Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- root@1363248443-1:/etc# cat /etc/postfix-policyd_throttle.conf
- ######################################################################
- # POLICY DAEMON CONFIGURATION #
- ######################################################################
- # DATABASE CONFIG #
- ######################################################################
- #
- # ip address or hostname to connect to:
- #
- # if you want to connect to a host/ip, enter it here.
- # if you want to via a unix socket, set MYSQLHOST=""
- #
- MYSQLHOST="127.0.0.1"
- #
- # database name:
- #
- # name of database to connect to
- #
- MYSQLDBASE="postfixpolicyd"
- #
- # database username:
- #
- # username to connect to database as
- #
- MYSQLUSER="postfix-policyd"
- #
- # database password:
- #
- # password to for username
- #
- MYSQLPASS="yUy2wRj0xV7JhkfL3wUJuf6dc6A5Jq"
- #
- # connection options:
- #
- # what client side connections policyd will use>
- #
- # CLIENT_COMPRESS -> compress connection from policyd -> mysql
- # CLIENT_SSL -> encrypt connection from policyd -> mysql
- #
- MYSQLOPT=""
- #
- # failsafe/failover mode: default: on
- #
- # if the database or queries fail, continue accepting mail
- #
- # 1=on 0=off
- FAILSAFE=1
- #
- # database keep alive: default: off
- #
- # if you recieve very little mail, your connection to the
- # mysql database will time out. enabling this option pings
- # the database to ensure the database connection is alive.
- # if it is not, it reconnects to the database. this option
- # is not needed on mail servers that recieve more than one
- # mail every 60 to 120 seconds. disabling this increases
- # performance a little.
- #
- # 1=on 0=off
- DATABASE_KEEPALIVE=0
- ######################################################################
- # DAEMON CONFIG #
- ######################################################################
- #
- # debugging information: default: 3
- #
- # only use debugging when there are problems
- #
- # 0 -> off (recommended)
- # 1 -> standard debugging
- # 2 -> 1+mysql queries+results
- # 3 -> 1+2+network debugging
- # 0=off
- DEBUG=0
- #
- # daemon/background mode: default: off
- #
- # detach policyd from terminal. enable when you're happy
- # that things are working as they should.
- #
- # 1=on 0=off
- DAEMON=1
- #
- # bind to ip address:
- #
- # ip address which the policy daemon will listen on
- #
- BINDHOST="127.0.0.1"
- #
- # port to bind to:
- #
- # port which the policy daemon will listen on
- #
- BINDPORT="10032"
- #
- # path to pidfile:
- #
- # where policyd will write its current pid to
- #
- PIDFILE="/var/run/policyd_throttle.pid"
- #
- # syslog facility
- #
- # what syslog facility to log to
- #
- SYSLOG_FACILITY="LOG_MAIL|LOG_INFO"
- ######################################################################
- # SECURITY #
- ######################################################################
- #
- # chroot:
- #
- # directory to change to before binding
- #
- CHROOT=/home/policyd
- #
- # uid:
- #
- # userid for the policy daemon to run as
- #
- UID=1003
- #
- # gid:
- #
- # groupid for the policy daemon to run as
- #
- GID=1003
- #
- # connection acl:
- #
- # this is the list of ip addresses or networks (cidr format) that
- # will be allowed to connect to policyd. leaving this blank causes
- # policyd to reject all connection attempts.
- #
- CONN_ACL="127.0.0.1"
- #####################################################################
- # WHITELISTING (functional) #
- #####################################################################
- #
- # whitelisting: default: on
- #
- # this enables whitelisting of ip/netblocks. this is needed
- # if you want to allow any of the whitelisting features.
- #
- # 1=on 0=off
- WHITELISTING=0
- #
- # whitelist null sender: default: off
- #
- # null senders are normally used for bounce messages. many
- # viruses use null senders so its wise to leave this disabled.
- #
- # 1=on 0=off
- WHITELISTNULL=0
- #
- # whitelist sender address/domain
- #
- # this allows you to do whitelisting based on envelope sender
- # address or envelope sender domain. a number of people have
- # been asking for this. please AVOID using this as spammers
- # forge senders and domains a lot.
