350
355
=item whitelist_from_rcvd addr@lists.sourceforge.net sourceforge.net
352
357
Works similarly to whitelist_from, except that in addition to matching
353
a sender address, a relay's rDNS name must match too for the whitelisting
354
rule to fire. The first parameter is an address to whitelist, and the
355
second is a string to match the relay's rDNS.
357
This string is matched against the reverse DNS lookup used during the handover
358
from the internet to your internal network's mail exchangers. It can
359
either be the full hostname, or the domain component of that hostname. In
360
other words, if the host that connected to your MX had an IP address that
361
mapped to 'sendinghost.spamassassin.org', you should specify
362
C<sendinghost.spamassassin.org> or just C<spamassassin.org> here.
364
Note that this requires that C<internal_networks> be correct. For simple cases,
365
it will be, but for a complex network you may get better results by setting that
358
a sender address, a relay's rDNS name or its IP address must match too
359
for the whitelisting rule to fire. The first parameter is a sender's e-mail
360
address to whitelist, and the second is a string to match the relay's rDNS,
361
or its IP address. Matching is case-insensitive.
363
This second parameter is matched against the TCP-info information field as
364
provided in a FROM clause of a trace information (i.e. the Received header
365
field, see RFC 5321). Only the Received header fields inserted by trusted
366
hosts are considered. This parameter can either be a full hostname, or the
367
domain component of that hostname, or an IP address in square brackets.
368
The reverse DNS lookup is done by a MTA, not by SpamAssassin.
370
In case of an IPv4 address in brackets, it may be truncated on classful
371
boundaries to cover whole subnets, e.g. C<[10.1.2.3]>, C<[10.1.2]>,
372
C<[10.1]>, C<[10]>. CIDR notation is currently not supported, nor is
373
IPv6. The matching on IP address is mainly provided to cover rare cases
374
where whitelisting of a sending MTA is desired which does not have a
375
correct reverse DNS configured.
377
In other words, if the host that connected to your MX had an IP address
378
192.0.2.123 that mapped to 'sendinghost.example.org', you should specify
379
C<sendinghost.example.org>, or C<example.org>, or C<[192.0.2.123]> or
382
Note that this requires that C<internal_networks> be correct. For simple
383
cases, it will be, but for a complex network you may get better results
384
by setting that parameter.
368
386
It also requires that your mail exchangers be configured to perform DNS
369
387
reverse lookups on the connecting host's IP address, and to record the
370
result in the generated Received: header.
388
result in the generated Received header field according to RFC 5321.
374
392
whitelist_from_rcvd joe@example.com example.com
375
393
whitelist_from_rcvd *@axkit.org sergeant.org
394
whitelist_from_rcvd *@axkit.org [192.0.2.123]
377
396
=item def_whitelist_from_rcvd addr@lists.sourceforge.net sourceforge.net
641
661
code => \&Mail::SpamAssassin::Conf::Parser::remove_addrlist_value
665
=item enlist_uri_host (listname) host ...
667
Adds one or more host names or domain names to a named list of URI domains.
668
The named list can then be consulted through a check_uri_host_listed()
669
eval rule implemented by the WLBLEval plugin, which takes the list name as
670
an argument. Parenthesis around a list name are literal - a required syntax.
672
Host names may optionally be prefixed by an exclamantion mark '!', which
673
produces false as a result if this entry matches. This makes it easier
674
to exclude some subdomains when their superdomain is listed, for example:
676
enlist_uri_host (MYLIST) !sub1.example.com !sub2.example.com example.com
678
No wildcards are supported, but subdomains do match implicitly. Lists
679
are independent. Search for each named list starts by looking up the
680
full hostname first, then leading fields are progressively stripped off
681
(e.g.: sub.example.com, example.com, com) until a match is found or we run
682
out of fields. The first matching entry (the most specific) determines if a
683
lookup yielded a true (no '!' prefix) or a false (with a '!' prefix) result.
