summaryrefslogtreecommitdiff
path: root/man/qmail-smtpd.8
diff options
context:
space:
mode:
authorJannis Hoffmann <jannis@fehcom.de>2024-07-03 15:48:04 +0200
committerJannis Hoffmann <jannis@fehcom.de>2024-07-03 15:48:04 +0200
commit89b7b67a13ebb7965cc7f13ad0595e2194a2d34c (patch)
tree25efd77a90ae87236e6730d8ea3846bbe0fd126f /man/qmail-smtpd.8
add sqmail-4.2.29asqmail-4.2
Diffstat (limited to 'man/qmail-smtpd.8')
-rw-r--r--man/qmail-smtpd.81013
1 files changed, 1013 insertions, 0 deletions
diff --git a/man/qmail-smtpd.8 b/man/qmail-smtpd.8
new file mode 100644
index 0000000..951b0a7
--- /dev/null
+++ b/man/qmail-smtpd.8
@@ -0,0 +1,1013 @@
+.TH s/qmail: qmail-smtpd 8
+.SH "NAME"
+qmail-smtpd \- receive mail via SMTP
+.SH "SYNOPSIS"
+.B qmail-smtpd
+[
+.I checkprogram
+.I subprogram
+]
+.SH "DESCRIPTION"
+.B qmail-smtpd
+receives mail messages via the Simple Mail Transfer Protocol (SMTP)
+and invokes
+.B qmail-queue
+to deposit them into the outgoing queue.
+.B qmail-smtpd
+must be supplied with several environment variables;
+see
+.BR tcp-environ(5) .
+
+.B qmail-smtpd
+is responsible for counting hops.
+It rejects any message with 100 or more
+.B Received
+or
+.B Delivered-To
+header fields.
+
+.B qmail-smtpd
+supports ESMTP and offers 8BITMIME, DATA, PIPELINING, SIZE, AUTH, STARTTLS, and SMTPUTF8 options.
+.B qmail-smtpd
+includes a 'Mail From:' parameter parser and obeys 'Auth', 'Size', and 'SMTPUTF8' advertisements.
+.B qmail-smtpd
+supports SMTPUTF8 SMTP envelope addresses and provides 8 bit clean message transmission.
+.B qmail-smtpd
+STARTTLS and SMTPS implementation requires the use of
+.B sslserver
+from ucspi-ssl.
+
+Authentication is facilitated in case the environment variable
+SMTPAUTH is set which tells
+.B qmail-smtpd
+to accept LOGIN, PLAIN, and eventually CRAM-MD5 Auth types
+and if additionally a PAM
+.I checkprogram
+is available which reads on file descriptor 3 the username, a 0 byte,
+the password or CRAM-MD5 digest/response derived from the SMTP client,
+another 0 byte, a CRAM-MD5 challenge (if applicable to the Auth type),
+and a final 0 byte.
+.I checkprogram
+invokes
+.I subprogram
+upon successful authentication, which should return 0 to
+.BR qmail-smtpd ,
+effectively setting the environment variables RELAYCLIENT and
+TCPREMOTEINFO or TCP6REMOTEINFO
+(any supplied value replaced with the authenticated username).
+.B qmail-smtpd
+will reject the authentication attempt if it receives a nonzero return
+value from
+.I checkprogram
+or
+.IR subprogram .
+
+STARTTLS support is enabled setting the environment variable UCSPITLS.
+In this case,
+.B qmail-smtpd
+communicates with the
+.B sslserver
+program interface through a control socket, a reading and a writing pipe, dynamically
+defined during the session start to be used for transport layer encryption.
+.B qmail-smtpd
+provides mutual authentication based on X.509 client certs and relaying
+with additional SMTP Return-Path validation.
+
+.B qmail-smtpd
+may employ additional DNS look-ups for the 'Mail From:' envelope sender
+address and/or the HELO/EHLO greeting string from the MTA client.
