Mercurial > notdcc
diff dccifd.html.in @ 0:c7f6b056b673
First import of vendor version
| author | Peter Gervai <grin@grin.hu> |
|---|---|
| date | Tue, 10 Mar 2009 13:49:58 +0100 |
| parents | |
| children |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/dccifd.html.in Tue Mar 10 13:49:58 2009 +0100 @@ -0,0 +1,726 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<HTML> +<HEAD> + <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> + <TITLE>dccifd.0.8</TITLE> + <META http-equiv="Content-Style-Type" content="text/css"> + <STYLE type="text/css"> + BODY {background-color:white; color:black} + ADDRESS {font-size:smaller} + IMG.logo {width:6em; vertical-align:middle} + </STYLE> +</HEAD> +<BODY> +<PRE> +<!-- Manpage converted by man2html 3.0.1 --> +<B><A HREF="dccifd.html">dccifd(8)</A></B> Distributed Checksum Clearinghouse <B><A HREF="dccifd.html">dccifd(8)</A></B> + + +</PRE> +<H2><A NAME="NAME">NAME</A></H2><PRE> + <B>dccifd</B> -- Distributed Checksum Clearinghouse Interface Daemon + + +</PRE> +<H2><A NAME="SYNOPSIS">SYNOPSIS</A></H2><PRE> + <B>dccifd</B> [<B>-VdbxANQ</B>] [<B>-G</B> <I>on</I> | <I>off</I> | <I>noIP</I> | <I>IPmask/xx</I>] [<B>-h</B> <I>homedir</I>] [<B>-I</B> <I>user</I>] + [<B>-p</B> <I>/sock</I> | <I>host,port,rhost/bits</I>] [<B>-o</B> <I>/sock</I> | <I>host,port</I>] + [<B>-D</B> <I>local-domain</I>] [<B>-m</B> <I>map</I>] [<B>-w</B> <I>whiteclnt</I>] [<B>-U</B> <I>userdirs</I>] + [<B>-a</B> <I>IGNORE</I> | <I>REJECT</I> | <I>DISCARD</I>] [<B>-t</B> <I>type,</I>[<I>log-thold,</I>]<I>rej-thold</I>] + [<B>-g</B> [<I>not-</I>]<I>type</I>] [<B>-S</B> <I>header</I>] [<B>-l</B> <I>logdir</I>] [<B>-R</B> <I>rundir</I>] + [<B>-r</B> <I>rejection-msg</I>] [<B>-T</B> <I>tmpdir</I>] [<B>-j</B> <I>maxjobs</I>] + [<B>-B</B> <I>dnsbl-option</I>] [<B>-L</B> <I>ltype,facility.level</I>] + + +</PRE> +<H2><A NAME="DESCRIPTION">DESCRIPTION</A></H2><PRE> + <B>dccifd</B> is a daemon intended to connect spam filters such as SpamAssasin + and mail transfer agents (MTAs) other than sendmail to DCC servers. The + MTA or filter <B>dccifd</B> which in turn reports related checksums to the near- + est DCC server and adds an <I>X-DCC</I> SMTP header line to the message. The + MTA is told to reject the message if it is unsolicited bulk. + + <B>Dccifd</B> is similar to the DCC sendmail milter interface, <B><A HREF="dccm.html">dccm(8)</A></B> and the + DCC Procmail interface, <B><A HREF="dccproc.html">dccproc(8)</A></B>. <B>Dccifd</B> is more efficient than + <B><A HREF="dccproc.html">dccproc(8)</A></B> but not restricted to use with sendmail like <B><A HREF="dccm.html">dccm(8)</A></B>. All + three send reports of checksums related to mail received by DCC clients + and queries about the total number of reports of particular checksums. + + MTA programs use a simple ASCII protocol a subset of SMTP to send a mail + message including its SMTP envelope to the daemon. <B>Dccifd</B> responds with + an indication of whether the message is unsolicited bulk and an optional + copy of the message with an <I>X-DCC</I> header added. The ASCII protocol is + described below and in the <I>include/dccif.h</I> file in the DCC source. There + is a sample C interface routine in the <I>dcclib/dccif.c</I> file in the DCC + source and the <I>dcclib.a</I> library generated from the source. A <I>Perl</I> ver- + sion of the interface routine is in <I>dccifd/dccif.pl</I>. Test or demonstra- + tion programs in the style of <B><A HREF="dccproc.html">dccproc(8)</A></B> that use those interface rou- + tines are in <I>dccifd/dccif-test</I>. + + A subset of ESMTP can be used instead of the ASCII protocol to connect + <B>dccifd</B> to postfix as a "Before-Queue Content Filter." See the <B>-o</B> flag. + + Since the checksums of messages that are whitelisted locally by the <B>-w</B> + <I>whiteclnt</I> file are not reported to the DCC server, <B>dccifd</B> knows nothing + about the total recipient counts for their checksums and so cannot add + <I>X-DCC</I> header lines to such messages. + + Enable the daemon and put its parameters in the <I>dcc</I><B>_</B><I>conf</I> file and start + the daemon with the <I>start-dccifd</I> script. + + The list of servers that <B>dccifd</B> contacts is in the memory mapped file <I>map</I> + shared by local DCC clients. The file is maintained with <B><A HREF="cdcc.html">cdcc(8)</A></B>. + + <A NAME="OPTIONS"><B>OPTIONS</B></A> + The following options are available: + + <A NAME="OPTION-V"><B>-V</B></A> displays the version of <B>dccifd</B>. + + <A NAME="OPTION-d"><B>-d</B></A> enables debugging output from the DCC client software. Additional + <B>-d</B> options increase the number of messages. A single <B>-d</B> + aborted SMTP transactions including those from some "dictionary + attacks." + + <A NAME="OPTION-b"><B>-b</B></A> causes the daemon to not detach itself from the controlling tty and + put