.TH qmail-smtpd 8
.SH NAME
qmail-smtpd \- receive mail via SMTP
.SH SYNOPSIS
.B qmail-smtpd
.SH DESCRIPTION
.B qmail-smtpd
receives mail messages via the Simple Mail Transfer Protocol (SMTP)
and invokes
.B qmail-queue
to deposit them into the outgoing queue.
.B qmail-smtpd
must be supplied several environment variables;
see
.BR tcp-environ(5) .

If the environment variable
.B SMTPS
is non-empty,
.B qmail-smtpd
starts a TLS session (to support the deprecated SMTPS protocol,
normally on port 465). Otherwise,
.B qmail-smtpd
offers the STARTTLS extension to ESMTP.

.B qmail-smtpd
is responsible for counting hops.
It rejects any message with 100 or more
.B Received
or
.B Delivered-To
header fields.

.B qmail-smtpd
supports ESMTP, including the 8BITMIME, DATA, PIPELINING, SIZE, and AUTH options.
.B qmail-smtpd
includes a \'MAIL FROM:\' parameter parser and obeys \'Auth\' and \'Size\' advertisements.
.B qmail-smtpd
can accept LOGIN, PLAIN, and CRAM-MD5 AUTH types. It invokes
.IR checkprogram ,
which reads on file descriptor 3 the username, a 0 byte, the password
or CRAM-MD5 digest/response derived from the SMTP client,
another 0 byte, a CRAM-MD5 challenge (if applicable to the AUTH type),
and a final 0 byte.
.I checkprogram
invokes
.I subprogram
upon successful authentication, which should in turn return 0 to
.BR qmail-smtpd ,
effectively setting the environment variables $RELAYCLIENT and $TCPREMOTEINFO
(any supplied value replaced with the authenticated username).
.B qmail-smtpd
will reject the authentication attempt if it receives a nonzero return
value from
.I checkprogram
or
.IR subprogram .
.SH TRANSPARENCY
.B qmail-smtpd
converts the SMTP newline convention into the UNIX newline convention
by converting CR LF into LF.
It returns a temporary error and drops the connection on bare LFs;
see
.BR http://pobox.com/~djb/docs/smtplf.html .

.B qmail-smtpd
accepts messages that contain long lines or non-ASCII characters,
even though such messages violate the SMTP protocol.
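.PP
The file descriptor 3 input described under DESCRIPTION, as seen from the
.I checkprogram
side. This is an added example, not code from qmail or from any particular checkpassword implementation; the function and struct names are hypothetical, the sample triple is constructed, and it assumes the challenge field is simply empty for LOGIN and PLAIN.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The three fields, in the order the man page lists them.
 * Pointers alias the caller's buffer; nothing is copied. */
struct auth_fields {
    const char *user;
    const char *secret;     /* password, or CRAM-MD5 digest/response */
    const char *challenge;  /* assumed empty for LOGIN and PLAIN */
};

/* Split buf[0..len) into three NUL-terminated fields.
 * Returns 0 on success, -1 when a terminator is missing or the
 * username is empty, so the caller can exit nonzero (reject). */
int parse_auth_input(const char *buf, size_t len, struct auth_fields *out)
{
    const char *field[3];
    size_t pos = 0;

    for (int i = 0; i < 3; i++) {
        /* memchr is bounded by len, so a short read cannot run past buf */
        const char *nul = memchr(buf + pos, '\0', len - pos);
        if (nul == NULL)
            return -1;
        field[i] = buf + pos;
        pos = (size_t)(nul - buf) + 1;
    }
    if (field[0][0] == '\0')
        return -1;
    out->user = field[0];
    out->secret = field[1];
    out->challenge = field[2];
    return 0;
}

int main(void)
{
    /* Constructed sample: a CRAM-MD5 style triple; sizeof counts the final NUL */
    static const char sample[] = "alice\0a1b2c3\0<1896.697170952@mx.example>";
    struct auth_fields f;

    if (parse_auth_input(sample, sizeof sample, &f) != 0)
        return 1;   /* nonzero exit: qmail-smtpd rejects the attempt */
    printf("user=%s challenge=%s\n", f.user, f.challenge);
    return 0;
}
```

Rejecting input that lacks the final 0 byte keeps a truncated read from being treated as a complete credential.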
.SH "CONTROL FILES"
.TP 5
.I badhelo
Unacceptable HELO/EHLO host names.
.B qmail-smtpd
will reject every recipient address for a message if
the host name is listed in,
or matches a POSIX regular expression pattern listed in,
.IR badhelo .
If the
.B NOBADHELO
environment variable is set, then the contents of
.IR badhelo
will be ignored.
For more information, please have a look at doc/README.qregex.
.TP 5
.I badmailfrom
Unacceptable envelope sender addresses.
.B qmail-smtpd
will reject every recipient address for a message
if the envelope sender address is listed in,
or matches a POSIX regular expression pattern listed in,
.IR badmailfrom .
A line in
.I badmailfrom
may be of the form
.BR @\fIhost ,
meaning every address at
.IR host .
For more information, please have a look at doc/README.qregex.
.TP 5
.I badmailfromnorelay
Functions the same as the
.IR badmailfrom
control file but is read only if the
.B RELAYCLIENT
environment variable is not set.
For more information, please have a look at doc/README.qregex.
.TP 5
.I badmailto
Unacceptable envelope recipient addresses.
.B qmail-smtpd
will reject every recipient address for a message if the recipient address
is listed in,
or matches a POSIX regular expression pattern listed in,
.IR badmailto .
For more information, please have a look at doc/README.qregex.
.TP 5
.I badmailtonorelay
Functions the same as the
.IR badmailto
control file but is read only if the
.B RELAYCLIENT
environment variable is not set.
For more information, please have a look at doc/README.qregex.
.TP 5
.I clientca.pem
A list of Certifying Authority (CA) certificates that are used to verify
the client-presented certificates during a TLS-encrypted session.
.TP 5
.I clientcrl.pem
A list of Certificate Revocation Lists (CRLs). If present it
should contain the CRLs of the CAs in
.I clientca.pem
and client certs will be checked for revocation.
.TP 5
.I databytes
Maximum number of bytes allowed in a message,
or 0 for no limit.
Default: 0.
If a message exceeds this limit,
.B qmail-smtpd
returns a permanent error code to the client;
in contrast, if
the disk is full or
.B qmail-smtpd
hits a resource limit,
.B qmail-smtpd
returns a temporary error code.
.I databytes
counts bytes as stored on disk, not as transmitted through the network.
It does not count the
.B qmail-smtpd
Received line, the
.B qmail-queue
Received line, or the envelope.
If the environment variable
.B DATABYTES
is set, it overrides
.IR databytes .
.TP 5
.I dh1024.pem
If these 1024 bit DH parameters are provided,
.B qmail-smtpd
will use them for TLS sessions instead of generating one on-the-fly
(which is very time-consuming).
.TP 5
.I dh512.pem
512 bit counterpart for
.B dh1024.pem.
.TP 5
.I localiphost
Replacement host name for local IP addresses.
Default:
.IR me ,
if that is supplied.
.B qmail-smtpd
is responsible for recognizing dotted-decimal addresses for the
current host.
When it sees a recipient address of the form
.IR box@[d.d.d.d] ,
where
.I d.d.d.d
is a local IP address,
it replaces
.IR [d.d.d.d]
with
.IR localiphost .
This is done before
.IR rcpthosts .
.TP 5
.I morercpthosts
Extra allowed RCPT domains.
If
.I rcpthosts
and
.I morercpthosts
both exist,
.I morercpthosts
is effectively appended to
.IR rcpthosts .
You must run
.B qmail-newmrh
whenever
.I morercpthosts
changes.
Rule of thumb for large sites:
Put your 50 most commonly used domains into
.IR rcpthosts ,
and the rest into
.IR morercpthosts .
.TP 5
.I rcpthosts
Allowed RCPT domains.
If
.I rcpthosts
is supplied,
.B qmail-smtpd
will reject
any envelope recipient address with a domain not listed in
.IR rcpthosts .
Exception:
If the environment variable
.B RELAYCLIENT
is set,
.B qmail-smtpd
will ignore
.IR rcpthosts ,
and will append the value of
.B RELAYCLIENT
to each incoming recipient address.
.I rcpthosts
may include wildcards:
.EX
   heaven.af.mil
   .heaven.af.mil
.EE
Envelope recipient addresses without @ signs are
always allowed through.
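.IP
The
.I rcpthosts
decision described above, written out as a relay-control check. This is an added example, not qmail's own source: the function name and sample addresses are hypothetical, entries are assumed to be stored in lower case, and it reads the leading-dot entry as covering subdomains only, which is why the sample lists both forms.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Returns 1 if the envelope recipient is accepted, 0 if rejected.
 * list/n:      entries of rcpthosts (morercpthosts is not modelled)
 * relayclient: value of $RELAYCLIENT, or NULL when it is unset */
int rcpt_allowed(const char *addr, const char *const *list, size_t n,
                 const char *relayclient)
{
    if (relayclient != NULL)
        return 1;               /* RELAYCLIENT set: rcpthosts is ignored */

    const char *at = strrchr(addr, '@');
    if (at == NULL)
        return 1;               /* no @ sign: always allowed through */

    /* Try the whole domain, then every suffix that starts at a dot, so
     * ".heaven.af.mil" covers subdomains but not "heaven.af.mil" itself. */
    for (const char *p = at + 1; p != NULL && *p != '\0'; p = strchr(p + 1, '.'))
        for (size_t i = 0; i < n; i++)
            if (strcasecmp(p, list[i]) == 0)
                return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample list: the two entries shown in the man page */
    const char *const hosts[] = { "heaven.af.mil", ".heaven.af.mil" };
    const char *const rcpts[] = { "joe@heaven.af.mil", "joe@mx.heaven.af.mil",
                                  "joe@notheaven.af.mil", "postmaster" };
    for (size_t i = 0; i < sizeof rcpts / sizeof rcpts[0]; i++)
        printf("%-24s %s\n", rcpts[i],
               rcpt_allowed(rcpts[i], hosts, 2, NULL) ? "accept" : "reject");
    return 0;
}
```

A host whose environment sets RELAYCLIENT for every connection skips this check entirely, so the variable should only be set for clients that are meant to relay.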
.TP 5
.I rsa512.pem
If this 512 bit RSA key is provided,
.B qmail-smtpd
will use it for TLS sessions instead of generating one on-the-fly.
.TP 5
.I servercert.pem
SSL certificate to be presented to clients in
TLS-encrypted sessions. Should contain both the certificate
and the private key. Certifying Authority (CA) and
intermediate certificates can be added at the end of the file.
.TP 5
.I smtpgreeting
SMTP greeting message.
Default:
.IR me ,
if that is supplied;
otherwise
.B qmail-smtpd
will refuse to run.
The first word of
.I smtpgreeting
should be the current host's name.
.TP 5
.I timeoutsmtpd
Number of seconds
.B qmail-smtpd
will wait for each new buffer of data from the remote SMTP client.
Default: 1200.
.TP 5
.I spfbehavior
Set to a value between 1 and 6 to enable SPF checks; 0 to disable.
1 selects 'annotate-only' mode, where
.B qmail-smtpd
will annotate incoming email with
.B Received-SPF
fields, but will not reject any messages.
2 will produce temporary failures on DNS lookup problems so you can make
sure you always have meaningful Received-SPF headers.
3 selects 'reject' mode,
where incoming mail will be rejected if the SPF record says 'fail'.
4 selects a stricter rejection mode, which is like 'reject' mode,
except that incoming mail will also be rejected when the SPF record
says 'softfail'.
5 will also reject when the SPF record says 'neutral', and 6 if
no SPF records are available at all (or a syntax error was encountered).
The contents of this file are overridden by the value of the
.B SPFBEHAVIOR
environment variable, if set.
Default: 0.
.TP 5
.I spfexp
You can add a line with an SPF explanation that will be shown to the sender
in case of a reject. It will override the default one. You can use SPF macro
expansion.
.TP 5
.I spfguess
You can add a line with SPF rules that will be checked if a sender
domain doesn't have an SPF record. The local rules will also be used
in this case.
.TP 5
.I spfrules
You can add a line with SPF rules that will be checked before other SPF
rules would fail. This can be used to always allow certain machines to
send certain mails.
.TP 5
.I spamt
The spam throttle parameters file. See
.BR qmail-newst (8)
and
.BR qmail-spamt (5)
for details.
.TP 5
.I tlsclients
A list of email addresses. When relay rules would reject an incoming message,
.B qmail-smtpd
can allow it if the client presents a certificate that can be verified against
the CA list in
.I clientca.pem
and the certificate email address is in
.IR tlsclients .
.TP 5
.I tlsserverciphers
A set of OpenSSL cipher strings. Multiple ciphers contained in a
string should be separated by a colon. If the environment variable
.B TLSCIPHERS
is set to such a string, it takes precedence.
.SH "SEE ALSO"
tcp-env(1),
tcp-environ(5),
qmail-control(5),
qmail-spamt(5),
qmail-spamthrottle(5),
qmail-inject(8),
qmail-newmrh(8),
qmail-newst(8),
qmail-queue(8),
qmail-remote(8)