linode-guix-system-configuration/opensmtpd-records-documentation.txt

OpenSMTPD Service .................

 -- Scheme Variable: opensmtpd-service-type
     OpenSMTPD is an easy-to-use mail transfer agent (MTA). OpenSMTPD
     *listens* for incoming mail and *matches* the mail to *actions*.
     The following records represent those stages:

     *listens*   ‘<opensmtpd-interface>’
                 ‘<opensmtpd-socket>’
     *matches*   ‘<opensmtpd-match>’
     *actions*   ‘<opensmtpd-local-delivery>’
                 ‘<opensmtpd-relay>’

   Additionally, each ‘<opensmtpd-interface>’ and ‘<opensmtpd-socket>’
   may use a list of ‘<opensmtpd-filter>’, and/or
   ‘<opensmtpd-filter-phase>’ records to filter email/spam.  Also
   numerous records’ fieldnames use ‘<opensmtpd-table>’ records to
   hold lists or key value pairs of data.  Be sure to read the
   ‘<opensmtpd-table>’ section to learn the differance between a
   ‘mapping table’ and a ‘list table’.

   Finally, both ‘<opensmtpd-match>’ and ‘<opensmtpd-filter-phase>’
   use ‘<opensmtpd-option>’ to configure various options.

    A simple example opensmtpd configuration is below:

          (let ((smtp.gnu.org (opensmtpd-pki
                                  (domain "smtp.gnu.org")
                                  (cert "file.cert")
                                  (key "file.key"))))
            (service opensmtpd-service-type
                     (opensmtpd-configuration
                      (interfaces (list
                                   (opensmtpd-interface
                                    (pki smtp.gnu.org))
                                   (opensmtpd-interface
                                    (pki smtp.gnu.org)
                                    (secure-connection "smtps"))))
                      (matches (list
                                (opensmtpd-match
                                 (action
                                  (opensmtpd-local-delivery
                                   (name "local-delivery"))))
                                (opensmtpd-match
                                 (action
                                  (opensmtpd-relay
                                   (name "relay")))))))))

 -- Data Type: opensmtpd-configuration
     Data type representing the configuration of opensmtpd.

     ‘package’ (default: OPENSMTPD)
          Package object of the OpenSMTPD server.

     ‘config-file’ (default: ‘%default-opensmtpd-config-file’)
          File-like object of the OpenSMTPD configuration file to use.
          By default it listens on the loopback network interface, and
          allows for mail from users and daemons on the local machine,
          as well as permitting email to remote servers.  Run ‘man
          smtpd.conf’ for more information.

     ‘bounce’ (default: ‘(list "4h")’)
          ‘bounce’ is a list of strings, which send warning messages to
          the envelope sender when temporary delivery failures cause a
          message to remain in the queue for longer than a specified
          delay.  Each delay option is a string parameter beginning with
          a positive decimal integer and a unit, which can be ’s’, ’m’,
          ’h’, or ’d’.  At most four delay parameters can be specified.

     ‘interfaces’ default:
               (list
                 (opensmtpd-interface
                   (interface "lo")
                   (port 25)))
          ‘interfaces’ is a list of ‘<opensmtpd-interface>’ records.
          This list details what interfaces and ports OpenSMTPD listens
          on as well as other options.

     ‘socket’ (default: ‘(opensmtpd-socket)’)
          Listens for incoming connections on the Unix domain socket.

     ‘includes’ (default: ‘#f’)
          ‘includes’ is a list of string filenames.  Each filename’s
          contents is additional configuration that is inserted into the
          top of the configuration file.  Run ‘man smtpd.conf’ for more
          information.

     ‘matches’ default:
               (list (opensmtpd-match
                      (action (opensmtpd-local-delivery
                               (name "local")
                               (method "mbox")
                               (options
                                (list
                                 (opensmtpd-option
                                  (option "for local")))))))
                     (opensmtpd-match
                      (action (opensmtpd-relay
                               (name "outbound")))
                      (options
                       (list
                        (opensmtpd-option
                         (option "from local"))
                        (opensmtpd-option
                         (option "for any"))))))
          ‘matches’ is a list of ‘<opensmtpd-match>’ records, which
          matches incoming mail and sends it to a correspending action.
          The match records are evaluated sequentially, with the first
          match winning.  Therefore _the order that you arrange your
          matches is important_.  It’s a good idea to put specific
          matches first and an all emcompassing match (like ‘(option
          "for any")’) *last*.  If an incoming mail does not match any
          match records, then it is rejected.

