haraka 0.0.33 → 3.3.0

package/docs/plugins/queue/smtp_forward.md

@@ -0,0 +1,127 @@
+# queue/smtp_forward
+
+==================
+
+This plugin delivers to another mail server. This is a common setup when you want to have a mail server with a solid pedigree of outbound delivery to other hosts, and inbound delivery to users.
+
+In comparison to `queue/smtp_proxy`, this plugin waits until queue time to attempt the ongoing connection. This can be a benefit in reducing connections to your inbound mail server when you have content filtering (such as spamassassin) enabled. A possible downside is that it also delays recipient validation that the ongoing mail server may provide until queue time.
+
+## Configuration
+
+---
+
+Configuration is stored in smtp_forward.ini in the following keys:
+
+- enable_outbound=[true]
+
+  SMTP forward outbound messages (set to false to enable Haraka's separate Outbound mail routing (MX based delivery)).
+
+- host=HOST
+
+  The host to connect to.
+
+- port=PORT
+
+  The port to connect to. Default: 25
+
+- connect_timeout=SECONDS
+
+  The maximum amount of time to wait when creating a new connection to the host. Default: 30 seconds.
+
+- timeout=SECONDS
+
+  The amount of seconds to let a backend connection live idle in the connection pool. This should always be less than the global plugin timeout, which should in turn be less than the connection timeout.
+
+- max_connections=NUMBER
+
+  Maximum number of connections at any given time. Default: 1000
+
+- enable_tls=[true]
+
+  Enable opportunistic TLS with the forward host via `STARTTLS` (if the host advertises it). This plugin does not work with implicit SMTP over TLS.
+
+- auth_type=[plain\|login]
+
+  Enable PLAIN or LOGIN SMTP AUTH. This is required to enable AUTH.
+
+- auth_user=USERNAME
+
+  SMTP AUTH username to use.
+
+- auth_pass=PASSWORD
+
+  SMTP AUTH password to use.
+
+- queue
+
+  Which queue plugin to use. Default: undefined. The default bahavior is to use smtp_forward for inbound connections and outbound for relaying connections. This option is used for complex mail routes.
+
+- check_sender=false
+
+  Requires that sender domains defined in smtp_forward.ini (see Per-Domain below) have relaying privileges. This is a form of spoof prevention and assumes that any mail clients have relaying or AUTH privileges. This is usually the case.
+
+- check_recipient=false
+
+  By default, Haraka accepts no emails until a recipient plugin has been configured to accept mails for a domain. The simplest common case is the in_host_list plugin with a list of domains in config/host_list. An alternative is to set `check_recipient=true` and list each domain in a definition block in smtp_forward.ini (see Per-Domain Configuration). An example for two domains:
+
+  [example.com]
+  [example.net]
+
+- [tls]
+
+Client STARTTLS options are assembled by merging:
+
+1. `tls.ini` `[main]` — the global Haraka TLS config
+2. `smtp_forward.ini` `[tls]` — overrides. Anything set here wins.
+
+Example `smtp_forward.ini` `[tls]` section:
+
+    [tls]
+    rejectUnauthorized=true
+    minVersion=TLSv1.2
+    no_tls_hosts[]=10.0.0.5
+
+Per-domain `enable_tls=false` still disables STARTTLS for that backend. Per-domain TLS cipher/cert overrides are not currently supported.
+
+Changes to `tls.ini` require a Haraka restart to apply to the forward path; changes to `smtp_forward.ini` are picked up by the existing reload hook.
+
+# Per-Domain Configuration
+
+More specific forward routes for domains can be defined. The domain is chosen based on the value of the `domain_selector` config variable.
+
+When `domain_selector` is set to `rcpt_to` (the default), more specific routes are only honored for SMTP connections with a single recipient or SMTP connections where every recipient host is identical.
+
+When `domain_selector` is set to `mail_from`, it first searches for configuration using the complete email address, falls back to the domain if not found, then to main configuration.
+
+enable_outbound can be set or unset on a per-domain level to enable or disable forwarding for specific domains.
+
+    # default SMTP host
+    host=1.2.3.4
+    # auth_type=plain
+    # auth_user=user
+    # auth_user=pass
+
+    [example1.com]
+    host=1.2.3.5
+    # auth_type=plain
+    # auth_user=user
+    # auth_pass=pass
+
+    [email@example1.com]
+    host=1.2.3.5
+    # auth_type=plain
+    # auth_user=user
+    # auth_pass=pass
+
+    [example2.com]
+    host=1.2.3.5
+
+    [example3.com]
+    host=1.2.3.6
+
+    [example4.com]
+    enable\_outbound=false
+
+# Split host forward routing
+
+When an incoming email transaction has multiple recipients with different forward routes, recipients to subsequent forward routes are deferred. Example: an incoming email transaction has recipients user@example1.com, user@example2.com, and user@example3.com. The first two recipients will be accepted (they share the same forward destination) and the latter will be deferred. It will arrive in a future delivery attempt by the remote.

