SOURCES: policyd.conf (NEW), policyd.cron (NEW), policyd.init (NEW...
qboosh
qboosh at pld-linux.org
Sat Dec 23 22:26:39 CET 2006
Author: qboosh Date: Sat Dec 23 21:26:39 2006 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- re-added, still used by policy.spec
---- Files affected:
SOURCES:
policyd.conf (1.4 -> 1.5) (NEW), policyd.cron (1.3 -> 1.4) (NEW), policyd.init (1.3 -> 1.4) (NEW), policyd.sysconfig (1.2 -> 1.3) (NEW)
---- Diffs:
================================================================
Index: SOURCES/policyd.conf
diff -u /dev/null SOURCES/policyd.conf:1.5
--- /dev/null Sat Dec 23 22:26:39 2006
+++ SOURCES/policyd.conf Sat Dec 23 22:26:33 2006
@@ -0,0 +1,724 @@
+######################################################################
+# POLICY DAEMON CONFIGURATION #
+######################################################################
+# DATABASE CONFIG #
+######################################################################
+#
+# ip address or hostname to connect to:
+#
+# if you want to connect to a host/ip, enter it here.
+# if you want to via a unix socket, set MYSQLHOST=""
+#
+MYSQLHOST="127.0.0.1"
+
+#
+# database name:
+#
+# name of database to connect to
+#
+MYSQLDBASE="policyd_database"
+
+#
+# database username:
+#
+# username to connect to database as
+#
+MYSQLUSER="policyd_username"
+
+#
+# database password:
+#
+# password to for username
+#
+MYSQLPASS="secret_password"
+
+#
+# failsafe/failover mode: default: on
+#
+# if the database or queries fail, continue accepting mail
+#
+# 1=on 0=off
+FAILSAFE=1
+
+#
+# database keep alive: default: off
+#
+# if you recieve very little mail, your connection to the
+# mysql database will time out. enabling this option pings
+# the database to ensure the database connection is alive.
+# if it is not, it reconnects to the database. this option
+# is not needed on mail servers that recieve more than one
+# mail every 60 to 120 seconds. disabling this increases
+# performance a little.
+#
+# 1=on 0=off
+DATABASE_KEEPALIVE=0
+
+
+
+
+
+######################################################################
+# DAEMON CONFIG #
+######################################################################
+#
+# debugging information: default: 3
+#
+# only use debugging when there are problems
+#
+# 0 -> off (recommended)
+# 1 -> standard debugging
+# 2 -> 1+mysql queries+results
+# 3 -> 1+2+network debugging
+# 0=off
+DEBUG=0
+
+#
+# daemon/background mode: default: on
+#
+# detach policyd from terminal
+#
+# 1=on 0=off
+DAEMON=1
+
+#
+# bind to ip address:
+#
+# ip address which the policy daemon will listen on
+#
+BINDHOST=127.0.0.1
+
+#
+# port to bind to:
+#
+# port which the policy daemon will listen on
+#
+BINDPORT=10031
+
+#
+# path to pidfile:
+#
+# where policyd will write its current pid to
+#
+PIDFILE=/var/run/policyd.pid
+
+#
+# syslog facility
+#
+# what syslog facility to log to
+#
+SYSLOG_FACILITY="LOG_MAIL | LOG_INFO"
+
+
+
+
+######################################################################
+# SECURITY #
+######################################################################
+#
+# chroot:
+#
+# directory to change to before binding
+#
+CHROOT=/usr/share/empty
+
+#
+# uid:
+#
+# userid for the policy daemon to run as
+#
+UID=121
+
+#
+# gid:
+#
+# groupid for the policy daemon to run as
+#
+GID=121
+
+
+
+
+#####################################################################
+# WHITELISTING (functional) #
+#####################################################################
+#
+# whitelisting: default: on
+#
+# this enables whitelisting of ip/netblocks. this is needed
+# if you want to allow any of the whitelisting features.
+#
+# 1=on 0=off
+WHITELISTING=1
+
+#
+# whitelist null sender: default: off
+#
+# null senders are normally used for bounce messages. many
+# viruses use null senders so its wise to leave this disabled.
