Haraka 3.0.1 → 3.0.3

package/Changes.md

@@ -1,6 +1,60 @@
 
 ### Unreleased
 
+### [3.0.3] - 2024-02-07
+
+#### Added
+
+- feat(auth_vpopmaild): when outbound, assure the envelope domain matches AUTH domain #3265
+- docs(outbound): remove example setting outbound_ip #3253
+- doc(Plugins.md): add pi-queue-kafka #3247
+- feat(rabbitmq_amqplib): configurable optional queue arguments #3239
+- feat(clamd): add x-haraka-virus header #3207
+
+#### Fixed
+
+- Fix: add empty string as param to .join() on bounce. #3237
+- Update links in documentation #3234
+- fix(ob/hmail):Add filename to the error for easy debugging
+- fix(ob/queue): Ignore 'error.' prefixed files in the queue because corrupted
+
+#### Changed
+
+- docs(outbound): remove example of outbound_ip #3253
+- transaction: simplify else condition in add_data #3252
+- q/smtp_forward: always register get_mx hook #3204
+- dep(pi-es): bump version to 8.0.2 #3206
+- dep(redis): bump version to 4.6.7 #3193
+- dep(pi-spf): bump version to 1.2.4
+- dep(net-utils): bump version to 1.5.3
+- dep(pi-redis): bump version to 2.0.6
+- dep(tld): bump version to 1.2.0
+- remove defunct config files: lookup_rdns.strict.ini, lookup_rdns.strict.timeout, lookup_rdns.strict.whitelist, lookup_rdns.strict.whitelist_regex, rcpt_to.blocklist, rdns.allow_regexps, rdns.deny_regexps
+
+
+### [3.0.2] - 2023-06-12
+
+#### Fixed
+
+- feat(q_forward): add LMTP routing handling #3199
+- chore(q_forward): tighten up queue.wants handling #3199
+- doc(q_forward): improve markdown formatting #3199
+- helo.checks: several fixes, #3191
+- q/smtp_forward: correct path to next_hop #3186
+- don't leak addr parsing errors into SMTP conversation #3185
+- connection: handle dns.reverse invalid throws on node v20 #3184
+- rename redis command setex to setEx #3181
+
+#### Changed
+
+- test(helo.checks): add regression tests for #3191 #3195
+- connection: handle dns.reverse invalid throws on node v20
+- build(deps): bump ipaddr.js from 2.0.1 to 2.1.0 #3194
+- chore: bump a few dependency versions #3184
+- dns_list_base: avoid test failure when public DNS used #3184
+- doc(outbound.ini) update link #3159
+- doc(clamd.md) fixed spelling error #3155
+
 
 ### [3.0.1] - 2023-01-19
 
@@ -1345,3 +1399,5 @@
 
 [3.0.0]: https://github.com/haraka/Haraka/releases/tag/3.0.0
 [3.0.1]: https://github.com/haraka/Haraka/releases/tag/3.0.1
+[3.0.2]: https://github.com/haraka/Haraka/releases/tag/3.0.2
+[3.0.3]: https://github.com/haraka/Haraka/releases/tag/3.0.3

package/Dockerfile

@@ -13,7 +13,7 @@
 # DOCKER-VERSION    0.5.3
 
 # See http://phusion.github.io/baseimage-docker/
-FROM phusion/baseimage:master
+FROM phusion/baseimage:focal-1.2.0
 
 MAINTAINER Justin Plock <jplock@gmail.com>
 
@@ -23,8 +23,8 @@ RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
 
 RUN sed 's/main$/main universe/' -i /etc/apt/sources.list
 RUN DEBIAN_FRONTEND=noninteractive apt-get -y -q update
-RUN DEBIAN_FRONTEND=noninteractive apt-get -y -q install python-software-properties g++ make git curl
-RUN curl -sL https://deb.nodesource.com/setup_10.x | setuser root bash -
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y -q install software-properties-common g++ make git curl
+RUN curl -sL https://deb.nodesource.com/setup_18.x | setuser root bash -
 RUN DEBIAN_FRONTEND=noninteractive apt-get -y -q install nodejs && \
     apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 

package/Plugins.md

@@ -3,7 +3,7 @@
 To create your own plugin, see:
 - the [plugin template][template] that includes all the boilerplate
 - the [Write a Plugin][write-plugin] tutorial
-- the [Plugins](plugins-doc) section of [the manual](https://haraka.github.io)
+- the [Plugins][plugins-doc] section of [the manual](https://haraka.github.io)
 
