Colour of Colour

 

Colour names

Color Names Supported by All Browsers

All modern browsers support the following 140 color names (click on a color name, or a hex value, to view the color as the background-color along with different text colors):

HEX codes

RGB codes

Shades

Names

Yellow Color Names

yellow color names

Orange Color Names

orange color names

Red Color Names

red color names

Pink Color Names

pink color names

Violet Color Names

violet color names

Blue Color Names

blue color names

Green Color Names

green color names

Brown Color Names

brown color names

Gray Color Names

Gray Color Names

Speed

That infinite space “between” what we humans feel as time is where computers spend all their time. It’s an entirely different timescale. A great table that illustrates just how enormous these time differentials are. Just translate computer time into arbitrary seconds:

A great table that illustrates just how enormous these time differentials are. Just translate computer time into arbitrary seconds:

1 CPU cycle0.3 ns1 s
Level 1 cache access0.9 ns3 s
Level 2 cache access2.8 ns9 s
Level 3 cache access12.9 ns43 s
Main memory access120 ns6 min
Solid-state disk I/O50-150 μs2-6 days
Rotational disk I/O1-10 ms1-12 months
Internet: SF to NYC40 ms4 years
Internet: SF to UK81 ms8 years
Internet: SF to Australia183 ms19 years
OS virtualization reboot4 s423 years
SCSI command time-out30 s3000 years
Hardware virtualization reboot40 s4000 years
Physical system reboot5 m32 millenia

Approximate timing for various operations on a typical PC:

execute typical instruction 1/1,000,000,000 sec = 1 nanosec
fetch from L1 cache memory 0.5 nanosec
branch misprediction 5 nanosec
fetch from L2 cache memory 7 nanosec
Mutex lock/unlock 25 nanosec
fetch from main memory 100 nanosec
send 2K bytes over 1Gbps network 20,000 nanosec
read 1MB sequentially from memory 250,000 nanosec
fetch from new disk location (seek) 8,000,000 nanosec
read 1MB sequentially from disk 20,000,000 nanosec
send packet US to Europe and back 150 milliseconds = 150,000,000 nanosec

Latency is one thing, but it’s also worth considering the cost of that bandwidth.

An interesting way of explaining this. If the CPU registers are how long it takes you to fetch data from your brain, then going to disk is the equivalent of fetching data from Pluto.

https://blog.codinghorror.com/content/images/2014/May/storage-latency-how-far-away-is-the-data.png
  • Distance to Pluto: 4.67 billion miles.
  • Latest fastest spinning HDD performance (49.7) versus latest fastest PCI Express SSD (506.8). That’s an improvement of 10x.
  • New distance: 467 million miles.
  • Distance to Jupiter: 500 million miles.

That’s disk performance over the last decade. How much faster did CPUs, memory, and networks get in the same time frame? Would a 10x or 100x improvement really make a dent in these vast infinite spaces in time that computers deal with?

To computers, we humans work on a completely different time scale, practically geologic time. Which is completely mind-bending. The faster computers get, the bigger this time disparity grows.

System Commands

System Commands

shutdown bring the system down shutdown -h now -h = Halt or poweroff after shutdown
shutdown -r now -r : Reboot after shutdown
shutdown -r -F now -F : Force fsck after reboot.
halt stop the system. halt
reboot reboot the system. reboot
init init 1 #change to single usermode
uptime Tell how long the system has been running. uptime
runlevel find the previous and current system runlevel. runlevel
printenv print all or part of environment printenv
env run a program in a modified environment env
hostname show or set the system’s host name hostname – show the system’s host name
hostname NEWHOSTNASME – set the system’s host name
uname print system information uname -a – print all information
locale Get locale-specific information. locale
locale -a |grep -i ja <- -a : –all-locales

Process Management

ps report a snapshot of the current processes. ps aux |grep httpd ← Check httpd rocess
ps aux | grep XXX | awk ‘{print $2}’ | xargs kill -9
ps auxwf
ps auxwf |grep XXX
pgrep look up processes based on name and other attributes pgrep -f ‘bash’
pgrep -lf ‘bash’ ← output with process name
pgrep -f ‘bash’ | xargs kill
pstree display a tree of processes pstree -a
pidof find the process ID of a running program pidof httpd
/bin/kill $(/sbin/pidof qmail-popup)
kill send a signal to a process kill -9 PID ← (-9 or -KILL = force-quit)
pkill signal processes based on name and other attributes pkill -f ‘bash’
pkill -u user1
pkill java
pkill -f jar
killall kill processes by name killall vi
killall -i vi ← -i = Interactively
killall -HUP kterm
killproc
lsof list open files lsof -i
lsof -i -P ← no port names
lsof -i :80,443 ← Which process is using Port 80,443
Ctrl + C Stop running process
Ctrl + Z Suspend running process Move Running Process to Background
1. ctrl + z
2. jobs
3. bg
4. disown %JOBID
jobs The first form lists the active jobs. jobs -l ← List job
fg Resume jobspec in the foreground
bg Resume each suspended job jobspec in the background
nohup run a command immune to hangups, with output to a non-tty nohup command.sh &
disown disown %jobid
nice run a program with modified scheduling priority nice -n 19 test.sh
nice -n 19 ionice -c 3 CMD
nice -n 19 ionice -c 2 -n 7 COMMAND
renice alter priority of running processes renice 19 -p PID
you can check the nice whith “top” or “ps alx”.
ionice sets or gets process io scheduling class and priority ionice -p PID ← check
ionice -c 3 -p PID
nice -n 19 ionice -c 2 -n 7 COMMAND

Schedule

crontab maintain crontab files crontab -l ← -l = list user’s crontab
crontab -u USER -l
crontab -e ← -e = edit user’s crontab
crontab -u USER -e
at queue jobs for later execution echo “/sbin/shutdown -h now” |at 21:00 02/30/2009
at -t 200902302100
atq lists the user’s pending jobs atq
atrm delete jobs for later execution atrm JOBID
watch execute a program periodically, showing output fullscreen watch ntpq -p ← By default, the program is run every 2 seconds
watch -n 1 ntpq -p ← 1 seconds interval
-d : highlight the differences between successive updates

etc

alias Alias with no arguments or with the -p option prints the list of aliases
When arguments are supplied, an alias is defined for each name whose value is given.
alias ← check all alias
alias ls=’ls -la –color=auto’
alias grep=’grep –color’
unalias Remove each name from the list of defined aliases.
If -a is supplied, all alias definitions are removed.
unalias COMMAND
ntpdate set the date and time via NTP ntpdate -b -u IP
-b : Force the time (step mode)
-u : If you are running ntpd, “-u” must be added.
chronyc command-line interface for chronyd chronyc sources
chronyc sources -v
ntpq standard NTP query program ntpq -p
-p : Print a list of the peers known to the server
watch -n 1 ntpq -p
hwclock query and set the hardware clock (RTC) hwclock (-r) ← Read the Hardware Clock and print the time on standard output.
hwclock -w ← Set the Hardware Clock to the current System Time.
hwclock -s ← Set the System Time from the Hardware Clock.
man an interface to the on-line reference manuals man COMMAND
whatis display manual page descriptions whatis KEYWORD
whatis cat
whatis vi
history GNU History Library history |less
history 5 ← lists only the last 5 lines.
HISTSIZE=1000
HISTTIMEFORMAT=“%Y/%m/%d %H:%M:%S ”
which locate a command which ls
time time a simple command or give resource usage time sleep 5
strace trace system calls and signals strace -t php test.php
strace -t -o test.txt php test.php
-t : each line of the trace with the time of day.
ltrace A library call tracer lltrace -o test.txt wget http://example.com/
ltrace -p PID
ltrace -p 3365
script make typescript of terminal session script -afq $LOG

Files and Directories Commands

File Commands

ls list directory contents ls -ltrh ← -r : reverse order while sorting
-h : with -l, print sizes in human readable format
ls -ltrh |less
cp copy files and directories cp -p SRC DES
cp -pi /etc/hosts{,.`date ‘+%Y%m%d’`}
cp -pr SRC/ DES/ ← -r,-R : copy directories recursively
cp -p SRC DES ← -f, –force
mv move (rename) files mv file1 file2
mv dir1 dir2
mv file1 file2 file3 DIR
rename renames multiple files rename .htm .html *.htm ← frm .htm to .html
rename “” test *.txt ← add test
rename test “” *.txt ← delete test
rm remove files or directories rm -rf TARGET ← -r,-R : remove directories
touch change file timestamps touch file1
touch -d “2017/10/20 13:00:00” file1
ln make links between files ln -s SRC DES
unlink unlink DES
wc print newline, word, and byte counts for each file wc -l ← -l, –lines = print the line counts
tree list contents of directories in a tree-like format tree -Dpuga /etc
col filter reverse line feeds from input man ifconfig | col -bfx > test.txt

Directory Commands

pwd print name of current/working directory pwd
cd Change the current directory cd ← go to home directory
cd ~/ ← go to home directory
cd .. ← go to parent directory
pushd Adds a directory to the top of the directory stack pushd /var/log
pushd `pwd`
pushd +2 ← check pushd directory with dirs -v and go to No.2
pushd +3 ← check pushd directory with dirs -v and go to No.3
popd Removes entries from the directory stack. popd
dirs displays the list of currently remembered directories. dirs -v
mkdir make directories mkdir -p /tmp/test1/test2/ ← make parent directories as needed
mkdir -m 700 /home/user01/.ssh
rmdir remove empty directories
If you want to delete directory, you must use “rm -r DIR”.
rmdir DIR

Commands to Access File Contents

more file perusal filter for crt viewing
less opposite of more crontab -l |less
view Start in read-only mode.
cat concatenate files and print on the standard output cat /dev/null > access.log
tail output the last part of files tail -n 50 aaa.txt ← output the last N lines
head output the first part of files head -n 100 aaa.txt ← -n , –lines
head * |more ← View the beginning of the file in the directory.
diff compare files line by line diff –suppress-common-lines –side-by-side File1 File2
diff /etc/test{,.`date ‘+%Y%m%d’`}
diff -r dir1 dir2 ← When comparing directories, recursively compare
sdiff side-by-side merge of file differences sdiff -s File1 File2 ← -s : Do not print common lines.
sdiff -s -w 200 File1 File2
colordiff
vimdiff vimdiff file1 file2
vim -d file1 file2

Searching

grep print lines matching a pattern grep WORD FILE |less
grep -Ev “^#|^$” xxx.txt
grep -Ev “^$|^#|^\s*#” file.txt
grep “” ifcfg-eth* ← check filename and contents
grep -r PATTERN –include=”*.txt” DIRECTORY ← -r : recursive
egrep egrep is the same as grep -E egrep “aaa|bbb” file
find , xargs search for files in a directory hierarchy find . -name “*txt*”
find /dir -type f -name “*.log*” -mtime +7 -exec rm -rf {} \;
← “-mtime +7” is 7 days ago

File Compression

tar The GNU version of the tar archiving utility
tar warn the order of target and destination.
tar zcvf test.tar.gz Dir ← Create, Verbose, File
tar ztvf test.tar.gz ← Test, Verbose, File
tar zxvf test.tar.gz ← eXtract, Verbose, File
tar jcvf test.tar.bz2 DIR ← Create, Verbose, File
tar jxvf test.tar.bz2
tar zcvf /tmp/user01.tar.gz user01
tar zxvf user01.tar.gz -C /home
gzip
gunzip
compress or expand files gzip file1
gunzip file1.gz
gzip access_log.2011-[0][5-8]*.txt ←wild card
compress
uncompress
package and compress (archive) files compress file1
uncompress file1.Z
bzip2
bunzip2
bz2cat
a block-sorting file compressor bzip2 file1
bunzip2 file1.gz2
bz2cat file1.gz2
zip
unzip
package and compress (archive) files zip file.zip file1 file2
zip -l file.zip ← -l = list for check
unzip file.zip
unzip -t file.zip ← -t = test
lha lha a file.lzh file1 file2
lha t file.lzh
lha x file.lzh
gzcat gzcat file.gz
gzcat file.Z
zcat zcat file.Z
zless file perusal filter for crt viewing of compressed text zless file.gz
zgrep search possibly compressed files for a regular expression zgrep PATTERN file.gz
zegrep search possibly compressed files for a regular expression zegrep “new” test.txt.gz
zdiff compare compressed files zdiff file1.gz file2.gz

Character

lv a Powerful Multilingual File Viewer / Grep
qkc
nkf Network Kanji Filter
iconv Convert encoding of given files from one encoding to another iconv -f utf-8 -t sjis test.utf8 > test.sjis

User Administration

User

useradd create a new user or update default new user information useradd -u UID -g GROUP -G GROUP1,GROUP2 -s /bin/bash -d HOME_DIR LOGIN
whoami print effective userid whoami
w Show who is logged on and what they are doing. w
who show who is logged on who
who –all
userdel delete a user account and related files userdel -r USER
← (-r, –remove : Files in the user’s home directory will be removed)
vipw edit the password, group, shadow-password or shadow-group file vipw ← edit /etc/passwd
vipw -s ← edit /etc/shadow
passwd change user password echo “password01” | passwd –stdin user01
passwd -S user1 ← check about the status of the password
passwd -l user01 ← Lock the user
passwd -u user01 ← Unlock
chpasswd update passwords in batch mode echo user01:password | chpasswd
echo ‘USER:PASS’ > tmp.txt ; chpasswd < tmp.txt ; rm -f tmp.txt
mkpasswd
chage change user password expiry information chage -l USER ← check
chage -M 90 USER ← the password expires day set 90days
usermod modify a user account usermod -g GROUP USER
usermod -g GROUP -G SUBGROUP USER
usermod -G SUBGROUP USER
usermod -G SUBGROUP1,SUBGROUP2 USER
usermod -G “” USER
usermod -l USER_NAME_NEW USERNAME_OLD ← change username
usermod -d HOME_DIR_NEW USER_NAME ← change home directory
usermod -u UID USER ← change UID
gpasswd gpasswd -a USER sudo ← add USER to GROUP
gpasswd -r USER sudo ← remove USER from GROUP
chsh change login shell chsh -l ← = cat /etc/shells
chsh -s /bin/bash ← changing shell
chsh -s /bin/bash user01
getent get entries from Name Service Switch libraries getent passwd ← you can check LDAP Users
getent group
getent shadow
pam_tally2 The login counter (tallying) module pam_tally2 -u USER ← check
pam_tally2 -u USER –reset ← reset

Group

groups print the groups a user is in groups
groups USERNAME
groupadd create a new group groupadd -g GID GROUP
groupadd -g 1100 dev
groupdel delete a group groupdel GROUP
groupmod change USER’s GID groupmod -g GID GROUP
groupmod -g 1501 testgroup1
find / -gid OLDGID -print ← Check the OLD GID
chgrp change the Group of the file chgrp -R GROUP FILE
vigr edit the password, group, shadow-password or shadow-group file

File Permissions

chmod change file mode bits chmod 777 TARGET
chmod u+s PROGRAM ← add SSUID(Set User ID)
chown change file owner and group chown USER FILE
chown USER:GROUP FILE
chown -R USER:GROUP DIR ← -R : operate on files and directories recursively

Etc

finger user information lookup program finger
finger user01
finger -l user01
su change user ID or become superuser su – ← change root user
sudo su – USER -s /bin/bash
su – user1 -c “ssh user1@192.168.0.xx ls -lh /tmp” >> aaa.txt
sudo execute a command as another user sudo -u USER COMMAND
sudo sh -c ‘echo “test” >> /tmp/test.txt’
id print real and effective user and group IDs id USERNAME
last show listing of last logged in users last
last -5 ← last 5 logged in users
last USER
lastlog reports the most recent login of all users or of a given user lastlog
umask set file mode creation mask umask ← check
umask 022 ← default 666-022=644(rw-r–r–)
umask 002 ← 666-002=664(rw-rw-r–)
umask 000 ← 666-000=666(rw-rw-rw-)

Network

Network

ip show / manipulate routing, devices, policy routing and tunnels ip a ← print ip address
ip addr ← print ip address
ip r ← Show IP Routing
ip route ← Show IP Routing
ss another utility to investigate sockets ss -lt ← TCP Listening Port
ss -ltp ← Process Name with Listening TCP
ss -anu
ifconfig configure a network interface ifconfig ← check ip
ifconfig -a ← -a : display all interfaces
ifconfig eth0 up
ifconfig eth0 down
ifdown take a network interface down ifdown eth0
ifdown eth0 && ifup eth0
ifup bring a network interface up ifup eth0
ifdown eth0 && ifup eth0
route show / manipulate the IP routing table route ← show the IP routing table
route -n ← show the IP routing table
route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.50.0.1
route add -host 192.168.0.100 gw 192.168.1.100
route del -net 192.168.10.0 netmask 255.255.255.0
traceroute print the route packets trace to network host traceroute -n 192.168.0.10
traceroute -T -p 80 192.168.0.10 ← (-T = TCP)
traceroute -U -p 53 192.168.0.10 ← DNS (-U = UDP)
tracepath traces path to a network host discovering MTU along this path tracepath -n 192.168.0.10 ← UDP
*tracepath don’t use TCP.
mtr a network diagnostic tool mtr -rwb xx.xx.xx.xx -c 10 -T -P 443
ethtool Display or change ethernet card settings ethtool eth0
mii-tool view, manipulate media-independent interface status mii-tool eth0
mii-tool -vv eth0
arp manipulate the system ARP cache arp -a ← (-a : Shows the entries of the specified hosts.)
arp -d 192.168.xx.xx ← delete arp
nmcli line tool for controlling NetworkManager

DNS

dig DNS lookup utility dig -h ←help
dig [@global-server] [domain] [q-type]
dig @8.8.8.8 google.com any
dig @8.8.8.8 -x 74.125.235.101
dig google.com mx
dig +trace google.com
dig +trace -x 173.252.120.6
nslookup query Internet name servers interactively nslookup -type=any google.com 8.8.8.8
nslookup google.com 8.8.8.8
nslookup -type=txt google.com
host DNS lookup utility host ← help
host [-t type] [server]
host gmail.com
host x.x.x.x
host -t any google.com 8.8.8.8
host -t mx gmail.com 8.8.8.8
host -t soa gmail.com
-t = specifies the query type
whois client for the whois service whois google.com
nscd name service cache daemon nscd –help
nscd -i hosts ← chache clear
nscd -g ← Print current configuration statistics

Connection

telnet user interface to the TELNET protocol telnet IP PORT
ssh popular OpenSSH SSH client (remote login program) ssh USER@IP
ssh xx.xx.xx.xx “hostname; netstat -rn |grep 10.110.0”
ssh xx.xx.xx.xx sudo /sbin/reboot
scp secure copy (remote file copy program)
the link file copyed as the real file.
scp test.tar.gz user1@192.168.0.10:/tmp
scp -rp /home/user1 user1@192.168.0.10:/home
scp -rp /tmp/test1/ user1@192.168.0.10:/tmp/test2/
rsync popular a fast, versatile, remote (and local) file-copying tool
the link file copyed as the link file.

rsync -avz –delete /home/user1/ /tmp/user1.bk/
← rsync “/” is very important.
rsync -e ssh -avz –delete /home/user1/ user2@192.168.0.2:/home/backup/server1/home/user1/
rsync -e ssh -avz –-bwlimit=1250 FILE user@192.168.0.2:/DIR/ # 1Mbps = 125KBps
ssh-keygen authentication key generation, management and conversion ssh-keygen -t rsa ← generate rsa key pair
ssh-keygen -t rsa -b 4096 -C “” -N “” -f id_rsa
ssh-keygen -R HOST
← Removes all keys belonging to hostname from a known_hosts file.

Check

ping send ICMP ECHO_REQUEST to network hosts ping -c 5 -s 1500 192.168.0.1 ​
ping -i 0.5 192.168.0.1 # -i : interval
nmap Network exploration tool and security / port scanner nmap google.com ← Check TCP
nmap -Pn -sT -p 22 xx.xx.xx.xx ← check Firewall
nmap -Pn -sT -p 443 x.x.x.x -max-rtt-timeout 0.1
nmap -PN -p 22 HOST
nmap -p 443 www.google.com
nc
netcat
Concatenate and redirect sockets nc 192.168.0.10 80 22 ← check TCP
nc -u 192.168.0.100 53 ← check UDP
nc -vz 192.168.0.10 1-1023 ← portscan
nping nping –tcp -p PORT HOST
nping -c 1 –tcp -p PORT HOST
httping measure the latency and throughput of a webserver
http_ping
hping , hping3
fping fping -g 192.168.0.0/24

HTTP

curl popular transfer a URL curl -O http://example.com/images/test.jpg
curl -I http://www.example.com/ ← Only Header
curl -i http://www.example.com/ ← Header and Body
curl –proxy http://proxy.example.com:8080 http://example.com/
wget The non-interactive network downloader. wget http://google.com/
wget -e http_proxy=xx.xx.xx.xx:8080 http://example.com/
wget -e https_proxy=xx.xx.xx.xx:8080 https://example.com/
wget -S –spider http://example.com/ ← Only Header

FTP

ftp ARPANET file transfer program
lftp Sophisticated file transfer program

SNMP

snmpwalk retrieve a subtree of management values using SNMP GETNEXT requests snmpwalk -v 2c -c public localhost sysname
snmpwalk -v 2c -c public localhost .1.3.6.1.2.1
snmpget communicates with a network entity using SNMP GET requests snmpget -v 2c 192.168.0.10 -c public .1.3.6.1.4.1.2021.11.50.0
snmptranslate translate MIB OID names between numeric and textual forms snmptranslate -Tp | less
snmpnetstat display networking status and configuration information from a network entity via SNMP snmpnetstat -v 2c -c public -Can localhost
snmpnetstat -v 2c -c public -Ci localhost
snmpnetstat -v 2c -c public -Cs localhost

Shell Script

Shell

date print or set the system date and time date –date ’10day ago’ +”%Y%m%d” → 20061030
date +”%Y%m%d” → 20061030
date +”%H:%M” → 12:47
cp -p FILE FILE.`date +%Y%m%d`
cp -p FILE FILE.`date -d ‘1day ago’ +%Y%m%d`
tr translate or delete characters
cut remove sections from each line of files echo abcdef |cut -c 3-
echo abcdef |cut -c 2-4
sort sort lines of text files sort -t: +1 -n sample.txt
uniq report or omit repeated lines cat access_log.1 | awk {‘print $4’} |awk -F: {‘print $1$2$3’} | sort |uniq -c
logger a shell command interface to the syslog(3) system log module logger “test test”
basename strip directory and suffix from filenames SHELLNAME=`/usr/bin/basename $0`
SHELLNAME=`/usr/bin/basename $0 .sh`
dirname strip last component from file name DIR=`dirname ${0}`
paste merge lines of files paste -d, test1.txt test2.txt
awk echo “1 2 3 4 5” | awk ‘{ print $1 “,” $3 }’
echo “1 2 : 3 4 : 5” | awk -F: ‘{ print $2 }’
sed sed -e ‘s/xxx/XXX/g’ input.txt > output.txt
sed -i “s/IPADDR=192.168.0.10/IPADDR=192.168.0.11/g” ifcfg-eth0
mail
mailx
send and receive Internet mail
echo test | mail -s “test” -S “smtp=smtp://xx.xx.xx.xx:25” test@example.com
cat test.txt | mail -s “test” -S “smtp=smtp://xx.xx.xx.xx:25” test@example.com
while while : ; do uptime ; sleep 1 ; done
while : ; do uptime >> /tmp/tmp.txt ; sleep 1 ; done
while : ; do ps aux |grep httpd |wc -l ; sleep 1 ; done
for for i in 127.0.0.1 192.168.10.1; do ping -c 2 $i; done
sleep sleep 1
usleep sleep some number of microseconds usleep 1000000 ← 1,000,000 = 1sec
usleep 100000 ← 100,000 = 0.1sec
usleep 10000 ← 10,000 = 0.01sec

Hardware

Hardware

dmesg print or control the kernel ring buffer dmesg
lspci list all PCI devices lspci
nproc print the number of processing units available nproc
grep -c processor /proc/cpuinfo
getconf _NPROCESSORS_ONLN

Module

lsmod show the status of modules in the Linux Kernel lsmod
modinfo show information about a Linux Kernel module modinfo MODULENAME
modinfo bnx2
insmod insert a module into the Linux Kernel
rmmod remove a module from the Linux Kernel
modprobe add and remove modules from the Linux Kernel

Disk Utilities

HDD

du estimate file space usage du -sh *
du -h –max-depth=1
fuser identify processes using files or sockets fuser -mv /mnt/test ← check
fuser -mvk /mnt/test ←(-k : Kill processes)
chroot run command or interactive shell with special root directory
hdparm get/set hard disk parameters
dumpe2fs dump ext2/ext3/ext4 filesystem information
badblocks search a device for bad blocks

Partition

df report file system disk space usage df -h ← (-h : print sizes in human readable format)
df -BG ← Bigabyte Unite
df -BM ← Megabyte Unite
sfdisk partition table manipulator for Linux sfdisk -l ←(-l : List the partitions of a device.)
fdisk manipulate disk partition table fdisk -l ← ( -l : List the partition tables)
fdisk -l /dev/sdb
fdisk -l -o +UUID
gdisk Interactive GUID partition table (GPT) manipulator
parted a partition manipulation program parted -l ← check partitions
parted /dev/mapper/mpath0
lsblk list block devices lsblk
e2label Change the label on an ext2/ext3/ext4 filesystem

Swap

mkswap set up a Linux swap area
swapon enable devices and files for paging and swapping swapon -s ← Check
swapon -a
swapon /dev/xvda3
swapoff disable devices and files for paging and swapping swapoff -a

File Systems

mkfs build a Linux filesystem
#you must umount the device before mkfs.
mkfs -t xfs /dev/sdb1
mkfs -t ext3 /dev/sdb1
mkfs -t ext4 /dev/sdb1
mkfs.xfs mkfs.ext4
mkfs.ext3
#you must umount the device before mkfs. mkfs.ext4 /dev/sdb1
mkfs.ext3 /dev/sdb1
mkfs2fs create an ext2/ext3/ext4 filesyste
#you must umount the device before mkfs.
mke2fs /dev/sdb1 ← ext2
mke2fs -j /dev/sdb1 ← ext3
xfs_info xfs_info /dev/sda1
tune2fs adjust tunable filesystem parameters on ext2/ext3/ext4 filesystems tune2fs -l /dev/mapper/mpath0
← -l : List the contents of the filesystem superblock.
tune2fs -l /dev/mapper/mpath0 |egrep “count|interval”
tune2fs -i 0 -c 0 /dev/mapper/mpath0
← -i : interval, -c : mount count
fsck check and repair a Linux filesystem
you must umount the device before fsck.
for example single usermode and umount.
‘shutdown -r -F now’ is force fsck after reboot.
fsck -p /dev/sda1
← -p : Automatically repair (“preen”) the file system.
fsck.ext4 check and repair a Linux filesystem
e2fsck check a Linux ext2/ext3/ext4 file system
resize2fs ext2/ext3/ext4 file system resizer resize2fs /dev/testvg/lvol0

Data

dd convert and copy a file dd if=/dev/zero of=test_10M bs=1M count=10
dd if=/dev/zero of=test_100M bs=1M count=100
dd if=/dev/zero of=test_1G bs=1M count=1000
dd if=/dev/zero of=temp.bin bs=1 count=0 seek=1G ← sparse file
sync flush file system buffers
shred overwrite a file to hide its contents, and optionally delete it

mount

mount mount a filesystem mount /mnt/test /dev/sda1
mount -o remount /dev/sda1
mount -t cifs //xx.xx.xx.xx/test /mnt/test -o username=guest,password=
umount unmount file systems umount /mnt/test
umount -f /mnt/test
(-f : Force unmount(in case of an unreachable NFS system))
umount -l /mnt/test
(-l : Lazy unmount.Detach the filesystem from the filesystem hierarchy now )

LVM

References : LVM – How to Use LVM in Linux

LVM

lvm LVM2 tools

PV (Physical Volume)

pvs report information about physical volumes
pvdisplay display attributes of a physical volume pvdisplay
pvdisplay -C
pvcreate initialize a disk or partition for use by LVM pvcreate /dev/mapper/mpath0p1
pvcreate /dev/mapper/mpath0p1 /dev/mapper/mpath1p1
pvremove remove a physical volume pvremove /dev/mapper/mpath0p1
pvscan scan all disks for physical volumes

VG (Volume Group)

vgs report information about volume groups vgs -o +vg_tags ← check tag
vgdisplay display attributes of volume groups vgdisplay
vgdisplay -C
vgcreate create a volume group vgcreate vgdata1 /dev/hdb1 /dev/hdc1
vgremove remove a volume group vgremove vg01
vgscan scan all disks for volume groups and rebuild caches
vgchange change attributes of a volume group vgchange -a y ← activate
vgchange -a n ← deactivate
vgchange -a y vg01
vgchange -a n vg01
Check : lvdisplay VGDATA |grep Status
vgchange –addtag $(uname -n) VG_TEST
vgchange –deltag $(uname -n) VG_TEST
vgextend add physical volumes to a volume group vgextend vg01 /dev/hdd1
vgrename rename a volume group vgrename oldvg newvg

LV (Logical Volume)

lvs report information about logical volumes
lvdisplay display attributes of a logical volume lvdisplay
lvdisplay -C
lvdisplay /dev/mapper/VGDATA-lv00
lvcreate create a logical volume in an existing volume group lvcreate -l PENUMBER vgdata
lvcreate -L 150G vgdata
lvremove remove a logical volume lvremove /dev/testvg/lvol0
lvscan scan (all disks) for logical volumes
lvresize resize a logical volume lvresize -L +5G /dev/vg0/home
lvextend extend the size of a logical volume lvextend -L +5G /dev/vg0/home
lvextend -l +100%FREE /dev/mapper/Array00-lv00
lvreduce reduce the size of a logical volume
lvrename rename a logical volume lvrename /dev/vgdata/lvol0 /dev/vgdata/lvol1

Performance

Performance

top display Linux processes top -b -n 4 -d 5 ← interval 5sec , 4 times
sar Collect, report, or save system activity information. sar -f /var/log/sa/sa16
sar (cpu,io)
sar -r (memory)
sar -q (Loadaverage)
vmstat LIKE Report virtual memory statistics vmstat 1 ← interval 1sec (cpu, io, memory, swap)
vmstat 1 5 ← interval 1sec, 5 times (cpu, io, memory, swap)
iostat Report Central Processing Unit (CPU) statistics and input/output statistics for devices and partitions. iostat -xtk 1 (cpu, io) ← interval 1sec
mpstat Report processors related statistics. mpstat -P ALL
uptime Tell how long the system has been running. while : ; do uptime ; sleep 1 ; done
while : ; do uptime » /tmp/tmp.txt ; sleep 1 ; done
w Show who is logged on and what they are doing.
free Display amount of free and used memory in the system free -m ← show output in MB
tcpdump dump traffic on a network tcpdump -n port 80 -i any
tcpdump -n not arp and not port 123 and not port 22
tcpdump host 192.168.0.10 -n -w /tmp/20110615.pcap
tcpdump -r /tmp/20110615.pcap ← -r : Read packets from file
netstat Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships netstat -anp (-a : Show both listening and non-listening sockets.)
netstat -rn (-r : Display the kernel routing tables.)
iotop simple top-like I/O monitor iotop -b -n 4 -d 15 ← interval 15sec , 4 times
dstat LIKE versatile tool for generating system resource statistics dstat -taf

Load Test

fio

Software

Software

make GNU make utility to maintain groups of programs
patch apply a diff file to an original patch -p1 -N < ../xxx.patch
ldd print shared library dependencies ldd BINARY
yum popular an interactive, rpm based, package manager yum repolist ← check enabled repository
yum search STRINGS
yum info PACKAGE ← check rpm version etc
yum install PACKAGE
yum –disablerepo=* –enablerepo=test-repo repolist
rpm RPM Package Manager rpm -ivh PACKAGE.rpm ← install
rpm -e PACAGE.rpm ← uninstall
rpm -qa –last
apt
dpkg
alien alien -d package-x.x.x.rpm
alien -r package-x.x.x.deb
update-alternatives update-alternatives –config mta
rhn_register rhn_register –nox –proxy=http://192.168.0.10:9999

etc

X Window System

startx initialize an X session startx
xhost server access control program for X xhost + ← Access is granted to everyone
xauth X authority file utility

TUI

ntsysv simple interface for configuring runlevels
authconfig-tui an interface for configuring system authentication resources
system-config-securitylevel
system-config-network-tui

etc

md5sum compute and check MD5 message digest find . -type f -exec md5sum {} \; > /tmp/md5.out
← check all files
gpg OpenPGP encryption and signing tool
screen
kermit

Wireshark

Wireshark (old name is Ethereal) is a program that can run in many operating systems such as Windows, Linux, MacOS or Solaris and can analyze all the traffic going to network cards connected to computer. Analyze over 750 protocols Can capture packets and save them to a file.

Logical operators are available for all filtering.

Example: http & ip.src == 192.168.0.1
Management Frame: The frame for the connection between the network device and the client.
Control Frame: Controls the integrity of data traffic between the network device and the client.
Data Frame: The frame on which the original data is transferred.

Often used commands
Only to show the outgoing packets from the management frame. wlan.fc.type==0
To show incoming, outgoing packets through control frame. wlan.fc.type==1
To show packets transferred over the data frame. wlan.fc.type==2
Association lists the requests. wlan.fc.type_subtype==0
Association lists the answers. wlan.fc.type_subtype==1
Probe lists requests. wlan.fc.type_subtype==4
Lists the probe responses. wlan.fc.type_subtype==5
Lists Beacon signals / waves. wlan.fc.type_subtype==8
Lists the Authentication requests. wlan.fc.type_subtype==11
Lists deauthentication requests. wlan.fc.type_subtype==12
TCP lists the outgoing packets to the xx port. tcp.port == xx
TCP lists packages with the Source xx port. tcp.srcport == xx
TCP lists packages with a destination xx port. tcp.dstport == xx
UDP lists the outgoing packets to the xx port. udp.port == xx
UDP lists packets with a destination xx port. udp.srcport == xx
UDP lists packages that have the Source xx port. udp.dstport == xx
Lists the HTTP Get requests. http.request
Lists packages for the source or destination mac address. wlan.addr == MAC-Address
The source lists packages that have a mac address. wlan.sa == MAC-Address
Lists packages that have a target mac address. wlan.da == MAC-Address
To view only DHCP traffic.
DHCP uses BOOTP as its transport protocol.
udp.port == 68
bootp

Connection Managers

ToolProtocolLink
MobaXtermMultihttps://mobaxterm.mobatek.net/download.html
PuTTYSSH, SFTP https://www.putty.org/
Royal TSrdp, Multihttps://www.royalapplications.com/ts/win/download
TerminalsRDPhttps://github.com/terminals-Origin/Terminals
Devolutions Remote Desktop Manager All in onehttps://remotedesktopmanager.com/
BitwiseSSHSSHhttps://www.bitvise.com
Remote Desktop Connection Manager RDPhttps://www.microsoft.com/en-us/download/details.aspx?id=44989
mRemoteNGMultihttps://mremoteng.org/
MultiDesk RDPhttp://www.hoowi.com/multidesk/index_en.htm
RD TabsMultihttps://www.avianwaves.com/Software/Tools/RD-Tabs
Babun – wtf Discontinued in 2018Win Shell https://babun.github.io/
pgAdminPostgreshttps://www.pgadmin.org/

PMTA

PowerMTA™ v4.5 User’s Guide

Copyright © 1999-2019, Port25 Solutions, Inc. All Rights Reserved.
Port25 and PowerMTA are trademarks of Port25 Solutions, Inc. All other brands and names are property of their respective owners.

1 Introduction

1.1 General Description and Basic Functionality

PowerMTA is specialized, high performance Message Transfer Agent
(MTA) software that intelligently and efficiently delivers large volumes of email, allowing for maximum delivery and response. While all-purpose MTAs in use today perform a whole variety of tasks including delivering email, these general solutions fall short both in regards to scalability and relevant feature sets, negatively affecting delivery rates and subsequent ROI. In contrast, PowerMTA was developed for this particular task, helping legitimate, permission based email marketers, publishers, and service providers overcome the business and technology challenges of email message delivery.

PowerMTA’s basic functionality consists of receiving inbound or outbound messages via either standard email protocols (SMTP) or programming interfaces, routing them based on either name services (DNS) or pre-configured information and delivering them using SMTP or locally to a program.

1.2 Minimum Requirements

PowerMTA currently runs on:

  • Microsoft Windows 2008/2012/2016/2019 on Intel and compatible processors
  • Red Hat Enterprise Linux 6.0 or later on Intel and compatible processors (32 and 64 bit)
  • Debian based Linux on Intel and compatible processors (32 and 64 bit)

Prerequisites:

  • a name server (DNS), not necessarily on the same host,
  • a static IP address and a domain name,
  • a license activation key (LAK) from Port25 support,
  • minimum hardware requirements, depending on the size of the workload and mail queues, and the desired throughput rate.
  • NTP (Network Time Protocol) – Clock must be synced to internet time server

Contact Port25 if you need hardware recommendations for your specific workload and throughput requirements.

1.3 Supported interfaces

PowerMTA supports the following submission and delivery interfaces:

  • Submission via standard (extended) SMTP
  • Submission via C/C++ API
  • Submission via .NET API
  • Submission via Perl API
  • Submission via Java API
  • Submission via “pickup” directory
  • Delivery via standard (extended) SMTP
  • Delivery to a local program

and will be supporting others in the future. Unless otherwise noted, these interfaces are available on all supported operating systems. You will find detailed information about the submission APIs here. Sample applications for the various APIs are also distributed along with PowerMTA.

1.4 Monitoring/Management Tools Summary

PowerMTA was designed to require only minimal configuration and very little management. However, for those who want to actively monitor and manage, a variety of flexible tools are available to do just that, both on a manual or automated basis. Full details and examples are provided in this Guide, but here is a quick list of the resources available:

  • a built-in web-based monitor that allows you to view in real time what is currently taking place within PowerMTA. This monitor also includes a view and top level break down of the current mail queues, a view and breakdown of each VirtualMTA queue, a view of each job/campaign in the queue, as well as the last error received for each domain.
  • a command line tool supporting a variety of monitoring and management commands, with four output formats (text, XML, JSON and DOM-style), which allow for easy integration into existing monitoring infrastructures or custom parsing and monitoring applications.
  • detailed logging, both for incoming and outgoing connections, configurable both globally and for specific destination domains.
  • detailed accounting data in CSV format on each successful and unsuccessful transfer/delivery that can be post processed for delivery verification/accountability, for performance and throughput analysis, etc.
  • a powerful accounting file search and reporting tool, allowing one to search for records in the accounting file and then to produce a custom output based on specific fields in the matching records.
  • an accounting statistics application for extracting the most commonly needed information for monitoring and capacity planning.
  • the Sparkpost Signals service that analyzes your email sending and response data to help you identify potential problems.

2 PowerMTA Installation

If you are upgrading to a newer version of PowerMTA, please make sure that you have obtained a compatible PowerMTA license for the new version that you are installing. If your license has the “SupportExpires” field in it, please ensure that the current date is not past the “SupportExpires” date. The pre-install checks will fail the installation process if a compatible license for the version you are installing is not found.

2.1 Installing on Microsoft Windows

How to install:

  1. Download the kit.
  2. Log in as Administrator.
  3. Open a command prompt as an administrator (right click and select “Run as Administrator”).
  4. Run the PMTA MSI from within this window.
  5. If you are installing PowerMTA for the first time or upgrading from a different version, copy the license key received from Port25 to a file named license.dat in the directory where PowerMTA was installed (e.g., C:\pmta\license.dat). Please ensure that the file is stored as ASCII, not in Unicode.
  6. Check that the configuration (e.g., C:\pmta\config.dat) suits your needs; the file can be edited with any ASCII-editor such as Notepad. See Initial Configuration for details.
  7. Start the mailer from the Services item in the Control Panel or by typing net start pmta in a Command Prompt window.
  8. If you have an anti-virus and/or indexing service, they should not scan or handle the spool files, accounting files, or log files (to prevent file locking issues with PowerMTA).

2.2 Installing on Linux

How to install:

  1. Download the kit.
  2. Log in as root.
  3. If installing for the first time, optionally create a group called pmta. Membership to this group authorizes non-root users to execute PowerMTA commands and access the submission APIs. The group is created automatically by the installation procedures, but creating it manually allows you to also choose its numeric ID.
  4. Install the package (substituting the file name as appropriate):
    # rpm -Uvh PowerMTA-4.*.rpm
    

    Or on Debian:

    # dpkg -i PowerMTA-4.*.deb
    
  5. If installing for the first time or upgrading from a different version of PowerMTA, copy the license key received from Port25:
    # cp mykey.txt /etc/pmta/license
    
  6. Check that the initial configuration (/etc/pmta/config) suits your needs, as described below.
  7. Start the mailer (only necessary immediately after the install: it will be started automatically upon system startup):
    # /etc/rc.d/init.d/pmta start
    
  8. Optionally, install gdb, which PowerMTA can use in order to obtain useful debugging information.

2.3 Initial Configuration

There are only two things that must be manually defined in the configuration file, in addition to the supplied default entries, in order to have PowerMTA up and running: the postmaster address(es) and the relaying control configuration.

Besides being the traditional address for which external parties can reach the maintainer of the mail server, the postmaster address is used by PowerMTA and its watchdog monitoring facility, pmtawatch, to send crash reports and other information to upon successful automatic restart of the mailer (after a crash).

For security reasons, PowerMTA does not allow external relaying by default; the default configuration only allows messages to be submitted from the local 127.0.0.1 IP address. In order to submit messages for delivery from a different host, you will need to enter its IP address(es) into the configuration file by creating one or more source entries and specifying the always-allow-relaying directive.

Note that the relay-domain and relay-address directives in the configuration file are really only useful when PowerMTA is used to handle inbound traffic. These allow you to specify the recipient domains or email addresses of messages which PowerMTA is to accept from any sources. When configuring PowerMTA for outbound, you want it to accept email from your feeders for all domains by using always-allow-relaying.

See PowerMTA Configuration for detailed information on the configuration file.

2.4 Uninstalling

On each platform PowerMTA is installed with the platform’s standard packaging software. You can uninstall PowerMTA using the platform’s existing uninstall option:

  • On Windows, open the Control Panel, click “Programs”, click “Uninstall or change a program”, select the PowerMTA item, and click on
    “Uninstall” or “Uninstall/Change” at the top of the program list. After confirming that you would like to proceed, that will initiate the uninstall process.
  • On Linux, log in as root and execute rpm -e PowerMTA or dpkg -r PowerMTA

Any configuration, logging, accounting, and message files found in PowerMTA’s directories will not be automatically removed, and neither will the directories themselves. On Linux the uninstall software will display a list of the remaining files and the commands you need to execute to remove them. On Windows, you can simply remove the complete directory tree into which you had installed PowerMTA.

2.5 Running PowerMTA on a Virtual Server

While this is technically possible, it is not a recommended setup unless the virtual server has adequate hardware and the virtual server software is configured correctly. The sharing of resources on a misconfigured virtual machine may create an environment under load that could cause PowerMTA to become unresponsive.

If PowerMTA is going to be run on VMware®, please take the following steps to ensure that PowerMTA gets the needed resources:

  • Open your vSphere client
  • Right click on the PowerMTA server and select “Edit Settings”
  • Select the “Resources” tab
  • Change the shares value for CPU/Memory/Disk to the following values:
    CPU = 1000000
    Memory = 1000000
    Disk = 4000
    
  • For CPU, Memory, and Disk also make sure the “Unlimited” checkbox is checked for each in the same section
  • Restart the PowerMTA server

These can be changed again later if needed or the settings can be turned down to find the optimal setting, but we have found that this helps ensure PowerMTA runs properly in a virtual environment.