package/docs/plugins/queue/smtp_proxy.md

@@ -0,0 +1,68 @@
+# queue/smtp_proxy
+
+================
+
+This plugin delivers to another mail server. This is a common setup when you want to have a mail server with a solid pedigree of outbound delivery to other hosts, and inbound delivery to users.
+
+In comparison to `queue/smtp_forward`, this plugin makes a connection at MAIL FROM time to the ongoing SMTP server. This can be a benefit in that you get any SMTP-time filtering that the ongoing server provides, in particular one important facility to some setups is recipient filtering.
+
+Be aware that other than connect and HELO-time filtering, you will have as many connections to your ongoing SMTP server as you have to Haraka.
+
+## Configuration
+
+---
+
+Configuration is stored in smtp_proxy.ini in the following keys:
+
+- enable_outbound=[true]
+
+  SMTP proxy outbound messages (set to false to enable Haraka's
+  separate Outbound mail routing (MX based delivery)).
+
+- host=HOST
+
+  The host to connect to.
+
+- port=PORT
+
+  The port to connect to.
+
+- connect_timeout=SECONDS
+
+  The maximum amount of time to wait when creating a new connection
+  to the host. Default if unspecified is 30 seconds.
+
+- timeout=SECONDS
+
+  The amount of seconds to let a backend connection live idle in the
+  proxy pool. This should always be less than the global plugin timeout,
+  which should in turn be less than the connection timeout.
+
+- max_connections=NUMBER
+
+  Maximum number of connections to create at any given time.
+
+- enable_tls=[true|yes|1]
+
+  Enable opportunistic TLS with the forward host via `STARTTLS` (if the host advertises it).
+
+- auth_type=[plain|login]
+
+  Enable PLAIN or LOGIN SMTP AUTH. This is required to enable AUTH.
+
+- auth_user=USERNAME
+
+  SMTP AUTH username to use.
+
+- auth_pass=PASSWORD
+
+  SMTP AUTH password to use.
+
+- [tls]
+
+Client STARTTLS options are assembled by merging:
+
+1. `tls.ini` `[main]` — the global Haraka TLS config.
+2. `smtp_proxy.ini` `[tls]` — overrides. Anything set here wins.
+
+Changes to `tls.ini` require a Haraka restart to apply to the proxy path; changes to `smtp_proxy.ini` are picked up by the existing reload hook.

package/docs/plugins/queue/test.md

@@ -0,0 +1,7 @@
+# queue/test
+
+This plugin saves incoming E-Mail to your temporary directory, as `mail_{message_id}.eml`, where message_id is a UUID.
+
+This plugin can be useful to quickly test if you're able to receive incoming E-Mail and just dump them to disk.
+
+The temporary directory is determined using Node's [`os.tmpdir()`](https://nodejs.org/api/os.html#ostmpdir), which respects standard platform configurations.

package/docs/plugins/rcpt_to.in_host_list.md

@@ -0,0 +1,34 @@
+# rcpt_to.in_host_list
+
+This plugin is the mainstay of an inbound Haraka server. It should list the
+domains that are local to the host. Mails that have RCPT TO not matching
+a host in the given list will be passed onto other rcpt hooks. If no rcpt
+hook accepts the connection, it will be rejected.
+
+## Configuration
+
+- host_list
+
+  Specifies the list of hosts that are local to this server.
+
+- host_list_regex
+
+  Specifies the list of regexes that are local to this server. Note
+  all these regexes are anchored with ^regex$. One can choose not to
+  anchor with .\*. There is the potential for bad regexes to be
+  too permissive if we don't anchor.
+
+- host_list.anti_spoof
+
+  When enabled, this will cause Haraka to reject any MAIL FROM where
+  the host appears within the host list but the connected host is not
+  a relay, e.g. connection.relaying is not set either by SMTP AUTH or
+  another plugin like 'relay'.
+
+## Relaying
+
+This plugin checks to see if the MAIL FROM domain is local. When
+connection.relaying is detected (haraka -h relay) and the MAIL FROM domain is
+local, this plugin will vouch for any RCPT. This limits relaying users to
+sending from local domains, which is much safer than letting relay clients
+send from any domain.

