  1. root@1363248443-1:/etc# cat /etc/postfix-policyd_throttle.conf
  2. ######################################################################
  3. # POLICY DAEMON CONFIGURATION #
  4. ######################################################################
  5. # DATABASE CONFIG #
  6. ######################################################################
  7. #
  8. # ip address or hostname to connect to:
  9. #
  10. # if you want to connect to a host/ip, enter it here.
  11. # if you want to via a unix socket, set MYSQLHOST=""
  12. #
  13. MYSQLHOST="127.0.0.1"
  14.  
  15. #
  16. # database name:
  17. #
  18. # name of database to connect to
  19. #
  20. MYSQLDBASE="postfixpolicyd"
  21.  
  22. #
  23. # database username:
  24. #
  25. # username to connect to database as
  26. #
  27. MYSQLUSER="postfix-policyd"
  28.  
  29. #
  30. # database password:
  31. #
  32. # password for the username above (this is a credential: restrict read access to this file)
  33. #
  34. MYSQLPASS="yUy2wRj0xV7JhkfL3wUJuf6dc6A5Jq"
  35.  
  36. #
  37. # connection options:
  38. #
  39. # what client-side connection options policyd will use:
  40. #
  41. # CLIENT_COMPRESS -> compress connection from policyd -> mysql
  42. # CLIENT_SSL -> encrypt connection from policyd -> mysql
  43. #
  44. MYSQLOPT=""
  45.  
  46. #
  47. # failsafe/failover mode: default: on
  48. #
  49. # if the database or queries fail, continue accepting mail
  50. #
  51. # 1=on 0=off
  52. FAILSAFE=1
  53.  
  54. #
  55. # database keep alive: default: off
  56. #
  57. # if you receive very little mail, your connection to the
  58. # mysql database will time out. enabling this option pings
  59. # the database to ensure the database connection is alive.
  60. # if it is not, it reconnects to the database. this option
  61. # is not needed on mail servers that receive more than one
  62. # mail every 60 to 120 seconds. disabling this increases
  63. # performance a little.
  64. #
  65. # 1=on 0=off
  66. DATABASE_KEEPALIVE=0
  67.  
  68.  
  69.  
  70.  
  71.  
  72. ######################################################################
  73. # DAEMON CONFIG #
  74. ######################################################################
  75. #
  76. # debugging information: default: 3
  77. #
  78. # only use debugging when there are problems
  79. #
  80. # 0 -> off (recommended)
  81. # 1 -> standard debugging
  82. # 2 -> 1+mysql queries+results
  83. # 3 -> 1+2+network debugging
  84. # 0=off
  85. DEBUG=0
  86.  
  87. #
  88. # daemon/background mode: default: off
  89. #
  90. # detach policyd from terminal. enable when you're happy
  91. # that things are working as they should.
  92. #
  93. # 1=on 0=off
  94. DAEMON=1
  95.  
  96. #
  97. # bind to ip address:
  98. #
  99. # ip address which the policy daemon will listen on
  100. #
  101. BINDHOST="127.0.0.1"
  102.  
  103. #
  104. # port to bind to:
  105. #
  106. # port which the policy daemon will listen on
  107. #
  108. BINDPORT="10032"
  109.  
  110. #
  111. # path to pidfile:
  112. #
  113. # where policyd will write its current pid to
  114. #
  115. PIDFILE="/var/run/policyd_throttle.pid"
  116.  
  117. #
  118. # syslog facility
  119. #
  120. # what syslog facility to log to
  121. #
  122. SYSLOG_FACILITY="LOG_MAIL|LOG_INFO"
  123.  
  124.  
  125.  
  126.  
  127. ######################################################################
  128. # SECURITY #
  129. ######################################################################
  130. #
  131. # chroot:
  132. #
  133. # directory to change to before binding
  134. #
  135. CHROOT=/home/policyd
  136.  
  137. #
  138. # uid:
  139. #
  140. # userid for the policy daemon to run as
  141. #
  142. UID=1003
  143.  
  144. #
  145. # gid:
  146. #
  147. # groupid for the policy daemon to run as
  148. #
  149. GID=1003
  150.  
