linode-guix-system-configuration/opensmtpd.texi

\input texinfo    @c -*- texinfo -*-
@c %**start of header
@setfilename opensmtpd.info
@settitle OpenSMTPD Service documentation
@documentencoding UTF-8
@documentlanguage en
@c %**end of header

@finalout
@titlepage
@title OpenSMTPD Service documentation
@author Joshua Branson
@end titlepage

@contents

@ifnottex
@node Top
@top OpenSMTPD Service documentation

OpenSMTPD is an easy-to-use mail transfer agent (MTA). Its configuration file is
throughly documented in @code{man 5 smtpd.conf}. OpenSMTPD @strong{listens} for incoming
mail and @strong{matches} the mail to @strong{actions}. The following records represent those
stages:

@multitable {aaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@item @strong{listens}
@tab @code{<opensmtpd-interface}
@item 
@tab @code{<opensmtpd-socket>}
@item 
@tab 
@item @strong{matches}
@tab @code{<opensmtpd-match>}
@item 
@tab 
@item @strong{actions}
@tab @code{<opensmtpd-local-delivery>}
@item 
@tab @code{<opensmtpd-relay>}
@end multitable

Additionally, each @code{<opensmtpd-interface>} and
@code{<opensmtpd-socket>} may use a list of
@code{<opensmtpd-filter>}, and/or
@code{<opensmtpd-filter-phase>} records to filter email/spam. Also
numerous records' fieldnames use @code{<opensmtpd-table>} to hold lists
or key value pairs of data.

A simple example configuration is below:

@example
(let ((smtp.gnu.org (opensmtpd-pki
                        (domain "smtp.gnu.org")
                        (cert "file.cert")
                        (key "file.key"))))
  (service opensmtpd-service-type
           (opensmtpd-configuration
            (interface (list
                         (opensmtpd-interface
                          (pki smtp.gnu.org))
                         (opensmtpd-interface
                          (pki smtp.gnu.org)
                          (secure-connection "smtps"))))
            (matches (list
                      (opensmtpd-match
                       (action
                        (opensmtpd-local-delivery
                         (name "local-delivery"))))
                      (opensmtpd-match
                       (action
                        (opensmtpd-relay
                         (name "relay")))))))))
@end example

@itemize
@item
Scheme Variable: opensmtpd-service-type

Service type for the OpenSMTPD (@uref{https://www.opensmtpd.org, https://www.opensmtpd.org}) email server. The
value for this service type is a  @code{<opensmtpd-configuration>} record.

@item
Data Type: opensmtpd-configuration

Data type representing the configuration of OpenSMTPD@.

@itemize
@item
@code{package} (default: @code{opensmtpd})

The OpenSMTPD package to use.

@item
@code{config-file} (default: @code{#f})

File-like object of the OpenSMTPD configuration file to use.  By default it
listens on the loopback network interface, and allows for mail from users
and daemons on the local machine, as well as permitting email to remote
servers.  Run @code{man smtpd.conf} for more information.

@item
@code{bounce} (default: @code{(list "4h")})

@code{bounce} is a list of strings (max length 4), which send warning messages
to the envelope sender when temporary delivery failures cause a message to
remain in the queue for longer than string delay. Each string delay
parameter consists of a string beginning with a positive decimal integer
and a unit 's', 'm', 'h', or 'd'. At most four delay parameters can be
specified.

@item
@code{interface} (default: @code{(list (opensmtpd-interface))})

@code{interface} is a list of @code{<opensmtpd-interface>} records.
This list details what interfaces and ports OpenSMTPD listens on as well as
other information.

@item
@code{socket} (default: @code{(opensmtpd-socket-configuration)})

Listens for incoming connections on the Unix domain socket.

@item
@code{includes} (default: @code{#f})

@code{includes} is a list of string filenames. Each filename's contents is
additional configuration that is inserted into the top of the configuration
file.

