smtp-gated.conf

Bartlomiej Korupczynski

2011-12-04

NAME

smtp-gated.conf - The smtp-gated configuration file.

VERSION

This manual describes smtp-gated v. 1.4.18.8

DESCRIPTION

This file defines configuration to be used by daemon.

Options are placed one per line, and consists of option name, followed by number or spaces or tabs, and option value. Empty lines, and lines starting with # or ; (hash or semicolon) are ignored.

Tags in square brackets, show additional information for each variable. See EXPLANATION later in this manual.

This manual describes configuration for 1.4.14-rc2. For previous releases, use manuals included in source archive.

MAIN OPTIONS

proxy_name STRING
Name that appears on communicates generated by daemon (usually errors, or session blocking). Use asterisk '*' to use host name as proxy_name.
bind_address IP [RESTART]
Defines IP the daemon listes on.
port PORT [RESTART]
Defines listening TCP port.
outgoing_addr IP
Defines IP for outgoing SMTP connections (this appears as source on MTA servers). This option has been renamed from source_addr.
pidfile FILE [RESTART]
Defines .pid file path.
chroot_path PATH [RESTART]
If this setting is defined, daemon chroot()'s to this path after forking. This allows to raise security.
set_user USER [RESTART]
set_group GROUP [RESTART]
Daemon changes it UID/GID to the one defined for username and groupname. This setting does not allow to specify UID/GID as numbers yet. Do NOT run proxy as root, as this will break locking.
priority INT [RESTART]
Daemon changes it's priority when it's defined. 0 means "no change". Values as in setpriority(2).
connect_queue INT
Defines listen(2) backlog.
enfile_sleep UINT
Sleep time in case ENFILE error occured.
on_takeover_cmds UINT
Limit for commands issued by MUA after session takeover.
buffer_size UINT
Defines buffer size (in bytes) to track SMTP sessions. Should be above 1500.
pipeline_size UINT
Queue size for SMTP PIPELINING extension.
pid_hash_size UINT
host_hash_size UINT
Controls hashing table size for PID and host counters. Usually there is no much sense to set it higher than max_connections.

RESOURCE CONTROL

limit_core_size INT
Set core dump file size. Helps debugging unexpected problems :) "-1" means to leave system default setting. "0" turns off core dump completely. If this can not be changed at runtime, process does not terminate, logging error instead.
limit_virt_size INT
limit_data_size INT
limit_fsize INT
Three above correspond to RLIMIT_AS, RLIMIT_DATA and RLIMIT_FSIZE in setrlimit(3). You should set this to higher values if you are getting "Not enought memory" errors (this can also happen upon memory leak).

Keep in mind, that all resource limits are inherited by child process, including action scripts.

MODE

Mode defined method, to discover destination IP addres to forward connection to. It differs obviously on different platforms, but there are couple of common modes, platform independent.

mode fixed|fixed+xclient|remote|remote-udp|getsockname|netfilter|tproxy|tproxy,netfilter|ipfw|ipfilter|pf [ONE,RESTART]
Set operating mode "remote".

Supported modes are printed as USE_NAT with:

smtp-gated -V

In all modes except remote/remote-udp proxy must be running on the NAT machine itself to be able to determine destination IP. If you need to run proxy on separate machine, it's possible to use policy routing to reroute all SMTP traffic through proxy machine. This machine should be running in NAT mode specific to OS (netfilter/ipfw/ipfilter/pf/getsockname/tproxy), and act as "router" for SMTP traffic only.

If you use Linux on your router, then it's possible to run proxy on other machine (not necessarily Linux), if you run proxy-helper on the router (see http://software.klolik.org for details).

Special mode tproxy,netfilter is runtime conditional. It is changed for every new connection to netfilter for private IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16), and to tproxy for routable IPs (the rest).

FIXED MODE

In this mode, all connections are forwarded to one, fixed MTA. This may be used to filter SMTP traffic just before ISP SMTP server. Use it, if you want to protect your SMTP server from outside world.

fixed_server IP
IP of MTA to connect to.
fixed_server_port PORT
Port to connect to.

FIXED+XCLIENT MODE

Accepts the same options as FIXED MODE. Uses XCLIENT to impersonate client to MTA. Allows prefiltering for postfix (v2.3 or later) as (almost) transparent proxy.