+
+.B qmail-smtpd
+implements a SPF record check for the domain part of the received
+.I Mail-From:\ <return-path>
+address or
+the
+.I HELO/EHLO
+statement in case the domain information is missing.
+This behavior is triggered by the environment variable
+.BR SPF .
+
+.B qmail-smtpd
+can be advised to communicate with a Greylisting server prior of acceptance, like
+.BR postgrey ,
+submitting the connection information
+.IR Mail\ From: ,
+.IR Rcpt\ To: ,
+.IR TCPREMOTEIP
+and
+.I TCPREMOTEHOST
+given its IPv4/IPv6 address as environment variable
+.IR POSTGREY
+and potentially including the port number (60000 is default)
+following the IP address separated by a semi-colon.
+For IPv6 LLU addresses the interface name followwing a percent sign can be included:
+.IR fe80::1%eth0;60000 .
+A return value of
+.I 10
+will advise
+.B qmail-smtpd
+to defer the SMTP connection providing a
+.I 450\ greylisted\ (#4.3.0)
+response to the connecting MTA, which can be tailored (see below).
+This mechanism shall not be used for SMTP connections on the
+.I Submission
+port.
+Setting
+.I POSTGREY='-'
+disables the lookup.
+
+.SH "TRANSPARENCY"
+.B qmail-smtpd
+converts the SMTP newline convention into the UNIX newline convention
+by converting CR LF into LF.
+Usually, it returns a temporary error and drops the connection on bare LFs.
+
+.B qmail-smtpd
+accepts messages that contain long lines or non-ASCII characters
+and thus is initially capable for SMTPUTF8 support.
+
+.SH "CONTROL FILES"
+.TP 5
+.IR badhelo
+Unacceptable HELO/EHLO greeting strings.
+.B qmail-smtpd
+will reject every connection attempt
+if the client MTA's HELO/EHLO greeting compares with
+a wildmat pattern provided in
+.IR badhelo
+in case the environment variable
+.B HELOCHECK
+is set.
+.IR badhelo
+checks have precedence over DNS lookups.
+DNS lookups can be avoided, if the announced
+HELO/EHLO greeting string is concatinated
+with a trailing '!' and included in
+.IR badhelo :
+
+.EX
+ localhost
+ localhost.localdomain
+ 127.0.0.1
+ mygreetingstring
+ [192.168.1.2]!
+.EE
+
+.TP 5
+.I badmailfrom
+Unacceptable envelope sender addresses.
+.B qmail-smtpd
+will reject every recipient address for a message
+if the envelope sender address is listed in
+.IR badmailfrom .
+A line in
+.I badmailfrom
+may be of the form
+.BR @\fIhost ,
+meaning every address at
+.IR host .
+Additionally, any envelope sender address can be filtered
+with a wildmat check:
+
+.EX
+ *@earthlink.net
+ !fred@earthlink.net
+ [0-9][0-9][0-9][0-9][0-9]@[0-9][0-9][0-9].com
+ answerme@save*
+ *%*
+ @yahoo.com-
+ @hotmail.com=
+ @mydomain.tld+
+ ~yahoo.com
+ ?nobody@example.com
+.EE
+
+A
+.I badmailfrom
+file with this contents reject all mail from Earthlink except from
+fred@earthlink.net. It also rejects all mail with addresses like:
+12345@123.com and answerme@savetrees.com. Further, any mail with
+a sender address containing a percent sign (%) is rejected.
+
+This implementation recognises 'extended' addresss in
+.I badmailfrom
+allowing to reject mails with particluar spoofed domain addresses:
+
+(1) The address is appended with a '-'.
+Now, if
+.I TCP(6)REMOTEHOST
+equals 'unknown', mails with the corresponding address are rejected
+(badmailfromunknown).
+
+(2) The address is appended with a '='.
+In case
+.I TCP(6)REMEOTEHOST
+is set mails, whose domain part of the envelope addresses
+.B not
+matching
+the corresponding entry are rejected (badmailfromwellknown).