- #
- # 1=on 0=off
- WHITELISTSENDER=0
- #
- # whitelist client dns name
- #
- # this allows you whitelist clients that have proper resolving
- # records. for example, i could whitelist 'bulk.scd.yahoo.com'.
- # so any connections from n6a.bulk.scd.yahoo.com or
- # n6b.bulk.scd.yahoo.com would be whitelisted. this type of
- # whitelisting gives far greater power when it comes to
- # whitelisting ISPs or big companies which you know do not
- # house spammers. please note. this table must NOT have more
- # than 10 000 -> 15 000 entries.
- #
- # 1=on 0=off
- WHITELISTDNSNAME=0
- #
- # automatic whitelisting default: off
- #
- # this allows whitelisting of remote networks who have sent
- # more than AUTO_WHITELIST_NUMBER of authenticated triplets.
- #
- # 1=on 0=off
- AUTO_WHITE_LISTING=0
- #
- # auto whitelist number: default: 500
- #
- # how many succesfull triplets does it require before a
- # network is automatically whitelisted
- #
- AUTO_WHITELIST_NUMBER=500
- #
- # whitelist netblock/24: default: 0
- #
- # when hosts get autowhitelisted, should the host be whitelisted
- # or should the entire netblock (class C).
- #
- # 1=class 0=host
- AUTO_WHITELIST_NETBLOCK=0
- #
- # whitelist expiry default: 7 days
- #
- # this allows you to specify for what period of time any
- # host will be whitelisted for when auto whitelisted.
- # a setting of 0 sets a permanent whitelist
- #
- AUTO_WHITELIST_EXPIRE=7d
- #####################################################################
- # BLACKLISTING (functional) #
- #####################################################################
- #
- # blacklisting: default: off
- #
- # this enables blacklisting of ip/netblocks. this is needed
- # if you want to allow any of the blacklisting features and
- # the spamtrapping module. if blacklisting is disabled,
- # the other modules still run and insert blacklisting records
- # into the table, but it doesn't take effect untill you
- # actually turn blacklisting on. this allows people to look
- # and what hosts get blacklisted and see if any possible
- # problems occured. (false-positive)
- #
- # 1=on 0=off
- BLACKLISTING=0
- #
- # blacklist client dns name:
- #
- # this allows you blacklist clients that have proper resolving
- # records. for example, i could blacklist 'spamtargeting.com'.
- # so any connections from mail1.spamtargeting.com or
- # mail2.spamtargeting.com would be blacklisted. this type of
- # blacklisting gives far greater power when it comes to
- # blacklisting ISPs or big companies which you know do
- # house spammers, or e.g. ADSL home users when their ISPs
- # give an easily identifiable reverse DNS to them like
- # adsl-*.revip.thisisp.com. please note. this table must
- # NOT have more than 10 000 -> 15 000 entries.
- # 1=on 0=off
- BLACKLISTDNSNAME=0
- #
- # blacklist temp rejection: default: 4xx
- #
- # this allows you to either temp reject (4xx) blacklisted
- # hosts or if you're sure that blacklisted hosts are safe
- # to reject, you can hard reject (5xx) blacklisted hosts.
- #
- # 1=4xx 0=5xx
- BLACKLIST_TEMP_REJECT=1
- #
- # blacklist netblock/24: default: host
- #
- # when hosts get blacklisted, should the host be blacklisted
- # or should the entire netblock (class C). this applies to
- # both when a host gets blacklisted via the spamtrap module
- # or via the blacklist helo module.
- #
- # 1=class 0=host
- BLACKLIST_NETBLOCK=0
- #
- # blacklist rejection default: "Abuse. Go Away"
- #
- # what error message blacklisted hosts will recieve.
- #
- BLACKLIST_REJECTION="Abuse. Go away."
- #
- # automatic blacklisting default: off
- #
- # this allows blacklisting of remote networks who have sent
- # more than AUTO_BLACKLIST_NUMBER of unauthenticated triplets.