REMOTE IDENT MODE / REMOTE-UDP IDENT MODE

In this mode, daemon is running on dedicated server, serving protection for couple of routers. For each incoming connection, lookup is performed on source IP, to discover destination IP. REMOTE requires patched ident daemon (not public yet), and therefore is useless for most users. REMOTE-UDP uses so called proxy-helper.

remote_port PORT
Port to lookup ident and destination IP.
remote_udp_retries INT
Number of retries for UDP lookup
remote_udp_secret INT
Secret used for simple authentication

GETSOCKNAME MODE

Last resort -- try it if your OS is not supported elsewhere. Should it not run, you'll receive 'avoiding loop' in your logs.

NETFILTER MODE

Linux netfilter mode. All connections are forwarded to original MTA. Netfilter connection tracking is used for destination IP lookup. This mode was formerly enabled by "use_netfilter" option.

TPROXY MODE

Linux/netfilter TPROXY module support (since 1.4.16.4) for spoofing source address. This way proxy preserves source IP of client (useful for public addresses). Please note, that all port 25 traffic needs to flow through the proxy. It's not a problem if you install smtp-gated on your "main" Linux router. If you use some external router, you need to redirect the traffic to proxy interface.

You need to have proper kernel header and modules to enable it (linux/netfilter/xt_TPROXY.h existing probably under /usr/include), and depdends on kernel version. Works for 2.6.32 and maybe earlier. See ./configure summary.

# NAT module must be loaded iptables -t nat -N placeholder # packets for proxy need to be tproxied iptables -t mangle -N divert iptables -t mangle -A divert -j MARK --set-mark 1 iptables -t mangle -A divert -j ACCEPT iptables -t mangle -A PREROUTING -p tcp -m socket -j divert iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 9199 # packets for tproxy need to be rerouted ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100

Please note that when nf_conntrack_ipv4 module is loaded on 2.6.32 (and maybe on others), I've seen delay during connection setup, and tcpdump shows double TCP SYN+ACK, with only the second being accepted, thus introducing delay during connection setup. Connection continues normally. It's probably some tproxy code fault.

Be aware, that if you use external router to redirect only SMTP traffic to proxy host, you have all the traffic seen twice. Let's say the client IP is 1.1.1.1 connects to MTA 2.2.2.2, and the proxy is 3.3.3.3: 1. client sends packet from 1.1.1.1 to 2.2.2.2 via router 2. the packet is routed through 3.3.3.3 (having source and destination intact) 3. the proxy accepts connection, does some internal magic and creates *new* connection with source 1.1.1.1 and destination 2.2.2.2 4. proxy host sends it's own version of packet from 1.1.1.1 to 2.2.2.2 through router 5. router should route the new packet to the MTA 2.2.2.2 according to normal routing table 6. MTA replies through router to proxy 7. proxy does the reverse magic and replies through router to client

So, the packet flow is like:

client <=1/7=> proxy <=3/6=> MTA

As you can see there are two kind of packets (client<=>proxy and proxy<=>MTA) that seem to be identical. It's your job, to setup the routers policy routing.

IPFW MODE

FreeBSD ipfw mode. All connections are forwarded to original MTA. ipfw connection tracking is used for destination IP lookup.

IPFILTER MODE

*BSD Packet filter mode. All connections are forwarded to original MTA. ipfilter connection tracking is used for destionation IP lookup.

PF MODE

FreeBSD PacketFilter mode. All connections are forwarded to original MTA. pf connection tracking is used for destination IP lookup. Proxy needs to have proper permissions to /dev/pf.

STATUS

statefile FILE
Defined file which will contains status.
statefile_type human|flat|slots [MULTI]
Defined status format. Flat is preferred for parsing, human is preferred to be read by humans :) By adding "slots" you can see current slot assignment and statistics for each session.

Status file is written on SIGUSR1: see smtp-gated(8).

LOCKING

When virus/SPAM is found, user's IP or IP+ident can be blocked for certain time. After that time, lock is removed, and user is allowed to use SMTP again. Lockfile has name same as IP, or IP "-" IDENT if ident is used.

