Haraka 3.0.3 → 3.0.4

package/docs/plugins/bounce.md

@@ -1,69 +0,0 @@
-# bounce
-
-Provide options for bounce processing.
-
-## Configuration
-
-Each feature can be enabled/disabled with a true/false toggle in the [check]
-section of `config/bounce.ini`:
-
-Some features can have rejections disabled in the [reject] section.
-
-    [check]
-    reject_all=false
-    single_recipient=true
-    empty_return_path=true
-    bad_rcpt=true
-    bounce_spf=true
-    non_local_msgid=true
-
-    [reject]
-    single_recipient=true
-    empty_return_path=true
-    bounce_spf=false
-    non_local_msgid=false
-
-## Features
-
-### reject\_all
-
-When enabled, blocks all bounce messages using the simple rule of checking
-for `MAIL FROM:<>`.
-
-It is generally a bad idea to block all bounces. This option can be useful
-for mail servers at domains with frequent spoofing and few or no human users.
-
-### single\_recipient
-
-Valid bounces have a single recipient. Assure that the message really is a
-bounce by enforcing bounces to be addressed to a single recipient.
-
-This check is skipped for relays or hosts with a private IP, this is because
-Microsoft Exchange distribution lists will send messages to list members with
-a null return-path when the 'Do not send delivery reports' option is enabled
-(yes, really...).
-
-### empty\_return\_path
-
-Valid bounces should have an empty return path. Test for the presence of the
-Return-Path header in bounces and disallow.
-
-### bad\_rcpt
-
-Disallow bounces to email addresses listed in `config/bounce_bad_rcpt`.
-
-Include email addresses in that file that should *never* receive bounce
-messages. Examples of email addresses that should be listed are:
-autoresponders, do-not-reply@example.com, dmarc-feedback@example.com, and
-any other email addresses used solely for machine generated messages.
-
-### bounce\_spf
-
-Parses the message body and any MIME parts for Received: headers and
-strips out the IP addresses of each Received hop and then checks what
-the SPF result would have been if bounced message had been sent by that
-hop.
-
-If no 'Pass' result is found, then this test will fail.
-If SPF returns 'None', 'TempError' or 'PermError' then the test will 
-be skipped.