itself into the background. + + <A NAME="OPTION-x"><B>-x</B></A> causes the daemon to try "extra hard" to contact a DCC server. + Since it is usually more important to deliver mail than to report + its checksums, <B>dccifd</B> normally does not delay too long while trying + to contact a DCC server. It will not try again for several seconds + after a failure. With <B>-x</B>, it will always try to contact the DCC + server and it will tell the MTA to answer the DATA command with a + 4yz temporary failure. + + <A NAME="OPTION-A"><B>-A</B></A> adds to existing X-DCC headers in the message instead of replacing + existing headers of the brand of the current server. + + <A NAME="OPTION-N"><B>-N</B></A> neither adds, deletes, nor replaces existing X-DCC headers in the + message. Each message is logged, rejected, and otherwise handled + the same. + + <A NAME="OPTION-Q"><B>-Q</B></A> only queries the DCC server about the checksums of messages instead + of reporting and querying. This is useful when <B>dccifd</B> is used to + filter mail that has already been reported to a DCC server by + another DCC client. No single mail message should be reported to a + DCC server more than once per recipient, because each report will + increase the apparent "bulkness" of the message. + + It is better to use <I>MXDCC</I> lines in the global <I>whiteclnt</I> file for + your MX mail servers that use DCC than <B>-Q</B>. + + <A NAME="OPTION-G"><B>-G</B></A> <I>on</I> | <I>off</I> | <I>noIP</I> | <I>IPmask/xx</I> + controls <I>greylisting</I>. At least one working greylist server must be + listed in the <I>map</I> file in the DCC home directory. If more than one + is named, they must "flood" or change checksums and they must use + the same <B>-G</B> parameters. See <B><A HREF="dccd.html">dccd(8)</A></B>. Usually all dccm or dccifd + DCC client processes use the same <B>-G</B> parameters. + + <I>IPmask/xx</I> and <I>noIP</I> remove part or all of the IP address from the + greylist triple. The CIDR block size, <I>xx</I>, must be between 1 and + 128. 96 is added to block sizes smaller than 33 to make them appro- + priate for the IPv6 addresses used by the DCC. <I>IPmask/96</I> differs + from <I>noIP</I> for IPv4 addresses, because the former retains the IPv4 to + IPv6 mapping prefix. + + <A NAME="OPTION-h"><B>-h</B></A> <I>homedir</I> + overrides the default DCC home directory, <I>@prefix@</I>. + + <A NAME="OPTION-I"><B>-I</B></A> <I>user</I> + specifies the UID and GID of the process. + + <A NAME="OPTION-p"><B>-p</B></A> <I>/sock/name</I> | <I>host,port,rhost/bits</I> + overrides the default address at which programs contact <B>dccifd</B>. The + default is a UNIX domain socket named dccifd in the DCC home direc- + tory. + + The second form specifies a local host name or IP address, a local + TCP port number, and the host names or IP addresses of computers + that can use <B>dccifd</B>. 127.0.0.1 or <I>localhost</I> are common choices for + <I>host</I>. The string <I>@</I> specifies IN_ADDRANY or all local IP addresses. + 127.0.0.0/8 is a common choice for <I>rhost/bits</I>. + + <A NAME="OPTION-o"><B>-o</B></A> <I>/sock</I> | <I>host,port</I> + enables SMTP proxy mode instead of the ASCII protocol and specifies + the output connection when <B>dccifd</B> acts as an SMTP proxy. It is the + address of the SMTP server for which <B>dccifd</B> acts as SMTP client. + When <I>/sock</I> is <I>/dev/null</I>, <B>dccifd</B> acts as if there were downstream + SMTP server that always answers "250 ok". The string <I>@</I> specifies + the same IP address as the incoming TCP connection. + + The input to <B>dccifd</B> in SMTP proxy mode is specified with <B>--p</B>. For + example, <B>-p</B> <I>127.0.0.1,10025,127.0.0.1/32</I> <B>-o</B> <I>127.0.0.1,10026</I> could be + used to connect <B>dccifd</B> with Postfix as described in the documenta- + tion in version 2.2.1 Postfix documentation. + + See below concerning the subset of ESMTP used in this mode. + + <A NAME="OPTION-m"><B>-m</B></A> <I>map</I> + specifies a name or path of the memory mapped parameter file instead + of the default <I>map</I> file in the DCC home directory. It should be + created with the <B><A HREF="cdcc.html">cdcc(8)</A></B> command. + + <A NAME="OPTION-w"><B>-w</B></A> <I>whiteclnt</I> + specifies an optional file containing filtering parameters as well + as SMTP client IP addresses, SMTP envelope values, and header values + of mail that is spam or is not spam and does not need a <I>X-DCC</I> + header, and whose checksums should not be reported to the DCC + server. + + If the pathname <I>whiteclnt</I> is not absolute, it is relative to the DCC + home directory. + + The format of the <B>dccifd</B> whiteclnt file is the same as the <I>whitelist</I> + files used by <B><A HREF="dbclean.html">dbclean(8)</A></B> and the <I>whiteclnt</I> file used by <B><A