  151. #
  152. # connection acl:
  153. #
  154. # this is the list of ip addresses or networks (cidr format) that
  155. # will be allowed to connect to policyd. leaving this blank causes
  156. # policyd to reject all connection attempts.
  157. #
  158. CONN_ACL="127.0.0.1"
  159.  
  160.  
  161. #####################################################################
  162. # WHITELISTING (functional) #
  163. #####################################################################
  164. #
  165. # whitelisting: default: on
  166. #
  167. # this enables whitelisting of ip/netblocks. this is needed
  168. # if you want to allow any of the whitelisting features.
  169. #
  170. # 1=on 0=off
  171. WHITELISTING=0
  172.  
  173. #
  174. # whitelist null sender: default: off
  175. #
  176. # null senders are normally used for bounce messages. many
  177. # viruses use null senders so it's wise to leave this disabled.
  178. #
  179. # 1=on 0=off
  180. WHITELISTNULL=0
  181.  
  182. #
  183. # whitelist sender address/domain
  184. #
  185. # this allows you to do whitelisting based on envelope sender
  186. # address or envelope sender domain. a number of people have
  187. # been asking for this. please AVOID using this as spammers
  188. # forge senders and domains a lot.
  189. #
  190. # 1=on 0=off
  191. WHITELISTSENDER=0
  192.  
  193. #
  194. # whitelist client dns name
  195. #
  196. # this allows you whitelist clients that have proper resolving
  197. # records. for example, i could whitelist 'bulk.scd.yahoo.com'.
  198. # so any connections from n6a.bulk.scd.yahoo.com or
  199. # n6b.bulk.scd.yahoo.com would be whitelisted. this type of
  200. # whitelisting gives far greater power when it comes to
  201. # whitelisting ISPs or big companies which you know do not
  202. # house spammers. please note. this table must NOT have more
  203. # than 10 000 -> 15 000 entries.
  204. #
  205. # 1=on 0=off
  206. WHITELISTDNSNAME=0
  207.  
  208. #
  209. # automatic whitelisting default: off
  210. #
  211. # this allows whitelisting of remote networks who have sent
  212. # more than AUTO_WHITELIST_NUMBER of authenticated triplets.
  213. #
  214. # 1=on 0=off
  215. AUTO_WHITE_LISTING=0
  216.  
  217. #
  218. # auto whitelist number: default: 500
  219. #
  220. # how many successful triplets does it require before a
  221. # network is automatically whitelisted
  222. #
  223. AUTO_WHITELIST_NUMBER=500
  224.  
  225. #
  226. # whitelist netblock/24: default: 0
  227. #
  228. # when hosts get autowhitelisted, should the host be whitelisted
  229. # or should the entire netblock (class C).
  230. #
  231. # 1=class 0=host
  232. AUTO_WHITELIST_NETBLOCK=0
  233.  
  234. #
  235. # whitelist expiry default: 7 days
  236. #
  237. # this allows you to specify for what period of time any
  238. # host will be whitelisted for when auto whitelisted.
  239. # a setting of 0 sets a permanent whitelist
  240. #
  241. AUTO_WHITELIST_EXPIRE=7d
  242.  
  243.  
  244.  
  245.  
  246.  
  247. #####################################################################
  248. # BLACKLISTING (functional) #
  249. #####################################################################
  250. #
  251. # blacklisting: default: off
  252. #
  253. # this enables blacklisting of ip/netblocks. this is needed
  254. # if you want to allow any of the blacklisting features and
  255. # the spamtrapping module. if blacklisting is disabled,
  256. # the other modules still run and insert blacklisting records
  257. # into the table, but it doesn't take effect until you
  258. # actually turn blacklisting on. this allows people to look
  259. # at what hosts get blacklisted and see if any possible
  260. # problems occurred. (false-positive)
  261. #
  262. # 1=on 0=off
  263. BLACKLISTING=0
  264.  
  265. #
  266. # blacklist client dns name:
  267. #
  268. # this allows you blacklist clients that have proper resolving
  269. # records. for example, i could blacklist 'spamtargeting.com'.