@item
@code{matches} default:

@example
    (list (opensmtpd-match
           (action (opensmtpd-local-delivery
                    (name "local")
                    (method "mbox")))
           (for (opensmtpd-option
                 (option "for local"))))
          (opensmtpd-match
           (action (opensmtpd-relay
                    (name "outbound")))
           (from (opensmtpd-option
                  (option "from local")))
           (for (opensmtpd-option
                 (option "for any")))))
@end example

@code{matches} is a list of @code{<opensmtpd-match>} records, which
@strong{matches} incoming mail and sends it to a correspending @strong{action}. The
match records are evaluated sequentially, with the first match winning. If
an incoming mail does not match any match records, then it is rejected.
@end itemize

@itemize
@item
@code{mta-max-deferred} (default: @code{100})

When delivery to a given host is suspended due to temporary failures, cache
at most number envelopes for that host such that they can be delivered as
soon as another delivery succeeds to that host. The default is 100.

@item
@code{queue} (default: @code{#f})

@code{queue} expects an @code{<opensmtpd-queue>} record. With it, one may
compress and encrypt queue-ed emails as well as set the default expiration
time for temporarily undeliverable messages.

@item
@code{smtp} (default: @code{#f})

@code{smtp} expects an @code{<opensmtpd-smtp>} record, which lets one
specifiy how large email may be along with other settings.

@item
@code{srs} (default: @code{#f})

@code{srs} expects an @code{<opensmtpd-srs>} record, which lets one set
up SRS, the Sender Rewritting Scheme.
@end itemize
@end itemize


@itemize
@item
Data Type: opensmtpd-interface

Data type representing the configuration of an
@code{<opensmtpd-interface>}. Listen on the fieldname @code{interface} for
incoming connections, using the same syntax as for ifconfig(8). The interface
parameter may also be an string interface group, an string IP address, or a
string domain name. Listening can optionally be restricted to a specific
address fieldname @code{family}, which can be either ``inet4'' or ``inet6''.

@itemize
@item
@code{interface} (default: ``lo'')

The string interface to listen for incoming connections. These interface can
usually be found by the command @code{ip link}.

@item
@code{family} (default: @code{#f})

The string IP family to use.  Valid strings are ``inet4'' or ``inet6''.

@item
@code{auth} (default: @code{#f})

Support SMTPAUTH: clients may only start SMTP transactions after successful
authentication. If @code{auth} is @code{#t}, then users are authenticated against
their own normal login credentials. Alternatively @code{auth} may be an
@code{<opensmtpd-table>} whose users are authenticated against
their passwords.

@item
@code{auth-optional} (default: @code{#f})

Support SMTPAUTH optionally: clients need not authenticate, but may do so.
This allows the @code{<opensmtpd-interface>} to both accept
incoming mail from untrusted senders and permit outgoing mail from
authenticated users (using @code{<opensmtpd-match>} fieldname
@code{auth}). It can be used in situations where it is not possible to listen on
a separate port (usually the submission port, 587) for users to
authenticate.

@item
@code{filters} (default: @code{#f})

A list of one or many @code{<opensmtpd-filter>} or
@code{<opensmtpd-filter-phase>} records. The filters are applied
sequentially. These records listen and filter on connections handled by this
listener.

@item
@code{hostname} (default: @code{#f})

Use string ``hostname'' in the greeting banner instead of the default server
name.

@item
@code{hostnames} (default: @code{#f})

Override the server name for specific addresses. Use a
@code{<opensmtpd-table>} containing a mapping of string IP
addresses to hostnames. If the address on which the connection arrives
appears in the mapping, the associated hostname is used.

@item
@code{mask-src} (default: @code{#f})

If @code{#t}, then omit the from part when prepending “Received” headers.

@item
@code{disable-dsn} (default: @code{#f})

When @code{#t}, then disable the DSN (Delivery Status Notification) extension.

@item
@code{pki} (default: @code{#f})

For secure connections, use an @code{<opensmtpd-pki>}
to prove a mail server's identity.

@item
@code{port} (default: @code{#f})

Listen on the integer port instead of the default port of 25.

@item
@code{proxy-v2} (default: @code{#f})

If @code{#t}, then support the PROXYv2 protocol, rewriting appropriately source
address received from proxy.

@item
@code{received-auth} (default: @code{#f})

If @code{#t}, then in “Received” headers, report whether the session was
authenticated and by which local user.

@item
@code{senders} (default: @code{#f})

Look up the authenticated user in the supplied
@code{<opensmtpd-table>} to find the email addresses that user is
allowed to submit mail as.