+
+(3) The address is appended with a '+'.
+If
+.I RELAYCLIENT
+is not set and the sender address matches a corresponding entry
+(anti-spoofing for internal addresses).
+
+(4) The address is enhanced with a leading '~'.
+This requires a (left to right partial) matching of
+.I TCP(6)REMOTEHOST
+with the domain part of the envelope address.
+Thus, this specific entry in
+.I badmailfrom
+uses
+.I TCP(6)REMOTEHOST
+in the first place (badmailfrommismachteddomains).
+
+(5) The address is enhanced with a leading '?'.
+Emails with the corresponding sender address pass by all further
+.I badmailfrom
+tests including the
+.I MFDNSCHECK
+check.
+
+Note: The 'enhanced' addresses are not subject of the wildmat check
+and are evaluated in lower-case.
+
+The wildmat check is done in the order:
+Least significant to most significant.
+Example:
+
+.EX
+ *
+ !
+ !*@*.*
+ *viagra*
+.EE
+
+.TP 5
+.I badloadertypes.cdb
+Unacceptable base64 loader types in the message.
+.B qmail-smtpd
+will reject every message if 5 significant
+characters (eg.
+.BR Mi5kb)
+anyware in the base64 encoded attachment is identical
+to those compiled into
+.IR badloadertypes.cdb .
+Use
+.B qmail-badloadertypes
+to derive
+.I badloadertypes.cdb
+from
+.IR badloadertypes .
+In order to make the search efficient, all bad loader
+types have to start with the same character (eg. 'M').
+The control file
+.I badloadertypes.cdb
+is evaluated if the environment variable BADLOADERTYPE
+is set to the first character according to the contents of
+.IR badloadertypes .
+.TP
+.I badmimetypes.cdb
+Unacceptable base64 encoded MIME types in message.
+.B qmail-smtpd
+will reject every message if the first 9 significant
+characters (eg.
+.BR TVqQAAMAA )
+of any of it's embedded MIME types is identical with one
+compiled into
+.IR badmimetypes.cdb .
+Use
+.B qmail-badmimetypes
+to derive
+.I badmimetypes.cdb
+from
+.IR badmimetypes .
+The control file
+.I badmimetypes.cdb
+is evaluated if the environment variable
+.I BADMIMETYPE
+is set.
+In addition, irregular BASE64 attachments carrying whitespaces can
+be rejected defining
+.IR BADMIMETYPE='!' .
+.TP 5
+.I badrcptto
+Unacceptable envelope recipient addresses.
+.B qmail-smtpd
+will reject every incoming message
+if the envelope recipient address is listed in
+.IR badrcptto .
+This control file is complementary to
+.IR badmailfrom .
+A line in
+.I badrcptto
+may be of the form
+.BR @\fIhost ,
+meaning every address at
+.IR host .
+.I badrcptto
+employes the same filtering logic for the envelope recipient as
+.IR badmailfrom .
+Effectively,
+.IR badrcptto
+allows a 'whitelisting' of envelope recipient addresses:
+
+.EX
+ *
+ !user1@mydomain.com
+ !user2@mydomain.com
+ !*@anotherdomain.com
+.EE
+
+.IR badrcptto
+allows to tag recipient addresses to be reachable from
+authorized clients only (aka relayclients), prepending it
+in
+.IR badrcptto
+with
+.IR + .
+
+.EX
+ +localaddress@mydomain.com
+.EE
+
+.TP 5
+.I databytes
+Maximum number of bytes allowed in a message,
+or 0 for no limit.
+Default: 0.
+If a message exceeds this limit,
+.B qmail-smtpd
+returns a permanent error code to the client;
+in contrast, if
+the disk is full or
+.B qmail-smtpd
+hits a resource limit,
+.B qmail-smtpd
+returns a temporary error code.