HREF="dccproc.html">dccproc(8)</A></B>. + See <B><A HREF="dcc.html">dcc(8)</A></B> for a description of DCC white and blacklists. Because + the contents of the <I>whiteclnt</I> file are used frequently, a companion + file is automatically created and maintained. It has the same path- + name but with an added suffix of <I>.dccw</I> and contains a memory mapped + hash table of the main file. + + A whitelist entry ("OK") or two or more semi-whitelistings ("OK2") + for one of the message's checksums prevents all of the message's + checksums from being reported to the DCC server and the addition of + a <I>X-DCC</I> header line by <B>dccifd</B> A whitelist entry for a checksum also + prevents rejecting or discarding the message based on DCC recipient + counts as specified by <B>-a</B> and <B>-t</B>. Otherwise, one or more checksums + with blacklisting entries ("MANY") cause all of the message's check- + sums to be reported to the server with an addressee count of "MANY". + + If the message has a single recipient, an <I>env</I><B>_</B><I>To</I> <I>whiteclnt</I> entry of + "OK" for the checksum of its recipient address acts like any other + <I>whiteclnt</I> entry of "OK." When the SMTP message has more than one + recipient, the effects can be complicated. When a message has sev- + eral recipients with some but not all listed in the <I>whiteclnt</I> file, + <B>dccifd</B> tries comply with the wishes of the users who want filtering + as well as those who don't by silently not delivering the message to + those who want filtering (i.e. are not whitelisted) and delivering + the message to don't want filtering. + + <A NAME="OPTION-U"><B>-U</B></A> <I>userdirs</I> + enables per-user <I>whiteclnt</I> files and log directories. Each target + of a message can have a directory of log files named + <I>userdirs/addr/log</I> where <I>addr</I> is the local user or mailbox name com- + puted by the MTA. The name of each user's log directory must be + <I>log</I>. If it is not absolute, <I>userdirs</I> is relative to the DCC home + directory. The directory containing the log files must be named <I>log</I> + and it must be writable by the <B>dccifd</B> process. Each log directory + must exist or logging for the corresponding is silently disabled. + The files created in the log directory are owned by the UID of the + <B>dccifd</B> process, but they have <I>group</I> and <I>other</I> read and write permis- + sions copied from the corresponding <I>log</I> directory. To ensure the + privacy of mail, it may be good to make the directories readable + only by <I>owner</I> and <I>group</I>, and to use a cron script that changes the + owner of each file to match the grandparent <I>addr</I> directory. + + There can also be a per -user whitelist file named + <I>userdirs/addr/whiteclnt</I> for each address <I>addr.</I> Any checksum that is + not white- or blacklisted by an individual addressee's <I>whiteclnt</I> + file is checked in the main <B>-w -whiteclnt</B> file. A missing per- + addressee <I>whiteclnt</I> file is the same as an empty file. Relative + paths for files included in per-addressee files are resolved in the + DCC home directory. The <I>whiteclnt</I> files and the <I>addr</I> directories + containing them must be writable by the <B>dccifd</B> process. + + <I>Option</I> lines in per-user whiteclnt files can be used to modify many + aspects of <B>dccifd</B> filtering, as described in the main dcc man page. + For example, an <I>option</I> <I>dcc-off</I> line turns off DCC filtering for + individual mailboxes. + + <A NAME="OPTION-a"><B>-a</B></A> <I>IGNORE</I> | <I>REJECT</I> | <I>DISCARD</I> + specifies the action taken when <B>dccifd</B> is in proxy mode with <B>-o</B> and + DCC server counts or <B>-t</B> thresholds say that a message is unsolicited + and bulk. <I>IGNORE</I> causes the message to be unaffected except for + adding the <I>X-DCC</I> header line to the message. This turns off DCC + filtering. + + Spam can also be <I>REJECT</I>ed or (when in proxy mode with <B>-o</B>) accepted + and silently <I>DISCARD</I>ed without being delivered to local mailboxes. + The default is <I>REJECT</I>. + + Mail forwarded via IP addresses marked <I>MX</I> or <I>MXDCC</I> in the main + <I>whiteclnt</I> file is treated as if <B>-a</B> <I>DISCARD</I> were specified. This + prevents "bouncing" spam. + + The effects of the <B>-w</B> <I>whiteclnt</I> are not affected by <B>-a</B>. + + <A NAME="OPTION-t"><B>-t</B></A> <I>type,</I>[<I>log-thold,</I>]<I>rej-thold</I> + sets logging and "spam" thresholds for checksum <I>type</I>. The checksum + types are <I>IP</I>, <I>env</I><B>_</B><I>From</I>, <I>From</I>, <I>Message-ID</I>, <I>substitute</I>, <I>Received</I>, + <I>Body</I>, <I>Fuz1</I>, <I>Fuz2</I>, <I>rep-total</I>, and <I>rep</I>. The first six, <I>IP</I> through + <I>substitute</I>, have no effect except when a local DCC server configured + with <B>-K</B> is used. The <I>substitute</I> thresholds apply to the first sub- + stitute heading encountered in the mail message. The string <I>ALL</I> + sets thresholds for all types, but is unlikely to be useful except + for setting logging thresholds. The string <I>CMN</I> specifies the com- + monly used checksums <I>Body</I>, <I>Fuz1</I>, and <I>Fuz2</I>. <I>Rej-thold</I> and <I>log-thold</I> + must be numbers, the string <I>NEVER</I>, or the string <I>MANY</I> indicating + millions of targets. Counts from the DCC server as large as the + threshold for any single type are taken as sufficient evidence that + the message should be logged or rejected. + + <I>Log-thold</I> is the threshold at which messages are logged. It can be + handy to log messages at a lower threshold to find solicited bulk + mail sources such as mailing lists. If no logging threshold is set, + only rejected mail and messages with complicated combinations of + white and blacklisting are logged. Messages that reach at least one + of their rejection thresholds are logged regardless of logging + thresholds. + + <I>Rej-thold</I> is the threshold at which messages are considered "bulk," + and so should be rejected or discarded if not whitelisted. + + DCC Reputation thresholds in the commercial version of the DCC are + controlled by thresholds on checksum types <I>rep</I> and <I>rep-total</I>. Mes- + sages from an IP address that the DCC database says has sent more + than <B>-t</B> <I>rep-total,log-thold</I> messages are logged. A DCC Reputation + is computed for messages received from IP addresses that have sent + more than <B>-t</B> <I>rep-total,log-thold</I> messages. The DCC Reputation of an + IP address is the percentage of its messages that have been detected + as bulk or having at least 10 recipients. The defaults are equiva- + lent to <B>-t</B> <I>rep,never</I> and <B>-t</B> <I>rep-total,never,20</I>. + + Bad DCC Reputations do not reject mail unless enabled by an <I>option</I> + <I>DCC-rep-on</I> line in a <I>whiteclnt</I> file. + + The checksums of locally whitelisted messages are not checked with + the DCC server and so only the number of targets of the current copy + of a whitelisted message are compared against the thresholds. + + The default is <I>ALL,NEVER</I>, so that nothing is discarded, rejected, or + logged. A common choice is <I>CMN,25,50</I> to reject or discard mail with + common bodies except as overridden by the whitelist of the DCC + server, the sendmail <I>${dcc</I><B>_</B><I>isspam}</I> and <I>${dcc</I><B>_</B><I>notspam}</I> macros, and + <B>-g</B>, and <B>-w</B>. + + <A NAME="OPTION-g"><B>-g</B></A> [<I>not-</I>]<I>type</I> + indicates that whitelisted, <I>OK</I> or <I>OK2</I>, counts from the DCC server + for a type of checksum are to be believed. They should be ignored + if prefixed with <I>not-</I>. <I>Type</I> is one of the same set of strings as + for <B>-t</B>. Only <I>IP</I>, <I>env</I><B>_</B><I>From</I>, and <I>From</I> are likely choices. By default + all three are honored, and hence the need for <I>not-</I>. + + <A NAME="OPTION-S"><B>-S</B></A> <I>hdr</I> + adds to the list of substitute or locally chosen headers that are + checked with the <B>-w</B> <I>whiteclnt</I> file and sent to the DCC server. The + checksum of the last header of type <I>hdr</I> found in the message is + checked. <I>Hdr</I> can be <I>HELO</I> to specify the SMTP envelope HELO value. + <I>Hdr</I> can also be <I>mail</I><B>_</B><I>host</I> to specify the host name from the + Mail_from value in the SMTP envelope. As many as six different sub- + stitute headers can be specified, but only the checksum of the first + of the six will be sent to the DCC server. + + <A NAME="OPTION-l"><B>-l</B></A> <I>logdir</I> + specifies a directory in which files containing copies of messages + processed by <B>dccifd</B> are kept. They can be copied to per-user direc- + tories specified with <B>-U</B>. Information about other recipients of a + message is deleted from the per-user copies. + + See the FILES section below concerning the contents of the files. + See also the <I>option</I> <I>log-subdirectory-{day,hour,minute}</I> lines in + <I>whiteclnt</I> files described in <B><A HREF="dcc.html">dcc(8)</A></B>. + + The directory is relative to the DCC home directory if it is not + absolute + + <A NAME="OPTION-R"><B>-R</B></A> <I>rundir</I> + specifies the "run" directory where the file containing the daemon's + process ID is stored. The default value is <I>@dcc_rundir@</I>. + + <A NAME="OPTION-T"><B>-T</B></A> <I>tmpdir</I> + changes the default directory for temporary files from the default. + The default is the directory specified with <B>-l</B> or the system default + if <B>-l</B> is not used. The system default is often <I>/tmp</I>. + + <A NAME="OPTION-D"><B>-D</B></A> <I>local-domain</I> + specifies a host or domain name by which the system