     ‘mta-max-deferred’ (default: ‘100’)
          When delivery to a given host is suspended due to temporary
          failures, cache at most number envelopes for that host such
          that they can be delivered as soon as another delivery
          succeeds to that host.  The default is 100.

     ‘queue’ (default: ‘#f’)
          ‘queue’ expects an ‘<opensmtpd-queue>’ record.  With it, one
          may compress and encrypt queue-ed emails as well as set the
          default expiration time for temporarily undeliverable
          messages.

     ‘smtp’ (default: ‘#f’)
          ‘smtp’ expects an ‘<opensmtpd-smtp>’ record, which lets one
          specifiy how large email may be along with other settings.

     ‘srs’ (default: ‘#f’)
          ‘srs’ expects an ‘<opensmtpd-srs>’ record, which lets one set
          up SRS, the Sender Rewritting Scheme.

     ‘setgid-commands?’ (default: ‘#t’)
          Make the following commands setgid to ‘smtpq’ so they can be
          executed: ‘smtpctl’, ‘sendmail’, ‘send-mail’, ‘makemap’,
          ‘mailq’, and ‘newaliases’.  *Note Setuid Programs::, for more
          information on setgid programs.

   • Data Type: opensmtpd-interface Data type representing the
     configuration of an ‘<opensmtpd-interface>’.  It listens on the
     fieldname ‘interface’ for incoming connections, using the same
     syntax as ‘ifconfig’.  The interface parameter may also be an
     string interface group, an string IP address, or a string domain
     name.  Listening can optionally be restricted to a specific address
     via the fieldname ‘family’, which can be either ‘"inet4"’ or
     ‘"inet6"’.

        • ‘interface’ (default: ‘"lo"’)

          The string interface to listen for incoming connections.  This
          string may be an interface group, an IP address, or a domain
          name.  These interfaces can usually be found by the command
          ‘ip link’.

        • ‘family’ (default: ‘#f’)

          Only listen on a specific address family.  Valid strings are
          ‘"inet4"’ or ‘"inet6"’, which will only listen on IPv4 or IPv6
          respectfully.  If ‘(family #f)’, then opensmtpd will listen on
          both IPv4 and IPv6.

        • ‘auth’ (default: ‘#f’) Support SMTPAUTH: clients may only
          start SMTP transactions after successful authentication.  If
          ‘auth’ is ‘#t’, then users are authenticated against their own
          normal login credentials.  Alternatively ‘auth’ may be a
          ‘mapping table’ that maps usernames to encrypted passwords.
          The password can be encrypted via the ‘smtpctl’ ‘encrypt’
          subcommand.

        • ‘auth-optional’ (default: ‘#f’) Support SMTPAUTH optionally:
          clients need not authenticate, but may do so.  This allows the
          ‘<opensmtpd-interface>’ to both accept incoming mail from
          untrusted senders and permit outgoing mail from authenticated
          users.  It can be used in situations where it is not possible
          to listen on a separate port (usually the submission port,
          587) for users to authenticate.  This option also accepts a
          ‘mapping table’ that maps usernames to encrypted passwords.

        • ‘filters’ (default: ‘#f’) A list of one or many
          ‘<opensmtpd-filter>’ or ‘<opensmtpd-filter-phase>’ records.
          The filters are applied sequentially.  These records listen
          and filter on connections handled by this listener.

        • ‘hostname’ (default: ‘#f’) Change the default server name in
          the greeting banner instead of the default one.

        • ‘hostnames’ (default: ‘#f’) Override the server name for
          specific addresses.  Use a ‘mapping table’ that maps string IP
          addresses to string hostnames.  If the address on which the
          connection arrives appears in the mapping, the associated
          hostname is used.

        • ‘mask-src’ (default: ‘#f’) If ‘#t’, then omit the from part
          when prepending “Received” headers.

        • ‘disable-dsn’ (default: ‘#f’) When ‘#t’, then disable the DSN
          (Delivery Status Notification) extension.

        • ‘pki’ (default: ‘#f’) For secure connections, use an
          ‘<opensmtpd-pki>’ record to prove a mail server’s identity.

        • ‘port’ (default: ‘25’) Listen on the integer port instead of
          the default port of 25.

        • ‘proxy-v2’ (default: ‘#f’) If ‘#t’, then support the PROXYv2
          protocol, rewriting appropriately source address received from
          proxy.

        • ‘received-auth’ (default: ‘#f’) If ‘#t’, then in “Received”
          headers, report whether the session was authenticated and by
          which local user.