  270. # so any connections from mail1.spamtargeting.com or
  271. # mail2.spamtargeting.com would be blacklisted. this type of
  272. # blacklisting gives far greater power when it comes to
  273. # blacklisting ISPs or big companies which you know do
  274. # house spammers, or e.g. ADSL home users when their ISPs
  275. # give an easily identifiable reverse DNS to them like
  276. # adsl-*.revip.thisisp.com. please note. this table must
  277. # NOT have more than 10 000 -> 15 000 entries.
  278. # 1=on 0=off
  279. BLACKLISTDNSNAME=0
  280.  
  281. #
  282. # blacklist temp rejection: default: 4xx
  283. #
  284. # this allows you to either temp reject (4xx) blacklisted
  285. # hosts or if you're sure that blacklisted hosts are safe
  286. # to reject, you can hard reject (5xx) blacklisted hosts.
  287. #
  288. # 1=4xx 0=5xx
  289. BLACKLIST_TEMP_REJECT=1
  290.  
  291. #
  292. # blacklist netblock/24: default: host
  293. #
  294. # when hosts get blacklisted, should the host be blacklisted
  295. # or should the entire netblock (class C). this applies to
  296. # both when a host gets blacklisted via the spamtrap module
  297. # or via the blacklist helo module.
  298. #
  299. # 1=class 0=host
  300. BLACKLIST_NETBLOCK=0
  301.  
  302. #
  303. # blacklist rejection default: "Abuse. Go Away"
  304. #
  305. # what error message blacklisted hosts will receive.
  306. #
  307. BLACKLIST_REJECTION="Abuse. Go away."
  308.  
  309. #
  310. # automatic blacklisting default: off
  311. #
  312. # this allows blacklisting of remote networks who have sent
  313. # more than AUTO_BLACKLIST_NUMBER of unauthenticated triplets.
  314. #
  315. # 1=on 0=off
  316. AUTO_BLACK_LISTING=0
  317.  
  318. #
  319. # auto blacklist number: default: 500
  320. #
  321. # how many unauthenticated triplets does it require before a
  322. # network is automatically blacklisted
  323. #
  324. AUTO_BLACKLIST_NUMBER=500
  325.  
  326. #
  327. # blacklist expiry default: 7 days
  328. #
  329. # this allows you to specify for what period of time any
  330. # host will be blacklisted for when auto blacklisted.
  331. # a setting of 0 sets a permanent blacklist
  332. #
  333. AUTO_BLACKLIST_EXPIRE=7d
  334.  
  335.  
  336.  
  337.  
  338.  
  339. #####################################################################
  340. # BLACKLISTING HELO (functional) #
  341. #####################################################################
  342. #
  343. # blacklisting helo: default: off
  344. #
  345. # this enables blacklisting of ip/netblocks who attempt to
  346. # identify themselves as you. no legit MTA should be using
  347. # your helo identity when connecting to your machines.
  348. #
  349. # 1=on 0=off
  350. BLACKLIST_HELO=0
  351.  
  352. #
  353. # blacklist helo auto expire: default: permanent
  354. #
  355. # this allows you to specify for what period of time any
  356. # host will be blacklisted for when it has been caught
  357. # using your HELO to identify itself. (a setting of 0
  358. # sets a permanent blacklist)
  359. #
  360. BLACKLIST_HELO_AUTO_EXPIRE=0
  361.  
  362.  
  363.  
  364. #####################################################################
  365. # BLACKLIST SENDER (functional) #
  366. #####################################################################
  367. #
  368. # blacklist sender: default: off
  369. #
  370. # this allows you to use policyd to block domains and/or
  371. # email addresses.
  372. # 1=on 0=off
  373. BLACKLISTSENDER=0
  374.  
  375.  
  376.  
  377. #####################################################################
  378. # HELO_CHECK (functional) #
  379. #####################################################################
  380. #
  381. # helo unique checking default: off
  382. #
  383. # (legit) hosts that connect to your mail servers 99% of
  384. # the time use static HELO information. spammers randomize
  385. # their helo. enabling this will cut down the amount of
  386. # spam entering your network.
  387. # 1=on 0=off
  388. HELO_CHECK=0
  389.  
  390. #
  391. # helo max number count:
  392. #
  393. # this allows you to specify how many unique/different
  394. # helo names a connecting host/ip is allowed to send.
  395. # spammers randomize their helo information in big
  396. # numbers. legit MTAs with floating ips also do this,
  397. # but the number of them is fairly small.
