Line 254: |
Line 254: |
| |x | | |x |
| |x | | |x |
| + | | |
| + | |- |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |KarmaNegative |
| + | |(2) |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |KarmaStrikes |
| + | |(3) |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |HeloPolicy |
| + | |<nowiki>(lenient)[lenient | rfc | strict]</nowiki> |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |MaximumDateOffset |
| + | |(0) |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |MaxLoad |
| + | |(7) |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |SPFRejectPolicy |
| + | |(0)[0-4] |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |DMARCReject |
| + | |<nowiki>(disabled)[enabled|disabled]</nowiki> |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |DMARCReporting |
| + | |<nowiki>(enabled)[enabled|disabled]</nowiki> |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |disclaimer |
| + | |<nowiki>(disabled)[enabled|disabled]</nowiki> |
| + | | |
| + | | |
| | | | | |
| |} | | |} |
Line 502: |
Line 562: |
| $uqpsmtpd{TlsBeforeAuth} | | $uqpsmtpd{TlsBeforeAuth} |
| |sqpsmtpd default to uqpsmtpd | | |sqpsmtpd default to uqpsmtpd |
− | global default is $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' | + | global default is $modSSL{CipherSuite} |
| |- | | |- |
| |tls_protocols | | |tls_protocols |
Line 521: |
Line 581: |
| | | | | |
| |$qpsmtpd{UBLList} | | |$qpsmtpd{UBLList} |
| + | | |
| + | |} |
| + | |
| + | ==Peer plugin configuration== |
| + | SME Server uses a plugin call peers, that set the plugins used depending on the client IP, i.e. 2 configurations are presents one for LAN and another for WAN. |
| + | {| class="wikitable" |
| + | |+ |
| + | X for not present/overriden |
| + | !plugin |
| + | !config |
| + | !qp local |
| + | !qp 0 |
| + | !sqp /uqp |
| + | local |
| + | !sqp/uqp |
| + | 0 |
| + | !TODO |
| + | |- |
| + | |00setup |
| + | |set bounce_unknown_user |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |02logterse |
| + | |logging/logterse |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |04tls |
| + | |tls ssl/cert.pem ssl/cert.pem ssl/cert.pem ssl/dhparam.pem |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |05auth_cvm_unix_local |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |To remove |
| + | |- |
| + | |06auth_imap |
| + | |auth/auth_imap 127.0.0.1 143 |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |09karma |
| + | |karma negative $negative strikes $strikes reject naughty db_dir /var/lib/qpsmtpd/karma |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | |enabled by default ? |
| + | |- |
| + | |10earlytalker |
| + | |earlytalker |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | |<nowiki>add wait and check-at [ CONNECT | DATA ] options</nowiki> |
| + | |- |
| + | |11bogus_bounce |
| + | |bogus_bounce |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |12count_unrecognized_commands |
| + | |count_unrecognized_commands 4 |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | | |
| + | |- |
| + | |13bcc |
| + | |bcc mode $qpsmtpd{BccMode} all $user |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |add possibility to set direction (all/incoming/outgoing) |
| + | |- |
| + | |14relay |
| + | |relay |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |should we remove from 465 and 581 or set RELAY ONLY ? |
| + | |- |
| + | |15helo |
| + | |<nowiki>helo policy { $qpsmtpd{HeloPolicy} || 'lenient' } reject naughty</nowiki> |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | | |
| + | |- |
| + | |16resolvable_fromhost |
| + | |resolvable_fromhost |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | | |
| + | |- |
| + | |17headers |
| + | |headers future $days past $days" if ($days) |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |19loadcheck |
| + | |<nowiki>loadcheck max_load { $qpsmtpd{MaxLoad} || '7' }</nowiki> |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | | |
| + | |- |
| + | |20rhsbl |
| + | |rhsbl |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | | |
| + | |- |
| + | |221spf |
| + | |<nowiki>sender_permitted_from reject 1 no_dmarc_policy { $qpsmtpd{SPFRejectPolicy} || '0' }</nowiki> |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | |change default to 1 |
| + | |- |
| + | |222dkim |
| + | |dkim reject 0 |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |223dmarc |
| + | |<nowiki>marc reject { (( $qpsmtpd{DMARCReject} || 'disabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' } reporting { (( $qpsmtpd{DMARCReporting} || 'enabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' }</nowiki> |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | | |
| + | |- |
| + | |22dnsbl |
| + | |dnsbl reject naughty |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | | |
| + | |- |
| + | |23naughty |
| + | |naughty reject mail |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | | |
| + | |- |
| + | |24uribl |
| + | |uribl action deny |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |30badmailfrom |
| + | |badmailfrom |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |34badrcptto |
| + | |badrcptto |
| + | | |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | |- |
| + | |34badrcptto_ext |
| + | |badrcptto more_badrcptto badrcptto_ext |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | | |
| + | |- |
| + | |37check_smtp_forward |
| + | |check_smtp_forward |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |needed for submission ? |
| + | |- |
| + | |38check_goodrcptto |
| + | |check_goodrcptto extn - |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |39rcpt_ok |
| + | |rcpt_ok |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |62pattern_filter |
| + | |virus/pattern_filter check=patterns action=deny |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |62tnef2mime |
| + | |tnef2mime |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |65disclaimer |
| + | |disclaimer |
| + | | |
| + | |X |
| + | | |
| + | |X |
| + | |missing disclaimer_file definition? |
| + | |- |
| + | |70spamassassin |
| + | |spamassassin reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize} |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | | |
| + | |- |
| + | |71forcespamcheck |
| + | |forcespamcheck reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize} |
| + | | |
| + | |X |
| + | | |
| + | |X |
| + | | |
| + | |- |
| + | |80clamav |
| + | |virus/clamdscan scan_all yes clamd_socket /run/clamd/clamd.socket defer_on_error yes max_size $max_size |
| + | | |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |- |
| + | |90queue-qmail-queue |
| + | |queue/qmail-queue |
| + | | |
| + | | |
| + | | |
| + | | |
| + | |also content commented to remove ? |
| + | |- |
| + | |90queue-smtp-forward |
| + | |# commented out |
| + | | |
| + | | |
| + | | |
| + | | |
| | | | | |
| |} | | |} |
| | | |
| ==Upgrade Considerations== | | ==Upgrade Considerations== |
| + | we used check_badcountries for a while, but could we switch back to ident/geoip ? |
| + | |
| ===A-Record DNSBL Services=== | | ===A-Record DNSBL Services=== |
| :Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record. The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database. In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma. | | :Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record. The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database. In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma. |