3 PowerMTA Configuration

3.1 Working with the configuration file

PowerMTA’s configuration files are simple UTF-8 encoded text files that can edited by most editors, such as Notepad, vim and Emacs. Most settings are entered one per line and are formed by a keyword on the left identifying a directive and a value on the right, as in the example below:

host-id 5

Certain directives, like those applying to a specific destination domain, are grouped based on what they apply to:

<domain test.port25.com> # 'test' host
    smtp-hosts [127.0.0.1]:11111
    log-commands yes
</domain>

As indicated in the examples above, comments can be introduced by prefixing the comment with a hash mark “#”. Like other file formats using the hash mark for comments, PowerMTA ignores the “#” and any characters following it until the end of the line.

Since the files are UTF-8 encoded, internationalized domain names and email addresses can be entered directly:

<domain bücher.de>
    ...
</domain>

PowerMTA reads the configuration upon startup. After making changes, you must either execute the pmta reload
command or restart PowerMTA. Reloading the configuration is more efficient. Most configuration changes can be reloaded, but changes to some directives require PowerMTA to be restarted; this is indicated in each such directive.

PowerMTA supports the ability to remotely modify/upload a configuration file via the web monitor (and thus via HTTP). To push the configuration programmatically, one needs to issue a HTTP POST, passing the configuration file in the field named “file” to the URL http://127.0.0.1:8080/editConfig. One also needs to be authorized for admin access via the http-access directive.

3.2 Syntax definitions

BOOLEAN

Valid values are yes, no, true, or false.

DOMAIN pattern

Domain patterns are used to match domain names in various parts of PowerMTA and can be specified in one of the following formats:

  • * – Matches all domains.
  • domain – A single, fully qualified domain name. Matches that specific domain only.
  • *.domain – Matches any subdomains of domain, but not the domain itself.
  • [*.]domain – Matches domain as well as its subdomains.
  • [ip/mask] – CIDR format, matches domains in the dotted decimal format, like [127.0.0.1]. The actual IP address in the domain must match the given CIDR specification (ip prefix and (optional) mask number of significant bits). [0/0] matches all domains in dotted decimal format.

REGEX

A perl-compatible regular expression (PCRE). For more information, please refer to the Perl documentation or the PCRE library package.

Examples:

/^\s*eval/
/unknown user/
/^421 .* too many errors/

TIME-INTERVAL

A string like 1w2d12h or 300s where w is weeks, d is days, h is hours, m is minutes, and s is seconds.

3.3 Configuration Directives

3.3.1 Global Directives

These directives are “global” and affect PowerMTA as a whole.

3.3.1.1 postmaster

Specifies an email address for the person responsible for PowerMTA’s operation. This should always be specified because it is used by the internal watchdog facility for crash and LAK expiry notifications. Messages sent to the local postmaster and abuse addresses are also by default forwarded to the given addresses. You can specify more than one address by entering postmaster multiple times.

Example:

postmaster you@your.domain
postmaster you@your.domain.at.home

3.3.1.2 spool

Specifies a directory for the message spool, where PowerMTA stores the message files while queued for delivery. While at least one spool directory is required, additional entries can be added for greater performance, for example by distributing the I/O load over several disks.

Deprecated Use <spool> instead.

Example:

spool c:\pmta\spool

3.3.1.3 spool-delete-corrupted

Determines whether PowerMTA should delete any message files in the spool found to contain encoding errors, such as those caused by disk data corruption. If set to false, corrupted spool files, if any, are ignored and remain on disk.

Default: false

Example:

spool-delete-corrupted true

3.3.1.4 spool-min-free-space

Instructs PowerMTA to stop accepting email into a spool directory if the space available on its file system falls below the amount specified. When available disk space increases above that level, messages are accepted again.

On Unix, this is based on the space available to non-root users.

Deprecated Use min-free-space within <spool> instead.

Syntax:

spool-min-free-space N

where N is a positive integer specifying a size in MB.

Default: 0

Example:

spool-min-free-space 100 # MB

3.3.1.5 spool-max-recipients

Specifies the maximum number of recipients to allow across all spool directories, to help prevent overwhelming PowerMTA with more messages than it has the resources to handle. When this limit is reached, feeding new messages into PowerMTA fails with a transient error message.

If set to auto, the maximum number is determined automatically based on system resources.

Syntax:

spool-max-recipients { N | auto }

where N is a positive integer representing the maximum number of recipients allowed.

Default: auto

Example:

spool-max-recipients 10000000

3.3.1.6 run-as-root

Specifies whether PowerMTA should run as root or as user pmta. (Only supported on Unix.) You may want to not run PowerMTA as root for security reasons.

Note: This option requires a restart of PowerMTA service whenever changed.

Default: true

Example:

run-as-root false

3.3.1.7 smtp-server-tls-certificate

Specifies the X.509 certificate that PowerMTA should present when TLS is started on inbound SMTP connections (e.g., when STARTTLS is used). The certificate must be in PEM format.

Syntax:

smtp-server-tls-certificate FILENAME PASSWORD

Example:

smtp-server-tls-certificate /etc/pmta/yourcert.pem SkJkemI0zffkez

3.3.1.8 smtp-server-tls-ca-file

Specifies a “CA file” containing Certification Authority certificates to allow verifying any certificates presented by clients on inbound SMTP connections. The certificates must be in PEM format.

Example:

smtp-server-tls-ca-file /etc/pmta/certchain.pem

3.3.1.9 smtp-server-tls-allow-sslv3

Allows PowerMTA to use SSLv3 when accepting a secure connection from a client during STARTTLS.

Default: false

Example:

smtp-server-tls-allow-sslv3 false

3.3.1.10 smtp-server-tls-allow-tlsv1

Allows PowerMTA to use TLSv1 when accepting a secure connection from a client during STARTTLS.

Default: false

Example:

smtp-server-tls-allow-tlsv1 true

3.3.1.11 smtp-server-tls-allow-tlsv1.1

Allows PowerMTA to use TLSv1.1 when accepting a secure connection from a client during STARTTLS.

Default: true

Example:

smtp-server-tls-allow-tlsv1.1 false

3.3.1.12 smtp-server-tls-allow-tlsv1.2

Allows PowerMTA to use TLSv1.2 when accepting a secure connection from a client during STARTTLS.

Default: true

Example:

smtp-server-tls-allow-tlsv1.2 false

3.3.1.13 smtp-server-tls-ciphers

Specifies the ciphers that PowerMTA is allowed to use when negotiating a TLS session with a client during STARTTLS. Please see documentation for OpenSSL command ‘ciphers’ for valid cipher names that can be used with this.

Default: HIGH:!ADH:@STRENGTH

Example:

smtp-server-tls-ciphers HIGH:!ADH:@STRENGTH

3.3.1.14 smtp-source-host

On a multi-homed host, this directive specifies an IP address (or IP address range) and host-name from which PowerMTA is to initiate outgoing SMTP connections. You can enter this directive several times and/or specify a CIDR IP address range along with the host name, instructing PowerMTA to use the various source IP addresses in round-robin fashion.
All local IP addresses matching the IP range specified are added to the list of source IP addresses, except for 127.0.0.1, which is automatically excluded since it can’t be used to connect to remote hosts.

When specified within a VirtualMTA, this directive overrides the global source IPs for connections established to send messages through that VirtualMTA.

Syntax:

smtp-source-host CIDR HOST-NAME
smtp-source-host IP HOST-NAME

Example:

smtp-source-host 10/8    baz.quux.com
smtp-source-host 1.2.3.4 foo.bar.com

3.3.1.15 alias

This directive allows a list of email addresses to be defined for which PowerMTA should forward messages to different addresses. For example, if a message is received by PowerMTA for example@domain1abc.com, then forward the message on to support@port25.com. See Aliases / Forwarding for more information.

Syntax:

alias SOURCE TARGET

Example:

alias example@domain1abc.com support@port25.com

3.3.1.16 smtp-ip

Deprecated Use smtp-listener instead.


3.3.1.17 smtp-port

Deprecated Use smtp-listener instead.


3.3.1.18 smtp-listener

Specifies an IP address and port to listen for incoming SMTP connections. Multiple smtp-listener entries can be specified in a configuration file, each of which specifying a different IP address and/or port. 0.0.0.0 may be used more than once to set multiple ports for all IP addresses on the system. A CIDR IP address range can also be specified. If any smtp-listener directives are specified, PowerMTA ignores the smtp-ip and smtp-port directives. However, if no smtp-listener directives are specified, one listener is implicitly started for 0.0.0.0:25.

smtp-listener accepts an optional source= parameter which allows you to specify a <source> entry with settings to override those obtained from the normal matching by source IP address.

Syntax:

smtp-listener CIDR:PORT 

Example:

smtp-listener 1.2.3.4:25 source=mta1
smtp-listener 0.0.0.0:26

<source mta1>
    default-virtual-mta mta1
</source>

<source 10.0.0.0/8>
    allow-mailmerge yes
    always-allow-relaying yes
</source>
<source 0/0>
    allow-mailmerge no
    always-allow-relaying no
</source>

In the example above, VirtualMTA mta1 is selected by default for any messages received through 1.2.3.4. Permission for relaying and for using the mailmerge extensions are granted to connections coming from 10.*, whether they connect to 1.2.3.4 or not.

Warning If you specify always-allow-relaying
on a source selected from a smtp-listener directive, anybody who can connect to the given IP address will be allowed to relay. In doing so, you might be creating an “open SMTP relay”.


3.3.1.19 custom-dsn-from-header

Used to configure the content of From header in DSN reports generated by PowerMTA.

Example:

custom-dsn-from-header "Postmaster <foobar@there.com>"

3.3.1.20 smtp-await-slot

Specifies whether PowerMTA should wait for a new connection slot when a new (incoming) SMTP connection request is received but no more slots are available. If set to false, PowerMTA responds with a 421 greeting, indicating that the service is not available, and closes the connection.

Default: false

Example:

smtp-await-slot true

3.3.1.21 host-id

When using add-message-id-header, host-id specifies a per server unique identifier that helps prevent the same message ID from being used on two separate instances of PowerMTA
(multiple servers).

Default: 0

Example:

host-id 5

3.3.1.22 domain-suffix

Specifies the domain name to append when an email address is received whose domain is not fully qualified.

Example:

domain-suffix bounce.port25.com

3.3.1.23 host-name

This directive specifies a (fully qualified) host name for the local host. If the machine on which PowerMTA is running is known under several names, these should all be listed by adding various host-name directives. The first name specified is picked as the “main” name and is used for the SMTP greeting messages, EHLO/HELO commands, etc. When specified within a VirtualMTA, this directive overrides the global host name for messages sent through that VirtualMTA. When used, this directive behaves like relay-domain, meaning that it will accept all messages for the defined domain.

Example:

host-name mail.foo.com

3.3.1.24 name-server

This directive specifies the IP address of a name server (DNS server) for PowerMTA to use. If none is entered, PowerMTA uses the name servers configured in the operating system. If more than one name-server is defined, PowerMTA will round robin through all defined name servers in a load balancing fashion.

Example:

name-server 10.1.2.3
name-server 8.8.8.8

3.3.1.25 thread-min-priority, thread-max-priority

Unix specific directive. Specifies range of process priorities to use for the various threads within PowerMTA. Normally these directives should be left at their defaults, however it may be necessary to weight process priorities differently when PowerMTA shares a host with other server software. thread-min-priority specifies the “slower” priority and thread-max-priority specifies the “faster” priority.

Default: 15 for thread-min-priority 0 for thread-max-priority

Example:

thread-min-priority  5
thread-max-priority  50

3.3.1.26 thread-reuse

Normally, once a thread is finished with its work (like, for example, handling a connection), PowerMTA retains it for later reuse. Setting this directive to false causes PowerMTA to discard threads as soon as they are no longer needed, avoiding certain external problems such as slowing down the top command on Linux. However, this costs some performance and also prevents PowerMTA from working around a bug in glibc versions prior to 2.2.2 that severely reduces the amount of virtual memory available, possibly causing PowerMTA to crash if the queue grows very large.

Default: true

Example:

thread-reuse false

3.3.1.27 mailmerge-expands-undefined-variables

When set to “false”, mail merge inserts like “[foo]” remain as “[foo]” in the message if the “foo” variable isn’t defined, rather than getting expanded to the empty string.

Default: true

Example:

mailmerge-expands-undefined-variables false

3.3.1.28 pmc-acct-min-free-space

If you use PowerMTA’s companion product, the PowerMTA Management Console (PMC), this directive controls when to start deleting old CSV files written for the PMC. If the amount of free space on the disk drops below this number, PowerMTA will start to delete the oldest PMC accounting files in order to make space for new accounting files.

If the PMC runs properly, you should not see accounting files building up on PowerMTA’s side, but if there is a problem (e.g., PMC machine down or too busy, firewall rules preventing the PMC to connect to PowerMTA, or PMC just turned off but not properly de-registered from PowerMTA), this directive can limit the amount of disk space PowerMTA uses. When PowerMTA runs out of disk space and discards accounting files, that data is lost forever, and you’ll see “holes” in the PMC’s reports.

Default: unlimited

Example:

pmc-acct-min-free-space 5G

3.3.1.29 Relaying Control Directives

3.3.1.29.1 always-allow-relaying

Specifies whether SMTP senders from the given source should be allowed to relay email through PowerMTA, even if the recipients are not for one of the relay-domains. Typically you should enable this in the source entries of “internal” hosts feeding PowerMTA through SMTP.

Default: false

Example:

always-allow-relaying false

3.3.1.29.2 relay-domain

Recipient domain name (or pattern) for which PowerMTA will accept email. Any host is allowed to relay email for these domains, independent of its source IP address. This directive may be specified more than once.

This directive is mostly useful for handling inbound email. When setting up PowerMTA for relaying inbound email to some other host, you should enter the corresponding domain name(s) into the relay domains list. Conversely, if in your installation PowerMTA is handling outbound email only, there is no need to configure any relay domains.

Syntax:

relay-domain DOMAIN

where DOMAIN is a domain name pattern.

Default: local domains

Example:

# allow relaying of mail to some.domain
relay-domain some.domain

3.3.1.29.3 relay-address

Recipient address for which PowerMTA will accept email. Any host is allowed to relay email to these addresses, independent of its source IP address. This directive may be specified more than once.

This directive is mostly useful for handling inbound email such as setting up PowerMTA for relaying inbound email to some other host.
Conversely, if in your installation PowerMTA is handling outbound email only, there is no need to configure any relay addresses.

Syntax:

relay-address { EMAIL-ADDRESS | REGEX }

Example:

relay-address bounce@bounce.yourdomain.com
relay-address /@foo(bar)?\.com$/

3.3.1.29.4 relay-debug

Specifies that relaying control is to be performed in “debugging” mode. Normally, recipients to which relaying is not allowed are rejected with persistent (5XX) SMTP error codes, causing immediate bounces. In debugging mode, a transient (4XX) error is returned instead to the sending mailer, allowing it to continue trying to deliver to that recipient. This directive comes handy when making changes to the relaying control configuration since it gives you a chance to review the log for any unintended rejections and correct the configuration before messages are bounced.

Default: false

Example:

relay-debug true

3.3.1.30 General Queueing and Delivery Directives


3.3.1.30.1 domain-key

Specifies a domain key to use for signing messages delivered through the given VirtualMTA or for any messages if configured at the global level. You can specify multiple domain-key entries. PowerMTA determines the key to use by going through the keys sequentially and picking the first key whose domain either equals or is a parent of the message’s sending domain.
If there are matching domain keys at both the global level and the VirtualMTA level, the VirtualMTA’s domain keys take precedence. The sending domain is that of the Sender header, or, if Sender is not present, of the From header. If no keys match the sending domain, the message is not signed. The wildcard * may be used in place of a domain. This will cause all messages to be signed using the sending domain (extracted from the headers). We recommend that all wildcard entries be placed last when multiple domain-key entries are specified, as a wildcard will be matched before a non-wildcard entry. For more information on how to set up DKIM, please see PowerMTA DKIM Implementation.

Syntax:

domain-key SELECTOR,{DOMAIN|*},FILENAME

Example:

domain-key m,mail.port25.com,c:\pmta\m.pem
domain-key base,*,c:\pmta\base.pem

3.3.1.30.2 invalid-virtual-mta-fallback

Specifies a fallback VirtualMTA to select for messages for which an invalid (non-existent) VirtualMTA was selected. By using this directive,
you prevent PowerMTA from bouncing messages for which an invalid VirtualMTA was selected. Instead, the messages are delivered from the fallback VirtualMTA. This directive only works when feeding PowerMTA. It does not work with reroute-to-virtual-mta or backoff-reroute-to-virtual-mta.

Syntax:

invalid-virtual-mta-fallback VMTA-NAME

3.3.1.30.3 include-headers-from

Specifies the name of a file containing RFC2822-formatted headers to insert in all messages delivered from a VirtualMTA. The headers are inserted immediately after the Received header added by PowerMTA. When used globally, all VirtualMTAs will inherit the settings. If a VirtualMTA already has the directive defined, both settings will be used.

Syntax:

include-headers-from FILENAME

3.3.1.30.4 domain-macro

Specifies the variable and bindings for domain macro expansion. Only letters, numbers, and the underscore are supported when naming a domain-macro. See <domain> Directives for more information on usage.

Syntax:

domain-macro MACRO-NAME DOMAIN-LIST

Example:

domain-macro rollupDomains yahoo.com,gmail.com,hotmail.com

domain-macro tld .com,.co.uk,.co.in

3.3.1.31 Pickup Directives

3.3.1.31.1 pickup

This directive specifies the path to a “pickup directory” from which PowerMTA processes email submissions, as well as the path to a corresponding “bad mail” directory to which improperly formatted messages are moved. See Pickup Directory for more information. Only one pickup directory is supported.

Syntax:

pickup PICKUP-DIRECTORY BAD-FILE-DIRECTORY

Example: (Windows)

pickup c:\Inetpub\Mailroot\Pickup c:\Inetpub\Mailroot\BadMail

Example: (Unix)

pickup /opt/pickup/new  /opt/pickup/badfiles

3.3.1.31.2 pickup-retry-interval

Deprecated


3.3.1.31.3 pickup-remove-dot

When using SMTP feeding and a line starts with a period, that period needs to be escaped by adding a second period. When using a pickup file, the period does not need to be escaped. If the feeding application is adding two periods to a pickup file this directive may be set to true to allow the second period to be removed for proper formatting of emails.

Default: false

Example:

pickup-remove-dot yes

3.3.1.32 Dummy SMTP (“blackholing”) Directives

3.3.1.32.1 dummy-smtp-ip

Specifies the IP address on which PowerMTA is to listen for incoming connections that are to be handled as “dummy” SMTP connections.

Example:

dummy-smtp-ip 127.0.0.1

3.3.1.32.2 dummy-smtp-port

Specifies the TCP port on which PowerMTA is to listen for incoming connections that are to be handled as “dummy” SMTP connections.

Default: 0, meaning disabled.

Example:

dummy-smtp-port 2525

3.3.1.32.3 dummy-smtp-await-slot

Specifies whether PowerMTA should wait for a new connection slot when a new dummy SMTP connection request is received but no more slots are available. If set to false, PowerMTA responds with a 421 greeting, indicating that the service is not available, and closes the connection.

Default: false

Example:

dummy-smtp-await-slot true

3.3.1.32.4 dummy-smtp-has-chunking

Specifies whether dummy SMTP connections are to support the CHUNKING SMTP extension.

Default: false

Example:

dummy-smtp-has-chunking true

3.3.1.32.5 dummy-smtp-has-pipelining

Specifies whether dummy SMTP connections are to support the PIPELINING SMTP extension.

Default: false

Example:

dummy-smtp-has-pipelining true

3.3.1.32.6 dummy-smtp-has-verp

Specifies whether dummy SMTP connections are to support the VERP SMTP extension.

Default: false

Example:

dummy-smtp-has-verp true

3.3.1.32.7 dummy-smtp-latency

Specifies the network latency, in milliseconds, to be simulated in dummy SMTP connections.

Default: 0

Example:

dummy-smtp-latency 100

3.3.1.32.8 dummy-smtp-update-stats

Specifies whether dummy SMTP connections should update the traffic statistics displayed by e.g. the web-based Status Monitor.

Default: true

Example:

dummy-smtp-update-stats false

3.3.1.33 Web-Based Monitor Directives

3.3.1.33.1 http-mgmt-port

Specifies the TCP port number for the web-based monitor. Since there is no standard port for this application, other software running on the same host may already be using that port. In this case, change the port to a different port number. If http-mgmt-port is set to 0, no web-based monitor is started.

Changing this directive requires a restart of the pmtahttp service.

Default: 8080

Example:

http-mgmt-port 8888

3.3.1.33.2 http-redirect-to-https

Specifies whether plain HTTP connections to the web monitor are disabled. If this directive is set to true, the web monitor will only accept HTTPS connections, and any incoming HTTP connections are redirected to HTTPS.

Default: false

Example:

http-redirect-to-https true

3.3.1.33.3 http-access

Specifies the level of access given to the web monitor, depending on the IP address from where the request originated.

The keyword after the CIDR gives the level of access: none, monitor (read-only), operator (monitor level plus view configuration and run commands) or admin (operator level plus edit config).

Admin access is intended for things that actually modify PowerMTA’s state (configuration, LAK, queues, etc.).

The directive can be specified several times and builds an access list in which IP addresses are matched in the order in which they are specified in the configuration file (i.e, from the top of the config file to the bottom).

Please see the pmtahttp.log file for errors relating to use of this directive. The pmtahttp.log file should indicate the IP address of any attempted accesses.

Syntax:

http-access CIDR { monitor | operator | admin | none }

Default: none

Example:

# allow internal hosts access to the web-based monitor
http-access 10.0.0.0/8 monitor

# allow all IPs to the web-based monitor (use for testing only! This allows
# anyone in the world access to the web monitor!)
http-access 0/0 monitor

3.3.1.33.4 http-csrf-protection

This directive enables protection against Cross-Site Request Forgery attacks in the web monitor. When set to ‘true’, the web monitor disallows HTTP GET requests that can change PowerMTA’s or the Web monitor’s state, and requires that HTTP POST requests either include an API key (see http-api-key) or a CSRF token received from a previous GET call to the web monitor.

Default: true

Example:

# legacy application X requires mutable GET support http-csrf-protection false

3.3.1.33.5 http-api-key

This directive configures authentication keys for applications accessing the web monitor; it can be repeated to create multiple keys.
Applications passing a valid key in the X-API-Key header are granted full (admin) access to the web monitor.

Syntax:

http-api-key STRING

where STRING is a set of alphanumeric characters or the underscore character, and between 32 and 128 characters in length.

Example:

# application keys
http-api-key abcd_0123_abcd_0123_abcd_0123_ab # app X
http-api-key 5f6e7e426949e3a5e4ec38e747e71963 # app Y

3.3.1.33.6 http-strict-transport-security-max-age

This directive can be used to configure the max-age value included in the Strict-Transport-Security returned in PowerMTA web monitor responses.

Default: 0

Example:

http-strict-transport-security-max-age 0

3.3.1.33.7 http-mgmt-source & no-http-mgmt-source

Deprecated Use http-access instead.


3.3.1.33.8 http-tls-allow-sslv3

Allows PowerMTA web monitor to use SSLv3 when accepting a secure connection from a client.

Example:

http-tls-allow-sslv3 false

Default: false


3.3.1.33.9 http-tls-allow-tlsv1

Allows PowerMTA web monitor to use TLSv1 when accepting a secure connection from a client.

Default: false

Example:

http-tls-allow-tlsv1 false

3.3.1.33.10 http-tls-allow-tlsv1.1

Allows PowerMTA web monitor to use TLSv1.1 when accepting a secure connection from a client.

Default: true

Example:

http-tls-allow-tlsv1.1 false

3.3.1.33.11 http-tls-allow-tlsv1.2

Allows PowerMTA web monitor to use TLSv1.2 when accepting a secure connection from a client.

Default: true

Example:

http-tls-allow-tlsv1.2 false

3.3.1.33.12 http-tls-ciphers

Specifies the ciphers that PowerMTA web monitor is allowed to use when negotiating a TLS session with remote client. Please see documentation for OpenSSL command ciphers for valid cipher names that can be used with this directive.

Default: "HIGH:!ADH:@STRENGTH"

Example:

http-tls-ciphers HIGH:!ADH:@STRENGTH

3.3.1.34 http-tls-ca-file

Specifies a “CA file” containing Certification Authority certificates to allow verifying any certificates presented by clients on inbound HTTP connections to the web monitor. The certificates must be in PEMformat.

Example:

http-tls-ca-file /etc/pmta/certchain.pem

3.3.1.34.1 http-log-tls

Specifies whether PowerMTA web monitor should log information during negotiation of a TLS session with the remote client.

Default: false

Example:

http-log-tls false

3.3.1.34.2 http-log-data

Specifies whether web monitor data exchanges are logged or not. More verbose than http-log-requests.

Default: false


3.3.1.34.3 http-log-requests

Specifies whether web monitor data exchanges are logged or not.

Default: false


3.3.1.35 Logging Directives

3.3.1.35.1 log-auto-rotation

Specifies whether the logging files are to be rotated automatically at midnight. See the log-rotate directive for more information on file rotation.

Default: true


3.3.1.35.2 log-file

Specifies the name of PowerMTA’s logging file. On Windows, it can be either specified with a path name relative to the installation directory or with an absolute path. On Unix it must always be specified as an absolute path. The log-file directive controls the location of the PowerMTA log file, the HTTP log file, and the SNMP log file.

This directive is required and must always be configured in PowerMTA’s configuration file.

Syntax:

log-file FILENAME

Example: (Windows)

log-file log\pmta.log

Example: (Linux)

log-file /var/log/pmta/pmta.log

3.3.1.35.3 log-rotate

Specifies the number of files to keep when rotating the logging files. File rotation is a practical way of preventing files from growing too large and, at the same time, ensure that the most recent data is available in case it is needed. When the log files are rotated, PowerMTA renames the existing logging files, attaching a number to them, starting with 1 for the most recent file. On Unix, assuming a file named log, that’s log.N -> log.N+1, log -> log.1 and on Windows (assuming log.txt), log-N.txt -> log-N+1.txt, log.txt -> log-1.txt. It then creates a new file (either log or log.txt) to which it continues writing logging information. The number passed includes the file currently being written to, so a value of 1 means only the current file is kept (but no older files), 2 means the current file plus one old file, and so on. A value of 0 disables rotation entirely.

To trigger manual rotation run the following command:

pmta rotate log

Default: 8

Example:

log-rotate 8

3.3.1.35.4 log-file-world-readable

Setting this directive to true will allow anyone with access to the machine to read log files generated by PowerMTA.

Default: false


3.3.1.36 MX and IP Connection Limits

3.3.1.36.1 mx-connection-limit

Note that the MX rollup feature is a better way to enforce MX-level controls than the use of mx-connection-limit directive.

Per-MX connection limits can be configured with this directive.

One can define a specific MX record to match on, or use wildcards to define multiple MX records, for example, *.domain.com, using the same conventions available within <domain>
tags. The connection limit applies on a per source IP address basis (per IP address that PowerMTA will make connections from). If the wildcard is used, and multiple records are matched, the connection limit will apply per record matched, and not globally across all matches.

The global directive can be entered several times in the configuration file, once per line, forming a list of rules specifying the limits for the various MX records. It is important to note that
MX-NAME matches the MX record for a domain, and not the recipient domain itself.

This directive is most useful when an ISP or hosting provider hosts hundreds of domains, but has one or few MX records for all of those domains. This directive allows you to limit the number of connections per MX, regardless of the number of recipient domains you are mailing to. Note again, that the connection limit applies on a per source IP address basis and not per VirtualMTA.

Syntax:

mx-connection-limit MX-NAME N

where MX-NAME is the domain pattern that matches the MX(es) for whom the limit is being set and N is the number of simultaneous connections allowed to each MX in that group of MX(es).

Example:

mx-connection-limit *.secureserver.net 20

mx-connection-limit *.aspmx.l.google.com 5

3.3.1.36.2 ip-connection-limit

Per-IP connection limits can be configured with this directive. The IP in this case refers to the IP address of the MX that PowerMTA is connecting to.

The directive is only permitted in global scope. The syntax for the directive is similar to mx-connection-limit directive, except that it is uses IP addresses (CIDR notation).

Syntax:

ip-connection-limit CIDR N

where CIDR is the IP address specification of the destination, and N is the number of simultaneous connections allowed to each MX in the group of IP addresses that match the CIDR.

Example:

ip-connection-limit 173.194/16    50

ip-connection-limit 104.47.2.33   1

3.3.1.37 include

This directive can be used at global level to specify an additional configuration file to process. This can be used, for example, to facilitate maintenance of the configuration files across multiple hosts, by storing those settings which differ from host to host in a separate file and including it from the main (common) file. Wildcards may be used. An include may be used at global level and within <source>, <domain>, <virtual-mta> or <smtp-pattern-list> tag.

Example:

include /etc/pmta/vmtas.txt

3.3.2 <spool> Directives

Each <spool> specifies a directory for the message spool, where PowerMTA stores the message files while queued for delivery. While at least one spool directory is required, additional entries can be added for greater performance, for example by distributing the I/O load over several disks.

Syntax:

<spool DIRECTORY>
</spool>

Example: (Linux)

<spool /var/spool/pmta>
    priority 50
    delete-file-holders false
</spool>

Example: (Windows)

<spool C:\pmta\spool>
    priority 50
    delete-file-holders false
</spool>

3.3.2.1 delete-file-holders

Determines whether PowerMTA should delete any “file holders” (which are files temporarily left behind by PowerMTA in order to save on disk I/O) in the spool directory after a message has been delivered.

Default: false

Example:

<spool /var/spool/pmta>
    delete-file-holders true
</spool>

3.3.2.2 deliver-only

Indicates whether PowerMTA should only deliver messages from a spool directory, without writing new spool files to this directory.

This can be useful during failure recovery by allowing you to attach a spool directory from a failed server and having the messages in that directory be delivered without writing any new spool files to that directory.

Default: false

Example:

<spool /var/spool/pmta>
    deliver-only  true
</spool>

3.3.2.3 priority

Sets the priority for a spool location, from 100 (highest) to 1 (lowest). Spools with higher priority are always used, unless they are full, at which point lower priority spool locations are considered. If two or more spools have same priority, the spools are selected in round-robin fashion.

Syntax:

<spool DIRECTORY>
  priority N
</spool>

where N is a positive integer between 1 and 100.

Default: 1

Example:

<spool /var/spool/pmta/primary>
    priority 10
</spool>

<spool /var/spool/pmta/secondary>
    priority 5
</spool>

3.3.2.4 min-free-space

Instructs PowerMTA to stop accepting email into the spool if the space available on the file system falls below the amount specified.
When available disk space increases above that level, messages are accepted again.

On Unix, this is based on the space available to non-root users.

Syntax:

min-free-space { N{b|k|m|g|t} | 0 }

where N is a positive integer followed by a size multiplier (B for byte, K for Kilobyte, M for Megabyte, G for Gigabyte or T for Terabyte).

Default: 0

Example:

<spool /var/spool/pmta>
    min-free-space 1G
</spool>

3.3.3 <bounce-processor> Directives

The <bounce-processor> directive creates a bounce processor in PowerMTA. PowerMTA will then look for bounce emails when processing incoming messages. See here for more details on usage.

Example:

<bounce-processor>
    deliver-unmatched-email yes            # default: yes
    deliver-matched-email yes              # default: no
    forward-unmatched-to auto-feedback@port25.com
    forward-errors-to auto-feedback@port25.com
    <address-list>
        domain domain.to.filter            # whole domain
        address /regex@domain.to.filter/   # regex
    </address-list>
</bounce-processor>

3.3.3.1 deliver-unmatched-email

Controls whether any emails that were not matched by the bounce processor should be delivered. If set to false, unmatched emails are discarded.

Default: true

Example:

<bounce-processor>
    deliver-unmatched-email false
</bounce-processor>

3.3.3.2 deliver-matched-email

Determines whether any emails that were matched by the bounce processor should be delivered. If set to false, matched emails are discarded.

Default: false

Example:

<bounce-processor>
    deliver-matched-email true
</bounce-processor>

3.3.3.3 deliver-email

Deprecated Use deliver-matched-email/deliver-unmatched-email instead.


3.3.3.4 forward-unmatched-to

This directive allows for forwarding messages unmatched by the bounce processor to an external address.

Syntax:

forward-unmatched-to EMAIL-ADDRESS

Example:

<bounce-processor>
    forward-unmatched-to  foo@port25.com
</bounce-processor>

3.3.3.5 forward-errors-to

This directive configures forwarding for messages that the bounce processor failed to parse.

Syntax:

forward-errors-to EMAIL-ADDRESS

Example:

<bounce-processor>
    forward-errors-to  foo@port25.com
</bounce-processor>

3.3.4 <feedback-loop-processor> Directives

The <feedback-loop-processor> directive creates a feedback loop processor in PowerMTA. PowerMTA will then look for FBL emails when processing incoming messages. See here for more details on usage.

Example:

<feedback-loop-processor>
    deliver-unmatched-email no         # default: yes
    deliver-matched-email yes          # default: no
    forward-unmatched-to auto-feedback@port25.com
    forward-errors-to auto-feedback@port25.com
    <address-list>
        address /fbl@fbl.yourdomain.com/
    </address-list>
</feedback-loop-processor>

3.3.4.1 deliver-unmatched-email

Controls whether any emails that were not matched by the feedback-loop processor should be delivered. If set to false, unmatched emails are discarded.

Default: true

Example:

<feedback-loop-processor>
    deliver-unmatched-email false
</feedback-loop-processor>

3.3.4.2 deliver-matched-email

Determines whether any emails that were matched by the feedback-loop processor should be delivered. If set to false, matched emails are discarded.

Default: false

Example:

<feedback-loop-processor>
    deliver-matched-email true
</feedback-loop-processor>

3.3.4.3 deliver-email

Deprecated Use deliver-matched-email/deliver-unmatched-email instead.


3.3.4.4 forward-unmatched-to

This directive allows for forwarding messages unmatched by the feedback loop processor to an external address.

Syntax:

forward-unmatched-to EMAIL-ADDRESS

Example:

<feedback-loop-processor>
    forward-unmatched-to  foo@port25.com
</feedback-loop-processor>

3.3.4.5 forward-errors-to

This directive configures forwarding for messages that the feedback loop processor failed to parse.

Syntax:

forward-errors-to EMAIL-ADDRESS

Example:

<feedback-loop-processor>
    forward-errors-to  foo@port25.com
</feedback-loop-processor>

3.3.5 <address-list> Directives

An <address-list> can be used to organize domains, or email addresses, or regular expressions into a single list. If the list is named, it can be used with directives such as suppression-list. Unnamed lists can be used in <alias>, <bounce-processor> and <feedback-loop-processor> tags.

Example:

# Named <address-list>
<address-list foo>
 domain foo.com
 address /^bounce@/
</address-list>

# Unnamed <address-list> inside a <bounce-processor>
<bounce-processor>
  <address-list foo>
   domain foo.com
   address /^bounce@/
  </address-list>
</bounce-processor>

3.3.5.1 address

An email address, or a regular expression that matches an email address.

Syntax:

 address { EMAIL-ADDRESS | REGEX }

Example:

<address-list foo>
 address abc@xyz.com
 address /^bounce@/
</address-list>

3.3.5.2 address-file

Includes into the <address-list> all addresses in the file, where each line in the file is either the complete email address, or just the local part of an address.

Syntax:

 address-file FILENAME

Example:

<address-list foo>
 address-file /etc/pmta/suppression-address-list.txt
</address-list>

where /etc/pmta/suppression-address-list.txt contains:

foo
bar
baz@quux.com

3.3.5.3 domain

A domain name.

Syntax:

 domain DOMAIN

where DOMAIN is a complete domain name.

Example:

<address-list foo>
    domain bounce.foo.com
    domain fbl.bar.com
</address-list>

3.3.6 <email-patterns> Directives

<email-pattern> directives can be used to configure regular expressions that will be matched against incoming remote bounces or feedback loop messages in order to extract useful information from them. This feature is useful when the remote MTA does not use standard DSN/ARF formats for remote bounces/feedback loop messages they return. See Handling non-standard DSN/FBL reports for more details.

<email-patterns> can only be used with <bounce-processor> and <feedback-loop-processor> tags.

Example:

<email-patterns>
    body-pattern-file /etc/pmta/report-pattern.txt
    log-match-info true
</email-patterns>

3.3.6.1 body-pattern-file

This directive allows you to configure a file that contains the pattern matching the body of a non-standard FBL/DSN bounce report. See Handling non-standard DSN/FBL reports for more details.

Example:

<email-patterns>
    body-pattern-file /etc/pmta/report-pattern.txt
</email-patterns>

Sample content of the file /etc/pmta/report-pattern.txt

Email from (?<dlvSourceIp>[0-9\\.]+)

3.3.6.2 log-match-info

If set to true, a message will be printed to log file with a summary about the info that was extracted from a remote bounce/feedback loop message that was matched, along with the name of the pattern that matched it. Useful for debugging <email-patterns> when you have multiple email patterns configured.

Example:

<email-patterns>
    body-pattern-file /etc/pmta/report-pattern-1.txt
    body-pattern-file /etc/pmta/report-pattern-2.txt
    body-pattern-file /etc/pmta/report-pattern-3.txt
    body-pattern-file /etc/pmta/report-pattern-4.txt
    log-match-info true
</email-patterns>

Sample log message when log-match-info true is set

matched body-pattern defined in file:/etc/pmta/report-pattern-3.txt

3.3.7 <source> Directives

Directives entered within a <source> entry apply to SMTP connections from the given source. Per-source directives can be specified in two ways: by IP address and by name.

Each <source> entry to be applied by IP address specifies either an IP address in dotted decimal notation (like 10.0.0.1), or a range of IP addresses in CIDR notation (like 10/8).

A <source> entry to be applied by name specifies its name in the entry, like in <source S1>.

The example below shows entries for a specific IP, for a range of IPs in CIDR notation, and for the global 0/0 wildcard. More specific settings are used in favor of the more general if there is a conflict.

<source 10.0.0.5> # matches 10.0.0.5 only
    allow-mailmerge yes
</source>

<source 10.0.0.0/8> # matches 10.*
    always-allow-relaying yes
</source>


<source 0/0> # matches all
    always-allow-relaying no
    allow-mailmerge no
</source>

Note that PowerMTA merges (“inherits”) settings in source entries like it does for the domain entries, allowing you to provide defaults in a more generic entry (such as 0/0). After the inheritance, this is how PowerMTA sees the <source> settings:

<source 10.0.0.5> # matches 10.0.0.5 only
    always-allow-relaying yes
    allow-mailmerge yes
</source>

<source 10.0.0.0/8> # matches 10.*
    always-allow-relaying yes
    allow-mailmerge no
</source>

<source 0/0> # matches all
    always-allow-relaying no
    allow-mailmerge no
</source>

Named entries beginning with { are reserved and have special meaning: <source {pickup}> can be used to modify pickup directory handling and <source {auth}> can be used to specify defaults for any authenticated SMTP user.

Non-reserved named entries are used to override the settings obtained based on the source IP address. They apply only when specifically requested, like in the source=... parameter of the smtp-listener directive or <smtp-user>‘s source directive.

3.3.7.1 add-date-header

Specifies whether PowerMTA should add a Date header if missing. If a Date header is present, it is not overridden unless using the override parameter.

Note: Automatic addition of the Date header is not supported for mailmerge messages. When submitting mailmerge messages, you can use the *date variable to easily accomplish the same.

Syntax:

add-date-header { no | yes | override }

Default: no

Example:

<source 0/0>
    add-date-header yes
</source>

3.3.7.2 date-header-time

Specifies whether PowerMTA should set the Date header to the time the message was received and queued for delivery, or the time that the message was actually delivered. The directive add-date-header needs to be set to yes or override when using this directive.

Syntax:

date-header-time { reception | delivery }

Default: reception

Example:

<source 0/0>
    add-date-header yes
    date-header-time delivery
</source>

3.3.7.3 bcc

This directive takes an email address as a value, and if set, causes each message received from that source to be BCC’ed to the given email address. This can be used for creating a copy of every message for archival purposes.

Syntax:

bcc EMAIL-ADDRESS

Example:

<source 0/0>
    bcc foo@bar.com
</source>

3.3.7.4 add-message-id-header

Specifies whether PowerMTA should add a Message-Id header if missing. If a Message-Id header is present, it is not overridden.

Default: false

Example:

<source 0/0>
    add-message-id-header true
</source>

3.3.7.5 add-received-header

Specifies whether PowerMTA should add a Received header upon reception of an email.

Default: true

Example:

<source 0/0>
    add-received-header false
</source>

3.3.7.6 allow-auth

Specifies whether PowerMTA should allow usage of the AUTH SMTP command.

Default: true

Example:

<source 0/0>
    allow-auth false
</source>

3.3.7.7 smtp-max-auth-failure-rate

Specifies after how many unsuccessful authentication attempts in the given time PowerMTA should refuse further authentication attempts from this source. This is used to defend against password-guessing attacks.

For example, setting the rate limit to 5/min allows only five failed authentication attempts per minute.

Once a source is locked, users can only re-attempt authentication after the expiry of the configured time period, counted from the time of the the first failed attempt. For example, if the max auth failure rate is set to 3/h and someone tries to authenticate unsuccessfully at 10:00, 10:01, and 10:02, authentication will be refused till 11:00.

If this directive is set to unlimited (the default) or 0, PowerMTA will not block the account on failed authentication attempts.

For this directive to be effective, you must enforce authentication with the require-auth directive.

Syntax:

smtp-max-auth-failure-rate { unlimited | 0 | N/{d|day|h|hr|m|min|s|sec} }

where “s” or “sec” is seconds, “m” or “min” is minutes, “h” or “hr” is hours, and “d” or “day” is days.

Default: unlimited

Example:

<source 0/0>
    smtp-max-auth-failure-rate 5/m
</source>

3.3.7.8 remove-header

Specifies a header that PowerMTA should remove from the incoming or outgoing message. The directive takes a comma separated list of headers if there is more than one header to be removed. The header is removed at delivery, not when the message is queued to disk. The directive may be used in a <source> or <domain>, but is not required to be defined in both.

Use empty string ("") to clear any inherited value.

Syntax:

remove-header HEADER-LIST

Example:

<source 0/0>
    remove-header nameOfYourCustomHeader,nameOfOtherHeader
</source>

3.3.7.9 require-auth

Allows for requiring authentication before any emails are received via SMTP (local or not).

Default: false

Example:

<source 0/0>
    require-auth true
</source>

3.3.7.10 allow-mailmerge

Specifies whether PowerMTA should allow usage of the mailmerge SMTP extensions from the given source.

Default: false

Example:

<source 0/0>
    allow-mailmerge true
</source>

3.3.7.11 allow-unencrypted-plain-auth

Specifies whether PowerMTA should allow usage of the PLAIN SASL authentication mechanism in unencrypted connections.

Default: false

Example:

<source 0/0>
     true
</source>

3.3.7.12 allow-starttls

This directive controls whether PowerMTA supports the use of STARTTLS extension with clients that connect to it for submitting email.

Default: false

Example:

<source 0/0>
   allow-starttls true
</source>

3.3.7.13 require-starttls-before-auth

Setting this directive to true will enforce the requirement that connecting clients must perform STARTTLS before issuing any AUTH commands during the session.

Default: false

Example:

<source 0/0>
    require-starttls-before-auth true
</source>

3.3.7.14 broken-auth-clients

** Deprecated **


3.3.7.15 verp-default

If you enable VERP by setting verp-default to yes or true, PowerMTA will create a customized SMTP MAIL FROM address for the message based on the original SMTP MAIL FROM address and the RCPT TO addresses in the message. Since one can then identify the original RCPT TO address in this new encoded SMTP MAIL FROM address, this may make tracking bounces easier for you. The format is fixed, and can be see in the following example:

Original SMTP MAIL FROM: jsmith@example.com
SMTP RCPT TO: jdoe@yahoo.com
VERPed SMTP MAIL FROM: jsmith-jdoe=yahoo.com@example.com

Default: no

Example:

<source 0/0>
   verp-default true
</source>

3.3.7.16 check-dkim-inbound

Specifies whether or not PowerMTA should enable checking DKIM signatures on inbound messages. If the message has DKIM signature header in it, PowerMTA will add an Authentication-Results header stating the results.