685
If an URL found in a message contains an IP address in place of a host name,
686
the given list must specify the exact same IP address (instead of a host name)
689
Use the delist_uri_host directive to neutralize previous enlist_uri_host
692
Enlisting to lists named 'BLACK' and 'WHITE' have their shorthand directives
693
blacklist_uri_host and whitelist_uri_host and corresponding default rules,
694
but the names 'BLACK' and 'WHITE' are otherwise not special or reserved.
699
command => 'enlist_uri_host',
700
setting => 'uri_host_lists',
701
type => $CONF_TYPE_ADDRLIST,
703
my($conf, $key, $value, $line) = @_;
705
if ($value !~ /^ \( (.*?) \) \s+ (.*) \z/sx) {
706
return $MISSING_REQUIRED_VALUE;
708
my $listname = $1; # corresponds to arg in check_uri_host_in_wblist()
709
# note: must not factor out dereferencing, as otherwise
710
# subhashes would spring up in a copy and be lost
711
foreach my $host ( split(' ', lc $2) ) {
712
my $v = $host =~ s/^!// ? 0 : 1;
713
$conf->{uri_host_lists}{$listname}{$host} = $v;
718
=item delist_uri_host [ (listname) ] host ...
720
Removes one or more specified host names from a named list of URI domains.
721
Removing an unlisted name is ignored (is not an error). Listname is optional,
722
if specified then just the named list is affected, otherwise hosts are
723
removed from all URI host lists created so far. Parenthesis around a list
724
name are a required syntax.
726
Note that directives in configuration files are processed in sequence,
727
the delist_uri_host only applies to previously listed entries and has
728
no effect on enlisted entries in yet-to-be-processed directives.
730
For convenience (similarity to the enlist_uri_host directive) hostnames
731
may be prefixed by a an exclamation mark, which is stripped off from each
732
name and has no meaning here.
737
command => 'delist_uri_host',
738
setting => 'uri_host_lists',
739
type => $CONF_TYPE_ADDRLIST,
741
my($conf, $key, $value, $line) = @_;
743
if ($value !~ /^ (?: \( (.*?) \) \s+ )? (.*) \z/sx) {
744
return $MISSING_REQUIRED_VALUE;
746
my @listnames = defined $1 ? $1 : keys %{$conf->{uri_host_lists}};
747
my @args = split(' ', lc $2);
748
foreach my $listname (@listnames) {
749
foreach my $host (@args) {
750
my $v = $host =~ s/^!// ? 0 : 1;
751
delete $conf->{uri_host_lists}{$listname}{$host};
757
=item blacklist_uri_host host-or-domain ...
759
Is a shorthand for a directive: enlist_uri_host (BLACK) host ...
761
Please see directives enlist_uri_host and delist_uri_host for details.
766
command => 'blacklist_uri_host',
767
setting => 'uri_host_lists',
768
type => $CONF_TYPE_ADDRLIST,
770
my($conf, $key, $value, $line) = @_;
771
foreach my $host ( split(' ', lc $value) ) {
772
my $v = $host =~ s/^!// ? 0 : 1;
773
$conf->{uri_host_lists}{'BLACK'}{$host} = $v;
778
=item whitelist_uri_host host-or-domain ...
780
Is a shorthand for a directive: enlist_uri_host (BLACK) host ...
782
Please see directives enlist_uri_host and delist_uri_host for details.
787
command => 'whitelist_uri_host',
788
setting => 'uri_host_lists',
789
type => $CONF_TYPE_ADDRLIST,
791
my($conf, $key, $value, $line) = @_;
792
foreach my $host ( split(' ', lc $value) ) {
793
my $v = $host =~ s/^!// ? 0 : 1;
794
$conf->{uri_host_lists}{'WHITE'}{$host} = $v;
646
801
=head2 BASIC MESSAGE TAGGING OPTIONS
1019
1174
are not MXes or internal relays for your domain(s) they should B<only> be
1020
1175
specified in C<trusted_networks>.