  398. #
  399. #
  400. HELO_MAX_COUNT=10
  401.  
  402. #
  403. # helo blacklist auto expire:
  404. #
  405. # this allows you to specify for what period of time any
  406. # host will be blacklisted for when it has been caught
  407. # randomizing their helo information. (a setting of 0
  408. # sets a permanent blacklist)
  409. #
  410. HELO_BLACKLIST_AUTO_EXPIRE=14d
  411.  
  412. #
  413. # helo auto expire:
  414. #
  415. # this allows you to specify for what period of time any
  416. # HELO identity will remain in the database for before it
  417. # gets expired. (a setting of 0 ensures that all HELO
  418. # information stays stored and is never expired).
  419. #
  420. HELO_AUTO_EXPIRE=7d
  421.  
  422.  
  423.  
  424.  
  425.  
  426. #####################################################################
  427. # SPAMTRAP (functional) #
  428. #####################################################################
  429. #
  430. # enable spamtrap default: off
  431. #
  432. # the idea of this module is to allow you to capture
  433. # hosts that mail to your spamtraps without having to
  434. # resort to parsing the mails to identify senders. you
  435. # now have the ability to blacklist the host/netblock
  436. # for a period of time (definable in SPAMTRAP_AUTO_EXPIRE).
  437. #
  438. # 1=on 0=off
  439. SPAMTRAPPING=0
  440.  
  441. #
  442. # spamtrap rejection: default: "Abuse. Go Away."
  443. #
  444. # what error message the connecting host will receive
  445. # when a message is directly sent to your spamtraps
  446. #
  447. SPAMTRAP_REJECTION="Abuse. Go away."
  448.  
  449. #
  450. # spamtrap auto expire: default: 7 days
  451. #
  452. # this allows you to specify for what period of time any
  453. # host will be blacklisted for when it has been caught
  454. # mailing to your spamtrap addresses. (a setting of 0
  455. # sets a permanent blacklist)
  456. #
  457. SPAMTRAP_AUTO_EXPIRE=7d
  458.  
  459.  
  460.  
  461.  
  462.  
  463. #####################################################################
  464. # GREYLISTING (functional) #
  465. #####################################################################
  466. #
  467. # enable greylisting default: on
  468. #
  469. # whether greylisting should be enabled or disabled.
  470. #
  471. # 1=on 0=off
  472. GREYLISTING=0
  473.  
  474. #
  475. # greylist rejection: default: "Please try later"
  476. #
  477. # what error message the connecting host will receive
  478. # when a new triplet has been created.
  479. #
  480. GREYLIST_REJECTION="Please try later."
  481.  
  482. #
  483. # greylist x-header: default: off
  484. #
  485. # you now have the functionality of tagging all mail
  486. # that has passed greylisting.
  487. #
  488. # 1=on 0=off
  489. GREYLIST_X_HEADER=0
  490.  
  491. #
  492. # greylist host address: default: off
  493. #
  494. # by default policyd will only use 3 octets when dealing
  495. # with greylisting information. this allows policyd to
  496. # work around roaming MTAs which are known to move mail
  497. # between different queues after a 450/temp rejection.
  498. #
  499. # some don't want this functionality and wish to be more
  500. # aggressive when receiving mail. example of the format
  501. # of the ips stored:
  502. #
  503. # 1=192
  504. # 2=192.168
  505. # 3=192.168.0 <- default/recommended
  506. # 4=192.168.0.1
  507. #
  508. GREYLIST_HOSTADDR=3
  509.  
  510. #
  511. # train database: default: off
  512. #
  513. # this is very useful for people who want to build
  514. # up a collection of triplets before they start rejecting
  515. # mail. training mode allows the collection of triplets
  516. # to mature to a stage that when greylisting is actually
  517. # enabled, the impact caused is far less.
  518. #
  519. # 1=on 0=off
  520. TRAINING_MODE=0
  521.  
  522. #
  523. # training policy duration/timeout default: 0d
  524. #
  525. # when you have run TRAINING_MODE for your all your domains
  526. # and are running greylisting across the board, adding new
  527. # domains and subjecting them to greylisting without a
  528. # training period can bring unnecessary hassles. this feature
  529. # allows you to specify for how long 'new domains' are to be
  530. # trained for before being subjected to greylisting.
