mtpolicyd - a modular policy daemon for postfix
mtpolicyd is a policy daemon for postfix access delegation.
It can be configured to accept connections on several ports from a postfix mta. For each port a VirtualHost can be configured and for each VirtualHost several Plugins can be configured.
For more info, mailing list, see:
In postfix
smtpd_recipient_restrictions = check_policy_service inet:
In mtpolicyd.conf:
# listen on port 12345 (multiple ports can be separated by ',')
# defined host for this port
<VirtualHost 12345>
<Plugin spamhaus_bl>
This check will execute a simple RBL lookup against
- -h --help
Show available command line options.
- -c --config=<file> (default: /etc/mtpolicyd/mtpolicyd.conf)
Specifiy the path to the configuration file.
- -f --foreground
Do not fork to background and log to stdout.
- -l --loglevel=<level>
Overwrite the log level specified in the configuration with the specified level.
- -d --dump_vhosts
Parse VirtualHosts configuration, print it to stdout and exit.
The configuration file is implementend with Config::General which allows apache style configuration files.
mtpolicyd accepts global configuration parameters in the style:
Comments begin with '#'.
VirtualHosts must be configured with VirtualHost sections:
<VirtualHost <portnumber>>
name=<name of the vhost>
Each VirtualHost should contain at least on Plugin.
<VirtualHost <portnumber>>
name=<name of the vhost>
<Plugin <name of check> >
module = "<name of plugin>"
# plugin options
For individual plugin configuration options see the man page of the plugin:
Mail::MtPolicyd::Plugin::<name of plugin>
- user
user id to run as
- group
group id to run as
- pid_file
location of the pid file
- ldap_host (default: empty)
Hostname or address of an LDAP server if you want to use LDAP plugins.
- ldap_port (default: 389)
Port or the LDAP server.
- ldap_keepalive (default: 1)
Activate keepalive for the LDAP connection.
Set to 0 to disable.
- ldap_timeout (default: 120)
Timeout for LDAP connection.
- ldap_binddn (default: empty)
The binddn user if the LDAP server requires authentication.
If the binddn is empty no bind will be performed and the connection will be used anonymously.
- ldap_password
Password of the binddn user.
- ldap_starttls (default: 1)
Use of TLS encryption for LDAP.
- log_level
Verbosity of logging: 0=>'err', 1=>'warning', 2=>'notice', 3=>'info', 4=>'debug'
- host
ip address to bind to.
- port
comma separated list of ports to listen on.
- min_servers (default: 4)
The minimum number of client processes to start.
- min_spare_servers (default: 4)
The minimum number of client processes that should hanging around idle and wait for new connections.
If the number of free processes is below this threshold mtpolicyd will start to create new child processes.
- max_spare_servers (default: 12)
The maximum number of idle processes.
If the number of idle processes is over this threshold mtpolicyd will start to shutdown child processes.
- max_servers (default: 25)
The absolute maximum number of child processes to start.
- max_requests (default: 1000)
- max_keepalive (default: 0)
Number of requests after that mtpolicyd closes the connection or no limit if set to zero.
Should be the same value as smtpd_policy_service_reuse_count_limit (postfix >2.12) in postfix/smtpd configuration.
- vhost_by_policy_context (default: 0)
Select VirtualHost by 'policy_context' request field.
The policy_context will be matched against the 'name' field of the VirtualHost.
For example in postfix use advanced syntax:
check_policy_service { inet:localhost:12345, policy_context=reputation } ... check_policy_service { inet:localhost:12345, policy_context=accounting }
In mtpolicyd.conf:
port="" # only 1 port vhost_by_policy_context=1 <VirtualHost 12345> name=reputation ... plugins ... </VirtualHost> <VirtualHost 12345> name=accounting ... plugins ... </VirtualHost>
The policy_context feature will be available in postfix 3.1 and later.
If you just need small differentiations consider using the Mail::MtPolicyd::Plugin::Condition plugin to match against plugin_context field.
- request_timeout
Maximum total time for one request.
- db_dsn
Connection string for the database in perl-DBI format. See DBI.
- db_user
Name of database user.
- db_password
Password of database user.
- memcached_servers
A comma separated list of memcached servers used for session tracking.
- memcached_namespace (default: mt-)
Use a namespace for storing sessions in memcached
- memcached_expire (default: 300 seconds)
Expire time for memcached entries.
- session_lock_wait (default: 50 usec)
Time to wait before retry to acquire lock on a session object.
Will be increased with every try. (50,100,150,...)
- session_lock_max_retry (default: 50 times)
Number of maximum retries for acquiring a session lock.
- session_lock_timeout (default: 10 seconds)
After this timeout the lock will destroy itself.
mtpolicyd uses a session managemend based on memcached.
mtpolicy will generate a session for each mail passed to it and store it within memcached. The attached session information will be available to all following plugins across child processes, virtual hosts and ports.
Plugins will use this session information to cache lookup etc. across multiple requests for the same mail. Postfix will send a query for each recipient and for each configured check_policy_service call.
The policy daemon will process all plugins in the order they appear in the configuration file. It will stop as soon as a plugin returns an action and will return this action to the MTA.
Most plugins can be configured to not return an action if the performed check matched.
For example the RBL module could be set to passive mode and instead a score could be applied to the request:
<Plugin spamhaus>
module = "RBL"
mode = "passive"
Check the documentation of the plugin for certain score/mode parameters. Plugin may provide more than one mode/score parameters if the do several checks.
Now if you configure more than one RBL check the score will add up. Later an action can be taken based on the score. The ScoreAction plugin will return an action based on the score and the AddScoreHeader plugin will prepend the score as a header to the mail:
<Plugin ScoreReject>
module = "ScoreAction"
threshold = 15
action = "reject sender ip %IP% is blocked (score=%SCORE%%SCORE_DETAIL%)"
<Plugin ScoreTag>
module = "AddScoreHeader"
If you configure a database this database connection will be available to plugins. For example the SqlList plugin can be used to implement a black or white list based on an SQL query. Or the SqlUserConfig plugin could be used to query a database for additional configuration options.