package/docs/plugins/rcpt_to.max_count.md

@@ -0,0 +1,3 @@
+# rcpt_to.max_count
+
+The functionality of this plugin was integrated in to [haraka-plugin-limit](https://github.com/haraka/haraka-plugin-limit).

package/docs/plugins/record_envelope_addresses.md

@@ -0,0 +1,20 @@
+# record_envelope_addresses
+
+This plugin adds two new header lines.
+
+- X-Envelope-To: the envelope RCPT TO address
+- X-Envelope-From: the envelope MAIL FROM address
+
+It is useful if you need to know the exact addresses used to send an email, e.g. when
+the email was sent to you as BCC or if it is a newsletter. In both cases the recipient
+address is normally not recorded in the headers.
+
+## Caveats
+
+If you enable this plugin you may introduce a possible information leak, i.e. disclosure
+of BCC recipients. So you never want to use this on an outgoing mail server and maybe also
+not if this server is used as a relay.
+
+## Configuration
+
+This plugin has no configuration.

package/docs/plugins/relay.md

@@ -0,0 +1,3 @@
+# relay
+
+Repackaged as [haraka-plugin-relay](https://github.com/haraka/haraka-plugin-relay).

package/docs/plugins/reseed_rng.md

@@ -0,0 +1,16 @@
+# reseed_rng
+
+Reseeds `Math.random()` in each cluster worker at start-up using
+`crypto.randomBytes(256)`. Without this, workers forked at nearly the
+same time can end up with correlated PRNG state, which can produce
+UUID collisions and other "this should be impossible" bugs.
+
+The plugin relies on [seedrandom](https://www.npmjs.com/package/seedrandom)
+being loaded so that `Math.seedrandom()` is available.
+
+Anyone running with `nodes=...` in `smtp.ini` (i.e. cluster mode) should
+consider enabling this plugin.
+
+## Configuration
+
+No configuration.

package/docs/plugins/status.md

@@ -0,0 +1,41 @@
+# Status
+
+This plugin allows to get internal status of queues and pools with SMTP commands sent from localhost.
+
+## Communication
+
+- **Request** &rarr; `STATUS <CMD> [param1] [param2]....`
+- **Response** &larr; _&lt;SMTP code 211 or 500>&lt;space>&lt;json encoded response>\r\n_
+
+### Example
+
+```
+< 220 example.com ESMTP Haraka ready
+> STATUS QUEUE INSPECT
+< 211 {"delivery_queue":[],"temp_fail_queue":[]}
+```
+
+## Available commands list
+
+- `STATUS POOL LIST` - map of active outbound connection pools, keyed by `host:port`
+- `STATUS QUEUE STATS` - queue statistics in format `"<in_progress>/<delivery_queue length>/<temp_fail_queue length>"`
+- `STATUS QUEUE LIST` - list of queue files on disk with _uuid, domain, mail_from, rcpt_to_ attributes
+- `STATUS QUEUE INSPECT` - returns merged content of `outbound.delivery_queue` and `outbound.temp_fail_queue` across all workers
+- `STATUS QUEUE DISCARD file` - stop delivering email file
+- `STATUS QUEUE PUSH file` - try to re-deliver email immediately
+
+## Notes
+
+### Live data only
+
+`POOL LIST`, `QUEUE STATS`, and `QUEUE INSPECT` reflect live in-memory state. They show only messages currently being processed or waiting in the retry queue. `QUEUE LIST` reads queue files from disk and may show messages that have already been delivered if they haven't been cleaned up yet.
+
+### Cluster mode
+
+In cluster mode, `POOL LIST`, `QUEUE STATS`, and `QUEUE INSPECT` aggregate results from all worker processes into a single response:
+
+- `POOL LIST` — pool maps from all workers are merged into one object
+- `QUEUE STATS` — counters from all workers are summed into a single `"N/N/N"` string
+- `QUEUE INSPECT` — `delivery_queue` and `temp_fail_queue` arrays from all workers are concatenated
+
+`QUEUE LIST` always runs on the master process since it reads shared queue files from disk.