1022
If a C</mask> is specified, it's considered a CIDR-style 'netmask', specified
1023
in bits. If it is not specified, but less than 4 octets are specified with a
1024
trailing dot, that's considered a mask to allow all addresses in the remaining
1025
octets. If a mask is not specified, and there is not trailing dot, then just
1026
the single IP address specified is used, as if the mask was C</32>.
1028
If a network or host address is prefaced by a C<!> the network or host will be
1029
excluded (or included) in a first listed match fashion.
1031
Note: 127/8 and ::1 are always included in trusted_networks, regardless of
1177
The C<IPaddress> can be an IPv4 address (in a dot-quad form), or an IPv6
1178
address optionally enclosed in square brackets. Scoped link-local IPv6
1179
addresses are syntactically recognized but the interface scope is currently
1180
ignored (e.g. [fe80::1234%eth0] ) and should be avoided.
1182
If a C</masklen> is specified, it is considered a CIDR-style 'netmask' length,
1183
specified in bits. If it is not specified, but less than 4 octets of an IPv4
1184
address are specified with a trailing dot, an implied netmask length covers
1185
all addresses in remaining octets (i.e. implied masklen is /8 or /16 or /24).
1186
If masklen is not specified, and there is not trailing dot, then just a single
1187
IP address specified is used, as if the masklen were C</32> with an IPv4
1188
address, or C</128> in case of an IPv6 address.
1190
If a network or host address is prefaced by a C<!> the matching network or
1191
host will be excluded from the list even if a less specific (shorter netmask
1192
length) subnet is later specified in the list. This allows a subset of
1193
a wider network to be exempt. In case of specifying overlapping subnets,
1194
specify more specific subnets first (tighter matching, i.e. with a longer
1195
netmask length), followed by less specific (shorter netmask length) subnets
1196
to get predictable results regarless of the search algorithm used - when
1197
Net::Patricia module is installed the search finds the tightest matching
1198
entry in the list, while a sequential search as used in absence of the
1199
module Net::Patricia will find the first matching entry in the list.
1201
Note: 127.0.0.0/8 and ::1 are always included in trusted_networks, regardless
1036
trusted_networks 192.168/16 # all in 192.168.*.*
1206
trusted_networks 192.168.0.0/16 # all in 192.168.*.*
1207
trusted_networks 192.168. # all in 192.168.*.*
1037
1208
trusted_networks 212.17.35.15 # just that host
1038
1209
trusted_networks !10.0.1.5 10.0.1/24 # all in 10.0.1.* but not 10.0.1.5
1039
trusted_networks DEAD:BEEF::/32 # all in that ipv6 prefix
1210
trusted_networks 2001:db8:1::1 !2001:db8:1::/64 2001:db8::/32
1211
# 2001:db8::/32 and 2001:db8:1::1/128, except the rest of 2001:db8:1::/64
1041
1213
This operates additively, so a C<trusted_networks> line after another one
1042
1214
will append new entries to the list of trusted networks. To clear out the
1280
1456
type => $CONF_TYPE_BOOL,
1283
=item dns_available { yes | test[: name1 name2...] | no } (default: test)
1285
By default, SpamAssassin will query some default hosts on the internet to
1286
attempt to check if DNS is working or not. The problem is that it can
1287
introduce some delay if your network connection is down, and in some cases it
1288
can wrongly guess that DNS is unavailable because the test connections failed.
1289
SpamAssassin includes a default set of 13 servers, among which 3 are picked
1292
You can however specify your own list by specifying
1294
dns_available test: domain1.tld domain2.tld domain3.tld
1296
Please note, the DNS test queries for NS records.
