Name

pop3-proxy — format of pop3-proxy component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the pop3-proxy component configuration.

Repeatable sections/items are marked by the '*' before section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.

The following enumerations are used in pop3-proxy configuration directives:

enabling (see common(5))

yes-no (see common(5))

nls (see common(5))

direction (see common(5))

ip-version (see common(5))

osi4-proto (see common(5))

time-cond (see common(5))

zip-mode (see common(5))

obligation (see common(5))

range-op (see common(5))

dbglev (see log(5))

logfail-mode (see log(5))

week-day (see time(5))

month (see time(5))

lock-type (see ipc(5))

auth-method (see auth(5))

virus-status (see antivirus(5))

source-address-mode (see source-address(5))

transparency (see acl(5))

user-auth-spec (see acl(5))

doctype-ident-method (see acl(5))

header-op (see acl(5))

listen-on-sock (see listen-on(5))

mime-header-check-type (see mod-mail-doc(5))

pop3-cmd (name-usage obligatory)

POP3 commands

UNKNOWN

command unknown to the proxy

APOP, AUTH, CAPA, DELE, LIST, NOOP, PASS, QUIT, RETR, RSET, STAT, STLS, TOP, UIDL, USER

pop3-capa (name-usage obligatory)

POP3 capabilities

UNKNOWN

capability unknown to the proxy

EXPIRE, IMPLEMENTATION, LOGIN-DELAY, PIPELINING, RESP-CODES, SASL, STLS, TOP, UIDL, USER

ITEMS AND SECTIONS

Configuration of pop3-proxy library component consists of following prototypes:


* pop3-proxy name { ... }
    

Description:

pop3-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  source-address ... ;
  doctype-identification { ... }
  client-conn { ... }
  server-conn { ... }
  ssl-session-cache { ... }
  mail-pool ... ;
* session-acl name { ... }
* command-acl name { ... }
* mail-acl name { ... }
* doc-acl name { ... }
}

        

POP3 proxy configuration.

The pop3-proxy section is derived from proxy section prototype. For detail description of it, see application(5).

Changes to the pop3-proxy section:

Section udpserver is not valid.

MAIL-POOL must be specified.

At least one SESSION-ACL must be specified (proxy must be named in some SYSTEM.ACL.SERVICES).

At least one COMMAND-ACL must be specified.

Section monitoring (see monitoring(5))

Item aproxy-user is not valid.

Item data used as uri.

Item listen-on.non-transparent (see listen-on(5))

Element port is optional, default: 110.

Element proto is optional, default: tcp.

Item listen-on.transparent (see listen-on(5))

Element port is optional, default: 110.

Element proto is optional, default: tcp.

Item doctype-identification.order (see acl(5))

Only DOWNLOAD direction can be used.

Added items & subsections:

client-conn {


  recv-bufsize ... ;
  close-timeout ... ;
  send-bufsize ... ;
  log-limit ... ;
}

            

Connection to client options.

The client-conn section is derived from sock-opt section prototype. For detail description of it, see netio(5).

Changes to the client-conn section:

Item conn-timeout is not valid.

Item recv-timeout is not valid.

Item send-timeout is not valid.

server-conn {


  conn-timeout ... ;
  recv-bufsize ... ;
  close-timeout ... ;
  send-bufsize ... ;
  log-limit ... ;
}

            

Connection to server options.

The server-conn section is derived from sock-opt section prototype. For detail description of it, see netio(5).

Changes to the server-conn section:

Item recv-timeout is not valid.

Item send-timeout is not valid.

ssl-session-cache {


  capacity ... ;
  dir ... ;
  lock ... ;
}

            

The ssl-session-cache section is derived from ssl-session-cache section prototype. For detail description of it, see ssl(5).

mail-pool name;

Mail pool directory.

name (type: str)

session-acl name {


* from ... ;
* to ... ;
* time ... ;
  time-period-set { ... }
  deny ... ;
  accept ... ;
* doctype-ident-order ... ;
  rule ... ;
  auth ... ;
  idle-timeout ... ;
  source-address ... ;
  plug-to ... ;
  client-ssl ... ;
* client-cert-match ... ;
  language ... ;
}

            

The first level ACL decides how to handle incoming connections.

The session-acl section is derived from acl-1 section prototype. For detail description of it, see acl(5).

Changes to the session-acl section:

Item user is not valid.

Item idle-timeout-peer is not valid.

SSL/TLS required on in order to match client certificates.

IDLE-TIMEOUT has no use without SSL/TLS.

Item doctype-ident-order (see acl(5))

Only DOWNLOAD direction can be used.