+
+.I databytes
+counts bytes as stored on disk, not as transmitted through the network.
+It does not count the
+.B qmail-smtpd
+Received line, the
+.B qmail-queue
+Received line, or the envelope.
+
+If the environment variable DATABYTES
+is set, it overrides
+.IR databytes .
+.TP 5
+.I localiphost
+Replacement host name for local IP addresses.
+Default:
+.IR me ,
+if that is supplied.
+.B qmail-smtpd
+is responsible for recognizing native IPv4/IPv6 addresses for the
+current host.
+When it sees a recipient address of the form
+.I box@[d.d.d.d]
+or
+.IR box@[a:b:c:d:e:f:g:h] ,
+where
+.I d.d.d.d
+or
+.IR a:b:c:d:e:f:g:h
+is a local IPv4/IPv6 address,
+it replaces
+.I [d.d.d.d]
+or
+.IR [a:b:c:d:e:f:g:h]
+with
+.IR localiphost .
+This is done before
+.IR rcpthosts .
+.TP 5
+.I morercpthosts
+Extra allowed RCPT domains.
+If
+.I rcpthosts
+and
+.I morercpthosts
+both exist,
+.I morercpthosts
+is effectively appended to
+.IR rcpthosts .
+
+You must run
+.B qmail-newmrh
+whenever
+.I morercpthosts
+changes.
+
+Rule of thumb for large sites:
+Put your 50 most commonly used domains into
+.IR rcpthosts ,
+and the rest into
+.IR morercpthosts .
+.TP 5
+.I mailfromrules
+Acceptable 'Mail From:' addresses for
+RELAYCLIENTs are included here. Use
+.B qmail-mfrules
+to derive
+.TP 5
+.I mailfromrules.cdb
+from
+.IR mailfromrules .
+.TP 5
+.I rcpthosts
+Allowed RCPT domains.
+If
+.I rcpthosts
+is supplied,
+.B qmail-smtpd
+will reject
+any envelope recipient address with a domain not listed in
+.IR rcpthosts .
+
+Exception:
+If the environment variable RELAYCLIENT is set,
+.B qmail-smtpd
+will ignore
+.IR rcpthosts ,
+and will append the value of RELAYCLIENT
+to each incoming recipient address.
+
+.I rcpthosts
+may include wildcards:
+
+.EX
+ heaven.af.mil
+ .heaven.af.mil
+.EE
+
+Envelope recipient addresses without @ signs are
+always allowed through.
+.TP 5
+.I recipients
+List of external resources providing acceptable,
+full-qualified envelope addresses
+(\'RCPT to: <recip@domain>\')
+to be used for recipient verification
+during the SMTP session.
+
+The external sources can be either
+.B fastforward
+compliant cdbs including the envelope addresses,
+where the path to a cdb has to be referenced
+relative to Qmail's home directory, or a
+.B qmail-users
+build cdb available as
+.IR users/assign.cdb ,
+or a
+.B checkpassword
+compatible Plugable Authentication Modules
+(PAM), receiving the envelope address on FD 3
+as 'recip@domain\\0\\0\\0' and returning '0'
+in a case of success and '1' in case of failure.
+The use of a PAM is indicated with a delimiting '|' and
+it will be called with up to five additional parameters;
+while a cdb follows a ':', which can be omitted.
+
+The list of external sources is consulted line-by-line for each
+recipient envelope address until the first positive answer,
+or a final negative response is encountered.
+Which external source to be queried, depends on the domain part of the
+recipient envelope address specified on the left side of the
+.I recipients
+file, while the external resource is provided right from the delimitor.
+
+The addresses' domain part is evaluated in lower-case.
+An exact domain match can be encompassed by means of a leading '@'.
+The '*' is a generic wildcard for all domains.
+Specific domains can be excluded from the lookup by means of a
+leading '!'; thus all recipient addresses are accepted for this domain.
+Additionally, a '!*' can be used as wildcard for all domains not encountered
+before in
+.I recipients
+(pass-thru).