 ## Installing NPM packaged plugins
 
@@ -40,7 +40,6 @@ Create a PR adding yours to this list.
 | [block_me][url-blockme]     | Populate block list via forwarded emails |
 | [bounce][url-bounce]        | Many options for bounce processing |
 | [clamd][url-clamd]          | Anti-Virus scanning with ClamAV |
-| [connect.p0f][url-p0f]      | TCP Fingerprinting |
 | [data.signatures][url-sigs] | Block emails whose bodies match signatures |
 | [uribl][url-uribl]          | Block based on URI blacklists |
 | [dcc][url-dcc]              | Distributed Checksum Clearinghouse |
@@ -70,6 +69,7 @@ Create a PR adding yours to this list.
 | [milter][url-milter]              | milter support |
 | [mongodb][mongo-url]              | Queue emails to MongoDB |
 | [outbound-logger][url-outbound-logger] | JSON logging of outbound email traffic. Logs useful metadata about delivered/bounced emails |
+| [p0f][url-p0f]              | TCP Fingerprinting |
 | [prevent_credential_leaks][url-creds]  | Prevent users from emailing their credentials |
 | [process_title][url-proctitle]    | Populate `ps` output with activity counters |
 | queue/[discard][url-qdisc]        | queues messages to /dev/null |
@@ -82,6 +82,7 @@ Create a PR adding yours to this list.
 | queue/[smtp_bridge][url-qbridge]   | Bridge SMTP sessions to another MTA |
 | queue/[smtp_forward][url-qforward] | Forward emails to another MTA |
 | queue/[smtp_proxy][url-qproxy]     | Proxy SMTP connections to another MTA |
+| [queue-kafka][url-kafka]           | Queue inbound mail to a Kafka topic |
 | [recipient-routes][url-rroutes]    | Route emails based on their recipient(s) |
 | [redis][url-redis]                 | multi-purpose Redis db connection(s) |
 | [rcpt_to.in_host_list][url-rhost]  | Define local email domains in a file |
@@ -109,7 +110,7 @@ Create a PR adding yours to this list.
 
 [template]: https://github.com/haraka/haraka-plugin-template
 [write-plugin]: https://github.com/haraka/Haraka/wiki/Write-a-Plugin
-[plugins-doc]: https://haraka.github.io/manual/Plugins.html
+[plugins-doc]: https://haraka.github.io/core/Plugins
 [url-access]: https://github.com/haraka/haraka-plugin-access
 [url-acc-files]: https://github.com/acharkizakaria/haraka-plugin-accounting-files/blob/master/README.md
 [url-action-mailbox]: https://guides.rubyonrails.org/action_mailbox_basics.html
@@ -192,4 +193,4 @@ Create a PR adding yours to this list.
 [url-xclient]: https://github.com/haraka/Haraka/blob/master/docs/plugins/xclient.md
 [mongo-url]: https://github.com/Helpmonks/haraka-plugin-mongodb
 [url-outbound-logger]: https://github.com/mr-karan/haraka-plugin-outbound-logger
-
+[url-kafka]: https://github.com/benjamonnguyen/haraka-plugin-queue-kafka

package/README.md

@@ -140,10 +140,10 @@ SpamAssassin and a hacker on [Qpsmtpd][13].
 [6]: https://github.com/haraka/Haraka/blob/master/docs/plugins/dkim_sign.md
 [7]: https://en.wikipedia.org/wiki/Mail_delivery_agent
 [8]: mailto:haraka-sub@harakamail.com
-[9]: https://haraka.github.io/manual/plugins/spamassassin.html
-[10]: https://haraka.github.io/manual/plugins/helo.checks.html
-[11]: https://haraka.github.io/manual/plugins/dnsbl.html
-[12]: https://github.com/haraka/Haraka/tree/master/plugins
+[9]:  https://haraka.github.io/plugins/spamassassin
+[10]: https://haraka.github.io/plugins/helo.checks
+[11]: https://haraka.github.io/plugins/dnsbl
+[12]: https://github.com/haraka/Haraka/blob/master/Plugins.md
 [13]: https://github.com/smtpd/qpsmtpd/
 [15]: https://github.com/haraka/Haraka/issues
 [16]: https://github.com/haraka/Haraka/blob/master/LICENSE

package/TODO

@@ -1,8 +1,6 @@
 - Milter support
 - Ability to modify the body of email
     - Done for banners. Modifying the rest, not so much.
-- Plugins to copy from Qpsmtpd:
-  - dspam
 
 Outbound improvements
  - Provide better command line tools for manipulating/inspecting the queue
@@ -16,29 +14,8 @@ Plugin behavior changes
    only when requested, with a sunset date.
  - data.uribl; expand short URLs before lookups, add support for uri-a (sbl.spamhaus.org), uri-ns, uri-ns-a lookup types.
 
