postfix-policyd.conf
######################################################################
# POLICY DAEMON CONFIGURATION #
######################################################################
# DATABASE CONFIG #
######################################################################
#
# ip address or hostname to connect to:
#
# to connect over TCP, enter the host name or ip address here.
# to connect via a unix socket instead, set MYSQLHOST=""
#
MYSQLHOST="127.0.0.1"
#
# database name:
#
# name of database to connect to
#
MYSQLDBASE="postfixpolicyd"
#
# database username:
#
# username to connect to database as
#
MYSQLUSER="postfix-policyd"
#
# database password:
#
# password for the database user above. it is stored here in
# plaintext, so keep this file out of world-readable permissions
# (e.g. owned by root, mode 0640) and never commit a real value
# to version control.
#
MYSQLPASS="X************************"
#
# connection options:
#
# which client-side connection flags policyd passes to mysql:
#
# CLIENT_COMPRESS -> compress connection from policyd -> mysql
# CLIENT_SSL -> encrypt connection from policyd -> mysql
#
# leaving this empty is fine for a local database (127.0.0.1 or a
# unix socket). if MYSQLHOST points at a remote host, set
# CLIENT_SSL so the password and mail metadata are not sent over
# the network in the clear.
#
MYSQLOPT=""
#
# failsafe/failover mode: default: on
#
# if the database or queries fail, continue accepting mail.
# note that this is fail-open: while the database is unavailable
# none of the checks configured below (blacklisting, spamtraps,
# greylisting, throttling) are applied. set this to 0 if you would
# rather stop accepting mail than accept it unchecked.
#
# 1=on 0=off
FAILSAFE=1
#
# database keep alive: default: off
#
# if you receive very little mail, your connection to the
# mysql database will time out. enabling this option pings
# the database to ensure the database connection is alive.
# if it is not, it reconnects to the database. this option
# is not needed on mail servers that receive more than one
# mail every 60 to 120 seconds. disabling this increases
# performance a little.
#
# 1=on 0=off
DATABASE_KEEPALIVE=0
######################################################################
# DAEMON CONFIG #
######################################################################
#
# debugging information: default: 3
#
# only use debugging when there are problems. levels 2 and 3
# write the mysql queries/results and the raw policy traffic
# (client, sender and recipient details) to syslog, so do not
# leave them enabled in production.
#
# 0 -> off (recommended)
# 1 -> standard debugging
# 2 -> 1+mysql queries+results
# 3 -> 1+2+network debugging
# 0=off
DEBUG=0
#
# daemon/background mode: default: off
#
# detach policyd from terminal. enable when you're happy
# that things are working as they should.
#
# 1=on 0=off
DAEMON=1
#
# bind to ip address:
#
# ip address which the policy daemon will listen on. the postfix
# policy protocol carries no authentication, so keep this on
# 127.0.0.1 unless postfix runs on another host; if you bind to a
# routable address, CONN_ACL below is the only thing limiting who
# can talk to policyd.
#
BINDHOST="127.0.0.1"
#
# port to bind to:
#
# port which the policy daemon will listen on
#
BINDPORT="10031"
#
# path to pidfile:
#
# where policyd will write its current pid to
#
PIDFILE=/var/run/policyd.pid
#
# syslog facility
#
# what syslog facility to log to
#
SYSLOG_FACILITY="LOG_MAIL|LOG_INFO"