- #
- # 1=on 0=off
- AUTO_BLACK_LISTING=0
- #
- # auto blacklist number: default: 500
- #
- # how many succesfull untriplets does it require before a
- # network is automatically blacklisted
- #
- AUTO_BLACKLIST_NUMBER=500
- #
- # blacklist expiry default: 7 days
- #
- # this allows you to specify for what period of time any
- # host will be blacklisted for when auto blacklisted.
- # a setting of 0 sets a permanent blacklist
- #
- AUTO_BLACKLIST_EXPIRE=7d
- #####################################################################
- # BLACKLISTING HELO (functional) #
- #####################################################################
- #
- # blacklisting helo: default: off
- #
- # this enables blacklisting of ip/netblocks who attempt to
- # identify themselve as you. no legit MTA should be using
- # your helo identity when connecting to your machines.
- #
- # 1=on 0=off
- BLACKLIST_HELO=0
- #
- # blacklist helo auto expire: default: permanent
- #
- # this allows you to specify for what period of time any
- # host will be blacklisted for when it has been caught
- # using your HELO to identify itself. (a setting of 0
- # sets a permanent blacklist)
- #
- BLACKLIST_HELO_AUTO_EXPIRE=0
- #####################################################################
- # BLACKLIST SENDER (functional) #
- #####################################################################
- #
- # blacklist sender: default: off
- #
- # this allows you to use policyd to block domains and/or
- # email addresses.
- # 1=on 0=off
- BLACKLISTSENDER=0
- #####################################################################
- # HELO_CHECK (functional) #
- #####################################################################
- #
- # helo unique checking default: off
- #
- # (legit) hosts that connect to your mail servers 99% of
- # the time use static HELO information. spammers randomize
- # their helo. enabling this will cut down the amount of
- # spam entering your network.
- # 1=on 0=off
- HELO_CHECK=0
- #
- # helo max number count:
- #
- # this allows you to specify how many unique/different
- # helo names a connecting host/ip is allowed to send.
- # spammers randomize their helo information in big
- # numbers. legit MTAs with floating ips also do this,
- # but the number of them is fairly small.
- #
- #
- HELO_MAX_COUNT=10
- #
- # helo blacklist auto expire:
- #
- # this allows you to specify for what period of time any
- # host will be blacklisted for when it has been caught
- # randomizing their helo information. (a setting of 0
- # sets a permanent blacklist)
- #
- HELO_BLACKLIST_AUTO_EXPIRE=14d
- #
- # helo auto expire:
- #
- # this allows you to specify for what period of time any
- # HELO identity will remain in the database for before it
- # gets expired. (a setting of 0 ensures that all HELO
- # information stays stored and is never expired).
- #
- HELO_AUTO_EXPIRE=7d
- #####################################################################
- # SPAMTRAP (functional) #
- #####################################################################
- #
- # enable spamtrap default: off
- #
- # the idea of this module is to allow you to capture
- # hosts that mail to your spamtraps without having to
- # resort to parsing the mails to identify senders. you
- # now have the ability to blacklist the host/netblock
- # for a period of time (definable in SPAMTRAP_AUTO_EXPIRE).
- #
- # 1=on 0=off
- SPAMTRAPPING=0
- #
- # spamtrap rejection: default: "Abuse. Go Away."
- #
- # what error message the connecting host will recieve
- # when a message is directly sent to your spamtraps
- #
- SPAMTRAP_REJECTION="Abuse. Go away."
- #
- # spamtrap auto expire: default: 7 days
- #
- # this allows you to specify for what period of time any
- # host will be blacklisted for when it has been caught
- # mailing to your spamtrap addresses. (a setting of 0
- # sets a permanent blacklist)
- #
- SPAMTRAP_AUTO_EXPIRE=7d
- #####################################################################
- # GREYLISTING (functional) #
- #####################################################################
- #
- # enable greylisting default: on
- #
- # whether greylisting should be enabled or disabled.
- #
- # 1=on 0=off
- GREYLISTING=0
- #
- # greylist rejection: default: "Please try later"
- #
- # what error message the connecting host will recieve
- # when a new triplet has been created.
- #
- GREYLIST_REJECTION="Please try later."