-
-Remove the following deprecated plugins
- - rdns.regexp
- - data.nomsgid         (subsumed into data.headers.js)
- - data.noreceived               ""
- - data.rfc5322_header_checks    ""
- - daemonize
- - mail_from.nobounces  (subsumed into bounce.js)
- - mail_from.blocklist
- - rcpt_to.blocklist
- - lookup_rdns_strict
- - mail_from.access     (replaced by access.js)
- - rcpt_to.access                 ""
- - connect.rdns_access            ""
- - relay_acl            (replaced by relay.js)
- - relay_all                      ""
- - relay_force_routing            ""
-
-Move the following plugins:
- - test_queue   -> queue/test_queue
-
 Built-in HTTP server
-- uses the same TLS/SSL certs as smtpd
+- use the same TLS/SSL certs as smtpd
 - auth against SMTP-AUTH provider
 
 Update tests to detect HARAKA_NETWORK_TESTS and skip network tests unless it's set

package/config/access.domains

@@ -10,4 +10,4 @@
 # aol.com
 # !friend@aol.com
 #
-# See full docs for details:  http://haraka.github.io/manual/plugins/access.html
+# See full docs for details:  http://haraka.github.io/plugins/access

package/config/auth_flat_file.ini

@@ -1,5 +1,6 @@
 [core]
 methods=CRAM-MD5
+; constrain_sender=true
 
 [users]
 ; matt=test

package/config/auth_vpopmaild.ini

@@ -1,7 +1,9 @@
+[main]
 host=127.0.0.6
 port=89
-;sysadmin=postmaster@example.com:sekret
+; sysadmin=postmaster@example.com:sekret
+; constrain_sender=true
 
 [example.com]
 host=127.0.0.10
-;sysadmin=postmaster@example.com:sekret
+; sysadmin=postmaster@example.com:sekret

package/config/helo.checks.ini

@@ -1,6 +1,6 @@
 ; disable checks or reject for each test if you are worried about strictness
 
-;dns_timeout=30
+;dns_timeout=28
 
 [check]
 ; match_re=true

package/config/outbound.ini

@@ -1,4 +1,4 @@
-; see http://haraka.github.io/manual/Outbound.html
+; see http://haraka.github.io/core/Outbound
 ;
 ; disabled (default: false)
 ; disabled=true

package/config/rabbitmq_amqplib.ini

@@ -9,4 +9,11 @@ queueName = emails
 deliveryMode = 2
 confirm = true
 durable = true
-autoDelete = false
+autoDelete = false
+
+; Optional queue arguments
+; [queue_args]
+; x-dead-letter-exchange =
+; x-dead-letter-routing-key = emails_dlq
+; x-overflow = reject-publish
+; x-queue-type = quorum

package/connection.js

@@ -15,7 +15,7 @@ const constants   = require('haraka-constants');
 const net_utils   = require('haraka-net-utils');
 const Notes       = require('haraka-notes');
 const utils       = require('haraka-utils');
-const { Address }     = require('address-rfc2821');
+const { Address } = require('address-rfc2821');
 const ResultStore = require('haraka-results');
 