package/docs/plugins/clamd.md

@@ -1,147 +0,0 @@
-clamd
-=====
-
-This plug-in implements Anti-Virus scanning with ClamAV using the **clamd**
-daemon.
-
-The plug-in will reject any message that ClamAV considers to be a virus.
-If an error occurs (e.g. clamd not running or a timeout), the
-message will be deferred with a temporary failure.
-
-## Configuration
-
-The following options can be defined in clamd.ini;
-
-### clamd\_socket (default: localhost:3310)
-
-  N.N.N.N:port, [ipv6::literal]:port, host:port or /path/to/socket of
-  the clamd daemon.
-
-  Multiple hosts can be listed separated by comma, semi-colon or spaces.
-
-  If :port is omitted it defaults to 3310.
-
-  On connection error or timeout the next host in the list will be tried.
-  When the host list is exhausted, the message will be deferred with
-  a temporary failure.
-
-
-### randomize\_host\_order (default: false)
-
-  If this is set then the list of hosts with be randomized before a
-  connection is attempted.
-
-
-### only\_with\_attachments                         (default: false)
-
-  Set this option to only scan messages that contain non-textual
-  attachments.  This is a performance optimization, however it will
-  prevent ClamAV from detecting threats such as Phishing in plain-text
-  or HTML messages.
-
-
-### connect\_timeout                               (default: 10)
-
-  Timeout connection to host after this many seconds.  A timeout will
-  cause the next host in the list to be tried.  Once all hosts have
-  been tried then a temporary failure will be returned.
-
-
-### timeout                                       (default: 30)
-
-  Post-connection timeout if there is no activity on the socket after
-  this many seconds.  A timeout will cause the message to be rejected
-  with a tempoary failure.
-
-
-### max\_size                                      (default: 26214400)
-
-  The maximum size of message that should be sent to clamd in bytes.
-  This option should not be larger than the StreamMaxLength value in
-  clamd.conf as clamd will stop scanning once this limit is reached.
-  If the clamd limit is reached the plug-in will log a notice that
-  this has happened and will allow the message though.
-
-### [reject]
-
-An optional reject section can offer control over when to reject connections.
-The default settings are shown. ClamAV recommends that hits coming from 
-SafeBrowsing / Phishing / Heuristics, Potentially Unwanted Applications, and
-UNOFFICIAL be used only for scoring.
-
-    * virus=true
-    * error=true
-
-The following reject options are disabled by default in clamd.conf. With a
-default ClamAV install, these will have no effect. When an admin enables in
-clamd.conf, Haraka with then, by default, reject such messages. Adjust these
-settings to suit.
-
-    * Broken.Executable=true
-    * Structured=true
-    * Encrypted=true
-    * PUA=true
-    * OLE2=true
-    * Safebrowsing=true
-    * UNOFFICIAL=true
-
-The following options are enabled by default in clamd but ClamAV suggests
-using them only for scoring.
-
-    * Phishing=false
-    
-## [check]
-
-The optional check section can allow skipping ClamAV check for remote connection
-meeting following criteria.
-
-- authenticated
-
-    Default: true
-
-    If true, messages from authenticated users will be scanned.
-
-- private\_ip
-
-    Default: true
-
-    If true, messages from private IPs will be scanned.
-
-- local\_ip
-
-    Default: true
-
-    If true, messages from localhost will be scanned.
-
-- relay
-
-    Default: true
-
-    If true, messages that are to be relayed will be scanned.
-
-## clamd.excludes
-
-  This file can contain a list of virus name patterns that when matched, are
-  not rejected by this plugin. An X-Haraka-Virus: header will be inserted
-  containing the virus name. This header can then be used for scoring
-  in other plugins.
-
-  The format of the file is one pattern per line. Comments are prefixed
-  with #. Matches are case-insensitive.
-
-  Patterns are expressed using wildcards (e.g. * and ?) or
-  via regexp by enclosing the pattern in //.
-
-  To negate a match (e.g. reject if it matches), prefix the match with !.
-  Negative matches are always tested first.
-
-  Example:
-
-`````
-# Always reject test signatures
-!*.TestSig_*
-# Skip all unofficial signatures
-*.UNOFFICIAL
-# Phishing
-Heuristics.Phishing.*
-`````

package/docs/plugins/esets.md

@@ -1,8 +0,0 @@
-esets
------
-
-This plugin allows virus scanning with ESET Mail Security for Linux/BSD.
-
-Install the software as per the intructions from ESET and enable this plugin
-and it will scan each message using the "esets_cli" command which defaults to
-/opt/eset/esets/bin/esets_cli.