+
+A
+.I recipients
+file is always constructed like 'domain:cdb','domain|pam',
+or simply 'cdb':
+
+.EX
+ !nocheck.com
+ mydomain.com:users/recipients.cdb
+ @mx.mydomain.com:=
+ example.com|bin/qmail-smtpam mx.example.com
+ *:etc/fastforward.cdb
+ *|PATH/ldapam ldapserver host port DN passwd
+ !*
+.EE
+
+.B qmail-smtpd
+will semi-automatically consult
+.I users/assign.cdb
+generated by
+.B qmail-newu
+in case the domain name is
+followed by a colon and the equal sign '='.
+Now, the received \'Rcpt to:\' address
+is compared against each local part address
+(starting with a '=') in
+.IR users/assign.cdb .
+However, no VERP addresses are considered,
+which are indicated therein via a '+'.
+
+Lagacy format:
+
+.EX
+ users/recipients.cdb
+ etc/fastforward.cdb
+.EE
+
+Note: Excluded domains starting with a '!'
+should be placed in the beginning of the
+.I recipients
+file for performance reasons, while the pass-thru
+statement '!*' has to be on the last line.
+The recipients check is applied after the
+.I rcpthosts
+evaluation.
+
+.B qmail-recipients
+may be used to construct a
+.I users/recipients.cdb
+from
+.IR users/recipients .
+
+The
+.B qmail-smtpd
+recipients mechanism supports Qmail's address extension (VERP).
+Unqualified envelope recipients are appended with \'@localhost\'.
+.TP 5
+.I smtpgreeting
+SMTP greeting message.
+Default:
+.IR me ,
+if that is supplied;
+otherwise
+.B qmail-smtpd
+will refuse to run.
+The first word of
+.I smtpgreeting
+should be the current host's name.
+.TP 5
+.I spfexplain
+An additional SPF explanation can be given here to provide more
+specific information for the sender in case of a reject.
+SPF macro expansion is possible. It will override the default one, e.g.:
+
+.EE
+See https://example.com/spfrules.html (#5.7.1)
+.EX
+.TP 5
+.I spflocalrules
+As 'last resort', it is possible to include SPF local rules here
+(on one line), that will be applied before other SPF rules would fail.
+This can be used to allow certain MX to send mails anyway. Example:
+
+.EE
+include:spf.trusted-forwarder.org
+.EX
+.TP 5
+.I timeoutsmtpd
+Number of seconds
+.B qmail-smtpd
+will wait for each new buffer of data from the remote SMTP client.
+Default: 1200.
+
+.SH "CONDITIONAL CONTROL FILES"
+The control files \fIrcpthosts\fR, \fImorecpthosts\fR,
+\fIrecipients\fR, \fIbadhelo\fR
+are 'conditional' control files and evaluated
+only if the environment variable RELAYCLIENT is not set.
+On the other hand,
+\fImailfromrules.cdb\fR is only taken into account, if
+RELAYCLIENT is set.
+This allows
+.B qmail-smtpd
+to relay mail messages from local clients and to filter
+mails with certain SMTP envelope conditions
+originating from particular clients ('Split Horizon').
+Other conditional control files are
+\fIbadloadertypes\fR,
+\fIbadmimetypes\fR
+which depend on the setting of the corresponding
+environment variables.
+
+Further, the control files \fIspfexplain\fR and
+\fIspflocalrules\fR are only evaluated if the
+environment variable
+.I SPF
+is defined and greater than 0 and
+.I RELAYCLIENT
+is not set.
+
+.SH "ENVIRONMENT VARIABLES READ"
+Environment variables may be defined globally in the
+.B qmail-smtpd
+startup script and/or individually as part of the
+.BR sslserver 's
+cdb database.
+The environment variables may be quoted ("variable", or 'variable') and
+in case of global use, have to be exported.