@item
@code{secure-connection} (default: @code{#f})

This is a string of one of these options:

@multitable {aaaaaaaaaaaaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@item ``smtps''
@tab Support SMTPS, by default on port 465.
@item 
@tab 
@item ``tls''
@tab Support STARTTLS, by default on port 25.
@item 
@tab 
@item ``tls-require-verify''
@tab Like tls, but force clients to establish
@item 
@tab a secure connection before being allowed to
@item 
@tab start an SMTP transaction.  With the verify
@item 
@tab option, clients must also provide a valid
@item 
@tab certificate to establish an SMTP session.
@end multitable

@item
@code{tag} (default: @code{#f})

Clients connecting to the listener are tagged with the given string tag.
@end itemize

@item
Data Type: opensmtpd-socket

Data type representing the configuration of an
@code{<opensmtpd-socket>}. Listen for incoming SMTP
connections on the Unix domain socket @samp{/var/run/smtpd.sock}. This is done by
default, even if the directive is absent.

@itemize
@item
@code{filters} (default: @code{#f})

A list of one or many @code{<opensmtpd-filter>} or
@code{<opensmtpd-filter-phase>} records. These filter incoming
connections handled by this listener.

@item
@code{mask-src} (default: @code{#f})

If @code{#t}, then omit the from part when prepending “Received” headers.

@item
@code{tag} (default: @code{#f})

Clients connecting to the listener are tagged with the given string tag.
@end itemize

@item
Data Type: opensmtpd-match

This data type represents the configuration of an
@code{<opensmtpd-match>} record.

If at least one mail envelope matches the options of one match record, receive
the incoming message, put a copy into each matching envelope, and atomically
save the envelopes to the mail spool for later processing by the respective
@code{<opensmtpd-action-configuration>} found in fieldname @code{action}.

@itemize
@item
@code{action} (default: @code{#f})

If mail matches this match configuration, then do this action. Valid values
include @code{<opensmtpd-local-delivery>} or
@code{<opensmtpd-relay>}.

@item
@code{options} (default: @code{#f}) @code{<opensmtpd-option>}
The fieldname 'option' is a list of unique
@code{<opensmtpd-option>} records.

Each @code{<opensmtpd-option>} record's fieldname 'option' has
some mutually exclusive options: there can be only one ``for'' and only one
``from'' option.

@multitable {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@headitem for
@tab from
@item only use one of the following:
@tab only use one of the following:
@item ``for any''
@tab ``from any''
@item ``for local''
@tab ``from auth''
@item ``for domain''
@tab ``from local''
@item ``for rcpt-to''
@tab ``from mail-from''
@item 
@tab ``from socket''
@item 
@tab ``from src''
@end multitable

Additionally, some options require additional data via their fieldname
@code{data}.  The following list will explain the below syntax.

@itemize
@item
``for any''
@example
      (opensmtpd-option
       (option "for any"))
@end example
@item
``for rcpt'' domain | <list table>
@example
      (opensmtpd-option
       (option "for rcpt")
       (data "domain"))
@end example

OR
@example
      (opensmtpd-option
       (option "for rcpt")
       (data (list "gnu.org" "fsf.org")))
@end example
@end itemize

The following matching options are supported and can all be negated (via not
#t). The options that support a table (anything surrounded with '<' and '>'
eg: <table>), also support specifying regex via (regex #t).

@itemize
@item
@code{for any}

Specify that session may address any destination.

@item
@code{for local}

Specify that session may address any local domain.  This is the default,
and may be omitted.

@item
@code{for domain _domain_ | <domain>}

Specify that session may address the string or list table domain.

@item
@code{for rcpt-to _recipient_ | <recipient>}

Specify that session may address the string or list table recipient.

@item
@code{from any}

Specify that session may originate from any source.

@item
@code{from auth}

Specify that session may originate from any authenticated user, no matter
the source IP address.

@item
@samp{from auth _user_ | <user>}

Specify that session may originate from authenticated user or user list
user, no matter the source IP address.

@item
@code{from local}

Specify that session may only originate from a local IP address, or from
the local enqueuer.  This is the default, and may be omitted.

@item
@samp{from mail-from _sender_ | <sender>}

Specify that session may originate from sender or table sender, no
matter the source IP address.

@item
@samp{from rdns}

Specify that session may only originate from an IP address that resolves
to a reverse DNS@.

@item
@samp{from rdns _hostname_ | <hostname>}

Specify that session may only originate from an IP address that resolves
to a reverse DNS matching string or list string hostname.