package/docs/plugins/tarpit.md

@@ -0,0 +1,50 @@
+# tarpit
+
+This plugin is designed to introduce deliberate delays on the response
+of every hook in order to slow down a connection. It has no
+configuration and is designed to be used only by other plugins.
+
+It must be loaded early in config/plugins (e.g. before any plugins
+that accept recipients or that return OK) but must be loaded _after_
+any plugins that wish to use it.
+
+## Usage
+
+To use this plugin in another plugin set:
+
+    connection.notes.tarpit = <seconds to delay>;
+
+or
+
+    connection.transaction.notes.tarpit = <seconds to delay>;
+
+## Configuration
+
+The configuration file for tarpit is config/tarpit.ini.
+
+- hooks_to_delay - a list of hooks to delay at. This setting can be used to
+  override the default list in the plugin. For example, if you notice that
+  malware is disconnecting after delaying rcpt_ok, you can remove just that
+  hook from the list:
+
+hooks_to_delay=connect,helo,ehlo,mail,rcpt,data,data_post,queue,unrecognized_command,vrfy,noop,rset,quit
+
+## Plugin Timeout
+
+config/tarpit.timeout (Default: 0)
+
+All Haraka plugins can configure a _name_.timeout file. The timeout specifies
+how long Haraka lets the plugin do nothing before it times out. When zero,
+there is no timeout. When non-zero and _seconds to delay_ is longer than
+tarpit.timeout (default: 1s), you'll get errors like this in your log files:
+
+    [core] Plugin tarpit timed out on hook rcpt - make sure it calls the callback
+    [core] Plugin tarpit timed out on hook quit - make sure it calls the callback
+
+The solution is to set the contents of config/tarpit.timeout to zero or
+**seconds to delay** + 1.
+
+## Logging
+
+When tarpitting a command it will log 'tarpitting response for Ns' to
+the INFO facility where N is the number of seconds.