######################################################################
# SECURITY #
######################################################################
#
# chroot:
#
# directory to change root to before binding. use a dedicated,
# otherwise empty directory that is not writable by the UID below.
#
CHROOT=/home/policyd
#
# uid:
#
# userid for the policy daemon to run as. use a dedicated
# unprivileged account (never 0/root).
#
UID=1002
#
# gid:
#
# groupid for the policy daemon to run as
#
GID=1002
#
# connection acl:
#
# this is the list of ip addresses or networks (cidr format) that
# will be allowed to connect to policyd. leaving this blank causes
# policyd to reject all connection attempts. since the policy
# protocol has no credentials of its own, this acl (together with
# BINDHOST) is the only access control on the daemon; list only
# the hosts that run postfix.
#
CONN_ACL="127.0.0.1"
#####################################################################
# WHITELISTING (functional) #
#####################################################################
#
# whitelisting: default: on
#
# this enables whitelisting of ip/netblocks. this is needed
# if you want to allow any of the whitelisting features.
#
# 1=on 0=off
WHITELISTING=1
#
# whitelist null sender: default: off
#
# null senders are normally used for bounce messages. many
# viruses use null senders so its wise to leave this disabled.
#
# 1=on 0=off
WHITELISTNULL=0
#
# whitelist sender address/domain
#
# this allows you to do whitelisting based on envelope sender
# address or envelope sender domain. a number of people have
# been asking for this. please AVOID using this as spammers
# forge envelope senders and domains a lot: anyone can put a
# whitelisted address in MAIL FROM and bypass the checks below.
# (this file has it enabled; make sure that is intentional.)
#
# 1=on 0=off
WHITELISTSENDER=1
#
# whitelist client dns name
#
# this allows you to whitelist clients that have proper resolving
# records. for example, i could whitelist 'bulk.scd.yahoo.com',
# so any connections from n6a.bulk.scd.yahoo.com or
# n6b.bulk.scd.yahoo.com would be whitelisted. this type of
# whitelisting gives far greater power when it comes to
# whitelisting ISPs or big companies which you know do not
# house spammers. bear in mind that reverse dns is set by
# whoever controls the ip's address space, so only trust names
# whose forward lookup confirms the connecting ip. please note:
# this table must NOT have more than 10 000 -> 15 000 entries.
#
# 1=on 0=off
WHITELISTDNSNAME=0
#
# automatic whitelisting default: off
#
# this allows whitelisting of remote networks who have sent
# more than AUTO_WHITELIST_NUMBER of authenticated triplets.
#
# 1=on 0=off
AUTO_WHITE_LISTING=1
#
# auto whitelist number: default: 500
#
# how many successful triplets it takes before a network is
# automatically whitelisted. keep this high: a low value (this
# file uses 10) lets a sender earn a whitelist entry, and the
# bypass that comes with it, after only a handful of
# legitimate-looking deliveries.
#
AUTO_WHITELIST_NUMBER=10
#
# whitelist netblock/24: default: 0
#
# when hosts get autowhitelisted, should the host be whitelisted
# or should the entire netblock (class C).
#
# 1=class 0=host
AUTO_WHITELIST_NETBLOCK=0
#
# whitelist expiry default: 7 days
#
# this allows you to specify for what period of time any
# host will be whitelisted for when auto whitelisted.
# a setting of 0 sets a permanent whitelist
#
AUTO_WHITELIST_EXPIRE=7d
#####################################################################
# BLACKLISTING (functional) #
#####################################################################
#
# blacklisting: default: off
#
# this enables blacklisting of ip/netblocks. this is needed
# if you want to allow any of the blacklisting features and
# the spamtrapping module. if blacklisting is disabled,
# the other modules still run and insert blacklisting records
# into the table, but it doesn't take effect until you
# actually turn blacklisting on. this allows you to look
# at which hosts get blacklisted and see if any problems
# (false positives) occurred.
#
# 1=on 0=off
BLACKLISTING=1
#
# blacklist client dns name:
#
# this allows you blacklist clients that have proper resolving
# records. for example, i could blacklist 'spamtargeting.com'.
# so any connections from mail1.spamtargeting.com or
# mail2.spamtargeting.com would be blacklisted. this type of
# blacklisting gives far greater power when it comes to
# blacklisting ISPs or big companies which you know do
# house spammers, or e.g. ADSL home users when their ISPs
# give an easily identifiable reverse DNS to them like
# adsl-*.revip.thisisp.com. please note. this table must
# NOT have more than 10 000 -> 15 000 entries.
# 1=on 0=off
BLACKLISTDNSNAME=0
#
# blacklist temp rejection: default: 4xx
#
# this allows you to either temp reject (4xx) blacklisted
# hosts or, if you are sure that blacklisted hosts are safe
# to reject, hard reject (5xx) them. with 5xx a false positive
# (e.g. a whole /24 blacklisted via BLACKLIST_NETBLOCK) bounces
# mail instead of delaying it, so review the blacklist table
# before choosing 0.
#
# 1=4xx 0=5xx
BLACKLIST_TEMP_REJECT=0
#
# blacklist netblock/24: default: host
#
# when hosts get blacklisted, should the host be blacklisted
# or should the entire netblock (class C). this applies to
# both when a host gets blacklisted via the spamtrap module
# or via the blacklist helo module.
#
# 1=class 0=host
BLACKLIST_NETBLOCK=0
#
# blacklist rejection default: "Abuse. Go Away"
#
# what error message blacklisted hosts will receive.
#
BLACKLIST_REJECTION="Abuse. Go away."
#
# automatic blacklisting default: off
#
# this allows blacklisting of remote networks who have sent
# more than AUTO_BLACKLIST_NUMBER of unauthenticated triplets.
#
# 1=on 0=off
AUTO_BLACK_LISTING=1
#
# auto blacklist number: default: 500
#
# how many unauthenticated triplets (first delivery attempts
# that were never retried) it takes before a network is
# automatically blacklisted
#
AUTO_BLACKLIST_NUMBER=500
#
# blacklist expiry default: 7 days
#
# this allows you to specify for what period of time any
# host will be blacklisted for when auto blacklisted.
# a setting of 0 sets a permanent blacklist
#
AUTO_BLACKLIST_EXPIRE=7d
#####################################################################
# BLACKLISTING HELO (functional) #
#####################################################################
#
# blacklisting helo: default: off
#
# this enables blacklisting of ip/netblocks who attempt to
# identify themselves as you. no legitimate MTA should be using
# your helo identity when connecting to your machines.
#
# 1=on 0=off
BLACKLIST_HELO=0
#
# blacklist helo auto expire: default: permanent
#
# this allows you to specify for what period of time any
# host will be blacklisted for when it has been caught
# using your HELO to identify itself. (a setting of 0
# sets a permanent blacklist)
#
BLACKLIST_HELO_AUTO_EXPIRE=0
#####################################################################
# BLACKLIST SENDER (functional) #
#####################################################################
#
# blacklist sender: default: off
#
# this allows you to use policyd to block domains and/or
# email addresses.
# 1=on 0=off
BLACKLISTSENDER=1
#####################################################################
# HELO_CHECK (functional) #
#####################################################################
#
# helo unique checking default: off
#
# (legit) hosts that connect to your mail servers 99% of
# the time use static HELO information. spammers randomize
# their helo. enabling this will cut down the amount of
# spam entering your network.
# 1=on 0=off
HELO_CHECK=1
#
# helo max number count:
#
# this allows you to specify how many unique/different
# helo names a connecting host/ip is allowed to send.
# spammers randomize their helo information in big
# numbers. legit MTAs with floating ips also do this,
# but the number of them is fairly small.
#
#
HELO_MAX_COUNT=10
#
# helo blacklist auto expire:
#
# this allows you to specify for what period of time any
# host will be blacklisted for when it has been caught
# randomizing their helo information. (a setting of 0
# sets a permanent blacklist)
#
HELO_BLACKLIST_AUTO_EXPIRE=14d
#
# helo auto expire:
#
# this allows you to specify for what period of time any
# HELO identity will remain in the database for before it
# gets expired. (a setting of 0 ensures that all HELO
# information stays stored and is never expired).
#
HELO_AUTO_EXPIRE=7d
#####################################################################
# SPAMTRAP (functional) #
#####################################################################
#
# enable spamtrap default: off
#
# the idea of this module is to allow you to capture
# hosts that mail to your spamtraps without having to
# resort to parsing the mails to identify senders. you
# now have the ability to blacklist the host/netblock
# for a period of time (definable in SPAMTRAP_AUTO_EXPIRE).
#
# 1=on 0=off
SPAMTRAPPING=1
#
# spamtrap rejection: default: "Abuse. Go Away."
#
# what error message the connecting host will recieve
# when a message is directly sent to your spamtraps
#
SPAMTRAP_REJECTION="Abuse. Go away."
#
# spamtrap auto expire: default: 7 days
#
# this allows you to specify for what period of time any
# host will be blacklisted for when it has been caught
# mailing to your spamtrap addresses. (a setting of 0
# sets a permanent blacklist)
#
SPAMTRAP_AUTO_EXPIRE=7d
#####################################################################
# GREYLISTING (functional) #
#####################################################################
#
# enable greylisting default: on
#
# whether greylisting should be enabled or disabled.
#
# 1=on 0=off
GREYLISTING=0
#
# greylist rejection: default: "Please try later"
#
# what error message the connecting host will recieve
# when a new triplet has been created.
#
GREYLIST_REJECTION="Please try later."
#
# greylist x-header: default: off
#
# you now have the functionality of tagging all mail
# that has passed greylisting.
#
# 1=on 0=off
GREYLIST_X_HEADER=0
#
# greylist host address: default: off
#
# by default policyd will only use 3 octets when dealing
# with greylisting information. this allows policyd to
# work around roaming MTAs which are known to move mail
# between different queues after a 450/temp rejection.
#
# some dont want this functionality and wish to be more
# aggressive when receiving mail. example of the format
# of the ips stored:
#
# 1=192
# 2=192.168
# 3=192.168.0 <- default/recommended
# 4=192.168.0.1
#
GREYLIST_HOSTADDR=3
#
# train database: default: off
#
# this is very useful for people who want to build
# up a collection of triplets before they start rejecting
# mail. training mode allows the collection of triplets
# to mature to a stage that when greylisting is actually
# enabled, the impact caused is far far less.
#
# 1=on 0=off
TRAINING_MODE=0
#
# training policy duration/timeout default: 0d
#
# when you have run TRAINING_MODE for all your domains
# and are running greylisting across the board, adding new
# domains and subjecting them to greylisting without a
# training period can bring unnecessary hassles. this feature
# allows you to specify for how long 'new domains' are to be
# trained for before being subjected to greylisting.
#
# a value of 0 disables this feature.
#
TRAINING_POLICY_TIMEOUT=0
#
#
# triplet timeout: default: 4 minutes
#
# when a triplet is created from the first mail delivery
# attempt, what period of time should go by before we
# allow the 'final delivery'. a study shows that there
# is no difference between 1 minute and 1 hour for spam
# at this point in time. a sane limit would be 5 minutes.
#
TRIPLET_TIME=5m
#
# opt in and opt out: default: off
#
# some people are fairly irate when it comes to mail and
# refuse wanting to have any type of delay. this feature
# enables each and every person the ability to not subject
# themselves to greylisting. this feature is also VERY
# usefull when you dont want to subject EVERY person to
# greylisting at once but instead allows you to enable
# it in batches/groups of users so you get a feel on the
# type of complaints or praise from your users.
#
# 1=on 0=off
OPTINOUT=0
#
# optinoutall: default: off
#
# this allows you to either opt everyone in, or opt every
# one out and only has any effect if OPTINOUT is enabled.
#
# 1=on 0=off
OPTINOUTALL=0
#
# triplet authenticated cleanup default: 30d
#
# if a triplet has been successfully updated (retried and
# delivered), this is what is considered an 'authenticated'
# triplet. this options allows some sanity so you do not
# keep these triplets forever. specify the amount of days
# that we keep authenticated triplets since it was last updated.
#
TRIPLET_AUTH_TIMEOUT=7d
#
# triplet unauthenticated cleanup default: 2d
#
# if a triplet has NOT been successfully updated (no retry
# attempt), this is what is considered an 'unauthenticated'
# triplet. this option allows some sanity so you do not
# keep these triplets forever. specify the amount of days
# that we keep unauthenticated triplets since being inserted
# into the database
#
TRIPLET_UNAUTH_TIMEOUT=2d
#####################################################################
# SENDER THROTTLE (functional) #
#####################################################################
#
# throttle senders default: off
#
# sender throttling allows per-user limits of all
# mail that passes the policy daemon. any envelope
# sender that is not found in the database will
# fall back to the config defaults listed below.
#
# 1=on 0=off
SENDERTHROTTLE=0
#
# throttle SASL users default=on
#
# throttling based upon envelope sender addresses does
# not work very well as it can of course be easily forged.
# if your users are forced to authenticate via SASL, enable
# this option so that quotas stick like glue regardless of
# what they try.
#
# if this option is enabled and a remote client connects
# WITHOUT sasl, policyd falls back to the client's envelope
# sender (MAIL FROM) address, which is again forgeable, so the
# quota is only as strong as your SASL requirement in postfix.
# 1=on 0=off
SENDER_THROTTLE_SASL=0
#
# throttle IP addresses default=on
#
# throttling based upon the ip address of the sender
# will ensure that the host does not send more than
# their allowed quota. you may only enable
# SENDER_THROTTLE_SASL or SENDER_THROTTLE_HOST but
# *NOT* both.
# 1=on 0=off
SENDER_THROTTLE_HOST=0
#
# quota exceeded temp rejection: default: 5xx
#
# select temp reject (4xx) or hard reject (5xx) on quota exceeded
#
# 1=4xx 0=5xx
QUOTA_EXCEEDED_TEMP_REJECT=1
#
# throttle rejection: default: "Quota Exceeded"
#
# what error message the connecting host will recieve
# when they have exceeded any of their quotas.
#
SENDER_QUOTA_REJECTION="Quota Exceeded."
#
# throttle max message size reject message default: Message size too big
#
#
#
SENDER_SIZE_REJECTION="Message size too big."
#
# maximum mail sent per time period default: 5000
#
# how many messages a user is allowed to send out
# before the time limit has expired.
#
SENDERMSGLIMIT=512
#
# maximum mail recipients per time period default: 5000
#
# how many recipients a user is allowed to send out
# before the time limit has expired.
#
SENDERRCPTLIMIT=3600
#
# maximum mail quota/size per time period default: 250 meg
#
# how much mail will be accepted from a user before the time
# limit has expired, in bytes (the value below, 250000000,
# is the 250 meg default).
# note: the maximum supported size is 2gig
#
SENDERQUOTALIMIT=250000000
#
# sender time limit: default: 24 hours
#
# after how long does all quota last before counters
# are reset back to to zero.
#
SENDERTIMELIMIT=1h
#
# sender message size: default: 10 meg
#
# this is the maximum sender mail size
#
SENDERMSGSIZE=10240000
#
# sender "warning" threshold
#
# this is the threshold (in percentage) that will trigger
# a warning to syslog. valid percentages are 1 -> 99
#
SENDERMSGSIZE_WARN=50
#
# sender "panic" threshold
#
# this is the threshold (in percentage) that will trigger
# a warning to syslog. valid percentages are 1 -> 99
#
SENDERMSGSIZE_PANIC=90
#
# inactive sender database record cleanup default: 31 days
#
# this allows you to specify how long the throttling
# records of inactive senders kept in the database.
# this allows to keep the database small. a setting
# of 0 keeps all entries.
#
SENDER_INACTIVE_EXPIRE=31d
#####################################################################
# RECIPIENT THROTTLE (functional) #
#####################################################################
#
# throttle recipients default: off
#
# recipient throttling allows per-user limits of all
# mail that passes the policy daemon. any envelope
# recipient that is not found in the database will
# fall back to the config defaults listed below.
#
# 1=on 0=off
RECIPIENTTHROTTLE=0
#
# maximum mail sent per time period default: 5000
#
# how many messages a user is allowed to send out
# before the time limit has expired.
#
RECIPIENTMSGLIMIT=64
#
# recipient time limit: default: 24 hours
#
# after how long does all quota last before counters
# are reset back to to zero.
#
RECIPIENTTIMELIMIT=1h
# throttle recipient rejection: default: "Quota Exceeded"
#
# what error message the connecting host will recieve
# when they have exceeded any of their quotas.
#
RECIPIENT_QUOTA_REJECTION="Quota Exceeded."
#
# inactive recipients database record cleanup default: 31 days
#
# this allows you to specify how long the throttling
# records of inactive recipients are kept in the database.
# this allows to keep the database small. a setting
# of 0 keeps all entries.
#
RECIPIENT_INACTIVE_EXPIRE=31d
#######
# EOF #
#######