Man Linux: Main Page and Category List


       policyd-weight.conf - policyd-weight configuration parameters


       Beta, Documentation incomplete


       policyd-weight  uses  a perl(1) style configuration file which it reads
       on   startup.   The   cache   re-reads    the    configuration    after
       $MAINTENANCE_LEVEL  (default:  5)  queries.  If -f is not specified, it
       searches for configuration files on following locations:



       $CACHESIZE (default: 2000)
              Set the minimum size of the SPAM cache.

       $CACHEMAXSIZE (default: 4000)
              Set the maximum size of the SPAM cache.

              (default: 550 temporarily blocked because of previous errors)"

              Set the SMTP status code and a explanatory message for  rejected
              mails due to cached results

       $NTTL (default: 1)
              The client is penalized for that many retries.

       $NTIME (default: 30)
              The  $NTTL  counter will only be decremented if the client waits
              at least $NTIME seconds.

       $POSCACHESIZE (default: 1000)
              Set the minimum size of the HAM cache.

       $POSCACHEMAXSIZE (default: 2000)
              Set the maximum size of the HAM cache.

       $PTTL (default: 60)
              After that many queries the  HAM  entry  must  succeed  one  run
              through the RBL checks again.

       $PTIME (default: 3h)
              after  $PTIME in HAM Cache the client must pass one time the RBL
              checks again.  Values must be nonfractal.  Accepted  time-units:
              s(econds), m(inutes), h(ours), d(ays)

       $TEMP_PTIME (default: 1d)
              The  client  must  pass  this time the RBL checks in order to be
              listed as  hard-HAM.  After  this  time  the  client  will  pass
              immediately  for  PTTL within PTIME. Values must be non-fractal.
              Accepted time-units: s(econds), m(inutes), h(ours), d(ays)


       $DEBUG (default: 0)
              Turn debugging on (1) or off (0)


       $DNS_RETRIES (default: 2)
              How many times a single DNS query may be repeated

       $DNS_RETRY_IVAL (default: 2)
              Retry a query without response after that many seconds

       $MAXDNSERR (default: 3)
              If  that  many  queries  fail,  the  mail   is   accepted   with
              In total DNS queries this means: $MAXDNSERR * $DNS_RETRIES


       $MAINTENANCE_LEVEL (default: 5)
              After  that  many  policy requests the cache (and in daemon mode
              childs) checks for configuration file changes

       $MAXIDLECACHE (default: 60)
              After that many seconds of  being  idle  the  cache  checks  for
              configuration file changes.

       $PIDFILE (default: /var/run/
              Path and filename to store the master pid (daemon mode)

       $LOCKPATH (default: /tmp/.policyd-weight/)
              Directory   where   policyd-weight   stores  sockets  and  lock-
              files/directories. Its argument must contain a trailing slash.

       $SPATH (default: $LOCKPATH.’/polw.sock’)
              Path and filename which the cache has to use for  communication.

       $TCP_PORT (default: 12525)
              TCP port on which the policy server listens (daemon mode)

       $BIND_ADDRESS (default: ’’)
              IP  Address on which policyd-weight binds. Currently either only
              one or all IPs are supported.  Specify  ’all’  if  you  want  to
              listen on all IPs.

       $SOMAXCONN (default: 1024)
              Maximum  connections  which  policyd-weight accepts. This is set
              high enough to cover most scenarios.

       $USER (default: polw)
              Set the user under which policyd-weight runs

       $GROUP (default: $USER)
              Set the group under which policyd-weight runs


       $ADD_X_HEADER (default: 1)
              Insert a X-policyd-weight: header with evaluation messages.
              1 = on, 0 = off

       $LOG_BAD_RBL_ONLY (default: 1)
              Insert only RBL results in logging  strings  if  the  RBL  score
              changes  the  overall  score.  Thus  RBLs with a GOOD SCORE of 0
              don’t appear in logging strings if the RBL returned no BAD  hit.
              1 = on, 0 = off

       $MAXDNSBLMSG (default: 550 Your MTA is listed in too many DNSBLs)
              The  message  sent  to  the  client  if  it  was  reject  due to
              $MAXDNSBLHITS and/or $MAXDNSBLSCORE.

       $REJECTMSG (default: 550 Mail appeared to be SPAM or forged.  Ask  your
       Mail/DNS-Adminisrator  to  correct  HELO  and DNS MX settings or to get
       removed from DNSBLs)

              Set the SMTP status code for rejected mails and  a  message  why
              the action was taken


       $CHILDIDLE (default: 120)
              How  many  seconds  a  child  may be idle before it dies (daemon

       $MAX_PROC (default: 50)
              Process limit on how many processes  policyd-weight  will  spawn
              (daemon mode)

       $MIN_PROC (default: 2)
              Minimum childs which are kept alive in idle times (daemon mode)

       $PUDP (default: 0)
              Set  persistent  UDP  connections used for DNS queries on (1) or
              off (0).


       Positive values indicate a bad (SPAM) score, negative values indicate a
       good (HAM) score.

       @bogus_mx_score (2.1, 0)
              If  the  sender  domain  has  neither  MX nor A records or these
              records resolve to a  bogus  IP-Address  (for  instance  private
              networks)   then   this   check   asigns   the   full  score  of
              bogus_mx_score. If there is no MX but an A record of the  sender
              domain then it receives a penalty only if DNSBL-listed.

