imap4-proxy — format of imap4-proxy component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the imap4-proxy component configuration.
Repeatable sections/items are marked by
the '*' before section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.
The following enumerations are used in imap4-proxy configuration directives:
enabling (see common(5))yes-no (see common(5))nls (see common(5))direction (see common(5))ip-version (see common(5))osi4-proto (see common(5))time-cond (see common(5))zip-mode (see common(5))obligation (see common(5))range-op (see common(5))dbglev (see log(5))logfail-mode (see log(5))week-day (see time(5))month (see time(5))lock-type (see ipc(5))auth-method (see auth(5))virus-status (see antivirus(5))source-address-mode (see source-address(5))transparency (see acl(5))user-auth-spec (see acl(5))doctype-ident-method (see acl(5))header-op (see acl(5))listen-on-sock (see listen-on(5))mime-header-check-type (see mod-mail-doc(5))imap4-cmd (name-usage obligatory)IMAP4 commands
UNKNOWNcommand unknown to the proxy
CAPABILITY, NOOP, LOGOUT, STARTTLS, AUTHENTICATE, LOGIN, SELECT, EXAMINE, CREATE, DELETE, RENAME, SUBSCRIBE, UNSUBSCRIBE, LIST, LSUB, STATUS, APPEND, CHECK, CLOSE, EXPUNGE, SEARCH, FETCH, STORE, COPY, UID-COPY, UID-FETCH, UID-STORE, UID-SEARCH, SETACL, DELETEACL, GETACL, LISTRIGHTS, MYRIGHTS, SETQUOTA, GETQUOTA, GETQUOTAROOT, IDLE, UID-EXPUNGE, ID, UNSELECT
imap4-capa (name-usage obligatory)IMAP4 capabilities
UNKNOWNcapability unknown to the proxy
IMAP4rev1, STARTTLS, LOGINDISABLED, AUTH-PLAIN, AUTH-GSSAPI, ACL, QUOTA, LITERALPLUS, IDLE, UIDPLUS, ID, MULTIAPPEND, BINARY, UNSELECT
Configuration of imap4-proxy library component consists of following prototypes:
* imap4-proxy name { ... }
imap4-proxy name {
phase ... ;
* tag ... ;
log-debug { ... }
log-stats { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
app-user ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
source-address ... ;
doctype-identification { ... }
client-conn { ... }
server-conn { ... }
ssl-session-cache { ... }
mail-pool ... ;
* session-acl name { ... }
* command-acl name { ... }
* mail-acl name { ... }
* doc-acl name { ... }
}
IMAP4 proxy configuration.
imap4-proxy section is derived from
proxy section prototype.
For detail description of it, see application(5).
imap4-proxy section:Section udpserver is not valid.
MAIL-POOL must be specified.
At least one SESSION-ACL must be specified (proxy must be named in some SYSTEM.ACL.SERVICES).
At least one COMMAND-ACL must be specified.
monitoring (see monitoring(5))Item aproxy-user is not valid.
Item data used as uri.
listen-on.non-transparent (see listen-on(5))Element port is optional, default: 143.
Element proto is optional, default: tcp.
listen-on.transparent (see listen-on(5))Element port is optional, default: 143.
Element proto is optional, default: tcp.
client-conn {
recv-bufsize ... ;
close-timeout ... ;
send-bufsize ... ;
log-limit ... ;
}
Connection to client options.
client-conn section is derived from
sock-opt section prototype.
For detail description of it, see netio(5).
client-conn section:Item conn-timeout is not valid.
Item recv-timeout is not valid.
Item send-timeout is not valid.
server-conn {
conn-timeout ... ;
recv-bufsize ... ;
close-timeout ... ;
send-bufsize ... ;
log-limit ... ;
}
Connection to server options.
server-conn section is derived from
sock-opt section prototype.
For detail description of it, see netio(5).
server-conn section:Item recv-timeout is not valid.
Item send-timeout is not valid.
ssl-session-cache {
capacity ... ;
dir ... ;
lock ... ;
}
ssl-session-cache section is derived from
ssl-session-cache section prototype.
For detail description of it, see ssl(5).
mail-pool name;Mail pool directory.
name (type: str)session-acl name {
* from ... ;
* to ... ;
* time ... ;
time-period-set { ... }
deny ... ;
accept ... ;
* doctype-ident-order ... ;
rule ... ;
auth ... ;
idle-timeout ... ;
source-address ... ;
plug-to ... ;
client-ssl ... ;
* client-cert-match ... ;
language ... ;
}
The first level ACL decides how to handle incoming connections.
session-acl section is derived from
acl-1 section prototype.
For detail description of it, see acl(5).
session-acl section:Item user is not valid.
Item idle-timeout-peer is not valid.
SSL/TLS required on in order to match client certificates.
IDLE-TIMEOUT has no use without SSL/TLS.
auth (see auth(5))Element mode is optional, default: allowed.
