mod-mail-doc — format of mod-mail-doc component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the mod-mail-doc component configuration.
Repeatable sections/items are marked by
the '*' before section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.
The following enumerations are used in mod-mail-doc configuration directives:
direction (see common(5))range-op (see common(5))week-day (see time(5))month (see time(5))virus-status (see mod-antivirus(5))transparency (see acl(5))user-auth-spec (see acl(5))doctype-ident-method (see acl(5))header-op (see acl(5))mail-hdr (name-usage obligatory)STMP/MIME Headers
Unknown, Date, From, Sender, Reply-To, To, Cc, Bcc, Message-ID, In-Reply-To, References, Subject, Comments, Keywords, Resent-Date, Resent-From, Resent-Sender, Resent-Reply-To, Resent-To, Resent-Cc, Resent-Bcc, Resent-Message-ID, Return-Path, Received, MIME-Version, Content-Type, Content-Transfer-Encoding, Content-ID, Content-Description, Content-Disposition, X-Kernun-Loop-Info, X-Kernun-Spam-Score, X-Kernun-Virus-Status, X-Kernun-Virus-Name, X-Kernun-Quarantine-Tag, X-Orig-Content-Type, X-Orig-Content-Disposition
content-transfer-encoding (name-usage obligatory)MIME Content-Transfer-Encoding types.
eight-bit, quoted-printable, base64
smtp-error (name-usage obligatory)Types of SMTP command errors.
cmd-missingSMTP command missing.
arg-invalidSMTP cmd argument has invalid syntax.
too-longSMTP cmd argument exceeds RFC size limitation.
no-domainSMTP cmd argument has no domain part.
non-fqdnSMTP cmd argument has not fully qualified domain name.
unknown-permSMTP cmd argument DNS resolution failed permanently.
unknown-tempSMTP cmd argument DNS resolution failed temporarily.
Configuration of mod-mail-doc library component consists of following prototypes:
* smtp-adr-check ... ;
* mail-filter name { ... }
* mail-acl name { ... }
* mail-doc-acl name { ... }
smtp-adr-check [addrs];This item defines SMTP addresses matching conditions.
addrs (type: str-set, optional, default: *)Set of addresses matching this configuration item.
The matching rules are slightly modified for the purpose of email addresses matching:
Regular expressions are matched as usual.
Addresses defined by string ended with the '@' character match given local-part in any domain.
Addresses defined by string beginning by the '@' character match any address within given domain.
Other addresses containing the '@' character match exactly given address.
Addresses defined by string containing no '@' character match any address within given domain and any its subdomain.
mail-filter name {
stamp-limit ... ;
stamp-filter ... ;
correct-8bit-body ... ;
accept-8bit-header ... ;
correct-bad-char ... ;
correct-quoting ... ;
correct-boundary ... ;
keep-bad-header-params ... ;
keep-signed-wrapping ... ;
treat-binary-as-8bit ... ;
treat-rfc822-as-text ... ;
}
This section defines SMTP/MIME document handling attributes.
stamp-limit [number [text]];Maximum number of Received-headers in mail.
This check prevents from mail loops of three categories:
loops caused by wrong forwarding policy of a user
loops caused by DNS resolution errors or attack
loops caused by proxy of forwarder misconfiguration.
number (type: uint16, optional, default: 30)text (type: str, optional, default: <NULL>)If omitted, default text is used.
stamp-filter;SMTP stamp headers removal.
Enabling this feature causes removing 'Received:' headers (containing local-dependent information) from mails. Number of removed lines is counted and added to mail as a special header X-Kernun-Loop-Info.
correct-8bit-body;8bit mails correction.
Some MUAs ignore RFC and use non-US-ASCII characters in mail bodies or MIME documents without declaring them (in MAIL commands, MIME headers) to be 8bit ones. This item allows proxy to accept such mails and correct them before forwarding.
accept-8bit-header;8bit headers acceptation.
Some MUAs ignore RFC and use non-US-ASCII characters in mail or MIME documents headers. This item allows proxy to accept such mails.