Administrator can prevent locking some IP (IP+ident), by creating corresponding lock file with owner other than daemon runs on. This lock file is not automatically deleted. Contents is ignored, so it can be description, or sth else.

lock_on virus|spam|maxhost|maxident|dnsbl|regex|earlytalk|never [MULTI]
Set events locking occurs for. See max_per_host, max_per_ident.
lock_duration INT [s]
Time the lock persists. 0 disables locking, -1 means lock forever (or: until manually unlocked).
lock_path PATH
Directory for lock files.
lock_perm OCTAL
Lock files permissions as for open(2). Octal value must be preceded by zero.

NOTE: Lock files are checked (and eventually removed) for every incoming connection. This means that they will exist after expiration, until next connection from its "owner". In particular, they can be left forever, if user won't use SMTP any more. You can use crontab to remove stale locks like this (though it's not necessary for proxy to funcion properly):

find /var/spool/smtp-gated/lock -type f -user smtpgw -mtime +30 -exec rm {} \;

ACTION SCRIPT

Action script is called when virus or spam is found, and if host/ident limit is reached. If locking is used, action_script is called only when lock is created (once until unblocked). This makes sure, that script is called only once for a specified period (until lock expires). Script is obviously called with proxy UID/GID.

Despite of actions taken by script (i.e. firewall-level user lock), you should set lock_duration high enough (i.e. 15 seconds), to prevent connection-flood translate to action-flood (scripting is as expensive as fork() and shell expansions).

If you have strange problems with action scripts (ENOMEM or ENFILE), that seem to work well when executed manually, read about resource control above. This will have impact especially on language interpreters like perl.

action_script FILE
Defines path to script called when virus/spam is found.

All parameters for action_script are passed via environment variables:

PROXY_NAME
proxy name as defined in proxy_name in config file [>=1.4.12-rc7]
FOUND
contains word "VIRUS" or "SPAM", "MAX_HOST", "MAX_IDENT".
VIRUS_NAME
virus name if virus found.
SPAM_SCORE
spam score if spam found.
SOURCE_IP
source IP.
SOURCE_PORT
source port.
TARGET_IP
target (SMTP server) IP.
TARGET_PORT
target (SMTP server) port.
LOCAL_IP
local (proxy) IP as redirected.
LOCAL_PORT
local (proxy) port as redirected.
IDENT
source ident [REMOTE].
IDENT_COUNT
connections count from particular host+ident [REMOTE].
HELO
HELO/EHLO string.
MAIL_FROM
SMTP "MAIL FROM" line, stripped.
RCPTS_TOTAL
total number of mail recipients in session (not transaction).
SIZE
message size [bytes].
TRANSACTION
transaction number, starting from 1.
AUTH
authentication flags bitmap: 1=supported, 2=accepted, 4=rejected; see AUTH_FLAG_* in src/smtp-gated.h
SPOOL_NAME
spool file name.
LOCK_FILE
lock file name.
TIME
time of connection start, human readable text.
UNIXTIME
time of connection start, unix timestamp.

SPOOLING

spool_path PATH
Directory for temporary message files.
spool_perm OCTAL
Temporary files permissions as for open(2). Octal value must be preceded by zero.
spool_leave_on error|spam|virus|never|always [MULTI]
Set events, spool file is left for. If set to "never", spool is always deleted. If you choose "always" please note that for multi-transactional session, only the last mail is saved. Spools are also removed if they exceed size limit or if there's error during file write (including but not limited to drive full).

TIMEOUTS

All timeouts are specified in seconds.

timeout_direct UINT
Timeout for direct proxy session. This type of session is used on TLS connections.
timeout_lookup UINT [REMOTE]
Timeout for lookup.
timeout_scanner UINT
Timeout for antivirus scanner engine.
timeout_spam UINT
Timeout for antispam scanner engine.
timeout_session UINT
Timeout for fake session (when virus/SPAM is blocked).
timeout_idle UINT
Timeout for idle sessions. Prevents stale connections.
timeout_connect UINT
Timeout for connecting to remote MTA.

AUTHENTICATION CONTROL

Proxy can limit access to MTA, according to SMTP AUTH support and state. For now, there is no way to whitelist host or MTA.

auth_require no|ifsupported|mandatory [ONE]
Set authorization requirements:
no do not require any authorization, pass all messages.
ifsupported require authorization if MTA advertises support for it. If authorization is not advertised, mail is passed. If authorization is advertised, mail is passed only if client has authorized successfully.
mandatory require authorization for all connections. It MTA does not support authorization, no mail is passed.