@item
@samp{from socket}

Specify that session may only originate from the local enqueuer.

@item
@samp{from src _address_ | <address>}

Specify that session may only originate from string or list table address
which can be a specific address or a subnet expressed in CIDR-notation.

@item
@samp{auth}

Matches transactions which have been authenticated.

@item
@samp{auth _username_ | <username>}

Matches transactions which have been authenticated for user or user list
username.

@item
@samp{helo _helo-name_ | <helo-name>}

Specify that session's HELO / EHLO should match the string or list table
helo-name.

@item
@samp{mail-from _sender_ | <sender>}

Specify that transactions's MAIL FROM should match the string or list
table sender.

@item
@samp{rcpt-to _recipient_ | <recipient>}

Specify that transaction's RCPT TO should match the string or list table
recipient.

@item
@samp{tag tag}
Matches transactions tagged with the given tag.

@item
@samp{tls}
Specify that transaction should take place in a TLS channel.
@end itemize

Here is a simple example that rejects email from the domains @samp{gnu.org}
or @samp{dismail.de}:
,#+BEGIN@math{_SRC} scheme
(opensmtpd-option
 (not #t)
 (regex #f)
 (option ``for domain'')
 (data (opensmtpd-table
        (name ``domain-table'')
        (data (list ``gnu.org'' ``dismail.de'')))))
#+END@math{_SRC}
@end itemize
@end itemize


@itemize
@item
Data Type: opensmtpd-local-delivery

This data type represents the configuration of an
@code{<opensmtpd-local-delivery>} record.

@itemize
@item
@code{name} (default: @code{#f})

@code{name} is the string name of the relay action.

@item
@code{method} (default: @code{"mbox"})

The email delivery option.  Valid options are:

@itemize
@item
@code{"mbox"}

Deliver the message to the user's mbox with mail.local(8).

@item
@code{"expand-only"}

Only accept the message if a delivery method was specified in an aliases
or .forward file.

@item
@code{"forward-only"}

Only accept the message if the recipient results in a remote address after
the processing of aliases or forward file.

@item
@code{<opensmtpd-lmtp-configuration>}

Deliver the message to an LMTP server at
@code{<opensmtpd-lmtp-configuration>}'s fieldname @code{destination}. The location
may be expressed as string host:port or as a UNIX socket. Optionally,
@code{<opensmtpd-lmtp-configuration>}'s fieldname @code{rcpt-to} might be specified
to use the recipient email address (after expansion) instead of the local
user in the LMTP session as RCPT TO@.

@item
@code{<opensmtpd-maildir>}

Deliver the message to the maildir in
@code{<opensmtpd-maildir>}'s fieldname @code{pathname} if specified,
or by default to @samp{~/Maildir}.

The pathname may contain format specifiers that are expanded before use
(see the below section about Format Specifiers).

If @code{<opensmtpd-maildir>}'s record fieldname @code{junk} is @code{#t},
then message will be moved to the ‘Junk’ folder if it contains a positive
‘X-Spam’ header. This folder will be created under fieldname @code{pathname} if
it does not yet exist.

@item
@code{<opensmtpd-mda>}

Delegate the delivery to the @code{<opensmtpd-mda>}'s fieldname
@code{command} (type string) that receives the message on its standard input.

The @code{command} may contain format specifiers that are expanded before use
(see Format Specifiers).
@end itemize

@item
@code{alias} (default: @code{#f})

Use the mapping table for aliases expansion. @code{alias} is an
@code{<opensmtpd-table>}.

@item
@code{ttl} (default: @code{#f})

@code{ttl} is a string specify how long a message may remain in the queue.  It's
format is @samp{n@{s|m|h|d@}}.  eg: ``4m'' is four minutes.

@item
@code{user} (default: @code{#f} )

@code{user} is the string username for performing the delivery, to be looked up
with getpwnam(3).

This is used for virtual hosting where a single username is in charge of
handling delivery for all virtual users.

This option is not usable with the mbox delivery method.

@item
@code{userbase} (default: @code{#f})

@code{userbase} is an @code{<opensmtpd-table>} record for mapping user
lookups instead of the getpwnam(3) function.

The fieldnames @code{user} and @code{userbase} are mutually exclusive.

@item
@code{virtual} (default: @code{#f})

@code{virtual} is an @code{<opensmtpd-table>} record is used for virtual
expansion.
@end itemize

@item
Data Type: opensmtpd-relay

This data type represents the configuration of an
@code{<opensmtpd-relay>} record.