is known. There + can be several <B>-D</B> settings. + + To find the per-user log directory and whitelist for each mail + recipient, <B>dccifd</B> must know each recipient's user name. The ASCII + protocol used between and the MTA includes an optional user name + with each SMTP recipient address. When the user name is absent when + the ASCII protocol is used or when the subset of ESMTP enabled with + <B>-o</B> is used, and when the SMTP recipient address includes an <I>at</I> <I>sign</I> + (@) each mail address is checked against the list of <I>local-domain</I>s. + The part of the recipient address remaining after longest matching + <I>local-domain</I> (if any) is taken as the user name. The match is + anchored at the right or the end of the recipient address. It must + start at a period (.) or <I>at</I> <I>sign</I> (@) in the domain name part of the + address. + + If <I>local-domain</I> starts with an asterisk (*) indicating a wildcard, + preceding sub-domain names are discarded to compute the user name. + Otherwise, the computed user name will include any unmatched sub- + domain names. + + The default value of <I>local-domain</I> when there are no <B>-D</B> settings is + the host name of the system. + + <A NAME="OPTION-r"><B>-r</B></A> <I>rejection-msg</I> + specifies the rejection message in <B>-o</B> proxy mode for unsolicited + bulk mail or for mail temporarily blocked by <I>greylisting</I> when <B>-G</B> is + specified. The first <B>-r</B> <I>rejection-msg</I> replaces the default bulk + mail rejection message, "5.7.1 550 mail %ID from %CIP rejected by + DCC". The second replaces "4.2.1 452 mail %ID from %CIP temporary + greylist embargoed". The third <B>-r</B> <I>rejection-msg</I> replaces the + default SMTP rejection message "5.7.1 550 %ID bad reputation; see + http://commercial-dcc.rhyolite.com/cgi-bin/reps.cgi?tgt=%CIP" for + mail with bad DCC Reputations. If <I>rejection-msg</I> is the zero-length + string, the <B>-r</B> setting is counted but the corresponding message is + not changed. + + <I>Rejection-msg</I> can contain specific information about the mail mes- + sage. The following strings starting with % are replaced with the + corresponding values: + %ID message ID such as the unique part of log file name or + sendmail queue ID + %CIP SMTP client IP address + %BTYPE type of DNS blacklist hit, such as "SMTP client", + "mail_host", or "URL NS" + %BTGT IP address or name declared bad by DNS blacklist + %BPROBE domain name found in DNS blacklist such as + 4.3.2.10.example.com + %BRESULT value of the %BPROBE domain name found in DNS black- + list + + A common alternate for the bulk mail rejection message is "4.7.1 451 + Access denied by DCC" to tell the sending mail system to continue + trying. Use a 4yz response with caution, because it is likely to + delay for days a delivery failure message for false positives. If + the rejection message does not start with an RFC 1893 status code + and RFC 2821 reply code, 5.7.1 and 550 or 4.2.1 and 452 are used. + + See also <B>-B</B> <I>set:rej-msg=rejection-msg</I> to set the status message for + mail rejected by DNS blacklists. + + <A NAME="OPTION-j"><B>-j</B></A> <I>maxjobs</I> + limits the number of simultaneous requests that will be processed. + The default value is the maximum number that seems to be possible + given system limits on open files, select() bit masks, and so forth. + Start <B>dccifd</B> with <B>-d</B> and see the starting message in the system log + to see the limit. + + <A NAME="OPTION-B"><B>-B</B></A> <I>dnsbl-option</I> + enables DNS blacklist checks of the SMTP client IP address, SMTP + envelope Mail_From sender domain name, and of host names in URLs in + the message body. Body URL blacklisting has too many false posi- + tives to use on abuse mailboxes. It is less effective than + greylisting with <B><A HREF="dccm.html">dccm(8)</A></B> or <B><A HREF="dccifd.html">dccifd(8)</A></B> but can be useful in situa- + tions where greylisting cannot be used. + + <I>Dnsbl-option</I> is either one of the <B>-B</B> <I>set:option</I> forms or + <B>-B</B> <I>domain</I>[<I>,IPaddr</I>[<I>/xx</I>[<I>,bltype</I>]]] + <I>Domain</I> is a DNS blacklist domain such as example.com that will be + searched. <I>IPaddr</I>[<I>/xxx</I>] is the string "any" an IP address in the DNS + blacklist that indicates that the mail message should be rejected, + or a CIDR block covering results from the DNS blacklist. + "127.0.0.2" is assumed if <I>IPaddr</I> is absent. IPv6 addresses can be + specified with the usual colon (:) notation. Names can be used + instead of numeric addresses. The type of DNS blacklist is speci- + fied by <I>bltype</I> as <I>name</I>, <I>IPv4</I>, or <I>IPv6</I>. Given an envelope sender + domain name or a domain name in a URL of spam.domain.org and a + blacklist of type <I>name</I>, spam.domain.org.example.com will be tried. + Blacklist