhelo template metadata metadata helo
badmailfrom template metadata metadata badmailfrom

badmailfromto

badrcptto

badrcptto template metadata metadata badrcptto

check_goodrcptto

fixed output
badrcptto_ext template metadata metadata badrcptto hide emails when db accounts setprop ACCOUNT Visible internal
dkim folder folder folder not in use
dnsbl_allow template metadata metadata dnsbl
dnsbl_zones template metadata metadata dnsbl

per_user_config

$qpsmtpd{RBLList}
forcespamcheck template metadata metadata forcespamcheck empty file, plugin set in peers
goodrcptto template metadata metadata check_goodrcptto
invalid_resolvable_fromhost template metadata metadata resolvable_fromhost fixed output
IP template metadata metadata IP for tcpserver to bind to , 0 for all, fixed to 0
loglevel template metadata metadata logterse (...) $qpsmtpd{LogLevel}
memory_threshold template metadata metadata fixed to 1
norelayclients template metadata metadata relay $GatewayIP if set
peers folder folder folder peers see peers section
plugin_dirs template metadata metadata fixed output /usr/share/qpsmtpd/plugins
plugins x x x x x has a copy of peers fragments, hidden by metadata
relayclients template metadata : to remove? metadata: to remove? greylisting

relay

spamassassin

IP allowed for relay without auth
rhsbl_zones template metadata metadata rhsbl $qpsmtpd{SBLList}
signatures_patterns template metadata metadata uses db mailpatterns
smtpgreeting template metadata metadata $qpsmtpd{Greeting} default to host.domain
spool_dir template metadata metadata fixed output /var/spool/qpsmtpd
spool_perms x x x file, do not alter
subject_prefix template metadata metadata $spamassassin{Subject}
timeout template metadata metadata $qpsmtpd{timeout} 120 as default
timeoutsmtpd template metadata metadata $qpsmtpd{timeoutsmtpd} 120 as default
tls_before_auth template template template $qpsmtpd{TlsBeforeAuth} hardcoded for uqpsmtpd and sqpsmtpd
tls_ciphers template template template tls $qpsmtpd{TlsBeforeAuth}

$sqpsmtpd{TlsBeforeAuth}

$uqpsmtpd{TlsBeforeAuth}

sqpsmtpd default to uqpsmtpd

global default is $modSSL{CipherSuite}

tls_protocols template template template tls SSLv2, SLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 TLS1.2 minimum for uqpsmtpd and sqpsmtpd

TLS1.1 minimum for qpsmtpd

properties are set individually for each service

uribl_zones template metadata metadata $qpsmtpd{UBLList}

Peer plugin configuration

SME Server uses a plugin call peers, that set the plugins used depending on the client IP, i.e. 2 configurations are presents one for LAN and another for WAN.

X for not present/overriden
plugin config qp local qp 0 sqp /uqp

local

sqp/uqp

0

TODO
00setup set bounce_unknown_user
02logterse logging/logterse
04tls tls ssl/cert.pem ssl/cert.pem ssl/cert.pem ssl/dhparam.pem
05auth_cvm_unix_local To remove
06auth_imap auth/auth_imap 127.0.0.1 143
09karma karma negative $negative strikes $strikes reject naughty db_dir /var/lib/qpsmtpd/karma X X enabled by default ?
10earlytalker earlytalker X X add wait and check-at [ CONNECT | DATA ] options
11bogus_bounce bogus_bounce
12count_unrecognized_commands count_unrecognized_commands 4 X X
13bcc bcc mode $qpsmtpd{BccMode} all $user add possibility to set direction (all/incoming/outgoing)
14relay relay should we remove from 465 and 581 or set RELAY ONLY ?
15helo helo policy { $qpsmtpd{HeloPolicy} || 'lenient' } reject naughty X X
16resolvable_fromhost resolvable_fromhost X X
17headers headers future $days past $days" if ($days)
19loadcheck loadcheck max_load { $qpsmtpd{MaxLoad} || '7' } X X
20rhsbl rhsbl X X
221spf sender_permitted_from reject 1 no_dmarc_policy { $qpsmtpd{SPFRejectPolicy} || '0' } X X change default to 1
222dkim dkim reject 0
223dmarc marc reject { (( $qpsmtpd{DMARCReject} || 'disabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' } reporting { (( $qpsmtpd{DMARCReporting} || 'enabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' } X X
22dnsbl dnsbl reject naughty X X
23naughty naughty reject mail X X
24uribl uribl action deny
30badmailfrom badmailfrom
34badrcptto badrcptto X X
34badrcptto_ext badrcptto more_badrcptto badrcptto_ext X X
37check_smtp_forward check_smtp_forward needed for submission ?
38check_goodrcptto check_goodrcptto extn -
39rcpt_ok rcpt_ok
62pattern_filter virus/pattern_filter check=patterns action=deny
62tnef2mime tnef2mime
65disclaimer disclaimer X X missing disclaimer_file definition?
70spamassassin spamassassin reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize} X X
71forcespamcheck forcespamcheck reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize} X X
80clamav virus/clamdscan scan_all yes clamd_socket /run/clamd/clamd.socket defer_on_error yes max_size $max_size
90queue-qmail-queue queue/qmail-queue also content commented to remove ?
90queue-smtp-forward # commented out

Upgrade Considerations

we used check_badcountries for a while, but could we switch back to ident/geoip ?

whitelist plugin : adding the ip-range whitelist; add login of ip

A-Record DNSBL Services

Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record. The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database. In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma.
You can now configure b.barracudacentral.org using (note the single quotes):
config setprop qpsmtpd RBLList server1,server2,'b.barracudacentral.org:Blocked - see <http://bbl.barracudacentral.com/q.cgi?ip=%IP%>'

DKIM & DMARC

DKIM & DMARC are now supported natively by SME Server. To enable these you will need to configure appropriate DNS records in your public DNS server.
There are forum reports of problems for users who had DKIM enabled using the DKIM contrib.

URIBL

qpsmtpd now supports URIBL - the ability to block emails that contain known malicious URLs within the body of the email. This service is disabled by default.
Enable URIBL with the default services using:
config setprop qpsmtpd URIBL enabled
  signal-event email-update
Note: If your SME server is using high traffic external DNS forwarders like google (8.8.8.8 / 8.8.4.4), opendns (208.67.222.222 / 208.67.220.220), or any large ISP's (Cox, Comcast, Verizon), enabling URIBL may block all incoming email. This will only affect you if you have configured a DNS forwarder in server-manager -- a default SME server installation does its own direct DNS lookups and would not be affected unless you receive over 250,000 emails per day.
Read more at http://uribl.com/refused.shtml

"Naughty" plugin

SME Server is now using the 'naughty' plugin which allows early plugins like dnsbl, earlytalker, etc to indicate that the email should be rejected at a later point in the interaction. This allows the server to log extra information for denied emails. Specifically, emails denied by dnsbl will now show the sender and recipient email addresses in the qpsmtpd log

Plugins

Below is a list of all the plugins from /usr/share/qpsmtpd/plugins on a freshly updated SME 9.2 server.

+ New in SME 11
* Improved or changed in SME 9.2
U Unused (by default) in SME Server
E Extra / External Configuration Required
CW Contrib or Wiki page exists that uses this plugin
SM Can be configured using server-manager
DB Can be configured using db variables

X Provided by a contrib, not in qpsmtpd git
AC Auto-configured by SME Server


Retrieved from "https://wiki.koozali.org/index.php?title=Qpsmtpd/sme11&oldid=42937"