@itemize
@item
@code{name} (default: @code{#f})

@code{name} is the string name of the relay action.

@item
@code{backup} (default: @code{#f})

When @code{#t}, operate as a backup mail exchanger delivering messages to any
mail exchanger with higher priority.

@item
@code{backup-mx} (default: @code{#f})

Operate as a backup mail exchanger delivering messages to any mail exchanger
with higher priority than mail exchanger identified as string name.

@item
@code{helo} (default: @code{#f})

Advertise string heloname as the hostname to other mail exchangers during
the HELO phase.

@item
@code{helo-src} (default: @code{#f})

 Use the mapping @code{<openmstpd-table-configuration>} to look up a hostname
matching the source address, to advertise during the HELO phase.

@item
@code{domain} (default: @code{#f})

Do not perform MX lookups but look up destination domain in an
@code{<opensmtpd-table>} and use matching relay url as relay host.

@item
@code{host} (default: @code{#f})

Do not perform MX lookups but relay messages to the relay host described by
the string relay-url. The format for relay-url is
@samp{[proto://[label@@]]host[:port]}. The following protocols are available:

@multitable {aaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@item smtp
@tab Normal SMTP session with opportunistic STARTTLS (the default).
@item smtp+tls
@tab Normal SMTP session with mandatory STARTTLS@.
@item smtp+notls
@tab Plain text SMTP session without TLS@.
@item lmtp
@tab LMTP session.  port is required.
@item smtps
@tab SMTP session with forced TLS on connection, default port is
@item 
@tab 465.
@end multitable

Unless noted, port defaults to 25.

The label corresponds to an entry in a credentials table, as documented in
@samp{table(5)}. It is used with the @samp{"smtp+tls"} and @samp{"smtps"} protocols for
authentication. Server certificates for those protocols are verified by
default.

@item
@code{pki} (default: @code{#f})

For secure connections, use the certificate associated with
@code{<opensmtpd-pki>} (declared in a pki directive) to prove the
client's identity to the remote mail server.

@item
@code{srs} (default: @code{#f})

If @code{#t}, then when relaying a mail resulting from a forward, use the Sender
Rewriting Scheme to rewrite sender address.

@item
@code{tls} (default: @code{#f}) boolean or string ``no-verify''

When @code{#t}, Require TLS to be used when relaying, using mandatory STARTTLS by
default. When used with a smarthost, the protocol must not be
@samp{"smtp+notls://"}. When string @code{"no-verify"}, then do not require a valid
certificate.

@item
@code{auth} (default: @code{#f}) @code{<opensmtpd-table>}

Use the alist @code{<opensmtpd-table>} for connecting to relay-url
using credentials. This option is usable only with fieldname @code{host} option.

@item
@code{mail-from} (default: @code{#f}) string

Use the string mailaddress as MAIL FROM address within the SMTP transaction.

@item
@code{src} (default: @code{#f}) string | @code{<opensmtpd-table>}

Use the string or @code{<opensmtpd-table>} sourceaddr for the
source IP address, which is useful on machines with multiple interfaces. If
the list contains more than one address, all of them are used in such a way
that traffic is routed as efficiently as possible.
@end itemize

@item
Data Type: opensmtpd-filter
@@c The code does NOT actually support these things yet.

This data type represents the configuration of an
@code{<opensmtpd-filter>}. This is the filter record one should use
if they want to use an external package to filter email eg: rspamd or
spamassassin.

@itemize
@item
@code{name} (default: @code{#f})

The string name of the filter.

@item
@code{proc} (default: @code{#f})

The string command or process name.  If @code{proc-exec} is @code{#t}, @code{proc} is
treated as a command to execute.  Otherwise, it is a process name.

@item
@code{proc-exec} (default: @code{#f})
@end itemize

@item
Data Type: opensmtpd-filter-phase

This data type represents the configuration of an
@code{<opensmtpd-filter-phase>}.

In a regular workflow, smtpd(8) may accept or reject a message based only on
the content of envelopes. Its decisions are about the handling of the message,
not about the handling of an active session.

Filtering extends the decision making process by allowing smtpd(8) to stop at
each phase of an SMTP session, check that options are met, then decide if a
session is allowed to move forward.

