Man Linux: Main Page and Category List


       asmtpd.conf - Avenger SMTP Daemon configuration file


       asmtpd.conf is the configuration file for asmtpd(8), the Mail Avenger
       mail server.  The file contains a series of directives, where each
       directive takes zero or more arguments.  Blank lines and lines
       beginning with "#" (for comments) are ignored.  If a line ends with the
       "\" character, the "\" is ignored and the following line is appended.
       In this way you can break a long list of argument over multiple
       "continuation" lines.

       Arguments are separated by spaces.  However, you can include space in
       an argument by surrounding the argument with double-quote (""")
       characters.  A backslash ("\") followed by any other character is
       interpreted as that character.  Thus, a literal """ or "\" character
       can be included as "\"" or "\\", and an alternative to putting double
       quotes around an argument with spaces is simply to put a "\" before
       each space.

       If you change asmtpd.conf while asmtpd is running, you must send it a
       SIGHUP signal for it to read the new changes.  (Note, however, that
       asmtpd will re-read the AliasFile, DomainFile, or SPFHostsFile
       automatically if you change these.)

       The rest of this man page details the various directives.  Directives
       are case-insensitive.  Depending on the directive, the arguments may or
       may not be case sensitive.

       Separator Character
           This is the only option that probably needs to be set at all sites.
           Character is a single character that separates usernames from the
           rest of the local part of an email address.  For example, with
           sendmail, mail for <name+extra@host.domain> is usually delivered to
           user name.  Thus, a "+" should be specified for Character.  With
           qmail, it is <name-extra@host.domain> that belongs to user name
           (though routing is handled differently).  Thus, qmail users will
           want to specify "-".  The default is not to have a separator.  This
           is probably wrong for most sites, but is a lot less bad than
           selecting the wrong character!

       Hostname name
           "Hostname" specifies the hostname that asmtpd should use in the
           SMTP protocol.  Ordinarily, this name should map to the IP address
           of your server (or one of the IP addresses of your server).  The
           default is to use the local hostname (as returned by the
           "gethostname" system call), with the default DNS domain name
           appended if your hostname does not include any "." characters.

       LogPriority priority
           This directive sets the priority with which diagnostic messages are
           sent to the system log.  The default value is "".

       LogTag tag
           This directive sets the tag for syslog messages generated by
           asmtpd.  The default tag is empty.  Note that by default most
           messages except those created by Debug options already contain

       EtcDir directory
           Sets the directory in which asmtpd will search for various
           configuration files, including aliases, domains, and spfhosts (see
           below), as well as four special rule files run under the
           AvengerUser UID:  default, unknown, secondary, and relay.

           The file unknown consists of avenger rules that get run for any
           local user that does not exist in the password file, or that exists
           but has a UID of 0 (root), or that exists but has an invalid shell
           (not listed in /etc/shells).  These rules are not run for normal
           users, even if those users do not have a .avenger directory.

           The default file consists of rules that are run after the rules in
           unknown or after the rules in a user’s .avenger directory, so long
           as these rules did not immediately reject, defer, accept, redirect,
           or bodytest the mail.  If a user does not have a .avenger
           directory, the rules in default are always run.

           The secondary ruleset contains rules that are run if MxLocalRcpt
           has been set to 1, mail is received for user@hostname, and the mail
           server is an MX record for hostname, but not the highest priority
           MX record.  If the ruleset does not exist or simply exits, the
           default is to spool the mail.

           The relay ruleset consists of rules that are run when mail is
           received for user@hostname where hostname is not in the domains
           file (and, if MxLocalRcpt is 1, the server is not an MX record for
           hostname).  In such circumstances, if the sender address is local,
           asmtpd will first attempt to execute an appropriate "mail" (as
           opposed to the usual "rcpt") ruleset in the user’s .avenger
           directory.  If that ruleset does not exist or simply exits, or
           hostname is not local, then asmtpd runs relay.  If the rules in
           relay simply exit or the file does not exist, the default is to
           reject the mail.

           The default value of EtcDir is /etc/avenger.