package/docs/plugins/tls.md

@@ -0,0 +1,235 @@
+# tls
+
+This plugin enables the use of TLS (via `STARTTLS`) in Haraka.
+
+For this plugin to work you must have SSL certificates installed correctly.
+
+Haraka has [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) support. When the remote MUA/MTA presents a servername during the TLS handshake and a TLS certificate with that Common Name matches, that certificate will be presented. If no match is found, the default certificate (see Certificate Files) is presented.
+
+## Certificate Files
+
+Defaults settings are shown and can be overridden in `config/tls.ini`.
+
+```ini
+key=tls_key.pem
+cert=tls_cert.pem
+dhparam=dhparams.pem
+```
+
+## Certificate Directory
+
+If the directory `config/tls` exists, files within the directory are PEM encoded TLS files in one of two formats: bundles or Wild Wild West.
+
+### Certificate bundles
+
+Generate PEM bundles in The Usual Way[TM] by concatenating the key, certificate, and CA/chain certs in that order. Example:
+
+```sh
+cat example.com.key example.com.crt ca-int.crt > haraka/config/tls/example.com.pem
+```
+
+An example [acme.sh](https://acme.sh) deployment [script](https://github.com/msimerson/Mail-Toaster-6/blob/master/provision/letsencrypt.sh) installs [Let's Encrypt](https://letsencrypt.org) certificate bundles to the Haraka `config/tls`directory.
+
+### Wild Wild West
+
+PEM encoded TLS certificates and keys can be stored in files in `config/tls`. The certificate loader is recursive, so TLS files can be in subdirs like `config/tls/mx1.example.com`. The certificate names are parsed from the 1st cert in each file and indexed by the certs Common Name(s). Subject Alternate Names are supported. The file name containing the certificates does _not_ matter. Additional certificates within each file are presumed to be CA chain (intermediate) certificates.
+
+If the TLS key is stored in the same file as the matching certificate, then the name of the file does not matter. If the TLS key is alone in a file, the file MUST be named with the keys Common Name. The file extension does not matter, `.pem` and `.key` are common. If the key is used for multiple CNs, the key must be stored in a file name matching each CN. Examples of working TLS key/cert file pairs for the Common Name mx1.example.com:
+
+1. certificate bundle (see above), key & cert in same file
+   - config/tls/mx1.example.com.pem (recommended)
+   - config/tls/any-unique-name.pem (CN is extracted from 1st cert)
+2. files in TLS dir
+   - config/tls/mx1.example.com.crt
+   - config/tls/mx1.example.com.key
+3. files in subdir
+   - config/tls/example.com/mx1.cert
+   - config/tls/example.com/mx1.example.com.key
+4. wildcard bundle on Windows platform (\* is not allowed in file names)
+   - config/tls/\_.example.com.pem
+
+## Purchased Certificate
+
+For purchased certificate, append any intermediate/chained/ca-cert files to the certificate in this order:
+
+1. The CA signed SSL cert
+2. Any intermediate certificates
+3. The CA root certificate
+
+See also [Setting Up TLS](https://github.com/haraka/Haraka/wiki/Setting-up-TLS-with-CA-certificates)
+
+## Self Issued (unsigned) Certificate
+
+Create a certificate and key file in the config directory with the following command:
+
+    openssl req -x509 -nodes -days 2190 -newkey rsa:2048 \
+            -keyout config/tls_key.pem -out config/tls_cert.pem
+
+You will be prompted to provide details of your organization. Make sure the
+Common Name is set to your servers Fully Qualified Domain Name, which should
+be the same as the contents of your `config/me` file.
+
+## Configuration
+
+The following settings can be specified in `config/tls.ini`.
+
+### key
+
+Specifies an alternative location for the key file. For multiple keys, use `key[]=` assignment for each. Non-absolute paths are relative to the `config/` directory.
+
+To configure a single key and a cert chain, located in the `config/`
+directory, use the following in `tls.ini`:
+
+```ini
+key=example.com.key.pem
+cert=example.com.crt-chain.pem
+```
+
+To use multiple pairs of key and cert chain files outside of the haraka
+`config/` directory, configure instead:
+
+```ini
+key[]=/etc/ssl/private/example.com.rsa.key.pem
+cert[]=/etc/ssl/private/example.com.rsa.crt-chain.pem
+key[]=/etc/ssl/private/example.com.ecdsa.key.pem
+cert[]=/etc/ssl/private/example.com.ecdsa.crt-chain.pem
+```
+
+### cert
+
+Specifies the location(s) for the certificate chain file. For multiple certificate chains, use `cert[]=` assignment for each. Non-absolute paths are relative to the `config/` directory. See the description of the `key` parameter for specific use.
+
+### no_tls_hosts
+
+If needed, add this section to the `config/tls.ini` file and list any IP ranges that have broken TLS hosts. Ex:
+
+```ini
+[no_tls_hosts]
+192.168.1.3
+172.16.0.0/16
+```
+
+Note: `[no_tls_hosts]` section applies to inbound only. For outbound mail, this feature is implemented as an array like `force_tls_hosts`:
+
+```ini
+[outbound]
+no_tls_hosts[]=192.168.1.3
+no_tls_hosts[]=172.16.0.0/16
+```
+
+The [Node.js TLS](http://nodejs.org/api/tls.html) page has additional information about the following options.
+
+### no_starttls_ports
+
+An array of incoming ports on which Haraka will not advertise STARTTLS capability.
+
+```ini
+no_starttls_ports[]=2525
+```
+
+### force_tls_hosts
+
+For known good TLS hosts, it's possible to force that the outbound mailer will only connect via secure sockets. This makes Haraka use _forced TLS_ instead of _opportunistic TLS_. For forced TLS, the STARTTLS upgrade must succeed with a valid certificate (overriding `rejectUnauthorized`). The list is matched both against the host (MX record or `nexthop` in `relay_dest_domains.ini`), and the domain name of the email address.
+
+Note: unlike `no_tls_hosts`, this feature is implemented as an array:
+
+```ini
+[outbound]
+force_tls_hosts[]=172.17.123.1
+force_tls_hosts[]=172.17.124.0/24
+force_tls_hosts[]=mx.example.org
+force_tls_hosts[]=example.com
+```
+
+### ciphers
+
+A list of allowable ciphers to use. Example:
+
+    ciphers=EECDH+AESGCM:EDH+aRSA+AESGCM:EECDH+AES256:EDH+aRSA+AES256:EECDH+AES128:EDH+aRSA+AES128:RSA+AES:RSA+3DES
+
+See also: [Mozilla SSL configuration generator](https://ssl-config.mozilla.org/) and the [SSLlabs Test Page](https://www.ssllabs.com/ssltest/index.html)
+
+### minVersion
+
+Specifies minimum allowable TLS protocol version to use. Example:
+
+     minVersion=TLSv1.1
+
+If unset, the default is Node's `tls.DEFAULT_MIN_VERSION` constant
+(currently `'TLSv1.2'`). Valid values: `'TLSv1.3'`, `'TLSv1.2'`,
+`'TLSv1.1'`, `'TLSv1'`.
+
+### honorCipherOrder
+
+If specified, the list of configured ciphers is treated as the cipher priority from highest to lowest. The first matching cipher will be used, instead of letting the client choose. The default is `true`.
+
+### ecdhCurve
+
+Specifies the elliptic curve used for ECDH or ECDHE ciphers.
+Only one curve can be specified. The default is `prime256v1` (NIST P-256).
+
+### dhparam
+
+Specifies the file containing the diffie-hellman parameters to use for DH or DHE key exchange. If this param or file is missing, it will be generated automatically. Default: `dhparams.pem`.
+
+### requestCert
+
+Whether Haraka should request a certificate from a connecting client.
+
+    requestCert=[true|false]  (default: true)
+
+### rejectUnauthorized
+
+Reject connections from clients without a CA validated TLS certificate.
+
+    rejectUnauthorized=[true|false]  (default: false)
+
+### requireAuthorized
+
+When `rejectUnauthorized=false`, require validated TLS certificates on just the specified ports.
+
+```ini
+requireAuthorized[]=465
+;requireAuthorized[]=587
+```
+
+### secureProtocol
+
+Legacy. Specifies the OpenSSL API function used to negotiate TLS — see
+the [OpenSSL API page](https://www.openssl.org/docs/manmaster/ssl/ssl.html).
+Prefer `minVersion` for modern setups; `secureProtocol` is only useful
+to lock to a specific historic protocol.
+
+### requestOCSP
+
+Specifies that OCSP Stapling should be enabled, according to RFC 6066.
+Stapling of OCSP messages allows the client to receive these along the
+TLS session setup instead of delaying the session setup by requiring a
+separate http connection to the OCSP server.
+
+    requestOCSP=[true|false]  (default: false)
+
+OCSP responses from the OCSP server are cached in memory for as long as
+they are valid, and get refreshed after that time. A server restart
+requires the OCSP responses to be fetched again upon the first client
+connection.
+
+## Inbound Specific Configuration
+
+By default the above options are shared with outbound mail (either
+using `smtp_forward`, `smtp_proxy` or plain outbound mail heading to
+an external destination). To make these options specific to inbound
+mail, put them under an `[inbound]` parameter group. Outbound options
+can go under an `[outbound]` parameter group, and plugins that use
+SMTP tls for queueing such as `smtp_proxy` and `smtp_forward` can
+use that plugin name for plugin specific options.
+
+## `[redis]` section
+
+This section is mainly used to enable so called _TLS NO-GO_ feature that essentially stops advertising/using TLS if there was a problem setting it up previously. We use `no_tls|ip.add.re.ss` key to store the flag in redis. There are a couple of settings that control the behavior:
+
+`disable_for_failed_hosts = true` to enable the feature
+
+`disable_expiry = 604800` to set for how long we disable TLS for failing host, in seconds
+
+`disable_inbound_expiry = 3600` same as above, but applies to inbound (aka STARTTLS capability) only