        • ‘senders’ (default: ‘#f’) Look up the authenticated user in
          the supplied ‘mapping table’ to find the email addresses that
          user is allowed to submit mail as.

        • ‘masquerade’ (default: ‘#f’) ‘masquerade’, is used in
          conjunction with ‘senders’.  If ‘#t’, then the From header is
          rewritten to match the sender provided in the SMTP session.
          If ‘senders’ is ‘#false’, then ‘masquerade’ cannot be ‘#t’.

        • ‘secure-connection’ (default: ‘#f’) This is a string of one of
          these options:

          ‘"smtps"’              Support SMTPS, by default on port 465.
          ‘"tls"’                Support STARTTLS, by default on port 25.
          ‘"tls-require"’        Like ‘"tls"’, but force clients to
                                 establish a secure connection before being
                                 allowed to start an SMTP transaction.
          ‘"tls-require-verify"’ Like ‘"tls-require"’, but clients must
                                 also provide a valid certificate
                                 to establish an SMTP session.

        • ‘tag’ (default: ‘#f’) Clients connecting to the listener are
          tagged with the given string tag.

   • Data Type: opensmtpd-socket Data type representing the
     configuration of an ‘<opensmtpd-socket>’.  Listen for incoming SMTP
     connections on the Unix domain socket ‘/var/run/smtpd.sock’.  This
     is done by default, even if the record is absent.

        • ‘filters’ (default: ‘#f’) A list of one or many
          ‘<opensmtpd-filter>’ or ‘<opensmtpd-filter-phase>’ records.
          These filter incoming connections handled by this listener.

        • ‘mask-src’ (default: ‘#f’) If ‘#t’, then omit the from part
          when prepending “Received” headers.

        • ‘tag’ (default: ‘#f’) Clients connecting to the listener are
          tagged with the given string tag.

   • Data Type: opensmtpd-match This data type represents the
     configuration of an ‘<opensmtpd-match>’ record.

     If at least one mail envelope matches the options of one match
     record, receive the incoming message, put a copy into each matching
     envelope, and atomically save the envelopes to the mail spool for
     later processing by the respective ‘<opensmtpd-action>’ found in
     fieldname ‘action’.  Here is an example ‘opensmtpd-match’ record.

          (opensmtpd-match
           (action (opensmtpd-local-delivery
                    (name "receive")
                    (method (opensmtpd-maildir
                             (pathname "/home/%{rcpt.user}/Maildir")
                             (junk #t)))
                    (virtual (opensmtpd-table
                              (name "virt")
                              (data '(("carmen" . "carmen@gnu.org")))))))
           (options (list (opensmtpd-option
                           (option "from any"))
                          (opensmtpd-option
                           (option "for domain")
                           (data (opensmtpd-table
                                  (name "domain-table")
                                  (data (list "gnu.org" "fsf.org"))))))))

        • ‘action’ (default: ‘#f’)

          If mail matches this match configuration, then do this action.
          Valid values include ‘<opensmtpd-local-delivery>’ or
          ‘<opensmtpd-relay>’.

        • ‘options’ (default: ‘#f’) The fieldname ‘option’ is a list of
          unique ‘<opensmtpd-option>’ records.

          There are some mutually exclusive options: there can be only
          one “for” and only one “from” option.

          for                         from
          -------------------------------------------------------------
          only use one of the         only use one of the following:
          following:
          ‘"for any"’                 ‘"from any"’
          ‘"for local"’               ‘"from auth"’
          ‘"for domain"’              ‘"from local"’
          ‘"for rcpt-to"’             ‘"from mail-from"’
                                      ‘"from socket"’
                                      ‘"from src"’

          Additionally, some options require additional data via
          ‘<opensmtpd-option>’’s fieldname ‘data’.  The following list
          will explain the below syntax.

             • ‘"for any"’ This option only requires fieldname ‘option’
               to have the string ‘"for any"’:

                          (opensmtpd-option
                           (option "for any"))

             • ‘"tag"’ _tag_ This option only requires fieldname
               ‘option’ to have the string ‘"tag"’ with a string in
               fieldname ‘data’:

                          (opensmtpd-option
                           (option "tag")
                           (data "this-tag"))

             • ‘"for rcpt"’ _domain_ | <list table> This option requires
               fieldname ‘data’ to have a string domain or ‘list table’:

                          (opensmtpd-option
                           (option "for rcpt")
                           (data "gnu.org"))

               OR

                          (opensmtpd-option
                           (option "for rcpt")
                           (data (list "gnu.org" "fsf.org")))

          The following matching options are supported and can all be
          negated (via not #t).  The options that support a table
          (anything surrounded with ’<’ and ’>’ eg: <table>), also
          support specifying regex via (regex #t).