 // Haraka libs
@@ -734,9 +734,16 @@ class Connection {
                 });
                 break;
             default:
-                dns.reverse(this.remote.ip, (err, domains) => {
-                    this.rdns_response(err, domains);
-                });
+                // BUG: dns.reverse throws on invalid input (and sometimes valid
+                // input nodejs/node#47847). Also throws when empty results
+                try {
+                    dns.reverse(this.remote.ip, (err, domains) => {
+                        this.rdns_response(err, domains);
+                    })
+                }
+                catch (err) {
+                    this.rdns_response(err, []);
+                }
         }
     }
     rdns_response (err, domains) {
@@ -1319,16 +1326,15 @@ class Connection {
             this.errors++;
             return this.respond(503, 'Use EHLO/HELO before MAIL');
         }
-        // Require authentication on connections to port 587 & 465
+        // Require authentication on ports 587 & 465
         if (!this.relaying && [587,465].includes(this.local.port)) {
             this.errors++;
             return this.respond(550, 'Authentication required');
         }
+
         let results;
-        let from;
         try {
             results = rfc1869.parse('mail', line, this.cfg.main.strict_rfc1869 && !this.relaying);
-            from    = new Address (results.shift());
         }
         catch (err) {
             this.errors++;
@@ -1343,9 +1349,18 @@ class Connection {
                 return this.respond(452, 'Internal Server Error');
             }
             else {
-                return this.respond(501, ["Command parsing failed", err]);
+                return this.respond(501, ['Command parsing failed', err]);
             }
         }
+
+        let from;
+        try {
+            from = new Address(results.shift());
+        }
+        catch (err) {
+            return this.respond(501, `Invalid MAIL FROM address`);
+        }
+
         // Get rest of key=value pairs
         const params = {};
         results.forEach(param => {
@@ -1382,10 +1397,8 @@ class Connection {
         }
 
         let results;
-        let recip;
         try {
             results = rfc1869.parse('rcpt', line, this.cfg.main.strict_rfc1869 && !this.relaying);
-            recip   = new Address(results.shift());
         }
         catch (err) {
             this.errors++;
@@ -1403,6 +1416,15 @@ class Connection {
                 return this.respond(501, ["Command parsing failed", err]);
             }
         }
+
+        let recip;
+        try {
+            recip = new Address(results.shift());
+        }
+        catch (err) {
+            return this.respond(501, `Invalid RCPT TO address`);
+        }
+
         // Get rest of key=value pairs
         const params = {};
         results.forEach((param) => {

package/docs/Connection.md

@@ -63,5 +63,5 @@ For low level use.  This value is set when the remote host drops the connection.
 
 * connection.results
 
-Store results of processing in a structured format. See [docs/Results](http://haraka.github.io/manual/Results.html)
+Store results of processing in a structured format. See [haraka-results](https://github.com/haraka/haraka-results)
 

package/docs/Outbound.md

@@ -38,9 +38,9 @@ of CPUs that you have.
 
 Default: true. Switch to false to disable TLS for outbound mail.
 
-This uses the same `tls_key.pem` and `tls_cert.pem` files that the `tls`
-plugin uses, along with other values in `tls.ini`. See the [tls plugin
-docs](http://haraka.github.io/manual/plugins/tls.html) for information on generating those files.
+This uses the same `tls_key.pem` and `tls_cert.pem` files that the `TLS`
+plugin uses, along with other values in `tls.ini`. See the [TLS plugin
+docs](http://haraka.github.io/plugins/tls) for information on generating those files.
 
 Within `tls.ini` you can specify global options for the values `ciphers`, `minVersion`, `requestCert` and `rejectUnauthorized`, alternatively you can provide separate values by putting them under a key: `[outbound]`, such as:
 
@@ -117,7 +117,7 @@ you may be interested in are:
 * domain - the domain this mail is going to (see `always_split` above)
 * notes - the original transaction.notes for this mail, also contains the
   following useful keys:
-** outbound_ip - the IP address to bind to (note do not set this manually,
+** outbound_ip - the IP address to bind to (do not set manually,
   use the `get_mx` hook)
 ** outbound_helo - the EHLO domain to use (again, do not set manually)
 * queue_time - the epoch milliseconds time when this mail was queued
@@ -240,19 +240,10 @@ different IP addresses based on sender, domain or some other identifier.
 To do this, the IP address that you want to use *must* be bound to an 
 interface (or alias) on the local system.
 
-As described above the outbound IP can be set using the `bind` parameter
+As described above, the outbound IP can be set using the `bind` parameter
 and also the outbound helo for the IP can be set using the `bind_ehlo` 
-parameter returned by the `get_mx` hook or during the reception of the message 
-you can set a transaction note in a plugin to tell Haraka which outbound IP 
-address you would like it to use when it tries to deliver the message:
+parameter returned by the `get_mx` hook.
 
-`````
-connection.transaction.notes.outbound_ip = '1.2.3.4';
-connection.transaction.notes.outbound_helo = 'mail-2.example.com';
-`````
-
-Note: if the `get_mx` hook returns a `bind` and `bind_helo` parameter, then
-this will be used in preference to the transaction note.
 
