Current File : //var/qmail/man/man8/qmail-smtpd.8

.TH qmail-smtpd 8
.SH NAME
qmail-smtpd \- receive mail via SMTP
.SH SYNOPSIS
.B qmail-smtpd
.SH DESCRIPTION
.B qmail-smtpd
receives mail messages via the Simple Mail Transfer Protocol (SMTP)
and invokes
.B qmail-queue
to deposit them into the outgoing queue.
.B qmail-smtpd
must be supplied several environment variables;
see
.BR tcp-environ(5) .

If the environment variable
.B SMTPS
is non-empty,
.B qmail-smtpd
starts a TLS session (to support the deprecated SMTPS protocol,
normally on port 465). Otherwise,
.B qmail-smtpd
offers the STARTTLS extension to ESMTP.

.B qmail-smtpd
is responsible for counting hops.
It rejects any message with 100 or more 
.B Received
or
.B Delivered-To
header fields.

.B qmail-smtpd
supports ESMTP, including the 8BITMIME, DATA, PIPELINING, SIZE, and AUTH options.
.B qmail-smtpd
includes a \'MAIL FROM:\' parameter parser and obeys \'Auth\' and \'Size\' advertisements.
.B qmail-smtpd
can accept LOGIN, PLAIN, and CRAM-MD5 AUTH types. It invokes
.IR checkprogram ,
which reads on file descriptor 3 the username, a 0 byte, the password
or CRAM-MD5 digest/response derived from the SMTP client,
another 0 byte, a CRAM-MD5 challenge (if applicable to the AUTH type),
and a final 0 byte.
.I checkprogram
invokes
.I subprogram
upon successful authentication, which should in turn return 0 to
.BR qmail-smtpd ,
effectively setting the environment variables $RELAYCLIENT and $TCPREMOTEINFO
(any supplied value replaced with the authenticated username).
.B qmail-smtpd
will reject the authentication attempt if it receives a nonzero return
value from
.I checkprogram
or
.IR subprogram .

.SH TRANSPARENCY
.B qmail-smtpd
converts the SMTP newline convention into the UNIX newline convention
by converting CR LF into LF.
It returns a temporary error and drops the connection on bare LFs;
see
.BR http://pobox.com/~djb/docs/smtplf.html .

.B qmail-smtpd
accepts messages that contain long lines or non-ASCII characters,
even though such messages violate the SMTP protocol.
.SH "CONTROL FILES"
.TP 5
.I badhelo
Unacceptable HELO/EHLO host names.
.B qmail-smtpd
will reject every recipient address for a message if
the host name is listed in, 
or matches a POSIX regular expression pattern listed in,
.IR badhelo .
If the 
.B NOBADHELO 
environment variable is set, then the contents of 
.IR badhelo 
will be ignored.
For more information, please have a look at doc/README.qregex.
.TP 5
.I badmailfrom
Unacceptable envelope sender addresses.
.B qmail-smtpd
will reject every recipient address for a message
if the envelope sender address is listed in, or matches a POSIX regular expression
pattern listed in,
.IR badmailfrom .
A line in
.I badmailfrom
may be of the form
.BR @\fIhost ,
meaning every address at
.IR host .
For more information, please have a look at doc/README.qregex.
.TP 5
.I badmailfromnorelay
Functions the same as the
.IR badmailfrom
control file but is read only if the 
.B RELAYCLIENT 
environment variable is not set.
For more information, please have a look at doc/README.qregex.
.TP 5
.I badmailto
Unacceptable envelope recipient addresses.
.B qmail-smtpd
will reject every recipient address for a message if the recipient address
is listed in,
or matches a POSIX regular expression pattern listed in,
.IR badmailto .
For more information, please have a look at doc/README.qregex.
.TP 5
.I badmailtonorelay
Functions the same as the
.IR badmailto
control file but is read only if the
.B RELAYCLIENT
environment variable is not set.
For more information, please have a look at doc/README.qregex.

.TP 5
.I clientca.pem
A list of Certifying Authority (CA) certificates that are used to verify
the client-presented certificates during a TLS-encrypted session.

.TP 5
.I clientcrl.pem
A list of Certificate Revocation Lists (CRLs). If present it
should contain the CRLs of the CAs in 
.I clientca.pem 
and client certs will be checked for revocation.

.TP 5
.I databytes
Maximum number of bytes allowed in a message,
or 0 for no limit.
Default: 0.
If a message exceeds this limit,
.B qmail-smtpd
returns a permanent error code to the client;
in contrast, if
the disk is full or
.B qmail-smtpd
hits a resource limit,
.B qmail-smtpd
returns a temporary error code.

.I databytes
counts bytes as stored on disk, not as transmitted through the network.
It does not count the
.B qmail-smtpd
Received line, the
.B qmail-queue
Received line, or the envelope.

If the environment variable
.B DATABYTES
is set, it overrides
.IR databytes .

.TP 5
.I dh1024.pem
If these 1024 bit DH parameters are provided,
.B qmail-smtpd
will use them for TLS sessions instead of generating one on-the-fly 
(which is very timeconsuming).
.TP 5
.I dh512.pem
512 bit counterpart for 
.B dh1024.pem. 

.TP 5
.I localiphost
Replacement host name for local IP addresses.
Default:
.IR me ,
if that is supplied.
.B qmail-smtpd
is responsible for recognizing dotted-decimal addresses for the
current host.
When it sees a recipient address of the form
.IR box@[d.d.d.d] ,
where
.I d.d.d.d
is a local IP address,
it replaces
.IR [d.d.d.d]
with
.IR localiphost .
This is done before
.IR rcpthosts .
.TP 5
.I morercpthosts
Extra allowed RCPT domains.
If
.I rcpthosts
and
.I morercpthosts
both exist,
.I morercpthosts
is effectively appended to
.IR rcpthosts .

You must run
.B qmail-newmrh
whenever
.I morercpthosts
changes.

Rule of thumb for large sites:
Put your 50 most commonly used domains into
.IR rcpthosts ,
and the rest into
.IR morercpthosts .
.TP 5
.I rcpthosts
Allowed RCPT domains.
If
.I rcpthosts
is supplied,
.B qmail-smtpd
will reject
any envelope recipient address with a domain not listed in
.IR rcpthosts .

Exception:
If the environment variable
.B RELAYCLIENT
is set,
.B qmail-smtpd
will ignore
.IR rcpthosts ,
and will append the value of
.B RELAYCLIENT
to each incoming recipient address.

.I rcpthosts
may include wildcards:

.EX
   heaven.af.mil
   .heaven.af.mil
.EE

Envelope recipient addresses without @ signs are
always allowed through.

.TP 5
.I rsa512.pem
If this 512 bit RSA key is provided,
.B qmail-smtpd
will use it for TLS sessions instead of generating one on-the-fly.

.TP 5
.I servercert.pem
SSL certificate to be presented to clients in TLS-encrypted sessions. 
Should contain both the certificate and the private key. Certifying Authority
(CA) and intermediate certificates can be added at the end of the file.

.TP 5
.I smtpgreeting
SMTP greeting message.
Default:
.IR me ,
if that is supplied;
otherwise
.B qmail-smtpd
will refuse to run.
The first word of
.I smtpgreeting
should be the current host's name.
.TP 5
.I timeoutsmtpd
Number of seconds
.B qmail-smtpd
will wait for each new buffer of data from the remote SMTP client.
Default: 1200.
.TP 5
.I spfbehavior
Set to a value between 1 and 6 to enable SPF checks; 0 to disable.
1 selects 'annotate-only' mode, where
.B qmail-smtpd
will annotate incoming email with
.B Received-SPF
fields, but will not reject any messages.  2 will produce temporary
failures on DNS lookup problems so you can make sure you always have
meaningful Received-SPF headers.  3 selects 'reject' mode,
where incoming mail will be rejected if the SPF record says 'fail'.  4
selects a more stricter rejection mode, which is like 'reject' mode,
except that incoming mail will also be rejected when the SPF record
says 'softfail'.  5 will also reject when the SPF record says 'neutral',
and 6 if no SPF records are available at all (or a syntax error was
encountered). The contents of this file are overridden by the value of
the
.B SPFBEHAVIOR
environment variable, if set.
Default: 0.
.TP 5
.I spfexp
You can add a line with a an SPF explanation that will be shown to the
sender in case of a reject. It will override the default one. You can
use SPF macro expansion.
.TP 5
.I spfguess
You can add a line with SPF rules that will be checked if a sender
domain doesn't have a SPF record. The local rules will also be used
in this case.
.TP 5
.I spfrules
You can add a line with SPF rules that will be checked before other SPF
rules would fail.  This can be used to always allow certain machines to
send certain mails.
.TP 5
.I spamt
The spam throttle parameters file.  See
.BR qmail-newst (8)
and
.BR qmail-spamt (5)
for details.



.TP 5
.I tlsclients
A list of email addresses. When relay rules would reject an incoming message,
.B qmail-smtpd
can allow it if the client presents a certificate that can be verified against
the CA list in
.I clientca.pem
and the certificate email address is in
.IR tlsclients .

.TP 5
.I tlsserverciphers
A set of OpenSSL cipher strings. Multiple ciphers contained in a
string should be separated by a colon. If the environment variable
.B TLSCIPHERS
is set to such a string, it takes precedence.

.SH "SEE ALSO"
tcp-env(1),
tcp-environ(5),
qmail-control(5),
qmail-spamt(5),
qmail-spamthrottle(5)
qmail-inject(8),
qmail-newmrh(8),
qmail-newst(8),
qmail-queue(8),
qmail-remote(8)