+#
+# 1=on 0=off
+WHITELISTNULL=0
+
+#
+# whitelist sender address/domain
+#
+# this allows you to do whitelisting based on envelope sender
+# address or envelope sender domain. a number of people have
+# been asking for this. please AVOID using this as spammers
+# forge senders and domains a lot.
+#
+# 1=on 0=off
+WHITELISTSENDER=0
+
+#
+# whitelist client dns name
+#
+# this allows you whitelist clients that have proper resolving
+# records. for example, i could whitelist 'bulk.scd.yahoo.com'.
+# so any connections from n6a.bulk.scd.yahoo.com or
+# n6b.bulk.scd.yahoo.com would be whitelisted. this type of
+# whitelisting gives far greater power when it comes to
+# whitelisting ISPs or big companies which you know do not
+# house spammers. please note. this table must NOT have more
+# than 10 000 -> 15 000 entries.
+#
+# 1=on 0=off
+WHITELISTDNSNAME=0
+
+#
+# automatic whitelisting default: off
+#
+# this allows whitelisting of remote networks who have sent
+# more than AUTO_WHITELIST_NUMBER of authenticated triplets.
+#
+# 1=on 0=off
+AUTO_WHITE_LISTING=0
+
+#
+# auto whitelist number: default: 500
+#
+# how many succesfull triplets does it require before a
+# network is automatically whitelisted
+#
+AUTO_WHITELIST_NUMBER=500
+
+#
+# whitelist netblock/24: default: 0
+#
+# when hosts get autowhitelisted, should the host be whitelisted
+# or should the entire netblock (class C).
+#
+# 1=class 0=host
+AUTO_WHITELIST_NETBLOCK=0
+
+#
+# whitelist expiry default: 7 days
+#
+# this allows you to specify for what period of time any
+# host will be whitelisted for when auto whitelisted.
+# a setting of 0 sets a permanent whitelist
+#
+AUTO_WHITELIST_EXPIRE=7d
+
+
+
+
+
+#####################################################################
+# BLACKLISTING (functional) #
+#####################################################################
+#
+# blacklisting: default: off
+#
+# this enables blacklisting of ip/netblocks. this is needed
+# if you want to allow any of the blacklisting features and
+# the the spamtrapping module. if blacklisting is disabled,
+# the other modules still run and insert blacklisting records
+# into the table, but it doesn't take effect untill you
+# actually turn blacklisting on. this allows people to look
+# and what hosts get blacklisted and see if any possible
+# problems occured. (false-positive)
+#
+# 1=on 0=off
+BLACKLISTING=1
+
+#
+# blacklist temp rejection: default: 4xx
+#
+# this allows you to either temp reject (4xx) blacklisted
+# hosts or if you're sure that blacklisted hosts are safe
+# to reject, you can hard reject (5xx) blacklisted hosts.
+#
+# 1=4xx 0=5xx
+BLACKLIST_TEMP_REJECT=0
+
+#
+# blacklist netblock/24: default: host
+#
+# when hosts get blacklisted, should the host be blacklisted
+# or should the entire netblock (class C). this applies to
+# both when a host gets blacklisted via the spamtrap module
+# or via the blacklist helo module.
+#
+# 1=class 0=host
+BLACKLIST_NETBLOCK=0
+
+#
+# blacklist rejection default: "Abuse. Go Away"
+#
+# what error message blacklisted hosts will recieve.
+#
+BLACKLIST_REJECTION="Abuse. Go away."
+
+#
+# automatic blacklisting default: off
+#
+# this allows blacklisting of remote networks who have sent
+# more than AUTO_BLACKLIST_NUMBER of unauthenticated triplets.
+#
+# 1=on 0=off
+AUTO_BLACK_LISTING=0
+
+#
+# auto blacklist number: default: 500
+#
+# how many succesfull untriplets does it require before a
+# network is automatically blacklisted
+#
+AUTO_BLACKLIST_NUMBER=500
+
+#
+# blacklist expiry default: 7 days
+#
+# this allows you to specify for what period of time any
+# host will be blacklisted for when auto blacklisted.