       BindAddr IP-address [port-no]
           "BindAddr" specifies the IP address on which the server should
           listen.  The default is (INADDR_ANY), meaning to accept
           incoming connections on any IP address.  By default the server uses
           TCP port 25, but port-no can be also specified to chose a different
           port number.

       MaxClients val
           Specifies the maximum number of concurrent TCP connections from
           clients that asmtpd should allow.  The default value is 60.

       MaxConPerIP val
           Specifies the maximum number of incoming TCP connections asmtpd
           should accept from a single IP address.  The default value is 10.

       SMTPFilter prog
           Specifies the name of a program asmtpd can invoke to enable packet
           filtering of incoming SYN packets from a particular IP address for
           the SMTP port (25 by default).  Note that this program should
           filter only TCP packets to the SMTP port that have the TCP SYN flag
           set and the ACK flag cleared.  It is very important that this rule
           not interfere with previously established TCP connections, since
           asmtpd uses this to block new connections when the per-IP-address
           limit has been reached.

           The program will be run three different ways:

           prog clear
           prog add IP-addr
           prog del IP-addr

           The clear command should cause all previously filtered IP addresses
           to be re-enabled.  The add command says to add the particular IP
           address to the list of filtered addresses.  del says to remove an
           IP address from the list of addresses.

           Since the details of how to filter IP packets depend entirely on
           the particular operating system and firewall software being run,
           this task is best handled by a shell script written by the system
           administrator.  An example script for use with OpenBSD’s pf packet
           filter can be found in /usr/local/share/avenger/  An
           example for use with Linux’s iptables firewall can be found in

       MaxMsgsPerIP msgs-per-hour [msgs-max]
           Specifies the maximum rate at which asmtpd will allow successful
           SMTP RCPT commands from a particular IP address.  After this limit
           is reached, further RCPT commands will be rejected with a temporary
           SMTP error code saying too much load.  msgs-per-hour is the number
           of RCPT commands per hour.  msgs-max is the hard limit after which
           further RCPTs are refused.  msgs-max, if not specified, defaults to
           the same value as msgs-per-hour.  However, it can be set to a
           greater value to accept bursts of traffic.

       MaxErrorsPerIP msgs-per-hour [msgs-max]
           Similar to MaxMsgsPerIP, except this parameter specifies the
           maximum rate at which clients from a particular IP address can
           issue SMTP commands that return errors.  If a client is issuing too
           many commands that cause errors (as can often happen with spambots
           that don’t check the results of commands, or that relay spam
           through HTTP proxies), asmtpd will temporarily filter new
           connections from that client if SMTPFilter has been specified.
           Otherwise, it will immediately shutdown any incoming new TCP
           connections from the client with a temporary SMTP error code.

       MaxMsgsPerUser msgs-per-hour [msgs-max]
           Specifies the maximum rate at which asmtpd will allow successful
           SMTP RCPT commands from a particular authenticated user.  The name
           used for the check is either the username from SASL authentication,
           or the common name of the client certificate with SSL
           authentication.  With this feature, you can prevent people who have
           legitimate relay privileges from sending bulk mail, as might happen
           if a spammer somehow stole a SASL password.

       MaxRcpts val
           Specifies the maximum number of recipients on a single message.
           Once this number is reached, asmtpd rejects further recipients with
           a temporary SMTP error code, causing the sender to send a separate
           copy of the message to the remaining recipients.  The default value
           is 5.  (Note that this limit does not apply to trusted clients.)

       MaxRelayRcpts val
           If val is greater than the number of recipients specified for
           MaxRcpts, then this specifies a higher limit on the number of
           recipients when recipients are accepted by the relay script.

       MaxMsgSize bytes
           The largest mail message asmtpd should accept.  The default value
           is 104,857,600 (100 MBytes).

       SMTPTimeout seconds
           Determines how long asmtpd will keep an open connection from a
           client while awaiting an SMTP command.

       DataTimeout seconds
           Determines how long asmtpd will keep an idle connection from a
           client open while waiting for mail message contents (after the SMTP
           DATA command).  It is advisable to set a reasonable DataTimeout
           even if SMTPTimeout is short, so as not to force a client behind an
           unreliable network connection to keep having to start over.

