author: Gilles Chehade <gilles@cvs.openbsd.org> 2019-08-11 13:57:38 +0000
committer: Gilles Chehade <gilles@cvs.openbsd.org> 2019-08-11 13:57:38 +0000
commit: 80c6e19f791a1ad40dba0d13995ff8062209ba8b (patch)
tree: 63eda4a0f17fcc3572618bf769e2b379a20167b4
parent: ff96dfd5ec52f665d71ba9cf419764a2df89b4d6 (diff)
start documenting the builtin filters
-rw-r--r-- usr.sbin/smtpd/smtpd.conf.5 | 103
1 file changed, 99 insertions, 4 deletions
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index c5580bba752..8605fc91e2b 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.215 2019/08/10 18:11:52 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.216 2019/08/11 13:57:37 gilles Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
-.Dd $Mdocdate: August 10 2019 $
+.Dd $Mdocdate: August 11 2019 $
.Dt SMTPD.CONF 5
.Os
.Sh NAME
@@ -329,11 +329,41 @@ or set using either
or using the
.Ic hostname
directive.
-.It Ic filter Ar name Ic proc\-exec Ar command
+.It Ic filter Ar filter\-name Ic phase Ar phase\-name Ic match Ar conditions Ic disconnect Ar message
+Register builtin filter
+.Ar filter\-name
+matching
+.Ar conditions
+to disconnect session with
+.Ar message .
+Phase and matching conditions are documented in a specific section,
+see
+.Sx BUILTIN FILTERING .
+.It Ic filter Ar filter\-name Ic phase Ar phase\-name Ic match Ar conditions Ic reject Ar message
+Register builtin filter
+.Ar filter\-name
+matching
+.Ar conditions
+to reject session with
+.Ar message .
+Phase and matching conditions are documented in a specific section,
+see
+.Sx BUILTIN FILTERING .
+.It Ic filter Ar filter\-name Ic phase Ar phase\-name Ic match Ar conditions Ic rewrite Ar value
+Register builtin filter
+.Ar filter\-name
+matching
+.Ar conditions
+to rewrite phase parameter with new
+.Ar value .
+Phase and matching conditions are documented in a specific section,
+see
+.Sx BUILTIN FILTERING .
+.It Ic filter Ar filter\-name Ic proc\-exec Ar command
Register and execute
.Qq proc
filter
-.Ar name
+.Ar filter\-name
from
.Ar command .
.It Ic include Qq Ar pathname
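Review bot: the `reject` entry in this hunk says the filter is registered "to reject session with .Ar message", but the new BUILTIN FILTERING subsection in the next hunk defines `reject` as "the command is rejected with message" and reserves ending the session for `disconnect`; the entry should say "to reject the command with" so the two descriptions agree. The three new `.It` entries also each repeat the same three-line pointer ("Phase and matching conditions are documented in a specific section, see .Sx BUILTIN FILTERING ."); one pointer after the last of the three entries would keep future wording changes to a single place. Minor grammar in the same lines: "disconnect session with" and "reject session with" read better as "disconnect the session with" / "reject the command with".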
@@ -793,6 +823,71 @@ pairs.
The table must contain at least one key-value pair and may declare
multiple pairs as a comma-separated (whitespace optional) list.
.El
+.Ss BUILTIN FILTERING
+In a regular workflow,
+.Xr smtpd 8
+may accept or reject a message based only on the content of envelopes.
+Its decisions are about the handling of the message,
+not about the handling of an active session.
+.Pp
+Filtering extends the decision making process by allowing
+.Xr smtpd 8
+to stop at each phase of an SMTP session,
+check that conditions are met,
+then decide if a session is allowed to move forward.
+.Pp
+With filtering,
+a session may be interrupted at any phase before an envelope is complete.
+A message may also be rejected after being submitted,
+disregarding if the envelope was accepted or not.
+.Pp
+The following phases are currently supported:
+.Bl -column mail\-from -offset indent
+.It connect Ta upon connection, before a banner is displayed
+.It helo Ta after HELO command is submitted
+.It ehlo Ta after EHLO command is submitted
+.It mail\-from Ta after MAIL FROM command is submitted
+.It rcpt\-to Ta after RCPT TO command is submitted
+.It data Ta after DATA command is submitted
+.It commit Ta after message is fully is submitted
+.El
+.Pp
+At each phase,
+multiple criterias may be checked:
+.Bl -column XXXXXXXXXXXXXXXXXXXXX -offset indent
+.It fcrdns Ta forward-confirmed reverse DNS is valid
+.It rdns Ta session has a reverse DNS
+.It rdns Pf < Ar table Ns > Ta session has a reverse DNS in table
+.It src Pf < Ar table Ns > Ta source address is in table
+.It helo Pf < Ar table Ns > Ta helo name is in table
+.It mail\-from Pf < Ar table Ns > Ta sender address is in table
+.It rcpt\-to Pf < Ar table Ns > Ta recipient address is in table
+.El
+.Pp
+All criterias from previous phases are available to subsequent phases,
+so while the helo criteria is not available before the helo or ehlo phase,
+the fcrdns criteria is available in all phases.
+.Pp
+Criterias may all be negated by prefixing them with an exclamation mark:
+.Bl -column XXXXXXXXXXXXXXXXXXXXX -offset indent
+.It ! fcrdns Ta forward-confirmed reverse DNS is invalid
+.El
+.Pp
+Any criteria using a table may indicate that tables hold regex by
+prefixing the table name with the keyword regex.
+.Bl -column XXXXXXXXXXXXXXXXXXXXX -offset indent
+.It helo regex Pf < Ar table Ns > Ta helo name matches a regex in table
+.El
+Finally,
+three decisions may be taken at each phase:
+.Bl -column XXXXXXXXXXXXXXXXXXXXX -offset indent
+.It disconnect Ar message Ta the session is disconnected with message
+.It reject Ar message Ta the command is rejected with message
+.It rewrite Ar value Ta the command parameter is rewritten with value
+.El
+.Pp
+Decisions that involve a message require that the message be RFC valid,
+meaning that they should either start with a 4xx or 5xx status code.
.Ss FORMAT SPECIFIERS
Some configuration directives support expansion of their parameters at runtime.
Such directives (for example
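Review bot: a few wording slips in the new BUILTIN FILTERING subsection should be fixed before the page is rendered: "criterias" (three occurrences) should be "criteria", and "the helo criteria is" / "the fcrdns criteria is" should use the singular "criterion"; the `commit` row reads "after message is fully is submitted" (duplicated "is"); and the closing paragraph "they should either start with a 4xx or 5xx status code" has a stray "either". Structurally, the `.El` that closes the regex example list (after ".It helo regex Pf < Ar table Ns > Ta helo name matches a regex in table") is followed directly by "Finally," with no `.Pp`, unlike every other list in the subsection, so the paragraph break is missing there. The `-column` width strings use `XXXXXXXXXXXXXXXXXXXXX` placeholders while the phase list uses the longest tag (`mail\-from`); using the longest real tag would keep the three lists consistent. Finally, `rewrite` is documented as rewriting "the command parameter", yet `connect` and `data` are listed as phases and neither carries a parameter to rewrite; a sentence stating which phases accept `rewrite` (or what it does at those phases) would remove the ambiguity.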