 AUTH
 ----

package/docs/Plugins.md

@@ -20,7 +20,6 @@ Display the help text for a plugin by running:
 ## Overview
 
 
-
 ## Anatomy of a Plugin
 
 Plugins in Haraka are JS files in the `plugins` directory (legacy) and npm
@@ -42,37 +41,43 @@ There are two ways for plugins to register hooks. Both examples register a funct
 
 1. The `register_hook` function in register():
 
-    exports.register = function() {
-        this.register_hook('rcpt', 'my_rcpt_validate');
-    };
+```js
+exports.register = function () {
+    this.register_hook('rcpt', 'my_rcpt_validate')
+};
 
-    exports.my_rcpt_validate = function (next, connection, params) {
-        // do processing
-        next();
-    };
+exports.my_rcpt_validate = function (next, connection, params) {
+    // do processing
+    next()
+};
+```
 
 2. The hook_[$name] syntax:
 
-    exports.hook_rcpt = function (next, connection, params) {
-        // do processing
-        next();
-    };
+```js
+exports.hook_rcpt = function (next, connection, params) {
+    // do processing
+    next()
+}
+```
 
 The register_hook function within `register()` offers a few advantages:
 
-    1. register a hook multiple times (see below)
-    2. a unique function name in stack traces
-    3. [a better function name](https://google.com/search?q=programming%20good%20function%20names)
-    4. hooks can be registered conditionally (ie, based on a config setting)
+1. register a hook multiple times (see below)
+2. a unique function name in stack traces
+3. [a better function name](https://google.com/search?q=programming%20good%20function%20names)
+4. hooks can be registered conditionally (ie, based on a config setting)
 
 ### Register a Hook Multiple Times
 
 To register the same hook more than once, call `register_hook()` multiple times with the same hook name:
 
-    exports.register = function() {
-        this.register_hook('queue', 'try_queue_my_way');
-        this.register_hook('queue', 'try_queue_highway');
-    };
+```js
+exports.register = function () {
+    this.register_hook('queue', 'try_queue_my_way')
+    this.register_hook('queue', 'try_queue_highway')
+};
+```
 
 When `try_queue_my_way()` calls `next()`, the next function registered on hook *queue* will be called, in this case, `try_queue_highway()`.
 
@@ -81,17 +86,18 @@ When `try_queue_my_way()` calls `next()`, the next function registered on hook *
 When a single function runs on multiple hooks, the function can check the
 *hook* property of the *connection* or *hmail* argument to determine which hook it is running on:
 
-    exports.register = function() {
-        this.register_hook('rcpt',    'my_rcpt');
-        this.register_hook('rcpt_ok', 'my_rcpt');
-    };
-     
-    exports.my_rcpt = function (next, connection, params) {
-        var hook_name = connection.hook; // rcpt or rcpt_ok
-        // email address is in params[0]
-        // do processing
-    }
-
+```js
+exports.register = function () {
+    this.register_hook('rcpt',    'my_rcpt')
+    this.register_hook('rcpt_ok', 'my_rcpt')
+};
+ 
+exports.my_rcpt = function (next, connection, params) {
+    const hook_name = connection.hook; // rcpt or rcpt_ok
+    // email address is in params[0]
+    // do processing
+}
+```
 
 ### Next()
 
@@ -252,12 +258,11 @@ This is important as some plugins might rely on `results` or `notes` that have b
 
 If you are writing a complex plugin, you may have to split it into multiple plugins to run in a specific order e.g. you want hook_deny to run last after all other plugins and hook_lookup_rdns to run first, then you can explicitly register your hooks and provide a `priority` value which is an integer between -100 (highest priority) to 100 (lowest priority) which defaults to 0 (zero) if not supplied.  You can apply a priority to your hook in the following way:
 
-````
-exports.register = function() {
-    var plugin = this;
-    plugin.register_hook('connect',  'hook_connect', -100);
+```js
+exports.register = function () {
+    this.register_hook('connect',  'hook_connect', -100);
 }
-````
+```
 
 This would ensure that your hook_connect function will run before any other
 plugins registered on the `connect` hook, regardless of the order it was
@@ -370,9 +375,11 @@ to remote servers. See [Issue 2024](https://github.com/haraka/Haraka/issues/2024
 
 e.g.
 