       SMTPCB [0|1|2]
           If set to 2 (the default), asmtpd will attempt to verify the sender
           address of mail messages by going through the initial steps of
           sending back a bounce message, a technique known as an "SMTP
           callback."  If the mail cannot get through, the SENDER_BOUNCERES
           environment variable will contain an SMTP error code, and
           MAIL_ERROR will be set to reject the mail by default.  The next
           several parameters (ClientTimeout, VrfyDelay, VrfyCacheTime, and
           MaxRevClients) control the behavior of SMTP callbacks.

           If SMTPCB is set to 0, SMTP callbacks are entirely disabled.  If it
           is set to 1, then asmtpd still performs callbacks and sets the
           SENDER_BOUNCERES environment variable, but does not set MAIL_ERROR
           or reject mail by default if the callback fails.

       ClientTimeout seconds
           Specifies the SMTP timeout for asmtpd when it acts as an SMTP
           client, probing remote servers to check the validity of the sender
           address on incoming mail messages.  The default value is 300.

       VrfyDelay seconds
           When probing a remote SMTP server to validate an email address,
           asmtpd will keep the TCP connection open at least this long (after
           sending an HELO/EHLO command) before probing the address.  The idea
           is to make bulk mailing harder by preventing remote servers from
           validating more than a few thousand (or a few tens of thousands of)
           email addresses per second.  The default value for seconds is 2.

       VrfyCacheTime seconds
           If asmtpd probes a remote server and discovers that it cannot send
           bounce messages to an address, it caches the result for this amount
           of time.  If someone is mailbombing an asmtpd server from a forged
           address, this option prevents asmtpd from initiating too many
           connections to the forgery victim’s mail server.  (Of course, if
           the victim publishes an SPF record, asmtpd will never contact the
           server and this is not an issue.)  The default vaule for seconds is

       MaxRevClients val
           The number of idle reverse SMTP connections (to remote SMTP
           servers) to cache when not in use.  These connections are used to
           validate sending addresses of received mail.  This number is

       IdentTimeout seconds
           The number of seconds to wait for the client to respond to an
           RFC1413 ident lookup.  The default is 15.

       SynFp [0|1]
           If set to 0, disables the collection of SYN fingerprint
           information, which asmtpd ordinarily includes in headers of mail
           messages and in the CLIENT_SYNFP environment variable of avenger
           processes.  The default value is 1.

       SynFpWait msec
           Sets the number of milliseconds after accepting a TCP connection
           that asmtpd should wait to receive the full SYN packet from the
           packet filter (bpf) device.  If the time is exceeded, no SYN
           fingerprint will be recorded for the connection.  The default value
           is 500.

       SynFpBuf count
           Sets the maximum number of SYN fingerprints to keep around while
           waiting for the corresponding connections.  The default value is

       SynOsMTU size
           Sets an additional size to try for the network’s maximum
           transmission unit (MTU) when guessing the client operating system.
           If size is set to 0, asmtpd will only try the value in the TCP MSS
           option + 40 bytes.  (Otherwise, when size is non-zero, asmtpd tries
           both MSS + 40 and size.)  The default for size is 1500.

       NetPath [0|1]
           If set to 0, disables the collection of IP "traceroute"
           information, which is normally included in the headers of mail
           messages and in the CLIENT_NETPATH environment variable of avenger
           processes.  The default value is 1.

       TrustedNet IP-addr/len
           If the first len bits of a client’s IP address match IP-addr, the
           client will be considered trusted.  Trusted clients can relay mail
           through asmtpd to arbitrary addresses, and do not undergo any
           checks or processing by any avenger scripts.  This option can be
           given multiple times to list multiple networks.

       TrustedDomain domain
           If a client’s verified DNS name is domain or ends .domain, the
           client will be considered trusted, and as described above will be
           allowed to relay mail unchecked.  This option can be given multiple
           times to list multiple domains.

       SASL [0|1|2]
           This option only exists if asmtpd has been compiled with SASL
           support (via the --enable-sasl option to "configure").  If set to 0
           (the default), the AUTH SMTP verb is disabled, and asmtpd performs
           no SASL authentication.  If set to 1, asmtpd performs SASL
           authentication when requested by clients, but does not inherently
           trust SASL-authenticated users.  You must check the AUTH_USER
           environment variable in the system-wide relay script and explicitly
           permit users to relay mail.

