diff options
author | Jannis Hoffmann <jannis@fehcom.de> | 2024-07-09 11:44:11 +0200 |
---|---|---|
committer | Jannis Hoffmann <jannis@fehcom.de> | 2024-07-09 11:44:11 +0200 |
commit | f1b71c9fe7dbb4886588a036399cf5ebe16b7c47 (patch) | |
tree | e07786aa479c9fb6ee3e537078470aaab5454f80 /man/qmail-smtpd.8 | |
parent | a293489ee83c8b05d845a162dc2a4de026f3775d (diff) |
removed top level directory
Diffstat (limited to 'man/qmail-smtpd.8')
-rw-r--r-- | man/qmail-smtpd.8 | 1018 |
1 files changed, 1018 insertions, 0 deletions
diff --git a/man/qmail-smtpd.8 b/man/qmail-smtpd.8 new file mode 100644 index 0000000..393ec28 --- /dev/null +++ b/man/qmail-smtpd.8 @@ -0,0 +1,1018 @@ +.TH s/qmail: qmail-smtpd 8 +.SH "NAME" +qmail-smtpd \- receive mail via SMTP +.SH "SYNOPSIS" +.B qmail-smtpd +[ +.I checkprogram +.I subprogram +] +.SH "DESCRIPTION" +.B qmail-smtpd +receives mail messages via the Simple Mail Transfer Protocol (SMTP) +and invokes +.B qmail-queue +to deposit them into the outgoing queue. +.B qmail-smtpd +must be supplied with several environment variables; +see +.BR tcp-environ(5) . + +.B qmail-smtpd +is responsible for counting hops. +It rejects any message with 100 or more +.B Received +or +.B Delivered-To +header fields. + +.B qmail-smtpd +supports ESMTP and offers 8BITMIME, DATA, PIPELINING, SIZE, AUTH, STARTTLS, and SMTPUTF8 options. +.B qmail-smtpd +includes a 'Mail From:' parameter parser and obeys 'Auth', 'Size', and 'SMTPUTF8' advertisements. +.B qmail-smtpd +supports SMTPUTF8 SMTP envelope addresses and provides 8 bit clean message transmission. +.B qmail-smtpd +STARTTLS and SMTPS implementation requires the use of +.B sslserver +from ucspi-ssl. + +Authentication is facilitated in case the environment variable +SMTPAUTH is set which tells +.B qmail-smtpd +to accept LOGIN, PLAIN, and eventually CRAM-MD5 Auth types +and if additionally a PAM +.I checkprogram +is available which reads on file descriptor 3 the username, a 0 byte, +the password or CRAM-MD5 digest/response derived from the SMTP client, +another 0 byte, a CRAM-MD5 challenge (if applicable to the Auth type), +and a final 0 byte. +.I checkprogram +invokes +.I subprogram +upon successful authentication, which should return 0 to +.BR qmail-smtpd , +effectively setting the environment variables RELAYCLIENT and +TCPREMOTEINFO or TCP6REMOTEINFO +(any supplied value replaced with the authenticated username). +.B qmail-smtpd +will reject the authentication attempt if it receives a nonzero return +value from +.I checkprogram +or +.IR subprogram . + +STARTTLS support is enabled setting the environment variable UCSPITLS. +In this case, +.B qmail-smtpd +communicates with the +.B sslserver +program interface through a control socket, a reading and a writing pipe, dynamically +defined during the session start to be used for transport layer encryption. +.B qmail-smtpd +provides mutual authentication based on X.509 client certs and relaying +with additional SMTP Return-Path validation. + +.B qmail-smtpd +may employ additional DNS look-ups for the 'Mail From:' envelope sender +address and/or the HELO/EHLO greeting string from the MTA client. + +.B qmail-smtpd +implements a SPF record check for the domain part of the received +.I Mail-From:\ <return-path> +address or +the +.I HELO/EHLO +statement in case the domain information is missing. +This behavior is triggered by the environment variable +.BR SPF . + +.B qmail-smtpd +can be advised to communicate with a Greylisting server prior of acceptance, like +.BR postgrey , +submitting the connection information +.IR Mail\ From: , +.IR Rcpt\ To: , +.IR TCPREMOTEIP +and +.I TCPREMOTEHOST +given its IPv4/IPv6 address as environment variable +.IR