  531. #
  532. # a value of 0 disables this feature.
  533. #
  534. TRAINING_POLICY_TIMEOUT=0
  535.  
  536. #
  537. #
  538. # triplet timeout: default: 4 minutes
  539. #
  540. # when a triplet is created from the first mail delivery
  541. # attempt, what period of time should go by before we
  542. # allow the 'final delivery'. a study shows that there
  543. # is no difference between 1 minute and 1 hour for spam
  544. # at this point in time. a sane limit would be 5 minutes.
  545. #
  546. TRIPLET_TIME=4m
  547.  
  548. #
  549. # opt in and opt out: default: off
  550. #
  551. # some people are fairly irate when it comes to mail and
  552. # refuse wanting to have any type of delay. this feature
  553. # enables each and every person the ability to not subject
  554. # themselves to greylisting. this feature is also VERY
  555. # useful when you don't want to subject EVERY person to
  556. # greylisting at once but instead allows you to enable
  557. # it in batches/groups of users so you get a feel on the
  558. # type of complaints or praise from your users.
  559. #
  560. # 1=on 0=off
  561. OPTINOUT=0
  562.  
  563. #
  564. # optinoutall: default: off
  565. #
  566. # this allows you to either opt everyone in, or opt every
  567. # one out and only has any effect if OPTINOUT is enabled.
  568. #
  569. # 1=on 0=off
  570. OPTINOUTALL=0
  571.  
  572. #
  573. # triplet authenticated cleanup default: 30d
  574. #
  575. # if a triplet has been successfully updated (retried and
  576. # delivered), this is what is considered an 'authenticated'
  577. # triplet. this options allows some sanity so you do not
  578. # keep these triplets forever. specify the amount of days
  579. # that we keep authenticated triplets since it was last updated.
  580. #
  581. TRIPLET_AUTH_TIMEOUT=30d
  582.  
  583. #
  584. # triplet unauthenticated cleanup default: 2d
  585. #
  586. # if a triplet has NOT been successfully updated (no retry
  587. # attempt), this is what is considered as an 'unauthenticated'
  588. # triplet. this option allows some sanity so you do not
  589. # keep these triplets forever. specify the amount of days
  590. # that we keep unauthenticated triplets since being inserted
  591. # into the database
  592. #
  593. TRIPLET_UNAUTH_TIMEOUT=2d
  594.  
  595.  
  596.  
  597.  
  598. #####################################################################
  599. # SENDER THROTTLE (functional) #
  600. #####################################################################
  601. #
  602. # throttle senders default: off
  603. #
  604. # sender throttling allows per-user limits of all
  605. # mail that passes the policy daemon. any envelope
  606. # sender that is not found in the database will
  607. # fall back to the config defaults listed below.
  608. #
  609. # 1=on 0=off
  610. SENDERTHROTTLE=1
  611.  
  612. #
  613. # throttle SASL users default=on
  614. #
  615. # throttling based upon envelope sender addresses does
  616. # not work very well as it can of course be easily forged.
  617. # if your users are forced to authenticate via SASL, enable
  618. # this option so that quotas stick like glue regardless of
  619. # what they try.
  620. #
  621. # if this option is enabled, and a remote client connects
  622. # WITHOUT sasl, it will then use the clients sending/FROM
  623. # address.
  624. # 1=on 0=off
  625. SENDER_THROTTLE_SASL=1
  626.  
  627. #
  628. # throttle IP addresses default=on
  629. #
  630. # throttling based upon the ip address of the sender
  631. # will ensure that the host does not send more than
  632. # their allowed quota. you may only enable
  633. # SENDER_THROTTLE_SASL or SENDER_THROTTLE_HOST but
  634. # *NOT* both.
  635. # 1=on 0=off
  636. SENDER_THROTTLE_HOST=0
  637.  
  638. #
  639. # quota exceeded temp rejection: default: 5xx
  640. #
  641. # select temp reject (4xx) or hard reject (5xx) on quota exceeded
  642. #
  643. # 1=4xx 0=5xx
  644. QUOTA_EXCEEDED_TEMP_REJECT=0
  645.  
