SSL started immediately

SSL started after STARTTLS command

No TLS.

Opportunistic TLS.

Mandatory TLS encryption.

Opportunistic DANE TLS.

Mandatory DANE TLS.

Certificate fingerprint verification.

Mandatory server certificate verification.

Secure-channel TLS.

No transport maps used.

All forwarder domains mapped to the relay host.

All forwarder domains mapped to the relay host, rest of the world to the fallback socket.

External (unhashed) map.

Not enough information for checking available.

Domain owner stated no decision about this client.

Client is authorized.

Client is not authorized.

Client is neither authorized nor strongly rejected.

Temporary error occured while checking client.

SPF record cannot be correctly interpreted.

Check only sender domain.

Try to check sender domain and in case of no SPF, check domain of the highest priority sender MX.

Try to check sender domain and in case of no SPF, check all alternate domains from the list.

Try to check sender domain and in case of no SPF, check domain of the highest priority sender MX that matches any of the domains in the list.

Soft-limit.

Reaching this limit causes error state (response to client).

Hard-limit.

Reaching this limit causes immediate session termination.

Relayhost must be defined for automatic transport maps.

MASTER-CF must be specified.

Application Startup Phase.

Configuration factorization tag.

This feature allows admin to create groups of Kernun applications (specially proxies and servers) according to various aspects (belonging to one customer, applications of particular network traffic etc.).

Each application can have several tag attributes and the KAT tool can run some commands (like 'ps', 'start' atc.) for applications with or without given tag.

MTA next-hop relay.

If omitted, MTA will deliver mail according to RCPTs DNS resolution.

Source address of connections outgoing from forwarder to next MTA.

Official hostname.

This value is copied to the main.cf 'myhostname' variable. If omitted, the regular hostname is used.

Name used in HELO/EHLO command.

This value is copied to the main.cf 'smtp_helo_name' variable. If omitted, the regular hostname is used instead.

Host name used for locally posted mails.

This value is copied to the main.cf 'myorigin' variable. If omitted, the regular hostname is used.

Internet protocol version support.

If omitted, IPv4 is enabled and IPv6 too, if supported.

Destinations for which this agent relays mails to.

Destinations for which this agent accepts mails.

List of trusted remote SMTP clients.

If omitted, the 127.0.0.0/8 network is used.

MTA mail size limit.

MTA DSN message size limit.

MTA queue lifetime.

MTA delay warning time.

Client TLS parameters.

[End of section smtp-agent.tls description.]

Postfix main.cf variables setting.

Postfix master.cf configuration file.

This file serves as the source for the master.cf files copied into etc/postfix.NAME directories. The referenced file can be the master.cf file from the Postfix distribution, because the CML modifies this file according to its purpose, i.e.

- for the LOCAL-MAILER, CML comments off all listening modules

- for SMTP-FORWARDERs, CML comments off local delivery module (if LOCAL-MAILER is used).

Additional option to smtpd call from master.cf file.

Transport map definition.

At least one server must be specified.

At most 31 servers can be used.

SSL/TLS required on connection in order to match server certificates.

Forwarding MTA description.

Relaying by local MTA.

If used, this section defines parameters of a local agent listening on 'server' addresses and delivering mails sent by smtp-proxy.

This section defines several timeouts for server reply.

[End of section smtp-forwarder.timeouts description.]

Hostname to introduce myself to server.

If omitted, global smtp-proxy.hostname is used.

Usage of SIZE ESMTP extension to the server.

This item defines, whether smtp-proxy uses SIZE extension to MAIL command. Possible values are:

Source address for outgoing connections to servers.

If omitted, the proper address of the proxy will be used, i.e. in the case of a cluster, the cluster address will be used.

If not specified by the SOURCE-PORT item, a generic port will be used.

The elements entered within this item will be used by the proxy until the first of them is applicable:

- The CLIENT keyword means the original client IP address is used. This mode will be succesful in all cases except mismatch of IP address families.

- The ADDR4/ADDR6 keyword-value pairs mean that the specified address is used for a connection of corresponding address family.

- The CLUSTER keyword means that one of cluster addresses will be used. By default, the main address of the bridge is used, however, any preferred alias address can be listed in the cluster list.- The PHYSICAL option means that the address of the physical interface is used instead of the cluster one.

- The DEFAULT option means the default behavior - i.e. using of the physical address.

- The NO-FALLBACK option means that if no other way of setting the address is acceptable, the session is rejected. Without this option, the system tries to find a suitable source IP address automatically.

List of mail server domain names handled by this forwarder.

These items are used when smtp-proxy needs to send either a copy of a mail, or a DSN message, for choosing the right forwarder. The first forwarder section with matching DOMAIN item(s) is used. More occurences of item are treated as a disjunction (OR-mode).

Use SSL/TLS on the connection to a server.

Requirements for server certificate.

ALTQ queues for data sent to forwarder.

Maximum length of local part (default set by RFC2821).