Item auth (see auth(5))

Element mode is optional, default: allowed.

Only out-of-band authentication is supported in this proxy.

Added items & subsections:

client-ssl params;

Use SSL/TLS on the connection from a client.

params (type: name of ssl-params, see ssl(5))

client-cert-match [subject subject] [issuer issuer];

Requirements for client certificate.

subject subject (type: str-set, optional, default: *)

acceptable certificate subjects

issuer issuer (type: str-set, optional, default: *)

acceptable certificate issuers

language [code];

Language and charset of responses generated by Kernun.

If omitted in SESSION-ACL, English is used.If omitted in higer layer ACLs, settings from lower layer is used.

code (type: nls, optional, default: EN)

[End of section pop3-proxy.session-acl description.]

command-acl name {


* from ... ;
* server ... ;
* user ... ;
* time ... ;
  time-period-set { ... }
* session-acl ... ;
  deny ... ;
  accept ... ;
* doctype-ident-order ... ;
  rule ... ;
  source-address ... ;
  plug-to ... ;
* client-cert-match ... ;
  server-ssl ... ;
* server-cert-match ... ;
  language ... ;
  max-bytes-in ... ;
  max-bytes-out ... ;
  max-mail-in ... ;
  max-time ... ;
  idle-timeout ... ;
  commands ... ;
  capabilities ... ;
  cmd-line-len ... ;
  resp-line-len ... ;
  mail-filter ... ;
  use-antispam ... ;
  use-antivirus ... ;
  no-mail-scanning ... ;
  client-altq ... ;
  server-altq ... ;
}

            

The second level ACL sets parameters of the connection to the server and decides about handling individual commands.

The command-acl section is derived from acl-2 section prototype. For detail description of it, see acl(5).

Changes to the command-acl section:

Item parent-acl used as session-acl.

SSL/TLS required on in order to match server certificates.

MAIL-FILTER, USE-ANTISPAM, and USE-ANTIVIRUS cannot be used together with NO-MAIL-SCANNING.

Item doctype-ident-order (see acl(5))

Only DOWNLOAD direction can be used.

Added items & subsections:

source-address [client] [addr4 addr4] [addr6 addr6] cluster [cluster];

source-address [client] [addr4 addr4] [addr6 addr6] [physical];

source-address [client] [addr4 addr4] [addr6 addr6] no-fallback;

Source address for outgoing connections to servers.

If omitted, the proper address of the proxy will be used, i.e. in the case of a cluster, the cluster address will be used.

If not specified by the SOURCE-PORT item, a generic port will be used.

The elements entered within this item will be used by the proxy until the first of them is applicable:

- The CLIENT keyword means the original client IP address is used. This mode will be succesful in all cases except mismatch of IP address families.

- The ADDR4/ADDR6 keyword-value pairs mean that the specified address is used for a connection of corresponding address family.

- The CLUSTER keyword means that one of cluster addresses will be used. By default, the main address of the bridge is used, however, any preferred alias address can be listed in the cluster list.- The PHYSICAL option means that the address of the physical interface is used instead of the cluster one.

- The DEFAULT option means the default behavior - i.e. using of the physical address.

- The NO-FALLBACK option means that if no other way of setting the address is acceptable, the session is rejected. Without this option, the system tries to find a suitable source IP address automatically.

client (type: key, optional)

addr4 addr4 (type: host, optional, default: [0.0.0.0])

addr6 addr6 (type: host, optional, default: [::])

<branching element> (type: source-address-mode, optional, default: physical)

cluster (type: host-list, optional, default: {})

Constraints:

Address family must respect the element's address family..

plug-to addr;

Final destination server.

addr (type: sock)

Address/port of final destination server.

If port is zero, then original port is used.

client-cert-match [subject subject] [issuer issuer];

Entry condition - select an ACL according to a client certificate.

subject subject (type: str-set, optional, default: *)

acceptable certificate subjects

issuer issuer (type: str-set, optional, default: *)

acceptable certificate issuers

server-ssl params;

Use SSL/TLS on the connection to a server.

params (type: name of ssl-params, see ssl(5))

server-cert-match [subject subject] [issuer issuer];

Requirements for server certificate.

subject subject (type: str-set, optional, default: *)

acceptable certificate subjects

issuer issuer (type: str-set, optional, default: *)

acceptable certificate issuers

language code;

Language and charset of responses generated by Kernun.