Authentication state is logged in "CLOSE by=... auth=N", where N is bitwise OR for following values:

1 MTA supports auth (advertised in EHLO response)
2 user authenticated successfuly
4 user authentication failed (rejected by MTA)
auth_skip none|antivir|antispam|dnsbl|regex [MULTI]
Skip checking/scanning if session is authenticated. Note that 'auth_skip dnsbl' delays dnsbl rejection to MAIL FROM stage (as opposite to connect stage).

LIMITS

All sizes are specified in bytes. Loadavg limits can be disabled by specyfing zero, but this is not recommended.

max_connections UINT [RESTART]
Total maximum connections.
max_per_host UINT
Maximum connections per source IP (see also: lock_on maxhost).
max_per_ident UINT [REMOTE]
maximum connections per IP+ident (see also: lock_on maxident).
max_load FLOAT
Reject connections if load is above this setting.
size_limit UINT
Limit maximum message size. 0=disabled (default).
scan_max_size UINT
av-scan messages with size up to this limit.
spam_max_size INT
SPAM-scan messages with size up to this limit. Should spam scanning be turned off, set it to 0 (default).
spam_max_load FLOAT
Don't SPAM-scan messages if load above this setting.
spam_threshold FLOAT
Treat message as SPAM if it's score is equal/greater than this value.

MISCELLANOUS

ignore_errors BOOL
Continue when possible even if error occured (i.e. virus scanner failure).

LOGGING

Daemon logs messages via syslog, facility daemon.

log_helo BOOL
Logs HELO/EHLO issued by client.
log_mail_from accepted|rejected|base64|off [MULTI]
Client MAIL FROM logging options:
off do not accepted log if address is accepted by MTA rejected log if address is rejected by MTA base64 log as base64 encoded md5 hash of e-mail
log_rcpt_to [MULTI]
Client RCPT TO logging mask. (see log_mail_from).
email_length UINT
MAIL FROM/RCPT TO email length limit (before optional md5 encoding).
log_level debug|info|notice|warning|err|alert|emerg|crit [ONE,RESTART]
Defined log level, as used by syslog(3):
crit Emergency messages (highest priority) emerg Critical, requires intervention alert Critical messages err Errors warning Warnings notice Normal, but significiant messages info Informational messages debug Debugging messages (lowest priority)
log_facility user|mail|daemon|auth|news|authpriv|local0|local1|local2|local3|local4|local5|local6|local7 [ONE,RESTART]
Defined log facility, as used by syslog(3).

MANGLING

nat_header
Header injected into message stream header (sent to MTA); default is "X-NAT-Received" [>=1.4.12-rc5]
nat_header_type none|simple|ip-only ONE, OLD:
Turns on/off injecting X-NAT-Received headers to messages. [>=1.4.12-rc5]
none no ip-only include only source IP in header generic generic header (MTA-like)
spool_header
Header injected into message spool header (not sent to MTA, visible in AV-scanner and AS-scanner), default is "X-Proxy-Spool-Info" [>=1.4.12-rc5]
abuse STRING
Sets "abuse" info in full X-NAT-Received header.

SCANNERS

scanner_path FILE
not used.
antivirus_type off|clamd|mksd [ONE]
Choose antivirus to use. "off" means no scanning.
antivirus_path SOCKET
Path for clamd socket.
antispam_type off|spamassassin [ONE]
Choose antispam to use. "off" means no scanning.
antispam_path SOCKET
Path for spamd socket.
dspam_storage PATH
DSPAM storage home.

DNSBL

dnsbl zone,zone,[...]
Check incoming connections on specified DNSBL lists. Probably makes sense for FIXED MODE only. See also: lock_on dnsbl

SPF

Check messages against SPF. IP used for SPF verification depends on spf option.

spf none|incoming|outgoing|fixed [ONE]
Enables SPF checking.
none SPF turned off
incoming check against client incoming-IP, probably useful for mode fixed only.
outgoing check against proxy outgoing-IP (outgoing_addr), probably useful for NAT-mode only.
fixed check against static IP defined by spf_fixed_ip
spf_log_only yes|no
Logging only of SPF results, no mail rejection.

spf_fixed_ip IP
Static IP used by spf fixed only. Useful if proxy is behind NAT.