Default: false

Example:

<source 0/0>
   check-dkim-inbound true
</source>

3.3.7.17 trace-dkim-check

Allows selecting whether the trace data (currently including all the DNS data looked up) is included in the Authentication-Results headers for the dkim check.

Default: false

Example:

<source 0/0>
   trace-dkim-check true
</source>

3.3.7.18 trace-spf-check

Requests inclusion of trace data (currently including all the DNS data looked up) for the SPF check in the Authentication-Results header.

Default: false

Example:

<source 0/0>
   trace-spf-check true
</source>

3.3.7.19 check-spf-inbound

Specifies whether to perform an SPF check on inbound messages. PowerMTA adds an Authentication-Results header with the results of the test.

Default: false

Example:

<source 0/0>
   check-spf-inbound true
</source>

3.3.7.20 check-spf-inbound-best-guess

Deprecated This directive is deprecated, do not use.


3.3.7.21 check-spf-inbound-max-void-lookups

Specifies the maximum number of “void” (empty or NXDOMAIN) responses to allow before failing the SPF check with “permerror”. A low number, such as 2, helps minimize certain denial-of-service attacks, but may also cause errors evaluating complicated SPF policies.

Default: 2

Example:

<source 0/0>
   check-spf-inbound-max-void-lookups true
</source>

3.3.7.22 check-iprev-inbound

Determines if PowerMTA performs an inbound DNS PTR check on the IP and EHLO hostname used for the connection.

Default: false

Example:

<source 0/0>
   check-iprev-inbound true
</source>

3.3.7.23 trace-iprev-check

Requests inclusion of trace data (currently including all the DNS data looked up) for the DNS PTR check in the Authentication-Results header.

Default: false

Example:

<source 0/0>
   trace-iprev-check true
</source>

3.3.7.24 reject-iprev-check-temperror

If set to true, and DNS PTR check for a message returns a temp error (such as DNS lookup failure), PowerMTA will reject the message.

Default: false

Example:

<source 0/0>
   reject-iprev-check-temperror true
</source>

3.3.7.25 reject-iprev-check-permerror

If set to true, and DNS PTR check for a message returns a perm error, PowerMTA will reject the message.

Default: false

Example:

<source 0/0>
   reject-iprev-check-permerror true
</source>

3.3.7.26 reject-iprev-check-fail

If set to true, and DNS PTR check for a message results in a failure, PowerMTA will reject the message.

Default: false

Example:

<source 0/0>
   reject-iprev-check-fail true
</source>

3.3.7.27 suppress-local-dsn

Disables the generation of DSN (bounce, delay or delivery) reports for messages received from this <source>.

Default: false

Example:

<source 0/0>
   suppress-local-dsn true
</source>

3.3.7.28 dsn-return-default

Specifies the default for the DSN RET parameter, i.e., whether the full message body or only its headers should be returned in a DSN delivery report. system specifies that the system default should be used. This directive is overridden by the use of “dsn-format plain-text”.

Syntax:

dsn-return-default { headers | full | system }

Default: system

Example:

<source 0/0>
   dsn-return-default headers
</source>

3.3.7.29 default-virtual-mta

Specifies the default VirtualMTA (or VirtualMTA pool) to select for all messages received from the source. This directive is used only when other higher priority methods of selecting a VirtualMTA (such as the use of X-Virtual-Mta header) are not applicable.

The special value by-smtp-source-ip can be used in place of a VirtualMTA name. When configured in this way, on an inbound SMTP connection PowerMTA will use as the default VirtualMTA whose “smtp-source-host” setting equals the destination IP address on the inbound connection.

Syntax:

default-virtual-mta { VMTA-NAME | by-smtp-source-ip }

Example:

<source 127.0.0.1>
    default-virtual-mta mta1  # mta1 is a virtual MTA
</source>

<source 0/0>
    default-virtual-mta by-smtp-source-ip
</source>


3.3.7.30 log-tls

Specifies whether PowerMTA should log information about negotiation of a TLS session with the remote client during STARTTLS.

Default: false

Example:

<source 0/0>
  log-tls true
</source>

3.3.7.31 reject-invalid-virtual-mta

Specifies that PowerMTA should reject messages when an invalid or null VirtualMTA is selected.

Default: true

Example:

<source 0/0>
  reject-invalid-virtual-mta true
</source>

3.3.7.32 disconnect-on-transient-error

Specifies that PowerMTA should close connections instead of sending transient SMTP errors. This is useful in situations where the feeding software cannot process 4xx errors.

Default: false

Example:

<source 0/0>
  disconnect-on-transient-error true
</source>

3.3.7.33 hide-message-source

Specifies that PowerMTA should attempt to hide the source of the message while delivering email from this source. Currently, this just means that the name and IP address of the MTA from which PowerMTA received this message will not be included in the Received: header added. Hiding the message’s source may be desirable, for example, for security purposes, to avoid revealing details from the internal network from which the message was submitted.

Default: false

Example:

<source 0/0>
  hide-message-source true
</source>

3.3.7.34 max-message-size

Specifies the maximum size allowed in messages received through SMTP. If set to unlimited, no explicit limit is enforced.

Syntax:

max-message-size { N{b|k|m|g|t} | 0 | unlimited }

where N is a positive integer followed by a size multiplier (B for byte, K for Kilobyte, M for Megabyte, G for Gigabyte or T for Terabyte).

An unsigned non-zero number is also accepted as the maximum size in bytes, but that syntax is deprecated.

Default: unlimited

Example:

<source 0/0>
  max-message-size 40K
</source>

3.3.7.35 max-message-hops

Specifies the maximum number of “Received” headers that can be present in a message that PowerMTA accepts.

Syntax:

max-message-hops N

Default: 100

Example:

<source 0/0>
  max-message-hops 50
</source>

3.3.7.36 max-rcpt-per-message

Specifies the maximum number of recipients accepted in each message. If set to zero or unlimited, no explicit limit is enforced.

Syntax:

max-rcpt-per-message { N | unlimited }

Default: 0

Example:

<source 0/0>
  max-rcpt-per-message 10
</source>

3.3.7.37 too-many-rcpts-fails-message

Specifies how PowerMTA should enforce the max-rcpt-per-message limit.
If enabled and too many recipients are passed for a message, rather than reject the recipient(s) over the limit (RCPT SMTP command), PowerMTA rejects the entire message (DATA command).

Default: false

Example:

<source 0/0>
  too-many-rcpts-fails-message true
</source>

3.3.7.38 suppression-lists

Specifies the suppression-list(s) to be used for suppressing addresses. Multiple lists may be specified, separating each list name with a comma. See Address Suppression Lists for more information.

Syntax:

suppression-lists SUPPRESSION-LIST-NAME

Example:

<suppression-list foo>
</suppression-list>

<source 0/0>
  suppression-lists foo
</source>

3.3.7.39 pattern-list

Specifies that messages received from the source are to be matched against the given pattern list. The pattern list referenced must precede the source definition in the configuration file. See <pattern-list> Directives for more details.

Syntax:

pattern-list PATTERN-LIST-NAME

Example:

<pattern-list foo>
</pattern-list>

<source 0/0>
  pattern-list foo
</source>

3.3.7.40 process-x-envid

Specifies whether PowerMTA should process x-envid headers. If set to true and one such header is included, PowerMTA will set the message’s (DSN) envelope ID to the header’s body, as well as remove the header from the message. If set to false, PowerMTA will ignore this header, leaving it in the message if present. While the envelope ID can be set by using the ENVID parameter in the SMTP MAIL command, this directive is useful when the software you use to submit the messages does not allow you to control it.

Default: false

Example:

<source 0/0>
  process-x-envid true
</source>

3.3.7.41 process-x-dkim-options

Specifies whether PowerMTA should process x-dkim-options header. If set to true and one such header is included, PowerMTA will use any values in the header for signing messages with DKIM if DKIM signing is configured. If set to false, PowerMTA will ignore this header, leaving it in the message if present.

Default: false

Example:

<source 0/0>
  process-x-dkim-options true
</source>

3.3.7.42 process-x-dkim-key

Specifies whether PowerMTA should process X-DKIM-Key headers. If set to true, PMTA will extract the private key specified in PEM format in the header X-DKIM-Key, use it for DKIM signing the message, and remove that header from the message prior to transmission. Note that if process-x-dkim-key isn’t set, PowerMTA does not remove that header; you should test your setup to avoid leaking private keys. Also, this feature requires specifying the DKIM key selector (s=) in a X-DKIM-Options header and thus also enabling the per-source process-x-dkim-options directive.

Default: false

Example:

<source 0/0>
  process-x-dkim-key true
</source>

3.3.7.43 retain-x-dkim-key

Specifies whether PowerMTA should retain a processed x-dkim-key header in the message. If set to true, PowerMTA will keep the x-dkim-key header in the message when sending it on, otherwise that header will be removed. While this option is generally used in conjunction with the process-x-dkim-key option, they are completely independent of each other. Both directives can be set to false for example, in which case PowerMTA will ignore the header with regards to processing however still removing the header before delivery.

Note: If this directive is set to true, the private key will be included in the email when PowerMTA delivers it.
This is a security risk so it is strongly recommended to keep this directive set to false.

Default: false

Example:

<source 0/0>
  retain-x-dkim-key false
</source>

3.3.7.44 jobid-prefix

Allows one to have PowerMTA add a custom prefix to the data supplied in the x-job: header in the message. A special reserved {auth} prefix has PowerMTA adding the actual authenticated user as the prefix, allowing for example, a relay service to more easily track messages sent through by PowerMTA by each authenticated user.

Syntax:

jobid-prefix STRING

Example:

<source 0/0>
  jobid-prefix customer1
</source>

3.3.7.45 process-x-job

Specifies whether PowerMTA should process x-job headers. If set to true and one such header is included, PowerMTA will set the job ID for the message to the job ID given in the x-job header. The job ID must not include any non-printable or white space characters. A message is supposed to include at most one x-job header. If using Mailmerge, you must use the *jobid variable, and not the x-job header.

Sample header:

x-job: abc123

Default: false

Example:

<source 0/0>
  process-x-job true
</source>

3.3.7.46 jobid-header

Allows setting an alternate header for which the message’s jobId is set in place of using x-job. If other ways to set a jobId (such as x-job processing, if enabled, or *jobId mail merge variable) apply, they take precedence.

Example:

<source 0/0>
  jobid-header Campaign-Id
</source>

3.3.7.47 retain-x-job

Specifies whether PowerMTA should retain a processed x-job header in the message. If set to true, PowerMTA will keep the x-job header in the message when sending it on, otherwise that header will be removed. This option is only used if process-x-job is set to true and the message contains an x-job header.

Default: false

Example:

<source 0/0>
  retain-x-job true
</source>

3.3.7.48 process-x-virtual-mta

Specifies whether PowerMTA should process x-virtual-mta headers. If set to true and one such header is included, PowerMTA will select the VirtualMTA specified in the header’s body for the message, as well as remove the header from the message. If set to false, PowerMTA will ignore this header, leaving it in the message if present. You should enable this directive for the source IP addresses from which you feed messages if you would like to use the x-virtual-mta header to select which VirtualMTA to use.

Default: false

Example:

<source 0/0>
  process-x-virtual-mta true
</source>

3.3.7.49 retain-x-virtual-mta

Specifies whether PowerMTA should retain a processed x-virtual-mta header in the message. If set to true, PowerMTA will keep the x-virtual-mta header in the message when sending it on, otherwise that header will be removed. This option is only used if process-x-virtual-mta is set to true and the message contains an x-virtual-mta header.

Default: false

Example:

<source 0/0>
  retain-x-virtual-mta true
</source>

3.3.7.50 add-x-virtual-mta-header

Requests that an “X-Virtual-MTA” header be added to the message with the name of the Virtual MTA from which it was delivered, if no such header is already present.

Default: false

Example:

<source 0/0>
  add-x-virtual-mta-header true
</source>

3.3.7.51 source-group

Specifies the name of a source group to associate the given source to, allowing linking sources to groups (and thus grouping sources). The directive allows for specifying certain source configuration items whose functionality require them to be grouped by name. The shared resources will be defined in the <source-group> tag.

Syntax:

source-group SOURCE-GROUP-NAME

Example:

<source-group localSources>
    max-smtp-in 10
    reserved-smtp-in 5
</source-group>

<source 192.168.0.30>
    smtp-service yes
    always-allow-relaying yes
    source-group localSources
</source>

<source 192.168.0.40>
    smtp-service yes
    always-allow-relaying yes
    source-group localSources
</source>

3.3.7.52 smtp-data-timeout

Specifies the amount of time that PowerMTA will wait for data from the remote end during data reception phase (after DATA/BDAT command) of the message. Applies to inbound connections only.

Syntax:

smtp-data-timeout TIME-INTERVAL

Default: 10m

Example:

<source 0/0>
  smtp-data-timeout 5m
</source>

3.3.7.53 smtp-command-timeout

Specifies the amount of time that PowerMTA will wait for data to be sent from a remote end during inbound SMTP command exchanges.

Syntax:

smtp-command-timeout TIME-INTERVAL

Default: 10m

Example:

<source 0/0>
  smtp-command-timeout 5m
</source>

3.3.7.54 process-x-schedule

Specifies whether PowerMTA should process the x-schedule header if included in the message. If set to true and one such header is included, PowerMTA will respect the schedule defined in the header, and only attempt to deliver messages per the schedule. If set to false, PowerMTA will ignore this header and attempt to deliver normally, without any time based schedule.

Default: false

Example:

<source 0/0>
  process-x-schedule true
</source>

3.3.7.55 retain-x-schedule

Specifies whether PowerMTA should leave the x-schedule header in the message when messages are delivered (when using PowerMTA’s Schedule Delivery Control feature). While this option is generally used in conjunction with the process x-schedule header option, they are completely independent of each other. Both can be set to false for example, which has PowerMTA ignoring the header with regards to processing however still removing the header before delivery.

Default: false

Example:

<source 0/0>
  retain-x-schedule true
</source>

3.3.7.56 retain-x-dkim-options

Specifies whether PowerMTA should retain the x-dkim-options header when sending a message to a remote mail server.

Default: false

Example:

<source 0/0>
  retain-x-dkim-options true
</source>

3.3.7.57 allow-chunking

Specifies whether PowerMTA should allow usage of the CHUNKING SMTP extension (i.e., the BDAT command) on inbound connections from the source.

Default: true

Example:

<source 0/0>
  allow-chunking true
</source>

3.3.7.58 allow-smtputf8

Specifies whether one can submit internationalized email addresses per RFC6531 to PowerMTA from the connecting IP address. When set to yes (or true), PowerMTA will list “SMTPUTF8” in the list of extended SMTP commands supported for the connecting IP, allowing the submitter to use internationalized email addresses in the SMTP envelope. Note that if the remote gateway for the domain does not advertise support for SMTPUTF8, PowerMTA will subsequently bounce the message(s) for the recipient out of the queue.

Default: true

Example:

<source 0/0>
  allow-smtputf8 true
</source>

3.3.7.59 smtp-service

Specifies whether to allow access to the SMTP service to connections from the given source. If set to false, PowerMTA issues a 5XX SMTP greeting like

521 mta1.foo.com does not accept mail from you

instead of the regular one:

220 mta1.foo.com (PowerMTA v4.5r14) ESMTP service ready

Note that since the default is to grant SMTP service, if you only wish to restrict service to specific sources you must specify that in the 0/0 entry, as in the example below.

Default: true

Example:

<source 10.0.0.1> # we feed from 10.0.0.1
    smtp-service yes
    always-allow-relaying yes # normally desirable for feeder sources
</source>

<source 0/0>
    smtp-service no
</source>

3.3.7.60 log-connections

Instructs PowerMTA to write an entry in the log at the beginning and end of each connection.

Default: false

Example:

# log *all* incoming connections
<source 0/0>
  log-connections yes
</source>

3.3.7.61 log-commands

Instructs PowerMTA to log the full SMTP protocol exchanges between itself and the receiving or sending mailer. Since it displays at which point of the delivery process an error occurs, enabling this directive is generally the first and most useful step in debugging connectivity problems.

Sample Log output:

2003-06-29 15:32:00 ( 20)starting aol.com
2003-06-29 15:32:00 ( 20)connecting to yh.mx.aol.com (205.188.157.1)
2003-06-29 15:32:00 ( 20)>>> 220-rly-yh01.mx.aol.com ESMTP relay_in.5; Thu, 29 Jun 2003 09:27:58
-0400
2003-06-29 15:32:00 ( 20)>>> 220-America Online (AOL) and its affiliated companies do not
2003-06-29 15:32:00 ( 20)>>> 220- authorize the use of its proprietary computers and computer
2003-06-29 15:32:00 ( 20)>>> 220- networks to accept, transmit, or distribute unsolicited bulk
2003-06-29 15:32:00 ( 20)>>> 220 email sent from the internet.
2003-06-29 15:32:00 ( 20)<<< EHLO hazmat.port25.com
2003-06-29 15:32:00 ( 20)>>> 250-rly-yh01.mx.aol.com hazmat.port25.com
2003-06-29 15:32:00 ( 20)>>> 250 HELP
...

Default: false

Example:

<source 0/0>
  log-commands true
</source>

3.3.7.62 log-data

This directive is useful for debugging protocol or interoperability problems between the mailers, for it logs every byte sent, both in ASCII and hexadecimal. This would help show things like whether your messages may be finishing its lines with just LF (line feeds) instead of the CRLF (carriage return, line feed) pair as prescribed by the standards, and the hex data allows you to identify non-printable characters (such as CR and LF) based on their hex codes.

Sample Log output:

2003-06-29 09:53:59 ( 19)starting yahoo.com
2003-06-29 09:53:59 ( 19)connecting to mx1.mail.yahoo.com (128.11.68.155)
2003-06-29 09:54:04 ( 19)>>> rd 53
2003-06-29 09:54:04 ( 19)3232302059536D7470206D7461313334 220 YSmtp mta134
2003-06-29 09:54:04 ( 19)2E6D61696C2E7961686F6F2E636F6D20 .mail.yahoo.com
2003-06-29 09:54:04 ( 19)45534D54502073657276696365207265 ESMTP service re
2003-06-29 09:54:04 ( 19)6164790D0A                       ady..
2003-06-29 09:54:04 ( 19)<<< wr 24
2003-06-29 09:54:04 ( 19)45484C4F2068617A6D61742E706F7274 EHLO hazmat.port
2003-06-29 09:54:04 ( 19)32352E636F6D0D0A                 25.com..
2003-06-29 09:54:04 ( 19)>>> rd 75
2003-06-29 09:54:04 ( 19)3235302D6D74613133342E6D61696C2E 250-mta134.mail.
2003-06-29 09:54:04 ( 19)7961686F6F2E636F6D0D0A3235302D38 yahoo.com..250-8
2003-06-29 09:54:04 ( 19)4249544D494D450D0A3235302D53495A BITMIME..250-SIZ
2003-06-29 09:54:04 ( 19)4520333134353732380D0A3235302050 E 3145728..250 P
2003-06-29 09:54:04 ( 19)4950454C494E494E470D0A           IPELINING..
2003-06-29 09:54:04 ( 19)<<< wr 43
2003-06-29 09:54:04 ( 19)4D41494C2046524F4D3A3C696E666F40 MAIL FROM:<info@
2003-06-29 09:54:04 ( 19)706F727432352E636F6D3E20424F4459 port25.com> BODY
2003-06-29 09:54:04 ( 19)3D384249544D494D450D0A           =8BITMIME..
2003-06-29 09:54:04 ( 19)>>> rd 33
2003-06-29 09:54:04 ( 19)3235302073656E646572203C696E666F 250 sender <info
2003-06-29 09:54:04 ( 19)40706F727432352E636F6D3E206F6B0D @port25.com> ok.
2003-06-29 09:54:04 ( 19)0A                               .
2003-06-29 09:54:04 ( 19)<<< wr 29
...

Default: false

Example:

<source 0/0>
  log-data true
</source>

3.3.7.63 allow-empty-x-virtual-mta

Specifies PowerMTA should allow an empty string value for the x-virtual-mta header. If set to yes and such a header is passed (for example, x-virtual-mta:), the message will be accepted and then queued to the {default} VirtualMTA.

Default: false

Example:

<source 0/0>
  allow-empty-x-virtual-mta true
</source>

3.3.7.64 accept-invalid-recipients

Allows feeding invalid recipients into PowerMTA (which are then immediately bounced). Invalid in this sense means syntactically illegal email addresses (i.e., me@there or you@yahoo..com),
but not e.g., bad mailboxes (syntactically correct but non-existent email addresses). Pickup directory is not supported. For this functionality in a pickup file use XACK OFF/ON. See BSMTP Files for more information.

** Note that any such recipients (with syntax errors in their addresses) are immediately bounced and never delivered. This directive only prevents the rejections from happening within the session that the recipients were submitted in. **

Default: false

Example:

<source 0/0>
  accept-invalid-recipients true
</source>

3.3.7.65 reject-spf-check-temperror

Specifies whether to reject the MAIL command (with a 4xx error) in the SMTP protocol if the SPF check results in a temporary error, such as when unable to look up certain DNS records.

Default: true

Example:

<source 0/0>
  reject-spf-check-temperror true
</source>

3.3.7.66 reject-spf-check-permerror

Specifies whether to reject the MAIL command (with a 5xx error) in the SMTP protocol if the SPF check results in a permanent error, such as when there is a syntax error in a SPF record.

Default: true

Example:

<source 0/0>
  reject-spf-check-permerror true
</source>

3.3.7.67 reject-spf-check-fail

Specifies whether to reject the MAIL command (with a 5xx error) in the SMTP protocol if the SPF check results in a failure, such as when email is being sent from an unauthorized IP address.

Default: true

Example:

<source 0/0>
  reject-spf-check-fail true
</source>

3.3.7.68 always-allow-api-submission

This directive allows easily enabling all SMTP permissions and features required by our submission APIs. If set to “yes”, this is currently equivalent to setting “allow-mailmerge yes”. If set to “no”, the other settings determine whether submission is allowed.

Default: false

Example:

<source 0/0>
  always-allow-api-submission true
</source>

3.3.7.69 auto-qualify-domain

Specifies whether PowerMTA should automatically qualify the domain name in any email addresses received whose domain is not yet fully qualified. For example, if MAIL FROM:user@host is received and the host running PowerMTA is named mail.foo.com, then that address is changed into user@host.foo.com. Automatic qualification is done by appending the domain suffix, which is also configurable.

Default: true

Example:

<source 0/0>
  auto-qualify-domain true
</source>

3.3.7.70 include

This directive specifies an additional configuration file to process.
This can be used, for example, to facilitate maintenance of the configuration files across multiple hosts, by storing those settings which differ from host to host in a separate file and including it from the main (common) file. Wildcards may be used. An include may be used anywhere including in a <source>, <domain>, <virtual-mta> or <smtp-pattern-list> tag.

Example:

<source 0/0>
    include /etc/pmta/smtp-patterns.txt
</source>

3.3.8 <smtp-user> Directives

<smtp-user> directives can used to be configure credentials for users who are allowed to relay email through the system, regardless of the IP from which they are submitting the mail to
PowerMTA. Authenticating users can be done either through the use of passwords, or through system logins(Linux only) or using certificates.

Example:

<smtp-user foo>
    password barbaz
    authentication-method password
    source source-1
</smtp-user>

<smtp-user bar>
    authentication-method certificate
    tls-certificate /etc/pmta/bar-cert.pem
    source source-2
</smtp-user>

3.3.8.1 password

Specifies the password for the defined user in <smtp-user>. The authentication-method must be set to password for this directive to be effective.

Example:

<smtp-user foo>
    password barbaz
    authentication-method password
</smtp-user>

3.3.8.2 authentication-method

Specifies how to authenticate a user logging in to PowerMTA via SMTP. Possible values are:

  • password – The user needs to enter the password as configured by the password directive.
  • certificate – The user needs to send the TLS
    certificate configured by the tls-certificate directive. This requires a TLS connection, either by using STARTTLS in the SMTP dialog or by opening a TLS encrypted connection to PowerMTA. Make sure the submitting applications are configured to support this.
  • system (Linux only) – PowerMTA will check the user’s submitted password against the Linux system’s user accounts.

Syntax:

authentication-method { password | system | certificate }

Default: password

Example:

<smtp-user foo>
    password barbaz
    authentication-method password
</smtp-user>

3.3.8.3 tls-certificate

Specifies the file name containing the certificate the user needs to provide when authenticating to PowerMTA in the SMTP dialog. You can use PowerMTA’s pmtakeytool that ships with PowerMTA to create a certificate. Another option is to use OpenSSL’s command line tools. (Please see the OpenSSL documentation for details.)

Example:

<smtp-user foo>
    authentication-method certificate
    tls-certificate /etc/pmta/bar-cert.pem
</smtp-user>

3.3.8.4 source

Specifies the <source> to be used for the defined user in <smtp-user>.

Example:

<smtp-user foo>
    authentication-method certificate
    tls-certificate /etc/pmta/bar-cert.pem
    source source-1
</smtp-user>

3.3.9 <source-group> Directives

3.3.9.1 max-smtp-in

Specifies a limit for the number of incoming connections from that source group.

Default: unlimited

Example:

<source-group one>
    max-smtp-in 1000
</source-group>

3.3.9.2 reserved-smtp-in

Specifies that a certain number of inbound connections are to be reserved to connections from the given source group.

Default: unlimited

Example:

<source-group one>
    reserved-smtp-in 10
</source-group>

3.3.10 <domain> Directives

These directives are specified with a domain pattern and apply to all matching domains, such as in

<domain *.port25.com>
    bounce-after 6d
</domain>

Domain directives may be added in any order to the configuration file. When PowerMTA needs to determine what parameters to use for a specific domain, it uses the best matching (most specific) entry, regardless of the order domain directives are placed into the configuration file:

<domain discard.port25.com> # matches 'discard' only
    ...
</domain>

<domain *.port25.com> # matches subdomains of port25.com
    ...
</domain>

<domain [*.]port25.com> # matches port25.com and all subdomains
    ...
</domain>

<domain *> # matches all domains
    ...
</domain>

When PowerMTA reads the configuration file, it merges settings for related domains from more general to more specific domains, so you can provide defaults for all domains by specifying them for the * pseudo-domain or for a specific site by specifying them for the toplevel domain for the site.

In the following example, commands will be logged for all proper subdomains of port25.com (but not for port25.com itself) and undelivered messages to any address at port25.com will bounce after four days, except for messages to discard.port25.com, which will bounce after one hour.

<domain discard.port25.com>
    bounce-after 1h
</domain>

<domain *.port25.com>
    log-commands yes
</domain>

<domain [*.]port25.com>
    bounce-after 4d
</domain>

<domain *>
    bounce-after 4d
</domain>

You can use domain macros to specify settings for multiple domains at once. For example, if you could use

domain-macro topLevel com, de, co.uk

<domain yahoo.$topLevel>
    ...settings...
</domain>

to configure settings that apply to yahoo.com, yahoo.de and yahoo.co.uk.

You can also use macros within macros:

domain-macro com com, co.uk, com.br
domain-macro tld $com, org, net

In which case tld expands to com, co.uk, com.br, org and net. Any loops are detected and result in a configuration load or startup error.

Also, specifically listed domains always take precedence over expanded ones. For example, in

<domain aol.com>
    max-smtp-out 100
</domain>

domain-macro com com, co.uk

<domain aol.$com>
    max-smtp-out 50
</domain>

aol.com would have a limit of 100.

3.3.10.1 max-errors-per-connection

This directive tells PowerMTA to break a connection after a certain amount of recipient level errors. The default is unlimited, meaning that PowerMTA will not break a connection due to a number of recipient level errors.

Default: unlimited

Example:

<domain hotmail.com>
  max-errors-per-connection 10
</domain>

3.3.10.2 check-spf-outbound

Specifies whether PowerMTA should perform an SPF check on outbound messages to ensure compliance. If enabled and the check returns a “Pass”, message delivery continues; if instead it returns a “TempError”, the message is retried. Otherwise, the message bounces. To use this feature, you must currently configure a specific smtp-source-host (either at the global or VirtualMTA level).

Default: false

Example:

<domain hotmail.com>
  check-spf-outbound true
</domain>

3.3.10.3 dsn-format

The default is “standard”, which has PowerMTA send a DSN in the standard format. If set to “plain-text”, the “message/delivery-status” portion of the DSN report is delivered instead of the full report. The portion is delivered within a mime-type of “text/plain”, thus allowing this data to pass through (overzealous) email firewalls that strip all “attachments”

Syntax:

dsn-format { standard | plain-text }

Default: standard

Example:

<domain hotmail.com>
  dsn-format plain-text
</domain>

3.3.10.4 log-resolution

Specifies that PowerMTA should log information on DNS (name and routing) lookups performed for the domain. This information is generally useful when debugging DNS-based connectivity problems (such as misconfigured DNS entries).

Default: false

Example:

<domain hotmail.com>
  log-resolution true
</domain>

3.3.10.5 log-transfer-failures

Specifies whether PowerMTA should write a warning to the logging file when connections fail while transferring message’s contents (headers and body). Setting this directive to true may help when diagnosing delivery problems, especially duplicate or partial deliveries.

Default: false

Example:

<domain hotmail.com>
  log-transfer-failures true
</domain>

3.3.10.6 log-resolution

Specifies that PowerMTA should log information on DNS (name and routing) lookups performed for the domain. This information is generally useful when debugging DNS-based connectivity problems (such as misconfigured DNS entries).

Default: false

Example:

<domain hotmail.com>
   log-resolution true
</domain>

3.3.10.7 log-transfer-failures

Specifies whether PowerMTA should write a warning to the logging file when connections fail while transferring message’s contents (headers and body). Setting this directive to true may help when diagnosing delivery problems, especially duplicate or partial deliveries.

Default: false

Example:

<domain hotmail.com>
  log-transfer-failures true
</domain>

3.3.10.8 log-disabled-ips

Turns on logging to show when and which IPs were disabled.

Default: false

Example:

<domain hotmail.com>
  log-disabled-ips true
</domain>

3.3.10.9 max-events-recorded

Specifies the number of events PowerMTA is to record about the given domain. These events are not written to the logging file, but just recorded in memory. They can be viewed using the pmta show domains and the pmta show topdomains commands, or via the web interface. While recording such events can be very useful when investigating delivery problems, may have have an impact on memory consumption. Currently only error events are recorded.

Default: 10

Example:

<domain port25.com>
    max-events-recorded 3
</domain>

At the command prompt:

$ pmta show dom port25.com --errors
-----------------------------domain --#rcpt ---kbytes conn last error----------
port25.com 4 0.5 0 ETIMEDOUT connect...

2003-06-19 16:40:10 ETIMEDOUT connecting to mail.port25.com (193.96.192.241)
2003-06-19 16:40:10 ETIMEDOUT connecting to mail.port25.com (193.96.192.241)
2003-06-19 16:40:10 ETIMEDOUT connecting to mail.port25.com (193.96.192.241)

1 of 10 domains shown.

3.3.10.10 disable-acct-records

Allows one to disable the creation of one or more than one type of accounting file record on a per queue (domain / virtualMTA) basis. For example, there are times when a user wants PowerMTA to discard certain messages without creating an accounting file record for these messages when discarded. By default, PowerMTA would create a “d” (delivered) record for this, since it was delivered to discard, however the creation of a delivered record can be disabled with this option.

Syntax:

disable-acct-records TYPES

where TYPES can be one or more of d,b,t,tq

Example:

<domain hotmail.com>
  disable-acct-records d,b,t,tq
</domain>

3.3.10.11 deliver-local-dsn

Specifies whether PowerMTA should generate DSN (bounce, delay or delivery) reports for messages received from the domain specified in this <domain>. Accounting records are still written normally, so this only affects the actual report emails.

Deprecated Use <source> suppress-local-dsn instead.

Default: true

Example:

<domain bounce.port25.com>
    deliver-local-dsn no
</domain>

3.3.10.12 bounce-after

Determines the maximum amount of time PowerMTA will continue to try to deliver messages to the specified destination domain. Messages older than this time interval are bounced, i.e., a (non-)delivery report in DSN format will be sent back to the originator.

Syntax:

bounce-after TIME-INTERVAL

Default: 4d12h

Example:

<domain hotmail.com>
  bounce-after 1d
</domain>

3.3.10.13 bcc-upon-delivery

Automatically BCC delivered emails to the given address.

Use empty string ("") to clear any inherited value.

Syntax:

bcc-upon-delivery EMAIL-ADDRESS

Example:

<domain hotmail.com>
  bcc-upon-delivery foo@bar.com
</domain>

3.3.10.14 allow-priority-interruption

When set to “no”, this directive prevents interruptions by higher priority queues.

Default: yes

Example:

<domain hotmail.com>
  allow-priority-interruption true
</domain>

3.3.10.15 allow-priority-interruption-during-transfer

When set to ‘no’, the interruption is delayed until a connection is available. When set to ‘yes’, the interruption to an existing connection happens immediately. This directive applies to SMTP queues only.

Default: no

Example:

<domain hotmail.com>
  allow-priority-interruption-during-transfer true
</domain>

3.3.10.16 queue-priority

When PowerMTA needs to deliver email for a queue but no connection slots are available, it looks for a queue with lower priority currently connected and interrupts as many connections as needed, starting with the lowest priority connections and working its way up. A queue’s priority is set with a number between 0 (lowest) and 100 (highest); 50 by default.

Default: 50

Example:

<domain hotmail.com>
  queue-priority 75
</domain>

3.3.10.17 track-recipient-events

Determines whether PowerMTA will keep track of the last 50 recipient delivery, bounce, and deferred events in memory.

Default: false

Example:

<domain hotmail.com>
  track-recipient-events true
</domain>

3.3.10.18 delivery-priority

Deprecated use queue-priority


3.3.10.19 notify-of-delay-every

Sets how often PowerMTA checks to see if delay notification messages should be sent when using NOTIFY=DELAY option with RCPT TO command.

Syntax:

notify-of-delay-every { TIME-INTERVAL | never }

Default: 4h

Example:

<domain hotmail.com>
  notify-of-delay-every 1h
</domain>

3.3.10.20 dkim-sign

Specifies whether or not PowerMTA should perform DKIM signing on messages destined for this domain. Domain keys must be configured for this directive to take effect. Please see the domain-key directive below for more information. Also accepts a special value: if-x-dkim-options-present as a way to enable DKIM signing only when an X-DKIM-Options header is present in the email. The directive continues to accept ‘yes’ and ‘no’ settings with their existing meaning.

Default: false

Example:

<domain hotmail.com>
  dkim-sign true
</domain>

3.3.10.21 dkim-add-body-limit

Specify whether to add an “l=” tag with the body length to the DKIM signature, limiting the signed portion of the body. This allows further content to be added at the bottom of the message without invalidating the signature.

Default: false

Example:

<domain hotmail.com>
  dkim-add-body-limit true
</domain>

3.3.10.22 dkim-add-timestamp

Specify whether to a timestamp to the DKIM signature.

Default: false

Example:

<domain hotmail.com>
  dkim-add-timestamp true
</domain>

3.3.10.23 dkim-algorithm

Specify which DKIM signing algorithm to use.

Syntax:

dkim-algorithm { rsa-sha1 | rsa-sha256 }

Default: rsa-sha256

Example:

<domain hotmail.com>
  dkim-algorithm rsa-sha1
</domain>

3.3.10.24 dkim-body-canon

Specify which DKIM canonicalization to apply to the message body.

Syntax:

dkim-body-canon { simple | relaxed }

Default: relaxed

Example:

<domain hotmail.com>
  dkim-body-canon simple
</domain>

3.3.10.25 dkim-headers-canon

Specify which DKIM canonicalization to apply to the message headers.

Syntax:

dkim-headers-canon { simple | relaxed }

Default: relaxed

Example:

<domain hotmail.com>
  dkim-headers-canon simple
</domain>

3.3.10.26 dkim-expire-after

Requests that an “x=” tag be included in the DKIM signature to indicate when it expires.

Syntax:

dkim-expire-after { TIME-INTERVAL | never }

Default: never

Example:

<domain hotmail.com>
  dkim-expire-after 1d
</domain>

<domain yahoo.com>
  dkim-expire-after never
</domain>

3.3.10.27 dkim-query-method

Specifies the value of the q= tag in DKIM signatures.

Syntax:

dkim-query-method STRING

Example:

<domain hotmail.com>
  dkim-query-method dns/txt
</domain>

3.3.10.28 dkim-headers

Specifies the headers to be used for DKIM signing. The following headers will always be used if included in the message and cannot be removed:

  • CC
  • List-Id
  • Resent-Date
  • Content-Description
  • List-Owner
  • Resent-From
  • Content-Id
  • List-Post
  • Resent-Message-ID
  • Content-Transfer-Encoding
  • List-Subscribe
  • Resent-Sender
  • Content-Type
  • List-Unsubscribe
  • Resent-To
  • Date
  • MIME-Version
  • Sender
  • From
  • Message-ID
  • Subject
  • In-Reply-To
  • References
  • To
  • List-Archive
  • Reply-To
  • List-Help
  • Resent-Cc

RFC 4871 forbids signing the following headers:

  • Bcc
  • Keywords
  • Return-Path
  • Comments
  • Received
  • DKIM-Signature
  • Resent-Bcc

Example:

<domain yahoo.com>
    dkim-headers foo                 # exact match one header
</domain>

<domain hotmail.com>
    dkim-headers foo, bar, baz       # exact match many headers
</domain>

<domain gmail.com>
    dkim-headers /foo/               # regular expression
</domain>

<domain aol.com>
    dkim-headers /foo/, /bar/, /baz/ # many regular expressions
</domain>

<domain comcast.net>
    dkim-headers foo, /bar/          # exact match and a regular expression
</domain>

<domain port25.com>
    dkim-headers ""                  # no changes to default headers
</domain>

3.3.10.29 dkim-identity

Specifies the domain or email address of the signing identity to be used when signing messages with DKIM. (Supported in the DKIM specification only). If defined, and the domain matches, or is a subdomain of the domain defined in the “domain-key” directive, the domain will be used in place of the Sender or From: header domain for signing and for subsequent key verification by the receiving gateways. This may be useful for those who are sending on behalf of another party, and do not have control of the other party’s DNS record. A service provider for example, can sign mail using their own private key, use their own email address/domain as the signing identity, and have their own public key in their own DNS record for validation, all while having the From: header domain in the messages sent being the domain of their customer. The “dkim-identity” address will be seen in the i= parameter in the signature, while the d= parameter is set via the domain used in the “domain-key” directive and which has to match or be the parent domain in the dkim-identity directive. The directive also takes the keyword strict-from which requires an exact match for the From: header’s domain to find a matching domain key for signing. Any sub-domain or the sender header will not be used.

In the above example, the “From:” or “Sender:” headers can be a different domain then “esp123.com”, but it will be the domain “esp123.com” that will be used for the signing, and, the public key in the TXT record in DNS for the domain key1._domainkey.esp123.com will be the one checked for verification.

Syntax:

dkim-identity { EMAIL-ADDRESS | DOMAIN | sender-or-from }

Default: sender-or-from

Example:

domain-key key1,esp123.com,c:\pmta\m.pem

<domain yahoo.com>
    dkim-sign yes
    dkim-identity @esp123.com
</domain>

<domain hotmail.com>
    dkim-sign yes
    dkim-identity sender-or-from
</domain>

<domain gmail.com>
    dkim-sign yes
    dkim-identity email@esp123.com
</domain>

3.3.10.30 dkim-identity-fallback

Specifies an alternative DKIM identity to use if the primary identity isn’t usable (usually because no keys are matched). This allows PowerMTA to use the dkim key for the From or Sender header if available (eg. domain-key directive), but if the key is not available, PowerMTA switches to using the dkim-identity-fallback for signing (i= specified email address in the signature). Requires the use of dkim-identity.

Example:

domain-key key1,esp456.com,c:\pmta\m.pem
<domain yahoo.com>
    dkim-sign yes
    dkim-identity sender-or-from
    dkim-identity-fallback @esp456.com
</domain>

3.3.10.31 dkim-disallow-adding-headers

Primarily used to minimize DKIM replay attacks, it allows one to specify headers that invalidate the DKIM signature if the headers are added after the DKIM signing. The directive takes a comma separated list of headers to include an extra time in the signature’s “h” tag. Any headers listed in this directive that are also present in the original message will be signed as well.

Syntax:

dkim-disallow-adding-headers HEADER-LIST

Example:

<domain yahoo.com>
    dkim-disallow-adding-headers from,to,subject
</domain>

3.3.10.32 queue-to

Allows for grouping domains with the same MX record together. See here for more information.

Use the empty string ("") to clear any inherited value.


3.3.10.33 source-ip-max-msg-rate

IP rate limiting allows for controlling the number of attempted recipients on a per-hour, per-minute and per-second basis for each IP address for each domain/VirtualMTA. Primarily used by sites that define multiple IPs in a single VirtualMTA, and that want to limit the attempted delivery rate for each IP address in the VirtualMTA to the respective domains.

Syntax:

source-ip-max-msg-rate CIDR { unlimited | 0 | N/{h|hr|m|min|s|sec} }

Default: unlimited

Example:

<domain comcast.net>
    source-ip-max-msg-rate 1.2.3.4 600/h
</domain>

3.3.10.34 max-msg-rate

Specifies maximum attempted recipients to this domain per time interval.

Both deliveries and attempted deliveries are counted towards the limit. The following error will be displayed in the web monitor when the rate limit is reached:

message rate limit reached (based on max-msg-rate in configuration)

When using rate limiting, it is best to establish a baseline without rate limiting to ensure that the limits set are having a positive impact on deliverability.

Syntax:

max-msg-rate { unlimited | 0 | N/{h|hr|m|min|s|sec} }

where “h” or “hr” means per-hour, “m” or “min” means per-minute and “s” or “sec” means per-second.

Default: unlimited

Example:

<domain comcast.net>
    max-msg-rate 1000/m
</domain>

3.3.10.35 backoff-max-msg-rate

This directive has the same function as max-msg-rate, and applies instead of max-msg-rate while a queue is in backoff mode. Both deliveries and attempted deliveries are counted towards the limit. The following error will be displayed in the web monitor when the rate limit is reached: “message rate limit reached (based on backoff-max-msg-rate in configuration)” When using rate limiting, it is best to establish a baseline without rate limiting to ensure that the limits set are having a positive impact on deliverability.

Default: If max-msg-rate is also configured for the same queue, the default is equal to the configured max-msg-rate. Else, it is unlimited.

Example:

<domain hotmail.com>
  # backoff-max-msg-rate  is 600/h
  backoff-max-msg-rate 600/h
</domain>

<domain port25.com>
  # backoff-max-msg-rate is unlimited
</domain>

<domain foo.com>
  max-msg-rate 100/h

  # backoff-max-msg-rate defaults to 100/h

</domain>

3.3.10.36 max-msg-per-hour

Deprecated Use max-msg-rate


3.3.10.37 backoff-max-msg-per-hour

Deprecated Use backoff-max-msg-rate


3.3.10.38 retry-after

Specifies the retry interval or intervals for the domain/virtualMTA once the domain/virtualMTA is put in retry mode. The directive is a time interval(s), takes a single interval or comma separated list of intervals, with each having a number along with “d” for days, “h” for hours, “m” for minutes, or “s” for seconds, with no spaces between the parameters.

Syntax:

retry-after TIME-INTERVAL-LIST

Default: 10m

Example:

<domain example.com>
    retry-after 10m,10m,10m,10m,10m,1h,1h,1h,4h,4h,12h
</domain>

In the above example, PowerMTA would try every 10 minutes for the first 5 tries, every hour for the next three tries, every 4 hours for the next two tries, then every 12 hours until the message is bounced. If during any of the retry intervals an email is delivered then the retry-after period is reset and starts again at the first retry interval. The feature is meant to protect against using resources to continually try and email to a dead domain, like example.com.


3.3.10.39 backoff-retry-after

This directive has the same function as retry-after, and applies instead of retry-after while a queue is in backoff mode.