+.B qmail-smtpd
+supports the following legacy environment variables, typically
+provided by
+.B sslserver
+or
+.B tcpserver:
+.IR TCP(6)REMOTEIP ,
+.IR TCP(6)REMOTEHOST
+.IR TCP(6)REMOTEINFO
+and
+.IR TCPLOCALPORT
+as well as
+.IR RELAYCLIENT .
+Additionally,
+.B qmail-smtpd
+may use several environment variables for different purposes.
+.P
+Controlling the SMTP HELO/EHLO:
+.IP
+.TP 5
+.I HELOCHECK=''
+enables a check of the provided HELO/EHLO greeting against
+the content of the control file
+.IR badhelo .
+In case no HELO/EHLO greeting is given, SMTP
+connections can be rejected, if
+.I HELOCHECK='!'
+is set. Checks on the presence and the content of
+the HELO/EHLO greeting string is facilitated, setting
+.IR HELOCHECK='.' .
+To enforce the match of the HELO/EHLO greeting with
+the remote host's FQDN (
+.IR TCP(6)REMOTEHOST ),
+use
+.IR HELOCHECK='=' .
+.TP 5
+.I HELOCHECK='A' | HELOCHECK='M'
+enable DNS A/MX lookup for the HELO/EHLO greeting string.
+In addition, the HELO/EHLO string is checked against
+the content of
+.IR badhelo .
+.TP 5
+.I UTF8
+display the
+.I SMTPUTF8
+greeting string. This is off by default.
+.p
+Since
+.B qmail-smtpd
+is 8 bit clean, setting of
+.I UTF8
+has no real consequences except for displaying this
+setting in the log as
+.IR ESMTP[SA]UTF8 .
+.P
+Controlling the SMTP Mail From:
+.IP
+.TP 5
+.I LOCALMFCHECK
+is used to enable a 'Mail From:' address Verification (MAV) for RELAYCLIENTs.
+Thus, the domain part of the 'Mail From:' envelope sender address
+has to match an entry in
+.IR rcpthosts
+or
+.IR morercpthosts
+control files, if not explicitly defined otherwise.
+
+If LOCALMFCHECK='!' is set, the control file
+.I mailfromrules.cdb
+is evaluated and the MAV is facilitated employing the environment variables
+.IR TCP(6)REMOTEINFO ,
+.IR TCP(6)REMOTIP ,
+or
+.I TCP(6)REMOTEHOST
+as a key.
+However, if LOCALMFCHECK='=' is provided,
+.IR TCP(6)REMOTEINFO
+(i.e. set by Auth) has to match the 'Mail From:'
+envelope address (case insensitive).
+Alternativley, using LOCALMFCHECK='?' the email address
+embedded in the DN of a X.509 client is used and compared
+against the 'Mail From:' envelope address.
+Of course, this requires
+.B sslserver
+to request a client cert for mutual authentication.
+
+Note: Adding a qualifier to LOCALMFCHCEK,
+the domain part of the 'Mail From:' address is compared
+against the provided string.
+.TP 5
+.IR MFDNSCHECK
+enable DNS MX lookup for the domain part of the 'Mail From:' envelope sender address.
+.TP 5
+.I SPF='0'|'1'|'2'|'3'|'4'|'5'|'6'
+SPF Records will be evaluated for the current SMTP session in case
+.B SPF
+is defined. The value of
+.B SPF
+may be given between 1 and 6 to enable SPF checks.
+.I 1
+selects 'annotate-only' mode, where
+.B qmail-smtpd
+will annotate incoming email with a
+.B Received-SPF
+header, but will not reject any messages.
+.I 2
+will produce temporary failures on DNS lookup problems
+so you can be sure always to have a meaningful Received-SPF header.
+.I 3
+selects 'reject' mode, where incoming mail will be rejected
+if the SPF record says 'fail'.