types of <I>IPv4</I> and <I>IPv6</I> require that the domain name in a + URL sender address be resolved into an IPv4 or IPv6 address. The + address is then written as a reversed string of decimal octets to + check the DNS blacklist, as in 2.0.0.127.example.com, + + More than one blacklist can be specified and blacklists can be + grouped. All searching within a group is stopped at the first posi- + tive result. + + Positive results are ignored after being logged unless an + <I>option</I> <I>DNSBL-on</I> line appears in the global or per-user <I>whiteclnt</I> + file. + + <B>-B</B> <I>set:no-client</I> + says that SMTP client IP addresses and reverse DNS domain names + should not be checked in the following blacklists. + <B>-B</B> <I>set:client</I> restores the default for the following black- + lists. + + <B>-B</B> <I>set:no-mail</I><B>_</B><I>host</I> + says that SMTP envelope Mail_From sender domain names should + not be checked in the following blacklists. <B>-B</B> <I>set:mail</I><B>_</B><I>host</I> + restores the default. + + <B>-B</B> <I>set:no-URL</I> + says that URLs in the message body should not be checked in the + in the following blacklists. <B>-B</B> <I>set:URL</I> restores the default. + + <B>-B</B> <I>set:no-MX</I> + says MX servers of sender Mail_From domain names and host names + in URLs should not be checked in the following blacklists. + <B>-B</B> <I>set:MX</I> restores the default. + + <B>-B</B> <I>set:no-NS</I> + says DNS servers of sender Mail_From domain names and host + names in URLs should not be checked in the following black- + lists. <B>-B</B> <I>set:NS</I> restores the default. + + <B>-B</B> <I>set:defaults</I> + is equivalent to all of <B>-B</B> <I>set:no-temp-fail</I> <B>-B</B> <I>set:client</I> + <B>-B</B> <I>set:mail</I><B>_</B><I>host</I> <B>-B</B> <I>set:URL</I> <B>-B</B> <I>set:MX</I> and <B>-B</B> <I>set:NS</I> + + <B>-B</B> <I>set:group=X</I> + adds later DNS blacklists specified with + <B>-B</B> <I>domain</I>[<I>,IPaddr</I>[<I>/xx</I>[<I>,bltype</I>]]] + to group 1, 2, or 3. + + <B>-B</B> <I>set:debug=X</I> + sets the DNS blacklist logging level + + <B>-B</B> <I>set:msg-secs=S</I> + limits <B>dccifd</B> to <I>S</I> seconds total for checking all DNS black- + lists. The default is 25. + + <B>-B</B> <I>set:URL-secs=S</I> + limits <B>dccifd</B> to at most <I>S</I> seconds resolving and checking any + single URL. The default is 11. Some spam contains dozens of + URLs and that some "spamvertised" URLs contain host names that + need minutes to resolve. Busy mail systems cannot afford to + spend minutes checking each incoming mail message. + + <B>-B</B> <I>set:rej-msg=rejection-msg</I> + sets the SMTP rejection message for the following blacklists. + <I>Rejection-msg</I> must be in the same format as for <B>-r</B>. If + <I>rejection-msg</I> is null, the default is restored. The default + DNS blacklist rejection message is the first message set with + <B>-r</B>. + + <B>-B</B> <I>set:temp-fail</I> + causes <B>dccifd</B> to the MTA to answer the SMTP DATA command with + 452 4.2.1 mail %ID from %CIP temporary delayed for DNSBL + if any DNS answer required for a DNSBL in the current group + times out, including resolving names in URLs. + + <B>-B</B> <I>set:no-temp-fail</I> + restores the default of assuming a negative answer for DNS + responses that take too long. + + <B>-B</B> <I>set:maxjobs=X</I> + sets maximum number of helper processes to <I>X</I>. In order to use + typical single-threaded DNS resolver libraries, <B>dccifd</B> uses + fleets of helper processes. It is rarely a good idea to change + the default, which is the same as the maximum number of simul- + taneous jobs set with <B>-j</B>. + + <B>-B</B> <I>set:progpath=@libexecdir@/dns-helper</I> + changes the path to the helper program. + + <A NAME="OPTION-L"><B>-L</B></A> <I>ltype,facility.level</I> + specifies how messages should be logged. <I>Ltype</I> must be <I>error</I>, <I>info</I>, + or <I>off</I> to indicate which of the two types of messages are being con- + trolled or to turn off all <B>syslog(3)</B> messages from <B>dccifd</B>. <I>Level</I> + must be a <B>syslog(3)</B> level among <I>EMERG</I>, <I>ALERT</I>, <I>CRIT</I>, <I>ERR</I>, <I>WARNING</I>, + <I>NOTICE</I>, <I>INFO</I>, and <I>DEBUG</I>. <I>Facility</I> must be among <I>AUTH</I>, <I>AUTHPRIV</I>, + <I>CRON</I>, <I>DAEMON</I>, <I>FTP</I>, <I>KERN</I>, <I>LPR</I>, <I>MAIL</I>, <I>NEWS</I>, <I>USER</I>, <I>UUCP</I>, and <I>LOCAL0</I> + through <I>LOCAL7</I>. The default is equivalent to + <B>-L</B> <I>info,MAIL.NOTICE</I> <B>-L</B> <I>error,MAIL.ERR</I> + + <B>dccifd</B> normally sends counts of mail rejected and so forth to the system + log at midnight. The SIGUSR1 signal sends an immediate report to the + system log. The reports will be repeated every 24 hours at the same + minute as the signal instead of at midnight. + + <A