This element controls which parsing results match this item:

Set of errors matching this configuration item.

Set of addresses matching this configuration item.

The matching rules are slightly modified for the purpose of email addresses matching:

Warning: in case of ARG-INVALID error, an empty string (instead of the errorneous address) is being matched against the list.

The 3-digit response code; the first digit is also used as the first sub-code (class) of ESC (Enhanced Status Code).

If omitted, the default response code is used.

The second sub-code (subject) of ESC (Enhanced Status Code).

If omitted, the default sub-code is used.

The third sub-code (detail) of ESC (Enhanced Status Code).

If omitted, the default sub-code is used.

Response message text.

Reply-code must be 4xx or 5xx.

Deliver mail to this address, using SMTP-FORWARDER chosen by comparing the address domain name with forwarder DOMAIN(s).

E-mail must comply with RFC.

Default refusal response code and text.

Timeout for blocking of newly seen triplets.

Total time of waiting for triplet delivery retrying.

Within this time (after the initial BLOCK-TIME period), the triplet is normally processed.

After this time, the triplet is set into initial state.

Time of guarded delivery for a triplet.

If the triplet was retried to deliver by the client (and the triplet is thereby enabled), all mails for the triplet are normally processed for the GUARD-TIME period. Every new mail resets this period.

Database wide client netmask.

Clients are stored into the database using this mask. This feature allows correct function of grey-listing even for MTAs using a cluster of several machines with several IP addresses.

Triplet database file name.

This file must be set at smtp-proxy level because it is common for the whole proxy.

Section udpserver is not valid.

Item source-address is not valid.

MAIL-POOL must be specified.

POSTMASTER must be specified.

At least one SESSION-ACL must be specified (proxy must be named in some SYSTEM.ACL.SERVICES).

At least one DELIVERY-ACL must be specified.

At least one MAIL-ACL must be specified.

At least one DOC-ACL must be specified.

USE-ANTIVIRUS must be configured if VIRUS-STATUS used.

QUARANTINE must be configured at proxy level if used in ACLs.

Proxy must listen on QUARANTINE.PORT if used.

GREY-LISTING must be configured if used in DELIVERY-ACL.

WHITE-LISTING must be configured if SPF used in DELIVERY-ACL.

Item aproxy-user is not valid.

Item data used as rcpts.

Element seconds is optional, default: 300.

Element port is optional, default: 25.

Element proto is optional, default: tcp.

Element port is optional, default: 25.

Element proto is optional, default: tcp.

Only UPLOAD direction can be used.

Client connection options.

Server connection options.

In particular, output buffer size must be large enough to hold all lines of maximal allowed SMTP document header.

Mail pool directory.

The directory is used for temporary storing of incoming mails.

Quarantine directory and resend-port.

Postmaster address.

Mails for <postmaster> are forwarded to this address.

Hostname used instead of regular host name.

Timeout for initial command reception.

Maximum of rejected SMTP commands per session.

Maximum of rejected RCPT commands per mail.

Sending of original mail copy in DSN messages.

Delivery Status Notification (DSN) messages (RFC1894, RFC1982) optionally contain portion of the original mail, delivery status of which is being reported. By default, smtp-proxy sends original mail headers and portion of mail body.

This item allows to disable this behavior, or declare the size limit of mail body portion being sent. When enabled, mail headers are sent always complete.

Antivirus usage mode.

If omitted, or disabled, no antivirus is enabled. In this case, neither any ANTIVIRUS global section can be present nor any MAIL-ACL and DOC-ACL can have VIRUS item specified.

Antispam usage.

This section defines type of antispam daemon used and mode of antispam checking operation.

Grey-listing global default parameters.

Most of these parameters can be redefined in DELIVERY-ACL.

The first level of ACL decides whether to accept incoming connection.

[End of section smtp-proxy.session-acl description.]

The second level of ACL decides about reply to particular RCPT command and way how to deliver mail.

[End of section smtp-proxy.delivery-acl description.]

The first ACL on the third level decides how to handle the mail as whole.

In fact, one more decision for the whole mail can be made - in DOC-ACL corresponding to the root of MIME tree.For particular recipient, all denial actions from the third level ACL are collected, the one with highest severity (abort > reject > discard > cancel) from all DOC-ACLs is chosen. Some actions (discard, cancel) have per-recipient impact and no influence to sending mail to other recipients. However, other actions (abort, reject) have per-mail impact and the one with highest severity from all recipients is executed.

If no ACL is found, ABORT action is preformed.

[End of section smtp-proxy.mail-acl description.]

The second ACL on the third level decides how to process particular documents (or precisely: MIME tree nodes) contained in the mail.

Denial actions (if any) concern whole mail-copy for particular recipient, not only a single document. The one with highest severity (abort > reject > discard > cancel) from all DOC-ACLs is executed.

If no ACL is found, ABORT action is preformed.

[End of section smtp-proxy.doc-acl description.]