1459
=item dns_available { yes | no | test[: domain1 domain2...] } (default: yes)
1461
Tells SpamAssassin whether DNS resolving is available or not. A value I<yes>
1462
indicates DNS resolving is available, a value I<no> indicates DNS resolving
1463
is not available - both of these values apply unconditionally and skip initial
1464
DNS tests, which can be slow or unreliable.
1466
When the option value is a I<test> (with or without arguments), SpamAssassin
1467
will query some domain names on the internet during initialization, attempting
1468
to determine if DNS resolving is working or not. A space-separated list
1469
of domain names may be specified explicitly, or left to a built-in default
1470
of a dozen or so domain names. From an explicit or a default list a subset
1471
of three domain names is picked randomly for checking. The test queries for
1472
NS records of these domain: if at least one query returns a success then
1473
SpamAssassin considers DNS resolving as available, otherwise not.
1475
The problem is that the test can introduce some startup delay if a network
1476
connection is down, and in some cases it can wrongly guess that DNS is
1477
unavailable because a test connection failed, what causes disabling several
1478
DNS-dependent tests.
1480
Please note, the DNS test queries for NS records, so specify domain names,
1483
Since version 3.4.0 of SpamAssassin a default setting for option
1484
I<dns_available> is I<yes>. A default in older versions was I<test>.
1301
1489
setting => 'dns_available',
1303
1491
type => $CONF_TYPE_STRING,
1305
1493
my ($self, $key, $value, $line) = @_;
1306
if ($value =~ /^test(?::\s+.+)?$/) {
1494
if ($value =~ /^test(?::\s*\S.*)?$/) {
1307
1495
$self->{dns_available} = $value;
1309
1497
elsif ($value =~ /^(?:yes|1)$/) {
1509
=item dns_server ip-addr-port (default: entries provided by Net::DNS)
1511
Specifies an IP address of a DNS server, and optionally its port number.
1512
The I<dns_server> directive may be specified multiple times, each entry
1513
adding to a list of available resolving name servers. The I<ip-addr-port>
1514
argument can either be an IPv4 or IPv6 address, optionally enclosed in
1515
brackets, and optionally followed by a colon and a port number. In absence
1516
of a port number a standard port number 53 is assumed. When an IPv6 address
1517
is specified along with a port number, the address B<must> be enclosed in
1518
brackets to avoid parsing ambiguity regarding a colon separator,
1521
dns_server 127.0.0.1
1522
dns_server 127.0.0.1:53
1523
dns_server [127.0.0.1]:53
1526
In absence of I<dns_server> directives, the list of name servers is provided
1527
by Net::DNS module, which typically obtains the list from /etc/resolv.conf,
1528
but this may be platform dependent. Please consult the Net::DNS::Resolver
1529
documentation for details.
1534
setting => 'dns_server',
1535
type => $CONF_TYPE_STRING,
1537
my ($self, $key, $value, $line) = @_;
1538
my($address,$port); local($1,$2,$3);
1539
if ($value =~ /^(?: \[ ([^\]]*) \] | ([^:]*) ) : (\d+) \z/sx) {
1540
$address = defined $1 ? $1 : $2; $port = $3;
1541
} elsif ($value =~ /^(?: \[ ([^\]]*) \] | ([0-9a-fA-F.:]+) ) \z/sx) {
1542
$address = defined $1 ? $1 : $2; $port = '53';
1544
return $INVALID_VALUE;
1546
my $IP_ADDRESS = IP_ADDRESS;
1547
if ($address =~ /$IP_ADDRESS/ && $port >= 1 && $port <= 65535) {
1548
$self->{dns_servers} = [] if !$self->{dns_servers};
1549
# checked, untainted, stored in a normalized form
1550
push(@{$self->{dns_servers}}, untaint_var("[$address]:$port"));
1552
return $INVALID_VALUE;
1557
=item clear_dns_servers
1559
Empty the list of explicitly configured DNS servers through a I<dns_server>
1560
directive, falling back to Net::DNS -supplied defaults.