With filtering via an @code{<opensmtpd-filter-phase>} record, a
session may be interrupted at any phase before an envelope is complete. A
message may also be rejected after being submitted, regardless of whether the
envelope was accepted or not.

@itemize
@item
@code{name} (default: @code{#f})

The string name of the filter phase.

@item
@code{phase-name} (default: @code{#f})

The string name of the phase. Valid values are:

@multitable {aaaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@item ``connect''
@tab upon connection, before a banner is displayed
@item ``helo''
@tab after HELO command is submitted
@item ``ehlo''
@tab after EHLO command is submitted
@item ``mail-from''
@tab after MAIL FROM command is submitted
@item ``rcpt-to''
@tab after RCPT TO command is submitted
@item ``data''
@tab after DATA command is submitted
@item ``commit''
@tab after message is fully is submitted
@end multitable

@item
@code{options} (default @code{#f})

A list of unique @code{<opensmtpd-option>} records.

At each phase, various options, specified by a list of
@code{<opensmtpd-option>}, may be checked. The
@code{<opensmtpd-option>}'s fieldname 'option' values of: ``fcrdns'',
``rdns'', and ``src'' data are available in all phases, but other data must have
been already submitted before they are available. Options with a @samp{<table>}
next to them require the @code{<opensmtpd-option>}'s fieldname
@code{data} to be an @code{<opensmtpd-table>}. These are the available
options:

@multitable {aaaaaaaaaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@item fcrdns
@tab forward-confirmed reverse DNS is valid
@item rdns
@tab session has a reverse DNS
@item rdns <table>
@tab session has a reverse DNS in table
@item src <table>
@tab source address is in table
@item helo <table>
@tab helo name is in table
@item auth
@tab session is authenticated
@item auth <table>
@tab session username is in table
@item mail-from <table>
@tab sender address is in table
@item rcpt-to <table>
@tab recipient address is in table
@end multitable

These conditions may all be negated by setting
@code{<opensmtpd-option>}'s fieldname @code{not} to @code{#t}.

Any conditions that require a table may indicate that tables include regexs
setting @code{<opensmtpd-option>}'s fieldname @code{regex} to @code{#t}.

@item
@code{decision}

A string decision to be taken. Some decisions require an @code{message} or
@code{value}. Valid strings are:

@multitable {aaaaaaaaaaaaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@headitem ``bypass''
@tab the session or transaction bypasses filters
@item ``disconnect'' message
@tab the session is disconnected with message
@item ``junk''
@tab the session or transaction is junked, i.e., an
@item 
@tab ‘X-Spam: yes’ header is added to any messages
@item ``reject'' message
@tab the command is rejected with message
@item ``rewrite'' value
@tab the command parameter is rewritten with value
@end multitable

Decisions that involve a message require that the message be RFC valid,
meaning that they should either start with a 4xx or 5xx status code.
Descisions can be taken at any phase, though junking can only happen before
a message is committed.

@item
@code{message} (default @code{#f})

A string message beginning with a 4xx or 5xx status code.

@item
@code{value} (default: @code{#f})

A number value.  @code{value} and @code{message} are mutually exclusive.
@end itemize

@item
Data Type: opensmtpd-option

This data type represents the configuration of an
@code{<opensmtpd-option>}, which is used by
@code{<opensmtpd-filter-phase>} and @code{<opensmtpd-match>}
to match various options for email.

@itemize
@item
@code{conditition} (default @code{#f})

A string option to be taken. Some options require a string or an
@code{<opensmtpd-table>} via the fieldname data. When the option
record is used inside of an @code{<opensmtpd-filter-phase>}, then
valid strings are:

At each phase, various options may be matched. The fcrdns, rdns, and src
data are available in all phases, but other data must have been already
submitted before they are available.

@multitable {aaaaaaaaaaaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@item ``fcrdns''
@tab forward-confirmed reverse DNS is valid
@item ``rdns''
@tab session has a reverse DNS
@item ``rdns'' <table>
@tab session has a reverse DNS in table
@item ``src'' <table>
@tab source address is in table
@item ``helo'' <table>
@tab helo name is in table
@item ``auth''
@tab session is authenticated
@item ``auth'' <table>
@tab session username is in table
@item ``mail-from'' <table>
@tab sender address is in table
@item ``rcpt-to'' <table>
@tab recipient address is in table
@end multitable

When @code{<opensmtpd-option>} is used inside of an
@code{<opensmtpd-match>}, then valid strigs for fieldname @code{option}
are: ``for'', ``for any'', ``for local'', ``for domain'', ``for rcpt-to'', ``from any''
``from auth'', ``from local'', ``from mail-from'', ``from rdns'', ``from socket'',
``from src'', ``auth'', ``helo'', ``mail-from'', ``rcpt-to'', ``tag'', or ``tls''.