POSTGREY +and potentially including the port number (60000 is default) +following the IP address separated by a semi-colon. +For IPv6 LLU addresses the interface name followwing a percent sign can be included: +.IR fe80::1%eth0;60000 . +A return value of +.I 10 +will advise +.B qmail-smtpd +to defer the SMTP connection providing a +.I 450\ greylisted\ (#4.3.0) +response to the connecting MTA, which can be tailored (see below). +This mechanism shall not be used for SMTP connections on the +.I Submission +port. +Setting +.I POSTGREY='-' +disables the lookup. + +.SH "TRANSPARENCY" +.B qmail-smtpd +converts the SMTP newline convention into the UNIX newline convention +by converting CR LF into LF. +Usually, it returns a temporary error and drops the connection on bare LFs. + +.B qmail-smtpd +accepts messages that contain long lines or non-ASCII characters +and thus is initially capable for SMTPUTF8 support. + +.SH "CONTROL FILES" +.TP 5 +.IR badhelo +Unacceptable HELO/EHLO greeting strings. +.B qmail-smtpd +will reject every connection attempt +if the client MTA's HELO/EHLO greeting compares with +a wildmat pattern provided in +.IR badhelo +in case the environment variable +.B HELOCHECK +is set. +.IR badhelo +checks have precedence over DNS lookups. +DNS lookups can be avoided, if the announced +HELO/EHLO greeting string is concatinated +with a trailing '!' and included in +.IR badhelo : + +.EX + localhost + localhost.localdomain + 127.0.0.1 + mygreetingstring + [192.168.1.2]! +.EE + +.TP 5 +.I badmailfrom +Unacceptable envelope sender addresses. +.B qmail-smtpd +will reject every recipient address for a message +if the envelope sender address is listed in +.IR badmailfrom . +A line in +.I badmailfrom +may be of the form +.BR @\fIhost , +meaning every address at +.IR host . +Additionally, any envelope sender address can be filtered +with a wildmat check: + +.EX + *@earthlink.net + !fred@earthlink.net + [0-9][0-9][0-9][0-9][0-9]@[0-9][0-9][0-9].com + answerme@save* + *%* + @yahoo.com- + @hotmail.com= + @mydomain.tld+ + ~yahoo.com + ?nobody@example.com +.EE + +A +.I badmailfrom +file with this contents reject all mail from Earthlink except from +fred@earthlink.net. It also rejects all mail with addresses like: +12345@123.com and answerme@savetrees.com. Further, any mail with +a sender address containing a percent sign (%) is rejected. + +This implementation recognises 'extended' addresss in +.I badmailfrom +allowing to reject mails with particluar spoofed domain addresses: + +(1) The address is appended with a '-'. +Now, if +.I TCP(6)REMOTEHOST +equals 'unknown', mails with the corresponding address are rejected +(badmailfromunknown). + +(2) The address is appended with a '='. +In case +.I TCP(6)REMEOTEHOST +is set mails, whose domain part of the envelope addresses +.B not +matching +the corresponding entry are rejected (badmailfromwellknown). + +(3) The address is appended with a '+'. +If +.I RELAYCLIENT +is not set and the sender address matches a corresponding entry +(anti-spoofing for internal addresses). + +(4) The address is enhanced with a leading '~'. +This requires a (left to right partial) matching of +.I TCP(6)REMOTEHOST +with the domain part of the envelope address. +Thus, this specific entry in +.I badmailfrom +uses +.I TCP(6)REMOTEHOST +in the first place (badmailfrommismachteddomains). + +(5) The address is enhanced with a leading '?'. +Emails with the corresponding sender address pass by all further +.I badmailfrom +tests including the +.I MFDNSCHECK +check. + +Note: The 'enhanced' addresses are not subject of the wildmat check +and are evaluated in lower-case. + +The wildmat check is done in the order: +Least significant to most significant. +Example: + +.EX + * + ! + !