package/docs/plugins/greylist.md

@@ -1,90 +0,0 @@
-# Greylist
-
-Basic greylisting plugin that follows common practices found on internets.
-
-## Principles of work
-
-### Notation
-
-The so-called _tuple_ consists of the following:
-
-* First subdomain of rDNS is stripped off (but no shorter than the domain boundary). This is considered a _hostid_.
-* Envelope sender is the _sender_.
-* RCPT TO would supply the _recipient_.
-
-_hostid_ in above notation is chosen unless:
-
-1. The connecting host has no PTR record, a.k.a. reverse DNS (rDNS). [gl]
-1. The rDNS record contains the first two or last two octets of the IP address. [fcrdns]
-1. The rDNS record contains the ‘short’, decimal, or hex representation of the full IP address. [fcrdns] [gl]
-1. Multiple rDNS records are returned. [gl]
-1. The rDNS record cannot be verified by forward confirmation (e.g. FCrDNS). [fcrdns]
-1. The top-level-domain (TLD) used is not valid. [gl]
-
-In other cases, it's set to be the remote party's IP address.
-
-We define the following time periods:
-
-* _black_:  between first connect and start of _gray_. Defer.
-* _gray_:   between _black_ and start of _white_. Allow. Host must re-try within this window.
-* _white_:  comes after _gray_. Allow up until the end of period, then let the record expire in case no connections were made.
-
-### Algorithm
-
-The greylist algo is as following:
-
-  * Party connects. All FcrDNS & DNSWL checks are run by earlier plugins.
-  * Party sends _recipient_
-    * If not already whitelisted
-        * Check _tuple_ color (compare current TS against record creation TS)
-            * _black_?
-                * Create if no record exists. Defer.
-            * _gray_?
-                * Allow. Promote record to _white_ status.
-            * _white_?
-                * Allow. Update record TS.
-  * In special case, _data_ hook runs above algo for all recipients. If any matched, all inherit the action.
-
-### DB schema
-
-We store in Redis.
-
-Key format for greylisting entries:
-
-  * grey:${hostid}:${sender}:${recipient} - grey record
-  * white:${hostid} - white record
-
-
-For _white_:
-
-    { first_connect: TS, whitelisted: TS, updated: TS, lifetime: TTL, tried: Integer, tried_when_greylisted: Integer }
-
-  Where
-    _first_connect_: TS of first connection (sender)
-    _whitelisted_: basically the TS of this entry creation
-    _updated_: last update TS
-    _lifetime_: seconds for this entry to exist (== TTL)
-    _tried_: number of checks against this entry
-    _tried_when_greylisted_: number of checks while the host was +grey+ (sender).
-
-For _grey_:
-
-    { created: TS, updated: TS, lifetime: TTL, tried: Integer }
-
-  Where
-    _created_: TS of first connection (copied to _first_connect_ of _white_ after promotion)
-    _updated_: last update TS
-    _lifetime_: seconds for this entry to exist (== TTL)
-    _tried_: number of checks against this entry (copied to _tried_when_greylisted_ of _white_ after promotion)
-
-### Whitelisting
-
-It's possible to whitelist hosts using the following section in greylist.ini config file:
-
-  * ip\_whitelist               IP or subnet (prefix notation)
-  * envelope\_whitelist         MAIL FROM (email or domain)
-  * recipient\_whitelist        RCPT TO  (email or domain)
-
-List of known dynamic hosts, to use the IP instead of the domain:
-
-  * special\_dynamic\_domains    Domain

