[milter] # the socket used to communicate with sendmail. Must match sendmail.cf socket=/var/run/milter/pythonsock # where to save original copies of defanged and failed messages tempdir = /var/log/milter/save # how long to wait for a response from sendmail before giving up ;timeout=600 log_headers = 0 # connection ips and hostnames are matched against this glob style list # to recognize internal senders. ;internal_connect = 192.168.*.*,127.* # mail that is not an internal_connect and claims to be from an # internal domain is rejected. Furthermore, internal mail that # does not claim to be from an internal domain is rejected. # You should enable SPF instead if you can. SPF is much more comprehensive and # flexible. However, SPF is not currently checked for outgoing # (internal_connect) mail because it doesn't yet handle authorizing # internal IPs locally. ;internal_domains = mycorp.com,localhost.localdomain # connections from a trusted relay can trust the first Received header # SPF checks are bypassed for internal connections and trusted relays. ;trusted_relay = 1.2.3.4, 66.12.34.56 # Reject external senders with hello names no legit external sender would use. # SPF will do this also, but listing your own domain and mailserver here # will save some DNS lookups when rejecting certain viruses. ;hello_blacklist = mycorp.com, 66.12.34.56 # Reject mail for domains mentioned unless user is mentioned here also ;check_user = joe@mycorp.com, mary@mycorp.com, file:bigcorp.com # features intended to filter or block incoming mail [defang] # do virus scanning on attached messages also scan_rfc822 = 1 # do virus scanning on attached zipfiles also scan_zip = 0 # Comment out scripts in HTML attachments. Can be CPU intensive. scan_html = 0 # reject messages with asian fonts because we can't read them block_chinese = 1 # list users who hate forwarded mail ;block_forward = egghead@mycorp.com, busybee@mycorp.com # reject mail with these case insensitive strings in the subject porn_words = penis, breast, pussy, horse cock, porn, xenical, diet pill, d1ck, vi*gra, vi-a-gra, viag, tits, p0rn, hunza, horny, sexy, c0ck, xanaax, p-e-n-i-s, hydrocodone, vicodin, xanax, vicod1n, x@nax, diazepam, v1@gra, xan@x, cialis, ci@lis, frëe, xănax, valíum, vălium, via-gra, x@n3x, vicod3n, penís, c0d1n, phentermine, en1arge, dip1oma, v1codin, valium, rolex, sexual, fuck, adv1t # reject mail with these case sensitive strings in the subject spam_words = $$$, !!!, XXX, FREE, HGH # attachments with these extensions will be replaced with a warning # message. A copy of the original will be saved. banned_exts = ade,adp,asd,asx,asp,bas,bat,chm,cmd,com,cpl,crt,dll,exe,hlp,hta, inf,ins,isp,js,jse,lnk,mdb,mde,msc,msi,msp,mst,ocx,pcd,pif,reg,scr,sct, shs,url,vb,vbe,vbs,wsc,wsf,wsh # See http://bmsi.com/python/pysrs.html for details [srs] config=/etc/mail/pysrs.cfg # SRS options can be set here also, but must match the sendmail plugin ;secret="shhhh!" ;maxage=21 ;hashlength=4 ;database=/var/log/milter/srsdata ;fwdomain = mydomain.com # turn this on after a grace period to reject spoofed DSNs reject_spoofed = 0 # Many braindead MTAs send DSNs with a non-DSN MFROM (e.g. to report that # some virus claiming to be sent by you). This heuristic # refuses mail from user names commonly abused in that way. ;banned_users = postmaster, mailer-daemon, clamav # See http://spf.pobox.com for more info on SPF. [spf] # namespace where SPF records can be supplied for domains without one # records are searched for under _spf.domain.com ;delegate = domain.com # domains where a neutral SPF result should cause mail to be rejected ;reject_neutral = aol.com # use a default (v=spf1 a/24 mx/24 ptr) when no SPF records are published ;best_guess = 0 # Reject senders that have neither PTR nor valid HELO nor SPF records, or send # DSN otherwise ;reject_noptr = 0 # always accept softfail from these domains, or send DSN otherwise ;accept_softfail = bounces.amazon.com # Treat fail from these domains like