Syntax:

backoff-retry-after TIME-INTERVAL-LIST

Default: 1h

Example:

<domain hotmail.com>
  backoff-retry-after 2h
</domain>

3.3.10.40 retry-recipients-after

Specifies the minimum time interval to wait before retrying delivery for a recipient that previously received a 4XX (temp error) from the receiving gateway. Even if the domain/VirtualMTA is retried as per its retry-after setting, individual recipients do not get retried until the retry-recipients-after has elapsed.

Syntax:

retry-recipients-after TIME-INTERVAL

Default: 10m

Example:

<domain hotmail.com>
  retry-recipients-after 10m
</domain>

3.3.10.41 backoff-notify

Specifies email addresses to notify when any of the queues for the given domain enters or leaves backoff mode. Multiple addresses may be specified in a comma separated list.

Use empty string ("") to clear any inherited value.

Syntax:

backoff-notify EMAIL-ADDRESS-LIST

Example:

<domain *>
    backoff-notify two@host.domain,one@host.domain
</domain>

3.3.10.42 disabled-source-ip-notify

A comma separated list of email addresses that will be notified when a source IP is disabled, either via a command or through an smtp-pattern-list match, and when a source IP is enabled back again.

Use empty string ("") to clear any inherited value.

Syntax:

disabled-source-ip-notify EMAIL-ADDRESS-LIST

Example:

<domain *>
    disabled-source-ip-notify two@host.domain,one@host.domain
</domain>

3.3.10.43 backoff-to-normal-after

Specifies a time interval after which a queue automatically goes back to normal mode. Example:

Syntax:

backoff-to-normal-after { TIME-INTERVAL | never }

Default: never

Example:

<domain hotmail.com>
    backoff-to-normal-after 6h
</domain>

3.3.10.44 backoff-to-normal-after-delivery

If enabled, this puts a queue back into normal mode after a successful delivery.

Default: false

Example:

<domain hotmail.com>
  backoff-to-normal-after-delivery true
</domain>

3.3.10.45 backoff-upon-all-sources-disabled

If enabled, switches a queue into backoff mode when all source IPs become disabled, whether via command line command or when using the <smtp-pattern-list> function “disable-source-ip”. Note: Port25 recommends using the “backoff-to-normal-after” directive in conjunction with this directive, since PowerMTA does not automatically put a queue back into normal mode when an IP address reverts back to being enabled.

Default: false

Example:

<domain hotmail.com>
  backoff-upon-all-sources-disabled true
</domain>

3.3.10.46 reenable-source-ip-after

Sets the interval of time for when an IP disabled with the <smtp-pattern-list> function “disable-source-ip” is to be re-enabled, when no “reenable-after=” option is defined in the pattern action. This directive is ignored however when the “disable-source-ip” actions are defined with the accompanying “reenable-after=” option.

Syntax:

reenable-source-ip-after { TIME-INTERVAL | never }

Default: never

Example:

<domain hotmail.com>
  reenable-source-ip-after 1h
</domain>

3.3.10.47 max-cold-virtual-mta-msg

A per-domain “max-cold-virtual-mta-msg N/day”, default of 0, specifies how many messages go to the “foo-cold” vmta when VirtualMTA “foo” is selected. Re-selection occurs at message reception and over SMTP only. The value specified is the first X messages for that domain. The defined amount is set for delivery upon injection. Please note that this setting is per domain, so 1000 emails will go to yahoo, 1000 will go to hotmail, etc. Auto increments are supported in the following manner:

<domain yahoo.com>
    max-cold-virtual-mta-msg 1/day,2/day,3/day,4/day
</domain>

In the example above, all cold vmtas will have 1 as their first day’s limit for yahoo.com, 2 as the limit for second day to yahoo.com and so on. There is no restriction on the number of per-day limits that can be configured. The last limit value will continue to be used as the per-day limit after all the preceding limits have been used.

Syntax:

max-cold-virtual-mta-msg DAILY-LIMITS

where DAILY-LIMITS is a list of one or more rates of the form N/{d|day}

Default: 0/d

Example:

<virtual-mta vmta1>
    smtp-source-host 1.2.3.4 vmta1.example.com
    cold-virtual-mta vmta2
    <domain *>
        max-cold-virtual-mta-msg 1000/day
    </domain>
</virtual-mta>

<virtual-mta vmta2>
    smtp-source-host 5.6.7.8 vmta2.example.com
    <domain *>
        max-msg-rate 100/h
    </domain>
</virtual-mta>

3.3.10.48 backoff-reroute-to-virtual-mta

Specifies that PowerMTA should reroute messages to the given VirtualMTA in case the queue enters backoff mode. For example, if messages are queued for example.port25.com/vmta1 and that queue enters backoff mode while backoff-reroute-to-virtual-mta is set to vmta2, all of its messages would be rerouted to the queue example.port25.com/vmta2. New messages entering the queue are also rerouted, as long as the queue remains in backoff mode.

Use empty string ("") to clear any inherited value.

It may also make sense to use this directive on a per VirtualMTA basis:

<virtual-mta vmta1>
    ...
    <domain *>
        backoff-reroute-to-virtual-mta vmta2
    </domain>
</virtual-mta>

<virtual-mta vmta2>
    ...
</virtual-mta>

WARNING: PowerMTA performs full loop detection on this directive. If a loop is detected, messages are left in the last queue in the loop, and an error is written to the log file. A reroute from one VirtualMTA to itself is silently ignored, and a reroute to a VirtualMTA pool is not supported.

Syntax:

backoff-reroute-to-virtual-mta VMTA-NAME

Example:

<virtual-mta vmta1>
</virtual-mta>

<domain *>
    backoff-reroute-to-virtual-mta vmta1
</domain>

3.3.10.49 type

Determines whether email for this domain is to be delivered over SMTP, through the pipe delivery API, to a file, or discarded. The default type for a queue is smtp, which means email from the queue is delivered over SMTP. The other choices are

  1. file, in which case, the queue writes its messages to files.
  2. pipe, in which case the queue delivers its messages to a pipe program.
  3. discard in which case, the queue discards the email writing the corresponding accounting record

Note: Change from one type of queue to another with messages in the given queue requires a restart of PowerMTA.

Syntax:

type { smtp | pipe | file | discard }

Default: smtp

Example:

<domain hotmail.com>
    type file
</domain>

3.3.10.50 allow-cancel-during-transfer

Specifies whether PowerMTA should allow connections to this domain to be canceled (e.g., in order to shut down PowerMTA) while a message’s contents (headers and body) are being transferred. Some mailers have been known to still deliver messages if the connection breaks before they are fully received, lastly causing partial and duplicate messages to be delivered as PowerMTA retries delivering. Setting this directive to false prevents PowerMTA from Canceling connections while messages are being transferred on it, but also possibly causes PowerMTA to take longer to shut down.

Default: true

Example:

<domain hotmail.com>
  allow-cancel-during-transfer true
</domain>

3.3.10.51 auth-username

Specifies the user name to use when authenticating to the remote mailer. Authentication is attempted if the AUTH extension as well as a SASL authentication mechanism supported by PowerMTA are available at the remote mailer, and either auth-username or auth-password have non-empty values.

Use empty string ("") to clear any inherited value.

PowerMTA currently only supports the CRAM-MD5, LOGIN, and PLAIN authentication mechanisms.

Example:

<domain hotmail.com>
  auth-username foo
  auth-password 43rusdfdsi
</domain>

3.3.10.52 smtp-data-termination-timeout

Allows for setting the amount of time that PowerMTA will wait for the final “250 ok” response after sending the message body. Setting this value too low is likely to cause duplicates.

Syntax:

smtp-data-termination-timeout TIME-INTERVAL

Default: 10m

Example:

<domain hotmail.com>
  smtp-data-termination-timeout 5m
</domain>

3.3.10.53 auth-password

Specifies the password to use when authenticating to the remote mailer. Please see the auth-username directive above for more information. auth-password cannot contain a # as it will be interpreted as the start of comments.

Example:

<domain hotmail.com>
  auth-password password
</domain>

3.3.10.54 use-unencrypted-plain-auth

Specifies whether PowerMTA should use PLAIN and/or LOGIN for authentication in case the connection is not encrypted (i.e., if
STARTTLS is not being used).

Default: false

Example:

<domain hotmail.com>
  use-unencrypted-plain-auth true
</domain>

3.3.10.55 smtp-553-means-invalid-mailbox

Instructs PowerMTA whether to consider a 553 reply to a RCPT command as an 5.1.1 (invalid mailbox) error when enhanced status code is not returned by the remote gateway.

Default: yes

Example:

<domain hotmail.com>
  smtp-553-means-invalid-mailbox true
</domain>

3.3.10.56 smtp-421-means-mx-unavailable

If set to “yes”, PowerMTA will immediately break the connection upon receiving a 421 error and subsequently attempt a new connection to the next MX record listed in DNS. The default setting of “no” will cause PowerMTA to reset the connection and then reuse the same connection for additional recipients.

Default: no

Example:

<domain hotmail.com>
  smtp-421-means-mx-unavailable true
</domain>

3.3.10.57 replace-smtp-421-service-response

When enabled, this replaces the SMTP response after the 421 code and after any enhanced status code with “service unavailable”, thus preventing any email addresses, etc. that may be included in that response from being used in bounces. The original message is still passed in for pattern matching, so that these continue to work normally.

Default: false

Example:

<domain hotmail.com>
  replace-smtp-421-service-response true
</domain>

3.3.10.58 bounce-upon-no-mx

If set to “true” and no MX record(s) are found for the domain, all emails in the queue bounce immediately.

If a time interval is specified, such as 30m, only messages that have been queued for that amount of time are bounced if no MX record(s) are found for the domain. Defining a time interval allows PowerMTA to attempt delivery to the domain by looking up its A/AAAA records.

Note that this directive applies only to cases where a MX lookup is performed; if a host list is specified with the smtp-hosts directive, no MX lookup is performed.

Syntax:

bounce-upon-no-mx ( true | false | TIME-INTERVAL | never }

Default: false

Example:

<domain example.com>
    bounce-upon-no-mx true
</domain>

<domain *>
    bounce-upon-no-mx 30m
</domain>

3.3.10.59 bounce-upon-5xx-greeting

Specifies whether PowerMTA should immediately bounce all messages for the domain when receiving a 5xx SMTP greeting. email protocols mandate this default behavior, however there exist many misconfigured mailers on the network, causing email to be lost unnecessarily. If this directive is set to false, PowerMTA will regard 5xx greetings as a temporary error and try delivering the messages to any secondary MX mailers, as well continue retrying delivery until the bounce-after interval expires.

Default: true

Example:

<domain hotmail.com>
  bounce-upon-5xx-greeting true
</domain>

3.3.10.60 bounce-upon-pix-transfer-failure

This directive is identical to the bounce-upon-transfer-failuredirective below, except that the message is only bounced if a Cisco PIX Firewall is detected at the receiving site. Detection is performed based on the SMTP greeting line: if it contains at least ten asterisks, a PIX firewall is detected.

Default: false

Example:

<domain hotmail.com>
  bounce-upon-pix-transfer-failure true
</domain>

3.3.10.61 bounce-upon-transfer-failure

Specifies whether PowerMTA should immediately bounce a message whose delivery failed while its contents (message headers and body) were being transferred. Normally, PowerMTA would not immediately bounce the message, but continue trying until it becomes older than the bounce-after interval. Due to deficiencies in the SMTP protocol (See RFC 1047) and in the receiving mail servers, if the TCP connection fails while the contents are being transmitted, there is some risk that various copies of the same message will be delivered, some of which possibly with only partial contents. By enabling this directive, you instruct PowerMTA to bounce the message immediately after the first failed transfer attempt. This effectively prevents sending out duplicates, but may also cause the recipient to never receive the message, or receive only one (possibly partial) copy of it.

Default: false

Example:

<domain hotmail.com>
  bounce-upon-transfer-failure true
</domain>

3.3.10.62 connect-timeout

Specifies the maximum amount of time that PowerMTA waits for an outgoing SMTP connection to be established.

Syntax:

connect-timeout TIME-INTERVAL

Default: 2m

Example:

<domain hotmail.com>
  connect-timeout 5m
</domain>

3.3.10.63 smtp-greeting-timeout

Specifies the amount of time to wait for the initial SMTP 220 greeting message to be received after the connection is accepted.

Syntax:

smtp-greeting-timeout TIME-INTERVAL

Default: 5m

Example:

<domain hotmail.com>
  smtp-greeting-timeout 10m
</domain>

3.3.10.64 data-send-timeout

Specifies the maximum amount of time that PowerMTA waits for a chunk of data (message contents and body) to be sent over an outgoing SMTP connection. For full compliance with RFC 2821, this timeout needs to be at least three minutes.

Syntax:

data-send-timeout TIME-INTERVAL

Default: 3m

Example:

<domain hotmail.com>
  data-send-timeout 5m
</domain>

3.3.10.65 ignore-8bitmime

Specifies whether PowerMTA should ignore the 8BITMIME extension even when supported by the receiving mailer. Setting this directive to true allows you to work around the problem of messages bouncing because a site’s external MTA accepting 8BITMIME messages as such but unable to convert them to 7BIT when passing to an internal MTA which does not support 8BITMIME. The directive doesn’t change the encoding of the message, but rather, by default if a message has 8bit encoding and the feeding application passed that information along in the MAIL FROM command, PowerMTA passes that info along to the remote mail server via the MAIL FROM command. Setting the value to true tells PowerMTA to not pass along the information. This has nothing to do with anything declared in the body of the message. See RFC 1652 for more information http://www.ietf.org/rfc/rfc1652.txt.

Default: false

Example:

<domain hotmail.com>
  ignore-8bitmime true
</domain>

3.3.10.66 ignore-chunking

Specifies whether PowerMTA should ignore the CHUNKING extension even when supported by the receiving mailer. Setting this directive to true may be useful for debugging message transfer problems.

Default: false

Example:

<domain hotmail.com>
  ignore-chunking true
</domain>

3.3.10.67 ignore-pipelining

Specifies whether PowerMTA should ignore the PIPELINING extension even when supported by the receiving mailer. Setting this directive to true may be useful for debugging message transfer problems.

Default: false

Example:

<domain hotmail.com>
  ignore-pipelining true
</domain>

3.3.10.68 ignore-dsn

Specifies whether PowerMTA should ignore the DSN extension even when supported by the receiving mailer (seen in the “250” responses after connecting).

Default: false

Example:

<domain hotmail.com>
  ignore-dsn true
</domain>

3.3.10.69 max-msg-per-connection

Specifies the maximum number of messages delivered within a single connection. Normally it is most efficient to deliver as many messages as possible per connection, but in special circumstances it may be desirable to have PowerMTA close the connection and reconnect before delivering more messages. A value of zero means no limit is imposed.

Default: 0

Example:

<domain hotmail.com>
  max-msg-per-connection 5
</domain>

3.3.10.70 max-rcpt-per-transaction

Specifies the maximum number of recipients passed with each message.
For example, if a message is submitted including 5,000 recipients for a single domain, and max-rcpt-per-message for that domain is set to 3,000, PowerMTA will transfer the message twice, once for 3,000 recipients and again for the remaining 2,000 recipients. Smaller settings increase parallelism by allowing the same message to be transferred over several connections to the same domain, but also reduce efficiency, since the message contents are transferred several times. max-rcpt-per-transaction is an alias to max-rcpt-per-message.

Default: 1000

Example:

<domain hotmail.com>
  max-rcpt-per-transaction 100
</domain>

3.3.10.71 max-rcpt-per-message

Specifies the maximum number of recipients accepted in each message. If set to zero or unlimited, no explicit limit is enforced.

Syntax:

max-rcpt-per-message { N | unlimited }

Default: 0

Example:

<domain yahoo.com>
  max-rcpt-per-message 10
</domain>

3.3.10.72 max-smtp-out

Specifies the maximum number of simultaneous connections to be opened for this domain or VirtualMTA.

Default: 20

Example:

<domain hotmail.com>
  max-smtp-out 30
</domain>

3.3.10.73 backoff-max-smtp-out

Specifies the maximum number of simultaneous connections to be opened for this domain when in backoff mode.

Default: 20

Example:

<domain hotmail.com>
  backoff-max-smtp-out 30
</domain>

3.3.10.74 max-smtp-out-per-source-ip

Deprecated Use source-ip-max-smtp-out instead


3.3.10.75 source-ip-max-smtp-out

Specifies the maximum number of simultaneous connections to be opened for this domain for a given source IP.

Syntax:

source-ip-max-smtp-out CIDR N

Default: unlimited

Example:

<domain comcast.net>
    source-ip-max-smtp-out 1.2.3.4 10
</domain>

3.3.10.76 max-connect-rate

Specifies the maximum number of connections to be opened for this domain during the specified time period.

Syntax:

max-connect-rate { unlimited | 0 | N/{h|hr|m|min|s|sec} }

Default: unlimited

Example:

<domain hotmail.com>
  max-connect-rate 10/m
</domain>

3.3.10.77 source-ip-max-connect-rate

Specifies the maximum number of connections to be opened during the specified time period when using the given source IP for this domain/vmta (i.e. queue).

Syntax:

source-ip-max-connect-rate CIDR { unlimited | 0 | N/{h|hr|m|min|s|sec} }

Default: unlimited

Example:

<domain hotmail.com>
    source-ip-max-connect-rate 1.2.3.4 60/m
</domain>

3.3.10.78 source-ip-max-msg-rate

Specifies the maximum number of messages to be attempted for delivery during the specified time period when using the given source IP for this domain/vmta (i.e. queue).

Syntax:

source-ip-max-msg-rate CIDR { unlimited | 0 | N/{h|hr|m|min|s|sec} }

Default: unlimited

Example:

<domain comcast.net>
    source-ip-max-msg-rate 1.2.3.4 600/m
</domain>

3.3.10.79 backoff-max-connect-rate

Specifies the maximum number of connections to be opened for this domain during the specified time period when in backoff mode.

Syntax:

backoff-max-connect-rate { unlimited | 0 | N/{h|hr|m|min|s|sec} }

Default: If max-connect-rate is also configured for the same queue, the default is equal to the configured max-connect-rate. Else, it is unlimited.

Example:

<domain hotmail.com>
  # backoff-max-connect-rate  is 600/h
  backoff-max-connect-rate 600/h
</domain>

<domain port25.com>
  # backoff-max-connect-rate is unlimited
</domain>

<domain foo.com>
  max-connect-rate 100/h

  # backoff-max-connect-rate defaults to 100/h

</domain>

3.3.10.80 retry-upon-new-mail

Specifies if PowerMTA should immediately schedule delivery of a message when it is received if the queue to which it is injected is already in retry mode. If set to true and a queue is in retry mode, new mail injected into that queue will cause the queue to be scheduled for delivery.

Default: false

Example:

<domain hotmail.com>
  retry-upon-new-mail true
</domain>

3.3.10.81 pix-bug-workaround

Some versions of the Cisco PIX firewall have a bug (bug ID CSCds90792) in its “fixup smtp” command in that it rejects email (causing duplicates to be delivered) if the final . sequence is split across various TCP frames. This directive instructs PowerMTA, in case it detects a PIX firewall, to send the final . in a frame of its own, making it almost certain to arrive at the receiving site in a single frame. Detection is performed based on the SMTP greeting line:
if it contains at least ten asterisks, a PIX firewall is detected.

Default: true

Example:

<domain hotmail.com>
  pix-bug-workaround true
</domain>

3.3.10.82 route

Overrides or modifies the normal DNS-based routing, instructing PowerMTA to deliver to specific hosts or to look up an MX record for a different domain.

Deprecated Use smtp-hosts instead.


3.3.10.83 default-smtp-port

Allows specifying the TCP port to use for delivering over SMTP (unless overridden by smtp-hosts).
This can be used to simplify the setup when multiple PowerMTAs communicate through a NAT (network address translation) device, since the NAT configuration can key on the destination port rather than require individual local source IPs for each externally visible IP address.

Default: 25

Example:

<virtual-mta vmta1>
    <domain *>
      default-smtp-port 9001
    </domain>
</virtual-mta>
<virtual-mta vmta2>
    <domain *>
      default-smtp-port 9002
    </domain>
</virtual-mta>

3.3.10.84 smtp-hosts

Overrides or modifies the normal DNS-based routing, instructing PowerMTA to deliver to specific hosts or to look up an MX record for a different domain.

Multiple host names or IP addresses can be entered. Commas separate hosts within a preference level, and semicolons separate preference levels. Email delivery is attempted by preference level (first to last), exactly as though those hosts had been obtained from MX records.

An IP address may be entered in dotted-decimal notation instead of a host name, for example [10.1.0.2] for IPv4 or [IPv6:2001::1] for IPv6. Each host name or IP address may be followed by : and a number specifying an alternative TCP port number, as in h1.test.com:1025.

To specify that a MX lookup be performed instead, specify lookup-mx: followed by the domain name to look up.

Use the empty string ("") to clear any inherited value.

Examples:

<domain hotmail.com>
    smtp-hosts lookup-mx:example.com
</domain>

In the following example, commas and semicolons are use to create a primary preference level containing hosts h1 and h2 (which will be used in round-robin fashion), a secondary preference level containing the IP address [10.1.1.1]
and specifying an alternate TCP port, and a tertiary preference level
(only used if unable to deliver to the first two levels) containing host
last:

<domain email.test.com>
    smtp-hosts h1.test.com, h2.test.com; [10.1.1.1]:2525; last.test.com
</domain>

3.3.10.85 smtp-pattern-list

Specifies that the given SMTP pattern list is to be used in connections to the given domain.

Syntax:

smtp-pattern-list NAME

Example:

<smtp-pattern-list foo>
</smtp-pattern-list>

<domain hotmail.com>
  smtp-pattern-list foo
</domain>

3.3.10.86 assume-delivery-upon-data-termination-timeout

If enabled and the connection times out while waiting for the reply to the “.” after a DATA or for the reply to the last BDAT segment, PowerMTA assumes that the delivery was successful. May result in duplicate messages if used when not needed.

Default: false

Example:

<domain hotmail.com>
  assume-delivery-upon-data-termination-timeout true
</domain>

3.3.10.87 SSL/TLS Directives

3.3.10.87.1 use-starttls

Specifies whether PowerMTA should use the STARTTLS extension (if supported by the receiving mailer). Setting this directive to true instructs PowerMTA to use that extension to encrypt the connection to the remote mailer.

Default: true

Example:

<domain hotmail.com>
  use-starttls true
</domain>

3.3.10.87.2 require-starttls

Only relevant if “use-starttls” is enabled. The STARTTLS extension may not be available at the remote host, or its use may fail for various reasons. If “require-starttls” is set to “true”, PowerMTA will abort the connection, thus avoiding to send the message through a less secure connection. Otherwise, it will send the message anyway.

Default: false

Example:

<domain hotmail.com>
  require-starttls true
</domain>

3.3.10.87.3 reuse-ssl-session

Session reuse is a mechanism to improve performance when establishing SSL/TLS sessions with a remote host. If PowerMTA is re-connecting to the same host within a short duration, it may be possible to reuse the previous SSL/TLS session details speeding up the initial handshake via an abbreviated protocol.

This directive depends on the remote host’s ability to support reusing SSL/TLS sessions. At present, only gmail.com is known to support. We suggest enabling the directive for only those domains that are known to support this feature.

Default: false

Example:

<domain gmail.com>
    reuse-ssl-session true
</domain>
3.3.10.87.4 smtp-tls-allow-tlsv1

Allows PowerMTA to use TLSv1 when establishing a secure connection.

Default: false

Example:

<domain hotmail.com>
    smtp-tls-allow-tlsv1 false
</domain>

3.3.10.87.5 smtp-tls-allow-tlsv1.1

Allows PowerMTA to use TLSv1.1 when establishing a secure connection.

Default: true

Example:

<domain hotmail.com>
    smtp-tls-allow-tlsv1.1 true
</domain>

3.3.10.87.6 smtp-tls-allow-tlsv1.2

Allows PowerMTA to use TLSv1.2 when establishing a secure connection.

Default: true

Example:

<domain hotmail.com>
    smtp-tls-allow-tlsv1.2 true
</domain>

3.3.10.87.7 smtp-tls-allow-sslv3

Allows PowerMTA to use SSLv3 when establishing a secure connection.

Default: false

Example:

<domain hotmail.com>
    smtp-tls-allow-sslv3 true
</domain>

3.3.10.87.8 smtp-tls-ca-file directive

Specifies the location of a local text file containing one or more root certificates that will be used to verify remote server certificate chains. Used by senders to authenticate remote gateways when using TLS based delivery. If using opportunistic TLS and the certificate verification fails, PowerMTA will fall back to using plain text for the delivery. In contrast, if TLS is required and the certificate verification fails, PowerMTA will return a temporary 4xx error indicating the failure.

Example:

<domain hotmail.com>
    smtp-tls-ca-file /etc/pmta/certchain.pem
</domain>

3.3.10.87.9 smtp-tls-ciphers

Specifies the ciphers that PowerMTA is allowed to use when negotiating a TLS session with remote client during STARTTLS. Please see documentation for OpenSSL command ‘ciphers’ for valid cipher names that can be used with this directive.

Default: "HIGH:!ADH:@STRENGTH"

Example:

<domain example.com>
    smtp-tls-ciphers HIGH:!ADH:@STRENGTH
</domain>
3.3.10.87.10 log-tls

Specifies whether PowerMTA should log information during negotiation of a TLS session with the remote during STARTTLS.

Default: false

Example:

<domain hotmail.com>
  log-tls true
</domain>

3.3.10.88 reroute-to-virtual-mta

Specifies that PowerMTA should reroute messages to the given VirtualMTA. This can be set globally.

A reroute to a VirtualMTA pool is not supported.

Use empty string ("") to clear any inherited value.

Syntax:

reroute-to-virtual-mta VMTA-NAME

Example:

<virtual-mta vmta1>
    ...
</virtual-mta>

<virtual-mta vmta2>
    ...
</virtual-mta>

<domain aol.com>
    reroute-to-virtual-mta vmta2
</domain>

Or, it may also make sense to use this directive on a per VirtualMTA basis:

<virtual-mta vmta1>
    ...
    <domain aol.com>
        reroute-to-virtual-mta vmta2
    </domain>
</virtual-mta>

<virtual-mta vmta2>
    ...
</virtual-mta>

3.3.10.89 disable-mx-rollup

Controls whether MX rollup should be performed for the domain. When set to true, DNS results for the domain are not checked against any MX rollup patterns configured in the system.

Default: false

Example:

<domain hotmail.com>
  disable-mx-rollup true
</domain>

3.3.10.90 Discard Delivery Directives

The directives in this Section are ignored if specified in non-discard delivery domains.

3.3.10.90.1 discard-as-bounce

Controls whether emails in a discard type queue should be recorded as bounces(‘b’). When set to true for a domain with type discard, all emails in the queue are recorded as bounces in the accounting file. When set to false, all emails in the queue are recorded as deliveries(‘d’)
in the accounting file.

Default: false

Example:

<domain undeliverable-domain.com>
  type discard
  discard-as-bounce true
</domain>

3.3.10.91 File Delivery Directives

3.3.10.91.1 file-format

Specifies the format of the file(s) to which PowerMTA delivers the messages:

  • newfile-plain: A new file is created for each message, in the directory indicated by file-destination. The entire message is written to the file, including all headers, but no envelope information.
  • newfile-pickup: A new file is created for each message, in the directory indicated by file-destination. In addition to the entire message body and headers, the special headers x-sender and x-receiver are included, containing the originator and recipient addresses from the message envelope.
  • append-mbox: Messages are appended to the file indicated by file-destination, in the unix “mbox” format.

PowerMTA creates new files with the initial “extension” of .tmp and renames them to .msg once done. If post-processing these files as they are created, you should code to ignore any .tmp files, to avoid processing a file which hasn’t yet been completely written.

When appending to a file (for append-mbox), interlocking is performed using flock on Unix-like platforms and with share options passed to CreateFile on Windows. In order to safely access the file while PowerMTA is running, Port25 recommends using the pmtagetfile application.

Syntax:

file-format { newfile-plain | newfile-pickup | append-mbox }

Default: newfile-plain

Example:

<domain bounce.mydomain.com>
  type file
  file-destination /opt/pickup/
  file-format newfile-pickup
</domain>
3.3.10.91.2 file-destination

Specifies the directory or file name for file delivery. The directory or file name is subjected to the same macro expansion as in the pipe delivery’s command line:

  • $bodytype: The message body type (7BIT, 8BITMIME or BINARYMIME).
  • $ctime: The current date in Unix ctime format.
  • $envid: The DSN envelope ID (from MAIL … ENVID=…).
  • $from: The envelope sender (MAIL FROM) address.
  • $isodate: The current date in the format YYYY-MM-DD.
  • $timet: The current time in numeric (time_t) format.
  • $rfctime: The current date in RFC 822 format.
  • $to: The envelope recipient (RCPT TO) address.
  • $user: The recipient user. That is the local part (mailbox) in the recipient address, or, if the local part contains a
    ‘+’ character, the portion of the mailbox to the left of the ‘+’. For example, in joe+xyzzy@company.com, the user would be joe.
  • $domain: The recipient’s domain.

Whether $from and $to are lowercased depends on the setting of macro-variables-preserve-case.
$user and $domain macros always expand in lower case, avoiding issues when those are used to create directories and files on case-sensitive file systems.

Syntax:

file-destination DIRECTORY

Example:

<domain bounce.mydomain.com>
  type file
  file-destination /opt/pickup/
</domain>

3.3.10.92 Pipe Delivery Directives

The directives in this Section are ignored if specified in non-pipe domains.

3.3.10.92.1 command

Specifies the command to use to start the program which will read from the pipe. This directive is required for pipe domains. PowerMTA substitutes the following macros in the command line:

  • $bodytype: The message body type (7BIT, 8BITMIME or BINARYMIME).
  • $ctime: The current date in Unix ctime format.
  • $envid: The DSN envelope ID (from MAIL … ENVID=…).
  • $from: The envelope sender (MAIL FROM) address.
  • $isodate: The current date in the format YYYY-MM-DD.
  • $timet: The current time in numeric (time_t) format.
  • $rfctime: The current date in RFC 822 format.
  • $to: The envelope recipient (RCPT TO) address.
  • $user: The recipient user. That is the local part (mailbox) in the recipient address, or, if the local part contains a
    ‘+’ character, the portion of the mailbox to the left of the ‘+’. For example, in joe+xyzzy@company.com, the user would be joe.
  • $domain: The recipient’s domain.

To prevent any one of these macros from being interpreted as multiple arguments if they contain spaces, it is a good idea to enclose them in double quotes (like in the example below).

Syntax:

command STRING

where STRING is the complete command that PowerMTA will use to start the program.

Example:

<domain bounces.xyz.com>
    type pipe
    command "/my/bounce/processor --envid \"$envid\" \"$user\""
</domain>

3.3.10.92.2 macro-variables-preserve-case

When set to true prevents $to and $from from being changed to lowercase. $user and $domain are always changed to lowercase, as they are intended to facilitate integration with Linux environments.

Default: false

Example:

<domain bounces.mydomain.com>
   type pipe
   command "/my/bounce/processor --envid \"$envid\" \"$user\""
   macro-variables-preserve-case  true
</domain>

3.3.10.93 SparkPost Traffic Redirection Support

PowerMTA has special support for redirecting traffic for delivery through SparkPost. This may be desirable for various reasons, such as to seasonally add extra delivery capacity. Once your SparkPost setup is ready, you can have PowerMTA connect to it by creating a domain named
{sparkpost} and setting it to authenticate using a SparkPost API key:

<domain {sparkpost}>
    auth-password d41d8cd98f00b204e9800998ecf8427e # API key
</domain>

You can then redirect specific domains (or entire Virtual MTAs, as in the example below) to SparkPost by having PowerMTA place messages in the {sparkpost} queue:

<virtual-mta ExtraCapacity>
    <domain *>
        queue-to {sparkpost}
    </domain>
</virtual-mta>
3.3.10.93.1 add-x-msys-api-header

Instructs PowerMTA to add a special X-MSYS-API header required to set SparkPost specific options, also setting SparkPost’s campaign to the messages’ JobID, if any. This directive is enabled by default for the
{sparkpost} domain.

Default: true for {sparkpost} domain, false for all other domains.

Example:

<domain {sparkpost}>
   add-x-msys-api-header true
</domain>

3.3.10.93.2 sparkpost-sandbox

Sets the sandbox SparkPost option.

Default: false

Example:

<domain {sparkpost}>
   sparkpost-sandbox true
</domain>

3.3.10.93.3 sparkpost-ip-pool

Sets the IP pool from which SparkPost is to send messages.

Syntax:

sparkpost-ip-pool STRING

Example:

<domain {sparkpost}>
    sparkpost-ip-pool shared-pool
</domain>

3.3.10.94 include

This directive can be used at domain level to specify an additional configuration file to process. This can be used, for example, to facilitate maintenance of the configuration files across multiple hosts, by storing those settings which differ from host to host in a separate file and including it from the main (common) file. Wildcards may be used. An include may be used at global level and within <source>, <domain>, <virtual-mta> or <smtp-pattern-list> tag.

Example:

<domain yahoo.com>
   include /etc/pmta/dkim-keys.txt
</domain>

3.3.11 <acct-file> Directives

The accounting file in CSV format can be written to a file or pipe. For more information, see Accounting Files and Statistics.

3.3.11.1 delete-after

This directive tells PowerMTA how long to keep the accounting file before deleting it from the server. “delete-after” only applies if
“move-to” isn’t active” (and move-to must point to a different location than the directory where the file was originally created).

Syntax:

delete-after { Nd | never }

where N is the number of days to retain the accounting file for.

Default: 8d

Example:

<acct-file /var/log/pmta/acct.csv>
    delete-after 5d
</acct-file>

3.3.11.2 move-to

This directive tells PowerMTA where to move the accounting file when using move-interval or max-size. If move-to isn’t set, no moving is done
(move-interval, if configured, is silently ignored).
Directory must be on the same volume as the accounting files. Moving across a network is not supported.

The directive is off by default, and the files are not moved unless this directive is configured.

Syntax:

move-to DIRECTORY

Example:

<acct-file /var/log/pmta/acct.csv>
    move-to /var/log/archive
</acct-file>

3.3.11.3 move-interval

This directive tells PowerMTA at what time interval to move the accounting file and start a new one.

Syntax:

move-interval TIME-INTERVAL

Default: 1d

Example:

<acct-file /var/log/pmta/acct.csv>
    move-to /var/log/archive
    move-interval 1h
</acct-file>

3.3.11.4 max-size

The max size of the accounting file in Bytes, Kilobytes, Megabytes, Gigabytes, or Terabytes before PowerMTA moves the accounting file and starts a new one. Minimum size is 1M (1024K).
This directive applies both with and without “move-to”. If “move-to” is not specified, a new file is started in place (with a higher –NNNN in the file name).

Syntax:

max-size N{b|k|m|g|t}

Default: 250M

Example:

<acct-file /var/log/pmta/acct.csv>
    max-size 1G
</acct-file>

3.3.11.5 queue-filter

Can be set to a comma separated list of queue names, each of which can be optionally prefixed with **!** to indicate negation. If set, the **queue**
field of accounting records is compared against the queue names in the filter list and is written if it matches a non-negated (without a ! prefix) queue name, or not written if it matches a negated (with a !
prefix) queue name. The filtering applies to only records that have a
‘queue’ field in them (d/b/t/tq). Any f/rb/rs/r records that are configured in the acct-file will be written unconditionally (i.e. all records of that type) since they don’t have a ‘queue’ field.

The matching is performed in the order in which the queue names were specified in the queue-filter directive.

Note that if queue-filter is active for an accounting file, any records that are filtered out (i.e., any d/b/t/tq with a queue that does not match one of the queue names listed in the directive) will be lost forever (unless they are configured to be written to other accounting files). Always make sure that the queue-filter is set exactly to your needs.

If all queue names in queue-filter are negated, no records will match. All the queue names listed in the “queue-filter”
directive must obey syntax rules for a valid queue name, namely:

  • The domain part must be non-empty, must obey domain name syntax, and must be a qualified domain name. It cannot be a reserved domain name
    (i.e, cannot start with “{” and end with “}”). This rules out domain names like “{feedbackLoop}”, “{bounceProcessor}” etc.
  • If a VMTA is specified, it must be a syntactically valid VMTA name, or {default}.
    Note that there is no check for whether such a VMTA is defined in the configuration. It is sufficient if the VMTA name is syntactically valid.
  • If no the VMTA name is specified, it is assumed to be the name of the default VMTA ({default}), so foo.com will be treated as foo.com/{default}

By default, filtering is not turned on (in other words, accounting records for all queues are written to the accounting file).

Syntax:

queue-filter QUEUE-NAME-LIST

where QUEUE-NAME-LIST is a list of comma separated list of queue names, optionally prefixed with !.

Example:

<acct-file a.csv>
    records d,b,t,tq,f,rb,rs,r
    queue-filter a.com/vmta1,![*.]b.com/*,*.c.com/vmta2,!*/vmta3,*/vmta4
</acct-file>

3.3.11.6 retry-interval

Retries the pipe program in a regular interval in case of a failure.
This should only be used when using pipe to write an accounting file.

Syntax:

retry-interval TIME-INTERVAL

Default: 5m

Example: (Windows)

<acct-file |C:\pmta\bin\customCode.exe -–thisOption --thatOption>
    retry-interval 10m
</acct-file>

Example: (Unix)

<acct-file |myscript.pl -–thisOption --thatOption>
    retry-interval 10m
</acct-file>

3.3.11.7 iso-times

Requests that PowerMTA writes time stamps in the accounting file (or pipe) in ISO format.

Default: yes

Example:

<acct-file /var/log/pmta/acct.csv>
    iso-times yes
</acct-file>

3.3.11.8 user-string

Specifies a custom string to be stored along with other MTA information in the accounting file. The field “userstring” also needs to be added to the record-fields directive for this to show up in the accounting file.

Syntax:

user-string STRING

Example:

<acct-file /var/log/pmta/acct.csv>
    user-string unique-id
</acct-file>

3.3.11.9 write-timeout

Allows for setting write timeouts in accounting pipes, so that an unresponsive accounting application doesn’t hold up PowerMTA indefinitely. Only used when piping accounting data to another file.

Syntax:

write-timeout TIME-INTERVAL

Default: 1m

Example:

<acct-file |C:\pmta\bin\customCode.exe -–thisOption --thatOption>
    write-timeout 2m
</acct-file>

3.3.11.10 map-header-to-field

Allows for mapping a header to a specific field in the accounting file. This is useful if for example the From header needs to be mapped to the SMTP MAIL FROM address (“orig” field in the accounting file). An example would be like the following:

In the example below, header_x-foo gets mapped to the rcpt field in bounced records, and header_x-bar
gets mapped to the rcpt field for delivered records. Multiple entries may be specified to map multiple headers to the same field. The tq record type cannot be used. The order of the directives is significant when using multiple ones for the same record type and field. In the above example the rcpt field will contain the content of the x-foo header if x-foo exists, if not it will contain the content of the x-bar header if that one exists. Otherwise the content of the x-baz header. If that one also doesn’t exist it will contain the original value of the orig field (i.e. the rcpt field will not be overwritten). The same header can be mapped to multiple fields (e.g., header_x-foo above) and will be written to all fields mapped.

Syntax:

map-header-to-field RECORD-TYPE header_NAME ACCT-FIELD-NAME

Default: none

Example:

<acct-file /var/log/pmta/acct.csv>
  map-header-to-field b header_x-foo rcpt
  map-header-to-field d header_x-bar rcpt
  map-header-to-field d header_x-baz rcpt
  map-header-to-field d header_x-foo orig
</acct-file>

3.3.11.11 records

This directive tells PowerMTA which record types to include in the accounting file. There are 8 record types: d, b, t, tq, r, f, rb and rs.
It may only be defined once per <acct-file> with multiple types separated by commas.

  • “d” is for delivered records and will include all messages that were successfully delivered. “delivery” can be used in place of “d”.
  • “b” is for bounced records and will include all locally generated bounces (synchronous bounces). Note that bounces generated by remote mail servers (asynchronous bounces) will not be included. “bounce” can be used in place of “b”.
  • “t” is for transient recipient level errors only (such as mailbox full). “transient” can be used in place of “t”.
  • “tq” is for queue wide transient errors and will include information about delivery attempts for a given domain/vmta.
    “transient-queue” can be used in place of “t”.
  • “r” is for inbound records and will include information about messages submitted to PowerMTA for delivery. “receipt” can be used in place of “r”.
  • “f” is for feedback loop emails if PowerMTA is configured to look for feedback loop emails with the <feedback-loop-processor>.
    “feedback-loop” may be used in place of “f”. See Processing Feeback Loop Emails for more information.
  • “rb” is for remote bounce emails if PowerMTA is configured to look for remote bounce emails with the <bounce-processor>.
    “remote-bounce” may be used in place of “rb”. See Processing Asynchronous (Remote) Bounces and remote status reports for more information.
  • “rs” is for remote status emails if PowerMTA is configured to look for remote status emails with the <bounce-processor>.
    “remote-status” may be used in place of “rs”. See Processing Asynchronous (Remote) Bounces and remote status reports for more information.

Due to the fact that there can be many delivery attempts for one message, it is suggested that type “t” and/or “tq” should only be used when needed (debugging, troubleshooting, etc.) as it may cause large file sizes. It is also recommended when using this setting to have the
“t” or “tq” type records written to their own file, as so not to cause unwanted data in the primary accounting file.

Syntax:

records RECORD-TYPE-LIST

where RECORD-TYPE-LIST is a comma separated list of record types({d|b|t|tq|r|rb|rs|f})

Default: d,b

Example:

<acct-file /var/log/pmta/acct.csv>
    records d, b, t, tq, r, rb, rs, f
</acct-file>

3.3.11.12 record-fields

This directive specifies the fields to be included in the records defined via the “record” directive, in the accounting file. By default all per record type are included. To include only a subset of all the fields, simply add the desired fields in a comma separated list. To include a custom header, add the record field header_XXX, where XXX is the name of the custom field you wish to log. For example, to log all fields and a custom header, the directive would look like this:

record-fields delivery *,header_Message-Id

To include only a subset of the fields, list the required fields similar to the following:

record-fields bounce timeLogged,orig,rcpt,dlvSourceIp,vmta

To exclude fields from the default, you can use an “!” to exclude the unwanted fields. For example, to include all fields except orcpt you would use:

record-fields d *,!orcpt
record-fields b *,!orcpt

Syntax:

record-fields RECORD-TYPE FIELD-LIST

where RECORD-TYPE is one of {d|b|t|tq|r|rb|rs|f}

Default: *

Example:

<acct-file /var/log/pmta/acct.csv>
    record-fields d *,header_Message-Id
    record-fields b *,!orcpt
</acct-file>

3.3.11.13 world-readable

This directive tells PowerMTA to provide read permissions to all users on the system when it creates a new accounting file.

Default: no

Example:

<acct-file /var/log/pmta/acct.csv>
    world-readable yes
</acct-file>

3.3.11.14 count-moved-records

This directive tells PowerMTA whether or not to count the records in CSV files moved. The record counts are written to the logging file along with the message that indicates that the file was moved.

Default: false

Example:

<acct-file /var/log/pmta/acct.csv>
    count-moved-records yes
</acct-file>

3.3.11.15 sync

Determines whether the OS’ buffers for the accounting file are flushed regularly. This helps ensure that the accounting data isn’t corrupted in case of a system crash.

Default: false

Example:

<acct-file /var/log/pmta/acct.csv>
    sync true
</acct-file>

3.3.11.16 privacy-policy

The directive defaults to retain and also accepts redact (with an optional redaction string), siphash (with a key string in plain text), siphash-hexkey (with hex-formatted key string) hmac-sha256 (with a key string in plain text), and hmac-sha256-hexkey
(with a hex-formatted key string) options as shown in the examples below. When set to anything but retain, it instructs PowerMTA to replace the “local part” (left hand size of the “@”) in the recipient email addresses, as well as any occurrences found in SMTP responses and in in standard VERPed originator addresses, with either the redaction string
(which, if omitted, defaults to “…”) or a hash of that local part.

For Siphash hash calculations, the key string can only be upto 16 bytes in length. If less than 16 bytes are specified, PowerMTA will append null bytes (\0) to the end of the key string to make it 16 bytes in length. The 16 byte length is a requirement of the SipHash algorithm.