package/docs/plugins/helo.checks.md

@@ -1,135 +0,0 @@
-# helo.checks
-
-This plugin performs a number of checks on the HELO string.
-
-HELO strings are very often forged or dubious in spam and so this can be a
-highly effective and false-positive free anti-spam measure.
-
-
-## Usage
-
-helo.checks results can be accessed by subsequent plugins:
-
-    var h = connection.results.get('helo.checks');
-    if (h.pass && h.pass.length > 5) {
-        // nice job, you passed 6+ tests
-    }
-    if (h.fail && h.fail.length > 3) {
-        // yikes, you failed 4+ tests!
-    }
-    if (connection.results.has('helo.checks','pass', /^forward_dns/) {
-        // the HELO hostname is valid
-    }
-
-
-## Configuration
-
-* helo.checks.regexps
-
-  List of regular expressions to match against the HELO string. The regular
-  expressions are automatically wrapped in `^` and `$` so they always match
-  the entire string.
-
-* helo.checks.ini
-
-  INI file which controls enabling of certain checks:
-
-    * dns\_timeout=30
-
-      How many seconds to wait for DNS queries to timeout.
-
-
-### [check]
-
-
-    * valid\_hostname=true
-
-      Checks that the HELO has at least one '.' in it and the organizational
-      name is possible (ie, a host within a Public Suffix).
-
-    * bare\_ip=true
-
-      Checks for HELO <IP> where the IP is not surrounded by square brackets.
-      This is an RFC violation so should always be enabled.
-
-    * dynamic=true
-
-      Checks to see if all or part the connecting IP address appears within
-      the HELO argument to indicate that the client has a dynamic IP address.
-
-    * literal\_mismatch=1|2|3
-
-      Checks to see if the IP literal used matches the connecting IP address.
-      If set to 1, the full IP must match.  If set to 2, the /24 must match.
-      If set to 3, the /24 may match, or the IP can be private (RFC 1918).
-
-    * match\_re=true
-
-      See above. This is merely an on/off toggle.
-
-    * big\_company=true
-
-      See below. This is merely an on/off toggle.
-
-    * forward\_dns=true
-
-      Perform a DNS lookup of the HELO hostname and validate that the IP of
-      the remote is included in the IP(s) of the HELO hostname.
-
-      This test requires that the valid\_hostname check is also enabled.
-
-    * rdns\_match=true
-
-      Sees if the HELO hostname (or at least the domain) match the rDNS
-      hostname(s).
-
-    * host\_mismatch=true
-
-      If HELO is called multiple times, checks if the hostname differs between
-      EHLO invocations.
-
-    * proto\_mismatch=true
-
-      If EHLO was sent and the host later tries to then send HELO or vice-versa.
-
-### [reject]
-
-    For all of the checks included above, a matching key in the reject section
-    controls whether messages that fail the test are rejected.
-
-    Defaults shown:
-
-    [reject]
-    host_mismatch=false
-    literal_mismatch=false
-    proto_mismatch=false
-    rdns_match=false
-    dynamic=false
-    bare_ip=false
-    valid_hostname=false
-    forward_dns=false
-    big_company=false
-
-### [skip]
-
-    * private\_ip=true
-
-      Bypasses checks for clients within RFC1918, Loopback or APIPA IP address ranges.
-
-    * relaying
-
-      Bypass checks for clients who have relaying privileges (whitelisted IP,
-      SMTP-AUTH, etc).
-
-
-### [bigco]
-
-      A list of <helo>=<rdns>[,<rdns>...] to match against. If the HELO matches
-      what's on the left hand side, the reverse-DNS must match one of the
-      entries on the right hand side or the mail is blocked.
-
-      Example:
-
-            yahoo.com=yahoo.com,yahoo.co.jp
-            aol.com=aol.com
-            gmail.com=google.com

