The following table describes the configuration options in the sample
dp_config.lua file and indicates whether or not the policy is enabled in the default configuration. If an option is dependent upon a configuration module, that module is identified.
enabled column in this table indicates the status of a configuration option after performing the steps described in Enabling the Policy Scripts .
|whitelist||Add any suitable whitelists||ds_core (datasource)|
|early_talker||✓||Configure behavior for early talkers||conntrol|
|fcdns||✓||Perform a FCDNS check|
|concurrent_connection_limits||✓||Set the number of concurrent connections|
|mail_from_domain_validate||✓||Validate the MAIL FROM|
|recipient_validation||Validate recipients. On ‘outbound’ systems disable this option||ds_core (datasource)|
|relay_authorization||Allow SMTP-authenticated users to relay||auth_ds|
|audit_series||✓||A requirement for using any of the audit_series options||inbound_audit|
|audit_series.invalid_smtp_auth||Failed SMTP AUTH limiting||inbound_audit|
|audit_series.connections||✓||Limit the connection rate||inbound_audit|
|audit_series.mailfrom||MAIL FROM rate limiting||inbound_audit|
|audit_series.auth_user||✓||SMTP AUTH user rate limiting||inbound_audit|
|audit_series.invalid_recipients||✓||Set DHA parameters||inbound_audit|
|audit_series.messages||✓||Limit the rate of messages||inbound_audit|
|audit_series.spam_mailfrom||Spam MAIL FROM rate limiting||inbound_audit|
|audit_series.spam||✓||Spam rate limiting||inbound_audit|
|audit_series.virus||✓||Virus rate limiting||antivirus, inbound_audit|
|audit_series.virus_mailfrom||Virus MAIL FROM rate limiting||antivirus, inbound_audit|
|message_size_limits||✓||Set message size limits|
|beik||Enable if you use this scanner||beik|
|commtouch||Enable if you use this scanner||commtouch|
|cloudmark||Enable if you use this scanner||cloudmark|
|antivirus||Enable for virus scanners such as CSAPI||antivirus|
|keyword_filter||Perform a keyword search||ds_core (datasource)|
All policies can be disabled by being commented out in the Lua code. Some policies can also be enabled or disabled using a
msys.dp_config.relay_authorization is disabled—the
check element is set to
false. If you do not enable this policy and you are using the
default_policy.conf file be sure to change the value of relay_hosts. If you leave
false and you use the
default_policy.conf file (where
relay_hosts is set to
( "0.0.0.0/0" )) your MTA is effectively an open relay.
This section classifies the policies enumerated in Table 3.1, “Default policy script status”.
This policy requires customer/senders to authenticate before they are permitted to relay outbound mail. Authentication may be performed against LDAP or a database.
Use of Realtime Blacklists (RBLs) are an efficient way to detect and eliminate spam before the system performs more "expensive" policy like content filtering. Any combination of internally maintained or externally maintained RBLs, such as Spamhaus, can be implemented. This policy loads an RBL, looks up sender and takes appropriate action.
This policy limits how many concurrent connections a given Classless Inter-Domain Routing (CIDR) range may have open. You can apply different maximum concurrent connection limits based on defined CIDR blocks.
Specific trusted, high volume, senders should be whitelisted.
This policy limits The MAIL FROM rate by CIDR block. Applicable in a cluster configuration.
Specific trusted, high volume, senders should be whitelisted.
Set a threshold by CIDR block for rejection after failed SMTP AUTH. Applicable in a cluster configuration.
Perform a Full Circle DNS Check. Exempt whitelists from this policy.
This policy rejects a client that sends data before the server sends a greeting message (banner). Sloppily written spamware often sends the HELO immediately without waiting for the greeting.
This policy enforces the maximum number of messages per given time period (i.e. rolling one hour) that will be accepted from a given CIDR range. Specific trusted, high volume, senders can be whitelisted. Applicable in a cluster configuration.
Email must be sent from a valid domain. This policy verifies that the domain exists and will permanently fail the message if the domain does not exist.
This policy performs a lookup in LDAP or another relevant data source to determine if the message is addressed to a valid recipient. If the recipient does not exist, permanently fail the message.
Recipient validation is a very useful way to not only limit the messages you receive but also provide feedback to senders about recipients that are not valid. Unfortunately, this functionality can be used to traverse a directory and create a list of valid recipients to attack. This policy will transiently fail messages from a given sender for a given length of time if the sender exceeds a specified number of invalid recipients for a given time period. This policy also looks at the percentage of messages with invalid recipients over a specified time frame. Messages from senders that have exceeded a specified threshold will be temporarily failed for a specified duration. For example, if 50% or more of the recipients from a given sender in are invalid, then temporarily fail the sender for the next 24 hours. Because this threshold is percent-based, a specified minimum number of messages must be received from a given sender to ensure the counts are statistically significant before the policy will apply.
This policy enforces a specified maximum message size and permanently fails the message when this size is exceeded.
Momentum does not have any intrinsic content scanning capabilities, but instead customers may choose a third-party partner best suited to their needs. The Momentum content scanning model uses all content scanners as engines which are fed the message and its metadata, returning a verdict about the message. The mechanisms used and results returned vary from partner to partner. Policy can set whether to silently discard the message or reject it.
Similar to Anti-spam content, but message disposition is typically to silently discard the message. Applicable in a cluster configuration.
msys.dp_config.antivirus and the various partner options.
Suspend delivery when the threshold for anti-virus content is met. Applicable in a cluster configuration.
Suspend delivery when the threshold for anti-virus MAIL FROM Rate is met. Applicable in a cluster configuration.
Questionable content using specific keywords can be rejected using content filtering. Each MIME part is scanned separately.