- #
- # greylist x-header: default: off
- #
- # you now have the functionality of tagging all mail
- # that has passed greylisting.
- #
- # 1=on 0=off
- GREYLIST_X_HEADER=0
- #
- # greylist host address: default: off
- #
- # by default policyd will only use 3 octets when dealing
- # with greylisting information. this allows policyd to
- # work around roaming MTAs which are known to move mail
- # between different queues after a 450/temp rejection.
- #
- # some dont want this functionality and wish to be more
- # aggressive when receiving mail. example of the format
- # of the ips stored:
- #
- # 1=192
- # 2=192.168
- # 3=192.168.0 <- default/recommended
- # 4=192.168.0.1
- #
- GREYLIST_HOSTADDR=3
- #
- # train database: default: off
- #
- # this is very usefull for people would want to build
- # up a collection of triplets before they start rejecting
- # mail. training mode allows the collection of triplets
- # to mature to a stage that when greylisting is actually
- # enabled, they impact caused is far far less.
- #
- # 1=on 0=off
- TRAINING_MODE=0
- #
- # training policy duration/timeout default: 0d
- #
- # when you have run TRAINING_MODE for your all your domains
- # and are running greylisting across the board, adding new
- # domains and subjecting them to greylisting without a
- # training period can bring unnessasary hassles. this feature
- # allows you to specify for how long 'new domains' are to be
- # trained for before being subjected to greylisting.
- #
- # a value of 0 disables this feature.
- #
- TRAINING_POLICY_TIMEOUT=0
- #
- #
- # triplet timeout: default: 4 minutes
- #
- # when a triplet is created from the first mail delivery
- # attempt, what period of time should go by before we
- # allow the 'final delivery'. a study shows that there
- # is no difference between 1 minute and 1 hour for spam
- # at this point in time. a sane limit would be 5 minutes.
- #
- TRIPLET_TIME=4m
- #
- # opt in and opt out: default: off
- #
- # some people are fairly irate when it comes to mail and
- # refuse wanting to have any type of delay. this feature
- # enables each and every person the ability to not subject
- # themselves to greylisting. this feature is also VERY
- # usefull when you dont want to subject EVERY person to
- # greylisting at once but instead allows you to enable
- # it in batches/groups of users so you get a feel on the
- # type of complaints or praise from your users.
- #
- # 1=on 0=off
- OPTINOUT=0
- #
- # optinoutall: default: off
- #
- # this allows you to either opt everyone in, or opt every
- # one out and only has any effect if OPTINOUT is enabled.
- #
- # 1=on 0=off
- OPTINOUTALL=0
- #
- # triplet authenticated cleanup default: 30d
- #
- # if a triplet has been successfully updated (retried and
- # delivered), this is what is considered an 'authenticated'
- # triplet. this options allows some sanity so you do not
- # keep these triplets forever. specify the amount of days
- # that we keep authenticated triplets since it was last updated.
- #
- TRIPLET_AUTH_TIMEOUT=30d
- #
- # triplet unauthenticated cleanup default: 2d
- #
- # if a triplet has NOT been successfully updated (no retry
- # attempt), this is what is considered as an 'unathenticated'
- # triplet. this option allows some sanity so you do not
- # keep these triplets forever. specify the amount of days
- # that we keep unauthenticated triplets since being inserted
- # into the database
- #
- TRIPLET_UNAUTH_TIMEOUT=2d
- #####################################################################
- # SENDER THROTTLE (functional) #
- #####################################################################
- #
- # throttle senders default: off
- #
- # sender throttling allows per-user limits of all
- # mail that passes the policy daemon. any envelope
- # sender that is not found in the database will
- # fall back to the config defaults listed below.
- #
- # 1=on 0=off
- SENDERTHROTTLE=1
- #
- # throttle SASL users default=on
- #
- # throttling based upon envelope sender addresses does
- # not work very well as it can of course be easily forged.
- # if your users are forced to authenticate via SASL, enable
- # this option so that quotas stick like glue regardless of
- # what they try.
- #
- # if this option is enabled, and a remote client connects
- # WITHOUT sasl, it will then use the clients sending/FROM
- # address.