  646. #
  647. # throttle rejection: default: "Quota Exceeded"
  648. #
  649. # what error message the connecting host will receive
  650. # when they have exceeded any of their quotas.
  651. #
  652. SENDER_QUOTA_REJECTION="Quota Exceeded."
  653.  
  654. #
  655. # throttle max message size reject message default: Message size too big
  656. #
  657. #
  658. #
  659. SENDER_SIZE_REJECTION="Message size too big."
  660.  
  661. #
  662. # maximum mail sent per time period default: 5000
  663. #
  664. # how many messages a user is allowed to send out
  665. # before the time limit has expired.
  666. #
  667. SENDERMSGLIMIT=50
  668.  
  669. #
  670. # maximum mail recipients per time period default: 5000
  671. #
  672. # how many recipients a user is allowed to send out
  673. # before the time limit has expired.
  674. #
  675. SENDERRCPTLIMIT=50
  676.  
  677. #
  678. # maximum mail quota/size per time period default: 250 meg
  679. #
  680. # how much mail will be allowed from a user (in megs)
  681. # which will be accepted before the timelimit has expired.
  682. # note: the maximum supported size is 2gig
  683. #
  684. SENDERQUOTALIMIT=250000000
  685.  
  686. #
  687. # sender time limit: default: 24 hours
  688. #
  689. # after how long does all quota last before counters
  690. # are reset back to zero.
  691. #
  692. SENDERTIMELIMIT=1h
  693.  
  694. #
  695. # sender message size: default: 10 meg
  696. #
  697. # this is the maximum sender mail size
  698. #
  699. SENDERMSGSIZE=15728640
  700.  
  701. #
  702. # sender "warning" threshold
  703. #
  704. # this is the threshold (in percentage) that will trigger
  705. # a warning to syslog. valid percentages are 1 -> 99
  706. #
  707. SENDERMSGSIZE_WARN=50
  708.  
  709. #
  710. # sender "panic" threshold
  711. #
  712. # this is the threshold (in percentage) that will trigger
  713. # a warning to syslog. valid percentages are 1 -> 99
  714. #
  715. SENDERMSGSIZE_PANIC=90
  716.  
  717. #
  718. # inactive sender database record cleanup default: 31 days
  719. #
  720. # this allows you to specify how long the throttling
  721. # records of inactive senders are kept in the database.
  722. # this helps keep the database small. a setting
  723. # of 0 keeps all entries.
  724. #
  725. SENDER_INACTIVE_EXPIRE=31d
  726.  
  727.  
  728.  
  729.  
  730. #####################################################################
  731. # RECIPIENT THROTTLE (functional) #
  732. #####################################################################
  733. #
  734. # throttle recipients default: off
  735. #
  736. # recipient throttling allows per-user limits of all
  737. # mail that passes the policy daemon. any envelope
  738. # recipient that is not found in the database will
  739. # fall back to the config defaults listed below.
  740. #
  741. # 1=on 0=off
  742. RECIPIENTTHROTTLE=0
  743.  
  744. #
  745. # maximum mail sent per time period default: 5000
  746. #
  747. # how many messages a user is allowed to send out
  748. # before the time limit has expired.
  749. #
  750. RECIPIENTMSGLIMIT=64
  751.  
  752. #
  753. # recipient time limit: default: 24 hours
  754. #
  755. # after how long does all quota last before counters
  756. # are reset back to zero.
  757. #
  758. RECIPIENTTIMELIMIT=1h
  759.  
  760. # throttle recipient rejection: default: "Quota Exceeded"
  761. #
  762. # what error message the connecting host will receive
  763. # when they have exceeded any of their quotas.
  764. #
  765. RECIPIENT_QUOTA_REJECTION="Quota Exceeded."
  766.  
  767. #
  768. # inactive recipients database record cleanup default: 31 days
  769. #
  770. # this allows you to specify how long the throttling
  771. # records of inactive recipients are kept in the database.
  772. # this helps keep the database small. a setting
  773. # of 0 keeps all entries.
  774. #
  775. RECIPIENT_INACTIVE_EXPIRE=31d
  776.  
  777.  
  778.  
  779. #######
  780. # EOF #
  781. #######