WARNING! The proxy cannot CORRECT such a header (because the charset is not known) and must pass it without change. Use this configuration directive only for INCOMMING traffic and only if you are ABSOLUTELY sure that your forwarders and mailservers can accept such headers.
correct-bad-char;Bare CR and NUL correction.
Some MUAs ignore RFC and use NUL char (0x00) and bare CR (not followed by LF) in mail bodies or MIME documents. This item allows proxy to accept such mails and correct (encode) them before forwarding.
correct-quoting;Invalid quoting correction.
Some MUAs ignore RFC and use some characters in SMTP and MIME headers without quoting. This item allows proxy to accept such mails and correct invalid header arguments (quote values) before forwarding.
correct-boundary [len];Invalid boundary correction.
Some MUAs ignore RFC and use incorrect characters in MIME multipart boundaries. This item allows proxy to accept such mails and correct invalid boundaries (choose correct randomly generated ones) before forwarding.
len (type: uint8, optional, default: 40)Length of generated boundary string.
Value must be between 10 and 70.
New boundary length must be between 10 and 70.
keep-bad-header-params;Invalid header acceptation.
Some MUAs ignore RFC and use incorrect header parameter syntax. This item allows proxy to accept such mails and pass invalid headers to forwarders. By default, such headers are cleaned to be in conformance to the RFC while the original text is passed as another header with the X-Orig prefix.
WARNING! If you are not sure that your forwarders are able to accept such headers, do not use this item!
keep-signed-wrapping;Signed documents line wrapping.
Some MUAs ignore RFC and do not respect line length limits. In not-signed documents, the proxy corrects this and wraps too long lines. In signed documents, this corrections will corrupt integrity and signatures become not valid. This item allows proxy to pass invalid lines to forwarders.
In SMTP proxy, this directive controls wrapping of any mail line at length of 998 bytes. In all proxies, this directive controls only wrapping of any encoded line (base64 or quoted0printable at length of 76 bytes.
WARNING! If you are not sure that your forwarders are able to accept such headers, do not use this item!
treat-binary-as-8bit;Handle binary encoding as 8bit one.
Some MUAs ignore RFC and use BINARY Content-Transfer-Encoding in spite of that it makes no sense in current SMTP. This item allows proxy to accept such mails as if they were declared as 8BIT.
treat-rfc822-as-text;Handle included documents as text.
If a mailserver reports mail delivery failure it can include original mail into the report. If such a mail is incorrect the proxy will reject whole mail. This item tells proxy to read included documents as plain text and thus to avoid rejection risc.
[End of section mail-filter description.]
mail-acl name {
* from ... ;
* time ... ;
time-period-set { ... }
* parent-acl ... ;
deny ... ;
accept ... ;
direction ... ;
* size ... ;
* content-type ... ;
virus-status ... ;
* modify-header ... ;
replace ... ;
* sender ... ;
* recipient ... ;
* spam-score ... ;
* header ... ;
from-quarantine ... ;
prefix-subject ... ;
}
The first ACL on the third level decides how to treat the whole mail after finishing all checks.
mail-acl section is derived from
acl-3 section prototype.
For detail description of it, see acl(5).
mail-acl section:Item server is not valid.
Item user is not valid.
Item mime-type is not valid.
Item force-doctype-ident is not valid.
Item html-filter is not valid.
sender [addrs];Entry condition (SMTP only) - MAIL FROM address.
addrs (type: str-set, optional, default: *)Set of addresses matching this configuration item.
The matching rules are slightly modified for the purpose of email addresses matching:
Regular expressions are matched as usual.
Addresses defined by string ended with the '@' character match given local-part in any domain.
Addresses defined by string beginning by the '@' character match any address within given domain.
Other addresses containing the '@' character match exactly given address.
Addresses defined by string containing no '@' character match any address within given domain and any its subdomain.
recipient [addrs];Entry condition (SMTP only) - RCPT TO address.
addrs (type: str-set, optional, default: *)Set of addresses matching this configuration item.