If omitted in SESSION-ACL, English is used.If omitted in higer layer ACLs, settings from lower layer is used.

code (type: nls)

max-bytes-in bytes;

Maximum number of bytes from server to client in a session.

bytes (type: uint64)

max-bytes-out bytes;

Maximum number of bytes from client to server in a session.

bytes (type: uint64)

max-mail-in bytes;

Maximum size of any single mail transferred from client to server.

bytes (type: uint64)

max-time seconds;

Maximum time of session

seconds (type: uint32)

idle-timeout [seconds];

If no data transmitted for this session in the period of idle-timeout seconds, connection is closed.

If omitted, value of proxy session-acl.idle-timeout is used.

seconds (type: uint32, optional, default: 0)

commands [cmd];

Set of allowed POP3 commands.

cmd (type: pop3-cmd-set, optional, default: *)

capabilities [cap];

Set of allowed POP3 capabilities (sent in response to command.

cap (type: pop3-capa-set, optional, default: *)

cmd-line-len [bytes];

Maximum length of a command line (including CRLF).

bytes (type: uint32, optional, default: 255)

resp-line-len [bytes];

Maximum length of a response line (including CRLF).

bytes (type: uint32, optional, default: 512)

mail-filter name;

Filter for mails

name (type: name of mail-filter, see mod-mail-doc(5))

use-antispam disable;

use-antispam enable channel [limit];

Antispam usage.

This section defines type of antispam daemon used and mode of antispam checking operation.

<branching element> (type: enabling)

channel (type: name of antispam, see mod-antispam(5))

Name of antispam global section used.

Referred section defines the way how to communicate with the antispam daemon (see above).

limit (type: uint64, optional, default: 0)

Size limit (in bytes) for antispam check.

Antispam checking used to be very exhausting operation, and typical spam mails used to be not very large (both for passing by size limit filters and for being able to send a lot of copies). That's why it can be desired to avoid checking of very large mails.

Setting of this limit says antispam module not to check mails larger than given limit and declare their spam score to zero.

Setting this limit to zero disables this feature and enables using of antispam to all mails. Be prepared for high machine load and noticeable delay in delivery if used so.

use-antivirus disable;

use-antivirus enable channel;

Antivirus usage mode.

If omitted, or disabled, no antivirus is enabled. In this case, neither any ANTIVIRUS global section can be present nor any MAIL-ACL and DOC-ACL can have VIRUS item specified.

<branching element> (type: enabling)

channel (type: name-list of antivirus, see antivirus(5))

no-mail-scanning;

Pass mail to the client without checking.

client-altq altq [paltq paltq];

ALTQ queues for data sent to client.

altq (type: name of pf-queue, see pf-queue(5))

queue name

paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL)

priority queue name (if set, used for TCP ACK without data)

server-altq altq [paltq paltq];

ALTQ queues for data sent to server.

altq (type: name of pf-queue, see pf-queue(5))

queue name

paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL)

priority queue name (if set, used for TCP ACK without data)

[End of section pop3-proxy.command-acl description.]

mail-acl name {


* from ... ;
* time ... ;
  time-period-set { ... }
* command-acl ... ;
  deny ... ;
  accept ... ;
  rule ... ;
* content-type ... ;
  virus-status ... ;
* modify-header ... ;
  replace ... ;
* spam-score ... ;
* header ... ;
  prefix-subject ... ;
}

            

The first ACL on the third level decides how to handle the whole mail.

The mail-acl section is derived from mail-acl section prototype. For detail description of it, see mod-mail-doc(5).

Changes to the mail-acl section:

Item parent-acl used as command-acl.

Item direction is not valid.

Item size is not valid.

Item sender is not valid.

Item recipient is not valid.

Item recipients is not valid.

Item from-quarantine is not valid.

doc-acl name {


* from ... ;
* time ... ;
  time-period-set { ... }
* command-acl ... ;
  deny ... ;
  accept ... ;
  rule ... ;
* size ... ;
* content-type ... ;
* mime-type ... ;
  virus-status ... ;
* modify-header ... ;
  force-doctype-ident ... ;
  replace ... ;
  html-filter ... ;
* spam-score ... ;
* header ... ;
* filename ... ;
  add-virus-names ... ;
}

            

The doc-acl section is derived from mail-doc-acl section prototype. For detail description of it, see mod-mail-doc(5).

Changes to the doc-acl section:

Item parent-acl used as command-acl.

Item direction is not valid.

Item sender is not valid.

Item recipient is not valid.

Item from-quarantine is not valid.

[End of section pop3-proxy description.]

SEE ALSO

configuration(7), acl(5), antivirus(5), application(5), auth(5), common(5), ipc(5), listen-on(5), log(5), mod-antispam(5), mod-mail-doc(5), monitoring(5), netio(5), pf-queue(5), source-address(5), ssl(5), time(5)