package/docs/plugins/toobusy.md

@@ -0,0 +1,27 @@
+# toobusy
+
+This plugin will stop Haraka accepting new connections when the event loop
+latency is too high.
+
+See https://github.com/STRML/node-toobusy for details.
+
+To use this plugin you must install the [`toobusy-js`](https://www.npmjs.com/package/toobusy-js)
+module — it is not bundled with Haraka. From your Haraka install
+directory:
+
+```sh
+npm install toobusy-js
+```
+
+This plugin registers on the `connect` hook with priority `-100`, so it
+runs ahead of other `connect`/`lookup_rdns` plugins. Listing it near the
+top of `config/plugins` is still a good idea for clarity.
+
+## Configuration
+
+If you wish to override the default maxLag value of 70ms then add the desired
+value to config/toobusy.maxlag. This can be set and changed at runtime and
+no restart is required.
+
+Note that if you set the maxLag value to <10 then this will cause the toobusy
+module to raise an exception which will cause Haraka to stop.

package/docs/plugins/xclient.md

@@ -0,0 +1,10 @@
+# xclient
+
+Implements the [XCLIENT](http://www.postfix.org/XCLIENT_README.html) protocol.
+
+## configuration
+
+- xclient.hosts
+
+  A list of IP addresses, one per line that should be allowed to use the
+  XCLIENT protocol. Localhost (127.0.0.1 or ::1) is allowed implicitly.