+.I 4
+selects a more stricter rejection mode, which is like 'reject' mode,
+except that incoming mail will also be rejected, when the SPF record
+says 'softfail'. Further,
+.I 5
+will reject when the SPF record says 'neutral', and
+.I 6
+rejects, if no SPF records are available at all
+(or a syntax error was encountered).
+If
+.B SPF
+is given as
+.IR 0 ,
+SPF checks are disabled.
+
+Note: Additional control files are
+.I spfexplain
+and
+.IR spflocalrules .
+
+.P
+Controlling the SMTP RCPT TO:
+.IP
+.TP 5
+.I MAXRECIPIENTS
+is the number of Rcpt To:'s
+.B qmail-smtpd
+will accept in a SMTP session.
+If MAXRECIPIENTS ist not set, any number is allowed.
+.TP 5
+.IR TARPITCOUNT
+is the number of Rcpt To:
+.B qmail-smtpd
+accepts before it starts tarpitting.
+Default: 0 which means no tarpitting.
+.TP 5
+.IR TARPITDELAY
+tarpitdelay is the time in seconds of delay
+to be introduced after each subsequent Rcpt To:.
+
+Smart Rejection Notes:
+If
+.IR TARPITCOUNT
+is set and
+.IR TARPITDELAY
+= 0 (default)
+.B qmail-smtpd
+will issue after recognising
+.IR TARPITCOUNT
+invalid Rcpt To: a Recipient failure;
+thus additional Rcpt Tos will not be accepted.
+If, however
+.IR TARPITCOUNT
+is set and
+.IR TARPITDELAY
+= 999
+.B qmail-smtpd
+will issue after
+.IR TARPITCOUNT
+invalid Rcpt To: a Recipient failure
+.TP 5
+.I RECIPIENTS450
+tells
+.b qmail-smtpd
+to issue a SMTP reply '450' (temporary rejection)
+instead the default '550'
+in case the recipient was not listed in any
+.I recipients
+cdb.
+
+.P
+Controlling the email body:
+.IP
+.TP 5
+.I BADLOADERTYPE='c'
+tells
+.B qmail-smtpd
+to evaluate the control file
+.I badloadertypes.cdb
+with the starting string 'c'.
+If
+.I BADLOADERTYPE='-'
+is set, the check is disabled.
+In case
+.I BADLOADERTYPE='+'
+is defined, the check is disabled for
+.IR RELAYCLIENTS .
+.TP 5
+.I BADMIMETYPE
+see control file
+.IR badmimetypes.cdb .
+In case
+.I BADMIMETYPE='-'
+is set;
+.I badmimetypes.cdb
+is not considered; thus the check is disabled.
+Providing
+.I BADMIMTETYPE='+'
+the check is disabled if in addition
+.IR RELAYCLIENTS
+are recognized.
+
+.TP 5
+.I BASE64
+tells QHPSI to enable virus checking only if a base64 encoded
+attachment was identified.
+.TP 5
+.I DATABYTES
+see control file
+.IR databytes .
+.TP 5
+.I QHPSI
+is used by
+.B qmail-smtpd
+to supply the name of the virus scanner and it's path.
+.P
+Environment variables for SMTP authentication:
+.IP
+.TP 5
+.I SMTPAUTH
+is used to enable SMTP Authentication for the
+Auth types
+LOGIN and PLAIN.
+In case
+.TP 5
+.I SMTPAUTH='+cram'
+is defined,
+.B qmail-smtpd
+honors LOGIN, PLAIN, and additionally CRAM-MD5 authentication.
+Simply
+.TP 5
+.I SMTPAUTH='cram'
+restricts authentication just to CRAM-MD5.
+If however
+.TP 5
+.I SMTPAUTH='!'
+starts with an exclamation mark, Auth is required.
+You can enforce 'Submission' using this option
+and binding
+.B qmail-smtpd
+to the SUBMISSION port \'587'\.
+In particular,
+.TP 5
+.I SMTPAUTH='!cram'
+may be useful.