           If SASL is set to 2, then clients that have authenticated via SASL
           can relay mail just like TrustedNet and TrustedDomain machines--no
           further scripts are run.  However, the authenticated user name is
           still recorded in the Received: header to track abuse, and
           MaxMsgsPerUser is still enforced to prevent bulk mailing.  2 is a
           reasonable value for ordinary usage, since users without permission
           to relay mail have no reason to be listed in the SASL database

           For more information on SASL, see the SASL home page at

       InsecureSASL [0|1]
           When set to 0, which is the default, plaintext SASL authentication
           is disabled unless the connection is encrypted with SSL.  If set to
           1, plaintext authentication is allowed even over unencrypted
           connections, which is insecure.

       MxLocalRcpt [0|1]
           If set to 1, asmtpd will accept mail for user@host even if host
           does not appear in DomainFile, as long as the local server’s IP
           address corresponds to one of the DNS MX records for host.
           Decisions about accepting mail will be made by the policies in the
           file secondary in EtcDir.

       AvengerUser username
           Specifies the user in the password file whose identity asmtpd
           should assume when running system-wide default rules, as well as
           the mail injection program specified by Sendmail.  The default
           value is "avenger".  Note that for efficiency, asmtpd will cache
           the user and group IDs of this user.  If for instance, you change
           the AvengerUser’s group membership, you will have to send asmtpd a
           SIGHUP signal (or restart it).

       Sendmail program [arg ...]
           Specifies the program to run to inject new mail messages into the
           system.  The default value is:

               sendmail -oi -os -oee

           Whatever arguments you give, asmtpd will additionally supply the
           sender and recipient(s) by appending the following options:

               -f sender -- recipient-1 [recipient-2 ...]

           The -oee flag tells sendmail always to exit cleanly even if it
           generated a bounce message.  Without it, sometimes sendmail
           generates a bounce for a message and exits with an error code,
           which would cause asmtpd to generate an error despite the fact that
           the message has already been bounced.  This results in multiple
           bounces for the same message.

           Note that some sendmail replacements (including Exim) do not
           support the -oee flag.  However, these systems typically behave
           correctly even without the -oee flag, meaning their sendmail
           programs exit cleanly if and only if the sender no longer needs to
           worry about the message.  If your sendmail executable rejects the
           argument -oee, try using -oem instead.

       EmptySender sender
           In some old versions of sendmail, running

               sendmail -f ''

           (where ’’ is a zero-length argument) does not produce an empty
           envelope sender, as should happen for bounces.  EmptySender lets
           you specify an alternate sender to use for the empty envelope
           sender.  Try using the single-character string "@"--that seems to
           produce the desired envelope sender (which turns into MAILER-
           DAEMON) with both old and new versions of sendmail, though it is
           not necessarily compatible with other MTAs.

       SendmailPriv [0|1]
           By default, asmtpd drops privilege to run Sendmail as AvengerUser.
           If, however, you specify SendmailPriv 1, asmtpd will instead run
           Sendmail as root.  One possible use of this, for users of the
           sendmail MTA, is to invoke sendmail with the -Am flag, which
           requires root privileges but bypasses an extra level of queuing.
           (Note that with newer versions of sendmail, if you do not run
           sendmail as a daemon on address, you will have to
           configure asmtpd to use the -Am flag.)

       SendmailFromLine [0|1]
           If you set this value to 1, the message fed to the Sendmail program
           will start with a UNIX mailbox style "From " line (which is not
           actually part of the message header).  The default value is 0.

       AliasFile path
           Specifies the path of the user-mapping file, which by default is
           the file aliases in the directory specified by EtcDir.  Each line
           of this file is of the form:

               prefix: replacement

           Before deciding which user’s rules to process for a particular mail
           message, the local part of the email address is transformed based
           on the aliases file.  An address of prefix is replaced by the
           replacement.  In addition, if the Separator character has been
           defined, then if an address begins with prefix followed immediately
           by the separator character, replacement is also substituted.  If
           the alias file contains multiple matching prefixes, the longest one
           is chosen.  Alias substitution continues recursively unless a loop
           is detected or the recursion reaches a depth of 20.

