pop3-proxy — format of pop3-proxy component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the pop3-proxy component configuration.
Repeatable sections/items are marked by the '*' before the section/item name.
Configuration directives have attributes of several value types. For a description of the basic types, see configuration(7).
An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case the enumeration description gives the value for every name (in parentheses next to the name). For the other enumerations, names must be used.
The following enumerations are used in pop3-proxy configuration directives:
enabling (see common(5))
yes-no (see common(5))
nls (see common(5))
direction (see common(5))
ip-version (see common(5))
osi4-proto (see common(5))
time-cond (see common(5))
zip-mode (see common(5))
obligation (see common(5))
range-op (see common(5))
dbglev (see log(5))
logfail-mode (see log(5))
week-day (see time(5))
month (see time(5))
lock-type (see ipc(5))
auth-method (see auth(5))
virus-status (see antivirus(5))
source-address-mode (see source-address(5))
transparency (see acl(5))
user-auth-spec (see acl(5))
doctype-ident-method (see acl(5))
header-op (see acl(5))
listen-on-sock (see listen-on(5))
mime-header-check-type (see mod-mail-doc(5))
pop3-cmd (name-usage obligatory)
POP3 commands:
UNKNOWN (command unknown to the proxy), APOP, AUTH, CAPA, DELE, LIST, NOOP, PASS, QUIT, RETR, RSET, STAT, STLS, TOP, UIDL, USER
pop3-capa (name-usage obligatory)
POP3 capabilities:
UNKNOWN (capability unknown to the proxy), EXPIRE, IMPLEMENTATION, LOGIN-DELAY, PIPELINING, RESP-CODES, SASL, STLS, TOP, UIDL, USER
The configuration of the pop3-proxy library component consists of the following prototypes:
* pop3-proxy name { ... }
pop3-proxy name
{
phase ... ;
* tag ... ;
log-debug { ... }
log-stats { ... }
use-resolver ... ;
cfg-resolution ... ;
monitoring { ... }
stats-daily { ... }
stats-weekly { ... }
stats-monthly { ... }
nodaemon ... ;
singleproc ... ;
app-user ... ;
idle-timeout ... ;
run-block-sigalrm ... ;
listen-on { ... }
tcpserver { ... }
source-address ... ;
doctype-identification { ... }
client-conn { ... }
server-conn { ... }
ssl-session-cache { ... }
mail-pool ... ;
* session-acl name { ... }
* command-acl name { ... }
* mail-acl name { ... }
* doc-acl name { ... }
}
POP3 proxy configuration.
The pop3-proxy section is derived from the proxy section prototype. For a detailed description of it, see application(5).
Restrictions in the pop3-proxy section:
Section udpserver is not valid.
MAIL-POOL must be specified.
At least one SESSION-ACL must be specified (the proxy must be named in some SYSTEM.ACL.SERVICES).
At least one COMMAND-ACL must be specified.
monitoring (see monitoring(5)):
Item aproxy-user is not valid.
Item data is used as uri.
listen-on.non-transparent (see listen-on(5)):
Element port is optional, default: 110.
Element proto is optional, default: tcp.
listen-on.transparent (see listen-on(5)):
Element port is optional, default: 110.
Element proto is optional, default: tcp.
doctype-identification.order (see acl(5)):
Only the DOWNLOAD direction can be used.
client-conn
{
recv-bufsize ... ;
close-timeout ... ;
send-bufsize ... ;
log-limit ... ;
}
Options for the connection to the client.
The client-conn section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).
Restrictions in the client-conn section:
Item conn-timeout is not valid.
Item recv-timeout is not valid.
Item send-timeout is not valid.
server-conn
{
conn-timeout ... ;
recv-bufsize ... ;
close-timeout ... ;
send-bufsize ... ;
log-limit ... ;
}
Options for the connection to the server.
The server-conn section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).
Restrictions in the server-conn section:
Item recv-timeout is not valid.
Item send-timeout is not valid.
ssl-session-cache
{
capacity ... ;
dir ... ;
lock ... ;
}
The ssl-session-cache section is derived from the ssl-session-cache section prototype. For a detailed description of it, see ssl(5).
mail-pool name;
Mail pool directory.
name (type: str)
session-acl name
{
* from ... ;
* to ... ;
* time ... ;
time-period-set { ... }
deny ... ;
accept ... ;
* doctype-ident-order ... ;
rule ... ;
auth ... ;
idle-timeout ... ;
source-address ... ;
plug-to ... ;
client-ssl ... ;
* client-cert-match ... ;
language ... ;
}
The first-level ACL decides how to handle incoming connections.
The session-acl section is derived from the acl-1 section prototype. For a detailed description of it, see acl(5).
Restrictions in the session-acl section:
Item user is not valid.
Item idle-timeout-peer is not valid.
SSL/TLS (CLIENT-SSL) must be enabled in order to match client certificates.
IDLE-TIMEOUT has no effect without SSL/TLS.
doctype-ident-order (see acl(5)): Only the DOWNLOAD direction can be used.
auth (see auth(5)): Element mode is optional, default: allowed. Only out-of-band authentication is supported in this proxy.
client-ssl params;
Use SSL/TLS on the connection from a client.
params (type: name of ssl-params, see ssl(5))
client-cert-match [subject subject] [issuer issuer];
Requirements for the client certificate.
subject (type: str-set, optional, default: *): acceptable certificate subjects
issuer (type: str-set, optional, default: *): acceptable certificate issuers
language [code];
Language and charset of responses generated by Kernun.
If omitted in SESSION-ACL, English is used. If omitted in higher-layer ACLs, the setting from the lower layer is used.
code (type: nls, optional, default: EN)
[End of section pop3-proxy.session-acl description.]
command-acl
name
{
* from ... ;
* server ... ;
* user ... ;
* time ... ;
time-period-set { ... }
* session-acl ... ;
deny ... ;
accept ... ;
* doctype-ident-order ... ;
rule ... ;
source-address ... ;
plug-to ... ;
* client-cert-match ... ;
server-ssl ... ;
* server-cert-match ... ;
language ... ;
max-bytes-in ... ;
max-bytes-out ... ;
max-mail-in ... ;
max-time ... ;
idle-timeout ... ;
commands ... ;
capabilities ... ;
cmd-line-len ... ;
resp-line-len ... ;
mail-filter ... ;
use-antispam ... ;
use-antivirus ... ;
no-mail-scanning ... ;
client-altq ... ;
server-altq ... ;
}
The second-level ACL sets parameters of the connection to the server and decides how individual commands are handled.
The command-acl section is derived from the acl-2 section prototype. For a detailed description of it, see acl(5).
Restrictions in the command-acl section:
Item parent-acl is used as session-acl.
SSL/TLS (SERVER-SSL) must be enabled in order to match server certificates.
MAIL-FILTER, USE-ANTISPAM and USE-ANTIVIRUS cannot be used together with NO-MAIL-SCANNING.
doctype-ident-order (see acl(5)): Only the DOWNLOAD direction can be used.
source-address [client] [addr4 addr4] [addr6 addr6] cluster [cluster];
source-address [client] [addr4 addr4] [addr6 addr6] [physical];
source-address [client] [addr4 addr4] [addr6 addr6] no-fallback;
Source address for outgoing connections to servers.
If omitted, the proper address of the proxy is used, i.e. in the case of a cluster, the cluster address.
If no port is specified by the SOURCE-PORT item, a generic port is used.
The elements given in this item are tried by the proxy in order until the first applicable one is found:
- The CLIENT keyword means the original client IP address is used. This succeeds in all cases except a mismatch of IP address families.
- The ADDR4/ADDR6 keyword-value pairs mean that the specified address is used for a connection of the corresponding address family.
- The CLUSTER keyword means that one of the cluster addresses is used. By default, the main address of the bridge is used; any preferred alias address can be listed in the cluster list.
- The PHYSICAL option means that the address of the physical interface is used instead of the cluster one.
- The DEFAULT option means the default behavior, i.e. using the physical address.
- The NO-FALLBACK option means that if no other way of setting the address is acceptable, the session is rejected. Without this option, the system tries to find a suitable source IP address automatically.
client (type: key, optional)
addr4 (type: host, optional, default: [0.0.0.0])
addr6 (type: host, optional, default: [::])
cluster | physical | no-fallback (type: source-address-mode, optional, default: physical)
cluster (type: host-list, optional, default: {}): the address family of each listed address must match the element's address family.
plug-to addr;
Final destination server.
addr (type: sock): address/port of the final destination server. If the port is zero, the original port is used.
client-cert-match [subject subject] [issuer issuer];
Entry condition - select an ACL according to the client certificate.
subject (type: str-set, optional, default: *): acceptable certificate subjects
issuer (type: str-set, optional, default: *): acceptable certificate issuers
server-ssl params;
Use SSL/TLS on the connection to a server.
params (type: name of ssl-params, see ssl(5))
server-cert-match [subject subject] [issuer issuer];
Requirements for the server certificate.
subject (type: str-set, optional, default: *): acceptable certificate subjects
issuer (type: str-set, optional, default: *): acceptable certificate issuers
language code;
Language and charset of responses generated by Kernun.
If omitted in SESSION-ACL, English is used. If omitted in higher-layer ACLs, the setting from the lower layer is used.
code (type: nls)
max-bytes-in bytes;
Maximum number of bytes from server to client in a session.
bytes (type: uint64)
max-bytes-out bytes;
Maximum number of bytes from client to server in a session.
bytes (type: uint64)
max-mail-in bytes;
Maximum size of any single mail transferred from the server to the client (in POP3, mail is only ever downloaded; see the DOWNLOAD-only restriction on doctype-ident-order above).
bytes (type: uint64)
max-time seconds;
Maximum time of a session.
seconds (type: uint32)
idle-timeout [seconds];
If no data is transmitted in this session for idle-timeout seconds, the connection is closed.
If omitted, the value of the proxy's session-acl.idle-timeout is used.
seconds (type: uint32, optional, default: 0)
commands [cmd];
Set of allowed POP3 commands.
cmd (type: pop3-cmd-set, optional, default: *)
capabilities [cap];
Set of allowed POP3 capabilities (the ones advertised to the client in the response to the CAPA command).
cap (type: pop3-capa-set, optional, default: *)
cmd-line-len [bytes];
Maximum length of a command line (including CRLF).
bytes (type: uint32, optional, default: 255)
resp-line-len [bytes];
Maximum length of a response line (including CRLF).
bytes (type: uint32, optional, default: 512)
mail-filter name;
Filter for mails.
name (type: name of mail-filter, see mod-mail-doc(5))
use-antispam disable;
use-antispam enable channel [limit];
Antispam usage.
This item defines the type of antispam daemon used and the mode of antispam checking.
(type: enabling)
channel (type: name of antispam, see mod-antispam(5)): name of the antispam global section used. The referred section defines how to communicate with the antispam daemon (see above).
limit (type: uint64, optional, default: 0): size limit (in bytes) for the antispam check.
Antispam checking is a very expensive operation, and typical spam mails are not very large (both to pass size-limit filters and to allow many copies to be sent), so it can be desirable to skip checking of very large mails.
This limit tells the antispam module not to check mails larger than the given limit and to report their spam score as zero. Note that such mails therefore bypass the antispam check entirely: the limit is also the size above which a sender avoids scoring.
Setting the limit to zero disables this feature and applies antispam to all mails. Be prepared for high machine load and noticeable delays in delivery if used so.
use-antivirus disable;
use-antivirus enable channel;
Antivirus usage mode.
If omitted or disabled, no antivirus is enabled. In that case no ANTIVIRUS global section may be present and no MAIL-ACL or DOC-ACL may specify the VIRUS-STATUS item.
(type: enabling)
channel (type: name-list of antivirus, see antivirus(5))
no-mail-scanning;
Pass mail to the client without checking.
client-altq altq [paltq paltq];
ALTQ queues for data sent to the client.
altq (type: name of pf-queue, see pf-queue(5)): queue name
paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL): priority queue name (if set, used for TCP ACKs without data)
server-altq altq [paltq paltq];
ALTQ queues for data sent to the server.
altq (type: name of pf-queue, see pf-queue(5)): queue name
paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL): priority queue name (if set, used for TCP ACKs without data)
[End of section pop3-proxy.command-acl description.]
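The commands, capabilities, cmd-line-len and resp-line-len items above are the per-connection filter a POP3 proxy applies to client command lines and to the server's CAPA answer. The following Python model is added here as an illustration; it is not Kernun's code. It uses the defaults and the pop3-cmd/pop3-capa enumerations from this page, while the names CommandAcl, check_command and filter_capa_response, the sample policy EXAMPLE_ACL and the constructed server reply SAMPLE_CAPA are assumptions made for the example.

```python
"""Model of the command-acl checks a POP3 proxy applies to one client connection.

Constructed example for this man page, not Kernun code. Defaults (cmd-line-len 255,
resp-line-len 512, '*' for commands/capabilities) and the enumerations come from the
page; the policy in EXAMPLE_ACL and the CAPA reply in SAMPLE_CAPA are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# pop3-cmd and pop3-capa enumerations; anything else maps to UNKNOWN.
POP3_CMDS = frozenset({"APOP", "AUTH", "CAPA", "DELE", "LIST", "NOOP", "PASS", "QUIT",
                       "RETR", "RSET", "STAT", "STLS", "TOP", "UIDL", "USER"})
POP3_CAPAS = frozenset({"EXPIRE", "IMPLEMENTATION", "LOGIN-DELAY", "PIPELINING",
                        "RESP-CODES", "SASL", "STLS", "TOP", "UIDL", "USER"})


@dataclass(frozen=True)
class CommandAcl:
    """Subset of command-acl; None stands for the '*' default (everything allowed)."""
    commands: Optional[frozenset] = None
    capabilities: Optional[frozenset] = None
    cmd_line_len: int = 255    # includes the CRLF, as on the page
    resp_line_len: int = 512   # includes the CRLF


def classify(word: bytes, enum: frozenset) -> str:
    """Map a protocol word to its enumeration name, UNKNOWN if not recognised."""
    name = word.upper().decode("ascii", "replace")
    return name if name in enum else "UNKNOWN"


def check_command(acl: CommandAcl, line: bytes) -> tuple[bool, str]:
    """Decide whether a raw client command line may be forwarded to the server.

    Returns (allowed, reason): the enumeration name when allowed, otherwise the
    -ERR text the proxy would answer with instead of forwarding the line.
    """
    if len(line) > acl.cmd_line_len:
        return False, "-ERR command line too long"
    if not line.endswith(b"\r\n"):
        return False, "-ERR command line not CRLF-terminated"
    cmd = classify(line[:-2].split(b" ", 1)[0], POP3_CMDS)
    if acl.commands is not None and cmd not in acl.commands:
        return False, f"-ERR command {cmd} not permitted"
    return True, cmd


def filter_capa_response(acl: CommandAcl, response: bytes) -> tuple[bytes, list[str]]:
    """Rewrite the server's multi-line CAPA response so the client only sees the
    allowed capabilities. Returns (rewritten response, dropped capability names).
    A -ERR reply is single-line and is passed through untouched.
    """
    lines = response.split(b"\r\n")
    status = lines[0]
    if not status.startswith(b"+OK"):
        return response, []
    # A complete multi-line response ends with ".\r\n", so the split leaves a
    # trailing empty element preceded by the "." terminator.
    if len(lines) < 3 or lines[-1] != b"" or lines[-2] != b".":
        raise ValueError("unterminated CAPA response")
    kept, dropped = [status], []
    for cap_line in lines[1:-2]:
        if len(cap_line) + 2 > acl.resp_line_len:
            raise ValueError("response line too long")
        name = classify(cap_line.split(b" ", 1)[0], POP3_CAPAS)
        if acl.capabilities is None or name in acl.capabilities:
            kept.append(cap_line)
        else:
            dropped.append(name)
    return b"\r\n".join(kept + [b".", b""]), dropped


# Assumed policy: only USER/PASS login (ideally after STLS) is offered, so AUTH and
# APOP are refused and the CAPA answer must not advertise mechanisms the client
# cannot use anyway; UNKNOWN commands are refused because they are not in the set.
EXAMPLE_ACL = CommandAcl(
    commands=frozenset({"CAPA", "STLS", "USER", "PASS", "STAT", "LIST", "UIDL",
                        "TOP", "RETR", "DELE", "NOOP", "RSET", "QUIT"}),
    capabilities=frozenset({"STLS", "USER", "TOP", "UIDL", "PIPELINING", "RESP-CODES"}),
)

# Constructed server CAPA reply (not captured from any real server).
SAMPLE_CAPA = (b"+OK Capability list follows\r\nTOP\r\nUSER\r\nSASL PLAIN LOGIN\r\n"
               b"RESP-CODES\r\nUIDL\r\nIMPLEMENTATION Example-POP3 1.0\r\nSTLS\r\n.\r\n")

if __name__ == "__main__":
    for raw in (b"CAPA\r\n", b"USER alice\r\n", b"AUTH PLAIN\r\n", b"XTND weird\r\n",
                b"RETR " + b"9" * 250 + b"\r\n"):
        print(raw[:16], check_command(EXAMPLE_ACL, raw))
    rewritten, dropped = filter_capa_response(EXAMPLE_ACL, SAMPLE_CAPA)
    print(rewritten.decode(), "dropped:", dropped)
```

With the default CommandAcl() both functions pass everything through, which is what the '*' defaults on the page mean: an UNKNOWN command is only refused once a commands set is given that omits it, and the line-length limits count the CRLF, so a 257-byte RETR line is over the default 255.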
mail-acl
name
{
* from ... ;
* time ... ;
time-period-set { ... }
* command-acl ... ;
deny ... ;
accept ... ;
rule ... ;
* content-type ... ;
virus-status ... ;
* modify-header ... ;
replace ... ;
* spam-score ... ;
* header ... ;
prefix-subject ... ;
}
The first ACL on the third level decides how to handle the whole mail.
The mail-acl section is derived from the mail-acl section prototype. For a detailed description of it, see mod-mail-doc(5).
Restrictions in the mail-acl section:
Item parent-acl is used as command-acl.
Items direction, size, sender, recipient, recipients and from-quarantine are not valid.
doc-acl
name
{
* from ... ;
* time ... ;
time-period-set { ... }
* command-acl ... ;
deny ... ;
accept ... ;
rule ... ;
* size ... ;
* content-type ... ;
* mime-type ... ;
virus-status ... ;
* modify-header ... ;
force-doctype-ident ... ;
replace ... ;
html-filter ... ;
* spam-score ... ;
* header ... ;
* filename ... ;
add-virus-names ... ;
}
The doc-acl section is derived from the mail-doc-acl section prototype. For a detailed description of it, see mod-mail-doc(5).
Restrictions in the doc-acl section:
Item parent-acl is used as command-acl.
Items direction, sender, recipient and from-quarantine are not valid.
[End of section pop3-proxy description.]