+In opposite, if
+.TP 5
+.I SMTPAUTH='-'
+starts with a dash, Auth disabled for particular
+connections.
+Note: The use of 'cram' requires a CRAM-MD5 enabled PAM.
+.P
+Setting up the TLS/STARTTLS environment:
+.IP
+.TP 5
+.I UCSPITLS
+enables encrypted SMTP communication
+via STARTTLS in case
+.B sslserver
+is provided.
+If
+.I UCSPITLS='!'
+is set, STARTTLS is required; while setting
+.I UCSPITLS='-'
+disables STARTTLS.
+Further,
+.I UCSPITLS='?'
+may be used to force the client to present a X.509 cert
+for authentication purpose which may be refined
+requesting
+.I UCSPITLS='@'
+to additionally fetch the email address
+from the client's cert to be perhaps subject of
+.IR LOCALMFCHECK .
+.P
+Other environment variables used:
+.IP
+.TP 5
+.I DELIVERTO
+mail address for special recipients.
+.TP 5
+.I RBLSMTPD
+feed from
+.B rblsmtpd
+including the information received from the
+inquired RBL hosts and displayed as
+.I X-RBL-Info:
+message header.
+.TP 5
+.I POSTGREY
+triggering the call of
+.B qmail-postgrey
+and feeding it with the IP address and port of the
+.I greylisting
+server. If
+.I POSTGREY
+is set to
+.I -
+no lookup is performed.
+
+.SH "CUSTOMIZABLE RETURN MESSAGES"
+In case of rejected or defered SMTP connections
+.B qmail-smtpd
+can provide additional informations in the SMTP reply message
+which are sandwiched between the reply code and the EMMSC.
+.B qmail-smtpd
+recognizes these environment variables:
+.TP 5
+.I REPLY_GREYLISTED
+following 450 greylisting
+.TP 5
+.I REPLY_HELO
+following 550 Bad Helo
+.TP 5
+.I REPLY_MAILBOX
+following 550 mailbox not existing
+.TP 5
+.I REPLY_MAXSIZE
+following 552 message size to large
+.TP 5
+.I REPLY_BADMAILFROM
+following 553 badmail from
+.TP 5
+.I REPLY_BADRCPTTO
+following 553 badrcpt to
+.TP 5
+.I REPLY_SENDEREXIST
+following 553 SMTP sender DNS
+.TP 5
+.I REPLY_NOGATEWAY
+following 553 No gateway
+.TP 5
+.I REPLY_SENDERINVALID
+following 553 SMTP sender invalid
+.TP 5
+.I REPLY_CONTENT
+following 554 Message content invalid
+
+.SH "ENVIRONMENT VARIABLES SET"
+By means of the following environment variables,
+the SMTP session can be interrogated:
+.TP 5
+.I HELOHOST
+the HELO/EHLO greeting of the SMTP client.
+.TP 5
+.I AUTHPROTOCOL
+the ESMTPA protocol used for authentication.
+.TP 5
+.I AUTHUSER
+the supplied username for authentication.
+.TP 5
+.I MAILFROM
+containes the received 'Mail From:' address.
+.TP 5
+.I RCPTTO
+containes all received 'Rcpt To:' addresses separated by blanks.
+.TP 5
+.I TCP(6)REMOTEINFO
+in authentication mode set to the accepted username.
+.TP 5
+.I SSL_*
+information from
+.BR sslserver ,
+if applicable.
+
+.SH "SEE ALSO"
+tcp-environ(5),
+qmail-control(5),
+qmail-inject(8),
+qmail-newmrh(8),
+qmail-newbmt(8),
+qmail-authuser(8),
+qmail-recipients(8),
+qmail-postgrey(8),
+qmail-smtpam(8),
+qmail-mfrules(8),
+qmail-queue(8),
+qmail-remote(8),
+qmail-send(8),
+qmail-log(8),
+tcpserver(8),
+sslserver(8).
+