REGEX

regex_enforce_helo REGEX
regex_enforce_mail_from REGEX
regex_enforce_rcpt_to REGEX

Rejects HELO/MAIL FROM/RCPT TO if don't match regex_enforce_*.

regex_reject_helo REGEX
regex_reject_mail_from REGEX
regex_reject_rcpt_to REGEX

Rejects HELO/MAIL FROM/RCPT TO if they match regex_reject_*.

Please note, regex matching occurs only when corresponding command is given. As a result, it is not possible to check if there was no HELO/EHLO. See also: auth_skip regex, lock_on regex.

EARLYTALK

Earlytalker means MUA which starts to send SMTP commands before the greeting from MTA. This is SMTP protocol violation and all legitimate mail software should not do that.

earlytalker BOOLEAN
Enable/disable earlytalker rejection.
lock_on earlytalker
Enable locking earlytalkers.

RATE LIMIT

Limits for client per time-period. Experimental.

ratelimit_path PATH
Path for ratelimit files ("database"). If rate limiting is enabled, these get rewritten for every connection, so it's probably a bad idea to put them on any kind of Flash (SSD) drive.

ratelimit_period SECONDS
Time period for limits. 0 disables rate limiting entirely.

ratelimit_generation UINT
Generation is saved in ratelimiting structures together with ratelimit_* limits. Limits are updated only if this generation is increased. Recomended format is YYYYMMDDHHMMSS. To setup personalised limit, write them with really high generation (no tool for this yet).

ratelimit_connections INT
ratelimit_sessions INT
ratelimit_recipients INT
ratelimit_bytes INT
Limit per duration limits for each client (host or host+ident). Limit database is saved into ratelimit_path directory. Setting any limit to 0 disables that limit, and setting duration to 0 disables all limits.

EARLYTALK

If client sends any command before MTA greeting, gets kicked. Current implementation does not delay the greeting by itself, but relies on the MTA.

earlytalk BOOL
enable/disable earlytalk check (enabled by default) See also: lock_on earlytalk

MESSAGES

All messages sent to user are customisable.

locale NAME
Changes locale of system errors from strerror(3). See setlocale(3). Does not change messages generated by daemon itself.

MESSAGES MAIN

msg_virus_found
Virus found in message.
msg_virus_locked
User locked, virus or SPAM found before.
msg_spam_found
SPAM found in message.
msg_unknown_virus
Virus name substituted, when it's unknown.
msg_spool_problem
Spooling file name problem.
msg_spool_open_fail
Spool creation failed.
msg_pipeline_full
Pipeline queue full.
msg_scanner_failed
Scanner has failed.
msg_cannot_connect
Cannot connect to MTA.
msg_connect_timeout
Connection to MTA timed out.
msg_nomem
Out of memory

MESSAGES FAKE MTA SESSION

msg_hello
Hello message.
msg_sign_off
Signing off.
msg_virus_no_more
Virus found, please end the session.
msg_session_timeout
Session timed out.
msg_proto_error
Protocol error.
msg_transaction_failed
Fake MTA transaction failed.
msg_unimpl_command
Unimplemented command (SMTP verb).
msg_temp_unavail
Service temporarily unavailable.

MESSAGES LIMITS

msg_max_reached
Total connections limit reached, try again later.
msg_max_per_host
Connections limit for IP reached, try again later.
msg_max_per_ident
Connections limit for IP+ident reached, try again later.
msg_system_load
System load too high, try again later.

MESSAGES FOR REMOTE IDENT MODE

msg_malformed_ip [REMOTE]
Malformed IP received
msg_lookup_failed
Lookup failed.
msg_lookup_timeout
Lookup timed out.
msg_lookup_mismatch
Invalid lookup response format.
msg_lookup_nomem
Lookup failed, not enough memory.

FAQ

These are popular Questions and Answers:

Q1: Antispam is not working! What is wrong?
You must change max_spam_size to something above 0 to turn on antispam scanning. It's set to 0 by default, and this means turning antispam off. Also, set antispam_type.