           Note:  It is important to emphasize that the aliases mechanism only
           governs which user checks the validity of a particular piece of
           mail.  It does not affect where the mail is eventually delivered,
           should the resulting rules accept the mail.

       DomainFile path
           Specifies the path of the domain-mapping file, which by default is
           the file domains in the directory specified by EtcDir.  This file
           allows one to map responsibility for all users in a domain onto a
           particular local user.  Each line of the file must have one of the
           following forms:

               domain: user
               domain: userSEPARATOR

           In the first case, when receiving mail for local@domain, the local
           part local is simply taken as is and treated as a local username
           (with the first separator character and anything following
           removed).  In the second case, the mail is checked by user instead.
           In the third case, SEPARATOR is the separator character, which must
           have been declared with a Separator directive.  Here, user and the
           separator character are pre-pended to local.  For instance, if
           SEPARATOR is -, the mail would be checked by user-local.  In all
           cases, the result of the mapping is subject to alias substitution
           as described for AliasFile.

           Note:  As with AliasFile, the domain mechanism only governs which
           user checks the validity of a particular piece of mail.  It does
           not affect where the mail is eventually delivered, should the
           resulting rules accept the mail.

       Env var[=value]
           Specifies an environment variable to supply when running avenger.
           Ordinarily, avenger is run with a clean environment, with only a
           few variables such as PATH passed through.  If the Env directive
           specifies a value, the environment variable will be be set to this
           value.  If =value is omitted, asmtpd will pass through the value of
           the environment variable it inherits, or leave the variable unset
           if it is not set in the environment in which asmtpd is run.

       AvengerMaxPerUser val
           Specifies how many concurrent avenger processes to launch for a
           particular user.  If a particular user already has this many
           avenger processes running, and another SMTP client issues an RCPT
           command that resolves to the same local user (or another local user
           with the same numeric UID), then asmtpd will wait for one of the
           existing avenger processes to exit before launching a new avenger
           to evaluate the new RCPT command.  The default for val is 5.  This
           limit does not apply to the system-wide unknown, default, and relay
           files processed under the AvengerUser UID.  (Note that bodytests
           run for a particular user are also included in that user’s count of
           avenger processes.)

       AvengerTimeout seconds
           Specifies a timeout value after which asmtpd will attempt to kill
           an avenger process, in case the process has somehow gotten stuck.
           asmtpd does this, before launching avenger, by setting an alarm for
           the process.  The default for seconds is 600.

       NoCheck user[<@>host]
           Specifies that asmtpd’s internal checks for email validity should
           be bypassed for email to a particular email address.  If host is
           not specified, then this applies to user at any acceptable local
           host (asmtpd still will not allow relaying, of course).  It is a
           good idea to enable this for usernames specified in RFC 2142, such
           as postmaster and abuse.

       RBL [-i] [-p] [-f] -s score domain
           Checks real-time blackhole list domain.  If -i is present, looks up
           the client’s IP address reversed (i.e., for client, this
           will match when DNS name exists).  If -p is present,
           the name of the client (as specified by a verified PTR DNS record)
           will be looked up.  If -f is present, the hostname from the
           envelope sender (the address in the SMTP MAIL) command will be
           looked up (i.e., mail from user@host matches if host.domain
           exists).  If none of -i, -p, or -f is specified, -i is assumed by

           score is an integer (which can be negative).  The scores of all
           matching RBLs are added together, and a message is rejected if the
           total is greater than or equal to 100.

       UserMail [0|1]
           If set to 0, asmtpd will not chack mail* files in users’ .avenger
           directories, but will always use the system-wide relay file (and
           secondary file) to decide whether to relay mail.  The default value
           is 0.

       UserRcpt [0|1]
           If set to 0, asmtpd will not chack rcpt* files in users’ .avenger
           directories, but will always use the system-wide default file.  The
           default value is 1.