softfail: because their SPF record # or an important sender is screwed up. Must have valid HELO, however. ;accept_fail = custhelp.com # Use sendmail access map or similar format for detailed spf policy. # SPF entries in the access map will override any defaults set above. ;access_file = /etc/mail/access.db # Add MAIL FROM as Sender when Sender is missing and From domain # doesn't match MAIL FROM. Outlook and other email clients will then display # something like: "Sent by sender@domain.com on behalf of from@example.com" ;supply_sender = 0 # features intended to clean up outgoing mail [scrub] # domains that block visible private nodes ;hide_path = jcpenney.com # reject, don't just replace with warning, viruses from these domains ;reject_virus_from = mycorp.com # features intended for spying on users and coworkers [wiretap] blind = 1 # # wiretap lets you surreptitiously monitor a users outgoing email # (sendmail aliases let you monitor incoming mail) # ;users = disloyal@bigcorp.com, bigmouth@bigcorp.com # multiple destinations can use smart_alias ;dest = spy@bigcorp.com # discard outgoing mail without alerting sender # can be used in conjunction with wiretap to censor outgoing mail ;discard_users = canned@bigcorp.com # # smart aliases trigger on both sender and recipient # ;smart_alias = copycust,walter,spy1,spy2 # multiple wiretap monitors ;spy1 = disloyal@bigcorp.com,spy@bigcorp.com ;spy2 = bigmouth@bigcorp.com,spy@bigcorp.com # mail from client@clientcorp.com to sue@bigcorp.com is redirected to # local alias copycust ;copycust = client@clientcorp.com,sue@bigcorp.com # mail from cust@othercorp.com to walter@bigcorp.com is redirected to # boss@bigcorp.com ;walter = cust@othercorp.com,walter@bigcorp.com,boss@bigcorp.com # additional copies can be added ;walter1 = cust@othercorp.com,walter@bigcorp.com,boss@bigcorp.com, ; walter@bigcorp.com ;bulk = soruce@telex.com,bob@jsconnor.com ;bulk = soruce@telex.com,larry@jsconnor.com # See http://bmsi.com/python/dspam.html [dspam] # Select a well moderated dspam dictionary to reject spammy headers. # To filter on the entire message, use the full setup below. # only EXTERNAL messages are dspam filtered ;dspam_dict=/var/lib/dspam/moderator.dict # Recipients of mail sent from these senders are added to the auto_whitelist. # Auto_whitelisted senders with an SPF PASS are never rejected by dspam, and # messages from auto_whitelisted senders will be used to train screener # dictionaries as innocent mail. ;whitelist_senders = @mycorp.com # Opt-out recipients entirely from dspam screening and header triage ;dspam_exempt=getitall@mycorp.com # Do not scan mail (ostensibly) from these senders ;dspam_whitelist=getitall@sender.com # Reject spam to these domains instead of quarantining it. ;dspam_reject=othercorp.com # Scan internal mail - often a good source of stats on legit mail. ;dspam_internal=1 # directory for dspam user quarantine, signature db, and dictionaries # defining this activates the dspam application # dspam and dspam-python must be installed ;dspam_userdir=/var/lib/dspam # do not dspam messages larger than this ;dspam_sizelimit=180000 # Map email addresses and aliases to dspam users ;dspam_users=david,goliath,spam,falsepositive ;david=david@foocorp.com,david.yelnetz@foocorp.com,david@bar.foocorp.com ;goliath=giant@foocorp.com,goliath.philistine@foocorp.com # address to forward spam to. milter will process these and not deliver ;spam=spam@foocorp.com # address to forward false positives to. milter will process and not deliver ;falsepositive=ham@foocorp.com # account which receives only spam: all received messages are marked as spam. ;honeypot=spam-me@example.com # the dspam_screener is a list of dspam users who screen mail for all # recipients who are not dspam_users. Spam goes to the screeners quarantine, # and the original recipients are saved so that false positives can be properly # delivered. ;dspam_screener=david,goliath # The dspam CGI can also be used: logins must match dspam users