1565
setting => 'clear_dns_servers',
1566
type => $CONF_TYPE_NOARGS,
1568
my ($self, $key, $value, $line) = @_;
1569
unless (!defined $value || $value eq '') {
1570
return $INVALID_VALUE;
1572
undef $self->{dns_servers};
1576
=item dns_local_ports_permit ranges...
1578
Add the specified ports or ports ranges to the set of allowed port numbers
1579
that can be used as local port numbers when sending DNS queries to a resolver.
1581
The argument is a whitespace-separated or a comma-separated list of
1582
single port numbers n, or port number pairs (i.e. m-n) delimited by a '-',
1583
representing a range. Allowed port numbers are between 1 and 65535.
1585
Directives I<dns_local_ports_permit> and I<dns_local_ports_avoid> are processed
1586
in order in which they appear in configuration files. Each directive adds
1587
(or subtracts) its subsets of ports to a current set of available ports.
1588
Whatever is left in the set by the end of configuration processing
1589
is made available to a DNS resolving client code.
1591
If the resulting set of port numbers is empty (see also the directive
1592
I<dns_local_ports_none>), then SpamAssassin does not apply its ports
1593
randomization logic, but instead leaves the operating system to choose
1594
a suitable free local port number.
1596
The initial set consists of all port numbers in the range 1024-65535.
1597
Note that system config files already modify the set and remove all the
1598
IANA registered port numbers and some other ranges, so there is rarely
1599
a need to adjust the ranges by site-specific directives.
1601
See also directives I<dns_local_ports_permit> and I<dns_local_ports_none>.
1606
setting => 'dns_local_ports_permit',
1607
type => $CONF_TYPE_STRING,
1610
my($self, $key, $value, $line) = @_;
1611
my(@port_ranges); local($1,$2);
1612
foreach my $range (split(/[ \t,]+/, $value)) {
1613
if ($range =~ /^(\d{1,5})\z/) {
1614
# don't allow adding a port number 0
1615
if ($1 < 1 || $1 > 65535) { return $INVALID_VALUE }
1616
push(@port_ranges, [$1,$1]);
1617
} elsif ($range =~ /^(\d{1,5})-(\d{1,5})\z/) {
1618
if ($1 < 1 || $1 > 65535) { return $INVALID_VALUE }
1619
if ($2 < 1 || $2 > 65535) { return $INVALID_VALUE }
1620
push(@port_ranges, [$1,$2]);
1622
return $INVALID_VALUE;
1625
foreach my $p (@port_ranges) {
1626
undef $self->{dns_available_portscount}; # invalidate derived data
1627
set_ports_range(\$self->{dns_available_ports_bitset},
1628
$p->[0], $p->[1], 1);
1633
=item dns_local_ports_avoid ranges...
1635
Remove specified ports or ports ranges from the set of allowed port numbers
1636
that can be used as local port numbers when sending DNS queries to a resolver.
1638
Please see directive I<dns_local_ports_permit> for details.
1643
setting => 'dns_local_ports_avoid',
1644
type => $CONF_TYPE_STRING,
1647
my($self, $key, $value, $line) = @_;
1648
my(@port_ranges); local($1,$2);
1649
foreach my $range (split(/[ \t,]+/, $value)) {
1650
if ($range =~ /^(\d{1,5})\z/) {
1651
if ($1 > 65535) { return $INVALID_VALUE }
1652
# don't mind clearing also the port number 0
1653
push(@port_ranges, [$1,$1]);
1654
} elsif ($range =~ /^(\d{1,5})-(\d{1,5})\z/) {
1655
if ($1 > 65535 || $2 > 65535) { return $INVALID_VALUE }
1656
push(@port_ranges, [$1,$2]);
1658
return $INVALID_VALUE;
1661
foreach my $p (@port_ranges) {
1662
undef $self->{dns_available_portscount}; # invalidate derived data
1663
set_ports_range(\$self->{dns_available_ports_bitset},
1664
$p->[0], $p->[1], 0);
1669
=item dns_local_ports_none
1671
Is a fast shorthand for:
1673
dns_local_ports_avoid 1-65535
1675
leaving the set of available DNS query local port numbers empty. In all
1676
respects (apart from speed) it is equivalent to the shown directive, and can
1677
be freely mixed with I<dns_local_ports_permit> and I<dns_local_ports_avoid>.