The matching rules are slightly modified for the purpose of email addresses matching:
Regular expressions are matched as usual.
Addresses defined by string ended with the '@' character match given local-part in any domain.
Addresses defined by string beginning by the '@' character match any address within given domain.
Other addresses containing the '@' character match exactly given address.
Addresses defined by string containing no '@' character match any address within given domain and any its subdomain.
spam-score unknown;spam-score lt limit;spam-score le limit;spam-score eq limit;spam-score ne limit;spam-score gt limit;spam-score ge limit;spam-score in lower upper;spam-score ni lower upper;Entry condition - antispam check score.
For score interpretation, see mod-antispam(5).
range-op)limit (type: uint64)Tested value limitation.
lower (type: uint64)Tested value lower bound.
upper (type: uint64)Tested value upper bound.
header name value;Entry condition (MIME only) - header content.
name (type: str)Header name
value (type: str-set)Matching values
from-quarantine [tags];Entry condition (SMTP only) - mail sent by admin from quarantine.
This item is valid in smtp-proxy only. If omitted, any mail can match this ACL.
tags (type: str-set, optional, default: *)Allowed X-Kernun-Quarantine-Tag header values
prefix-subject prefix;Change Subject: mail header.
prefix (type: str)String to be written before the original Subject.
Subject prefix must comply with RFC.
[End of section mail-acl description.]
mail-doc-acl name {
* from ... ;
* time ... ;
time-period-set { ... }
* parent-acl ... ;
deny ... ;
accept ... ;
direction ... ;
* size ... ;
* content-type ... ;
* mime-type ... ;
virus-status ... ;
* modify-header ... ;
force-doctype-ident ... ;
replace ... ;
html-filter ... ;
* sender ... ;
* recipient ... ;
* spam-score ... ;
from-quarantine ... ;
add-virus-names ... ;
}
The second ACL on the third level decides how to process particular document(s) contained in the mail.
mail-doc-acl section is derived from
acl-3 section prototype.
For detail description of it, see acl(5).
mail-doc-acl section:Item server is not valid.
Item user is not valid.
Item ADD-VIRUS-NAMES is not allowed if DENY is on.
sender [addrs];Entry condition (SMTP only) - MAIL FROM address.
addrs (type: str-set, optional, default: *)Set of addresses matching this configuration item.
The matching rules are slightly modified for the purpose of email addresses matching:
Regular expressions are matched as usual.
Addresses defined by string ended with the '@' character match given local-part in any domain.
Addresses defined by string beginning by the '@' character match any address within given domain.
Other addresses containing the '@' character match exactly given address.
Addresses defined by string containing no '@' character match any address within given domain and any its subdomain.
recipient [addrs];Entry condition (SMTP only) - RCPT TO address.
addrs (type: str-set, optional, default: *)Set of addresses matching this configuration item.
The matching rules are slightly modified for the purpose of email addresses matching:
Regular expressions are matched as usual.
Addresses defined by string ended with the '@' character match given local-part in any domain.
Addresses defined by string beginning by the '@' character match any address within given domain.
Other addresses containing the '@' character match exactly given address.
Addresses defined by string containing no '@' character match any address within given domain and any its subdomain.
spam-score unknown;spam-score lt limit;spam-score le limit;spam-score eq limit;spam-score ne limit;spam-score gt limit;spam-score ge limit;spam-score in lower upper;spam-score ni lower upper;Entry condition - antispam check score.
For score interpretation, see mod-antispam(5).
range-op)limit (type: uint64)Tested value limitation.
lower (type: uint64)Tested value lower bound.
upper (type: uint64)Tested value upper bound.
from-quarantine [tags];Entry condition (SMTP only) - mail sent by admin from quarantine.
This item is valid in smtp-proxy only. If omitted, any mail can match this ACL.
tags (type: str-set, optional, default: *)Allowed X-Kernun-Quarantine-Tag header values
add-virus-names;Add X-Kernun-Virus-Name header for each virus found.
[End of section mail-doc-acl description.]