NAME="Protocol"><B>Protocol</B></A> + <B>Dccifd</B> uses a simple ASCII protocol to receive mail messages to be + checked and to return results. For each message, the MTA must open a + connection to the interface daemon, send options, envelope recipients, + and the message, receive the results, and close the connection. + + Instead of the ASCII protocol, a subset of ESMTP is enabled by <B>-o</B>. Only + the familiar HELO, EHLO, Mail, Rcpt, DATA, RSET, and QUIT commands and + the Postfix extensions XFORWARD and XCLIENT are honored. Since SMTP has + no provisions for user names, the protocol enabled by <B>-o</B> depends on a + list of local domain names specified with <B>-D</B> to find per-user log direc- + tories and whitelist files. If neither XFORWARD nor XCLIENT are used, + <B>dccifd</B> uses the IP address of the MTA and the value of the HELO command. + + In the ASCII protocol, each of the following lines are sent in order to + <B>dccifd</B>. Each ends with a newline ('\n') character. + options zero or more blank-separated strings among: + <I>spam</I> the message is already known to be spam + <I>body</I> return all of the headers with the added + <I>X-DCC</I> header line and the body + <I>header</I> return the <I>X-DCC</I> header + <I>query</I> ask the DCC server about the message without + reporting it, as if <B>dccifd</B> were running with + <B>-Q</B>. + <I>grey-query</I> only query the greylist server for this mes- + sage. <B>-G</B> <I>on</I> must be in use. + <I>no-reject</I> suppress the overall, one character line 'R' + result. This can be useful when using <B>dccifd</B> + only for greylisting. + <I>log</I> ensure that this message is logged as if + <B>dccifd</B> were running with <B>-t -all,0,</B> + client IP address of the SMTP client in a "dotted" or "coloned" + ASCII string and reverse-DNS host name. If the host name + is present, it must follow a carriage return character + ('\r') after the IP address. The client IP address must be + present and non-null if the host name is present. The + string "0.0.0.0\n" is understood the same as the null + string, meaning that both the IP address and host name are + absent. If the client IP address is absent, then the IP + address and host name are taken from the first non-local + Received header if it has the standard "name (name [IP + address])..." format. Non-standard Received headers com- + monly added by qmail as well as Received headers specifying + IP addresses marked <I>MX</I> or <I>MXDCC</I> in the global <B>-w</B> <I>whiteclnt</I> + file are skipped. + HELO SMTP HELO value or nothing, followed by a newline ('\n') + character. If the HELO value is null and the IP address of + the SMTP client are not supplied, they will be taken from + the same Received: header that supplies the IP address. + sender or SMTP <I>Mail</I> <I>From</I> command value for the env_from checksum. + If the sender is null, the contents of the first Return- + Path: or UNIX style From_ header is used. + recipients or SMTP <I>Rcpt</I> <I>To</I> recipient mailboxes followed by correspond- + ing local user names, one (mailbox,user) pair to a line. + Each optional local user name is separated from the corre- + sponding mailbox recipient address by a carriage return + ('\r'). A local user name can be null if it is not known, + but each recipient mailbox must be non-null. If there are + no lines of (mailbox,user) pairs and if the <I>spam</I> option is + not included, then the <I>query</I> is assumed. Mailboxes without + user names will lack per-user log files and will not invoke + a per-user whitelist. + + The last recipient-user name pair is followed by an empty line and the + headers and body of the message. The end of the body of the mail message + is signaled by the MTA half-closing the connection. See <B>shutdown(2)</B>. + + <B>Dccifd</B> responds with three things. First is a one character line of the + overall result advising the MTA: + A accept the message for all recipients and answer the SMTP DATA + command with a 2yz result. + G answer with a 4yz result to embargo the message for greylisting. + R reject the message and answer the DATA command with a 5yz result. + S accept the message for some recipients and so answer the DATA com- + mand with a 2yz result. + T temporary failure by the DCC system and so answer with a 4yz + result. + + Second is a line of characters indicating the disposition of the message + for each corresponding recipient: + A deliver the message + G discard the message during a greylist embargo + R discard the message as spam + The SMTP protocol allows only a single result for the DATA command for + all recipients that were not rejected before body of the message was + offered with the DATA command. To accept the message for some recipients + and reject it for others, the MTA must tell the SMTP client it is accept- + ing the message for all