For hmac-sha256 hash calculations, RFC 2104 recommends that the key string be at least 32 bytes in length for security reasons.
PowerMTA will emit a warning if the key string is less than 32 bytes in length, however, it does not reject such key strings because RFC 2104’s suggestion is only a recommendation rather than a requirement.

In the example below, the local part is replaced with X:

<acct-file /var/log/pmta/redacted.csv>
    privacy-policy redact "X"
    records b, d
</acct-file>

In this, the local part is replaced with the hex-formatted (64-bit) SipHash of the local part, using the key “secret”:

<acct-file /var/log/pmta/siphashed.csv>
    privacy-policy siphash "secret"
    records b, d
</acct-file>

See https://131002.net/siphash/ for a description of SipHash.

In this, the local part is replaced with the hex-formatted HMAC-SHA256 hash of the local part, using the key “secret”:

<acct-file /var/log/pmta/hmacsha256-hashed.csv>
    privacy-policy hmac-sha256 "secret"
    records b, d
</acct-file>

Syntax:

privacy-policy { retain | redact | siphash | siphash-hexkey | hmac-sha256 | hmac-sha256-hexkey } STRING

Default: retain

Example:

<acct-file /var/log/pmta/siphash.csv>
    privacy-policy siphash "secret"
    records b, d
</acct-file>

3.3.12 <virtual-mta> Directives

These directives specify behavior specific to a “VirtualMTA”.
VirtualMTA directives only apply when that VirtualMTA has been selected through one of the supported selection methods.

<virtual-mta mta1>
    smtp-source-host 1.2.3.4 mta1.company.com
    <domain *>
        dkim-sign yes
    </domain>
</virtual-mta>

See VirtualMTA Support for more information.

3.3.12.1 max-smtp-msg-rate

Specifies maximum attempted recipients per time interval for this VirtualMTA.

Both deliveries and attempted deliveries are counted towards the limit. The following error will be displayed in the web monitor when the rate limit is reached:

message rate limit reached (based on max-smtp-msg-rate in configuration)

When using rate limiting, it is best to establish a baseline without rate limiting to ensure that the limits set are having a positive impact on deliverability.

Syntax:

max-smtp-msg-rate { unlimited | 0 | N/{h|hr|m|min|s|sec} }

Default: unlimited

Example:

<virtual-mta customer1>
    max-smtp-msg-rate 6/sec
</virtual-mta>

3.3.12.2 cold-virtual-mta

This directive takes the name of a manually configured VirtualMTA.
The directive can be repeated to configure multiple cold VirtualMTAs, in which case these are used in round-robin fashion and the per-domain limit applies individually for each cold VirtualMTA.

Syntax:

cold-virtual-mta VMTA-NAME

Example:

<virtual-mta vmta-cold>
    smtp-source-host 1.2.3.4 mail2.yourdomain.com
</virtual-mta>

<virtual-mta vmta1>
    smtp-source-host 2.3.4.5 mail3.yourdomain.com
    cold-virtual-mta vmta-cold
    <domain *>
        max-cold-virtual-mta-msg 1000/d
    </domain>
</virtual-mta>

3.3.12.3 host-name

See host-name definition in Global Directives for more information.

Example:

<virtual-mta vmta>
    host-name mail.foo.com
</virtual-mta>

3.3.12.4 domain-key

See domain-key definition in General Queueing and Delivery Directives for more information.

Example:

<virtual-mta mta1>
    domain-key s1,*,/etc/pmta/key.pem
</virtual-mta>

3.3.12.5 include-headers-from

See include-headers-from definition in General Queueing and Delivery Directives for more information.

Example:

<virtual-mta mta1>
    include-headers-from /etc/pmta/headers.txt
</virtual-mta>

3.3.12.6 max-smtp-out

See max-smtp-out definition in <domain> Directives for more information.

Example:

<virtual-mta mta1>
    max-smtp-out 100
</virtual-mta>

3.3.12.7 rewrite-list

See <rewrite-list> Directives for more information.

Syntax:

 rewrite-list NAME

Example:

<rewrite-list abc>
    mail-from *@foo.com *@bar.com
</rewrite-list>

<virtual-mta mta1>
    rewrite-list abc
</virtual-mta>

3.3.12.8 include

This directive can be used at VirtualMTA level to specify an additional configuration file to process. This can be used, for example, to facilitate maintenance of the configuration files across multiple hosts, by storing those settings which differ from host to host in a separate file and including it from the main (common) file. Wildcards may be used. An include may be used at global level and within <source>, <domain>, <virtual-mta> or <smtp-pattern-list> tag.

Example:

<virtual-mta mta1>
   include /etc/pmta/domain-keys.txt
</virtual-mta>

3.3.13 <virtual-mta-pool> Directives

VirtualMTA pools are groups of VirtualMTAs. They share the same name space as VirtualMTAs, so you can select a pool instead of a specific VirtualMTA. When you select a VirtualMTA pool, the VirtualMTAs in that pool are used in round-robin fashion to deliver the message. See VirtualMTA Support for more information on VirtualMTAs and VirtualMTA pools.

A <domain> may be defined inside of a <virtual-mta-pool>.
If this is done, the defined directives will be inherited by any VirtualMTA that is part of the pool. If a conflicting directive is defined directly in the given VirtualMTA, the directive in the VirtualMTA overrides the one defined in the <virtual-mta-pool>.

The following directives are also supported:

  • cold-virtual-mta
  • domain-key
  • max-smtp-out
  • max-smtp-msg-rate
  • include-headers-from

3.3.13.1 virtual-mta

Specifies the name of a VirtualMTA to include in the pool. To specify multiple VirtualMTAs, repeat this directive with the name of each VirtualMTA to add.

Syntax:

virtual-mta VMTA-NAME

Example:

<virtual-mta mta1>
</virtual-mta>

<virtual-mta mta2>
</virtual-mta>

<virtual-mta-pool pool>
    virtual-mta mta1
    virtual-mta mta2
</virtual-mta-pool>

3.3.13.2 domain

Specifies the settings for a domain that will be inherited by all the Virtual MTAs defined in the pool.

Within the inheritance hierarchy, a domain defined inside a Virtual MTA will first inherit its settings from domain definitions in the pool that the Virtual MTA is part of and then subsequently inherit from global domain definitions.

It is an error to define a VMTA in 2 different pools which have <domain> definitions inside them.

Example: In this example, both yahoo.com/mta1 and yahoo.com/mta2 will inherit max-msg-rate 10/h setting from the pool.

<virtual-mta mta1>
</virtual-mta>

<virtual-mta mta2>
</virtual-mta>

<virtual-mta-pool pool>

    <domain yahoo.com>
       max-msg-rate 10/h
    </domain>

    virtual-mta mta1
    virtual-mta mta2
</virtual-mta-pool>

Below is an example of an invalid configuration.

# Invalid configuration since mta1 is part of both pool-one and pool-two,
# each of which have domain definitions inside them

<virtual-mta mta1>
</virtual-mta>

<virtual-mta-pool pool-one>

    <domain yahoo.com>
       max-msg-rate 10/h
    </domain>

    virtual-mta mta1

</virtual-mta-pool>


<virtual-mta-pool pool-two>

    <domain yahoo.com>
       max-msg-rate 15/h
    </domain>

    virtual-mta mta1

</virtual-mta-pool>

3.3.13.3 domain-key

Syntax: See domain-key definition in General Queueing and Delivery Directives for more information.

Example:

<virtual-mta mta1>
</virtual-mta>

<virtual-mta mta2>
</virtual-mta>

<virtual-mta-pool pool>

    domain-key s1,*,/etc/pmta/key.pem

    virtual-mta mta1
    virtual-mta mta2

</virtual-mta-pool>

3.3.13.4 include-headers-from

Syntax: See include-headers-from definition in General Queueing and Delivery Directives for more information.

Example:

<virtual-mta mta1>
</virtual-mta>

<virtual-mta mta2>
</virtual-mta>

<virtual-mta-pool pool>

    include-headers-from /etc/pmta/headers.txt

    virtual-mta mta1
    virtual-mta mta2

</virtual-mta-pool>

3.3.13.5 max-smtp-msg-rate

See max-smtp-msg-rate definition in <virtual-mta> Directives.

Example:

<virtual-mta mta1>
</virtual-mta>

<virtual-mta mta2>
</virtual-mta>

<virtual-mta-pool pool>

    max-smtp-msg-rate 100/m

    virtual-mta mta1
    virtual-mta mta2

</virtual-mta-pool>

3.3.13.6 max-smtp-out

Syntax: See max-smtp-out definition in <domain> Directives.

Example:

<virtual-mta mta1>
</virtual-mta>

<virtual-mta mta2>
</virtual-mta>

<virtual-mta-pool pool>

    max-smtp-out 100

    virtual-mta mta1
    virtual-mta mta2

</virtual-mta-pool>

3.3.13.7 rewrite-list

See <rewrite-list> Directives for more information.

Syntax:

 rewrite-list NAME

Example:

<virtual-mta mta1>
</virtual-mta>

<virtual-mta mta2>
</virtual-mta>

<rewrite-list abc>
    mail-from *@foo.com *@bar.com
</rewrite-list>

<virtual-mta-pool pool>

    rewrite-list abc

    virtual-mta mta1
    virtual-mta mta2

</virtual-mta-pool>

3.3.14 <pattern-list> Directives

Pattern lists allow you to select a VirtualMTA or set recipient priority based on the message’s originator, the message’s recipient, a message header, or a combination of the three.

The directives described in this section define a list of regular expression patterns. Each entry in a pattern list has the following form:

DIRECTIVE PARAMETERS /PATTERN/ RESULT

where:

  • DIRECTIVE is one of the directives below, specifying what is matched.
  • PARAMETERS is additional information depending on the chosen directive; currently only the header directive supports a parameter, which is the message header you want to match.
  • /PATTERN/ is a perl-compatible regular expression
    (REGEX). For more information on perl-compatible regular expressions, please refer to the Perl documentation or the PCRE library package.
  • RESULT is one or more of the following:
    • virtual-mta=NAME selects a VirtualMTA.
    • recipient-priority=N sets the priority of the recipient using a scale of 0-100 with 0 being the lowest priority and 100 being the highest with a default of 50 when not specified. This may be used without selecting a VirtualMTA.
    • call-to:PATTERN-LIST-NAME selects another pattern list.

If multiple entries match, the first match is used.

An x-virtual-mta header may be used in conjunction with a <pattern-list> to set a recipient-priority.

Adds a pattern match against the specified header. Matching is performed against the entire header contents; in particular, any white space
characters such as blanks, tabs and CR/LFs will still be present.
Because of this, when anchoring the regular expression with the caret (^) and dollar ($) characters, it is important to allow for white space following the caret and preceding the dollar signs, respectively. The \s metacharacter is particularly useful for this, since it will match all white space characters.

Syntax:

 header HEADER-NAME REGEX RESULT

Example:

<pattern-list myList>
    header x-eval /^\s*eval/ virtual-mta=evaluation
    header from /jsmith/ virtual-mta=evaluation
    header subject /hello world/ virtual-mta=evaluation
</pattern-list>

<source 127.0.0.1>
    ...
    pattern-list myList # this selects the pattern list for messages
</source> # from 127.0.0.1

3.3.14.2 mail-from

Adds a pattern match against the message’s originator. This is the SMTP MAIL FROM address and is the address to which bounces are sent.
This is not the same as the from header seen in mail clients.

Syntax:

 mail-from REGEX RESULT

Example:

<pattern-list myList>
    mail-from /^customerservice/ virtual-mta=service
</pattern-list>

<source 127.0.0.1>
    ...
    pattern-list myList # this selects the pattern list for messages
</source> # from 127.0.0.1

3.3.14.3 rcpt-to

Adds a pattern match against the message’s recipient (SMTP RCPT TO).

Syntax:

 rcpt-to REGEX RESULT

Example:

<pattern-list myList>
    rcpt-to /customer/ virtual-mta=customers
</pattern-list>

<source 127.0.0.1>
    ...
    pattern-list myList # this selects the pattern list for messages
</source> # from 127.0.0.1

If multiple recipients are specified in a message and more than one match a rcpt-to directive, the first match’s VirtualMTA will apply to the entire message. This behavior may change in the future, so rcpt-to should only be used if you only intend to submit single-recipient messages.

Another example, showing a combination of matching patterns:

<pattern-list myList>
    header x-eval /eval/ virtual-mta=evaluation
    header from /jsmith/ virtual-mta=evaluation
    header subject /hello world/ virtual-mta=evaluation
    mail-from /newsletter/ virtual-mta=newsletters
    rcpt-to /^stud.*@somesite.com$/ virtual-mta=students
    rcpt-to /password-reset@customer.com/ recipient-priority=90
    rcpt-to /special@customer.com/ virtual-mta=students,recipient-priority=90
</pattern-list>

<source 127.0.0.1>
    ...
    pattern-list myList # this selects the pattern list for messages
</source> # from 127.0.0.1

Here, each email is first checked for the x-eval header. If it is present and its content contains eval, the evaluation
VirtualMTA is used. If the x-eval header isn’t given or does not match the pattern, the next pattern is checked. Each pattern is checked from top to bottom, with the first matching pattern being used. If none of the above matched, PowerMTA will use the default VirtualMTA.

This example shows conditional pattern matching:

<pattern-list patterns>
    mail-from /newsletter/ <pattern-list>
        rcpt-to /^stud.*@somesite.com$/ virtual-mta=students
        rcpt-to /^staff.*@somesite.com$/ virtual-mta=staff
        * virtual-mta=anything
    </pattern-list>

    rcpt-to /admin/ <pattern-list>
        mail-from /thisdomain.com/ virtual-mta=this
        header x-info /newdata/ virtual-mta=other
        * virtual-mta=anything
    </pattern-list>
</pattern-list>

<source 127.0.0.1>
    ...
    pattern-list patterns # this selects the pattern list for messages from 127.0.0.1
</source>

Here, first the MAIL FROM is checked for each email. If the MAIL FROM matches “newsletter”, a sub-pattern is then used. In this sub-pattern, the RCPT TO is checked, and if it matches the pattern, the emails will go to the “students” VirtualMTA, or the “staff” VirtualMTA. Anything with “newsletter” in the MAIL FROM that does not match the sub-patterns
get sent to the wildcard defined “anything” VirtualMTA.

The second pattern is similar to the above, but first checks the RCPT TO. If the RCPT TO matches, the email is then put through the sub patterns, first checking the MAIL FROM, and then for the “x-info”
header. Once again, emails with a RCPT matching “admin”, but not the sub-patterns will be sent to the VirtualMTA “anything”.

Emails not matching any patterns will not be sent to a VirtualMTA based on pattern matching.

3.3.14.4 Nested pattern-list support

In some cases it may be better to use a <pattern-list> to select another <pattern-list> instead of selecting a VirtualMTA directly. This can be accomplished in PowerMTA with the new “call-to”
option defined within a pattern.

Assuming a message has the following header:

x-custom-header: abc123

and you wanted to use that header and content to select another pattern to then select the correct VirtualMTA. The following would be defined in PowerMTA’s config file:

<pattern-list specialSelector1>
    mail-from /newsletters/ virtual-mta=vmta1
</pattern-list>

<pattern-list selections>
    header x-custom-header /abc123/ call-to: specialSelector1
</pattern-list>

<source 0/0>
    pattern-list selections
</source>
#

In the above example, <pattern-list selections> would match the x-custom-header: header, and then select <pattern-list specialSelector1>
to then apply next to the message, given the “call-to:” definition. If the SMTP MAIL FROM address for this message included “newsletters”, PowerMTA would then use VirtualMTA vmta1 for the message.

3.3.15 <smtp-pattern-list> Directives

SMTP pattern lists allow you to have PowerMTA change a delivery queue’s mode based on pattern matching on the SMTP replies received while attempting deliveries.

SMTP pattern lists currently only accept a single directive (reply). Each entry in a pattern list has the following form:

 reply /PATTERN/ ACTION-LIST

Where:

  • /PATTERN/ is a perl-compatible regular expression
    (REGEX). For more information on perl-compatible regular expressions, please refer to the Perl documentation or the PCRE library package.
  • ACTION-LIST is one or more of the following:
    • mode=normal
    • mode=backoff
    • skip-mx
    • bounce-queue
    • bounce-rcpt
    • disable-source-ip
    • reenable-after
    • defer-queue

If multiple conflicting entries match, the first match is used. The following is not allowed:

  • both mode=backoff and mode=normal
  • both skip-mx and bounce-queue
  • reenable-after without a preceding disable-source-ip (in the same rule)
  • more than one reenable-after

skip-mx is intended to help PowerMTA from give up delivering to one or more MXes which is just giving a transient recipient-level error. Any patterns matched will result in the next MX being used and mail being held in queue, even in the case of a 5xx error.

bounce-queue will bounce the entire queue immediately if the pattern is matched. The original error, as well as the fact that the queue was bounced due to this setting, will be recorded in the accounting file.

bounce-rcpt will bounce the recipient immediately if the pattern is matched. This only works for 4xx responses to the RCPT command. The original error, as well as the fact that the recipient was bounced due to this setting, will be recorded in the accounting file.

disable-source-ip will disable the IP that received the error. The source IP will remain disabled until the time period defined by the <domain> directive reenable-source-ip-after, unless using the reenable-after option.

reenable-after Allows for defining the time after which an IP that has been disabled with disable-source-ip will be reenabled. The default is never. Takes priority over the domain’s reenable-source-ip-after setting when used.

defer-queue When a queue goes in backoff mode, it does not automatically go into retry mode as well. Not all SMTP errors will have PowerMTA putting the queue into retry mode immediately vs., for example, having PowerMTA reconnect on the next MX. Since it may be desirable to have the queue put into retry mode immediately for certain errors, a new defer-queue option was added in SMTP pattern lists.

For example, to put any queues in backoff mode upon reception of certain SMTP replies, while bouncing some messages immediately or skipping some MX records:

<smtp-pattern-list blockList>
    reply /generating high volumes of.* complaints from AOL/ mode=backoff
    reply /Excessive unknown recipients - possible Open Relay/ mode=backoff
    reply /^421 .* too many errors/ mode=backoff
    reply /permanently deferred/ bounce-queue
    reply /too many connections/ skip-mx
    reply /account over quota/ bounce-rcpt
    reply /TS03/ mode=backoff,disable-source-ip,reenable-after=1h
    reply /resources temporarily unavailable/ defer-queue
</smtp-pattern-list>

<domain *>
    ...
    smtp-pattern-list blockList
</domain>

To match on a # (the comment symbol in the configuration file)
hexadecimal code may be used. For example, to match the pattern “Sender address deferred by rule #CR-IN-DEF-2”:

<smtp-pattern-list blockList>
    reply /Sender address deferred by rule \x23CR-IN-DEF-2 / mode=backoff
</smtp-pattern-list>

<domain *>
    ...
    smtp-pattern-list blockList
</domain>

Backslashes (\) and quotes (“) will need to be escaped with a backslash. All patterns are case insensitive. If case sensitivity is needed, it can be forced by adding (?-i) like the following example:

<smtp-pattern-list blockList>
    reply /(?-i)TS03/ mode=backoff
</smtp-pattern-list>

3.3.15.1 include

This directive can be used at smtp-pattern-list level to specify an additional configuration file to process. This can be used, for example, to facilitate maintenance of the configuration files across multiple hosts, by storing those settings which differ from host to host in a separate file and including it from the main (common) file.
Wildcards may be used. An include may be used at global level and within <source>, <domain>, <virtual-mta> or <smtp-pattern-list> tag.

Example:

<domain yahoo.com>
   include /etc/pmta/dkim-keys.txt
</domain>

3.3.16 <dns> Directives

3.3.16.1 precached-domains-file

Specifies the name of a text file containing a list of domains, one domain per line, that you want PowerMTA to always have current DNS information for in its DNS cache, regardless of whether recipients are in the queue for the domain or not. Typically PowerMTA would look up domain routing information in DNS when recipients are submitted into PowerMTA for a domain (assuming recipients are not currently queued for the domain already). Depending on the DNS infrastructure and how many other domains are in the queue, this may cause some slight delay in the immediate delivery attempts for these recipients. Having DNS routing information precached in PowerMTA for certain key domains before submission minimizes any delay that may take place due to this required DNS resolution.

Syntax:

precached-domains-file FILENAME

Example:

<dns>
    precached-domains-file /etc/pmta/precached-domains.txt
</dns>

3.3.16.2 precached-refresh-interval

Defines the time frame in which the DNS records for all pre-cached domains are refreshed (looked back up in DNS). Similar to a DNS record’s TTL (time to live), however it manually sets the time interval to refresh, and which overrides the actual records’ TTL in DNS. The regular TTL records for pre-cached domains are ignored.

Syntax:

precached-refresh-interval TIME-INTERVAL

Default: 5m

Example:

<dns>
    precached-domains-file /etc/pmta/precached-domains.txt
    precached-refresh-interval 2m
</dns>

3.3.16.3 precached-max-domains

Specifies the maximum number of domains that can be pre-cached. This number cannot exceed the number of domains defined in the “precached-domains-file”. Defining a very large number will result in lots of frequent DNS queries, so a scalable DNS infrastructure is required.

Syntax:

precached-max-domains N

where N is the maximum number of domains to precache.

Default: 500

Example:

<dns>
    precached-domains-file /etc/pmta/precached-domains.txt
    precached-max-domains 1000
</dns>

3.3.17 <smtp-listener> Directives

3.3.17.1 await-slot

Specifies whether new connections should wait or be refused if PowerMTA is currently at its total-max-smtp-in limit., applies to connections accepted at this <smtp-listener>’s address.

Default: false

Example:

<smtp-listener 127.0.0.1:25>
  await-slot true
</smtp-listener>

3.3.17.2 immediate-tls

Specifies whether to immediately start TLS when a connection is accepted (implementing “SMTPS”)., applies to connections accepted at this <smtp-listener>’s address.

Default: false

Example:

<smtp-listener 127.0.0.1:25>
  immediate-tls true
</smtp-listener>

3.3.17.3 source

Specifies a <source> entry with settings to override those obtained from source IP address matching., applies to connections accepted at this <smtp-listener>’s address.

Example:

<source named-source>
  max-message-size 100K
</source>

<smtp-listener 127.0.0.1:25>
    source named-source
</smtp-listener>

3.3.17.4 tls-certificate

Specifies a file containing the X.509 certificate and private key to use if TLS is started on inbound SMTP connections, as well as the password protecting the private key., applies to connections accepted at this <smtp-listener>’s address, two text fields: file name and password, Inherited from smtp-server-tls-certificate.

Syntax:

tls-certificate FILENAME [PASSWORD]

Example:

<smtp-listener 127.0.0.1:25>
    tls-certificate /var/lib/pmta/smtp.pem aaaa
</smtp-listener>

3.3.17.5 tls-allow-tlsv1.2

Allows PowerMTA to use TLSv1.2 when negotiating a secure connection with a remote client during STARTTLS.

Default: true

Example:

<smtp-listener 0/0:25>
    tls-allow-tlsv1.2 true
</smtp-listener>

3.3.17.6 tls-allow-tlsv1.1

Allows PowerMTA to use TLSv1.1 when negotiating a secure connection with a remote client during STARTTLS.

Default: true

Example:

<smtp-listener 0/0:25>
    tls-allow-tlsv1.1 true
</smtp-listener>

3.3.17.7 tls-allow-tlsv1

Allows PowerMTA to use TLSv1 when negotiating a secure connection with a remote client during STARTTLS.

Default: false

Example:

<smtp-listener 0/0:25>
    tls-allow-tlsv1 true
</smtp-listener>

3.3.17.8 tls-allow-sslv3

Allows PowerMTA to use SSLv3 when negotiating a secure connection with a remote client during STARTTLS.

Default: false

Example:

<smtp-listener 0/0:25>
    tls-allow-sslv3 true
</smtp-listener>

3.3.17.9 tls-ciphers

Specifies the ciphers that PowerMTA is allowed to use when negotiating a TLS session with a remote client during STARTTLS. Please see documentation for OpenSSL command ‘ciphers’ for valid cipher names that can be used with this.

Default: HIGH:!ADH:@STRENGTH

Example:

<smtp-listener 0/0:25>
    tls-ciphers HIGH:!ADH:@STRENGTH
</smtp-listener>

3.3.17.10 tls-ca-file

Specifies a “CA file” containing Certification Authority certificates to allow verifying any certificates presented by clients on inbound SMTP connections. The certificates must be in PEM format.

Example:

<smtp-listener 0/0:25>
  tls-ca-file /etc/pmta/certchain.pem
</smtp-listener>

3.3.18 <rewrite-list> Directives

Rewrite lists can be used to rewrite the MAIL FROM address (envelope address) of an email and the From header in the body of email. Rewrite lists are created using the tag <rewrite-list>. To use <rewrite-list>, you must configure a source with the name of the rewrite-list to use as shown below.

Syntax:

<rewrite-list abc>
   mail-from SOURCE-ADDRESS TARGET-ADDRESS
   from-domain SOURCE-DOMAIN TARGET-DOMAIN
</rewrite-list>

<source 0/0>
   rewrite-list abc
</source>

3.3.18.1 mail-from

Use mail-from rules to rewrite the MAIL FROM address (envelope address) of an email.

Syntax:

 mail-from SOURCE-ADDRESS TARGET-ADDRESS

where SOURCE-ADDRESS can be one of:

SOURCE-ADDRESS matches
abcd@xyz.com this exact email address
abcd@* any address with this local part
*@xyz.com any address at this domain
*@* all addresses except the empty address
<> the empty SMTP MAIL FROM address

Within a source address, the wildcard * has the meaning “match-all”.

and TARGET-ADDRESS can be one of:

TARGET-ADDRESS resulting rewritten address
abcd@xyz.com this specific email address
abcd@* the local part abcd and the same domain as the source address
*@xyz.com the same local part as the source address with the domain xyz.com
<> the empty address

Within a target address, the * has the meaning “replace from source address”.

The TARGET-ADDRESS cannot have non-ASCII UTF8 characters in them. For example:

 mail-from abc@xyz.com foo@bücher.de # this is an invalid rule

The wildcard * cannot be used in a TARGET-ADDRESS if the SOURCE-ADDRESS is empty. For example:

 mail-from <> *@foo.com # this is an invalid rule

Example:

<rewrite-list abc>
  mail-from  foo@*  *@bar.com   # foo@xyz.com will be rewritten to foo@bar.com
</rewrite-list>

3.3.18.2 from-domain

Use from-domain rules to rewrite the domain of the email address contained in the From header of an email.

Syntax:

from-domain SOURCE-DOMAIN TARGET-DOMAIN

where SOURCE-DOMAIN must be a domain pattern (see DOMAIN definition) and TARGET-DOMAIN must be a specific domain name

Example:

<rewrite-list foo>
  from-domain *.port25.com  bouncedomain.com    # rewrites foo@mail.port25.com to foo@bouncedomain.com
</rewrite-list>

3.3.19 <domain-key-list> Directives

domain-key-list can be used to organize a list of domain keys and refer to them using a single name. <domain-key-list> can only be defined in global scope. <domain-key-list> can be used to restrict the search for the exact key to DKIM sign an email to a specific list of keys.

Syntax:

<domain-key-list NAME>
    domain-key ...
    domain-key ...
</domain-key-list>

The x-dkim-options header can be used to specify the domain-key-list that PMTA will use to search for a key from. For example:

x-dkim-options: s=foo;key-list=xyz

In the above example, PMTA will search for the key with the selector foo in the domain-key-list named xyz. If not found, then PMTA will not sign the message.

If the key-list option is not used in x-dkim-options, then PMTA will fallback to the default behavior of selecting a key from those that were defined in the VMTA scope, or were inherited from global scope.

Example:

<domain-key-list keylist-customer-one>
    domain-key m,mail.port25.com,c:\pmta\m.pem
    domain-key base,*,c:\pmta\base.pem
</domain-key-list keylist-customer-one>

3.3.19.1 domain-key

See domain-key for description.


4 PowerMTA Management

Although PowerMTA has been designed for being as low maintenance as possible, it does include various tools for management and troubleshooting. This chapter is intended as a guide to daily operations with PowerMTA, for those who wish to actively manage and monitor, as well as to troubleshooting the most commonly encountered problems.

4.1 Management

4.1.1 Monitoring

There are a number of ways in which you can monitor PowerMTA. It has a web-based monitor built in, so you can simply point your web browser to the monitor’s TCP port on PowerMTA’s machine to view the mailer’s current status and display information about its queue. This comes particularly handy when monitoring over longer periods of time. The web monitor is described in detail in Web-Based Monitoring.

The same information from the web monitor also available through the pmta command line tool. In addition to displaying the command results in formatted plain text, pmta
can also output these in XML, JSON or as DOM-Style variable lists, making it relatively easy to post-process and to integrate PowerMTA in existing management infrastructures. The pmta command line tool and the commands it accepts are described in Command Line Tool.

The available Sparkpost Signals service can analyze your email sending and response data to help you identify potential problems.

4.1.2 Logging and Accounting

For greatest flexibility and best performance, PowerMTA maintains its own logging file. The operating system’s log (i.e., the Event Log on Windows or the syslog on Unix) is only used for recording information on startup errors and similar situations where it may not be possible for PowerMTA to write to its own logging file.

The logging file is used for recording various information about PowerMTA, such as startup and shutdown messages, any errors found during execution, connection traces, etc. In general, the log file is the place where the mailer writes any error messages, and you should look there first when any problems arise.

In addition to the logging file, PowerMTA records detailed information on e-mails processed in a separate accounting file.
Storing accounting data separate from other, more general, logging data allows for a more efficient accounting file format for easier post-processing. It also makes it easier to send feedback about problems with PowerMTA while keeping the accounting data undisclosed. The format of the accounting files is described in Accounting Files and Statistics.

Both logging and accounting files are rotated automatically, that is, a new file is started and the older ones are kept for a number of days. The parameters for the rotation, including the number of
(historical) files to keep can are described in Logging Directives and in <acct-file> Directives.

4.1.3 PowerMTA Startup and Shutdown

On Windows systems, PowerMTA runs as a service and as such is started up automatically by the operating system after booting. It also can be started and stopped both via the Control Panel and by using the net start pmta and net stop pmta commands from a Command Prompt window. Currently, PowerMTA must run under the SYSTEM account.

On Unix systems, PowerMTA runs as a daemon, i.e., a background process. A standard startup/shutdown script is provided in the system’s init.d directory.

On either platform, two processes are started: pmtad, which is PowerMTA itself, and pmtawatch, which is PowerMTA’s watchdog process. As the name suggests, pmtawatch watches over PowerMTA and re-starts it in case of a (PowerMTA) crash.

4.2 Troubleshooting

The following sections guide through troubleshooting the most commonly encountered problems.

4.2.1 Troubleshooting Startup Problems

Startup problems typically occur right after installing PowerMTA or after having changed its configuration. If PowerMTA won’t start up, you should look in the logging file a separate logging file called pmta-startuperr.log
for an error message. On Windows, this file is located in the log subdirectory of the folder where PowerMTA was installed. On Unix systems, the logging file is located on /var/log/pmta/log.

If no logging file is present or if it does not seem to contain an applicable error message, you can try running PowerMTA on the command line. On Windows, open a Command Prompt window and change to PowerMTA’s bin subdirectory. On Unix, ensure that /usr/sbin is in your path. Then start PowerMTA by using the command

pmtad --debug

That will start up PowerMTA and will have it write any error messages to the screen, rather than to the logging file. Most probably, the startup will fail displaying an error message, like in the example below:

# /usr/sbin/pmtad --debug
2018-07-03 18:05:37 Startup error: No logging file specified

You can then fix the problem and restart PowerMTA.

A common cause of startup problems when PowerMTA is first installed is TCP port conflicts. Applications that listen for (i.e., accept)
connections on a TCP port need exclusive access to the port, so if you are running any other SMTP server software on the same machine, either PowerMTA or the other software will fail to obtain access to port number 25 (the standard port for the SMTP protocol). The same might also happen with the TCP port used for the built-in web monitor (port 8080 by default). In the case of the the web monitor, since 8080 is just a local convention, you can resolve the conflict by changing the configuration and specifying a different port that the web-based monitor could listen on.

The SMTP port conflict may be more difficult to solve. If you are not
using PowerMTA for handling inbound traffic, i.e., you are just feeding PowerMTA through SMTP or the submission APIs and inbound traffic is handled by some other software, you can configure PowerMTA to use an alternative SMTP port and change your feeding software to use that port. You can normally pick any free TCP port above 1024; port numbers 2500 and 2525 are popular choices.

If, on the other hand, both PowerMTA and the other SMTP server software are to receive inbound traffic, you will need to give each of them a different IP address. Normally, applications listening for (i.e., accepting) connections on a TCP port will do so for all locally available IP addresses, so both PowerMTA and the other SMTP software need to be configured to use a specific IP address
only for PowerMTA’s configuration). Naturally, you will first need to allocate a new IP address and configure your operating system to respond to it.

4.2.2 Troubleshooting Email Delivery Problems

Email delivery problems constitute by far the most common type of problem encountered. It is quite normal for some email not to be delivered immediately and for the delivery to have to be retried. The causes of such problems are often invalid email addresses, network or server failures or misconfigured software at the recipient’s site.

If you notice email building up in the queue for a specific domain, the first step is to check the (DNS-based) routing information for the domain. If that information is available and seemingly correct, the next step would be to check whether any of the listed mailers is reachable.
PowerMTA’s pmta command line tool has a resolve option that allows you to do all of that in a single step:

$ pmta resolve --connect outlook.com
Querying 127.0.0.1 over UDP about MX outlook.com
Read response from 127.0.0.1
answers:     ttl=60
    outlook.com. 60 IN MX 5 outlook-com.olc.protection.outlook.com.


Querying 127.0.0.1 over UDP about A outlook-com.olc.protection.outlook.com
Read response from 127.0.0.1
answers:     ttl=2
    outlook-com.olc.protection.outlook.com. 2 IN A 104.47.48.33
    outlook-com.olc.protection.outlook.com. 2 IN A 104.47.49.33

status = StatusOk
pref host name                              IP addresses
---- -------------------------------------- -------------------------
   5 outlook-com.olc.protection.outlook.com 104.47.48.33 104.47.49.33

connecting from localhost (0.0.0.0) to outlook-com.olc.protection.outlook.com (104.47.48.33)
>>> 220 CO1NAM05FT041.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 7 Feb 2019 15:18:50 +0000
<<< EHLO localhost
>>> 250-CO1NAM05FT041.mail.protection.outlook.com Hello
>>> 250-SIZE 49283072
>>> 250-PIPELINING
>>> 250-DSN
>>> 250-ENHANCEDSTATUSCODES
>>> 250-STARTTLS
>>> 250-8BITMIME
>>> 250-BINARYMIME
>>> 250-CHUNKING
>>> 250 SMTPUTF8
<<< STARTTLS
>>> 220 2.0.0 SMTP server ready
TLSv1.2 connected with 256-bit ECDHE-RSA-AES256-SHA384
Cert: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com; issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G3; verified=no
<<< EHLO localhost
>>> 250-CO1NAM05FT041.mail.protection.outlook.com Hello
>>> 250-SIZE 49283072
>>> 250-PIPELINING
>>> 250-DSN
>>> 250-ENHANCEDSTATUSCODES
>>> 250-8BITMIME
>>> 250-BINARYMIME
>>> 250-CHUNKING
>>> 250 SMTPUTF8
<<< QUIT
>>> 221 2.0.0 Service closing transmission channel
closed outlook-com.olc.protection.outlook.com (104.47.48.33) in=601 out=48

In the example above, routing information for the domain outlook.com
could be resolved. It listed one mail host, with preference level 5 with two IPv4 addresses. The --connect option specified that pmta attempts connecting to the mailhost (which it did, to “104.47.48.33”).

When you enter this command during troubleshooting, either part of the command may fail. You may get an error during the DNS resolution part, like, for example “No such domain name” for a domain that is not registered in the DNS. Similarly, if the routing information is available but if the mailhosts themselves are not reachable, the connection attempt fails.

Simply connecting to the mailhosts does not preclude other problems delivering email, for the problem may be related to the specific messages queued, or the mailhosts may be temporarily rejecting email
(e.g., returning a 4XX code to SMTP commands). To verify if this is happening, use the pmta command called trace.
The trace command instructs PowerMTA to retry email delivery to the domain immediately and log the connection. This way, you can see (in the logging file) exactly what happens when delivery is attempted.

The pmta trace command is useful for quickly checking on a domain. If you should need to trace connections to a domain over a longer period of time, enable logging for it in the configuration file by adding a <domain> entry, like in in the example below:

<domain outlook.com>
    log-connections yes
    log-commands yes
</domain>

4.2.3 Troubleshooting DNS Name Resolution Problems

PowerMTA requires a recursive name service, i.e., a name server that accepts queries and performs the full DNS resolution.

Some name servers fail to do the recursive lookup and return non-recursive (referral-only) responses instead. These responses don’t contain the information sought by PowerMTA, so it discards them and retries the query in the hope that whatever caused them is temporary, or that some other server will provide the full response. When such responses are received a number of times from the same name server, PowerMTA also writes a warning to its logging file.

Generally speaking, such non-recursive responses may have various causes. However, some DNS server software versions are known to send them when configured to refuse recursive service, or when its limit of concurrent recursive queries has been reached.

Non-recursive responses waste time and may have an impact on performance. If you find a name server refusing recursive queries too often, check the name server configuration for any quotas or access control lists. If you do not control the name server, you should consider no longer using it for PowerMTA and setting up your own.

4.2.4 Troubleshooting Email Reception/SMTP Feeding Problems

Problems receiving email are quite rare and happen most commonly when writing custom applications to feed PowerMTA. The most common mistake when writing such applications is to terminate lines with just a line feed, rather than a carriage return and line feed pair as mandated by the email standards.

The simplest way to debug incoming SMTP connections into PowerMTA is to enable debugging for a specific source IP address. You do so by adding a <source> entry in the configuration file, like in the example below,

<source 127.0.0.1>
    log-connections yes
    log-commands yes
    log-data yes
</source>

and reload the configuration by using the pmta reload
command. This will cause PowerMTA to trace incoming connections to the logging file, which helps determine in what phase of the transaction
(for example, in a RCPT command) the problem is occurring. If you suspect the problem to lay in non-printable characters or in the message’s body, you can additionally enable log-data, which prints all data sent or received through the connection along with each byte’s hexadecimal code.

4.2.5 In Case of a Crash

If PowerMTA crashes, its pmtawatch watchdog program will attempt to restart it and you should get an email informing you about the crash. Please forward this email to us at support@port25.com, so that we can look into the problem. Feel free to include any information you may find relevant, such as recent changes to the configuration or workload, etc.

On Unix systems, the core dump will be stored, compressed if possible, in PowerMTA’s subdirectory on the /opt filesystem.

4.2.6 If All Else Fails

Check out http://www.port25.com/support/ for technical support options from Port25. Evaluators and customers with a support agreement may also get support via email at support@port25.com or over the phone at +1.410.750.7687.

5 Web-Based Monitoring

5.1 Overview

PowerMTA has a web-based monitoring console built in that provides real time display of PowerMTA’s status and allows you to view information on the current message queue based on various criteria.

To access the web monitor, point your web browser to the monitor’s TCP port on the machine you installed PowerMTA. For example, if you are reading this document on the machine running PowerMTA, you would use the URL http://127.0.0.1:8080. This also assumes that you did not change the default TCP port in the configuration.

When you try the URL, you may get a message saying that the access is forbidden. This is because, to protect your privacy, access to the web monitor is denied unless authorized in the configuration. Authorization is done on a per source IP address basis, so you need to enter the IP address of the host running your web browser into the configuration.

5.2 Home Display

The initial “Home” page displays basic information about your installation. In addition to this information, there are some useful links:

  • Edit Configuration – This allows you to view and edit the configuration file from within the web monitor window. After saving changes, a “pmta reload” will not be required as it it done automatically. If the change requires a restart of the service, that will have to be done manually.
  • Show/enter License Key – This links to a form where you can view/add/change the license.
  • Run command – This link allows you to run “pmta”
    commands as if you were logged in a the command/shell prompt of the PowerMTA server. This link is displayed only when PowerMTA service is running on the machine.
  • Start PowerMTA – This link allows you to start the PowerMTA service on the machine. This link is displayed only when PowerMTA service is not running on the machine.
  • User’s Guide – Opens UsersGuide.pdf in a new window for ease of looking up PowerMTA information.
  • Port25 Support – Starts an email to support@port25.com using your default email program.

From the home page, you have the option of changing to other displays:

  • Status, the status monitor page, which displays various information about PowerMTA’s status, updated every few seconds.
  • Queues, which presents you with various options for listing queues to which email is queued.
  • Domains, which presents you with various options for listing domains to which email is queued.
  • VirtualMTAs, which displays a summary of the VirtualMTAs in use.
  • Jobs, which presents you with summary information on any jobs (groups of messages) queued.
  • Logs, allows for the viewing and downloading of PowerMTA’s various log files.

The following sections describe these pages in more detail.

5.3 Status Monitor Display

The status monitor displays data from various components within PowerMTA.

The “Total” counters show the total data received and sent since the mailer was started. Similarly, the “Last Hour” and “Last Minute”
counters show the total data received and sent for the respective time intervals.

The “Top/Hour” and “Top/Minute” lines show the highest throughput observed per hour and minute. The various counters are measured independently of each other, i.e., the top number of inbound recipients may or may not have happened at the same time as the top number of inbound kilobytes.

The “Connections” section shows the number of currently active connections, the top number of simultaneous connections made since last restart, and the maximum number of inbound and outbound simultaneous connections available given your license activation key and configured limits.

The “Domain Names” section shows the number of DNS entries currently in PowerMTA’s internal cache, as well as the number of DNS queries pending, i.e., currently taking place or scheduled and waiting to take place.

The “Spool Files” section shows the number of spool files currently being used for storing queued messages. And, since the spool management code recycles files for efficiency instead of having to recreate as needed, this section also tracks the number of files that have been recycled and are waiting to be reused.

The “Spool Initialization” section shows whether the initialization is in progress or has been completed. This initialization takes place at startup and consists of reading the message files in the spool and loading queue information into memory.

The “Queues” section provides top level counts for each of the delivery methods available: SMTP or through the pipe delivery API. The counts include the total number of recipients currently in the queue, total number of destination domains for these recipients, and the total amount of data in the mail queues to be delivered, for each method.

The default refresh interval is five seconds. You can select a different refresh interval by specifying a refresh parameter in the URL.
For example, to specify a refresh interval of five minutes (300
seconds), you could use an URL like http://127.0.0.1:8080/status?refresh=300.
The refresh interval is independent of the internal throughput sampling interval, and as such has no effect on the display’s accuracy. It thus normally makes little sense to specify refresh intervals below
the default. Specifying refresh intervals above the default interrupts PowerMTA less often, which may have a positive impact on performance.

This page can also be retrieved in XML format for processing by a program. You specify the XML format by adding format=xml to the URL. For example, you could use the wget utility to retrieve it:

$ wget -O- -q http://127.0.0.1:8080/status?format=xml
<rsp>
  <data>
    <mta>
      <product>
        <name>PowerMTA</name>
        <version>4.5r12</version>
        <buildDate>2017-11-22 14:27:54</buildDate>
        <revision>tags/v4_5r12@17232</revision>
        <bits>64</bits>
      </product>
      <lak>
        <serial>123456</serial>
        <instances>1</instances>
      </lak>
      <os>
        <name>Linux</name>
        <version>3.10.0-957.1.3.el7.x86_64</version>
        <build>CentOS Linux release 7.6.1810 (Core) </build>
      </os>
      <cpu>
        <type>x86_64</type>
        <count>2</count>
      </cpu>
      <ram>
        <real>3878876</real>
      </ram>
      <fullHostName>hazmat.port25.com</fullHostName>
      <userString/>
      <hostId>0</hostId>
      <webUI>
        <protocol>1</protocol>
      </webUI>
    </mta>
    <status>
      <timeNow>2019-02-07 17:06:02</timeNow>
      <startupTime>2019-01-31 02:48:06</startupTime>
      <shuttingDown>0</shuttingDown>
      <traffic>
        <total>
          <out>
            <rcp>85402</rcp>
            <msg>85402</msg>
            <kb>2736957.8</kb>
          </out>
          <in>
            <rcp>100640</rcp>
            <msg>100544</msg>
            <kb>2177515.3</kb>
          </in>
          <bounceProcessed>0</bounceProcessed>
          <feedbackLoopProcessed>0</feedbackLoopProcessed>
        </total>
        <lastHr>
          <out>
            <rcp>772</rcp>
            <msg>772</msg>
            <kb>25208.2</kb>
          </out>
          <in>
            <rcp>984</rcp>
            <msg>984</msg>
            <kb>21202.5</kb>
          </in>
          <bounceProcessed>0</bounceProcessed>
          <feedbackLoopProcessed>0</feedbackLoopProcessed>
        </lastHr>
        <lastMin>
          <out>
            <rcp>7</rcp>
            <msg>7</msg>
            <kb>54.0</kb>
          </out>
          <in>
            <rcp>10</rcp>
            <msg>10</msg>
            <kb>79.4</kb>
          </in>
          <bounceProcessed>0</bounceProcessed>
          <feedbackLoopProcessed>0</feedbackLoopProcessed>
        </lastMin>
        <topPerHr>
          <out>
            <rcp>883</rcp>
            <msg>883</msg>
            <kb>73238.2</kb>
          </out>
          <in>
            <rcp>1039</rcp>
            <msg>1039</msg>
            <kb>52393.0</kb>
          </in>
          <bounceProcessed>0</bounceProcessed>
          <feedbackLoopProcessed>0</feedbackLoopProcessed>
        </topPerHr>
        <topPerMin>
          <out>
            <rcp>158</rcp>
            <msg>158</msg>
            <kb>27369.0</kb>
          </out>
          <in>
            <rcp>188</rcp>
            <msg>187</msg>
            <kb>27269.5</kb>
          </in>
          <bounceProcessed>0</bounceProcessed>
          <feedbackLoopProcessed>0</feedbackLoopProcessed>
        </topPerMin>
        <perf>
          <lastMin>
            <in>
              <count>0</count>
              <mailFromTime>0</mailFromTime>
              <dataTime>0</dataTime>
              <totalTime>0</totalTime>
            </in>
          </lastMin>
        </perf>
      </traffic>
      <conn>
        <smtpIn>
          <cur>3</cur>
          <max>200</max>
          <top>20</top>
        </smtpIn>
        <smtpOut>
          <cur>11</cur>
          <max>1000</max>
          <top>76</top>
        </smtpOut>
      </conn>
      <resolver>
        <namesCached>81</namesCached>
        <queriesPending>1</queriesPending>
        <queriesActive>1</queriesActive>
      </resolver>
      <queue>
        <smtp>
          <rcp>132</rcp>
          <dom>92</dom>
          <kb>7944.7</kb>
        </smtp>
        <pipe>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </pipe>
        <discard>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </discard>
        <file>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </file>
        <alias>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </alias>
        <bounceProcessor>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </bounceProcessor>
        <feedbackLoopProcessor>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </feedbackLoopProcessor>
      </queue>
      <spool>
        <initPct>100</initPct>
        <dirs>3</dirs>
        <files>
          <inUse>134</inUse>
          <recycled>0</recycled>
          <total>12288</total>
        </files>
        <totalRcp>134</totalRcp>
        <maxRcp>2880000</maxRcp>
      </spool>
      <status>running</status>
    </status>
  </data>
  <succ/>
</rsp>

5.4 Queues Display

Similar to the “Top Domains” page, the “Top Queues” page provides a listing of the top ten queues ranked by number of recipients.

For greatest flexibility and control, PowerMTA groups messages for a particular domain for a particular VirtualMTA in its own separate queue.
For example, mail destined for msn.com and handled by VirtualMTA mta5 would be in a different queue than mail destined for msn.com and handled by VirtualMTA mta10.

Whereas the “Top Domains” page provides a global view with the top ten domains across all queues, the “Top Queues” page provides a listing and counts for specific queues.

The individual queue pages also include data on the last 50 recipient events, the last 10 queue errors and the last 10 mode change
(backoff/normal) events.

This information is also available in the output of the pmta show queues command.

5.5 Queues “View Options”

The “Queues” page consists of a Queues “view options” form which after submitting, generates an output similar in format to the “Top Queues” page, but for the specific queue(s) specified in conjunction with relevant filters.

The filters include:

  • connected queues only, unconnected queues only, or both
  • queues in normal mode, backoff mode, or any mode
  • the desired number of queues to list

One can then choose how to sort the output, either by queue name, number of recipients, or queue size.

5.6 Domains Display

The “Top Domains” page provides a listing of the top ten domains in the queue ranked by number of recipients.

For each domain listed, the number of recipients, amount of data
(kilobytes), the number of open connections and the last error occurred while delivering to the domain are displayed.

5.7 Domains “View Options”

The “Domains” page consists of a Domains “view options” form which after submitting, generates an output similar in format to the “Top Domains” page, but for the specific domain(s) and based on the other parameters specified.

5.8 Common “Last Error”s

Included below is a list of the most common “Last Error” messages, with an explanation about what may cause them. On Windows, system status codes may be prefixed with WSA, but indicate generally the same condition.

ETIMEDOUT in connection to domain (IP)

This error indicates that the connection failed because, while connected, the remote host did not properly respond within a period of time. It possibly indicates that the remote host is overwhelmed or that there are connectivity problems. PowerMTA’s connection timeout parameter is 10 minutes, and is not configurable.

ECONNREFUSED connecting to domain (IP)

This error indicates that no connection could be made because the remote host actively refused it. This usually results when the remote mailer software is temporarily down or inactive, or if the remote site is actively refusing connections (usually with a packet filter) from your company and/or IP address.

EDISCON in connection to domain (IP)

This error indicates that the remote host has unexpectedly closed the connection. It may result from the remote mail server being taken down, crashing, or simply closing the connection, possibly as a “last resort”
kind of response to message contents it could not process.

StatusDnsQueryFailed resolving domain

This error indicates that the DNS query for the domain could not be completed. This could be due to more than one reason, specifically timeouts when PowerMTA attempts to talk to your local DNS server, but more likely, timeouts in your local DNS server itself when attempting to talk to other DNS servers. Although these errors can and will be seen for some domains that appear to not have valid MX or A records, the fact that the actual DNS queries timeout before receiving any verification of this precludes PowerMTA from making any assumptions and thus, for example, bouncing mail to these domains immediately.

EHLO failed

These are errors that are returned by the remote mail server during the initial SMTP handshake (at the HELO or EHLO SMTP commands). Usually the text included in the error messages is self-explanatory. Here are a few examples:

421 domain Service not available - too busy
421 domain Sorry, you are not authorized to make this connection.
421 domain temporarily not accepting mail
452 domain Too busy, please try later.

If you see domains in the queue with no errors specified, along with no active connections, this would mean that the queue is most likely to be waiting for DNS resolution to complete. For these domains, we recommend running the trace command with the --log-resolution option from the command line interface or enable one or more of the various types of logging available.

5.9 VirtualMTAs Display

The VirtualMTAs page provides a listing of the VirtualMTAs selected that currently have messages in the queue. The VirtualMTAs are listed sorted by number of recipients.

Each VirtualMTA listed also links to a top domains page that subsequently lists the top 10 domains in the queue for the specific VirtualMTA, ranked by number of recipients in the queue. Also included on this page is the volume of data in the queue, number of current connections open to the domain, and the last error received for the domain, again for the specific VirtualMTA.

5.10 Jobs Display

For each job listed, the number of recipients and amount of data (kilobytes) are displayed.

As with most pages served by PowerMTA, you can specify a refresh interval in seconds by adding it to the URL. For example, to specify a refresh interval of five minutes (300 seconds), you could use an URL like http://127.0.0.1:8080/jobs?refresh=300.

Like with the status display, this page can also be retrieved in XML format for processing by a program, by adding format=xml to the URL.

5.11 Logs Display

The Logs page displays the various log and accounting files currently available in PowerMTA. By choosing the download link, these files can be downloaded directly to your local machine for viewing. In addition, these files can be accessed programmatically via the URL format: http://127.0.0.1:8080/getFile?file=log.txt where log.txt is the name of the file you want to download.

5.12 Listing of local IPs

To get a list of the IPs currently configured on your machine, use the following URL in your web browser: http://127.0.0.1:8080/getlocalips

5.13 Listing of emails in queue

To get a listing of the messages that are currently in the queue, use a URL similar to the following in your web browser:

http://127.0.0.1:8080/listqueue?format=xml&queue=domain.com/VirtualMTA&jobid=12

http://127.0.0.1:8080/listqueue?format=xml&queue=yahoo.com/*&jobid=12&envid=3

http://127.0.0.1:8080/listqueue?format=xml&queue=*/vmta12&rcpt=test@port25.com

http://127.0.0.1:8080/listqueue?format=xml&queue=*/*&orig=test@port25.com

Use of jobid is optional. Replace domain.com with the domain for which you are looking. Also replace VirtualMTA with the name of the VirtualMTA in question. Also, use * for all domains or all VirtualMTAs.

6 Command Line Tool

6.1 Overview

PowerMTA comes with a command line tool that allows you to execute commands, display various information and also generally aids in investigating delivery problems. On Windows, this tool can be found under bin\pmta.exe in the folder where PowerMTA was installed. On Unix, it is installed as /usr/sbin/pmta. At the command line, you can get a quick listing of the commands available by invoking pmta --help:

PowerMTA(TM) v4.5r17 command tool Copyright(c) 1999-2018, Port25 Solutions, Inc.  All Rights Reserved.

Usage: pmta [options] command

where 'options' are:
    --help                display this message
    --xml                 display result in XML
    --dom                 display result as DOM-like "variables"

and where 'command' is one of:
    clear dnscache domainname
    check mfrom [--tcp] [--dumppackets] mfrom ip
    check spf [--tcp] [--dumppackets] ip heloDomain [mailFrom]
    delete [--dsn] [--queue=domain[/vmta]] [--orig=addr] [--rcpt=addr] [--jobId=id] [--envId=id] [--older-than=time-interval] [--no-accounting]
    deregister [--user=name] [--local-only] [--retain-unloaded]
    disable source [--reenable-after=interval] ip domain[/vmta]
    enable source ip domain[/vmta]
    list [--queue=domain[/vmta]] [--orig=addr] [--rcpt=addr] [--jobId=id] [--envId=id] [--maxitems=n] [--older-than=time-interval] [--pause] [--priority] [--schedule]
    pause queue domain[/vmta]
    pause job jobid
    register [--user=name] [--label=name] [--webmon-ip=ip] [--webmon-port=number] [--pmtamc-port=number] [--reuse-label] pmtamc-hostname
    reload
    reset counters
    reset status
    resolve [--tcp] [--connect] [--dumppackets] [--interactive] [--server=ip] [--source=[host,]ip] domainname
    resume queue domain[/vmta]
    resume job jobid
    rotate acct [file]
    rotate log
    schedule [--retry-recipients] domain[/vmta]
    set priority [--queue=domain[/vmta]] [--orig=addr] [--rcpt=addr] [--jobId=id] [--envId=id] number
    set queue --mode={normal|backoff} domain[/vmta]
    show disabled sources [domain[/vmta]]
    show domains [--vmta=name] [--connected={yes|no}] [--maxitems=n] [--errors] [--sort={name|rcpt|size}] [name]
    show jobs [--maxitems=n]
    show license
    show precache
    show queues [--connected={yes|no}] [--paused={yes|no}] [--mode={normal|backoff}] [--maxitems=n] [--errors] [--sort={name|rcpt|size}] [--no-rcpt-events] [--mode-events] [domain[/vmta]]
    show registration
    show status
    show settings domain[/vmta]
    show topdomains [--vmta=name] [--connected={yes|no}] [--maxitems=n] [--errors]
    show topqueues [--connected={yes|no}] [--paused={yes|no}] [--mode={normal|backoff}] [--maxitems=n] [--errors] [--no-rcpt-events] [domain[/vmta]]
    show version
    show vmtas [--maxitems=n]
    test config
    trace [--log-data] [--log-resolution] [--to-log] [--retry-recipients] [--source-ip=ip] domain[/vmta]

Note: On Windows, you can also use the “/” character instead of “–” (but “–” works on all platforms).

6.2 Command Output Formats

pmta supports three output formats:

  • formatted plain text, intended for human consumption, e.g., for the system or services administrator executing PowerMTA commands. It is the default format if no options are passed to pmta.
  • XML format, intended for XML-enabled applications. It is selected by specifying the --xml option to pmta.
  • DOM-style variable listing, intended for non XML-capable applications and for quick Perl or shell scripts. It is selected by specifying the --dom option to pmta.

6.2.1 Sample Command Outputs

Included below are three sample command outputs along with the commands and options used to generate each. For comparison purposes, all three are based on the show status command.

Formatted Plain Text (pmta show status):

PowerMTA v4.5 status on example.port25.com on 2018-09-10 10:16:19

  Traffic    ------------inbound------------  ------------outbound-----------
                 rcpts      msgs      kbytes      rcpts      msgs      kbytes
      Total     939437      5940    233409.5     939430    939430  34550887.2
  Last Hour     939437      5940    233409.5     939263    939263  34544775.4
   Top/Hour     939437      5940    233409.5     939263    939263  34544775.4
  Last Min.      45063       298     11632.6      45021     45021   1658056.5
   Top/Min.      69881       458     18005.6      69115     69115   2489680.7

 Connections    active       top     maximum  Domain       cached     pending
    Inbound          0         1           5    Names           2           0
   Outbound      10000     10000       10000

     Queues      rcpts   domains      kbytes  Spool        in use    recycled
       SMTP      99459      2895   3985272.8    Files        5667           0
      other          0         0         0.0    Init.                complete

     Status    running    Started  2018-09-10 20:02:12    Uptime   0  0:20:01

XML Format (pmta --xml show status):

(Actual output will not be pretty-printed)

<rsp>
  <data>
    <mta>
      <product>
        <name>PowerMTA</name>
        <version>4.5</version>
        <buildDate>2015-08-31 16:07:03</buildDate>
        <revision>tags/v4_5c1@15693</revision>
        <bits>64</bits>
      </product>
      <lak>
        <serial>112345</serial>
        <instances>1</instances>
      </lak>
      <os>
        <name>Linux</name>
        <version>3.10.0-229.1.2.el7.x86_64</version>
        <build>CentOS Linux release 7.1.1503 (Core) </build>
      </os>
      <cpu>
        <type>x86_64</type>
        <count>12</count>
      </cpu>
      <ram>
        <real>32750628</real>
      </ram>
      <fullHostName>example.port25.com</fullHostName>
      <userString/>
      <hostId>0</hostId>
    </mta>
    <status>
      <timeNow>2015-09-01 10:17:07</timeNow>
      <startupTime>2015-08-31 16:22:01</startupTime>
      <shuttingDown>0</shuttingDown>
      <traffic>
        <total>
          <out>
            <rcp>5317436</rcp>
            <msg>5317436</msg>
            <kb>2788394.0</kb>
          </out>
          <in>
            <rcp>5104905</rcp>
            <msg>128951</msg>
            <kb>1951.8</kb>
          </in>
          <bounceProcessed>0</bounceProcessed>
          <feedbackLoopProcessed>0</feedbackLoopProcessed>
        </total>
        <lastHr>
          <out>
            <rcp>295376</rcp>
            <msg>295376</msg>
            <kb>97626.3</kb>
          </out>
          <in>
            <rcp>295358</rcp>
            <msg>7366</msg>
            <kb>111.4</kb>
          </in>
          <bounceProcessed>0</bounceProcessed>
          <feedbackLoopProcessed>0</feedbackLoopProcessed>
        </lastHr>
        <lastMin>
          <out>
            <rcp>4776</rcp>
            <msg>4776</msg>
            <kb>1669.2</kb>
          </out>
          <in>
            <rcp>4772</rcp>
            <msg>124</msg>
            <kb>1.9</kb>
          </in>
          <bounceProcessed>0</bounceProcessed>
          <feedbackLoopProcessed>0</feedbackLoopProcessed>
        </lastMin>
        <topPerHr>
          <out>
            <rcp>450637</rcp>
            <msg>450637</msg>
            <kb>1176613.1</kb>
          </out>
          <in>
            <rcp>303999</rcp>
            <msg>7591</msg>
            <kb>114.9</kb>
          </in>
          <bounceProcessed>0</bounceProcessed>
          <feedbackLoopProcessed>0</feedbackLoopProcessed>
        </topPerHr>
        <topPerMin>
          <out>
            <rcp>213222</rcp>
            <msg>213222</msg>
            <kb>1098011.2</kb>
          </out>
          <in>
            <rcp>8365</rcp>
            <msg>207</msg>
            <kb>3.1</kb>
          </in>
          <bounceProcessed>0</bounceProcessed>
          <feedbackLoopProcessed>0</feedbackLoopProcessed>
        </topPerMin>
        <perf>
          <lastMin>
            <in>
              <count>0</count>
              <mailFromTime>0</mailFromTime>
              <dataTime>0</dataTime>
              <totalTime>0</totalTime>
            </in>
          </lastMin>
        </perf>
      </traffic>
      <conn>
        <smtpIn>
          <cur>0</cur>
          <max>150</max>
          <top>1</top>
        </smtpIn>
        <smtpOut>
          <cur>0</cur>
          <max>500</max>
          <top>299</top>
        </smtpOut>
      </conn>
      <resolver>
        <namesCached>0</namesCached>
        <queriesPending>0</queriesPending>
        <queriesActive>0</queriesActive>
      </resolver>
      <queue>
        <smtp>
          <rcp>692</rcp>
          <dom>241</dom>
          <kb>10.4</kb>
        </smtp>
        <pipe>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </pipe>
        <discard>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </discard>
        <file>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </file>
        <alias>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </alias>
        <bounceProcessor>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </bounceProcessor>
        <feedbackLoopProcessor>
          <rcp>0</rcp>
          <dom>0</dom>
          <kb>0.0</kb>
        </feedbackLoopProcessor>
      </queue>
      <spool>
        <initPct>100</initPct>
        <dirs>1</dirs>
        <files>
          <inUse>491</inUse>
          <recycled>0</recycled>
          <total>491</total>
        </files>
        <totalRcp>692</totalRcp>
        <maxRcp>1000000</maxRcp>
      </spool>
      <status>running</status>
    </status>
  </data>
  <succ/>
</rsp>

DOM-Style (pmta --dom show status):

mta.product.name="PowerMTA"
mta.product.version="4.5"
mta.product.buildDate="2015-08-31 16:07:03"
mta.product.revision="tags/v4_5@15693"
mta.product.bits="64"
mta.lak.serial="112345"
mta.lak.instances="1"
mta.os.name="Linux"
mta.os.version="3.10.0-229.1.2.el7.x86_64"
mta.os.build="CentOS Linux release 7.1.1503 (Core) "
mta.cpu.type="x86_64"
mta.cpu.count="12"
mta.ram.real="32750628"
mta.fullHostName="example.port25.com"
mta.userString=""
mta.hostId="0"
status.timeNow="2015-09-01 10:17:50"
status.startupTime="2015-08-31 16:22:01"
status.shuttingDown="0"
status.traffic.total.out.rcp="5319661"
status.traffic.total.out.msg="5319661"
status.traffic.total.out.kb="2789142.9"
status.traffic.total.in.rcp="5107093"
status.traffic.total.in.msg="129008"
status.traffic.total.in.kb="1952.7"
status.traffic.total.bounceProcessed="0"
status.traffic.total.feedbackLoopProcessed="0"
status.traffic.lastHr.out.rcp="294091"
status.traffic.lastHr.out.msg="294091"
status.traffic.lastHr.out.kb="97231.2"
status.traffic.lastHr.in.rcp="294046"
status.traffic.lastHr.in.msg="7335"
status.traffic.lastHr.in.kb="111.0"
status.traffic.lastHr.bounceProcessed="0"
status.traffic.lastHr.feedbackLoopProcessed="0"
status.traffic.lastMin.out.rcp="3275"
status.traffic.lastMin.out.msg="3275"
status.traffic.lastMin.out.kb="1092.6"
status.traffic.lastMin.in.rcp="3242"
status.traffic.lastMin.in.msg="85"
status.traffic.lastMin.in.kb="1.3"
status.traffic.lastMin.bounceProcessed="0"
status.traffic.lastMin.feedbackLoopProcessed="0"
status.traffic.topPerHr.out.rcp="450637"
status.traffic.topPerHr.out.msg="450637"
status.traffic.topPerHr.out.kb="1176613.1"
status.traffic.topPerHr.in.rcp="303999"
status.traffic.topPerHr.in.msg="7591"
status.traffic.topPerHr.in.kb="114.9"
status.traffic.topPerHr.bounceProcessed="0"
status.traffic.topPerHr.feedbackLoopProcessed="0"
status.traffic.topPerMin.out.rcp="213222"
status.traffic.topPerMin.out.msg="213222"
status.traffic.topPerMin.out.kb="1098011.2"
status.traffic.topPerMin.in.rcp="8365"
status.traffic.topPerMin.in.msg="207"
status.traffic.topPerMin.in.kb="3.1"
status.traffic.topPerMin.bounceProcessed="0"
status.traffic.topPerMin.feedbackLoopProcessed="0"
status.traffic.perf.lastMin.in.count="0"
status.traffic.perf.lastMin.in.mailFromTime="0"
status.traffic.perf.lastMin.in.dataTime="0"
status.traffic.perf.lastMin.in.totalTime="0"
status.conn.smtpIn.cur="0"
status.conn.smtpIn.max="150"
status.conn.smtpIn.top="1"
status.conn.smtpOut.cur="0"
status.conn.smtpOut.max="500"
status.conn.smtpOut.top="299"
status.resolver.namesCached="0"
status.resolver.queriesPending="0"
status.resolver.queriesActive="0"
status.queue.smtp.rcp="655"
status.queue.smtp.dom="243"
status.queue.smtp.kb="9.9"
status.queue.pipe.rcp="0"
status.queue.pipe.dom="0"
status.queue.pipe.kb="0.0"
status.queue.discard.rcp="0"
status.queue.discard.dom="0"
status.queue.discard.kb="0.0"
status.queue.file.rcp="0"
status.queue.file.dom="0"
status.queue.file.kb="0.0"
status.queue.alias.rcp="0"
status.queue.alias.dom="0"
status.queue.alias.kb="0.0"
status.queue.bounceProcessor.rcp="0"
status.queue.bounceProcessor.dom="0"
status.queue.bounceProcessor.kb="0.0"
status.queue.feedbackLoopProcessor.rcp="0"
status.queue.feedbackLoopProcessor.dom="0"
status.queue.feedbackLoopProcessor.kb="0.0"
status.spool.initPct="100"
status.spool.dirs="1"
status.spool.files.inUse="476"
status.spool.files.recycled="0"
status.spool.files.total="476"
status.spool.totalRcp="655"
status.spool.maxRcp="1000000"
status.status="running"

6.3 Command Reference

6.3.1 clear dnscache

This command clears PowerMTA’s internal DNS cache, removing all entries for the given domain. If the domain is * all cached DNS data is discarded. On Unix the asterisk must be escaped with a backslash.

Syntax:

pmta clear dnscache domain

Example:

$ pmta clear dns *
DNS cache cleared.

$ pmta clear dns port25.com
Cleared port25.com from DNS cache.

6.3.2 check mfrom

This command has been deprecated since PowerMTA v4.5r10 because the Sender-ID standard checking performed by this command is obsolete.
Please use check spf instead.

6.3.3 check spf

This command checks whether a message with the given sender would pass the SPF check if sent from the given IP address. If the mailFrom parameter is specified, it will be used as the identity to check, else the heloDomain identity is checked.

Syntax:

pmta check spf [--tcp] [--dumppackets] ip heloDomain [mailFrom]

Options:

--tcp

use TCP (rather than the default UDP) for querying the name server(s).

--dumppackets

print out a hexadecimal dump of any DNS queries and responses exchanged with the name servers. It is ignored unless the output is in text format.


6.3.4 reload

PowerMTA reads its configuration during startup. Use this command to activate the new settings after making changes to the configuration file. The reload command is generally preferable to stopping and restarting PowerMTA because it is more efficient and does not cause an interruption in service.

If PowerMTA detects an error in the configuration file, the reload command fails and the previous in-memory configuration is retained.

Syntax:

pmta reload

Example:

$ pmta reload
Configuration reloaded.

6.3.5 reset counters

The reset counters command allows you to reset the various counters for statistics shown by PowerMTA in the output of show status command without having to restart the PowerMTA service.

Syntax:

pmta reset counters

Example:

$ pmta reset count
Traffic counters reset.

6.3.6 reset status

This command is just an alias to reset counters.


6.3.7 resolve

The resolve command queries DNS for mail routing information (MX and A/AAAA records) for the specified domain, displays that information, and optionally connects to the first available mailhost. It is intended to facilitate debugging connectivity problems to destination domains. For example, if you notice that the queue is building up for a specific domain, you can run resolve against that domain to figure out what problems exist and what if anything can be done to fix the problem.

Syntax:

pmta resolve [--tcp] [--connect] [--dumppackets] [--interactive] [--server=ip] [--source=[host,]ip] domainname

Defaults:

If no options are specified, DNS resolution is attempted via UDP and any relevant information is displayed, however no attempt is made to connect to a mailhost.

Options:

--tcp

this tells PowerMTA to use TCP (rather than the default UDP) for querying the name server(s)

--connect

this option tells PowerMTA to attempt to connect to the first available mailhost as well, after querying and displaying the specified domain’s DNS server for mail routing information.

--dumppackets

this option tells PowerMTA to print out an hexadecimal dump of any DNS queries and responses exchanged with the name servers. It is ignored unless the output is in textual format.

--interactive

this option allows the user to try various SMTP commands, to help diagnose problems.

--server

this option tells PowerMTA which DNS server to connect to when resolving hostnames.

--source

this option tells PowerMTA the internal IP address or hostname to use during the connection attempt.

Examples:

$ pmta resolve --connect outlook.com
Querying 127.0.0.1 over UDP about MX outlook.com
Read response from 127.0.0.1
answers:     ttl=60
    outlook.com. 60 IN MX 5 outlook-com.olc.protection.outlook.com.


Querying 127.0.0.1 over UDP about A outlook-com.olc.protection.outlook.com
Read response from 127.0.0.1
answers:     ttl=2
    outlook-com.olc.protection.outlook.com. 2 IN A 104.47.48.33
    outlook-com.olc.protection.outlook.com. 2 IN A 104.47.49.33

status = StatusOk
pref host name                              IP addresses
---- -------------------------------------- -------------------------
   5 outlook-com.olc.protection.outlook.com 104.47.48.33 104.47.49.33

connecting from localhost (0.0.0.0) to outlook-com.olc.protection.outlook.com (104.47.48.33)
>>> 220 CO1NAM05FT041.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 7 Feb 2019 15:18:50 +0000
<<< EHLO localhost
>>> 250-CO1NAM05FT041.mail.protection.outlook.com Hello
>>> 250-SIZE 49283072
>>> 250-PIPELINING
>>> 250-DSN
>>> 250-ENHANCEDSTATUSCODES
>>> 250-STARTTLS
>>> 250-8BITMIME
>>> 250-BINARYMIME
>>> 250-CHUNKING
>>> 250 SMTPUTF8
<<< STARTTLS
>>> 220 2.0.0 SMTP server ready
TLSv1.2 connected with 256-bit ECDHE-RSA-AES256-SHA384
Cert: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com; issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G3; verified=no
<<< EHLO localhost
>>> 250-CO1NAM05FT041.mail.protection.outlook.com Hello
>>> 250-SIZE 49283072
>>> 250-PIPELINING
>>> 250-DSN
>>> 250-ENHANCEDSTATUSCODES
>>> 250-8BITMIME
>>> 250-BINARYMIME
>>> 250-CHUNKING
>>> 250 SMTPUTF8
<<< QUIT
>>> 221 2.0.0 Service closing transmission channel
closed outlook-com.olc.protection.outlook.com (104.47.48.33) in=601 out=48
$ pmta --dom resolve yahoo.com
status="StatusOk"
host[0].pref="1"
host[0].name="mta5.am0.yahoodns.net"
host[0].ip[0]="98.137.159.25"
host[0].ip[1]="98.137.159.27"
host[0].ip[2]="98.137.159.28"
host[0].ip[3]="66.218.85.52"
host[0].ip[4]="67.195.228.141"
host[0].ip[5]="67.195.229.58"
host[0].ip[6]="67.195.229.59"
host[0].ip[7]="98.136.102.54"
host[1].pref="1"
host[1].name="mta6.am0.yahoodns.net"
host[1].ip[0]="74.6.137.63"
host[1].ip[1]="74.6.137.64"
host[1].ip[2]="74.6.137.65"
host[1].ip[3]="98.137.159.26"
host[1].ip[4]="98.137.159.28"
host[1].ip[5]="66.218.85.52"
host[1].ip[6]="67.195.228.141"
host[1].ip[7]="67.195.229.58"
host[2].pref="1"
host[2].name="mta7.am0.yahoodns.net"
host[2].ip[0]="67.195.229.58"
host[2].ip[1]="67.195.229.59"
host[2].ip[2]="98.136.101.117"
host[2].ip[3]="98.136.102.54"
host[2].ip[4]="98.137.159.24"
host[2].ip[5]="98.137.159.27"
host[2].ip[6]="98.137.159.28"
host[2].ip[7]="66.218.85.139"

6.3.8 rotate acct

This command instructs PowerMTA to immediately rotate all configured
accounting files. If a filename is specified in the command, only that
specified accounting file will be rotated. Immediate rotation does not
affect the automatic rotation at midnight, which is still performed.

Syntax:

pmta rotate acct [file]

Example:

$ pmta rotate acct
Accounting file rotated.

6.3.9 rotate log

This command instructs PowerMTA to immediately rotate the logging file. Immediate rotation does not affect the automatic rotation at midnight, which is still performed.

Syntax:

pmta rotate log

Example:

$ pmta rotate log
Logging file rotated.

6.3.10 schedule

Instructs PowerMTA to immediately request workers to be assigned to the specified queue(s) in order to start delivery attempts for messages queued in them. This command would be used, for example, if connectivity problems to a domain were fixed and the normal retry interval should be bypassed. A wildcard can also be specified in domain or vmta, allowing multiple domains/vmtas to be scheduled at once.

Syntax:

pmta schedule [--retry-recipients] domain/vmta

Options:

--retry-recipients

Recipients that received SMTP 4xx errors (such as “mailbox full”
error) are placed in a separate retry bucket where they are held for upto a period of time controlled by the per-domain setting retry-recipients-after. This flag overrides the retry-after period for recipients, and immediately makes them available for delivery attempts.

Example:

$ pmta schedule */*
154 of 3888 matching queues scheduled.

6.3.11 set queue

Sets the given queue’s mode of operation to either normal or backoff.
While in backoff mode, various different settings may apply. See the backoff-... directives in <domain> Directives for more information.

Wildcards can be used to modify various queues at the same time.

Syntax:

pmta set queue --mode={normal|backoff} domain/vmta

6.3.12 show domains

This command allows you to view current information on the specified destination domain(s).

Syntax:

show domains [--vmta=name] [--connected={yes|no}] [--maxitems=n] [--errors] [--sort={name|rcpt|size}] [name]

Options:

--vmta=name

displays only domains information for the given VirtualMTA. The default is to display (accumulated) information for all VirtualMTAs, including messages for which no VirtualMTA was selected.

--connected

displays domains to which PowerMTA has least one open outgoing connection. The default is to display both connected and unconnected domains.

--maxitems=n

specifies the maximum number of domains to be displayed in the output. By default, 20 domains are displayed.

--errors

displays any errors recorded for the domain.

--sort=key

sort output by key where key may be name to order the domain list alphabetically by name, rcpt to order the list by number of recipients or size to order the list by volume (kbytes).

name

domain name or wildcard specifying the domains about which information is to be displayed. If omitted, all domains are displayed
(subject to the maxitems limit).

Examples:

$ pmta show domains
-----------------------------domain --#rcpt ---kbytes conn last error----------
                   test1.port25.com       7      30.6    0
                  test10.port25.com       8      30.6    0
                  test11.port25.com       3      30.6    0
                  test12.port25.com      13      30.6    0
                  test13.port25.com       3      30.6    0
                  test14.port25.com       3      30.6    0
                  test15.port25.com       3      30.6    0
                  test16.port25.com      52      30.6    0
                  test17.port25.com       3      30.6    0
                  test18.port25.com       3      30.6    0 ETIMEDOUT connect...
                  test19.port25.com       3      30.6    0
                   test2.port25.com       3      30.6    0
                  test20.port25.com       3      30.6    0
                  test21.port25.com       3      30.6    0
                  test22.port25.com       3      30.6    0
                  test23.port25.com       3      30.6    0
                  test24.port25.com       3      30.6    0
                  test25.port25.com       3      30.6    0
                  test26.port25.com       3      30.6    0
                  test27.port25.com       3      30.6    0

20 of 30 domains shown.

6.3.13 show queues

This command allows you to view current information on the specified queues. The output also includes the last 50 delivery/bounce/deferral events by default.

Syntax:

show queues [--connected={yes|no}] [--paused={yes|no}] [--mode-events] [--mode={normal|backoff}] [--maxitems=n] [--errors] [--sort={name|rcpt|size}] [--no-rcpt-events] [queue] [name]

Options:

--connected

displays queues for which PowerMTA has least one open outgoing connection. The default is to display both connected and unconnected
queues.

--mode

displays only queues in the specified mode. The default is to display queues in all modes.

--maxitems=n

specifies the maximum number of queues to be displayed in the output. By default, 20 domains are displayed.

--errors

displays any errors recorded for the queue.

--sort=key

sort output by key where key may be name to order the queue list alphabetically by name, rcpt to order the list by number of recipients or size to order the list by volume (kbytes).

--no-rcpt-events

hides the delivery events, that by default are shown.

--paused={yes|no}

allows selecting only paused or running queues for display. By default, both are shown.

--mode-events

allows show the recent mode changes

queue

name of the queue(s) to display, in the format domain[/vmta], where domain is the destination domain name and vmta is the VirtualMTA. If omitted, both domain and vmta default to * (i.e., */*), which matches all queues.

Examples:

$ pmta show queue
queue           #rcpt kbytes conn st    retry last error
--------------- ----- ------ ---- -- -------- ----------
*/*
example.com/vmta1   2    0.2    0    09:35:42

Recipient Events (deliveries:4, bounces:1, deferrals:1)
-------------------------------------------------------
delivered | 2014-11-24 09:35:09 | 10.25.25.235 | kf@example.com | jobid10145783566176 | [192.168.10.48] (192.168.10.48) | smtp;250 DATA ok
delivered | 2014-11-24 09:31:07 | 10.25.25.235 | ft@example.com | jobid10145783566176 | [192.168.10.48] (192.168.10.48) | smtp;250 DATA ok
deferred | 2014-11-24 09:29:06 | 10.25.25.235 | np@example.com | jobid8363372138340 | [192.168.10.48] (192.168.10.48) | smtp;450 4.0.0 (undefined status);smtp;421 Refused. Your reverse DNS entry does not resolve.
delivered | 2014-11-24 09:26:06 | 10.25.25.235 | ce@example.com | jobid8363372138340 | [192.168.10.48] (192.168.10.48) | smtp;250 DATA ok
delivered | 2014-11-24 09:26:06 | 10.25.25.235 | rd@example.com | jobid10145783566176 | [192.168.10.48] (192.168.10.48) | smtp;250 DATA ok
bounced | 2014-11-24 09:36:09 | 10.25.25.235 | vc@example.com | jobid8363372138340 | [192.168.10.48] (192.168.10.48) | smtp;550 5.0.0 (undefined status);smtp;550 No Such User Here3 of 3 matching queues.

6.3.14 show jobs

This command allows you to view the jobs currently in PowerMTA’s queue.

Syntax:

show jobs [--maxitems=n]

Options:

--maxitems=n

specifies the maximum number of queues to be displayed in the output. By default all jobs are displayed.

Example:

$ pmta show jobs
-----------------------------job-id ----#rcpt ---kbytes
                    weeklyNews22100       431    1236.9

Total of 1 job(s).

6.3.15 show settings

This command allows you to view the (per-queue) settings for the specified domain and VirtualMTA.

Syntax:

show settings domain[/vmta]

Example:

$ pmta show settings port25.com/vmta1
Virtual MTA Settings
--------------------
max-smtp-msg-rate unlimited
max-smtp-out unlimited

Queue Settings
--------------
type smtp
add-x-msys-api-header no
allow-cancel-during-transfer yes
allow-priority-interruption yes
allow-priority-interruption-during-transfer no
assume-delivery-upon-data-termination-timeout no
auth-password ""
auth-username ""
backoff-max-connect-rate unlimited
backoff-max-msg-rate unlimited
backoff-max-smtp-out 20
backoff-notify ""
backoff-reroute-to-virtual-mta ""
backoff-retry-after 10m
backoff-to-normal-after never
backoff-to-normal-after-delivery no
backoff-upon-all-sources-disabled no
bcc-upon-delivery ""
bounce-after 4d12h
bounce-upon-5xx-greeting yes
bounce-upon-no-mx no
bounce-upon-pix-transfer-failure no
bounce-upon-transfer-failure no
check-spf-outbound no
connect-timeout 2m
data-send-timeout 3m
default-smtp-port 25
deliver-local-dsn yes
disable-acct-records ""
disable-mx-rollup no
disabled-source-ip-notify ""
dkim-add-body-limit no
dkim-add-timestamp no
dkim-algorithm rsa-sha256
dkim-body-canon relaxed
dkim-disallow-adding-headers ""
dkim-expire-after never
dkim-headers ""
dkim-headers-canon relaxed
dkim-identity sender-or-from
dkim-query-method ""
dkim-sign yes
ignore-8bitmime no
ignore-chunking yes
ignore-dsn no
ignore-pipelining no
log-commands no
log-connections no
log-data no
log-disabled-ips no
log-resolution yes
log-transfer-failures no
max-cold-virtual-mta-msg 0/d
max-connect-rate unlimited
max-errors-per-connection unlimited
max-events-recorded 10
max-msg-per-connection 20
max-msg-rate unlimited
max-rcpt-per-message 1000
max-smtp-out 20
mx-connection-attempts 10
notify-of-delay-every 4h
pix-bug-workaround yes
queue-priority 50
reenable-source-ip-after never
remove-header ""
replace-smtp-421-service-response no
require-starttls no
retry-after 10m
retry-recipients-after 600
retry-upon-new-mail no
reuse-ssl-session no
smtp-421-means-mx-unavailable no
smtp-553-means-invalid-mailbox yes
smtp-client-certificate ""
smtp-data-termination-timeout 10m
smtp-greeting-timeout 5m
smtp-hosts ""
smtp-multiple-line-response-timeout 5m
smtp-pattern-list ""
smtp-tls-allow-SSLv3 no
smtp-tls-allow-TLSv1 yes
smtp-tls-ca-file ""
sparkpost-ip-pool ""
sparkpost-sandbox no
track-recipient-events no
use-starttls yes
use-unencrypted-plain-auth no

6.3.16 show status

Displays various statistics and counters since last restart. The output includes totals, top throughput and queue information among other things.

Syntax:

pmta show status

Example:

$ pmta show status
PowerMTA v4.5 status on example.port25.com on 2018-09-10 10:16:19

  Traffic    ------------inbound------------  ------------outbound-----------
                 rcpts      msgs      kbytes      rcpts      msgs      kbytes
      Total     939437      5940    233409.5     939430    939430  34550887.2
  Last Hour     939437      5940    233409.5     939263    939263  34544775.4
   Top/Hour     939437      5940    233409.5     939263    939263  34544775.4
  Last Min.      45063       298     11632.6      45021     45021   1658056.5
   Top/Min.      69881       458     18005.6      69115     69115   2489680.7

 Connections    active       top     maximum  Domain       cached     pending
    Inbound          0         1           5    Names           2           0
   Outbound      10000     10000       10000

     Queues      rcpts   domains      kbytes  Spool        in use    recycled
       SMTP      99459      2895   3985272.8    Files        5667           0
      other          0         0         0.0    Init.                complete

     Status    running    Started  2018-09-10 20:02:12    Uptime   0  0:20:01

6.3.17 show topdomains

For displaying the top domains in the queue sorted by number of recipients. Since this command is equivalent to show domains --sort=rcpt, please see show-domains for more information on the various options.

Syntax:

pmta show topdomains [--vmta=name] [--connected={yes|no}] [--maxitems=n] [--errors]

6.3.18 show topqueues

For displaying the top queues sorted by number of recipients. Since this command is equivalent to show queues --sort=rcpt, please see show-queues for more information on the various options.

Syntax:

show topqueues [--connected={yes|no}] [--mode={normal|backoff}] [--maxitems=n] [--errors] [--paused={yes|no}] [--no-rcpt-events] [domain[/vmta]

6.3.19 show version

Displays PowerMTA’s version and build date.

Syntax:

pmta show version

Example:

$ pmta show ver
PowerMTA v4.5r12 (2017-11-22 14:27:54, 64-bit; tags/v4_5r12@17232).

6.3.20 show vmtas

This command displays a summary of the VirtualMTA(s) in use, as well as the number of recipients and message size in kilobytes within the VirtualMTA.

Syntax:

show vmtas [--maxitems=n]

Options:

--maxitems=n

specifies the maximum number of queues to be displayed in the output. By default all vmtas are displayed.

Example:

name    domains #rcpt % total kbytes conn
------- ------- ----- ------- ------ ----
vmta572      13    18       2    0.1   16
vmta103       1     8       1    0.1    8
vmta118       2     8       1    0.1    5
vmta808       2     8       1    0.1    2
vmta261       7     8       1    0.1    3
vmta188       1     7       1    0.0    0
vmta863       4     6       0    0.0    5

7 of 7 virtual MTAs.

6.3.21 trace

Instructs PowerMTA to open a connection to the specified domain and to attempt delivery of a single message from the queue. This command is similar to the schedule command, with the difference that it also automatically enables logging for the domain for the duration of one connection. If the --to-log switch is used, it is a shortcut to enabling logging in the configuration file, reloading the configuration, scheduling a call and undoing these changes when debugging is finished. By default, only the SMTP commands and responses are logged. The result of this command is written to the logging file.

Syntax:

pmta trace [--log-data] [--log-resolution] [--to-log] [--retry-recipients] [--source-ip=ip] domain/vmta

Options:

--log-data

this enables logging of data transfers as well, like the log-data option in the configuration file.

--log-resolution

this enables logging of the DNS resolution as well, like the log-resolution option in the configuration file.

--to-log

this enables logging trace info to the log file

--retry-recipients

Use of the retry-recipients flag will cause all the recipients of the queue that are in Await Retry bucket to become available for retry immediately.

--source-ip

Specifies the source IP used for connection attempts from a virtual mta with multiple smtp-source-hosts configured in it

domain[/vmta]

name of the queue(s) to display, where domain is the destination domain name and vmta is the VirtualMTA. If omitted, both domain and vmta default to * (i.e., */*), which matches all queues.

Example:

$ pmta trace yahoo.com
2019-02-07 22:31:24 starting port25.com/{default}
2019-02-07 22:31:24 connecting from foo.port25.com (::) to ASPMX.L.GOOGLE.com (2607:f8b0:400e:c07::1a)
2019-02-07 22:31:24 connected from [2600:1a17:a893:9b59:dac9:5dr1:de28:5324]:39339
2019-02-07 22:31:24 >>> 220 mx.google.com ESMTP u2si198147pgp.592 - gsmtp
2019-02-07 22:31:24 <<< EHLO foo.port25.com
2019-02-07 22:31:24 >>> 250-mx.google.com at your service
2019-02-07 22:31:24 >>> 250-SIZE 157286400
2019-02-07 22:31:24 >>> 250-8BITMIME
2019-02-07 22:31:24 >>> 250-STARTTLS
2019-02-07 22:31:24 >>> 250-ENHANCEDSTATUSCODES
2019-02-07 22:31:24 >>> 250-PIPELINING
2019-02-07 22:31:24 >>> 250-CHUNKING
2019-02-07 22:31:24 >>> 250 SMTPUTF8
2019-02-07 22:31:24 <<< STARTTLS
2019-02-07 22:31:24 >>> 220 2.0.0 Ready to start TLS
2019-02-07 22:31:24 tls:TLSv1.2 connected with 128-bit ECDHE-RSA-AES128-GCM-SHA256
2019-02-07 22:31:24 tls:Cert: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com; issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3; verified=no
2019-02-07 22:31:24 <<< EHLO foo.port25.com
2019-02-07 22:31:24 >>> 250-mx.google.com at your service
2019-02-07 22:31:24 >>> 250-SIZE 157286400
2019-02-07 22:31:24 >>> 250-8BITMIME
2019-02-07 22:31:24 >>> 250-ENHANCEDSTATUSCODES
2019-02-07 22:31:24 >>> 250-PIPELINING
2019-02-07 22:31:24 >>> 250-CHUNKING
2019-02-07 22:31:24 >>> 250 SMTPUTF8
2019-02-07 22:31:24 <<< QUIT
2019-02-07 22:31:24 >>> 221 2.0.0 closing connection u2si198147pgp.592 - gsmtp
2019-02-07 22:31:24 closed ASPMX.L.GOOGLE.com (2607:f8b0:400e:c07::1a) in=511 out=68
2019-02-07 22:31:24 done port25.com/{default}

6.3.22 delete

Deletes recipients from the queue. Although --queue‘s default is */*, the command requires either --queue or --jobId to be entered explicitly, so that an accidental pmta delete command doesn’t delete the entire queue. Messages are marked in the accounting file as deleted by administrator.

Syntax:

pmta delete [--dsn] [--queue=domain[/vmta]] [--orig=addr] [--rcpt=addr] [--jobId=id] [--envId=id] [--older-than=time-interval] [--no-accounting]

Options:

--dsn

specifies that a DSN report should be sent. Using this option may
slow the deletion process. No entry is written to the accounting file
unless the --accounting flag is used as well.

--queue

specifies which queue(s) to delete from, and defaults to all queues.

--orig

specifies that only recipients with the given MAIL FROM address be deleted

--rcpt

specifies that only recipient(s) with the given address are to be deleted

--jobId

specifies that only recipients with the given Job ID are to be deleted

--envId

specifies that only recipients with the given Envelope ID are to be deleted

--no-accounting

specifies that deletion information will not be written to the accounting file

--older-than

deletes all the recipients in the given queue that are older than the
given from the current time. The syntax for the time interval is same
as the syntax used to specify bounce-after in the configuration file.

Example:

$ pmta delete --queue=yahoo.com/*

6.3.23 pause queue

Pause delivery of messages for the given queue and prevents them from being delivered until they are resumed.

Syntax:

pmta pause queue domain[/vmta]

Example:

$ pmta pause queue */customer1
Queue(s) paused.

6.3.24 pause job

Pause delivery of messages for the given jobID, and prevents them from being delivered until they are resumed.

Syntax:

pmta pause job jobid

Example:

$ pmta pause job campaign1234
paused job.

6.3.25 resume queue

Resumes delivery of messages in the queue.

Syntax:

pmta resume queue domain[/vmta]

Example:

$ pmta resume queue */customer1
Queue(s) resumed.

6.3.26 resume job

Resumes delivery of messages matching the given jobID.

Syntax:

pmta resume job jobid

Example:

$ pmta resume job campaign1234
resumed job.

6.3.27 list

Lists recipients matching the provided options.

Syntax:

pmta list [--queue=domain[/vmta]] [--orig=addr] [--rcpt=addr] [--jobId=id] [--envId=id] [--maxitems=n] [--older-than=time-interval] [--pause] [--priority] [--schedule]

Options:

--queue

specifies which queue(s) to list from, and defaults to all queues.

--orig

specifies that only recipients with the given MAIL FROM address be listed

--rcpt

specifies that only recipients with the given RCPT TO address are to be listed.

--jobId

specifies that only recipients with the given Job ID are to be listed

--envId

specifies that only recipients with the given Envelope ID are to be listed.

--maxitems=n

specifies the maximum number of recipients to be displayed in the output. By default 100 recipients are displayed.

--pause

if recipient is being actively delivered, pause the delivery to enable showing the recipient in the output

--priority

display the priority of each recipient in the output of the command

--schedule

display the per-recipient schedule in the output of the command

--older-than=<time interval>

displays recipients that have been in the queue for longer than the specified time interval. For example, --older-than=24h will list all recipients that have been in the queue for longer than 24 hours. Other examples of valid time intervals are 6h, 2h15m, 4d12h.

Example:

$ pmta list --queue=yahoo.com/vmta1

6.3.28 show license

Allows listing license information from the command line.

Syntax:

pmta show license

Example:

$ pmta show license
  product: PowerMTA
  version: 4.5
 platform: linux-intel
    units: 0
instances: 1
 licensee: Foo Corp
   serial: 238478
   issued: 2016-12-10
  expires: 2100-03-20
copyright: Port25 Solutions, Inc.  All Rights Reserved

6.3.29 deregister

Deregisters a node for PowerMTA Management Console. This command will delete all data that has not yet been loaded into PowerMTA Management Console. This does not effect the user configured accounting files.

Syntax:

pmta deregister [--user=name] [--local-only] [--retain-unloaded]

Options:

--user

specifies the PowerMTA Management Console user account to use when deregistering

--local-only

only deregisters locally, registration will still exist in PowerMTA Management Console.

--retain-unloaded

prevents deleting accounting files that have not yet been loaded from PowerMTA into PMC. Useful when needing to deregister and then reregister without losing any data.

Example:

$ pmta deregister --retain-unloaded
Deregistration successful.
You may still need to remove this PowerMTA node manually from PowerMTA Management Console.

6.3.30 register

Registers a node with PowerMTA Management Console.

Syntax:

pmta register [--user=name] [--label=name] [--webmon-ip=ip] [--webmon-port=number]
[--pmtamc-port=number] [--reuse-label] pmtamc-hostname

Options:

--user

PowerMTA Management Console user to be used for registration

--label

Name of PowerMTA instance that will be shown in PowerMTA Management Console

--webmon-ip

IP address for PowerMTA Management Console to connect to PowerMTA instance

--webmon-port

Port for PowerMTA Management Console to connect to PowerMTA instance

--pmtamc-port

PowerMTA Management Console port to be used for registration

--reuse-label

If label was previously used, but deregistered, this allows label to be used again

--pmtamc-hostname

PowerMTA Management Console server to be used for registration

Example:

$ pmta register --label=pmta1server central.yourdomain.com
PowerMTA Management Console "admin" password:
Registration successful.
PowerMTA Management Console certificate fingerprint:
0B:1D:EC:9C:8F:20:4E:06:55:2C:A8:9B:A1:A6:05:C7:DD:07:93:01

For best security, please verify that the above value is the same as the one displayed on PowerMTA
Management Console's PowerMTA Management page.

6.3.31 show registration

Shows current PowerMTA Management Console registration information.

Syntax:

pmta show registration

Example:

$ pmta show registration
Currently registered with PowerMTA Management Console cental.yourdomain.com:8181 as "pmta1server"
PowerMTA Management Console certificate fingerprint:
0B:1D:EC:9C:8F:20:4E:06:55:2C:A8:9B:A1:A6:05:C7:DD:07:93:01

6.3.32 disable source

Disables the given source IP from being used for delivering email from the given queue.

Syntax:

pmta disable source [--reenable-after=interval] ip domain[/vmta]

Example:

$ pmta disable source --reenable-after=1h 1.2.3.4 yahoo.com/vmta1

6.3.33 enable source

Enables the given source IP to be used for delivering email from the given queue.

Syntax:

pmta enable source ip domain[/vmta]

Example:

$ pmta enable source 1.2.3.4 yahoo.com/vmta1

6.3.34 show disabled sources

Shows currently disabled source IPs for the given queue.

Syntax:

pmta show disabled sources [domain[/vmta]]

Example:

$ pmta show disabled sources yahoo.com/vmta1

6.3.35 show precache

Shows currently precached domains.

Syntax:

pmta show precache

Example:

$ pmta show precache

6.3.36 set priority

Sets priority for individual messages that match the given criteria.

Syntax:

pmta set priority [--queue=domain[/vmta]] [--orig=addr] [--rcpt=addr] [--jobId=id] [--envId=id] number

Example:

$ pmta set priority --rcpt=ceo@example.com 100

6.3.37 test config

Can be used to verify whether the syntax of the configuration file is correct without reloading PMTA’s running configuration.

Syntax:

pmta test config

Example:

$ pmta test config
Error in line 11 of /etc/pmta/config: argument missing

7 Application Programming Interfaces

PowerMTA includes various programming interfaces (APIs) intended to facilitate the creation of email enabled applications and to optimize the way in which messages are submitted to PowerMTA. The following APIs are available:

  • submission APIs, for submitting email from Perl, Java, .NET, C++, and C programs.
  • a “pickup” directory, for submitting pre-formatted email by copying it into a directory.
  • “pipe” delivery, for delivering email to a local program.

Use of the APIs may require the use of the always-allow-api-submission directive.

On Windows Server, any applicable API materials can be found in the api subdirectory within the folder into which PowerMTA was installed. On Linux, these can be found on /opt/pmta/api.

7.1 Submission APIs

The submission APIs allow you to programmatically submit messages for delivery by PowerMTA. Since most users already have pre-formatted messages to send, the APIs mostly concern themselves with the transport of such messages. However, they do include a Date: header generator and a Base64 encoder to facilitate the jobs of those creating messages from scratch.

The submission APIs are object-oriented and comprise three objects:

  • a Connection which represents a connection to a PowerMTA server.
  • a Message which represents the message being submitted.
  • a Recipient which represents the message’s recipients.

The general procedure for submitting a message is pretty straightforward:

  • connect to a PowerMTA server by creating a Connection.
  • create a Message.
  • create one or more Recipients and add them to the Message.
  • add headers and body to the Message by invoking the addData method one or more times.
  • submit the message by invoking the Connection‘s submit method, passing the Message to it.

Other methods are available to set various delivery options, select automatic data encoding, etc. See the language-specific sections below for more information.

NOTE: The submission API doesn’t have any clear advantage over the SMTP connection in terms of speed except in the cases where mailmerge is used and multiple recipients are sent per message.

7.1.1 Requirements

The submission APIs can be run remotely or locally, as they use a modified version of SMTP.

Applications using the submission APIs must also have the proper authorization. On Windows Server, programs must run under either the SYSTEM account or under an account belonging to the Administrators group.

On Unix, programs must either run as root or from an username who belongs to the pmta group. The pmta group is created automatically during PowerMTA’s installation.

The following are required when using the Perl, .NET, or Java APIs:

  • Perl 5.12 or newer when using the Perl API
  • .NET 2.0 or better when using the .NET API
  • Java 6 or better (for JavaMail: JavaMail and Java Activation Framework from Sun’s download site as detailed in the JavaDoc from the archive) when using the Java API
  • PowerMTA needs to be configured with always-allow-relaying yes and allow-mailmerge yes for the appropriate <source>. always-allow-api-submission yes can be used as well, as this will set allow-mailmerge yes. If you want to use authentication you need to define users and passwords and allow auth for the source.
  • It is recommend to add no more than 5000 recipients per batch submission. In the event that the batch fails, this will affect fewer recipients. Also, this helps keep memory usage to a minimum.

7.1.2 Perl Submission API

To install on Linux, the Submitter package is distributed in the standard CPAN format, so you will need to unpack, compile and install as follows:

# cd /opt/pmta/api
# tar -xzf Port25-Submitter-1.5.tar.gz
# cd Port25-Submitter-1.5
# perl Makefile.PL
# make test
# make install

To install on Windows, use the following commands (possibly changing the path first). Currently only Perl 5.6 is supported:

ppm install --location=C:\pmta\api Port25-Submitter
ppm install --location=C:\pmta\api Port25-Accounter

Documentation for the perl APIs is provided in perldoc format. The APIs are available from the download site.

perldoc Port25::Submitter
perldoc Port25::Submitter::Connection
perldoc Port25::Submitter::Message
perldoc Port25::Submitter::Recipient

7.1.3 Java Submission API

To use the Java API, include pmta.jar in your classpath. If you want to use PowerMTA with Oracle’s JavaMail API, install the provided javamail.providers file according to your system configuration. See the JavaMail documentation for details.

Documentation for the Java APIs is provided in JavaDoc format.

On Windows, it can be found in the pmtajavadoc.zip file in the api\java subdirectory of where PowerMTA was installed.

On Linux, it can be found in the /opt/pmta/api/java/doc/javadoc directory as /opt/pmta/api/java/doc/javadoc/index.html.

7.1.4 C++ Submission API

In C++, the three objects described in Submission APIs are available in the include files submitter/Connection.hxx, submitter/Message.hxx and submitter/Recipient.hxx.

On Windows, you can find these files in the api\include subdirectory of where PowerMTA was installed. On Linux, that is /opt/pmta/api/include.

All the methods in the submission API throw an exception in case of an error. Any errors render the object unusable, after which you should discard it.


7.1.4.1 Connection::Connection

Creates a new connection.

Connection(const char* server, int port, const char* name = "", const char*  password = "")
  • server server to which to connect, either as an numeric IP address or a host name.
  • port port number to connect to; use 25 for the default SMTP port.
  • name user name for authentication with the remote server. Leave name and password empty if you don’t want to use authentification.
  • password password to use for authentication. Authentication is done with CRAM-MD5, so no password is ever sent to the remote server.

7.1.4.2 Connection::submit

Submits a message for delivery.

void Connection::submit(const Message& message)

7.1.4.3 Message::Message

Creates a new message.

Message::Message(const char* originator)
  • originator the new message’s originator.

7.1.4.4 Message::setVerp

Sets whether this message should use the VERP extension.

void Message::setVerp(bool isVerp)

7.1.4.5 Message::setReturnType

Sets the type of message return requested in delivery reports.

void Message::setReturnType(PmtaMsgRETURN type)
  • type should be one of:
    • PmtaMsgRETURN_HEADERS (default) return only this message’s headers
    • PmtaMsgRETURN_FULL return the full message headers and body

7.1.4.6 Message::setEnvelopeId

Sets this message’s envelope ID.

void Message::setEnvelopeId(const char* envelopeId)

7.1.4.7 Message::setVirtualMta

Selects the VirtualMTA to use for this message.

void Message::setVirtualMta(const char* virtualMta)

7.1.4.8 Message::setJobId

Sets the job id for this message. This tags the message as belonging to the specified job.

void Message::setJobId(const char* jobId)
  • jobId id of the job (printable, non-white space characters only).

7.1.4.9 Message::addRecipient

Adds a recipient to this message. Do not make any changes to a recipient after it has been added to the message.

void Message::addRecipient(const Recipient& r)

7.1.4.10 Message::setEncoding

Sets the kind of encoding to perform on data. The encoding applies to all thereafter added data. The actual processing performed depends on the encoding selected: PmtaMsgENCODING_7BIT and PmtaMsgENCODING_8BIT
both select the identity encoding, i.e., no transformation is performed on the data, except that any lines terminated with LF alone are converted to CRLF. In the case of 7-bit encoding, it is your responsibility to ensure that all bytes have their high bit off. PmtaMsgENCODING_BASE64
specifies that any data added shall be encoded on the fly using base-64 encoding. No transformation is performed on the data prior to encoding, making it possible to transmit binary content. Note, however, that to effectively transmit binary data, you must also provide the appropriate MIME headers. In fact, the selected encoding should, in general, agree with the Content-Transfer-Encoding header you specify. The default (if this method is never invoked) is PmtaMsgENCODING_7BIT.

void Message::setEncoding(PmtaMsgENCODING encoding)
  • encoding Data encoding desired. This should be one of:
    • PmtaMsgENCODING_7BIT
    • PmtaMsgENCODING_8BIT
    • PmtaMsgENCODING_BASE64

7.1.4.11 Message::beginPart

Starts the next mailmerge part which will have the given number. Note that part 1 is started automatically, so the first settable number is
2.

void Message::beginPart(int partNum)
  • partNum positive integer for the part number. No part number may be specified more than once.

7.1.4.12 Message::addData

Appends data to this message. Use this method to give this message both its headers and a body. How the data you add is handled depends on the kind of encoding selected (see setEncoding). All the data is entered as-is, with no mailmerge variable substitution being performed. To add mailmerge data, use addMergeData.

void Message::addData(const char* data, int length)
  • data data to append (as-is).
  • length length of the data block.

7.1.4.13 Message::addData

Appends null-terminated data to this message. This is a convenience method to facilitate adding C strings directly.

void Message::addData(const char* data)
  • data null-terminated data to append (as-is).

7.1.4.14 Message::addMergeData

Appends merge data to this message. Use this method to give this message both its headers and a body. How the data you add is handled depends on the kind of encoding selected (see setEncoding).
Currently only 7-bit and 8-bit encodings are supported. If any mailmerge variables are included in the data, they will be substituted by their respective values.

void Message::addMergeData(const char* data, int length)
  • data data to append.
  • length length of the data block.

7.1.4.15 Message::addMergeData

Appends null-terminated merge data to this message. This is a convenience method to facilitate adding C strings directly.

void Message::addMergeData(const char* data)
  • data null-terminated merge data to append.

7.1.4.16 Message::addDateHeader

Adds (appends) a Date: header to this message. This method appends a date header line to the message. It is provided as a convenience function.

void Message::addDateHeader()

7.1.4.17 Recipient::Recipient

Creates a new recipient with the given email address.

Recipient::Recipient(const char* address)

7.1.4.18 Recipient::setNotify

Sets the kind of notification (report) desired for this recipient. By default, notification is only requested upon delivery failure.

void Recipient::setNotify(int notifyWhen)
  • notifyWhen should be either PmtaRcptNOTIFY_NEVER to indicate that no notification is desired, or one or more of the following flags (joined by a bitwise OR):
    • PmtaRcptNOTIFY_SUCCESS notify in case the delivery is successful
    • PmtaRcptNOTIFY_FAILURE notify in case of a delivery failure
    • PmtaRcptNOTIFY_DELAY notify in case of a delay in the delivery

7.1.4.19 Recipient::defineVariable

Defines a new mailmerge variable for this recipient. PowerMTA will substitute the variable for its value during delivery of a mailmerge message. Carriage returns and line feeds may be added to a variable with
\r or \n respectively.

void Recipient::defineVariable(char* name, char* value)
  • name the variable’s name.
  • value the variable’s value.

Examples:

Recipient rcpt("me@here.com");
rcpt.defineVariable("cr", "A\rB");             // one linebreak
rcpt.defineVariable("lf", "A\nB");             // one linebreak
rcpt.defineVariable("crLf", "A\r\nB");         // one linebreak
rcpt.defineVariable("literalCrLf", "A\\r\\nB");  // no linebreaks

7.1.5 C Submission API

In C, the three objects described in Submission APIs are available as sets of functions which share a common prefix. Connection‘s functions all begin with PmtaConn and are defined in the file submitter/PmtaConn.h. Message‘s functions all begin with PmtaMsg and are defined in the file submitter/PmtaMsg.h; and Recipient‘s functions all begin with PmtaRcpt and are defined in the file submitter/PmtaRcpt.h.

On Windows, you can find these files in the api\include subdirectory of where PowerMTA was installed. On Linux, that is /opt/pmta/api/include.

In order to differentiate between “out of memory” conditions and other errors, object creation is split in two calls: allocation and initialization. To create an object, you first call its ...Alloc
function. If memory cannot be allocated, a null pointer is returned;
otherwise, a pointer to the object is returned, which you then pass to the object’s initialization function: PmtaConnConnect, PmtaMsgInit and PmtaRcptInit, for a Connection, Message or Recipient object, respectively.

When done with an object, you should call the object’s ...Free method to discard its resources.

Most of the functions in the submission API return a BOOL
(boolean) value. You should check every return value to make sure that no errors occurred. If an error occurs, you can find out what went wrong by calling either PmtaConnGetLastError, PmtaMsgGetLastError or PmtaRcptGetLastError
(depending on which object the error occurred). Any errors render the object unusable, after which you should discard it with the appropriate ...Free function.


7.1.5.1 PmtaConnAlloc

Allocates a new connection. After allocating, invoke PmtaConnConnectRemote to establish the connection to the PowerMTA server. It returns the new connection, or 0 if not enough memory was available.

PmtaConn PmtaConnAlloc()

7.1.5.2 PmtaConnConnect

Deprecated Use one of ..Connect functions below.


7.1.5.3 PmtaConnConnectRemote

Connects to a PowerMTA server. No login / authentication is done. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaConnGetLastError.

PMTACALL(BOOL) PmtaConnConnectRemote(PmtaConn connection, const char* server, int port);
  • connection connection to establish.
  • server string containing the server to which to connect. This can be a host name or an IP address. Use “127.0.0.1” for the local machine.
  • port which port to connect to. Use 25 for the default SMTP port.

7.1.5.4 PmtaConnConnectRemoteAuth

Connects to a PowerMTA server using the given credentials. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaConnGetLastError.

PMTACALL(BOOL) PmtaConnConnectRemoteAuth(PmtaConn connection,
                                         const char* server, int port,
                                         const char* username,
                                         const char* password);
  • connection connection to establish.
  • server string containing the server to which to connect. This can be a host name or an IP address.
  • port to which port to connect. Use 25 for the default SMTP port.
  • username local user name for logging in to PowerMTA. PowerMTA must be configured to allow authentication.
  • password password for the given user name.

7.1.5.5 PmtaConnSubmit

Submits a message for delivery. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaConnGetLastError.

BOOL PmtaConnSubmit(PmtaConn connection, PmtaMsg message)
  • connection connection through which to submit the message.
  • message message to submit.

7.1.5.6 PmtaConnFree

Discards this connection object, freeing any resouces used by it.
This automatically closes the connection to the server, if any.

void PmtaConnFree(PmtaConn connection)
  • connection connection to discard.

7.1.5.7 PmtaConnGetLastError

Returns the last error that occurred on this connection. This function should only be called immediately after an error occurred.

const char* PmtaConnGetLastError(PmtaConn connection)
  • connection connection to query for an error.

7.1.5.8 PmtaConnGetLastErrorType

Returns the type of the last error occurred (one of the PmtaApiERROR codes defined in PmtaApi.h.). This function should only be called immediately after an error occurred.

int PmtaConnGetLastErrorType(PmtaConn connection)
  • connection connection to query for an error.

7.1.5.9 PmtaMsgAlloc

Allocates a new message. Once allocated, the new message must be initialized with PmtaMsgInit. Once done with the message, invoke PmtaMsgFree to free its resources. Returns 0 if not enough memory was available.

PmtaMsg PmtaMsgAlloc()

7.1.5.10 PmtaMsgInit

Initializes a new message. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgInit(PmtaMsg message, const char* originator)
  • message Newly allocated message to initialize.
  • originator Address for the new message’s originator.

7.1.5.11 PmtaMsgFree

Frees memory allocated for this message.

void PmtaMsgFree(PmtaMsg message)

7.1.5.12 PmtaMsgSetVerp

Sets whether this is a VERP message. If you enable VERP, PowerMTA will encode both the originator and recipient addresses in the originator address used for delivering the message. This may make tracking any bounces easier, since you can always derive the original addresses from the address where the bounce is sent. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgSetVerp(PmtaMsg message, BOOL isVerp)
  • message Message to set.
  • isVerp TRUE if the message should be VERP.

7.1.5.13 PmtaMsgSetReturnType

Sets the type of message return requested in delivery reports. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgSetReturnType(PmtaMsg message, PmtaMsgRETURN type)
  • message Message to set.
  • type This should be one of:
    • PmtaMsgRETURN_HEADERS (default) return only this message’s headers
    • PmtaMsgRETURN_FULL return the full message headers and body

7.1.5.14 PmtaMsgSetEnvelopeId

Sets this message’s envelope ID. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgSetEnvelopeId(PmtaMsg message, const char* envelopeId)
  • message Message to set.
  • envelopeId Envelope ID for this message.

7.1.5.15 PmtaMsgSetVirtualMta

Selects the VirtualMTA to use for this message. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgSetVirtualMta(PmtaMsg message, const char* virtualMta)
  • message Message to set.
  • virtualMta name of the VirtualMTA to use.

7.1.5.16 PmtaMsgSetJobId

Sets the job id for this message. This tags the message as belonging to the specified job. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgSetJobId(PmtaMsg message, const char* jobId)
  • message Message to set.
  • jobId id of the job, printable, non-white space characters only.

7.1.5.17 PmtaMsgAddRecipient

Adds a recipient to this message. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

Do not make any changes to a recipient after it has been added to the message. Once added, a recipient should be freed with PmtaRcptFree.

BOOL PmtaMsgAddRecipient(PmtaMsg message, PmtaRcpt recipient)
  • message Message to set.
  • recipient Recipient to add.

7.1.5.18 PmtaMsgSetEncoding

Sets the kind of encoding to perform on data. The encoding applies to all thereafter added data. The actual processing performed depends on the encoding selected: PmtaMsgENCODING_7BIT and PmtaMsgENCODING_8BIT
both select the identity encoding, i.e., no transformation is performed on the data, except that any lines terminated with LF alone are converted to CRLF. In the case of 7-bit encoding, it is your responsibility to ensure that all bytes have their high bit off. PmtaMsgENCODING_BASE64
specifies that any data added shall be encoded on the fly using base-64 encoding. No transformation is performed on the data prior to encoding, making it possible to transmit binary content. Note, however, that to effectively transmit binary data, you must also provide the appropriate MIME headers. In fact, the selected encoding should, in general, agree with the Content-Transfer-Encoding header you specify. The default (if this function is never invoked) is PmtaMsgENCODING_7BIT. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgSetEncoding(PmtaMsg message, PmtaMsgENCODING encoding)
  • message Message to set.
  • encoding Data encoding desired. This should be one of:
    • PmtaMsgENCODING_7BIT
    • PmtaMsgENCODING_8BIT
    • PmtaMsgENCODING_BASE64

7.1.5.19 PmtaMsgBeginPart

Starts the next mailmerge part which will have the given number. Note that part 1 is started automatically, so the first settable number is
2. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgBeginPart(PmtaMsg message, int partNum)
  • message Message to set.
  • partNum positive integer for the part number. No part number may be specified more than once.

7.1.5.20 PmtaMsgAddData

Adds (appends) data to this message. Use this function to give this message both its headers and a body. How the data you add is handled depends on the kind of encoding selected (see PmtaMsgSetEncoding). All the data is entered as-is, with no mailmerge variable substitution being performed. To add mailmerge data, use PmtaMsgAddMergeData. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgAddData(PmtaMsg message, const char* data, int length)
  • message Message to which to add.
  • data Data to add.
  • length Length of the data block.

7.1.5.21 PmtaMsgAddMergeData

Adds (appends) mailmerge data to this message. Use this function to give this message both its headers and a body. How the data you add is handled depends on the kind of encoding selected (see PmtaMsgSetEncoding). Currently only 7-bit and 8-bit encodings are supported. If any mailmerge variables are included in the data, they will be substituted by their respective values. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgAddMergeData(PmtaMsg message, const char* data, int length)
  • message Message to which to add.
  • data Merge data to add.
  • length Length of the data block.

7.1.5.22 PmtaMsgAddString

Adds (appends) a string to this message. This function is identical to PmtaMsgAddData, except that it expects a ‘0’-terminated string and computes the length of the data automatically. It is provided as a convenience function only. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgAddString(PmtaMsg message, const char* str)
  • message Message to which to add.
  • str Null-terminated string to add.

7.1.5.23 PmtaMsgAddMergeString

Adds (appends) a mailmerge string to this message. This function is identical to PmtaMsgAddMergeData,
except that it expects a ‘0’-terminated string and computes the length of the data automatically. It is provided as a convenience function only. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaMsgAddMergeString(PmtaMsg message, const char* str)
  • message Message to which to add.
  • str Null-terminated string to add.

7.1.5.24 PmtaMsgAddDateHeader

Adds (appends) a Date: header to this message. This function appends a date header line to the message. It is provided as a convenience function only.

BOOL PmtaMsgAddDateHeader(PmtaMsg message)

7.1.5.25 PmtaMsgGetLastError

Returns the last error that occurred on this message. This function should only be called immediately after an error occurred.

const char* PmtaMsgGetLastError(PmtaMsg message)
  • message Message to query for an error.

7.1.5.26 PmtaMsgGetLastErrorType

Returns the type of the last error occurred (one of the PmtaApiERROR codes defined in PmtaApi.h). This function should only be called immediately after an error occurred.

int PmtaMsgGetLastErrorType(PmtaMsg message)
  • message Message to query for an error.

7.1.5.27 PmtaRcptAlloc

Allocates a new recipient. Once allocated, the new recipient must be initialized with PmtaRcptInit. When no longer needed (e.g., after adding the recipient to a message), its resources should be freed by calling PmtaRcptFree. Returns 0 if not enough memory was available.

PmtaRcpt PmtaRcptAlloc()

7.1.5.28 PmtaRcptInit

Initializes a new recipient. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaRcptInit(PmtaRcpt recipient, const char* address)
  • recipient Newly allocated recipient to initialize.
  • address email address for the recipient.

7.1.5.29 PmtaRcptFree

Frees storage allocated by this recipient. To avoid memory leaks, this function should be called on every recipient allocated, whether it has been added to a message or not.

void PmtaRcptFree(PmtaRcpt recipient)

7.1.5.30 PmtaRcptSetNotify

Sets the kind of notification (report) desired for this recipient. By default, notification is only requested upon delivery failure. Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaRcptSetNotify(PmtaRcpt recipient, int notifyWhen)
  • recipient Recipient to set
  • notifyWhen This should be either PmtaRcptNOTIFY_NEVER to indicate that no notification is desired, or one or more of the following flags (joined by a bitwise OR):
    • PmtaRcptNOTIFY_SUCCESS notify in case the delivery is successful
    • PmtaRcptNOTIFY_FAILURE notify in case of a delivery failure
    • PmtaRcptNOTIFY_DELAY notify in case of a delay in the delivery

7.1.5.31 PmtaRcptDefineVariable

Defines a new mailmerge variable for this recipient. PowerMTA will substitute the variable for its value during delivery of a mailmerge message. Carriage returns and line feeds may be added to a variable with
\r or \n respectively (Assuming that rcpt is of type PmtaRcpt and is properly initialized). Returns TRUE in case of success, FALSE in case of failure. The cause of the error can be obtained with PmtaMsgGetLastError.

BOOL PmtaRcptDefineVariable(PmtaRcpt recipient, const char* name, const char* value)
  • recipient recipient whose variable is being defined.
  • name the variable’s name.
  • value the variable’s value.

Examples:

if (!PmtaRcptDefineVariable(rcpt, "cr", "A\rB")) {      // one linebreak
    fprintf(stderr, "Error defining cr variable: %s\n",
                    PmtaRcptGetLastError(rcpt));
    return 1;
}
if (!PmtaRcptDefineVariable(rcpt, "lf", "A\nB")) {      // one linebreak
    fprintf(stderr, "Error defining lf variable: %s\n",
                    PmtaRcptGetLastError(rcpt));
    return 1;
}
if (!PmtaRcptDefineVariable(rcpt, "crlf", "A\r\nB")) {  // one linebreak
    fprintf(stderr, "Error defining crlf variable: %s\n",
                    PmtaRcptGetLastError(rcpt));
    return 1;
}

if (!PmtaRcptDefineVariable(rcpt, "literalCrlf", "A\\r\\nB")) {  // no linebreaks
    fprintf(stderr, "Error defining literalCrlf variable: %s\n",
                    PmtaRcptGetLastError(rcpt));
    return 1;
}

7.1.5.32 PmtaRcptGetLastError

Returns the last error occurred on this recipient. This function should only be called immediately after an error occurred.

const char* PmtaRcptGetLastError(PmtaRcpt recipient)
  • recipient Recipient to query for an error.

7.1.5.33 PmtaRcptGetLastErrorType

Returns the type of the last error occurred (one of the PmtaApiERROR codes defined in PmtaApi.h). This function should only be called immediately after an error occurred.

int PmtaRcptGetLastErrorType(PmtaRcpt recipient)
  • recipient Recipient to query for an error.

7.1.6 .NET Submission API

Documentation for the .NET APIs is provided in doc folder.

On Windows, it can be found in the api\dotnet subdirectory of where PowerMTA was installed.

7.2 Pickup Directory

PowerMTA can be instructed to pick up message files from a directory.
To submit a message, you write it to a file, formatting it according to Internet email standards but preceding it with envelope information in special headers: x-sender, x-receiver and, optionally, x-envid and x-job.
You then move this file to the pickup directory, from where PowerMTA reads it into its message spool and performs delivery. It is recommend to add no more than 5000 recipients per pickup file.

The x-sender header should be in the first line in the file, followed by one or more x-receiver headers, each in its own line. You can also optionally set the DSN envelope ID and the job ID by adding the x-envid and x-job headers respectively. The x-sender and x-receiver headers must contain the email addresses only, with no free form name, no <>s, etc. For example:

x-sender: me@over.here
x-receiver: you@over.there
x-receiver: someone.else@some.other.place
x-envid: me-0001
x-job: love-2003-01
From: Myself Personally <me@over.here>
To: You <you@over.there>
Date: Thu, 6 Jul 2000 07:45:43 -0400
Subject: I love it

Hey, did you know that ...

Note that in the example above, someone.else@some.other.place is BCC’ed, i.e., blind copied: he or she receives a copy of the message but is not included in the recipient headers.

PowerMTA’s pickup directory also supports the x-sender-override header, which allows you to override the contents of x-sender. If x-sender-override is present, its contents override the sender specified in x-sender, if any. This is useful when you wish to customize the message sender despite the software you’re using to create the messages not allowing for that. Typically that software will still allow you to pass additional headers, such as x-sender-override.

Other than reading the sender and receiver email address headers and removing them from the message, no other header or body processing takes place. You are responsible for properly formatting the message.

Instead of creating the file elsewhere and then moving to the pickup directory, it is also possible to create the file directly in it.
However, since PowerMTA must repeatedly attempt to lock the file for exclusive access, it is less efficient to do so.

To configure PowerMTA for a pickup directory, specify the pickup
directory. You must also specify a directory as the “bad mail”
directory, to which messages are moved if there is a permanent error processing the message.

7.2.1 BSMTP files

The pickup directory also supports BSMTP (batched SMTP) files. A BSMTP file is simply a file that contains all of the SMTP commands necessary for submitting a message batched together in one text file.
For example:

MAIL FROM:<me@over.here>
RCPT TO:<you@over.there>
DATA
From: Myself Personally <me@over.here>
To: You <you@over.there>
Date: Thu, 6 Jul 2000 07:45:43 -0400
Subject: I love it

Hey, did you know that ...
.

The pickup directory supports the following SMTP commands: HELO, EHLO, MAIL, RCPT and DATA. Additionally, it also supports PowerMTA’s extended SMTP mailmerge commands (XMRG, XDFN, XPRT and XACK), allowing for both mailmerge and non-mailmerge messages to be created.

To be recognized as such, BSMTP files need not be marked in any special way, other than the first command be one of: HELO, EHLO, MAIL, XACK or XACK.

Like in traditional pickup files, only one message may be submitted per file. However, since mailmerge is supported, the message submitted may actually be a template used for many recipients. See Pickup Directory Submission for examples on using the pickup directory for submitting mailmerge messages.

If any commands cannot be successfully processed, the entire file is rejected and moved to the “bad file” directory. For certain recipient address related errors, however, you have the option of requesting that PowerMTA bounce the recipient rather than rejecting the file during submission. This is activated by disabling recipient acknowledgements, using PowerMTA’s XACK SMTP extension. For example:

XACK OFF
MAIL FROM:<me@over.here>
RCPT TO:<you@over.there>
RCPT TO:<notyou@not..here>
DATA
From: Me Personally <me@over.here>
To: (recipients omitted)
Date: Thu, 6 Jul 2000 07:45:43 -0400
Subject: I love it

Hey, did you know that ...
.

In the example above, despite the error in the second recipient’s domain, the file would not be rejected, but a bounce would be sent to the address in the MAIL FROM.

Mailmerge SMTP extensions describes PowerMTA’s mailmerge extensions; look at The XACK SMTP extension for the XACK extension.

7.3 Pipe Delivery

PowerMTA can be configured to deliver email to another program on the same machine. It does so by starting the program for each new recipient and writing the message to the program’s standard input. The mechanism used to pass on the message is called “pipe”, so this feature is named
“pipe delivery”.

To use pipe delivery, you add domain definitions for one or more domains, specifying a type of pipe and defining the command to run for starting the pipe receiver program. For example:

<domain bounces.company.com>
    type pipe
    command "c:\\path\\bounceproc.exe --envid $envid"
</domain>

Note that since the backslash character is also used for escaping other characters (such as spaces, quotes and the dollar sign), you need to specify it twice where you want just one to appear. On Windows, you can also use the (forward) slash character to specify paths, so in the example above it could have been c:/path/bounceproc.exe.

Before starting the program, PowerMTA substitutes any macros found in the command line (such as $envid
in the example above), allowing you to pass on additional message-related parameters to the pipe receiver program. The complete list of macros supported and other configuration directives for pipe domains are described in Pipe Delivery Directives.

7.3.1 Delivering mail to local users

PowerMTA’s pipe delivery can be used to deliver email to local users. The special local
domain name makes this simple to configure by concentrating all email destined to recipients on any of the local domains. PowerMTA will use the hostname of the OS and any host-names configured in PowerMTA, to determine if an email is local. On Unix systems, it is often sufficient to specify procmail as the command to execute for pipe delivery:

<domain local>
    type pipe
    command "/usr/bin/procmail -t -Y -d $user"
</domain>

Note, however, that PowerMTA does not currently process the /etc/aliases or .forward files.

Alternatively, the same could be done be explicitly specifying the domain name as in this example:

<domain bounces.yourdomain.com>
    type pipe
    command "/usr/bin/procmail -t -Y -d $user"
</domain>

The same is also available on Windows, but you will need to provide a pipe delivery processor that can write the messages in a way your user agents (i.e., email clients) understand.

7.3.2 Pipe Delivery Programs Included With PowerMTA

PowerMTA comes with two (fully functional) sample programs to be used with the new pipe delivery functionality; appendtofile, which appends messages to a file, and newfile, which writes each message to a separate (new) file.

appendtofile appends the message and / or arguments passed to it to the file specified. The syntax for appendtofile is:

appendtofile [--nomsg] filename 
  • where filename is the name of the file to which to append the data and text
    is an optional text or a supported macro to write in front of each message. If the first command line argument given to appendtofile is
    –nomsg (or /nomsg), it will just apppend the text or the macro’s value to the file. You can thus choose to either save the complete message to the file or just the summary data passed on the command line, such as only the recipient address of the message (when using the $to macro).

newfile writes each message to a separate (new) file. The syntax for newfile is simply:

newfile dirname
  • where dirname is the directory where the message file should be created. If the given directory does not yet exist, newfile automatically creates it. Each message file name is automatically generated by newfile, and will have a ‘.msg’ extension.

For greatest flexibility, you can use the supported macro substitutions described in Pipe Delivery Directives to automatically pass message-dependent file names and directory names. For example, appendtofile c:/pipe/$domain in the command directive will append messages to the file named after the domain of the recipient address, given the presence of the $domain macro. A message sent to test@port25.com would be appended to a file named port25.com in the directory c:\pipe, while a message sent to test@powermta.com would be appended to a file named powermta.com in the same directory.

In the typical scenario where the pipe delivery applications are used to store and process bounces, using the $domain macro results in files named after the originator / SMTP MAIL FROM domain you used in your original messages, since the recipient address of a bounce report is the original MAIL FROM address used.

For example, if you used a MAIL FROM domain of bounces5.port25.com for all of your messages for customer or campaign ID #5, the file bounces5.port25.com would contain the bounce reports for the messages of this customer or campaign. The configuration for this would be:

<domain bounces5.port25.com>
    type pipe
    command "c:/pmta/bin/appendtofile.exe c:/pipe/$domain"
</domain>

Alternatively, with the --nomsg and passing the $to macro to appendtofile as well, like in:

<domain bounces5.port25.com>
    type pipe
    command "c:/pmta/bin/appendtofile.exe --nomsg c:/pipe/$domain $to"
</domain>

only the recipients would be written to a file (given the $to), which is named after the domain of the recipients (given the $domain), port25.com.

With newfile, if you had a configuration like:

<domain bounces5.port25.com>
    type pipe
    command "c:/pmta/bin/newfile.exe c:/pipe/$domain"
</domain>

newfile will create subdirectories named after the recipients’ domains, and only create message files within the appropriate subdirectories. Using the example above with the domain bounces5.port25.com as the domain of your originator address, when bounces come in, the directory created would be c:\pipe\bounces5.port25.com, and which would contain only files / messages received for the recipients of that domain. If you had PowerMTA handling inbound mail for 50 separate domains, newfile would create 50 separate subdirectories, each named for a different domain, and containing only messages for that domain.

7.3.3 Accessing Files Created By The Sample Applications

Since, in principle, new messages may be delivered at any time through the sample applications, special care must be taken when accessing the files these applications create to avoid loss of data

newfile solves concurrency conflicts by using a naming convention: it initially creates files with a .tmp suffix (“extension”) and when done writing to them, renames them to .msg. This makes it very easy to access the files: you can freely access all the .msg files, while leaving any .tmp files alone.

Doing the same for appendtofile is a little more challenging, since it writes data to the same file and due to the differences in file lock handling across the PowerMTA platforms. To allow access to appendtofile-generated files in a simple and uniform way, Port25 provides a program named pmtagetfile, which moves the contents of a given file.

To use pmtagetfile, you simply run it passing the name of the file to which appendtofile writes and the new destination file name on the command line. For example,

pmtagetfile c:/pmta-pipe/port25.com.txt c:/tmp/port25.com.txt

moves the file c:\pmta-pipe\port25.com.txt to c:\tmp\port25.com.txt.

Once in the new directory, the file is out of appendtofile‘s reach, and you can safely process it as required. Note that the pmtagetfile
program will fail if the first file listed does not exist (nothing to copy from) or if the second file already exists (preventing accidental overwriting of previous data). Also, pmtagetfile does not work across file system boundaries, i.e., the the new file must be on the same file system or drive (on Unix and Windows systems, respectively). To move a file to a different file system, use pmtagetfile to first move it away from appendtofile
to a safe place on the same file system, and then move that file with your usual tools (Explorer, shell commands, etc.) to the desired location.

Please note that pmtagetfile is only intended for use with files written by appendtofile or with files written to by File Delivery.

7.3.4 Writing Your Own Pipe Delivery Programs

For convenience and flexibility, the sample pipe delivery programs detailed above are also provided in source code, allowing you to modify or customize as needed.

The program used for pipe delivery should terminate with certain specific exit codes. On Unix systems, these are defined in /usr/include/sysexits.h. On Windows, a corresponding file is included in the api\include
directory. Depending on the exit code, PowerMTA will consider the delivery to have succeeded or to have temporarily or permanently failed and generate any DSN delivery reports as appropriate:

exit code action DSN status
EX_OK delete 2.0.0 (success)
EX_USAGE bounce 5.5.4 (invalid command arguments)
EX_NOUSER bounce 5.1.1 (bad destination mailbox address)
EX_NOHOST bounce 5.1.2 (bad destination system address)
EX_CANTCREAT bounce 5.2.0 (mailbox-related failure)
EX_UNAVAILABLE bounce 5.3.0 (mail system-related failure)
EX_SOFTWARE bounce 5.3.0 (mail system-related failure)
EX_OSFILE bounce 5.3.0 (mail system-related failure)
EX_NOINPUT bounce 5.3.0 (mail system-related failure)
EX_OSERR retry 4.3.0 (mail system-related failure)
EX_IOERR retry 4.3.0 (mail system-related failure)
EX_TEMPFAIL retry 4.0.0 (transient failure)
EX_DATAERR bounce 5.5.2 (syntax error)
EX_PROTOCOL bounce 5.5.0 (protocol-related failure)
EX_CONFIG bounce 5.3.5 (system incorrectly configured)
EX_NOPERM bounce 5.7.1 (delivery not authorized)

If you use appendtofile but for some reason would like to replace pmtagetfile, please look into pmtagetfile‘s sources first to better understand how it works to avoid file locking conflicts.