       AllowPercent [0|1]
           If set to 0 (the default), asmtpd will reject any email whose local
           part contains a "%" character.  This is because many MTAs will
           relay mail for users of the form user%host1@host2 to user@host1.
           While of course it is possible to reject such messages with the
           /etc/avenger/unknown file, it is easy to forget to do so.  Failing
           to do so can get your site listed in various spam source lists,
           which will have some serious consequences.  For that reason,
           AllowPercent is 0 by default.  Set it to 1 if you really do want
           mail for users with "%" characters.

       AllowDNSFail [0|1|2]
           Upon accepting a connection from a client, asmtpd attempts to
           resolve the client’s IP address to a hostname.  If a temporary DNS
           error occurs and AllowDNSFail is set to 0 (the default), asmtpd
           will reject the connection immediately.  If AllowDNSFail is set to
           1, however, then asmtpd will accept the connection and continue.
           However, in this case that the CLIENT_DNSFAIL environment variable
           will be set to an error message, and mail will still be rejected by
           default unless an rcpt script explicitly calls accept.  If
           AllowDNSFail is set to 2, then CLIENT_DNSFAIL will still be set,
           but by default mail will be accepted unless explicitly rejected.

           Note that this option has no effect on IP addresses that don’t
           resolve to a domain name (e.g., where a lookup of the
           domain returns an empty result or the NXDOMAIN error).

       SSL [0|1|2]
           This and the following options are supported if Mail Avenger has
           been compiled with support for the STARTTLS command (using the
           --enable-ssl option to "configure").  If SSL is set to 0, then the
           STARTTLS command will be disabled.

           If SSL is set to 1 (the default), then STARTTLS will be enabled
           profiled the private key and certificate files can be found.
           (Since these files will not exist by default, STARTTLS is still
           disabled by default.)  Relaying based on client certificates can be
           enabled by checking the SSL_ISSUER and SSL_SUBJECT environment
           variables in the relay script.

           If SSL is set to 2, then authentication with any valid client
           certificate will allow mail relaying with no further checks.  This
           value makes sense only if your organization runs a private
           certificate authority and you only place your local CA key in the
           SSLCAcert file, as otherwise you will have no control over who can
           relay mail through your machine.

       SSLCAcert path
           SSLCAcert specifies the certificate authorities allowed to sign
           client certificates.  path must be a file containing one or more
           trusted CA certificates in PEM format.  If <path> is not an
           absolute path name, asmtpd will look for the file in EtcDir.  The
           default path is cacert.pem.

       SSLCRL path
           If SSL is in use, path specifies a PEM-format certificate
           revocation list.  The default value is crl.pem.

       SSLkey path
           If SSL is in use, path specifies a PEM-format file containing the
           server’s private key.  If the file is not present, the STARTTLS
           command will be disabled.  The default path is privkey.pem.

       SSLcert path
           If SSL is in use, path specifies a PEM-format file containing a
           certificate for the public key corresponding to private key SSLkey.
           If the file is not present, the STARTTLS command will be disabled.
           The default path is cert.pem.

       SSLciphers string
           string specifies the preference for ciphers with SSL.  For example,
           to allow all ciphers except anonymous Diffie-Hellman, low key
           sizes, exportable ciphers, and MD%-based MAC, and to sort ciphers
           by strength, you might use the following string>:


           By default, asmtpd just uses the OpenSSL library’s default cipher

       SPFfail [SPF-rule ...]
           SPF (Sender Policy Framework) is a mechanism to prevent forgery of
           email sender addresses.  (More information is available at
           <> and in the forthcoming RFC 4408.)  asmtpd
           always runs SPF checks on incoming email.  An SPF check returns one
           of seven possible results:  none, neutral, pass, fail, softfail,
           error, or unknown.  asmtpd will reject mail if the result is fail
           (and defer mail if the result is error).

           The SPFfail directive provides a second chance to mail that would
           otherwise resolve to fail.  If SPF rules are provided with this
           directive, and the SPF check on a message resolves to fail, then
           asmtpd will re-evaluate the message with the rules from the SPFfail
           directive.  If the SPFfail rules evaluate to none, neutral, or
           unknown, then the original fail result will remain.  Otherwise, the
           result of the SPFfail rules overrides the fail result.

