smtpd – SMTP listener configuration
implements the slave side of the SMTP protocol
to accept incoming mail on TCP port 25.
are sufficient for internal systems
on protected networks, but external or
gateway systems require additional
containing configuration parameters,
banished addresses, provide the means to
exercise these facilities.
In both files input lines
consist of a verb followed by one or more
parameters. These tokens are separated by white space or
commas and all characters following a
are comments. A
cannot be escaped. Continuation lines are
not supported, but verbs that take multiple parameters
can be restated on many lines and the associated
parameters accumulate into a single set.
All token processing is case-insensitive.
Many parameters are
either numeric IP addresses in CIDR notation
in UUCP-style format.
An IP address in CIDR notation has the form
consisting of a four octet IP address, a slash,
specifying the number of significant high-order bits.
The lower the mask length, the larger the
range of addresses covered by the CIDR address;
see RFC 1878 for a discussion of mask lengths.
Missing low-order octets are assumed to be zero.
If a mask length is not given, a mask length of
16, 24, or 32 is assumed for addresses containing
two, three, or four octets, respectively. These
mask lengths select a class B, class C or Class D
address block. Notice that this convention differs
from the standard treatment, where the default mask length
depends on the allocation class of the network
block containing the address.
are specified in UUCP notation as
It is seldom necessary to specify more than one domain.
is missing or
the address selects the specified user in all domains.
of the form
selects the domain and all of its sub-domains.
only matches the account
selects that account in
and all of its sub-domains.
is omitted or
the address selects all users in the specified domain.
is the last character of the user name it is a wild-card
matching all user names beginning with
This limited pattern matching capability should be used with care.
For safety, the sender addresses
This file contains configuration options
and parameters describing the local domain.
Many of the options can also be specified on the command
line; command line options always override the values in
Configuration options are:
The name of the local domain; it is appended to addresses
lacking a domain qualification.
This is identical to the
command line option.
is specified, relaying is prohibited
from unauthorized networks to external domains.
Authorized networks and domains must be specified
verbs described below. Setting this option on is equivalent to specifying the
command line flag, but the list of
networks and domains can only be specified in
verifies that the first domain of the sender’s address
exists. The test is cursory; it checks only that
there is a DNS delegation for the domain.
Setting the option on is equivalent to specifying the
command line option and
is useful for detecting some unreturnable
messages as well as messages with randomly
generated domain names.
causes copies of blocked messages to be saved
in subdirectories of
Directories are named with the date and file names
are random numbers.
If this option is
blocked messages are discarded.
Setting this option on is equivalent to specifying the
command line option.
ournets IP address [, IP address, ..., IP address]
This option specifies trusted
source networks that are allowed to relay mail to external domains.
These are usually the internal networks of the local domain, but they
can also include friendly
external networks. Addresses
are in CIDR notation.
ourdomains domain [, domain, ..., domain]
This option specifies destination domains that are allowed
to receive relayed mail. These are usually the domains
served by a gateway system.
Domain specifications conform to the format
for sender addresses given above.
option is enabled or the
command line option given,
relaying is allowed only if the source IP address is in
or the destination domain is specified in
for a list of banned addresses.
Messages received from these addresses are
rejected with a 5xx-series SMTP error code.
There is no option
to turn blocking on or off; if
will use it, even for connections from trusted networks.
The command line format and address specifications
conform to the notation described above. If the parameters
of the verb is sender addresses in UUCP format, the line
must begin with an
character; if the parameters are one or more IP addresses,
must precede the verb. Most
verbs cause messages to be rejected; verbs
of this class generally select different error
messages. The remaining verbs specify addresses that
are always accepted, in effect overriding blocked addresses.
The file is processed in order, so an override must
precede its associated blocked address.
Supported verbs are:
dial IP address [,..., IP address]
The parameters are IP addresses associated with
dial-up ports. The rejection message states
that connections from dial-up ports are not accepted. Copies
of messages are never saved.
block address [, ... address]
Messages from addresses
matching the parameters
are rejected with an error message saying
that spam is not accepted. The message is saved if
the option is enabled.
relay address [, ... address]
This verb is identical to
but the error message states that
the message is rejected because the sending
system is being used as a spam relay.
deny address [, ... address]
command rejects a message when the
sender address matches one of its parameters.
The rejection message asks the sender to
for further information.
This verb is usually used to block
inadvertently abusive traffic, for example,
mail loops and stuck senders. Messages are
allow address [, ... address]
verb negates the effect of subsequent blocking commands.
It is useful when a large range of addresses contains
a few legitimate addresses, for example, when
a mail server is in a Class C network block
of modem ports. Rather than enumerate the dial ports, it is
easier to block the entire Class C with a
command, and precede it with an override for
the address of the mail server. Similarly,
it is possible to block mail from an entire
domain while accepting mail from a few friendly
senders in the domain.
is a synonym for
describes spam detection
software that works well with
the capabilities described here
command line arguments applicable
to exposed systems.