              Log Entries:

               The sender A and MX records are bogus or empty.

               The  sender  domain  has  an  empty  or bogus MX record and the
               client is DNSBL listed.

              Related RFCs:

              [1918] Address Allocation for Private Internets
              [2821] Simple Mail Transfer Protocol (Sect 3.6 and Sect 5)

       @client_ip_eq_helo_score (1.5, -1.25)
              Define scores for the match of  the  reverse  record  (hostname)
              against  the  HELO  argument.  Reverse  lookups are done, if the
              forward lookups failed and are not trusted.

              Log Entries:

               The  Client’s  PTR  matched  the  HELO  argument.

               Domain portions  of Client PTR and HELO argument matched.

               Client  PTRs  found   but  did  not  match  HELO argument.

       @helo_score (1.5, -2)
              Define scores for the match of the Client IP and its /24  subnet
              against  the A records of HELO or MAIL FROM domain/host. It also
              holds the bad score for MX verifications.

              Log Entries:

               Client IP matches the [IPv4] HELO.

               Client IP matches   the  A  record  of  the  MAIL  FROM  sender

               Client  IP  matches  the  A  record  of the HELO argument.

               The  IP  and   the /24  subnet did  not  match A/MX records  of
               HELO  and MAIL FROM  arguments and their subdomains.

       @helo_from_mx_eq_ip_score (1.5, -3.1)
              Define scores for the match of Client  IP  against  MX  records.
              Positive  (SPAM)  values  are used in case the MAIL FROM matches
              not the HELO argument AND the client seems to be dynamic AND the
              client  is  no  MX  for  HELO and MAIL FROM arguments. The total
              DNSBL score is added to its bad score.

              Log Entries:

               Client IP  matches  the MAIL FROM domain/host MX record

               Client IP matches the HELO domain/host MX record

               Client is not a verified  HELO and doesn’t match  A/MX  records
               of MAIL FROM argument

               Client’s  subnet does  not  match A/MX records of the MAIL FROM

       $dnsbl_checks_only (default: 0)
              Disable HELO/RHSBL verifications  and  the  like.  Do  only  RBL
              1 = on, 0 = off

       @dnsbl_score (default: see below)
              A  list  of  RBLs  to be checked. If you want that a host is not
              being evaluated any further if it is listed on several lists  or
              a  very trustworthy list you can control a immediate REJECT with
              $MAXDNSBLHITS and/or $MAXDNSBLSCORE. A  list  of  RBLs  must  be
              build as follows:

              @dnsbl_score = (
                  RBLHOST1,   HIT SCORE,  MISS SCORE,     LOG NAME,
                  RBLHOST2,   HIT SCORE,  MISS SCORE,     LOG NAME,
              The default is:

              @dnsbl_score = (
                  "",     3.25,   0,      "DYN_PBL_SPAMHAUS",
                  "",      4.25,   -1.5,   "BL_NJABL",
                  "",       1.75,   -1.5,   "SPAMCOP",
                  "", 4.35,   -1.5,   "SBL_XBL_SPAMHAUS",
                  "",        4.35,   0,      "DSBL_ORG",
                  "",  4.35,   0,      "IX_MANITU",
                  "",      3.25,   0,      "ORDB_ORG"

       @rhsbl_score (default: see below)
              Define  a  list  of  RHSBL host which are queried for the sender
              domain. Results get additionaly scores of 0.5  *  DNSBL  results
              and  @rhsbl_penalty_score.   A list of RHSBL hosts to be queried
              must be build as follows:

              @rhsbl_score = (
                  RHSBLHOST1,  HIT SCORE,  MISS SCORE,     LOG NAME,
                  RHSBLHOST2,  HIT SCORE,  MISS SCORE,     LOG NAME,
              The default is:

              @rhsbl_score = (
                  "",              1.8,     0,  "AHBL",
                  "",        3.2,     0,  "DSN_RFCI",
                  "", 1 ,      0,  "PM_RFCI",
                  "",      1,       0,  "ABUSE_RFCI"

       @rhsbl_penalty_score (3.1, 0)
              This score  will  be  added  to  each  RHSBL  hit  if  following
              criterias are met:

                  Sender has a random local-part (i.e. yztrzgb@example.tld)

               or MX records of sender domain are bogus

               or FROM matches not HELO

               or HELO is untrusted (Forward record matched, reverse record
                  did not match)

       $MAXDNSBLHITS (default: 2)
              If  the client is listed in more than $MAXDNSBLHITS RBLs it will
              be rejected immediately with $MAXDNSBLMSG  and  without  further
              evaluation. Results are cached by default.

       $MAXDNSBLSCORE (default: 8)
              If  the  BAD  SCOREs  of  @dnsbl_score listed RBLs reach a level
              greater  than  $MAXDNSBLSCORE  the  client  will   be   rejected
              immediately  with  $MAXDNSBLMSG  and without further evaluation.
              Results are cached by default.

       $REJECTLEVEL (default: 1)
              Score results equal or greater than this level will be  rejected
              with $REJECTMSG


       policyd-weight(8), Policyd-weight daemon
       perl(1), Practical Extraction and Report Language
       perlsyn(1), Perl syntax
       access(5), Postfix SMTP access control table


       GNU General Public License


       Robert Felber <>
       Autohaus Erich Kuttendreier
       81827 Munich, Germany

                                Aug 25th, 2006          policyd-weight.conf(5)