package/docs/plugins/messagesniffer.md

@@ -1,163 +0,0 @@
-messagesniffer
-==============
-
-This plugin provides integration with the commerical Anti-Spam product [MessageSniffer](http://armresearch.com/products/sniffer.jsp) by Arm Research Labs using its XML Client interface [XCI](http://armresearch.com/support/articles/software/snfServer/xci/) over TCP.
-
-Installation
-------------
-
-Install the SNF Client/Server package for your platform as per the instructions on the MessageSniffer website.
-
-Modify your SNFServer.xml file and under the 'xheaders' section set:
-
-* output mode='api'
-
-This prevents MessageSniffer from adding additional headers to the temporary file used to send it the message data which is 
-unnecessary as Haraka reads the headers from the XCI response.
-
-* rulebase on-off='on'
-* result on-off='on'
-* black on-off='on'
-* while on-off='on'
-* clean on-off='on'
-* all symbol on-off='on'
-
-These cause SNFServer to send Haraka additional headers that are inserted into all messages scanned by MessageSniffer and 
-will aid debugging and troubleshooting.
-
-Once this is done start/restart the SNF server.
-
-Configuration
--------------
-
-This plugin uses `messagesniffer.ini` for configuration.  The `[main]` section is for global configuration, the `[gbudb]` 
-section is used to specify the action that should be taken based on the GBUdb result which is checked at the start of the 
-connection and the `[message]` section is used to specify the action to be taken based on the main scan result.
-
-`[main]`
-
-- port
-
-    Default: 9001
-    TCP port to use when communicating to the SNFServer daemon.
-    This needs to match the `<xci on-off='on' port='9001'/>` value in the SNFServer.xml file.
-    
-- tmpdir
-
-    Default: /tmp
-    Temporary directory used to write temporary message files to that are read by the SNFServer daemon.
-    This directory and the files within need to be readable by the user that SNFServer is running as.
-
-- gbudb\_report\_deny = [ true | false | 0 | 1 ]
-
-    Default: false
-    This is an experimental option that will record a GBUdb 'bad' encounter for a connected IP address when a client 
-    disconnects with no message having been sent or seen by MessageSniffer but Haraka has recorded a hard rejection at 
-    some point during the session.  The idea behind this option is that it allows other Haraka plugins rejections influence 
-    GBUdb IP reputation where MessageSniffer isn't seeing the actual message because it is being rejected pre-DATA.
-
-- tag\_string
-
-    Default: [SPAM]
-    String to prepend to the Subject line if the 'tag' action is applied.
-
-`[gbudb]`
-
-- white = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-
-    Default: accept
-    Action to take when GBUdb reports a 'white' result.
-
-- caution = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-
-    Default: continue
-    Action to take when GBUdb reports a 'caution' result.
-    
-- black = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-
-    Default: continue
-    Action to take when GBUdb reports a 'black' result.
-    
-- truncate = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-    
-    Default: reject
-    Action to take when GBUdb reports a 'truncate' result.
-
-`[message]`
-
-- white = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-
-    Default: continue
-    Action to take when MessageSniffer reports a 'white' result (result code: 0).
-
-- local\_white = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-
-    Default: accept
-    Action to take when MessageSniffer reports a local whitelist result (result code: 1).
-    NOTE: You will not see this result unless you Arm support have customized your rulebase and added white rules for you.
-
-- truncate = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-
-    Default: reject
-    Action to take when MessageSniffer reports a GBUdb result of 'truncate' (result code: 20).
-    NOTE: GBUdb IP lookups during the data phase can be different than the connecting IP address if you have configured 
-    Source and DrillDown options in the Training section of SNFServer.xml.
-
-- caution = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-
-    Default: continue
-    Action to take when MessageSniffer reports a GBUdb result of 'caution' (result code: 40).
-    NOTE: GBUdb IP lookups during the data phase can be different than the connecting IP address if you have configured 
-    Source and DrillDown options in the Training section of SNFServer.xml.
-    
-- black = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-
-    Default: continue
-    Action to take when MessageSniffer reports a GBUdb result of 'black' (result code: 63).
-    NOTE: GBUdb IP lookups during the data phase can be different than the connecting IP address if you have configured 
-    Source and DrillDown options in the Training section of SNFServer.xml.
-
-- code\_NN = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-
-    NOTE: replace NN with the numeric MessageSniffer [result code](http://armresearch.com/support/articles/software/snfServer/core.jsp)
-    Action to take when MessageSniffer reports a result code other than those explicitly defined above.
-
-- nonzero = [ accept | allow | continue | retry | tempfail | reject | quarantine | tag ]
-
-    Defalt: reject
-    Action to take for any non-zero result code other than those explicity defined above.  This is a catch-all result that 
-    is checked last after all other settings have been checked so you can define a code\_NN value to prevent this action from 
-    being taken.
-
-Actions
--------
-
-* accept
-
-    Accept the message and skip further plugins (whitelist).
-    
-* allow | continute
-
-    Continue to the next plugin.
-    
-* retry | tempfail
-
-    Reject the message with a temporary failure message (DENYSOFT).
-    
-* reject
-
-    Reject the message with a permanent failure message (DENY).
-    
-* quarantine
-
-    Continue to the next plugin.  If the message isn't rejected by another plugin - it will cause the message to be quarantined
-    and the message will not be delivered to the recipient(s).
-    
-    NOTE: this option requires the queue/quarantine plugin in your config/plugins files and it must be listed before any 
-    other queue plugins.
-
-* tag
-
-    Tag the subject with the default 'tag\_string' defined in the `main` section above, this will also set X-Spam-Flag: YES in 
-    the message headers.   Once tagged, processing will continue to the next plugin.
-