Only out-of-band authentication is supported in this proxy.
client-ssl params;Use SSL/TLS on the connection from a client.
params (type: name of ssl-params, see ssl(5))client-cert-match [subject subject] [issuer issuer];Requirements for client certificate.
subject subject (type: str-set, optional, default: *)acceptable certificate subjects
issuer issuer (type: str-set, optional, default: *)acceptable certificate issuers
language [code];Language and charset of responses generated by Kernun.
If omitted in SESSION-ACL, English is used.If omitted in higer layer ACLs, settings from lower layer is used.
code (type: nls, optional, default: EN)[End of section imap4-proxy.session-acl description.]
command-acl name {
* from ... ;
* server ... ;
* user ... ;
* time ... ;
time-period-set { ... }
* session-acl ... ;
deny ... ;
accept ... ;
* doctype-ident-order ... ;
rule ... ;
source-address ... ;
plug-to ... ;
* client-cert-match ... ;
server-ssl ... ;
* server-cert-match ... ;
language ... ;
max-bytes-in ... ;
max-bytes-out ... ;
max-mail-in ... ;
max-mail-out ... ;
max-time ... ;
idle-timeout ... ;
commands ... ;
capabilities ... ;
upload { ... }
download { ... }
client-altq ... ;
server-altq ... ;
}
The second level ACL sets parameters of the connection to the server and decides about handling individual commands.
command-acl section is derived from
acl-2 section prototype.
For detail description of it, see acl(5).
command-acl section:Item parent-acl used as session-acl.
SSL/TLS required on in order to match server certificates.
source-address [client] [addr4 addr4] [addr6 addr6] cluster [cluster];source-address [client] [addr4 addr4] [addr6 addr6] [physical];source-address [client] [addr4 addr4] [addr6 addr6] no-fallback;Source address for outgoing connections to servers.
If omitted, the proper address of the proxy will be used, i.e. in the case of a cluster, the cluster address will be used.
If not specified by the SOURCE-PORT item, a generic port will be used.
The elements entered within this item will be used by the proxy until the first of them is applicable:
- The CLIENT keyword means the original client IP address is used. This mode will be succesful in all cases except mismatch of IP address families.
- The ADDR4/ADDR6 keyword-value pairs mean that the specified address is used for a connection of corresponding address family.
- The CLUSTER keyword means that one of cluster addresses will be used. By default, the main address of the bridge is used, however, any preferred alias address can be listed in the cluster list.- The PHYSICAL option means that the address of the physical interface is used instead of the cluster one.
- The DEFAULT option means the default behavior - i.e. using of the physical address.
- The NO-FALLBACK option means that if no other way of setting the address is acceptable, the session is rejected. Without this option, the system tries to find a suitable source IP address automatically.
client (type: key, optional)addr4 addr4 (type: host, optional, default: [0.0.0.0])addr6 addr6 (type: host, optional, default: [::])source-address-mode, optional, default: physical)cluster (type: host-list, optional, default: {})Address family must respect the element's address family..
plug-to addr;Final destination server.
addr (type: sock)Address/port of final destination server.
If port is zero, then original port is used.
client-cert-match [subject subject] [issuer issuer];Select an ACL according to a client certificate.
subject subject (type: str-set, optional, default: *)acceptable certificate subjects
issuer issuer (type: str-set, optional, default: *)acceptable certificate issuers
server-ssl params;Use SSL/TLS on the connection to a server.
params (type: name of ssl-params, see ssl(5))server-cert-match [subject subject] [issuer issuer];Requirements for server certificate.
subject subject (type: str-set, optional, default: *)acceptable certificate subjects
issuer issuer (type: str-set, optional, default: *)acceptable certificate issuers
language code;Language and charset of responses generated by Kernun.
If omitted in SESSION-ACL, English is used.If omitted in higer layer ACLs, settings from lower layer is used.
code (type: nls)max-bytes-in bytes;Maximum number of bytes from server to client in a session.
bytes (type: uint64)max-bytes-out bytes;Maximum number of bytes from client to server in a session.
bytes (type: uint64)max-mail-in bytes;Maximum size of any single mail transferred from client to server.
bytes (type: uint64)max-mail-out bytes;Maximum size of any single mail transferred from server to client.
bytes (type: uint64)max-time seconds;Maximum time of session
seconds (type: uint32)idle-timeout [seconds];If no data transmitted for this session in the period of idle-timeout seconds, connection is closed.
If omitted, value of proxy session-acl.idle-timeout is used.
seconds (type: uint32, optional, default: 0)commands [cmd];Set of allowed IMAP4 commands.
cmd (type: imap4-cmd-set, optional, default: *)capabilities [cap];Set of allowed IMAP4 capabilities (sent in response to command.
cap (type: imap4-capa-set, optional, default: *)upload {
mail-filter ... ;
use-antispam ... ;
use-antivirus ... ;
no-mail-scanning ... ;
}
Settings for uploading mail from client to server.