             • ‘"for any"’ Specify that session may address any
               destination.

             • ‘"for local"’ Specify that session may address any local
               domain.  This is the default, and may be omitted.

             • ‘"for domain"’ _domain_ | <domain> Specify that session
               may address the string _domain_ or ‘list table’ <domain>.

             • ‘"for rcpt-to"’ _recipient_ | <recipient> Specify that
               session may address the string _recipient_ or list table
               <recipient>.

             • ‘"from any"’ Specify that session may originate from any
               source.

             • ‘"from auth"’ Specify that session may originate from any
               authenticated user, no matter the source IP address.

             • ‘"from auth"’ _user_ | <user> Specify that the session
               may originate from authenticated _user_ or ‘list table’
               <user>, no matter the source IP address.

             • ‘"from local"’ Specify that session may only originate
               from a local IP address, or from the local enqueuer.
               This is the default, and may be omitted.

             • ‘"from mail-from"’ _sender_ | <sender> Specify that
               session may originate from _sender_ or ‘list table’
               <sender>, no matter the source IP address.

             • ‘"from rdns"’ Specify that session may only originate
               from an IP address that resolves to a reverse DNS.

             • ‘"from rdns"’ _hostname_ | <hostname> Specify that
               session may only originate from an IP address that
               resolves to a reverse DNS matching string _hostname_ or
               ‘list table’ <hostname>.

             • ‘"from socket"’ Specify that session may only originate
               from the local enqueuer.

             • ‘"from src"’ _address_ | <address> Specify that session
               may only originate from string _address_ or ‘list table’
               <address> which can be a specific address or a subnet
               expressed in CIDR-notation.

             • ‘"auth"’ Matches transactions which have been
               authenticated.

             • ‘"auth"’ _username_ | <username> Matches transactions
               which have been authenticated for string _user_ or ‘list
               table’ <username>.

             • ‘"helo"’ _helo-name_ | <helo-name> Specify that session’s
               HELO / EHLO should match the string _helo-name_ or ‘list
               table’ <helo-name>.

             • ‘"mail-from"’ _sender_ | <sender> Specify that
               transactions’s MAIL FROM should match the string _sender_
               or ‘list table’ <sender>.

             • ‘"rcpt-to"’ _recipient_ | <recipient> Specify that
               transaction’s RCPT TO should match the string _recipient_
               or ‘list table’ <recipient>.

             • ‘"tag"’ _tag_ Matches transactions tagged with the given
               tag.

             • ‘"tls"’ Specify that transaction should take place in a
               TLS channel.

   • Data Type: opensmtpd-local-delivery This data type represents the
     configuration of an ‘<opensmtpd-local-delivery>’ record.

        • ‘name’ (default: ‘#f’) ‘name’ is the string name of the relay
          action.

        • ‘method’ (default: ‘"mbox"’) The email delivery option.  Valid
          options are:

             • ‘"mbox"’ Deliver the message to the user’s mbox with
               mail.local(8).

             • ‘"expand-only"’ Only accept the message if a delivery
               method was specified in an aliases or .forward file.

             • ‘"forward-only"’ Only accept the message if the recipient
               results in a remote address after the processing of
               aliases or forward file.

             • ‘<opensmtpd-lmtp>’ Deliver the message to an LMTP server
               at ‘<opensmtpd-lmtp>’’s fieldname ‘destination’.  The
               location may be expressed as string host:port or as a
               UNIX socket.  Optionally, ‘<opensmtpd-lmtp>’’s fieldname
               ‘rcpt-to’ might be specified to use the recipient email
               address (after expansion) instead of the local user in
               the LMTP session as RCPT TO.

             • ‘<opensmtpd-maildir>’ Deliver the message to the maildir
               in ‘<opensmtpd-maildir>’’s fieldname ‘pathname’ if
               specified, or by default to ‘"~/Maildir"’.

               The pathname may contain format specifiers that are
               expanded before use (see the below section about Format
               Specifiers).

               If ‘<opensmtpd-maildir>’’s record fieldname ‘junk’ is
               ‘#t’, then message will be moved to the ‘Junk’ folder if
               it contains a positive ‘X-Spam’ header.  This folder will
               be created under fieldname ‘pathname’ if it does not yet
               exist.

             • ‘<opensmtpd-mda>’ Delegate the delivery to the
               ‘<opensmtpd-mda>’’s fieldname ‘command’ (type string)
               that receives the message on its standard input.