- # 1=on 0=off
- SENDER_THROTTLE_SASL=1
- #
- # throttle IP addresses default=on
- #
- # throttling based upon the ip address of the sender
- # will ensure that the host does not send more than
- # their allowed quota. you may only enable
- # SENDER_THROTTLE_SASL or SENDER_THROTTLE_HOST but
- # *NOT* both.
- # 1=on 0=off
- SENDER_THROTTLE_HOST=0
- #
- # quota exceeded temp rejection: default: 5xx
- #
- # select temp reject (4xx) or hard reject (5xx) on quota exceeded
- #
- # 1=4xx 0=5xx
- QUOTA_EXCEEDED_TEMP_REJECT=0
- #
- # throttle rejection: default: "Quota Exceeded"
- #
- # what error message the connecting host will recieve
- # when they have exceeded any of their quotas.
- #
- SENDER_QUOTA_REJECTION="Quota Exceeded."
- #
- # throttle max message size reject message default: Message size too big
- #
- #
- #
- SENDER_SIZE_REJECTION="Message size too big."
- #
- # maximum mail sent per time period default: 5000
- #
- # how many messages a user is allowed to send out
- # before the time limit has expired.
- #
- SENDERMSGLIMIT=50
- #
- # maximum mail recipients per time period default: 5000
- #
- # how many recipients a user is allowed to send out
- # before the time limit has expired.
- #
- SENDERRCPTLIMIT=50
- #
- # maximum mail quota/size per time period default: 250 meg
- #
- # how much mail will be allowed from a user (in megs)
- # which will be accepted before the timelimit has expired.
- # note: the maximum supported size is 2gig
- #
- SENDERQUOTALIMIT=250000000
- #
- # sender time limit: default: 24 hours
- #
- # after how long does all quota last before counters
- # are reset back to to zero.
- #
- SENDERTIMELIMIT=1h
- #
- # sender message size: default: 10 meg
- #
- # this is the maximum sender mail size
- #
- SENDERMSGSIZE=15728640
- #
- # sender "warning" threshold
- #
- # this is the threshold (in percentage) that will trigger a
- # a warning to syslog. valid percentages are 1 -> 99
- #
- SENDERMSGSIZE_WARN=50
- #
- # sender "panic" threshold
- #
- # this is the threshold (in percentage) that will trigger a
- # a warning to syslog. valid percentages are 1 -> 99
- #
- SENDERMSGSIZE_PANIC=90
- #
- # inactive sender database record cleanup default: 31 days
- #
- # this allows you to specify how long the throttling
- # records of inactive senders kept in the database.
- # this allows to keep the database small. a setting
- # of 0 keeps all entries.
- #
- SENDER_INACTIVE_EXPIRE=31d
- #####################################################################
- # RECIPIENT THROTTLE (functional) #
- #####################################################################
- #
- # throttle recipients default: off
- #
- # recipient throttling allows per-user limits of all
- # mail that passes the policy daemon. any envelope
- # recipient that is not found in the database will
- # fall back to the config defaults listed below.
- #
- # 1=on 0=off
- RECIPIENTTHROTTLE=0
- #
- # maximum mail sent per time period default: 5000
- #
- # how many messages a user is allowed to send out
- # before the time limit has expired.
- #
- RECIPIENTMSGLIMIT=64
- #
- # recipient time limit: default: 24 hours
- #
- # after how long does all quota last before counters
- # are reset back to to zero.
- #
- RECIPIENTTIMELIMIT=1h
- # throttle recipient rejection: default: "Quota Exceeded"
- #
- # what error message the connecting host will recieve
- # when they have exceeded any of their quotas.
- #
- RECIPIENT_QUOTA_REJECTION="Quota Exceeded."
- #
- # inactive recipients database record cleanup default: 31 days
- #
- # this allows you to specify how long the throttling
- # records of inactive recipients are kept in the database.
- # this allows to keep the database small. a setting
- # of 0 keeps all entries.
- #
- RECIPIENT_INACTIVE_EXPIRE=31d
- #######
- # EOF #
- #######
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement