Joe's j-chkmail - F.A.Q. (Obsolete - use the wiki doc)

5. Configuring

Contents

5.1. How do I configure sendmail to use j-chkmail ?

Look at the smconfig directory in the j-chkmail distribution.

If you modify sendmail.cf directly (non recommended), you should insert the file smconfig/milter.cf into it.

If you're using sendmail.mc to generate your sendmail.cf, you should add the file smconfig/milter.mc into your sendmail.mc file.

5.2. How do I configure sendmail to use more than one milter ?

From libmilter documentation....

Suppose you want to use three filters : filter1, filter2 and filter3 and you want they to be called at this order.

You shall define your filters this way : 

  INPUT_MAIL_FILTER(`filter1', `S=unix:/var/run/f1.sock, F=R')
  INPUT_MAIL_FILTER(`filter2', `S=unix:/var/run/f2.sock, F=T, T=S:1s;R:1s;E:5m')
  INPUT_MAIL_FILTER(`filter3', `S=inet:999@localhost, T=C:2m')

  define(`confINPUT_MAIL_FILTERS', `filter2,filter1,filter3')

INPUT_MAIL_FILTER will define how sendmail will interact with them, and confINPUT_MAIL_FILTERS will define in which order they shall be called.

5.3. Which configuration files are used by j-chkmail?

j-chkmail uses eight configuration files :

Additionally, j-chkmail shares a file with sendmail - the file where class W is defined : usually /etc/mail/local-host-names or /etc/mail/sendmail.cw

OBS : Berkeley DB support is being integrated to j-chkmail. When this will be done, some of this files will disappear or be combined with others. But you'll always enter your data into text files and create databases in the same way you do to configure sendmail.

The interest of having j-chkmail accessing databases instead of text files is the possibility of using new data as soon as you enter them into the database. Nowadays, j-chkmail shall periodically reload configuration files to take changes into account.

5.4. How can I check if j-chkmail has correctly interpreted the configuration files ?

You can do that if you launch j-chkmail in the following ways :

j-chkmail -v will dump runtime configuration file - this show you how it interpreted your j-chkmail.cf file.

j-chkmail -t TABLE will dump the contents of data tables. TABLE is one of: networks, access, regex, users, classw, rbl.

5.5. What's the syntax of j-chkmail.cf file?

Usually, all options have the syntax: 

NAME        VALUE

Usually, when you define many times of the same option, only the last one will be taken into account. The exceptions to this rule are: FILE_EXT, FILE_REGEX and RBL, where each new definition will be appended to the previous one.

Check default j-chkmail.cf configuration file to get more info.

5.6. What's the syntax of j-nets file?

At this file you may define which host addresses and networks you can trust.

They are four trusted/neighborhood network classes:

The idea is to have less and less privileges in this order:

       LOCAL > DOMAIN > FRIEND

Examples of definitions are: 

	DOMAIN  199.199.199.0   255.255.255.0
	DOMAIN  193.54.199.0/24

	LOCAL   192.168.0.0/16
	LOCAL   10.0.0.0/8

	FRIEND  193.251.0.0     255.255.0.0
	FRIEND  212.198.2.0/24

OBS : Network classes can also be defined at j-policy database, using the NetClass prefix : 

	NetClass:199.199.199	DOMAIN
	NetClass:193.54.199     DOMAIN
	NetClass:192.168	LOCAL
	NetClass:10		LOCAL
	NetClass:193.251	FRIEND
	NetClass:212.198.2	FRIEND

5.7. What's the syntax of j-access file?

      Connect:CVALUE/From:FVALUE/To:TVALUE         VALUE
     
      At least one of "Connect / From" criteria's shall be
      present. If the criteria aren't there, all values match
     
         CVALUE is :
         - LOCAL
         - DOMAIN
         - FRIEND
         - AUTH
         - KNOWN             =     (LOCAL | DOMAIN | FRIEND | AUTH)
         - UNKNOWN           = not (LOCAL | DOMAIN | FRIEND | AUTH)
         - nnn.nnn.nnn.nnn   = IP address
         - nnn.nnn.nnn       = IP C class network
         - nnn.nnn           = IP B class network
         - nnn               = IP A class network
         - *                 = Match everything
     
         FVALUE is something like  (without brackets) :
         - john.smith@example.com
     
      Valid values are :
      - NO_PATTERN_CHECK
      - NO_ORACLE
      - NO_SPAM_CHECK        = (NO_CONTENT_CHECK and NO_ORACLE)
     
      - SPAMTRAP             = Defining Spam Trap
      - CHECK_DOMAIN_ADDRESS
     
      - NO_DNS_RESOLVE_CHECK - not yet implemented - this
                  will allow us to remove j-host-access file
        REM : only the "Connect" part of the key is taken into
              account when using this value

Examples : 

      # SPAM Check
      Connect:KNOWN/From:domain.com           NO_ORACLE
      Connect:1.2.3.4/From:Joe                NO_CONTENT_CHECK 
      Connect:1.2.3.4                         NO_RESOLVE_CHECK
      From:postmaster@                        NO_SPAM_CHECK
      From:example.com                        CHECK_DOMAIN_ADDRESS
      Connect:UNKNOWN/To:spamtrap@domain.com  SPAMTRAP

You'll find more complex examples at the default configuration file.

5.8. What's the syntax of j-regex file?

The syntax is: 

     WHERE       SCORE       REGULAR EXPRESSION

     ANYWHERE      5         viagra
     BODY         10         http://.{,20}porno.{,20}\.biz
     SUBJECT      15         WINNING NOTIFICATION
     HEADER       20         girls

5.9. What's the syntax of j-local-users file ?

5.10. What's the syntax of j-oradata file?

This file allows defining some unwanted objects on usual messages.

Below are default "unwanted objects": 

#
# Adding unwanted...
#
# Syntax:
# TYPE       value
#
# where TYPE = ( CHARSET | BOUNDARY | MAILER | HTML-TAG )
#
MAILER          ^[a-z]+ [a-z]+ [a-z]+[0-9]{4,4}
MAILER          UFOMarketingPro Circulation
MAILER          Advanced Maillist Organizer
 
BOUNDARY        ^--ALT--[A-Z0-9]{14,}
 
HTML-TAG        <iframe[^>]*>
HTML-TAG        <script[^>]*>
HTML-TAG        <form[^>]+action[^>]*>
HTML-TAG        <input[^>]*>
HTML-TAG        <img[^>]+src=[^>]*>
HTML-TAG        <a[^>]+href[^>]+http://[^>]+http://[^>]+>

CHARSET         ^big5$
CHARSET         ^gb18030$
CHARSET         ^gb2312$
CHARSET         ^gbk$
CHARSET         ^big5-hkscs$

You'll find more complex examples at the default configuration file.

5.11. What's the syntax of j-xfiles file ?

#
# X-FILES definition
#
#
#  Syntax :
#  MIME;conditions   FILENAME
# where
#  MIME       ::=    ( [!]MIMETYPE | ALL [;sizeof=min,max] )
#  FILENAME   ::=    (regular expression | TAG)
#  TAG        ::=    ( DEFAULT | TNEF | CLSID )

 
# Examples :
#
# All zip files whose mime type is different from x-zip-compressed
!x-zip-compressed       \.zip$
#
# All zip files which filename (without extension)
# is less than 16 characters long
ALL                     ^.{0,15}\.zip$
# All messages with attached zip files, whose size
# is smaller than 250000 bytes
ALL;size=0,250000     \.zip$
#
#
# To get default behaviour and also reject CLSID
# and TNEF files, and RFC2046 partial messages, add :
 
# default behaviour
ALL                   DEFAULT
 
# TNEF
ALL                   TNEF
 
# CLSID
ALL                   CLSID
 
# RFC 2046 tricky messages
message/partial       ALL
message/external      ALL

5.12. What's the syntax of j-error-file file?

This file contains the replacement message to send to sender/recipients when an X-File or a Virus is found at the message.

The message content is bounded by the tags <XFILE>, <VIRUS> or <POLICY>.

Inside the message, you can use any one of these variables, whose value will replace the template line containing the variable.

5.13. How can I recreate a clean configuration file?

There are two ways to recreate a clean configuration file.

Launch j-chkmail -n to get one clean configuration file with the default options.

Launch j-chkmail -m to get one clean configuration file with current runtime options.

5.14. How do I update configuration file after updating j-chkmail version ?

After you compile new j-chkmail version, you can launch it *before installation* with the command : 

$ src/j-chkmail -m > j-chkmail.cf.new

to see how new j-chkmail version will interpret old configuration file. You shall edit j-chkmail.cf.new to meet your configuration wishes, and replace old configuration file with the new one.

5.15. What type of socket shall I choose to do filter/sendmail communications: inet or local ?

inet sockets are simple to manage - the listening socket disappears when the daemon terminates, but connections take much longer to completely shutdown: For example - 1 to 4 minutes (TCP protocol timeouts).

local sockets management is a little bit more complicated, as they may remain in the file system even if the application or the server crashes. So, each time you launch the filter, you need to manage old sockets. But they're much faster.

local sockets are much faster and you should prefer this kind of socket if performance is an issue.

5.16. How to create j-urlbl.db (URL database) - Version 1.7 and newers

When you install j-chkmail, two files will be installed at /etc/mail/jchkmail directory :

You should probably launch this file by cron twice a day. But before doing that, you shall try it by hand to be sure everything is working file.

IMPORTANT - get-urlbl makes use of rsync. You shall install it if your system doesn't have it. You can get it at http://rsync.samba.org/. Some OS bundled versions of rsync may not have the same syntax used by get-urlbl. You can adapt this script or install above version of rsync.

5.17. How to create j-policy.db (policy database) - Version 1.8 and newers

You need to create the text file with your rules : /etc/mail/jchkmail/j-policy, and define it to /etc/mail/jchkmail/Makefile.db : 

    $ more Makefile.db
    ...
    OBJ = j-urlbl.db j-policy.db
    ...

If you've already configured your system to automatically get URL database from our site, the policy database will be automatically updated. To force database update, you may launch : 

    # make -f Makefile.db
    /usr/bin/j-makemap -b j-policy.db -m e < j-policy.txt
    * Total :     68 records read
                  67 records added
                   0 errors
    #

HINT :j-policy.txt is composed of entries from a common part (which are valid for all sites using j-chkmail) and other entries which are valid only for your site. The common part can be found at j-chkmail distribution or at j-chkmail web site. Instead of using a single big file, you can use smaller files and concatenate them. At /etc/mail/jchkmail/Makefile.db, you'll have to define : 


POLICYSRC = j-policy.grey.txt j-policy.badmx.txt j-policy.site.txt

j-policy.txt : $(POLICYSRC)
        cat  $(POLICYSRC) > $@

if you're using GNU make, you can replace POLICYSRC line by : 

POLICYSRC = $(wildcard j-policy.*.txt)

When using Sun make, the same results are got with : 

POLICYSRC:sh =ls j-policy.*.txt

This way, you can add or remove files without modifying Makefile, provided their filename follows the rule j-policy.*.txt.

5.18. What's the syntax of j-urlbl.txt file ?

The syntax is : 

     URLBL:domain                  value

     URLBL:123-good-health.com     20:1096537749:127.2.0.1:j-chkmail
Where domain is the domain part of the hostname of some URL, and value is a set of values separed by ":". These values are :
  • The score of this entry
  • The date this entry was added (seconds since epoch)
  • An IP code for this entry at the BL
  • The name of the blacklist this entry comes from

5.19. What's the content of j-policy.txt file ?

Beginning with j-chkmail release 1.8, many configuration data is being moved to j-policy database. The idea is almost the same of sendmail access database.

Roughly speaking, most data which may be vary depending on the situation, and may be defined with a couple (key, value) will be put in this database.

Tipically, data in this file are :

  • Limits associated to some parameters, e.g., maximum connection rate allowed for some IP networks or domains, or the class to be associated to some IP network.
  • Actions associated to some bad situations, e.g., reply codes when the domain part of the sender address is unreacheable (BadMX).
  • Access rules or conditions allowing to evaluate if some check shall be done, e.g., entries allowing to check if some message shall be checked against viruses. This kind of data may have three kind of keys (Connect, From, To), as some situations need to combine all these three values to define the rule.

5.20. What's the syntax of j-policy.txt file ?

The syntax of this file is very simple but flexible and strong. It's idea is very similar to that found at sendmail access database. At the moment, all possibilities aren't yet exploited.

It's syntax is : 

   Tag:Key          Value
where,
  • Tag - is the kind of information we're looking for.
  • Key - is the key of the information
  • Value - is the value associated with the Tag and Key

An example of already implemented kind of entries follows : 

     CtrlChan:DEFAULT           REJECT
     CtrlChan:127.0.0.1         OK
     CtrlChan:194.21.16.16      OK
     #
     ConnRate:DEFAULT           15
     ConnRate:127.0.0.1         1000
     ConnRate:LOCAL             500
     ConnRate:DOMAIN            300
     #
     NetClass:199.199.123       DOMAIN
     NetClass:192.168           LOCAL
     #
     BadMX:192.168              ERROR:421:4.5.1:DNS problems... Try later !
     BadMX:192.168.128.200      OK
     BadMX:saveinternet.net     ERROR:421:4.5.1:Too busy now... Try later !
     #
     ReplyMsg:TOO_MUCH_BADRCPT  *** Harvesting ???

5.21. How key values are matched against database entries ?

There are three cases : IP addresses, host names and e-mail addresses.

Matching logic is : 

   if (key is e-mail)
     query full key
     if found return result
   end if

   extract domain part
   if (domain part is IP address)
     query IP address and network addresses
     if found return best matching result
   else 
     query domains and sub domains
     if found return best matching result
   end if

   if (key is e-mail)
     query user part
     if found return result
   end if

   query default value
   if found return result

5.22. How are triplets access rules evaluated from j-policy database ?

When used with triplets, the tags will have three values : prefixConnect, prefixFrom, and prefixTo.

The function used to evaluate the access function uses four parameters :

  • Client IP address - used with Connect prefix
  • Client hostname - used with Connect prefix
  • Enveloppe From address - used with From prefix
  • Enveloppe To Address - used with To prefix
The client hostname is used only when the IP address isn't found.

Values which may be associated to each entry are : YES, NO, YES-QUICK and NO-QUICK.

When YES-QUICK or NO-QUICK are found, evaluation stops immediately.

Databases entries keys are formed as follows : 

    prefix + Connect + : + IP           -> GreyCheckConnect:1.2.3           YES
    prefix + Connect + : + Hostname     -> GreyCheckConnect:yahoo.com       NO
    prefix + From    + : + From address -> GreyCheckFrom:joe@j-chkmail.org  YES-QUICK
    prefix + To      + : + To address   -> GreyCheckTo:joe@                 NO

The evaluation algorithm looks like 

  result = NO
  if queryDatabase(prefix, "Connect", IP, &value)
    result = value
    if result == YES-QUICK  return YES
    if result == NO-QUICK   return NO
  else
    if queryDatabase(prefix, "Connect", Hostname, &value)
      result = value
      if result == YES-QUICK  return YES
      if result == NO-QUICK   return NO
    else
      if queryDatabase(prefix, "Connect", "DEFAULT", &value)
        result = value
        if result == YES-QUICK  return YES
        if result == NO-QUICK   return NO
      endif
    endif
  endif
      
  if queryDatabase(prefix, "From", From, &value)
    result = value
    if result == YES-QUICK  return YES
    if result == NO-QUICK   return NO
  else
    if queryDatabase(prefix, "From", "DEFAULT", &value)
      result = value
      if result == YES-QUICK  return YES
      if result == NO-QUICK   return NO
    endif
  endif

  if queryDatabase(prefix, "To", To, &value)
    result = value
     if result == YES-QUICK  return YES
     if result == NO-QUICK   return NO
   else
     if queryDatabase(prefix, "To", DEFAULT, &value)
       result = value
       if result == YES-QUICK  return YES
       if result == NO-QUICK   return NO
     endif
  endif

  if result == YES-QUICK  result = YES
  if result == NO-QUICK   result =  NO

  return result

5.23. Does j-chkmail use environnement variables and how can I define them ?

Yes ! Since version 1.7, j-chkmail can use some environnement variables, if they are defined. Variables defined at environnement overrides values defined as command line options or configuration file.

Here is a list of variables. This list will be augmented for each new release.

  • JCHKMAIL_LOG_LEVEL - this corresponds to the LOG_LEVEL configuration variable
  • MILTER_DEBUG_LEVEL - this corresponds to the libmilter library log level
  • JCHKMAIL_SOCKET - this corresponds to the SOCKET configuration variable - the communication socket between sendmail and j-chkmail
  • DB_CACHE_SIZE - this corresponds to the memory amount dedicated to database cache (per database).
  • FILE_EXT - this corresponds to the the file extensions used to define XFILES.

To define environnement variables you can put them at environnement, if you're launching j-chkmail by hand, or depending on your operating system, you can define them at some file read before launching j-chkmail. Usual files are : /etc/default/jchkmail or /etc/sysconfig/jchkmail. An exemple of the contents of this file is : 

  #
  JCHKMAIL_LOG_LEVEL=10
  #
  FILE_EXT="exe pif zip cpl"
  #
  JCHKMAIL_SOCKET=unix:/var/tmp/jchkmail.sock

5.24. What's the content of j-rcpt.txt file ?

This file is used to define recipient access (both local and remote recipients). Recipient access means :

  • Valid recipients
  • Spam traps
  • Recipients accepting messages only from local networks

5.25. What's the syntax of j-rcpt.txt file, and how do I fill it ?

There are two kind of records :

  • Domain records - These records allow you to configure for which domains you want to do recipient access. Syntax for these entries are as follows : 
    	CheckRcptDomain:KEY		VALUE
    KEY may be something like domain.com or .domain.com. The first entry matches only domain.com and the second one matches all subdomains of domain.com.

    VALUE may be one of :

    • NO - No check for this domain
    • YES - Access check will be done for this domain.
    • LOCAL - Access check will be done for this domain, for the full address and for the recipient part only. This option is useful if you're checking user access for many domains and the same user exists in all domains. This option is useful if you're lazy and you absolutely know what you're doing.
    • REJECT - All messages for this domain will be rejected.

  • Recipient records - These records allow you to configure access for each recipient.

    • OK - This is a normal recipient
    • REJECT - Reject all messages for this recipient
    • SPAMTRAP - This is a fake recipient
    • IGNORE - This is a normal recipient, but don't apply any other filtering check at this SMTP command step : filtering will be reconducted for this recipient, for DATA content.
    • LOCAL-NET - Accept messages for this recipient only if the connection comes from the LOCAL network.
    • DOMAIN-NET - Accept messages for this recipient only if the connection comes from a LOCAL or DOMAIN network..
    • FRIEND-NET - Accept messages for this recipient only if the connection comes from a LOCAL or DOMAIN or FRIEND network.
    • KNOWN-NET - Accept messages for this recipient only if the connection comes from any defined and known network.
    • USER-UNKNOWN - This is an unknown or inexistent recipient.

5.26. How can I get the list of valid addresses and how to convert it to j-rcpt.txt format ?


	#! /bin/sh

	cp /dev/null j-rcpt.base.txt

	getent passwd | awk '{print $1}' >> j-rcpt.base.txt

	for db in /etc/mail/aliases*.db
        do
	  makemap -u hash $db | awk '{printf "RcptAccess:%s OK\n", $1}' >> j-rcpt.base.txt
	done

	db=/etc/mail/virtusertable.db
        makemap -u hash $db | awk '{printf "RcptAccess:%s OK\n", $1}' >> j-rcpt.base.txt

5.27. Give me some examples of j-rcpt.txt content !

  1. Checking access for local users. This kind of configuration is useful when it's possible to enumerate all valid users. 

    # Check recipient access for domain.com ...
CheckRcptDomain:domain.com               LOCAL
#
# ... and for all sub domains of this domain
CheckRcptDomain:.domain.com              LOCAL
#
# default is "Unknown user" if not defined
RcptAccess:domain.com                    USER-UNKNOWN
#
# toto exists in domain.com and all sub domains
RcptAccess:toto@                         OK
#
# titi exists only in domain.com
RcptAccess:titi@domain.com               OK
#
# this is a spamtrap
RcptAccess:spam@domain.com               SPAMTRAP
#
# accept messages for everybody only if the connection comes from a known network
RcptAccess:everybody@domain.com          KNOWN-NET

  2. Checking recipient access for some users of some directions. This configuration is useful when it isn't possible to list all valid users. 

    #
CheckRcptDomain:domain.com               YES
#
# default access is "OK"
RcptAccess:domain.com                    OK
#
# this is a spamtrap
RcptAccess:spam@domain.com               SPAMTRAP
#
# accept messages for everybody only if the connection comes from a known network
RcptAccess:everybody@domain.com          KNOWN-NET


Maintainers : Jose-Marcio Martins da Cruz
Last modified: Mon Nov 12 15:53:59 CET 2007
Generated with bristol2html - Copyright 2003 - Ecole des Mines de Paris