MAIL-FILTER, USE-ANTISPAM, and USE-ANTIVIRUS cannot be used together with NO-MAIL-SCANNING.
mail-filter name;Filter for mails
name (type: name of mail-filter, see mod-mail-doc(5))use-antispam disable;use-antispam enable channel [limit];Antispam usage.
This section defines type of antispam daemon used and mode of antispam checking operation.
enabling)channel (type: name of antispam, see mod-antispam(5))Name of antispam global section used.
Referred section defines the way how to communicate with the antispam daemon (see above).
limit (type: uint64, optional, default: 0)Size limit (in bytes) for antispam check.
Antispam checking used to be very exhausting operation, and typical spam mails used to be not very large (both for passing by size limit filters and for being able to send a lot of copies). That's why it can be desired to avoid checking of very large mails.
Setting of this limit says antispam module not to check mails larger than given limit and declare their spam score to zero.
Setting this limit to zero disables this feature and enables using of antispam to all mails. Be prepared for high machine load and noticeable delay in delivery if used so.
use-antivirus disable;use-antivirus enable channel;Antivirus usage mode.
If omitted, or disabled, no antivirus is enabled. In this case, neither any ANTIVIRUS global section can be present nor any MAIL-ACL and DOC-ACL can have VIRUS item specified.
enabling)channel (type: name-list of antivirus, see antivirus(5))no-mail-scanning;Pass mail to the client without checking.
[End of section imap4-proxy.command-acl.upload description.]
download {
mail-filter ... ;
use-antispam ... ;
use-antivirus ... ;
no-mail-scanning ... ;
}
Settings for downloading mail from server to client.
MAIL-FILTER, USE-ANTISPAM, and USE-ANTIVIRUS cannot be used together with NO-MAIL-SCANNING.
mail-filter name;Filter for mails
name (type: name of mail-filter, see mod-mail-doc(5))use-antispam disable;use-antispam enable channel [limit];Antispam usage.
This section defines type of antispam daemon used and mode of antispam checking operation.
enabling)channel (type: name of antispam, see mod-antispam(5))Name of antispam global section used.
Referred section defines the way how to communicate with the antispam daemon (see above).
limit (type: uint64, optional, default: 0)Size limit (in bytes) for antispam check.
Antispam checking used to be very exhausting operation, and typical spam mails used to be not very large (both for passing by size limit filters and for being able to send a lot of copies). That's why it can be desired to avoid checking of very large mails.
Setting of this limit says antispam module not to check mails larger than given limit and declare their spam score to zero.
Setting this limit to zero disables this feature and enables using of antispam to all mails. Be prepared for high machine load and noticeable delay in delivery if used so.
use-antivirus disable;use-antivirus enable channel;Antivirus usage mode.
If omitted, or disabled, no antivirus is enabled. In this case, neither any ANTIVIRUS global section can be present nor any MAIL-ACL and DOC-ACL can have VIRUS item specified.
enabling)channel (type: name-list of antivirus, see antivirus(5))no-mail-scanning;Pass mail to the client without checking.
[End of section imap4-proxy.command-acl.download description.]
client-altq altq [paltq paltq];ALTQ queues for data sent to client.
altq (type: name of pf-queue, see pf-queue(5))queue name
paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL)priority queue name (if set, used for TCP ACK without data)
server-altq altq [paltq paltq];ALTQ queues for data sent to server.
altq (type: name of pf-queue, see pf-queue(5))queue name
paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL)priority queue name (if set, used for TCP ACK without data)
[End of section imap4-proxy.command-acl description.]
mail-acl name {
* from ... ;
* time ... ;
time-period-set { ... }
* command-acl ... ;
deny ... ;
accept ... ;
rule ... ;
direction ... ;
* content-type ... ;
virus-status ... ;
* modify-header ... ;
replace ... ;
* spam-score ... ;
* header ... ;
prefix-subject ... ;
}
The first ACL on the third level decides how to handle the whole mail.
mail-acl section is derived from
mail-acl section prototype.
For detail description of it, see mod-mail-doc(5).
mail-acl section:Item parent-acl used as command-acl.
Item size is not valid.
Item sender is not valid.
Item recipient is not valid.
Item recipients is not valid.
Item from-quarantine is not valid.
doc-acl name {
* from ... ;
* time ... ;
time-period-set { ... }
* command-acl ... ;
deny ... ;
accept ... ;
rule ... ;
direction ... ;
* size ... ;
* content-type ... ;
* mime-type ... ;
virus-status ... ;
* modify-header ... ;
force-doctype-ident ... ;
replace ... ;
html-filter ... ;
* spam-score ... ;
* header ... ;
* filename ... ;
add-virus-names ... ;
}
doc-acl section is derived from
mail-doc-acl section prototype.
For detail description of it, see mod-mail-doc(5).
doc-acl section:Item parent-acl used as command-acl.
Item sender is not valid.
Item recipient is not valid.
Item from-quarantine is not valid.
[End of section imap4-proxy description.]