               The ‘command’ may contain format specifiers that are
               expanded before use (see Format Specifiers).

        • ‘alias’ (default: ‘#f’) Use the ‘mapping table’ for aliases
          expansion.

        • ‘ttl’ (default: ‘#f’) ‘ttl’ is a string specify how long a
          message may remain in the queue.  It’s format is ‘n{s|m|h|d}’.
          eg: ‘"4m"’ is four minutes.

        • ‘user’ (default: ‘#f’ ) ‘user’ is the string username for
          performing the delivery, to be looked up with getpwnam(3).

          This is used for virtual hosting where a single username is in
          charge of handling delivery for all virtual users.

          This option is not usable with the mbox delivery method.

        • ‘userbase’ (default: ‘#f’) ‘userbase’ is an
          ‘<opensmtpd-table>’ record for mapping user lookups instead of
          the getpwnam(3) function.

          The fieldnames ‘user’ and ‘userbase’ are mutually exclusive.

        • ‘virtual’ (default: ‘#f’) ‘virtual’ is an ‘<opensmtpd-table>’
          record is used for virtual expansion.

   • Data Type: opensmtpd-relay This data type represents the
     configuration of an ‘<opensmtpd-relay>’ record.

        • ‘name’ (default: ‘#f’) ‘name’ is the string name of the relay
          action.

        • ‘backup’ (default: ‘#f’) When ‘#t’, operate as a backup mail
          exchanger delivering messages to any mail exchanger with
          higher priority.

        • ‘backup-mx’ (default: ‘#f’) Operate as a backup mail exchanger
          delivering messages to any mail exchanger with higher priority
          than mail exchanger identified as string name.

        • ‘helo’ (default: ‘#f’) Advertise string heloname as the
          hostname to other mail exchangers during the HELO phase.

        • ‘helo-src’ (default: ‘#f’ ) Use the mapping
          ‘<opensmtpd-table>’ to look up a hostname matching the source
          address, to advertise during the HELO phase.

        • ‘domain’ (default: ‘#f’) Do not perform MX lookups but look up
          destination domain in an ‘<opensmtpd-table>’ and use matching
          relay url as relay host.

        • ‘host’ (default: ‘#f’) Do not perform MX lookups but relay
          messages to the relay host described by the string relay-url.
          The format for relay-url is ‘[proto://[label@]]host[:port]’.
          The following protocols are available:

          ‘smtp’       Normal SMTP session with opportunistic STARTTLS (the default).
          ‘smtp+tls’   Normal SMTP session with mandatory STARTTLS.
          ‘smtp+notls’ Plain text SMTP session without TLS.
          ‘lmtp’       LMTP session.  port is required.
          ‘smtps’      SMTP session with forced TLS on connection, default port is
                       465.

          Unless noted, port defaults to 25.

          The label corresponds to an entry in a credentials table, as
          documented in ‘man table’.  It is used with the ‘"smtp+tls"’
          and ‘"smtps"’ protocols for authentication.  Server
          certificates for those protocols are verified by default.

        • ‘pki’ (default: ‘#f’) For secure connections, use the
          certificate associated with ‘<opensmtpd-pki>’ (declared in a
          pki directive) to prove the client’s identity to the remote
          mail server.

        • ‘srs’ (default: ‘#f’) If ‘#t’, then when relaying a mail
          resulting from a forward, use the Sender Rewriting Scheme to
          rewrite sender address.

        • ‘tls’ (default: ‘#f’) boolean or string “no-verify” When ‘#t’,
          Require TLS to be used when relaying, using mandatory STARTTLS
          by default.  When used with a smarthost, the protocol must not
          be ‘"smtp+notls://"’.  When string ‘"no-verify"’, then do not
          require a valid certificate.

        • ‘auth’ (default: ‘#f’) ‘<opensmtpd-table>’ Use the alist
          ‘<opensmtpd-table>’ for connecting to relay-url using
          credentials.  This option is usable only with fieldname ‘host’
          option.

        • ‘mail-from’ (default: ‘#f’) string Use the string mailaddress
          as MAIL FROM address within the SMTP transaction.

        • ‘src’ (default: ‘#f’) string | ‘<opensmtpd-table>’ Use the
          string or ‘<opensmtpd-table>’ sourceaddr for the source IP
          address, which is useful on machines with multiple interfaces.
          If the list contains more than one address, all of them are
          used in such a way that traffic is routed as efficiently as
          possible.