1679
If the resulting set of port numbers is empty, then SpamAssassin does not
1680
apply its ports randomization logic, but instead leaves the operating system
1681
to choose a suitable free local port number.
1683
See also directives I<dns_local_ports_permit> and I<dns_local_ports_avoid>.
1688
setting => 'dns_local_ports_none',
1689
type => $CONF_TYPE_NOARGS,
1692
my ($self, $key, $value, $line) = @_;
1693
unless (!defined $value || $value eq '') {
1694
return $INVALID_VALUE;
1696
undef $self->{dns_available_portscount}; # invalidate derived data
1697
wipe_ports_range(\$self->{dns_available_ports_bitset}, 0);
1321
1701
=item dns_test_interval n (default: 600 seconds)
1323
If dns_available is set to 'test' (which is the default), the dns_test_interval
1324
time in number of seconds will tell SpamAssassin how often to retest for working DNS.
1703
If dns_available is set to I<test>, the dns_test_interval time in number
1704
of seconds will tell SpamAssassin how often to retest for working DNS.
1705
A numeric value is optionally suffixed by a time unit (s, m, h, d, w,
1706
indicating seconds (default), minutes, hours, days, weeks).
1329
1711
setting => 'dns_test_interval',
1330
1712
default => 600,
1331
type => $CONF_TYPE_NUMERIC,
1333
my ($self, $key, $value, $line) = @_;
1334
if ($value !~ /^\d+$/) { return $INVALID_VALUE; }
1335
$self->{dns_test_interval} = $value;
1713
type => $CONF_TYPE_DURATION,
1339
=item dns_options rotate (default: empty)
1341
If set to 'rotate', this causes SpamAssassin to choose a DNS server at random
1342
from all servers listed in C</etc/resolv.conf> every 'dns_test_interval'
1716
=item dns_options opts (default: norotate, nodns0x20, edns=4096)
1718
Provides a (whitespace or comma -separated) list of options applying
1719
to DNS resolving. Available options are: I<rotate>, I<dns0x20> and
1720
I<edns> (or I<edns0>). Option name may be negated by prepending a I<no>
1721
(e.g. I<norotate>, I<NoEDNS>) to counteract a previously enabled option.
1722
Option names are not case-sensitive. The I<dns_options> directive may
1723
appear in configuration files multiple times, the last setting prevails.
1725
Option I<edns> (or I<edsn0>) may take a value which specifies a requestor's
1726
acceptable UDP payload size according to EDNS0 specifications (RFC 6891,
1727
ex RFC 2671) e.g. I<edns=4096>. When EDNS0 is off (I<noedns> or I<edns=512>)
1728
a traditional implied UDP payload size is 512 bytes, which is also a minimum
1729
allowed value for this option. When the option is specified but a value
1730
is not provided, a conservative default of 1220 bytes is implied. It is
1731
recommended to keep I<edns> enabled when using a local recursive DNS server
1732
which supports EDNS0 (like most modern DNS servers do), a suitable setting
1733
in this case is I<edns=4096>, which is also a default. Allowing UDP payload
1734
size larger than 512 bytes can avoid truncation of resource records in large
1735
DNS responses (like in TXT records of some SPF and DKIM responses, or when
1736
an unreasonable number of A records is published by some domain). The option
1737
should be disabled when a recursive DNS server is only reachable through
1738
non- RFC 6891 compliant middleboxes (such as some old-fashioned firewall)
1739
which bans DNS UDP payload sizes larger than 512 bytes. A suitable value
1740
when a non-local recursive DNS server is used and a middlebox B<does> allow
1741
EDNS0 but blocks fragmented IP packets is perhaps 1220 bytes, allowing a
1742
DNS UDP packet to fit within a single IP packet in most cases (a slightly
1743
less conservative range would be 1280-1410 bytes).
1745
Option I<rotate> causes SpamAssassin to choose a DNS server at random
1746
from all servers listed in C</etc/resolv.conf> every I<dns_test_interval>
1343
1747
seconds, effectively spreading the load over all currently available DNS
1344
1748
servers when there are many spamd workers.
1750
Option I<dns0x20> enables randomization of letters in a DNS query label
1751
according to draft-vixie-dnsext-dns0x20, decreasing a chance of collisions
1752
of responses (by chance or by a malicious intent) by increasing spread
1753
as provided by a 16-bit query ID and up to 16 bits of a port number,
1754
with additional bits as encoded by flipping case (upper/lower) of letters
1755
in a query. The number of additional random bits corresponds to the number
1756
of letters in a query label. Should work reliably with all mainstream
1757
DNS servers - do not turn on if you see frequent info messages
1758
"dns: no callback for id:" in the log, or if RBL or URIDNS lookups
1759
do not work for no apparent reason.
1350
1765
type => $CONF_TYPE_HASH_KEY_VALUE,
1352
1767
my ($self, $key, $value, $line) = @_;
1353
my $allowed_opts = "rotate";
1355
foreach my $option (split (/\s+/, $value)) {
1356
if ($allowed_opts !~ /^$option$/) { return $INVALID_VALUE; }
1357
else { $self->{dns_options}->{$option} = 1; }
1768
foreach my $option (split (/[\s,]+/, lc $value)) {
1770
if ($option =~ /^no(rotate|dns0x20)\z/) {
1771
$self->{dns_options}->{$1} = 0;
1772
} elsif ($option =~ /^no(edns)0?\z/) {
1773
$self->{dns_options}->{$1} = 0;
1774
} elsif ($option =~ /^(rotate|dns0x20)\z/) {
1775
$self->{dns_options}->{$1} = 1;
1776
} elsif ($option =~ /^(edns)0? (?: = (\d+) )? \z/x) {
1777
# RFC 6891 (ex RFC 2671) - EDNS0, value is a requestor's UDP payload
1778
# size, defaults to some UDP packet size likely to fit into a single
1779
# IP packet which is more likely to pass firewalls which choke on IP
1780
# fragments. RFC 2460: min MTU is 1280 for IPv6, minus 40 bytes for
1781
# basic header, yielding 1240. RFC 3226 prescribes a min of 1220 for
1782
# RFC 2535 compliant servers. RFC 6891: choosing between 1280 and
1783
# 1410 bytes for IP (v4 or v6) over Ethernet would be reasonable.
1785
$self->{dns_options}->{$1} = $2 || 1220;
1786
return $INVALID_VALUE if $self->{dns_options}->{$1} < 512;
1788
return $INVALID_VALUE;
1794
=item dns_query_restriction (allow|deny) domain1 domain2 ...
1796
Option allows disabling of rules which would result in a DNS query to one of
1797
the listed domains. The first argument must be a literal C<allow> or C<deny>,
1798
remaining arguments are domains names.
1800
Most DNS queries (with some exceptions) are subject to dns_query_restriction.
1801
A domain to be queried is successively stripped-off of its leading labels
1802
(thus yielding a series of its parent domains), and on each iteration a
1803
check is made against an associative array generated by dns_query_restriction
1804
options. Search stops at the first match (i.e. the tightest match), and the
1805
matching entry with its C<allow> or C<deny> value then controls whether a
1806
DNS query is allowed to be launched.
1808
If no match is found an implicit default is to allow a query. The purpose of
1809
an explicit C<allow> entry is to be able to override a previously configured
1810
C<deny> on the same domain or to override an entry (possibly yet to be
1811
configured in subsequent config directives) on one of its parent domains.
