3,250
edits
Changes
Jump to navigation
Jump to search
Line 254:
Line 254: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 502:
Line 562: − + Line 521:
Line 581: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
→Upgrade Considerations
|x
|x
|x
|x
|
|-
|
|
|
|
|
|-
|KarmaNegative
|(2)
|
|
|
|-
|KarmaStrikes
|(3)
|
|
|
|-
|HeloPolicy
|<nowiki>(lenient)[lenient | rfc | strict]</nowiki>
|
|
|
|-
|MaximumDateOffset
|(0)
|
|
|
|-
|MaxLoad
|(7)
|
|
|
|-
|SPFRejectPolicy
|(0)[0-4]
|
|
|
|-
|DMARCReject
|<nowiki>(disabled)[enabled|disabled]</nowiki>
|
|
|
|-
|DMARCReporting
|<nowiki>(enabled)[enabled|disabled]</nowiki>
|
|
|
|-
|disclaimer
|<nowiki>(disabled)[enabled|disabled]</nowiki>
|
|
|
|
|}
|}
$uqpsmtpd{TlsBeforeAuth}
$uqpsmtpd{TlsBeforeAuth}
|sqpsmtpd default to uqpsmtpd
|sqpsmtpd default to uqpsmtpd
global default is $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
global default is $modSSL{CipherSuite}
|-
|-
|tls_protocols
|tls_protocols
|
|
|$qpsmtpd{UBLList}
|$qpsmtpd{UBLList}
|
|}
==Peer plugin configuration==
SME Server uses a plugin call peers, that set the plugins used depending on the client IP, i.e. 2 configurations are presents one for LAN and another for WAN.
{| class="wikitable"
|+
X for not present/overriden
!plugin
!config
!qp local
!qp 0
!sqp /uqp
local
!sqp/uqp
0
!TODO
|-
|00setup
|set bounce_unknown_user
|
|
|
|
|
|-
|02logterse
|logging/logterse
|
|
|
|
|
|-
|04tls
|tls ssl/cert.pem ssl/cert.pem ssl/cert.pem ssl/dhparam.pem
|
|
|
|
|
|-
|05auth_cvm_unix_local
|
|
|
|
|
|To remove
|-
|06auth_imap
|auth/auth_imap 127.0.0.1 143
|
|
|
|
|
|-
|09karma
|karma negative $negative strikes $strikes reject naughty db_dir /var/lib/qpsmtpd/karma
|X
|
|X
|
|enabled by default ?
|-
|10earlytalker
|earlytalker
|X
|
|X
|
|<nowiki>add wait and check-at [ CONNECT | DATA ] options</nowiki>
|-
|11bogus_bounce
|bogus_bounce
|
|
|
|
|
|-
|12count_unrecognized_commands
|count_unrecognized_commands 4
|X
|
|X
|
|
|-
|13bcc
|bcc mode $qpsmtpd{BccMode} all $user
|
|
|
|
|add possibility to set direction (all/incoming/outgoing)
|-
|14relay
|relay
|
|
|
|
|should we remove from 465 and 581 or set RELAY ONLY ?
|-
|15helo
|<nowiki>helo policy { $qpsmtpd{HeloPolicy} || 'lenient' } reject naughty</nowiki>
|X
|
|X
|
|
|-
|16resolvable_fromhost
|resolvable_fromhost
|X
|
|X
|
|
|-
|17headers
|headers future $days past $days" if ($days)
|
|
|
|
|
|-
|19loadcheck
|<nowiki>loadcheck max_load { $qpsmtpd{MaxLoad} || '7' }</nowiki>
|X
|
|X
|
|
|-
|20rhsbl
|rhsbl
|X
|
|X
|
|
|-
|221spf
|<nowiki>sender_permitted_from reject 1 no_dmarc_policy { $qpsmtpd{SPFRejectPolicy} || '0' }</nowiki>
|X
|
|X
|
|change default to 1
|-
|222dkim
|dkim reject 0
|
|
|
|
|
|-
|223dmarc
|<nowiki>marc reject { (( $qpsmtpd{DMARCReject} || 'disabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' } reporting { (( $qpsmtpd{DMARCReporting} || 'enabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' }</nowiki>
|X
|
|X
|
|
|-
|22dnsbl
|dnsbl reject naughty
|X
|
|X
|
|
|-
|23naughty
|naughty reject mail
|X
|
|X
|
|
|-
|24uribl
|uribl action deny
|
|
|
|
|
|-
|30badmailfrom
|badmailfrom
|
|
|
|
|
|-
|34badrcptto
|badrcptto
|
|X
|
|X
|
|-
|34badrcptto_ext
|badrcptto more_badrcptto badrcptto_ext
|X
|
|X
|
|
|-
|37check_smtp_forward
|check_smtp_forward
|
|
|
|
|needed for submission ?
|-
|38check_goodrcptto
|check_goodrcptto extn -
|
|
|
|
|
|-
|39rcpt_ok
|rcpt_ok
|
|
|
|
|
|-
|62pattern_filter
|virus/pattern_filter check=patterns action=deny
|
|
|
|
|
|-
|62tnef2mime
|tnef2mime
|
|
|
|
|
|-
|65disclaimer
|disclaimer
|
|X
|
|X
|missing disclaimer_file definition?
|-
|70spamassassin
|spamassassin reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize}
|X
|
|X
|
|
|-
|71forcespamcheck
|forcespamcheck reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize}
|
|X
|
|X
|
|-
|80clamav
|virus/clamdscan scan_all yes clamd_socket /run/clamd/clamd.socket defer_on_error yes max_size $max_size
|
|
|
|
|
|-
|90queue-qmail-queue
|queue/qmail-queue
|
|
|
|
|also content commented to remove ?
|-
|90queue-smtp-forward
|# commented out
|
|
|
|
|
|
|}
|}
==Upgrade Considerations==
==Upgrade Considerations==
we used check_badcountries for a while, but could we switch back to ident/geoip ?
===A-Record DNSBL Services===
===A-Record DNSBL Services===
:Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record. The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database. In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma.
:Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record. The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database. In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma.