qSheff configuration files are PREFIX/qsheff.*. PREFIX is /usr/local by default.
qsheff.conf
qSheff's main configuration file. You can enable or disable different features here.
QSHEFFDIR: qSheff data directory which includes backup, quarantine, spool, tmp. Don't touch spool and tmp.
LOGFILE: Name of the qSheff log file.
debug_level: The log level. qSheff logs entries whose debug level is less than this value. It is 99 by default, so qSheff logs everything. The levels are listed below:
Level  Identifier  Comment
0      ERR         Internal error.
3      VIRUS       Antivirus software found a virus.
5      CUSTOM      Custom filter program caught a spam pattern.
7      WBLIST      White/black list module caught a spam pattern.
11     SPAM        Spam found in header or body.
13     ATTACH      A prohibited attachment was caught.
15     HEADER      Problem with header.
17     EMPTY       Mail header is empty.
21     QUEUE       Successful/safe e-mail.
enable_blackhole: If set to 1, qSheff won't let qmail return a REJECT message when a virus or spam has been found. Nowadays, viruses generate random From addresses as they spread, which keeps the e-mail server busy sending error messages to nonexistent addresses. This feature lets you silence qmail when spam or a virus has been identified.
paronia_level: This feature is not applicable to version 2.0; it is reserved for the next version. It defines how qSheff reacts when an error occurs. The value can be 0, 1 or 2. If set to 0 and a problem occurs in any module (e.g. spam scanning), qSheff acts as if nothing has happened and moves on to the next module. If set to 1, only errors in antivirus modules cause termination and a TEMPORARY error return. If set to 2, any error causes a TEMPORARY error return.
drop_empty_line: Drop e-mails if the From or To is empty.
enable_quarantine: When set to 1, spam or virus containing e-mails will be stored in WORKDIRPREFIX.
enable_wblist: When set to 1, enables the White/Black list module.
enable_header_filter: When set to 1, enables the internal filter engine for header lines.
enable_body_filter: When set to 1, enables the internal filter engine for body.
enable_clamd: When set to 1, enables internal client for clamd antivirus.
enable_custom_prog: When set to 1, enables the custom program in the specified path to scan e-mails.
enable_attach_filter: When set to 1, filters attachments by extension (qsheff.attach).
PROG variables define the software, its parameters and the job it will be run for. Here you can choose alternative software. You should find out the return values for normal completion, error and spam/virus identification and write them here. You can get the return values for your software from the vendor or its official web site.
qsheff.rules
The rules for qSheff's internal filter engine are defined here. An example file:
type:(rule1)(rule2)...(ruleN)
b:(mature woman)(hot)
h:( important)
h:(^Subject: [Vv][aA@]gra)
a:(hot)(teen)
b is for "body", h is for "header" and a is for "all". These specify the filter type.
qSheff supports regular expressions. http://www.enderunix.org/qsheff/docs/regular.expressions.txt
Rules on the same line are combined with a logical AND; separate lines are combined with a logical OR. This makes the scan engine more flexible and more precise. For example, 'sex' may be innocent in a form that asks for age, sex, occupation and so on. You can define a multilevel, selective rule like:
b:(hot)(sex)
qSheff will only stop e-mails that contain both the words 'sex' and 'hot' in the subject line. You can use more levels to get a more sensitive filter. I recommend defining rules with 2, 3 or at most 4 levels.
IMPORTANT: Identifying spam primarily by its subject or header line is important for performance, because the internal filter only scans the 256-character-wide subject line. If the e-mail is cut off at that point, it will not be scanned by spam or antivirus software that scans the whole message and its attachments. This results in a big performance improvement. For instance, if a virus has a distinctive subject line, it is better to add it to the rule file, because it will then be identified and stopped at the internal filter stage. If you don't, the internal filter and then the spam program will scan it, and finally the antivirus program will run and identify the virus. All of these programs scan the whole content, which costs performance. Improving the internal filter rules is therefore more important than improving the spam database. qSheff is designed to filter the subject first and only then scan the whole content, so that you benefit from this performance gain.
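The AND-within-a-line, OR-across-lines evaluation described above, as an added Python sketch (not qSheff's own code). Assumptions: Python's `re` stands in for qSheff's regex engine, matching is case-sensitive, `^` anchors at the start of each header line, and type `a` is evaluated over header and body together; `parse_rules` and `first_match` are hypothetical names.

```python
import re

# Constructed rule file using the syntax shown above: type:(rule1)(rule2)...(ruleN)
SAMPLE_RULES = """\
b:(mature woman)(hot)
h:(^Subject: [Vv][aA@]gra)
a:(hot)(teen)
"""

def parse_rules(text):
    """Return one (type, [compiled patterns]) pair per valid rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if len(line) < 4 or line[1] != ":" or line[0] not in "bha":
            continue  # not a rule line
        spec = line[2:]
        if not (spec.startswith("(") and spec.endswith(")")):
            continue
        # Simplification: a pattern that itself contains ")(" is not supported.
        patterns = spec[1:-1].split(")(")
        rules.append((line[0], [re.compile(p, re.MULTILINE) for p in patterns]))
    return rules

def first_match(rules, header, body):
    """Return the index of the first line whose patterns ALL match, else None."""
    scopes = {"h": header, "b": body, "a": header + "\n" + body}  # 'a' scope: assumption
    for index, (kind, patterns) in enumerate(rules):
        if all(p.search(scopes[kind]) for p in patterns):  # AND within a line
            return index                                   # OR across lines
    return None

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(first_match(rules, "From: x@example.com\nSubject: V@gra offer", "hello"))
    print(first_match(rules, "Subject: hi", "a hot day"))
```

A single matching word is not enough to trigger a multi-pattern line, which is what keeps a rule such as b:(hot)(sex) from firing on a form that only mentions "sex".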
qsheff.wblist
File format:
WBL_COMMAND WBL_RULE DIRECTION
There are three different commands: ACCEPT, DISCARD and REJECT.
E-mails matching an ACCEPT rule are only scanned for viruses. The enable_subject_filter and enable_spam_prog values are treated as 0 for them.
E-mails matching a REJECT rule are sent back to the sender with a PERMANENTLY REJECTED error.
E-mails matching a DISCARD rule are deleted and nothing is returned to the sender.
The rules may be written in the 4 forms below:
1. user@domain.com
2. @domain.com
3. 192.168.22.10
4. 10.45.
First and second rules are applied to the from and to headers of the e-mail. If there is a match, the specified command is executed. The first rule matches an exact e-mail address. The second rule matches a partial address after the @ symbol. Meaning, all the e-mails from or to the given domain name are matched.
Third and fourth rules are for IP addresses and are applied to the recvfrom (the IP of the server which delivered the e-mail) part of the e-mail. Third rule matches an exact IP address. Fourth rule matches all the IPs in the network.
IMPORTANT: Don't forget that there is a dot '.' symbol suffix in the fourth rule. A "10.15" rule includes a "10.154.1.1" IP too. However "10.15." only includes IPs in the "10.15.X.Y" network.
Examples:
ACCEPT 192.168.135.166 OUT
ACCEPT 192.168. OUT
ACCEPT 212.6 IN
ACCEPT user1@domain.com IN
DISCARD @domain2.com IN
DISCARD 81.213.179.56 IN
DISCARD 81.3 IN
DISCARD 81.113. IN
REJECT user2@domain3.com IN
REJECT 81.213.80.72 OUT
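The four rule forms and the trailing-dot caveat, as an added Python sketch for auditing a qsheff.wblist file (not qSheff's own code). Assumptions: address comparison is case-insensitive, DIRECTION is compared as a plain string, and every matching entry is returned because the page does not state rule precedence; all function names are hypothetical.

```python
import re

# Constructed sample in the documented format: WBL_COMMAND WBL_RULE DIRECTION
SAMPLE_WBLIST = """\
ACCEPT 192.168. OUT
ACCEPT 212.6 IN
DISCARD @domain2.com IN
DISCARD 81.113. IN
REJECT user2@domain3.com IN
REJECT 81.213.80.72 OUT
"""

FULL_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_wblist(text):
    """Return (command, rule, direction) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("ACCEPT", "DISCARD", "REJECT"):
            entries.append(tuple(parts))
    return entries

def rule_matches(rule, addresses, recvfrom):
    """Apply the four rule forms to the from/to addresses and the recvfrom IP."""
    if "@" in rule:
        if rule.startswith("@"):                       # form 2: whole domain
            return any(a.lower().endswith(rule.lower()) for a in addresses)
        return any(a.lower() == rule.lower() for a in addresses)  # form 1: exact
    if FULL_IP.match(rule):                            # form 3: exact IP
        return recvfrom == rule
    return recvfrom.startswith(rule)                   # form 4: textual prefix

def matching_entries(entries, direction, addresses, recvfrom):
    """Every entry for this direction whose rule matches the message."""
    return [e for e in entries
            if e[2] == direction and rule_matches(e[1], addresses, recvfrom)]

def ambiguous_prefixes(entries):
    """IP prefix rules without a trailing dot, which also cover longer octets."""
    return [e for e in entries
            if "@" not in e[1] and not FULL_IP.match(e[1]) and not e[1].endswith(".")]

if __name__ == "__main__":
    entries = parse_wblist(SAMPLE_WBLIST)
    print(ambiguous_prefixes(entries))
    print(matching_entries(entries, "IN", ["a@b.com"], "212.60.1.1"))
```

An ACCEPT entry flagged by `ambiguous_prefixes` deserves attention first, since accepted mail is only scanned for viruses and a too-wide prefix exempts more hosts from spam filtering than intended.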