   • Data Type: opensmtpd-filter This data type represents the
     configuration of an ‘<opensmtpd-filter>’.  This is the filter
     record one should use if they want to use an external package to
     filter email eg: rspamd or spamassassin.

        • ‘name’ (default: ‘#f’) The string name of the filter.

        • ‘proc’ (default: ‘#f’) The string command or process name.  If
          ‘proc-exec’ is ‘#t’, ‘proc’ is treated as a command to
          execute.  Otherwise, it is a process name.

        • ‘proc-exec’ (default: ‘#f’) If ‘#t’, then execute the command
          in ‘proc’.

   • Data Type: opensmtpd-filter-phase This data type represents the
     configuration of an ‘<opensmtpd-filter-phase>’.

     In a regular workflow, ‘smtpd(8)’ may accept or reject a message
     based only on the content of envelopes.  Its decisions are about
     the handling of the message, not about the handling of an active
     session.

     Filtering extends the decision making process by allowing
     ‘smtpd(8)’ to stop at each phase of an SMTP session, check that
     options are met, then decide if a session is allowed to move
     forward.

     With filtering via an ‘<opensmtpd-filter-phase>’ record, a session
     may be interrupted at any phase before an envelope is complete.  A
     message may also be rejected after being submitted, regardless of
     whether the envelope was accepted or not.

        • ‘name’ (default: ‘#f’)

          The string name of the filter phase.

        • ‘phase-name’ (default: ‘#f’) The string name of the phase.
          Valid values are:

          ‘"connect"’   upon connection, before a banner is displayed
          ‘"helo"’      after HELO command is submitted
          ‘"ehlo"’      after EHLO command is submitted
          ‘"mail-from"’ after MAIL FROM command is submitted
          ‘"rcpt-to"’   after RCPT TO command is submitted
          ‘"data"’      after DATA command is submitted
          ‘"commit"’    after message is fully is submitted

        • ‘options’ (default ‘#f’) A list of unique ‘<opensmtpd-option>’
          records.

          At each phase, various options, specified by a list of
          ‘<opensmtpd-option>’, may be checked.  The
          ‘<opensmtpd-option>’’s fieldname ‘option’ values of:
          ‘"fcrdns"’, ‘"rdns"’, and ‘"src"’ data are available in all
          phases, but other data must have been already submitted before
          they are available.  Options with a ‘<table>’ next to them
          require the ‘<opensmtpd-option>’’s fieldname ‘data’ to be an
          ‘<opensmtpd-table>’.  There are the available options:

          ‘"fcrdns"’                  forward-confirmed reverse DNS is
                                      valid
          ‘"rdns"’                    session has a reverse DNS
          ‘"rdns"’ <table>            session has a reverse DNS in table
          ‘"src"’ <table>             source address is in table
          ‘"helo"’ <table>            helo name is in table
          ‘"auth"’                    session is authenticated
          ‘"auth"’ <table>            session username is in table
          ‘"mail-from"’ <table>       sender address is in table
          ‘"rcpt-to"’ <table>         recipient address is in table

          These conditions may all be negated by setting
          ‘(opensmtpd-option (bool #f))’.

          Any conditions that require a table may indicate that tables
          include regexs setting ‘(opensmtpd-option (regex #t))’.

        • ‘decision’ A string decision to be taken.  Some decisions
          require an ‘message’ or ‘value’.  The value and message may be
          put in the ‘<opensmtpd-option>’’s fieldname ‘data’.  Valid
          strings are:

          ‘"bypass"’               the session or transaction bypasses
                                   filters
          ‘"disconnect"’ message   the session is disconnected with message
          ‘"junk"’                 the session or transaction is junked,
                                   i.e., an ‘X-Spam: yes’ header is added to
                                   any messages
          ‘"reject"’ message       the command is rejected with message
          ‘"rewrite"’ value        the command parameter is rewritten with
                                   value

          Decisions that involve a message require that the message be
          RFC valid, meaning that they should either start with a 4xx or
          5xx status code.  Descisions can be taken at any phase, though
          junking can only happen before a message is committed.

        • ‘message’ (default ‘#f’) A string message beginning with a 4xx
          or 5xx status code.

        • ‘value’ (default: ‘#f’) A number value.  ‘value’ and ‘message’
          are mutually exclusive.

   • Data Type: opensmtpd-option This data type represents the
     configuration of an ‘<opensmtpd-option>’, which is used by
     ‘<opensmtpd-filter-phase>’ and ‘<opensmtpd-match>’ to match various
     options for email.