*@*.* + *viagra* +.EE + +.TP 5 +.I badloadertypes.cdb +Unacceptable base64 loader types in the message. +.B qmail-smtpd +will reject every message if 5 significant +characters (eg. +.BR Mi5kb) +anyware in the base64 encoded attachment is identical +to those compiled into +.IR badloadertypes.cdb . +Use +.B qmail-badloadertypes +to derive +.I badloadertypes.cdb +from +.IR badloadertypes . +In order to make the search efficient, all bad loader +types have to start with the same character (eg. 'M'). +The control file +.I badloadertypes.cdb +is evaluated if the environment variable BADLOADERTYPE +is set to the first character according to the contents of +.IR badloadertypes . +.TP +.I badmimetypes.cdb +Unacceptable base64 encoded MIME types in message. +.B qmail-smtpd +will reject every message if the first 9 significant +characters (eg. +.BR TVqQAAMAA ) +of any of it's embedded MIME types is identical with one +compiled into +.IR badmimetypes.cdb . +Use +.B qmail-badmimetypes +to derive +.I badmimetypes.cdb +from +.IR badmimetypes . +The control file +.I badmimetypes.cdb +is evaluated if the environment variable +.I BADMIMETYPE +is set. +In addition, irregular BASE64 attachments carrying whitespaces can +be rejected defining +.IR BADMIMETYPE='!' . +.TP 5 +.I badrcptto +Unacceptable envelope recipient addresses. +.B qmail-smtpd +will reject every incoming message +if the envelope recipient address is listed in +.IR badrcptto . +This control file is complementary to +.IR badmailfrom . +A line in +.I badrcptto +may be of the form +.BR @\fIhost , +meaning every address at +.IR host . +.I badrcptto +employes the same filtering logic for the envelope recipient as +.IR badmailfrom . +Effectively, +.IR badrcptto +allows a 'whitelisting' of envelope recipient addresses: + +.EX + * + !user1@mydomain.com + !user2@mydomain.com + !*@anotherdomain.com +.EE + +.IR badrcptto +allows to tag recipient addresses to be reachable from +authorized clients only (aka relayclients), prepending it +in +.IR badrcptto +with +.IR + . + +.EX + +localaddress@mydomain.com +.EE + +.TP 5 +.I databytes +Maximum number of bytes allowed in a message, +or 0 for no limit. +Default: 0. +If a message exceeds this limit, +.B qmail-smtpd +returns a permanent error code to the client; +in contrast, if +the disk is full or +.B qmail-smtpd +hits a resource limit, +.B qmail-smtpd +returns a temporary error code. + +.I databytes +counts bytes as stored on disk, not as transmitted through the network. +It does not count the +.B qmail-smtpd +Received line, the +.B qmail-queue +Received line, or the envelope. + +If the environment variable DATABYTES +is set, it overrides +.IR databytes . +.TP 5 +.I localiphost +Replacement host name for local IP addresses. +Default: +.IR me , +if that is supplied. +.B qmail-smtpd +is responsible for recognizing native IPv4/IPv6 addresses for the +current host. +When it sees a recipient address of the form +.I box@[d.d.d.d] +or +.IR box@[a:b:c:d:e:f:g:h] , +where +.I d.d.d.d +or +.IR a:b:c:d:e:f:g:h +is a local IPv4/IPv6 address, +it replaces +.I [d.d.d.d] +or +.IR [a:b:c:d:e:f:g:h] +with +.IR localiphost . +This is done before +.IR rcpthosts . +.TP 5 +.I morercpthosts +Extra allowed RCPT domains. +If +.I rcpthosts +and +.I morercpthosts +both exist, +.I morercpthosts +is effectively appended to +.IR rcpthosts . + +You must run +.B qmail-newmrh +whenever +.I morercpthosts +changes. + +Rule of thumb for large sites: +Put your 50 most commonly used domains into +.IR rcpthosts , +and the rest into +.IR morercpthosts . +.TP 5 +.I mailfromrules +Acceptable 'Mail From:' addresses for +RELAYCLIENTs are included here. Use +.B