           This directive can be used to work-around the problem of sites,
           such as, that forge email, but do not actually send spam.
  maintains a white-list of such sites, and it
           is highly recommended that you use this whitelist until SPF is more
           widely deployed.  To do so, you can use the configuration line:


       SPFnone [SPF-rule ...]
           This directive is similar to SPFfail, but supplies additional SPF
           rules to be run in the event that the SPF result for a message
           resolves to none--meaning that the domain from which the mail comes
           does not publish an SPF record.  One possible use might be the

               SPFnone a/24 mx/24 ptr

           This rule says that if the sending domain does not publish an SPF
           record, consider its result to be pass nonetheless as long as the
           sending host shares a 24-bit IP prefix with the address of the
           domain, or the address of any of the mail exchangers (DNS MX
           records) for the domain, or if the domain name of the sending
           machine has the sender domain name as a suffix.

       SPFlocal [SPF-rule ...]
           Unlike the previous two rules, which provide hooks to run after an
           SPF result has been determined, SPFlocal supplies SPF rules to be
           run before even attempting SPF rules for the domain.  If the local
           rules return pass, fail, softfail, or error, this reult becomes the
           SPF result for the message.  Otherwise, asmtpd evaluates the
           appropriate rules for the domain as usual.

           An example use might be to reject mail from a real-time black hole
           list (RBL), such as spamcop:

               SPFlocal -exists:%{ir}

       SPFexp [explanation ...]
           Provides a default explanation for an SPF failure, if the sender
           domain does not have one.  The default is:

               SPFexp See{S}&ip=%{I}

       SPFHostsFile path
           This specifies the pathname of a file that contains "fallback" SPF
           records for domains that fail to supply SPF records themselves.
           This file effectively achieves the same result as SPFNone, but on a
           per-hostname basis.  The default path is spfhosts in the directory
           specified by EtcDir (or /etc/avenger by default).  Each line of the
           file has the form:

               domain: SPF-rules

           domain is the domain name for which the SPF-rules apply.  If domain
           starts with a ".", then the rule matches all host names with domain
           as a suffix.  In other words, "" matches
           "", "", but not "".  Note that
           if a domain publishes an SPF record through DNS, the record in DNS
           overrides the record specified in this file.

           As an example, suppose Microsoft does not publish an SPF record in
           DNS, but you happen to know that all mail from users at
           "" comes from machines whose reverse DNS mapping ends
           either "" or "", or else whose IP addresses
           share a 16-bit prefix with one of the mail exchangers for
           "".  You might place the following line in your
           spfhosts file:

          ptr mx/16 ~all

           Here "~all" resorts to softfail when the sender does not match,
           which tags the message but does not reject it.  Use "-all" to
           reject the mail outright.  Note that if Microsoft ever starts
           publishing an SPF record in DNS, it will override the above line.

       DebugSMTP [0|1]
           When set to 1, causes asmtpd to log a complete trace of all SMTP
           traffic to and from connecting clients.  Produces a large amount of
           data, but can be useful for debugging.  Each trace line list the
           name of the connecting client and asmtpd’s file descriptor number
           in parentheses.

       DebugSMTPc [0|1]
           When receiving mail, asmtpd connects to remote mail servers to
           ensure the envelope sender addresses of incoming messages are valid
           email addresses, and in particular that they can receive bounces.
           When DebugSMTPc is set to 1, all outgoing SMTP connection traffic
           from SMTPc is logged.  The output format is similar to DebugSMTP,
           but file descriptor numbers are prefixed with "R" to indicate this
           is a reverse connection.

       DebugAvenger [0|1]
           Prints a trace of input and output to all avenger processes run.
           The name also has a file descriptor number prefixed with "a" for


           default location of file

           default for EtcDir, location of other configuration files

       aliases, domains, spfhosts
           see the descriptions of AliasFile, DomainFile, and SPFHostsFile

       unknown, default, secondary, relay
           avenger rules to be run by the AvengerUser under different
           circumstances; see the description of EtcDir above, and the manual
           page for avenger(1)

           File containing the process ID of a running asmtpd process.  You
           must send this process a SIGHUP signal for it to re-read the
           asmtpd.conf file.

           Example configuration files.

           Example scripts for the SMTPFilter directive.


       asmtpd(8), avenger(1)

       The Mail Avenger home page: <>.


       David Mazieres