        • ‘option’ (default ‘#f’) string

          A string option to be taken.  Some options require the
          fieldname ‘data’ to have a string or an ‘<opensmtpd-table>’.
          When the option record is used inside of an
          ‘<opensmtpd-filter-phase>’, then valid strings for fieldname
          ‘option’ are:

             • ‘"fcrdns"’
             • ‘"rdns"’
             • ‘"src"’
             • ‘"helo"’
             • ‘"auth"’
             • ‘"mail-from"’
             • ‘"rcpt-to"’

          When ‘<opensmtpd-option>’ is used inside of an
          ‘<opensmtpd-match>’, then valid strings for fieldname ‘option’
          are:

             • ‘"for"’
             • ‘"for any"’
             • ‘"for local"’
             • ‘"for domain"’
             • ‘"for rcpt-to"’
             • ‘"from any"’
             • ‘"from auth"’
             • ‘"from local"’
             • ‘"from mail-from"’
             • ‘"from rdns"’
             • ‘"from socket"’
             • ‘"from src"’
             • ‘"auth"’
             • ‘"helo"’
             • ‘"mail-from"’
             • ‘"rcpt-to"’
             • ‘"tag"’
             • ‘"tls"’

        • ‘data’ (default ‘#f’) string | ‘<opensmtpd-table>’ Some
          options require a string or ‘<opensmtpd-table>’ to be present.
          One would specify that table here.

        • ‘regex’ (default: ‘#f’) boolean Any options using a table may
          indicate that tables hold regular expressions by setting this
          option to ‘#t’.

        • ‘bool’ (default: ‘#t’) boolean When ‘(bool #f)’, this option
          record is negated.

   • Data Type: opensmtpd-table This data type represents the
     configuration of an ‘<opensmtpd-table>’.

        • ‘name’ (default ‘#f’) ‘name’ is the name of the
          ‘<opensmtpd-table>’ record.

        • ‘data’ (default: ‘#f’) string | list | alist | nested-list
          ‘data’ expects a string, a list of strings, an alist of
          strings, or a nested list of strings.  eg:

             • string
                    (data "dev@gnu.org")

               A table of this type is called a ‘string table’.

             • list
                    (data (list ("gnu.org" "fsf.org")))

               A table of this type is called a ‘list table’.

             • alist
                    (data '(("james" . "$encryptedPassword")
                            ("jennifer" . "$encryptedPassword2)))

               A table of this type is called a ‘mapping table’.

             • nested-list
                    (data '(("user1" "root@gnu.org" "admin@gnu.org")
                            ("user2" "james@guix.gnu.org" "sarah@fsf.org")))

               A table of this type is also called a ‘mapping table’.

   • Data Type: opensmtpd-pki This data type represents the
     configuration of an ‘<opensmtpd-pki>’.

        • ‘domain’ (default ‘#f’) ‘domain’ is the string name of the
          ‘<opensmtpd-pki>’ record.

        • ‘cert’ (default: ‘#f’) ‘cert’ (default: ‘#f’)

          ‘cert’ is the string certificate filename to use for this pki.

        • ‘key’ (default: ‘#f’) ‘key’ is the string certificate falename
          to use for this pki.

        • ‘dhe’ (default: ‘"none"’) Specify the DHE string parameter to
          use for DHE cipher suites with host pkiname.  Valid parameter
          values are ‘"none"’, ‘"legacy"’, or ‘"auto"’.  For ‘"legacy"’,
          a fixed key length of 1024 bits is used, whereas for ‘"auto"’,
          the key length is determined automatically.  The default is
          ‘"none"’, which disables DHE cipher suites.

   • Data Type: opensmtpd-maildir
        • ‘pathname’ (default: ‘"~/Maildir"’) Deliver the message to the
          maildir if pathname if specified, or by default to
          ‘"~/Maildir"’.

          The pathname may contain format specifiers that are expanded
          before use (see FORMAT SPECIFIERS).

        • ‘junk’ (default: ‘#f’) If the junk argument is ‘#t’, then the
          message will be moved to the ‘‘Junk’’ folder if it contains a
          positive ‘‘X-Spam’’ header.  This folder will be created under
          pathname if it does not yet exist.

   • Data Type: opensmtpd-mda This record lets you delegate the delivery
     to a command that receives the message on its standard input.

        • ‘name’ The string name for this MDA command.

        • ‘command’ The command to that delivers the mail.

          The command may contain format specifiers that are expanded
          before use (see FORMAT SPECIFIERS).

   • Data Type: opensmtpd-queue
        • ‘compression’ (default ‘#f’) Store queue files in a compressed
          format.  This may be useful to save disk space.