qmail-mfrules +to derive +.TP 5 +.I mailfromrules.cdb +from +.IR mailfromrules . +.TP 5 +.I rcpthosts +Allowed RCPT domains. +If +.I rcpthosts +is supplied, +.B qmail-smtpd +will reject +any envelope recipient address with a domain not listed in +.IR rcpthosts . + +Exception: +If the environment variable RELAYCLIENT is set, +.B qmail-smtpd +will ignore +.IR rcpthosts , +and will append the value of RELAYCLIENT +to each incoming recipient address. + +.I rcpthosts +may include wildcards: + +.EX + heaven.af.mil + .heaven.af.mil +.EE + +Envelope recipient addresses without @ signs are +always allowed through. +.TP 5 +.I recipients +List of external resources providing acceptable, +full-qualified envelope addresses +(\'RCPT to: <recip@domain>\') +to be used for recipient verification +during the SMTP session. + +The external sources can be either +.B fastforward +compliant cdbs including the envelope addresses, +where the path to a cdb has to be referenced +relative to Qmail's home directory, or a +.B qmail-users +build cdb available as +.IR users/assign.cdb , +or a +.B checkpassword +compatible Plugable Authentication Modules +(PAM), receiving the envelope address on FD 3 +as 'recip@domain\\0\\0\\0' and returning '0' +in a case of success and '1' in case of failure. +The use of a PAM is indicated with a delimiting '|' and +it will be called with up to five additional parameters; +while a cdb follows a ':', which can be omitted. + +The list of external sources is consulted line-by-line for each +recipient envelope address until the first positive answer, +or a final negative response is encountered. +Which external source to be queried, depends on the domain part of the +recipient envelope address specified on the left side of the +.I recipients +file, while the external resource is provided right from the delimitor. + +The addresses' domain part is evaluated in lower-case. +An exact domain match can be encompassed by means of a leading '@'. +The '*' is a generic wildcard for all domains. +Specific domains can be excluded from the lookup by means of a +leading '!'; thus all recipient addresses are accepted for this domain. +Additionally, a '!*' can be used as wildcard for all domains not encountered +before in +.I recipients +(pass-thru). + +A +.I recipients +file is always constructed like 'domain:cdb','domain|pam', +or simply 'cdb': + +.EX + !nocheck.com + mydomain.com:users/recipients.cdb + @mx.mydomain.com:= + example.com|bin/qmail-smtpam mx.example.com + *:etc/fastforward.cdb + *|PATH/ldapam ldapserver host port DN passwd + !* +.EE + +.B qmail-smtpd +will semi-automatically consult +.I users/assign.cdb +generated by +.B qmail-newu +in case the domain name is +followed by a colon and the equal sign '='. +Now, the received \'Rcpt to:\' address +is compared against each local part address +(starting with a '=') in +.IR users/assign.cdb . +However, no VERP addresses are considered, +which are indicated therein via a '+'. + +Lagacy format: + +.EX + users/recipients.cdb + etc/fastforward.cdb +.EE + +Note: Excluded domains starting with a '!' +should be placed in the beginning of the +.I recipients +file for performance reasons, while the pass-thru +statement '!*' has to be on the last line. +The recipients check is applied after the +.I rcpthosts +evaluation. + +.B qmail-recipients +may be used to construct a +.I users/recipients.cdb +from +.IR users/recipients . + +The +.B qmail-smtpd +recipients mechanism supports Qmail's address extension (VERP). +Unqualified envelope recipients are appended with \'@localhost\'. +.TP 5 +.I smtpgreeting +SMTP greeting message. +Default: +.IR me , +if that is supplied; +otherwise +.B qmail-smtpd +will refuse to run. +The first word of +.I smtpgreeting +should be the current host's name. +.TP 5 +.I spfexplain +An additional SPF explanation can be given here to provide more +specific information for the sender in case of a reject. +SPF macro expansion is possible. It will override the default one, e.g.: + +.EE +See https://example.com/spfrules.html (#5.7.1) +.EX +.TP 5 +.I spflocalrules +As 'last resort', it is possible to include SPF local rules here +(on one line), that will be applied before other SPF rules would fail. +This can be used to allow certain MX to send mails anyway. Example: + +.EE +include:spf.trusted-forwarder.org +.EX +.TP 5 +.I timeoutsmtpd +Number of seconds +.B qmail-smtpd +will wait for each new buffer of data from the remote SMTP client. +Default: 1200. + +.SH "CONDITIONAL CONTROL FILES" +The control files \fIrcpthosts\fR, \fImorecpthosts\fR, +\fIrecipients\fR, \fIbadhelo\fR +are 'conditional' control files and evaluated +only if the environment variable RELAYCLIENT is not set. +On the other hand, +\fImailfromrules.cdb\fR is only taken into account, if +RELAYCLIENT is set. +This allows +.B qmail-smtpd +to relay mail messages from local clients and to filter +mails with certain SMTP envelope conditions +originating from particular clients ('Split Horizon'). +Other conditional control files are +\fIbadloadertypes\fR, +\fIbadmimetypes\fR +which depend on the setting of the corresponding +environment variables. + +Further, the control files \fIspfexplain\fR and +\fIspflocalrules\fR are only evaluated if the +environment variable +.I SPF +is defined and greater than 0 and +.I RELAYCLIENT +is not set. + +.SH "ENVIRONMENT VARIABLES READ" +Environment variables may be defined globally in the +.B qmail-smtpd +startup script and/or individually as part of the +.BR sslserver 's +cdb database. +The environment variables may be quoted ("variable", or 'variable') and +in case of global use, have to be exported. +.B qmail-smtpd +supports the following legacy environment variables, typically +provided by +.B sslserver +or +.B tcpserver: +.IR TCP(6)REMOTEIP , +.IR TCP(6)REMOTEHOST +.IR TCP(6)REMOTEINFO +and +.IR TCPLOCALPORT +as well as +.IR RELAYCLIENT . +Additionally, +.B qmail-smtpd +may use several environment variables for different purposes. +.P +Controlling the SMTP HELO/EHLO: +.IP +.TP 5 +.I HELOCHECK='' +enables a check of the provided HELO/EHLO greeting against +the content of the control file +.IR badhelo . +In case no HELO/EHLO greeting is given, SMTP +connections can be rejected, if +.I HELOCHECK='!' +is set. Checks on the presence and the content of +the HELO/EHLO greeting string is facilitated, setting +.IR HELOCHECK='.' . +To enforce the match of the HELO/EHLO greeting with +the remote host's FQDN ( +.IR TCP(6)REMOTEHOST ), +use +.IR HELOCHECK='=' . +.TP 5 +.I HELOCHECK='A' | HELOCHECK='M' +enable DNS A/MX lookup for the HELO/EHLO greeting string. +In addition, the HELO/EHLO string is checked against +the content of +.IR badhelo . +.TP 5 +.I UTF8 +display the +.I SMTPUTF8 +greeting string. This is off by default. +.p +Since +.B qmail-smtpd +is 8 bit clean, setting of +.I UTF8 +has no real consequences except for displaying this +setting in the log as +.IR ESMTP[SA]UTF8 . +.P +Controlling the SMTP Mail From: +.IP +.TP 5 +.I LOCALMFCHECK +is used to enable a 'Mail From:' address Verification (MAV) for RELAYCLIENTs. +Thus, the domain part of the 'Mail From:' envelope sender address +has to match an entry in +.IR rcpthosts +or +.IR morercpthosts +control files, if not explicitly defined otherwise. + +If LOCALMFCHECK='!' is set, the control file +.I mailfromrules.cdb +is evaluated and the MAV is facilitated employing the environment