+# a setting of 0 sets a permanent blacklist
+#
+AUTO_BLACKLIST_EXPIRE=7d
+
+
+
+
+
+#####################################################################
+# BLACKLISTING HELO (functional) #
+#####################################################################
+#
+# blacklisting helo: default: off
+#
+# this enables blacklisting of ip/netblocks who attempt to
+# identify themselve as you. no legit MTA should be using
+# your helo identity when connecting to your machines.
+#
+# 1=on 0=off
+BLACKLIST_HELO=1
+
+#
+# blacklist helo auto expire: default: permanent
+#
+# this allows you to specify for what period of time any
+# host will be blacklisted for when it has been caught
+# using your HELO to identify itself. (a setting of 0
+# sets a permanent blacklist)
+#
+BLACKLIST_HELO_AUTO_EXPIRE=7d
+
+
+
+#####################################################################
+# BLACKLIST SENDER (functional) #
+#####################################################################
+#
+# blacklist sender: default: off
+#
+# this allows you to use policyd to block domains and/or
+# email addresses.
+# 1=on 0=off
+BLACKLISTSENDER=1
+
+
+
+#####################################################################
+# HELO_CHECK (functional) #
+#####################################################################
+#
+# helo unique checking default: off
+#
+# (legit) hosts that connect to your mail servers 99% of
+# the time use static HELO information. spammers randomize
+# their helo. enabling this will cut down the amount of
+# spam entering your network.
+# 1=on 0=off
+HELO_CHECK=1
+
+#
+# helo max number count:
+#
+# this allows you to specify how many unique/different
+# helo names a connecting host/ip is allowed to send.
+# spammers randomize their helo information in big
+# numbers. legit MTAs with floating ips also do this,
+# but the number of them is fairly small.
+#
+#
+HELO_MAX_COUNT=10
+
+#
+# helo blacklist auto expire:
+#
+# this allows you to specify for what period of time any
+# host will be blacklisted for when it has been caught
+# randomizing their helo information. (a setting of 0
+# sets a permanent blacklist)
+#
+HELO_BLACKLIST_AUTO_EXPIRE=14d
+
+#
+# helo auto expire:
+#
+# this allows you to specify for what period of time any
+# HELO identity will remain in the database for before it
+# gets expired. (a setting of 0 ensures that all HELO
+# information stays stored and is never expired).
+#
+HELO_AUTO_EXPIRE=7d
+
+
+
+
+
+#####################################################################
+# SPAMTRAP (functional) #
+#####################################################################
+#
+# enable spamtrap default: off
+#
+# the idea of this module is to allow you to capture
+# hosts that mail to your spamtraps without having to
+# resort to parsing the mails to identify senders. you
+# now have the ability to blacklist the host/netblock
+# for a period of time (definable in SPAMTRAP_AUTO_EXPIRE).
+#
+# 1=on 0=off
+SPAMTRAPPING=1
+
+#
+# spamtrap rejection: default: "Abuse. Go Away."
+#
+# what error message the connecting host will recieve
+# when a message is directly sent to your spamtraps
+#
+SPAMTRAP_REJECTION="Abuse. Go away."
+
+#
+# spamtrap auto expire: default: 7 days
+#
+# this allows you to specify for what period of time any
+# host will be blacklisted for when it has been caught
+# mailing to your spamtrap addresses. (a setting of 0
+# sets a permanent blacklist)
+#
+SPAMTRAP_AUTO_EXPIRE=7d
+
+
+
+
+
+#####################################################################
+# GREYLISTING (functional) #
+#####################################################################
+#
+# enable greylisting default: on
+#
+# whether greylisting should be enabled or disabled.
+#
+# 1=on 0=off
+GREYLISTING=1
+
+#
+# greylist rejection: default: "Please try later"
+#
+# what error message the connecting host will recieve
+# when a new triplet has been created.
+#
+GREYLIST_REJECTION="Please try later."
+
+#
+# greylist x-header: default: off
+#
+# you now have the functionality of tagging all mail
+# that has passed greylisting.
+#
+# 1=on 0=off
+GREYLIST_X_HEADER=0
+
+#
+# greylist host address: default: off
+#
+# by default policyd will only use 3 octets when dealing
+# with greylisting information. this allows policyd to
+# work around roaming MTAs which are known to move mail
+# between different queues after a 450/temp rejection.
+#
+# some dont want this functionality and wish to be more
+# aggressive when receiving mail. example of the format
+# of the ips stored:
+#
+# 1=192
+# 2=192.168
+# 3=192.168.0 <- default/recommended
+# 4=192.168.0.1
+#
+GREYLIST_HOSTADDR=3 <- default/recommended
+
+#
+# train database: default: off
+#
+#
+# train database: default: off
+#
+# this is very usefull for people would want to build
+# up a collection of triplets before they start accepting
+# mail. training mode allows the collection of triplets
+# to mature to a stage that when greylisting is actually
+# enabled, they impact caused is far far less.
+#
+# 1=on 0=off
+TRAINING_MODE=0
+
+#
+# training policy duration/timeout default: 0d
+#
+# when you have run TRAINING_MODE for your all your domains
+# and are running greylisting across the board, adding new
+# domains and subjecting them to greylisting without a
+# training period can bring unnessasary hassles. this feature
+# allows you to specify for how long 'new domains' are to be
+# trained for before being subjected to greylisting.
+#
+# a value of 0 disables this feature.
+#
+TRAINING_POLICY_TIMEOUT=5d
+
+#
+#
+# triplet timeout: default: 5 minutes
+#
+# when a triplet is created from the first mail delivery
+# attempt, what period of time should go by before we
+# allow the 'final delivery'. a study shows that there
+# is no difference between 1 minute and 1 hour for spam
+# at this point in time. a sane limit would be 5 minutes.
+#
+TRIPLET_TIME=15m
+
+#
+# opt in and opt out: default: off
+#
+# some people are fairly irate when it comes to mail and
+# refuse wanting to have any type of delay. this feature
+# enables each and every person the ability to not subject
+# themselves to greylisting. this feature is also VERY
+# usefull when you dont want to subject EVERY person to
+# greylisting at once but instead allows you to enable
+# it in batches/groups of users so you get a feel on the
+# type of complaints or praise from your users.
+#
+# 1=on 0=off
+OPTINOUT=0
+
+#
+# optinoutall: default: off
+#
+# this allows you to either opt everyone in, or opt every
+# one out and only has any effect if OPTINOUT is enabled.
+#
+# 1=on 0=off
+OPTINOUTALL=0
+
+#
+# triplet authenticated cleanup default: 30d
+#
+# if a triplet has been successfully updated (retried and
+# delivered), this is what is considered an 'authenticated'
+# triplet. this options allows some sanity so you do not
+# keep these triplets forever. specify the amount of days
+# that we keep authenticated triplets since it was last updated.
+#
+TRIPLET_AUTH_TIMEOUT=30d
+
+#
+# triplet unauthenticated cleanup default: 2d
+#
+# if a triplet has NOT been successfully updated (no retry
+# attempt), this is what is considered as an 'unathenticated'
+# triplet. this option allows some sanity so you do not
+# keep these triplets forever. specify the amount of days
+# that we keep unauthenticated triplets since being inserted
+# into the database
+#
+TRIPLET_UNAUTH_TIMEOUT=2d
+
+
+
+
+#####################################################################
+# SENDER THROTTLE (functional) #
+#####################################################################
+#
+# throttle senders default: off
+#
+# sender throttling allows per-user limits of all
+# mail that passes the policy daemon. any envelope
+# sender that is not found in the database will
+# fall back to the config defaults listed below.
+#
+# 1=on 0=off
+SENDERTHROTTLE=0
+
+#
+# throttle SASL users default=on
+#
+# throttling based upon envelope sender addresses does
+# not work very well as it can ofcourse be easily forged.
+# if your users are forced to authenticate via SASL, enable
+# this option so that quotas stick like glue regardless of
+# what they try.
+#
+# if this option is enabled, and a remote client connects
+# WITHOUT sasl, it will then use the clients sending/FROM
+# address.
<<Diff was trimmed, longer than 597 lines>>