        • ‘encryption’ (default ‘#f’) Encrypt queue files with
          EVP_aes_256_gcm(3).  If no key is specified, it is read with
          getpass(3).  If the string stdin or a single dash (‘-’) is
          given instead of a key, the key is read from the standard
          input.

        • ‘ttl-delay’ (default ‘#f’) Set the default expiration time for
          temporarily undeliverable messages, given as a positive
          decimal integer followed by a unit s, m, h, or d.  The default
          is four days (‘"4d"’).

   • Data Type: opensmtpd-smtp Data type representing an
     ‘<opensmtpd-smtp>’ record.

        • ‘ciphers’ (default: ‘#f’) Set the control string for
          SSL_CTX_set_cipher_list(3).  The default is
          “HIGH:!aNULL:!MD5”.

        • ‘limit-max-mails’ (default: ‘100’) Limit the number of
          messages to count for each sessio

        • ‘limit-max-rcpt’ (default: ‘1000’) Limit the number of
          recipients to count for each transaction.

        • ‘max-message-size’ (default: ‘35M’) Reject messages larger
          than size, given as a positive number of bytes or as a string
          to be parsed with scan_scaled(3).

        • ‘sub-addr-delim character’ (default: ‘+’) When resolving the
          local part of a local email address, ignore the ASCII
          character and all characters following it.  This is helpful
          for email filters.  ‘"admin+bills@gnu.org"’ is the same email
          address as ‘"admin@gnu.org"’.  BUT an email filter can filter
          emails addressed to first email address into a ’Bills’ email
          folder.

   • Data Type: opensmtpd-srs Use this record to set up the Sender
     Rewriting Scheme (SRS).

        • ‘key’ (default: ‘#f’) Set the secret key to use for SRS, the
          Sender Rewriting Scheme.

        • ‘backup-key’ (default: ‘#f’) Set a backup secret key to use as
          a fallback for SRS.  This can be used to implement SRS key
          rotation.

        • ‘ttl-delay’ (default: ‘"4d"’) Set the time-to-live delay for
          SRS envelopes.  After this delay, a bounce reply to the SRS
          address will be discarded to limit risks of forged addresses.

   • Format Specifiers Some configuration records support expansion of
     their parameters at runtime.  Such records (for example
     ‘<opensmtpd-maildir>’, ‘<opensmtpd-mda>’) may use format specifiers
     which are expanded before delivery or relaying.  The following
     formats are currently supported:

     ‘%{sender}’           sender email address, may be empty string
     ‘%{sender.user}’      user part of the sender email address, may be empty
     ‘%{sender.domain}’    domain part of the sender email address, may be empty
     ‘%{rcpt}’             recipient email address
     ‘%{rcpt.user}’        user part of the recipient email address
     ‘%{rcpt.domain}’      domain part of the recipient email address
     ‘%{dest}’             recipient email address after expansion
     ‘%{dest.user}’        user part after expansion
     ‘%{dest.domain}’      domain part after expansion
     ‘%{user.username}’    local user
     ‘%{user.directory}’   home directory of the local user
     ‘%{mbox.from}’        name used in mbox From separator lines
     ‘%{mda}’              mda command, only available for mda wrappers

     Expansion formats also support partial expansion using the optional
     bracket notations with substring offset.  For example, with
     recipient domain ‘“example.org”’:

     ‘%{rcpt.domain[0]}’      expands to “e”
     ‘%{rcpt.domain[1]}’      expands to “x”
     ‘%{rcpt.domain[8:]}’     expands to “org”
     ‘%{rcpt.domain[-3:]}’    expands to “org”
     ‘%{rcpt.domain[0:6]}’    expands to “example”
     ‘%{rcpt.domain[0:-4]}’   expands to “example”

     In addition, modifiers may be applied to the token.  For example,
     with recipient ‘“User+Tag@Example.org”’:

     ‘%{rcpt:lowercase}’        expands to “user+tag@example.org”
     ‘%{rcpt:uppercase}’        expands to “USER+TAG@EXAMPLE.ORG”
     ‘%{rcpt:strip}’            expands to “User@Example.org”
     ‘%{rcpt:lowercasestrip}’   expands to “user@example.org”

     For security concerns, expanded values are sanitized and
     potentially dangerous characters are replaced with ‘:’.  In
     situations where they are desirable, the “raw” modifier may be
     applied.  For example, with recipient ‘“user+t?g@example.org”’:

     ‘%{rcpt}’       expands to “user+t:g@example.org”
     ‘%{rcpt:raw}’   expands to “user+t?g@example.org”