-    exports.shutdown = function () {
-        clearInterval(this._interval);
-    }
+```js
+exports.shutdown = function () {
+    clearInterval(this._interval);
+}
+```
 
 If you don't implement this in your plugin and have a connection open or a
 timer running then Haraka will take 30 seconds to shut down and have to

package/docs/Transaction.md

@@ -160,6 +160,6 @@ body in the same encoding.
 
 * transaction.results
 
-Store results of processing in a structured format. See [docs/Results](http://haraka.github.io/manual/Results.html)
+Store results of processing in a structured format. See [haraka-results](https://github.com/haraka/haraka-results)
 
 [1]: `Address` objects are address-rfc2821 objects. See https://github.com/haraka/node-address-rfc2821

package/docs/{plugins → deprecated}/connect.rdns_access.md

@@ -1,6 +1,6 @@
 ## DEPRECATION NOTICE
 
-See the [access](http://haraka.github.io/manual/plugins/access.html) plugin
+See [haraka-plugin-access](https://github.com/haraka/haraka-plugin-access)
 for upgrade instructions.
 
 

package/docs/{plugins → deprecated}/mail_from.access.md

@@ -1,6 +1,6 @@
 ## DEPRECATION NOTICE
 
-See the [access](http://haraka.github.io/manual/plugins/access.html) plugin
+See [haraka-plugin-access](https://github.com/haraka/haraka-plugin-access)
 for upgrade instructions.
 
 

package/docs/{plugins → deprecated}/rcpt_to.access.md

@@ -1,6 +1,6 @@
 ## DEPRECATION NOTICE
 
-See the [access](http://haraka.github.io/manual/plugins/access.html) plugin
+See [haraka-plugin-access](https://github.com/haraka/haraka-plugin-access)
 for upgrade instructions.
 
 

package/docs/plugins/auth/auth_vpopmaild.md

@@ -1,26 +1,20 @@
-auth/auth\_vpopmaild
-===============
+# auth/auth\_vpopmaild
 
-The `auth/vpopmaild` plugin allows you to authenticate against a vpopmaild
-daemon.
+The `auth/vpopmaild` plugin allows SMTP users to authenticate against a vpopmaild daemon.
 
 ## Configuration
 
-Configuration is stored in `config/auth_vpopmaild.ini` and uses INI
-style formatting.
+The configuration file is stored in `config/auth_vpopmaild.ini`.
 
-There are three configuration settings:
+### settings
 
 * host: The host/IP that vpopmaild is listening on (default: localhost).
 
 * port: The TCP port that vpopmaild is listening on (default: 89).
 
-* sysadmin: A colon separated username:password of a vpopmail user with
-    SYSADMIN privileges (see vpopmail/bin/vmoduser -S). This is **only**
-    necessary to support CRAM-MD5 which requires access to the clear text
-    password. On new installs, it's best not to use CRAM-MD5, as it requires
-    storing clear text passwords. Legacy clients with MUAs configured
-    to authenticate with CRAM-MD5 will need this enabled.
+* sysadmin: A colon separated username:password of a vpopmail user with SYSADMIN privileges (see vpopmail/bin/vmoduser -S). This is **only** necessary to support CRAM-MD5 which requires access to the clear text password. On new installs, it's best not to use CRAM-MD5, as it requires storing clear text passwords. Legacy clients with MUAs configured to authenticate with CRAM-MD5 will need this enabled.
+
+* constrain_sender: (default: true). For outbound messages (due to successful AUTH), constrain the envelope sender (MAIL FROM) to the same domain as the authenticated user. This setting, combined with `rate_rcpt_sender` in the [limit](https://github.com/haraka/haraka-plugin-limit) plugin can dramatically reduce the amount of backscatter and spam sent when an email account is compromised.
 
 
 ### Per-domain Configuration
@@ -29,10 +23,12 @@ Additionally, domains can each have their own configuration for connecting
 to vpopmaild. The defaults are the same, so only the differences needs to
 be declared. Example:
 
-    [example.com]
-    host=192.168.0.1
-    port=999
+```ini
+[example.com]
+host=192.168.0.1
+port=999
 
-    [example2.com]
-    host=192.168.0.2
-    sysadmin=postmaster@example2.com:sekret
+[example2.com]
+host=192.168.0.2
+sysadmin=postmaster@example2.com:sekret
+```