Q2: Spammers don't get locked! What is wrong?
If you want to block spammers, set "lock_on spam[,...]", and see Question#1.

Q3: I wanted to block some user by creating lockfile manually, but now his traffic is not even scanned!
Creating lockfile with owner other than proxy process runs with, will protect that host from being locked. The contents of file does not matter.

Q4: My header is invalid after upgrading!
nat_header changed into nat_header_type since 1.4.12-rc5, so after upgrade header will not be injected unless you rename it in configuration file.

Q5: I don't have idents in my logs or headers, why?
It simple -- ident is used in REMOTE IDENT mode, which is currently not available.

Q6: I don't see X-NAT-Received header in mails, why?
Please remember, that mail sent with TLS is not scanned. Also, check nat_header_type directive in your config file, and nat_header (see MANGLING above).

Q7: When X-Virus-Scan and/or X-Spam-Status headers will be supported?
The answer is: never. Reason is simple -- proxy is passing-thru email headers and body. Because headers are sent first, we can't predict spam-score or virus presence. The main assumption for this project was not to buffer mail before forwarding, so this option won't appear.

Q8: I have many locks left, even if they should be gone long time ago!
Please see note for the LOCKING.

Q9: Host gets locked, lock file appears, but he can still send e-mails!
Please *do not* run proxy as root, and set set_user properly. If you do, remove all locks manually.

Q10: action_script does not work!
Please read about ACTION SCRIPT. Script will not be called once the lock exists. If you were testing "by hand" by writing some text to some log file, make sure the script has permissions to write to it too, i.e. by temporarily doing chmod a+rw on that log file. You should also check if disabling limit_* variables will do the trick, and if the answer is yes, try to set them high enough for script needs.

Q11: spamassassin gets timeout
Please check if "spamd -L" resolves this issue.

Q12: clamd fails with: SCAN:FAILED [...] result=lstat() failed.
Antispam and antivirus scanners need to have access to spool files (spool_path, spool_perm). If you want to seal your setup, you can add clamav user smtpgw group, and deny other to access the spool directory.

Q13: action script does not seem to work well when executed by smtp-gated, possibly failing with ENFILE or ENOMEM
Read notes about resource control and action scripts.

CHANGES

1.4.16-rc2: spf:

changed: source -> incoming
added: fixed

1.4.16-rc1:

added options:
dnsbl
spf
spf_log_only
regex_*
renamed options:
source_addr -> outgoing_addr
changed options:
nat_header_type
auth_require
auth_skip: "regex", "dnsbl" added
lock_on: "regex", "dnsbl" added

1.4.14-rc2: renamed options:

dumpfile -> statefile
dumpfile_perm -> statefile_perm

1.4.14-rc1: Changed many configuration options. Please review your previous configuration using:

smtp-gated -t /path/to/smtp-gated.conf

REPORTING BUGS

If you are willing to sent me a bug report, please check manuals first to ensure you have configured properly. In report, please include:

  1. output of "smtp-gated -V"
  2. config file (as attachment if big)
  3. full logs related to e-mails sent, with "log_level debug"
  4. optional mail header (as sent from proxy).

    If you get 'unknown option' or 'invalid value' errors, you can list all supported options with supported values by running:
smtp-gated -T

EXPLANATION

INT
Signed integer
UINT
Unsigned number; can be specified as decimal, octal (beginning with 0), or hexadecimal (beginning with 0x or 0X)
BOOL
Boolean (0, 1)
FLOAT
Floating-point number
IP
Valid IP address
PORT
Valid IP port
STRING
Arbitrary text string
PATH
Valid directory name
FILE
Valid file name
SOCKET
UNIX socket or TCP socket. UNIX socket must begin with backslash ("/"), otherwise path is considered TCP socket and must be submitted in following form: ip:port (i.e. 127.0.0.1:1097)
[ONE]
Only one value allowed.
[MULTI]
Multiple values allowed, comma separated (do NOT insert any white space before comma).
[RESTART]
This option needs full restart to take effect.
[REMOTE]
This option affects REMOTE IDENT MODE only.

SEE ALSO

smtp-gated(8)

HOMEPAGE

http://smtp-proxy.klolik.org

AUTHOR

Bartlomiej Korupczynski