1812
Thus an 'allow zen.spamhaus.org' with a 'deny spamhaus.org' would permit
1813
DNS queries on a specific DNS BL zone but deny queries to other zones under
1814
the same parent domain.
1816
Domains are matched case-insensitively, no wildcards are recognized,
1817
there should be no leading or trailing dot.
1819
Specifying a block on querying a domain name has a similar effect as setting
1820
a score of corresponding DNSBL and URIBL rules to zero, and can be a handy
1821
alternative to hunting for such rules when a site policy does not allow
1822
certain DNS block lists to be queried.
1825
dns_query_restriction deny dnswl.org surbl.org
1826
dns_query_restriction allow zen.spamhaus.org
1827
dns_query_restriction deny spamhaus.org mailspike.net spamcop.net
1832
setting => 'dns_query_restriction',
1833
type => $CONF_TYPE_STRING,
1835
my ($self, $key, $value, $line) = @_;
1836
defined $value && $value =~ s/^(allow|deny)\s+//i
1837
or return $INVALID_VALUE;
1838
my $blocked = lc($1) eq 'deny' ? 1 : 0;
1839
foreach my $domain (split(' ', $value)) {
1840
$domain =~ s/^\.//; $domain =~ s/\.\z//; # strip dots
1841
$self->{dns_query_blocked}{lc $domain} = $blocked;
1846
=item clear_dns_query_restriction
1848
The option removes any entries entered by previous 'dns_query_restriction'
1849
options, leaving the list empty, i.e. allowing DNS queries for any domain
1850
(including any DNS BL zone).
1855
setting => 'clear_dns_query_restriction',
1856
aliases => ['clear_dns_query_restrictions'],
1857
type => $CONF_TYPE_NOARGS,
1859
my ($self, $key, $value, $line) = @_;
1860
return $INVALID_VALUE if defined $value && $value ne '';
1861
delete $self->{dns_query_blocked};
1603
2107
type => $CONF_TYPE_BOOL,
2110
=item bayes_token_ttl (default: 3w, i.e. 3 weeks)
2112
Time-to-live / expiration time in seconds for tokens kept in a Bayes database.
2113
A numeric value is optionally suffixed by a time unit (s, m, h, d, w,
2114
indicating seconds (default), minutes, hours, days, weeks).
2116
If bayes_auto_expire is true and a Bayes datastore backend supports it
2117
(currently only Redis), this setting controls deletion of expired tokens
2118
from a bayes database. The value is observed on a best-effort basis, exact
2119
timing promises are not necessarily kept. If a bayes datastore backend
2120
does not implement individual key/value expirations, the setting is silently
2126
setting => 'bayes_token_ttl',
2127
default => 3*7*24*60*60, # seconds (3 weeks)
2128
type => $CONF_TYPE_DURATION,
2131
=item bayes_seen_ttl (default: 8d, i.e. 8 days)
2133
Time-to-live / expiration time in seconds for 'seen' entries
2134
(i.e. mail message digests with their status) kept in a Bayes database.
2135
A numeric value is optionally suffixed by a time unit (s, m, h, d, w,
2136
indicating seconds (default), minutes, hours, days, weeks).
2138
If bayes_auto_expire is true and a Bayes datastore backend supports it
2139
(currently only Redis), this setting controls deletion of expired 'seen'
2140
entries from a bayes database. The value is observed on a best-effort basis,
2141
exact timing promises are not necessarily kept. If a bayes datastore backend
2142
does not implement individual key/value expirations, the setting is silently
2148
setting => 'bayes_seen_ttl',
2149
default => 8*24*60*60, # seconds (8 days)
2150
type => $CONF_TYPE_DURATION,
1606
2153
=item bayes_learn_to_journal (default: 0)
1608
2155
If this option is set, whenever SpamAssassin does Bayes learning, it