@item
@code{data} (default @code{#f}) @code{<opensmtpd-table>}

Some options require a table to be present. One would specify that table
here.
@item
@code{regex} (default: @code{#f}) boolean

Any options using a table may indicate that tables hold regex by
prefixing the table name with the keyword regex.
@item
@code{not} (default: @code{#f}) boolean

When @code{#t}, this option record is negated.
@end itemize

@item
Data Type: opensmtpd-table

This data type represents the configuration of an
@code{<opensmtpd-table>}.

@itemize
@item
@code{name} (default @code{#f})

@code{name} is the name of the @code{<opensmtpd-table>} record.

@item
@code{data} (default: @code{#f})

@code{data} expects a list of strings or an alist, which is a list of
cons cells.  eg: @code{(data (list ("james" . "password")))} OR
@code{(data (list ("gnu.org" "fsf.org")))}.
@end itemize

@item
Data Type: opensmtpd-pki

This data type represents the configuration of an
@code{<opensmtpd-pki>}.

@itemize
@item
@code{domain} (default @code{#f})

@code{domain} is the string name of the @code{<opensmtpd-pki>} record.

@item
@code{cert} (default: @code{#f})

@code{cert} (default: @code{#f})

@code{cert} is the string certificate filename to use for this pki.

@item
@code{key} (default: @code{#f})

@code{key} is the string certificate falename to use for this pki.

@item
@code{dhe} (default: @code{"none"})

Specify the DHE string parameter to use for DHE cipher suites with host
pkiname. Valid parameter values are ``none'', ``legacy'', or ``auto''. For ``legacy'', a
fixed key length of 1024 bits is used, whereas for ``auto'', the key length is
determined automatically. The default is ``none'', which disables DHE cipher
suites.
@end itemize

@item
Data Type: opensmtpd-maildir

@itemize
@item
@code{pathname} (default: @code{"~/Maildir"})

Deliver the message to the maildir if pathname if specified, or by default
to @samp{~/Maildir}.

The pathname may contain format specifiers that are expanded before use
(see FORMAT SPECIFIERS).

@item
@code{junk} (default: @code{#f})

If the junk argument is @code{#t}, then the message will be moved to the @samp{‘Junk’}
folder if it contains a positive @samp{‘X-Spam’} header. This folder will be
created under pathname if it does not yet exist.
@end itemize

@item
Data Type: opensmtpd-mda

@itemize
@item
@code{name}

The string name for this MDA command.

@item
@code{command}

Delegate the delivery to a command that receives the message on its standard
input.

The command may contain format specifiers that are expanded before use (see
FORMAT SPECIFIERS).
@end itemize

@item
Data Type: opensmtpd-queue

@itemize
@item
@code{compression} (default @code{#f})

Store queue files in a compressed format. This may be useful to save disk
space.

@item
@code{encryption} (default @code{#f})

Encrypt queue files with EVP@math{_aes}@math{_256}@math{_gcm}(3). If no key is specified, it is
read with getpass(3). If the string stdin or a single dash (‘-’) is given
instead of a key, the key is read from the standard input.

@item
@code{ttl-delay} (default @code{#f})

Set the default expiration time for temporarily undeliverable messages,
given as a positive decimal integer followed by a unit s, m, h, or d. The
default is four days (``4d'').
@end itemize
@end itemize


@itemize
@item
Data Type: opensmtpd-smtp

Data type representing an @code{<opensmtpd-smtp>} record.

@itemize
@item
@code{ciphers} (default: @code{#f})

Set the control string for SSL@math{_CTX}@math{_set}@math{_cipher}@math{_list}(3).  The default is
         ``HIGH:!aNULL:!MD5''.

@item
@code{limit-max-mails} (default: @code{100})

Limit the number of messages to count for each sessio
@end itemize
@end itemize


@itemize
@item
@code{limit-max-rcpt} (default: @code{1000})

Limit the number of recipients to count for each transaction.

@item
@code{max-message-size} (default: @code{35M})

Reject messages larger than size, given as a positive number of bytes or as
a string to be parsed with scan@math{_scaled}(3).

@item
@code{sub-addr-delim character} (default: @code{+})

When resolving the local part of a local email address, ignore the ASCII
character and all characters following it. This is helpful for email
filters. @samp{"admin+bills@@gnu.org"} is the same email address as
@samp{"admin@@gnu.org"}. BUT an email filter can filter emails addressed to first
email address into a 'Bills' email folder.
@end itemize


@itemize
@item
Data Type: opensmtpd-srs

@itemize
@item
@code{key} (default: @code{#f})

Set the secret key to use for SRS, the Sender Rewriting Scheme.

@item
@code{backup-key} (default: @code{#f})

Set a backup secret key to use as a fallback for SRS@. This can be used to
implement SRS key rotation.
@item
@code{ttl-delay} (default: @code{"4d"})

Set the time-to-live delay for SRS envelopes. After this delay, a bounce
reply to the SRS address will be discarded to limit risks of forged
addresses.
@end itemize

@item
Format Specifiers

Some configuration records support expansion of their parameters at
runtime. Such records (for example
@code{<opensmtpd-maildir>}, @code{<opensmtpd-mda>}) may use
format specifiers which are expanded before delivery or relaying. The
following formats are currently supported:

@multitable {aaaaaaaaaaaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@item @samp{%@{sender@}}
@tab sender email address, may be empty string
@item @samp{%@{sender.user@}}
@tab user part of the sender email address, may be empty
@item @samp{%@{sender.domain@}}
@tab domain part of the sender email address, may be empty
@item @samp{%@{rcpt@}}
@tab recipient email address
@item @samp{%@{rcpt.user@}}
@tab user part of the recipient email address
@item @samp{%@{rcpt.domain@}}
@tab domain part of the recipient email address
@item @samp{%@{dest@}}
@tab recipient email address after expansion
@item @samp{%@{dest.user@}}
@tab user part after expansion
@item @samp{%@{dest.domain@}}
@tab domain part after expansion
@item @samp{%@{user.username@}}
@tab local user
@item @samp{%@{user.directory@}}
@tab home directory of the local user
@item @samp{%@{mbox.from@}}
@tab name used in mbox From separator lines
@item @samp{%@{mda@}}
@tab mda command, only available for mda wrappers
@end multitable

Expansion formats also support partial expansion using the optional bracket notations
with substring offset.  For example, with recipient domain @samp{“example.org”}:

@multitable {aaaaaaaaaaaaaaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaa}
@item @samp{%@{rcpt.domain[0]@}}
@tab expands to “e”
@item @samp{%@{rcpt.domain[1]@}}
@tab expands to “x”
@item @samp{%@{rcpt.domain[8:]@}}
@tab expands to “org”
@item @samp{%@{rcpt.domain[-3:]@}}
@tab expands to “org”
@item @samp{%@{rcpt.domain[0:6]@}}
@tab expands to “example”
@item @samp{%@{rcpt.domain[0:-4]@}}
@tab expands to “example”
@end multitable

In addition, modifiers may be applied to the token.  For example, with recipient
@samp{“User+Tag@@Example.org”}:

@multitable {aaaaaaaaaaaaaaaaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@item @samp{%@{rcpt:lowercase@}}
@tab expands to “user+tag@@example.org”
@item @samp{%@{rcpt:uppercase@}}
@tab expands to “USER+TAG@@EXAMPLE.ORG”
@item @samp{%@{rcpt:strip@}}
@tab expands to “User@@Example.org”
@item @samp{%@{rcpt:lowercasestrip@}}
@tab expands to “user@@example.org”
@end multitable

For security concerns, expanded values are sanitized and potentially dangerous
characters are replaced with ‘:’. In situations where they are desirable, the
“raw” modifier may be applied. For example, with recipient
@samp{“user+t?g@@example.org”}:

@multitable {aaaaaaaaaaaaa} {aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
@item @samp{%@{rcpt@}}
@tab expands to “user+t:g@@example.org”
@item @samp{%@{rcpt:raw@}}
@tab expands to “user+t?g@@example.org”
@end multitable
@end itemize
@end ifnottex



@bye