variables +.IR TCP(6)REMOTEINFO , +.IR TCP(6)REMOTIP , +or +.I TCP(6)REMOTEHOST +as a key. +However, if LOCALMFCHECK='=' is provided, +.IR TCP(6)REMOTEINFO +(i.e. set by Auth) has to match the 'Mail From:' +envelope address (case insensitive). +Alternativley, using LOCALMFCHECK='?' the email address +embedded in the DN of a X.509 client is used and compared +against the 'Mail From:' envelope address. +Of course, this requires +.B sslserver +to request a client cert for mutual authentication. + +Note: Adding a qualifier to LOCALMFCHCEK, +the domain part of the 'Mail From:' address is compared +against the provided string. +.TP 5 +.IR MFDNSCHECK +enable DNS MX lookup for the domain part of the 'Mail From:' envelope sender address. +.TP 5 +.I SPF='0'|'1'|'2'|'3'|'4'|'5'|'6' +SPF Records will be evaluated for the current SMTP session in case +.B SPF +is defined. The value of +.B SPF +may be given between 1 and 6 to enable SPF checks. +.I 1 +selects 'annotate-only' mode, where +.B qmail-smtpd +will annotate incoming email with a +.B Received-SPF +header, but will not reject any messages. +.I 2 +will produce temporary failures on DNS lookup problems +so you can be sure always to have a meaningful Received-SPF header. +.I 3 +selects 'reject' mode, where incoming mail will be rejected +if the SPF record says 'fail'. +.I 4 +selects a more stricter rejection mode, which is like 'reject' mode, +except that incoming mail will also be rejected, when the SPF record +says 'softfail'. Further, +.I 5 +will reject when the SPF record says 'neutral', and +.I 6 +rejects, if no SPF records are available at all +(or a syntax error was encountered). +If +.B SPF +is given as +.IR 0 , +SPF checks are disabled. + +Note: Additional control files are +.I spfexplain +and +.IR spflocalrules . + +.P +Controlling the SMTP RCPT TO: +.IP +.TP 5 +.I MAXRECIPIENTS +is the number of Rcpt To:'s +.B qmail-smtpd +will accept in a SMTP session. +If MAXRECIPIENTS ist not set, any number is allowed. +.TP 5 +.IR TARPITCOUNT +is the number of Rcpt To: +.B qmail-smtpd +accepts before it starts tarpitting. +Default: 0 which means no tarpitting. +.TP 5 +.IR TARPITDELAY +tarpitdelay is the time in seconds of delay +to be introduced after each subsequent Rcpt To:. + +Smart Rejection Notes: +If +.IR TARPITCOUNT +is set and +.IR TARPITDELAY += 0 (default) +.B qmail-smtpd +will issue after recognising +.IR TARPITCOUNT +invalid Rcpt To: a Recipient failure; +thus additional Rcpt Tos will not be accepted. +If, however +.IR TARPITCOUNT +is set and +.IR TARPITDELAY += 999 +.B qmail-smtpd +will issue after +.IR TARPITCOUNT +invalid Rcpt To: a Recipient failure +.TP 5 +.I RECIPIENTS450 +tells +.b qmail-smtpd +to issue a SMTP reply '450' (temporary rejection) +instead the default '550' +in case the recipient was not listed in any +.I recipients +cdb. + +.P +Controlling the email body: +.IP +.TP 5 +.I BADLOADERTYPE='c' +tells +.B qmail-smtpd +to evaluate the control file +.I badloadertypes.cdb +with the starting string 'c'. +If +.I BADLOADERTYPE='-' +is set, the check is disabled. +In case +.I BADLOADERTYPE='+' +is defined, the check is disabled for +.IR RELAYCLIENTS . +.TP 5 +.I BADMIMETYPE +see control file +.IR badmimetypes.cdb . +In case +.I BADMIMETYPE='-' +is set; +.I badmimetypes.cdb +is not considered; thus the check is disabled. +Setting +.I BADMIMTETYPE='!' +the mime type is rejected if it includes whitespaces; +even without the control file +.IR badmimetypes.cdb . +Providing +.I BADMIMTETYPE='+' +the check is disabled if in addition +.IR RELAYCLIENTS +are recognized. + +.TP 5 +.I BASE64 +tells QHPSI to enable virus checking only if a base64 encoded +attachment was identified. +.TP 5 +.I DATABYTES +see control file +.IR databytes . +.TP 5 +.I QHPSI +is used by +.B qmail-smtpd +to supply the name of the virus scanner and it's path. +.P +Environment variables for SMTP authentication: +.IP +.TP 5 +.I SMTPAUTH +is used to enable SMTP Authentication for the +Auth types +LOGIN and PLAIN. +In case +.TP 5 +.I SMTPAUTH='+cram' +is defined, +.B qmail-smtpd +honors LOGIN, PLAIN, and additionally CRAM-MD5 authentication. +Simply +.TP 5 +.I SMTPAUTH='cram' +restricts authentication just to CRAM-MD5. +If however +.TP 5 +.I SMTPAUTH='!' +starts with an exclamation mark, Auth is required. +You can enforce 'Submission' using this option +and binding +.B qmail-smtpd +to the SUBMISSION port \'587'\. +In particular, +.TP 5 +.I SMTPAUTH='!cram' +may be useful. +In opposite, if +.TP 5 +.I SMTPAUTH='-' +starts with a dash, Auth disabled for particular +connections. +Note: The use of 'cram' requires a CRAM-MD5 enabled PAM. +.P +Setting up the TLS/STARTTLS environment: +.IP +.TP 5 +.I UCSPITLS +enables encrypted SMTP communication +via STARTTLS in case +.B sslserver +is provided. +If +.I UCSPITLS='!' +is set, STARTTLS is required; while setting +.I UCSPITLS='-' +disables STARTTLS. +Further, +.I UCSPITLS='?' +may be used to force the client to present a X.509 cert +for authentication purpose which may be refined +requesting +.I UCSPITLS='@' +to additionally fetch the email address +from the client's cert to be perhaps subject of +.IR LOCALMFCHECK . +.P +Other environment variables used: +.IP +.TP 5 +.I DELIVERTO +mail address for special recipients. +.TP 5 +.I RBLSMTPD +feed from +.B rblsmtpd +including the information received from the +inquired RBL hosts and displayed as +.I X-RBL-Info: +message header. +.TP 5 +.I POSTGREY +triggering the call of +.B qmail-postgrey +and feeding it with the IP address and port of the +.I greylisting +server. If +.I POSTGREY +is set to +.I - +no lookup is performed. + +.SH "CUSTOMIZABLE RETURN MESSAGES" +In case of rejected or defered SMTP connections +.B qmail-smtpd +can provide additional informations in the SMTP reply message +which are sandwiched between the reply code and the EMMSC. +.B qmail-smtpd +recognizes these environment variables: +.TP 5 +.I REPLY_GREYLISTED +following 450 greylisting +.TP 5 +.I REPLY_HELO +following 550 Bad Helo +.TP 5 +.I REPLY_MAILBOX +following 550 mailbox not existing +.TP 5 +.I REPLY_MAXSIZE +following 552 message size to large +.TP 5 +.I REPLY_BADMAILFROM +following 553 badmail from +.TP 5 +.I REPLY_BADRCPTTO +following 553 badrcpt to +.TP 5 +.I REPLY_SENDEREXIST +following 553 SMTP sender DNS +.TP 5 +.I REPLY_NOGATEWAY +following 553 No gateway +.TP 5 +.I REPLY_SENDERINVALID +following 553 SMTP sender invalid +.TP 5 +.I REPLY_CONTENT +following 554 Message content invalid + +.SH "ENVIRONMENT VARIABLES SET" +By means of the following environment variables, +the SMTP session can be interrogated: +.TP 5 +.I HELOHOST +the HELO/EHLO greeting of the SMTP client. +.TP 5 +.I AUTHPROTOCOL +the ESMTPA protocol used for authentication. +.TP 5 +.I AUTHUSER +the supplied username for authentication. +.TP 5 +.I MAILFROM +containes the received 'Mail From:' address. +.TP 5 +.I RCPTTO +containes all received 'Rcpt To:' addresses separated by blanks. +.TP 5 +.I TCP(6)REMOTEINFO +in authentication mode set to the accepted username. +.TP 5 +.I SSL_* +information from +.BR sslserver , +if applicable. + +.SH "SEE ALSO" +tcp-environ(5), +qmail-control(5), +qmail-inject(8), +qmail-newmrh(8), +qmail-newbmt(8), +qmail-authuser(8), +qmail-recipients(8), +qmail-postgrey(8), +qmail-smtpam(8), +qmail-mfrules(8), +qmail-queue(8), +qmail-remote(8), +qmail-send(8), +qmail-log(8), +tcpserver(8), +sslserver(8). + |