recipients and then discard it for those that + would reject it. + + Finally, if the <I>body</I> or <I>header</I> strings are in the first line of <I>options</I> + sent by the MTA to the daemon, then the <I>X-DCC</I> header line or the entire + body with the <I>X-DCC</I> header line follows. + + +</PRE> +<H2><A NAME="FILES">FILES</A></H2><PRE> + <A NAME="FILE-@prefix@">@prefix@</A> is the DCC home directory in which other files are found. + <A NAME="FILE-@libexecdir@/start">@libexecdir@/start</A>-dccifd + and + <A NAME="FILE-@libexecdir@/rcDCC">@libexecdir@/rcDCC</A> + are scripts used to start the daemon. + <A NAME="FILE-dcc/dcc_conf">dcc/dcc_conf</A> + contains parameters used by the scripts to start DCC daemons + and cron jobs. + <A NAME="FILE-logdir">logdir</A> is an optional directory specified with <B>-l</B> and containing + marked mail. Each file in the directory contains one mes- + sage, at least one of whose checksums reached its <B>-t</B> thresh- + olds or that is interesting for some other reason. Each file + starts with lines containing the date when the message was + received, the IP address of the SMTP client, and SMTP enve- + lope values. Those lines are followed by the body of the + SMTP message including its header as it was received. Only + approximately the first 32 KBytes of the body are recorded + unless modified by <I>./configure</I> <I>--with-max-log-size=xx</I> The + checksums for the message follow the body. They are followed + by lines indicate that one of the checksums is white- or + blacklisted by the <B>-w</B> <I>whiteclnt</I> file. Each log file ends + with the <I>X-DCC</I> header line added to the message and the dis- + position of the message. + <A NAME="FILE-map">map</A> is the memory mapped file of information concerning DCC + servers in the DCC home directory. + <A NAME="FILE-whiteclnt">whiteclnt</A> contains the client whitelist in the format described in + <B><A HREF="dcc.html">dcc(8)</A></B>. + <A NAME="FILE-whiteclnt.dccw">whiteclnt.dccw</A> + is a memory mapped hash table of the <I>whiteclnt</I> file. + <A NAME="FILE-dccifd.pid">dccifd.pid</A> in the <B>-R</B> <I>rundir</I> directory contains daemon's process ID. + + +</PRE> +<H2><A NAME="EXAMPLES">EXAMPLES</A></H2><PRE> + Dccifd can be used as Postfix Before-Queue Content filter. In some tests + these values for <B>-p</B> and <B>-o</B> in <I>dcc</I><B>_</B><I>conf</I>. + + DCCIFD_ENABLE=on + DCCIFD_ARGS="-p 127.0.0.1,10025,127.0.0.1/32 -o 127.0.0.1,10026 + + worked with these lines in /etc/postfix/master.cf + + smtp inet n - n - - smtpd + -o smtpd_proxy_filter=127.0.0.1:10025 + 127.0.0.1:10026 inet n - n - - smtpd + -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + -o smtpd_client_restrictions= + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions= + -o mynetworks=127.0.0.0/8 + -o receive_override_options=no_unknown_recipient_checks + + +</PRE> +<H2><A NAME="SEE-ALSO">SEE ALSO</A></H2><PRE> + <B><A HREF="cdcc.html">cdcc(8)</A></B>, <B><A HREF="dbclean.html">dbclean(8)</A></B>, <B><A HREF="dcc.html">dcc(8)</A></B>, <B><A HREF="dccd.html">dccd(8)</A></B>, <B><A HREF="dblist.html">dblist(8)</A></B>, <B><A HREF="dccm.html">dccm(8)</A></B>, <B><A HREF="dccproc.html">dccproc(8)</A></B>, + <B><A HREF="dccsight.html">dccsight(8)</A></B>, + + +</PRE> +<H2><A NAME="HISTORY">HISTORY</A></H2><PRE> + Implementation of <B>dccifd</B> Distributed Checksum Clearinghouses are based on + an idea of Paul Vixie with code designed and written at Rhyolite Software + starting in 2000. was started at Rhyolite Software in 2002. This docu- + ment describes version 1.3.103. + + +</PRE> +<H2><A NAME="BUGS">BUGS</A></H2><PRE> + <B>dccifd</B> uses <B>-t</B> where <B><A HREF="dccproc.html">dccproc(8)</A></B> uses <B>-c</B>. + + By default <B>dccifd</B> look for its UNIX domain socket in the DCC home direc- + tory, but <B><A HREF="dccm.html">dccm(8)</A></B> looks in its <B>-R</B> <I>rundir</I>. + + Systems without <B>setrlimit(2)</B> and <B>getrlimit(2)</B> RLIMIT_NOFILE can have + problems with the default limit on the number of simultaneous jobs, the + value of <B>-j</B>. Every job requires four open files. These problems are + usually seen with errors messages that say something like + dccifd[24448]: DCC: accept(): Result too large + A fix is to use a smaller value for <B>-j</B> or to allow <B>dccifd</B> to open more + files. + + February 26, 2009 +</PRE> +<HR> +<ADDRESS> +Man(1) output converted with +<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a> +modified for the DCC $Date 2001/04/29 03:22:18 $ +<BR> +<A HREF="http://www.dcc-servers.net/dcc/"> + <IMG SRC="http://logos.dcc-servers.net/border.png" + class=logo ALT="DCC logo"> + </A> +<A HREF="http://validator.w3.org/check?uri=referer"> + <IMG class=logo ALT="Valid HTML 4.01 Strict" + SRC="http://www.w3.org/Icons/valid-html401"> + </A> +</ADDRESS> +</BODY> +</HTML>