8 VirtualMTA Support

8.1 Overview

Increasing volumes of email have prompted many ISPs and email administrators to proactively filter or block incoming email. While their intentions are honest, this also results in the blocking of legitimate mail for sites running on or delivering through a shared mail gateway. Traditionally, all mail sent from a shared MTA or gateway is sent from same host name and IP addresses. Since ISPs and email administrators tend to initially key on the source IP address for blocking incoming mail, more aggressive senders, or simply higher volume customers delivering through a shared MTA will almost certainly put all others at risk of being blocked.

To maximize deliverability and minimize collateral blocking of legitimate email on shared gateways, Port25 has developed VirtualMTA
technology within PowerMTA. Simply put, this functionality allows sites to define and control both the source IP address and host name for each message. This allows for creating VirtualMTAs for separate and specific campaigns, customers or departments, while still running just one instance of PowerMTA.

8.2 VirtualMTA Definitions

VirtualMTAs are defined via the new <virtual-mta> directive. Defining a VirtualMTA entails creating a <virtual-mta>
tag with the desired name and listing its host name and SMTP source IP(s). For example, if you wanted to create a VirtualMTA named mta1, you would simply add in the configuration file:

<virtual-mta mta1>
    smtp-source-host 1.2.3.4 mta1.port25.com
</virtual-mta>

Changes to the VirtualMTA definitions are reloadable via the pmta reload command and do not require a restart.

Note that if you leave out the smtp-source-host
directive in the definition, PowerMTA will use the corresponding global settings for that VirtualMTA. Since that may or may not be the desired result, Port25 always recommends that you specify at least one smtp-source-host
within each VirtualMTA definition. For example, you could use the desired host name as the VirtualMTA name, but you would still need to specify the host-name directive to ensure that the right host name is used:

<virtual-mta mta2.port25.com>
    smtp-source-host 2.3.4.5 mta2.port25.com
</virtual-mta>

Lastly, if more than one smtp-source-host address is listed in a definition, PowerMTA will use the various source IPs in round robin fashion for connections from that VirtualMTA:

<virtual-mta mta3>
    smtp-source-host 1.2.3.4 mta4.port25.com
    smtp-source-host 2.3.4.5 mta5.port25.com
    smtp-source-host 3.4.5.6 mta6.port25.com
</virtual-mta>

VirtualMTA directives only apply when the VirtualMTA has been selected as described in Selecting a VirtualMTA or VirtualMTA Pool. Otherwise, they are simply ignored. More information about smtp-source-host directive can be found in PowerMTA Configuration section.

8.3 VirtualMTA Pools

PowerMTA supports the defining and selecting of VirtualMTA pools per message or campaign as well, which are basically multiple VirtualMTAs grouped in a pool. When a pool is defined and selected for a campaign, PowerMTA will use the VirtualMTAs listed in round robin fashion for connections from that pool.

VirtualMTA pools are defined via the new <virtual-mta-pool> directive. Defining a pool entails creating a <virtual-mta-pool>
group with the desired name and listing the VirtualMTAs that you want belonging to that pool. For example, if you wanted to create a VirtualMTA pool named pond, you would first define the specific VirtualMTAs to be part of pond, as described in VirtualMTA Definitions, and then subsequently list each of the VirtualMTAs that are to be included using the virtual-mta directive:

<virtual-mta mta1>
    smtp-source-host 1.2.3.4 mta1.port25.com
</virtual-mta>

<virtual-mta mta2>
    smtp-source-host 2.3.4.5 mta2.port25.com
</virtual-mta>

<virtual-mta-pool pond>
    virtual-mta mta1
    virtual-mta mta2
</virtual-mta-pool>

Note that PowerMTA will not accept a VirtualMTA pool definition if the pool name equals a previously defined VirtualMTA name, given that you select a VirtualMTA pool and/or VirtualMTA via the same headers and function calls, as detailed in Selecting a VirtualMTA or VirtualMTA Pool.

A <domain> may be defined inside of a <virtual-mta-pool>.
If this is done, the defined directives will be inherited by any VirtualMTA that is part of the pool. If a conflicting directive is defined directly in the given VirtualMTA, the directive in the VirtualMTA overrides the one defined in the <virtual-mta-pool>.

The following directives are also supported:

cold-virtual-mta
domain-key
max-smtp-out
max-smtp-msg-rate
include-headers-from

8.4 Selecting a VirtualMTA or VirtualMTA Pool

PowerMTA supports various methods of selecting a VirtualMTA (or pool), depending on your submission method:

The selection methods above are listed in the order of precedence within each submission methods.

Using mailmerge may effect how VirtualMTA selection is done. When using mailmerge and the API or SMTP, the x-virtual-mta will apply to the entire mailmerge job, not individual recipients (in most cases using the first defined x-virtual-mta).

When using mailmerge and pattern lists, VirtualMTA selection will be for each recipient when matching the RCPT TO, and will only be for each recipient for the MAIL FROM when using the *from mailmerge variable. When not using the *from, or when using header matching, all recipients in the mailmerge job will use the same VirtualMTA (in most cases the first matched pattern).

Note that one selects a VirtualMTA pool using the same exact header, directives or function call, but using the pool name instead of the VirtualMTA name.

8.4.1 Selecting a VirtualMTA with a X-virtual-MTA Header

To select a VirtualMTA with the X-virtual-MTA header, you need to:

  1. define the VirtualMTA(s) or VirtualMTA pool(s) in the configuration file using the <virtual-mta> directive.
  2. define the specific IP address or IP address range for the source of the messages that it is applicable using the expanded <source> directive.
  3. define the ability for PowerMTA to process the x-virtual-mta header via the process-x-virtual-mta directive, within the <source> directive defined in step 2.

After setting up the configuration file properly, you simply need to then add the x-virtual-mta header to your message specifying the VirtualMTA name, like in

x-virtual-mta: yyyyy

where yyyyy is the VirtualMTA name in the configuration file. PowerMTA will remove the x-virtual-mta header by default before ultimate delivery, so it will not be seen by the recipient’s mail gateway or the recipient.

For example, assuming that you had the following VirtualMTA definition in your configuration file:

<virtual-mta mta1>
    smtp-source-host 1.2.3.4 mta1.port25.com
</virtual-mta>

and you wanted PowerMTA to process the x-virtual-mta header for mail arriving from the local IP address 127.0.0.1 for selecting a VirtualMTA, you would need to have the following in your configuration file:

<source 127.0.0.1>
    process-x-virtual-mta yes # allow selection of a VirtualMTA using x-virtual-mta header
    always-allow-relaying yes # allow feeding from 127.0.0.1
</source>

With this, any messages submitted from the local IP address 127.0.0.1 that contained the header x-virtual-mta: mta1 would have PowerMTA using VirtualMTA mta1
and its parameters when making connections to deliver these messages.
One can also select a VirtualMTA pool to be used for messages in the same manner.

The entire message (in this example, submitted through the pickup directory) could thus read:

x-sender: me@over.here
x-envid: me-0001
x-receiver: you@over.there
x-virtual-mta: mta1
From: Me <me@over.here>
To: You <you@over.there>
Date: Thu, 13 Mar 2018 07:45:43 -0400
Subject: PowerMTA is the best

Hey, this new VirtualMTA technology really improves delivery rates!

8.4.2 Selecting a VirtualMTA by Regular Expression Matching

Sites can also have PowerMTA use a VirtualMTA or VirtualMTA pool for specific messages by way of regular expression pattern matching of the SMTP MAIL FROM address, the SMTP RCPT TO address, or a header, based on the IP address of the source of the message.

To select a VirtualMTA or VirtualMTA pool based on regular expression pattern matching, you

  1. define the VirtualMTAs or VirtualMTA pools in the configuration file using the <virtual-mta> directive.
  2. define the name for the regular expression pattern list using the <pattern-list> directive.
  3. define the actual regular expression pattern to use for matching the SMTP MAIL FROM, the RCPT TO address, or a header as well as subsequent VirtualMTA or VirtualMTA pool to use when a match occurs, via the mail-from, rcpt-to, and header directives. These directives are defined within the <pattern-list> definition created in step 2.
  4. define the specific IP address or IP address range for the source of the messages that is applicable within the expanded <source> directive.
  5. define the pattern-list directive using the corresponding name defined in step 2 within the <source> directive defined in step 4. Conditional pattern matching as defined in <pattern-list> Directives may also be used.

For example, assuming that you had the following VirtualMTA definitions in your configuration file:

<virtual-mta mta1>
    smtp-source-host 1.2.3.4 mta1.port25.com
</virtual-mta>

<virtual-mta mta2>
    smtp-source-host 2.3.4.5 mta2.port25.com
</virtual-mta>

and you wanted PowerMTA to match the patterns “abc” and “xyz” at the beginning of the MAIL FROM address in order to select the appropriate VirtualMTA to use for each, you would need to have at a minimum the following in your configuration file:

<pattern-list group2>
    mail-from /^abc/ virtual-mta=mta1
    mail-from /^xyz/ virtual-mta=mta2
</pattern-list>

<source 127.0.0.1>
    pattern-list group2 # this selects the pattern list for messages from this IP
    always-allow-relaying yes # allow feeding from 127.0.0.1
</source>

With this, any messages submitted from the local IP address 127.0.0.1 would have PowerMTA using regular expression matching on the MAIL FROM address, and if PowerMTA found “abc” at the beginning of the address
(for example abc-2890u8@bounces.port25.com), VirtualMTA mta1 and its parameters would be used when making connections to deliver these messages. For messages submitted that had a MAIL FROM starting with “xyz”, for example xyz-ljwer@bounces.port25.com, VirtualMTA mta2 and its parameters would instead be used when making connections to deliver these messages.

To additionally select some other VirtualMTA for recipients at yahoo.com, you could add a rcpt-to directive as below:

<pattern-list group2>
    mail-from /^abc/ virtual-mta=mta1
    mail-from /^xyz/ virtual-mta=mta2
    rcpt-to /@yahoo.com$/ virtual-mta=mta3
</pattern-list>

...

Per the examples above, you can see that PowerMTA can use different matching patterns for different campaigns, customers and/or mailings simultaneously, in order to use different VirtualMTAs or VirtualMTA pools for each.

More than one mail-from, rcpt-to and header directives are allowed within a <pattern-list>
definition, and since the first match is used, you will want to list the most likely matches first. Only one pattern-list is allowed within a
<source> group.

Conditional matching is allowed as well. For example, if you want wanted all emails that have a MAIL FROM of X, and a RCPT TO of Y, that is allowed in a pattern similar to the following:

<pattern-list patterns>
    mail-from /X/ <pattern-list>
        rcpt-to /Y/ virtual-mta=vmta2
        rcpt-to /Z/ virtual-mta=vmta1
        * virtual-mta=vmta2
    </pattern-list>
</pattern-list>

For more information on conditional pattern matching, see <pattern-list> Directives.

Note that simple to advanced regular expression pattern matching is supported, and which is based on Perl Compatible Regular Expressions
(PCRE).

8.4.3 Selecting a VirtualMTA by the IP Address/Port Receiving Connections

For added flexibility, PowerMTA supports the ability to select a VirtualMTA based on the IP address (and TCP port number) on the PowerMTA machine to which you connect when submitting your messages.

For example, if you have 10 VirtualMTAs defined, each with a different IP address, you could select the VirtualMTA to use for each message simply by making your SMTP connection to the specific IP address defined on your PowerMTA machine for the specific VirtualMTA.

This is accomplished through named <source> tags, in conjunction with the smtp-listener directive. Named <source>
tags allow you to specify directives that override those normally selected by source IP address; they apply only when referenced in the smtp-listener directive (and for authenticated users — see Implementation for Inbound Connections.

For example, to select VirtualMTA vmta1 by its assigned smtp-source-host address 1.2.3.4 and the standard SMTP port (25), you would configure:

<virtual-mta vmta1>
    smtp-source-host 1.2.3.4 vmta1.yourdomain.com
    ...
</virtual-mta>

<source vmta1>
default-virtual-mta vmta1
</source>

smtp-listener 1.2.3.4:25 source=vmta1

Multiple smtp-listener entries can be specified in a configuration file, each of which specifying a different IP address and/or port.

Since the named source’s directives apply to anyone who can connect to the listener’s IP address and port, one should be careful about what is entered there. For example, always-allow-relaying should most probably not
be enabled in the named source. Instead, permission for relaying, for accessing the mailmerge extensions, etc. should be based on authenticated sources (see Implementation for Inbound Connections) or on the source IP address, as in the example below:

<virtual-mta vmta1>
    smtp-source-host 1.2.3.4 vmta1.yourdomain.com
    ...
</virtual-mta>

smtp-listener 1.2.3.4:25 source=vmta1
smtp-listener 0.0.0.0:25

<source vmta1>
default-virtual-mta vmta1
</source>

<source 10/8>
allow-mailmerge yes
always-allow-relaying yes
</source>

<source 0/0>
allow-mailmerge no
always-allow-relaying no
</source>

Above, VirtualMTA vmta1 is selected by default for any messages received through 1.2.3.4 on the PowerMTA machine. The default listener on 0.0.0.0:25 is retained through its own smtp-listener directive. Permission for relaying and for using the mailmerge extensions is granted to connections coming from <source 10/8>, whether they connect to 1.2.3.4 or not.

8.4.4 Selecting a VirtualMTA by the Source IP Address

For sites that are using applications that do not allow them to create custom X-headers within their messages, or for sites feeding PowerMTA messages from a variety of different SMTP applications and machines, PowerMTA supports the ability to select and use VirtualMTAs based only on the IP address of the source of the message.

To select a VirtualMTA or VirtualMTA pool based on the IP address of the original source of the message, you need to:

  1. define the VirtualMTAs or VirtualMTA pools in the configuration file using the <virtual-mta> directive.
  2. define the specific IP address or IP address range for the source of the messages that is applicable using the expanded <source> directive.
  3. define the VirtualMTA to use for messages via the new default-virtual-mta directive within the <source> directive defined in step 2.

For example, assuming that you had the following VirtualMTA definition in your configuration file:

<virtual-mta mta1>
    smtp-source-host 1.2.3.4 mta1.port25.com
</virtual-mta>

and you wanted only mail coming from the local IP address 127.0.0.1 to use this VirtualMTA by default for each message (without having to specify an x-virtual-mta header in the messages), you would need to have at a minimum the following in your configuration file:

<source 127.0.0.1>
    default-virtual-mta mta1 # selects a VirtualMTA/pool by source of the message
    always-allow-relaying yes # allow feeding from 127.0.0.1
</source>

With this, any messages submitted from the local IP address 127.0.0.1 would have PowerMTA using VirtualMTA mta1 and its parameters when making connections to deliver these messages. One can also select a VirtualMTA pool to be used for messages coming from the specific IP address by instead specifying a VirtualMTA pool name via the default-virtual-mta directive.

You can basically define as many different source IP addresses or IP address ranges for messages in the configuration file as you wish, with each using a different VirtualMTA or VirtualMTA pool.

8.4.5 Selecting a VirtualMTA by a VirtualMTA IP address

In addition to the above, a VirtualMTA can be selected based on which PowerMTA IP is used for the connection, and the corresponding VirtualMTA that is configured with that IP. To use this selection method, the source directive default-virtual-mta will need to be used with a setting of by-smtp-source-ip in place of a VirtualMTA name.

When configured in this way, on an inbound SMTP connection PowerMTA will use as the default VirtualMTA that whose smtp-source-host setting equals the destination IP address on the inbound connection.

Example:

<virtual-mta mta1>
    smtp-source-host 1.2.3.4 vmta1.port25.com
</virtual-mta>

<source 0/0>
    default-virtual-mta by-smtp-source-ip
</source>

In the above example, connecting to IP address 1.2.3.4 would automatically route the message through VirtualMTA “mta1”.

8.5 Changing VirtualMTAs on the Fly

There may be times when you need to change or even cancel a VirtualMTA definition after mail has already been queued for it, so PowerMTA has been designed to handle these scenarios.

8.5.1 Changing a VirtualMTA

If you change the host name and/or source IP addresses of a VirtualMTA after email has already been queued, PowerMTA will use the new information for all new connections once the configuration file has been reloaded. However, if connections were already established when the changes are loaded, the old VirtualMTA information will be used for the duration of those connections.

8.5.2 Canceling a VirtualMTA

If you would like to cancel a VirtualMTA after messages have already been queued, you can simply delete or comment its definition out of the configuration file (and run the pmta reload command).
PowerMTA will use the new information for all new connections once the configuration file has been reloaded. However, if connections were already established when the changes are loaded, the old VirtualMTA information will be used for the duration of those connections.

If a message selects a VirtualMTA which does not exist when PowerMTA attempts to deliver it, that message is bounced with the DSN status

5.3.5 (specified VirtualMTA does not exist)

9 Mailmerge Support

9.1 Overview

PowerMTA includes internal mailmerge support to maximize performance and efficiency in the creation, queueing, and delivery of customized email messages. PowerMTA’s mailmerge implementation supports both simple keyword or phrase merging as well as merging of larger blocks of data
(such as paragraphs or body parts) for respective recipients. Merging does not depend on the actual message contents and can thus be used for both text and HTML formatted messages.

The process is basically similar to general mailmerge implementations. Your application generates a pre-formatted merge file or recipe
that includes all of the recipient data (recipient addresses, names, order information, etc.) to be merged for each recipient, along with a message template. The message template includes the respective pointers to the variable content and data blocks to be merged in. Based on this, PowerMTA then creates the final merged (i.e., customized) messages for each recipient at actual delivery time.

PowerMTA mailmerge is supported with all of the current mail submission methods. Mailmerge submissions through SMTP and the pickup directory (BSMTP) are supported through special protocol extensions.

9.2 Benefits

While PowerMTA is designed to handle the queueing and delivery of very large volumes of customized messages, inline mailmerge support via PowerMTA Mailmerge offers additional performance and efficiency advantages to all components of your solution. Some of the obvious benefits are:

  • decreased responsibility and load on your CRM or email marketing application by shifting the merging to PowerMTA.
  • increased feeding performance by application to PowerMTA, given that you would be feeding far fewer messages to PowerMTA for the same number of recipients.
  • increased efficiency and delivery throughput given the decrease of the I/O impact on your PowerMTA machine. There will be a huge decrease in the number of queued mail files in the spool for the same number of recipients, allowing for maximum scalability. For example, instead of one spool file for each recipient in the queue, with PowerMTA Mailmerge you could have 10,000 recipients in a single spool file.

9.3 Configuration Requirements

No special configuration is needed to submit mailmerge messages through the submission APIs or the pickup directory. However, to use the mailmerge SMTP extensions, you must enable them with the allow-mailmerge directive for the IP address(es) from which you will be submitting the messages:

<source 127.0.0.1>
    allow-mailmerge yes
</source>

9.4 Creating Mailmerge Messages

9.4.1 Message Template and Mailmerge Variables

Creating mailmerge messages is easy. The first task is to create a message template, marking and labeling the portions that you would like customized for each recipient, like in the example below:

From: shipping-confirmation@example.port25.com
Subject: Your order #[OrderNumber] shipped!

[First_Name],

Your order #[OrderNumber] was shipped on [ShipTime]. Thank you for your
business!

The labels for the customized portions are names of the variables which define what the content for each portion.

Once you have created your message template, you define the content for of these variables for the various recipients. For example, for one recipient you may want to have First_Name set to Bob, OrderNumber set to 1234-56 and ShipTime to 7/14 10:00. In the example above, this would yield:

From: shipping-confirmation@example.port25.com
Subject: Your order #1234-56 shipped!

Bob,

Your order #1234-56 was shipped on 7/14 10:00. Thank you for your
business!

Mailmerge variables are defined per recipient, and you cannot use the same variable name to define more than one set of data in the same message. Variable names are case-insensitive, e.g. name and Name are the same variable. Variable names may be composed of the letters (a-z and A-Z), the digits (0-9), and the underscore (_). The first character in a variable name must be a letter.

As noted above, variable substitutions are enclosed in square brackets in the message template. To include a square bracket itself, simply write it twice. For example,

[First_Name],

Please fill out the fields below marked with square brackets [[].
...

would become (for a First_Name of “George”)

George,

Please fill out the fields below marked with square brackets []
...

9.4.2 Reserved Variables

Variable names beginning with an asterisk are “reserved” and have a special meaning to PowerMTA:

*from

overrides the SMTP MAIL FROM (originator) address for the recipient’s message.

*envid

overrides the DSN envelope ID for the recipient’s message, for better tracking in bounces and in the accounting file. This setting overrides any other method of defining the envelope ID.

*vmta

selects the VirtualMTA (or VirtualMTA pool) through which the recipient’s message should be delivered. This setting overrides any of the other VirtualMTA selection methods described in Selecting a VirtualMTA or VirtualMTA Pool.

*jobid

defines the job (or campaign) ID for the recipient’s message, for tracking in the WWW based monitoring facility. If set, the content of this variable overrides any job ID already set for the recipient’s message. x-job header can be used with Mailmerge, but using *jobid is faster.

*parts

defines the list of merge parts to include in the recipient’s message. For example, if your message has 3 parts, numbered 1, 2 and 3 and you want to include all of them in the recipient message, you should set *parts=1,2,3 or shorter, *parts=1-3. If you wanted part 3 to go before part 2 in the recipient’s message, you would set *parts=1,3,2.

*to

merges in the defined RCPT TO/recipient email address. This variable is automatically set from the recipient address and cannot be overridden.

*date

merges in the message’s reception date & time stamp. This variable is automatically set and cannot be overridden.

*schedule

sets the delivery schedule for the recipient in a message. This overrides any schedule that may be defined in the message body.

*priority

sets the priority of a recipient to the specified value. The value must be a number in the range 1-100, with higher values signifying higher priority for the recipient. The default priority for a recipient, if not set, is 50. If “*priority” is used, it overrides the priority value, if any, obtained from <pattern-list> for the same recipient.


9.4.3 Merge Parts

Each message template is made up of one or more sections called merge parts.
A merge part can be a sentence, a paragraph, a block of paragraphs, a body part, or even the message headers. Within each merge part there can be many mailmerge variable substitutions.

The parts or sections of the message are labelled with a part number, and then assembled for each recipient based upon the content of the special *parts variable for the recipient.

For example, a travel alerts service could send messages in three parts: the first containing the headers and a common preamble,

From: "Customer Service" [*from]
To: "[FName]" [*to]
Date: [*date]
Subject: Travel Plans

Dear [FName],

You are flying out of [Airport] given that it is closest to your location in [City], [State].

the second containing a notice that is only sent to some of the recipients,

With this flight, you are only [MilesToBonus] frequent flyer miles away from your next SuperBonus(TM)!

the third with a common final block:

Have a great trip!

Some recipients could then be sent all parts (*parts=1-3) while others would only be sent parts #1 and #3 (*parts=1,3). Note that the variable MilesToBonus would only need to be defined for those recipients receiving part #2.

9.5 Submitting Mailmerge Messages

You can feed mailmerge messages to PowerMTA using any of the standard supported submission APIs, pickup directory, or through PowerMTA’s mailmerge SMTP extensions. It is recommend to add no more than 5000
recipients per mail merge file when feeding via pickup directory.

9.5.1 API Submission

All PowerMTA submission APIs include support for mailmerge. The basic process involves defining per-recipient variables by invoking the defineVariable for each Recipient object, and then passing the message template by invoking the addMergeData method for the Message object. Please refer to the corresponding API reference for more details.

Sample programs for using mailmerge in the APIs are provided with PowerMTA.

9.5.2 Mailmerge SMTP extensions

Port25 has extended the SMTP protocol for sites that would prefer to feed PowerMTA mailmerge messages via a modified SMTP interface.

The mailmerge extensions define three new verbs:

9.5.2.1 XMRG

Replaces the MAIL FROM command of a standard SMTP submission. All extensions (such as DSN, VERP, etc.) that are supported with MAIL are also supported with XMRG.

Example:

XMRG FROM:<travelAlerts@example.port25.com> VERP

9.5.2.2 XDFN

Defines variables for the recipient following it. One or more XDFN commands should be issued prior to each RCPT command in a mailmerge submission. Variables are defined in the format name=value, where name is the variable name and value
is the value to to be associated with the variable. If the value contains any white space, it should be enclosed in double quotes. You can specify multiple variables in a single XDFN command by separating them with blanks.

Example:

XDFN name="Bob Example" Airport=BWI
XDFN *jobid="TravelAlerts"
RCPT TO:<bob@example.port25.com>

9.5.2.3 XPRT

Replaces the DATA command of a standard SMTP submission. One XPRT command should be issued per merge part in the mailmerge submission, passing the merge part number, like in the example below:

XPRT 1

Like for DATA, PowerMTA responds to the XPRT command with a 3xx reply code. Also, like data, the message template must be passed dot-escaped.
A dot on a line by itself terminates the merge part. The last XPRT is indicated with the additional LAST parameter and terminates the submission:

XPRT 2 LAST

The following example shows all the three verbs used to submit a mailmerge to two recipients. In addition to parts 1 and 3, Alice is also
sent part #2 with a reminder that she’s close to obtaining a bonus:

XMRG FROM:<travelAlerts@example.port25.com> VERP
XDFN FName="Alice" Airport="IAD" MilesToBonus="120"
XDFN City="Herndon" State="VA" *parts=1-3 *vmta="mta4"
XDFN *jobid="TravelAlerts"
RCPT TO:<alice@example.port25.com>
XDFN FName="Bob" Airport="BWI"
XDFN City="Ellicott City" State="MD" *parts=1,3 *vmta="mta5"
XDFN *jobid="TravelAlerts"
RCPT TO:<bob@example.port25.com>
XPRT 1
From: "Customer Service" [*from]
To: "[FName]" [*to]
Date: [*date]
Subject: Travel Plans

Dear [FName],

You are flying out of [Airport] given that it is closest to your location
in [City], [State].
.
XPRT 2

With this flight, you are only [MilesToBonus] frequent flyer miles away from
your next SuperBonus(TM)!
.
XPRT 3 LAST

Have a great trip!
.

9.5.3 Pickup Directory Submission

The pickup directory submission method includes support for mailmerge, which greatly minimizes the disk I/O impact usually associated with this submission method. Instead of creating and writing 100,000 messages, one per recipient, mailmerge support allows you to write say only 25-50 files for the same number of recipients, greatly minimizing the resources utilized and increasing throughput. See Pickup Directory for more details.

The pickup directory submission method is less efficient than submitting messages over SMTP.

Support for mailmerge in the pickup directory is accomplished through its support for BSMTP (batched SMTP) files. See BSMTP files for more information.

Here is a simple example of a properly formatted BSMTP mailmerge file for PowerMTA’s pickup directory:

XMRG FROM:<bounce@port25.com>
XDFN *from="blahblah@port25.com"
XDFN subject="BSMTP mailmerge format"
RCPT TO:<bob@port25.com>
XPRT 1 LAST
From: [*from]
To: [*to]
Subject: [subject]

Hello [*to]!
.

Here is another that contains information for 4 recipients:

XACK ON
XMRG FROM:<bounce@port25.com> verp
XDFN FName="Jim" FavFood="pizza" Car="minivan" CID="1234"
XDFN *vmta="mta1" *parts="1-3" *jobID="1234"
RCPT TO:<jim@test.port25.com>
XDFN FName="Tim" FavFood="sushi" Car="porsche" CID="2345"
XDFN *vmta="mta2" *parts="1,3,2" *jobID="5678"
RCPT TO:<tim@test.port25.com>
XDFN FName="Cosmo" Car="Gremlin" CID="3456"
XDFN *vmta="mta3" *parts="1,3" *jobID="1234"
RCPT TO:<cosmo@test.port25.com>
XDFN FName="Frank" FavFood="pizza" CID="4567"
XDFN *vmta="mta5" *parts="1,2" *jobID="5678"
RCPT TO:<frank@test.port25.com>
XPRT 1
X-CID: [CID]-abc
From: "Customer Service" [*from]
To: "[Fname]" [*to]
Subject: Travel Plans
Date: [*date]

Hey [FName],
.
XPRT 2
Your favorite food is [favfood].
.
XPRT 3 LAST
You drive a [car].
.

Mailmerge SMTP extensions also provides another good example for reference.

Here is an example of a multi-part mailmerge file for a pickup directory:

XMRG FROM:<me@yourdomain.com> verp
XDFN *from="me@yourdomain.com"
XDFN subject="test \ 1"
RCPT TO:<you@yourdomain.com>
XDFN *from="me@yourdomain.com" subject="test 2"
RCPT TO:<you@yourdomain.com>
XPRT 1 LAST
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="12345"
From: [*from]
To: [*to]
Subject: [subject]

--12345
Content-Type: text/plain;

Hello. This is the text version.
--12345
Content-Type: text/html;

<b>This is the HTML version.</b>

--12345--
.

9.5.4 The XACK SMTP extension

To facilitate and improve the feeding performance while using the mailmerge extensions, Port25 has also defined the XACK protocol extension.

The XACK command disables acknowledgements for the RCPT and XDFN commands. It accepts a single parameter, either ON or OFF. To disable acknowledgements, you issue XACK like in the example below:

XACK OFF

Once acknowledgements are disabled, they stay disabled until the connection is closed or until they are re-enabled with XACK ON.

While acknowledgements are disabled, any errors occurring as a result of RCPT or XDFN command during a submission (i.e., after MAIL or XMRG and before the final DATA/BDAT/XPRT command) are reported as a response to the next DATA or BDAT (for non-mailmerge messages) or XPRT (for mailmerge messages). As a result of the error, the entire submission is canceled.

Some errors (e.g., address errors in the RCPT) may optionally be reported by sending a failure Delivery Status Notification, thus allowing the submission to continue. Any RCPT or XDFN errors (e.g., out of sequence errors) occurring not during a submission are ignored entirely.

The following example shows the connection trace (with commands and replies, but with the message content omitted) while submitting a mailmerge message:

>>> 220 mailhost.port25.com (PowerMTA v2.x) ESMTP service ready
<<< EHLO test.port25.com
>>> 250-mailhost.port25.com says hello
>>> 250-ENHANCEDSTATUSCODES
>>> 250-PIPELINING
>>> 250-CHUNKING
>>> 250-8BITMIME
>>> 250-XACK
>>> 250-XMRG
>>> 250-SIZE 0
>>> 250-VERP
>>> 250 DSN
<<< XACK OFF
>>> 250 2.0.0 ok
<<< XMRG FROM:<bounce@example.port25.com> verp
>>> 250 2.1.0 XMRG ok
<<< XDFN FName="Jim" FavFood="pizza" Car="minivan" CID="1234" *vmta="vmtapool" *parts="1-3"
<<< RCPT TO:<jim@example.port25.com>
<<< XDFN FName="Tim" FavFood="sushi" Car="porsche" CID="2345" *vmta="vmta2" *parts="1,3,2"
<<< RCPT TO:<tim@example.port25.com>
<<< XDFN FName="Cosmo" Car="Gremlin" CID="3456" *vmta="vmta3" *parts="1,3"
<<< RCPT TO:<cosmo@example.port25.com>
<<< XDFN FName="Frank" FavFood="pizza" CID="4567" *vmta="vmta1" *parts="1,2"
<<< RCPT TO:<frank@example.port25.com>
<<< XPRT 1
>>> 354 send part
<<< .
>>> 250 2.6.0 part ok
<<< XPRT 2
>>> 354 send part
<<< .
>>> 250 2.6.0 part ok
<<< XPRT 3 LAST
>>> 354 send part
<<< .
>>> 250 2.6.0 message received
<<< QUIT
>>> 221 2.0.0 mailhost.port25.com says goodbye

10 Advanced Features

10.1 Sparkpost Signals

Sparkpost Signals
is an email analytics suite that helps you improve email performance by diagnosing health issues before they impact your business. It analyzes your email sending and benchmark data from across our industry-leading email network to provide data-driven, predictive, and actionable insights to help you increase open rates, prevent blacklisting, and boost inbox placement. See https://www.sparkpost.com/docs/signals/overview/ for more information.

To utilize Signals, you’ll need to enroll in the service and have the feature enabled. To begin your enrollment process please visit Signals enrollment.

Once the feature is enabled you will need to create a SparkPost API key and configure your PowerMTA to send accounting data to SparkPost. To create a SparkPost API key with the Incoming Events: Write permission go to https://app.sparkpost.com/account/api-keys.

Note: For initial testing, the Signals servers need several thousand emails worth of data and then must batch-process the data, so there may be up to a day’s delay before data is reflected in the reports.

Note: A restart of PowerMTA is recommended after the <signals> tag has been added to the configuration
or any signals-related settings have been changed. While a reload is all that is required, a restart will ensure that all internal processes start working with the new settings immediately.

10.1.1 Optional Data Loading Support

Starting with PowerMTA 4.5r19 version, you can optionally designate the virtual MTAs that are allowed to send Signals data to Sparkpost. You can also optionally designate the sending domain (this would be the domain portion of the Sender or From header within the body of the message – see Sample Use Cases below for more details) whose events will be sent over to Sparkpost.

PowerMTA (starting with 4.5r19) offers the use of enable-signals at these scopes:

  1. Global scope: used to enable/disable generation of Signals events globally.
  2. VMTA pool scope: used to enable/disable generation of Signals events for all the virtual MTAs within the same pool.
  3. VMTA scope: used to enable/disable generation of Signals events for a single VMTA.

10.1.2 SparkPost Subaccounts

You can configure PowerMTA to send Signals data to a specific SparkPost subaccount. In order to use a subaccount ID in configuration it must first be created on SparkPost. To manage subaccounts on SparkPost, go to https://app.sparkpost.com/account/subaccounts

If you configure PowerMTA with a subaccount ID that does not exist on SparkPost, you may see subaccount names such as these in the Signals reports: “Deleted (ID x)”, where x is the configured subaccount ID. In such a case:

  • if the data should not be in the subaccount then, update the subaccount ID in PowerMTA configuration
  • if the data should be in the stated subaccount, then create the subaccount ID on SparkPost

10.1.3 Sample Use Cases for Optional Loading of Signals Data

10.1.3.1 Use Case #1. Disable Signals completely.

<signals>
  api-key 0123456789012345678901234567890123456789
</signals>

enable-signals false

Result No signals data is sent at all from this PowerMTA.

Explanation The global directive enable-signals is set to false, and is inherited by all VMTAs in the system.

10.1.3.2 Use Case #2. Use Signals to track every email delivered out of PowerMTA.

<signals>
  api-key 0123456789012345678901234567890123456789
</signals>

enable-signals true

<virtual-mta mktg>
</virtual-mta>

<virtual-mta transact>
</virtual-mta>

Result Signals data for all VMTAs, including {default}, mktg and transact, is sent from this PowerMTA to Sparkpost.

Explanation: The global directive enable-signals is set to true and is inherited by all VMTAs in the system. So, PowerMTA sends event data for all VMTAs to Sparkpost.

10.1.3.3 Use Case #3. Dedicated VMTAs per message stream.

I am an ESP or an enterprise business with multiple customers/message streams. I have mapped my customers or message streams to individual VMTAs. I don’t mix different message streams within a single VMTA. I want to selectively enable Signals for only some of my message streams but I want to disable Signals for all other customers.

<signals>
  api-key 0123456789012345678901234567890123456789
</signals>

enable-signals false

<virtual-mta mktg>
  enable-signals true
</virtual-mta>

<virtual-mta transact>
</virtual-mta>

Result Signals data for all events in mktg
virtual MTA is sent from this PowerMTA to Sparkpost. No data is sent for any other virtual MTA in the system (all other VMTAs, including transact VMTA, inherit enable-signals false from global settings)

10.1.3.4 Use Case #4. Dedicated VMTAs per message stream, with subaccounts.

I am an ESP or an enterprise business with multiple customers/message streams. I have mapped my customers or message streams to individual VMTAs. I don’t mix different message streams within a single VMTA. I want to selectively enable Signals for only some of my message streams
(and assign them a subaccount ID) but I want to disable Signals for all other customers.

<signals>
  api-key 0123456789012345678901234567890123456789
</signals>

enable-signals false

<virtual-mta mktg>
  enable-signals true,subaccount=100
</virtual-mta>

<virtual-mta sales>
  enable-signals true,subaccount=200
</virtual-mta>


<virtual-mta transact>
</virtual-mta>

Result Signals data for all events in mktg and sales virtual MTAs are sent from this PowerMTA to Sparkpost. Each event will have the subaccount ID configured for that VMTA, (mktg events will have subaccount ID 100, while sales
VMTA events will have subaccount ID set to 999). No data is sent for any other virtual MTA in the system (all other VMTAs, including transact VMTA, inherit enable-signals false from global settings)

10.1.3.5 Use Case #5. Use of VMTA pools.

I am an ESP or an enterprise business with multiple customers/message streams. I have mapped my customers or message streams to individual VMTAs. Some of my large message streams have been assigned multiple VMTAs, all of which are in a pool. I want to enable Signals for a large message stream using a pool, but keep Signals disabled for all other message streams.

<signals>
  api-key 0123456789012345678901234567890123456789
</signals>

enable-signals false

<virtual-mta v1>
</virtual-mta>

<virtual-mta v2>
</virtual-mta>

<virtual-mta transact>
</virtual-mta>

<virtual-mta-pool pond>
    virtual-mta v1
    virtual-mta v2

    enable-signals true
</virtual-mta-pool>

Result Signals data for all events in v1 and v2 virtual MTAs (because they inherit enable-signals true from pond
virtual MTA pool) are sent from this PowerMTA to Sparkpost. No data is sent for any other virtual MTA in the system (all other VMTAs, including
transact VMTA, inherit enable-signals false from global settings). This data can also be configured to have a subaccount ID.

10.1.3.6 Use Case #6. Use of shared VMTAs.

I am an ESP or an enterprise business with multiple customers/message streams that mixes multiple message streams within a single shared VMTA. I need to enable Signals for only some of the mail streams that go out from the shared VMTA but not all. Each mail stream uses a unique sender-or-from domain.

<signals>
  api-key 0123456789012345678901234567890123456789
</signals>

enable-signals false

<signals-filter ListOne>

   sender-or-from  mktg.customer1.com             enable-signals,subaccount=100

   sender-or-from  sales.customer1.com            enable-signals,subaccount=100

   sender-or-from  sales.customer2.com            enable-signals,subaccount=999

</signals-filter>

<virtual-mta v1>
    enable-signals ListOne
</virtual-mta>

<virtual-mta transact>
</virtual-mta>

Result Signals data for all events with mktg.customer1.com or sales.customer1.com as their sender-or-from domain are sent from this PowerMTA to Sparkpost with subaccount ID set to 100. Similarly, data for all events with sales.customer2.com as their sender-or-from domain are sent from this PowerMTA to Sparkpost with subaccount ID set to 999. No data is sent for any other sender-or-from domain that is used for sending within this virtual MTA. No data is sent for any other sender-or-from domain within v1 virtual MTA, or any other virtual MTAs in the system (all other VMTAs, including transact VMTA, inherit enable-signals false from global settings)

10.1.3.7 Use Case #7: Use of shared VMTAs (wildcard support)

I am an ESP or an enterprise business with customers/multiple message streams that mixes multiple message streams within a single shared VMTA. I need to enable Signals for all mail streams that go out from the shared VMTA with a common subdomain (*.customer1.com) as their sender-or-from address. I also want to disable Signals for some mail streams that use a specific sender-or-from domain from within that shared VMTA.

<signals>
  api-key 0123456789012345678901234567890123456789
</signals>

enable-signals false

<signals-filter ListOne>

   sender-or-from  *.customer1.com             enable-signals,subaccount=100

   sender-or-from  transact.customer1.com      disable-signals

</signals-filter>

<virtual-mta v1>
    enable-signals ListOne
</virtual-mta>

<virtual-mta transact>
</virtual-mta>

Result Signals data for all events with .customer1.com as their sender-or-from domain suffix are sent from this PowerMTA to Sparkpost with subaccount ID set to 100. The only exception is that events with sender-or-from domain set to transact.customer1.com
within this virtual MTA are not sent to Sparkpost. No data is sent for any other virtual MTA in the system (all other VMTAs, including transact VMTA, inherit enable-signals false from global settings)

10.1.3.8 Use Case #8: Global level configuration.

I want a single, global location where I can enable/disable Signals for all the sender-or-from domains I use to mail from, irrespective of the virtual MTA that the email goes out of.

<signals>
  api-key 0123456789012345678901234567890123456789
</signals>

enable-signals ListOne

<signals-filter ListOne>

   sender-or-from  *.foo.com             enable-signals,subaccount=100

   sender-or-from  transact.foo.com      disable-signals

</signals-filter>

<virtual-mta v1>
</virtual-mta>

<virtual-mta v2>
</virtual-mta>

Result Signals data for all events in the system, irrespective of the VMTA they were generated from, with .foo.com as their sender-or-from domain suffix are sent from this PowerMTA to Sparkpost with subaccount ID set to 100. The only exception is that events with sender-or-from domain set to transact.foo.com are not sent to Sparkpost.

10.1.3.9 Use Case #9: Global level configuration, example #2.

I want to enable Signals for all Virtual MTAs in the system, but I don’t want Signals enabled for the VMTAs used for transactional and personal email streams. I also want to be able to configure the specific
sender-or-from domains that Signals is enabled for, and keep Signals disabled for the rest of the domains.

<signals>
  api-key 0123456789012345678901234567890123456789
</signals>

enable-signals ListOne

<signals-filter ListOne>

   sender-or-from  mail.customer1.com              enable-signals,subaccount=100
   sender-or-from  sales.customer1.com             enable-signals,subaccount=200
   sender-or-from  mktg.customer1.com              enable-signals,subaccount=300
   sender-or-from  foo.customer1.com               enable-signals,subaccount=400
   sender-or-from  bar.customer1.com               enable-signals,subaccount=500
   sender-or-from  baz.customer1.com               enable-signals,subaccount=600

   sender-or-from  *                               disable-signals

</signals-filter>

<virtual-mta v1>
</virtual-mta>

<virtual-mta v2>
</virtual-mta>

<virtual-mta transact>
   enable-signals false
</virtual-mta>

<virtual-mta personal>
   enable-signals false
</virtual-mta>

Result Signals data for all events in the system with any of {mail|sales|mktg|foo|bar|baz}.customer1.com as their sender-or-from domain suffix are sent from this PowerMTA to Sparkpost along with their respective subaccount IDs.

Events belonging to personal or transact VMTAs, or having any other sender-or-from domain other than the ones listed above are not sent to Sparkpost.

10.1.4 Configuration Directives

Signals configuration is done within the <signals>
tag. Note that there is no need to designate which records and record fields to send to Sparkpost – all the record types and fields needed for Signals are automatically configured by PowerMTA.

Note: It’s recommended to restart PowerMTA after the <signals>
tag has been added to the configuration or any signals-related settings have been changed. While a reload is all that is required, a restart will ensure that all internal processes start working with the new settings immediately.

Starting for 4.5r19, you also have the option of configuring PowerMTA to only transmit data for designated virtual MTAs, virtual MTA pools or sending domains to Signals. See enable-signals directive and Optional Data Loading Support section for more details.

In prior versions of PowerMTA, <signals> tag was called <sparkpost-analytics>, which is deprecated. Please use signals instead.

The available internal directives are as follows.

10.1.4.1 Global Directives

10.1.4.1.1 enable-signals

This directive can be used at global, VMTA pool or VMTA scopes to enable/disable generation of Signals events at that scope level. When this directive is set to true, it can also be optionally suffixed with the subaccount information in Signals for the events generated within that scope.

If this directive is unspecified at global level, then it defaults to true if a <signals>
tag has been added to PowerMTA configuration. This is in order to maintain compatibility with how the feature was enabled in previous versions.

Normal rules for inheritance apply to this directive. A virtual MTA inherits this setting from both pool and global scopes, with the pool scope taking precedence over the global scope.

Syntax:

enable-signals {true[,subaccount=N] | false | <signals-filter-name>}

where N is a subaccount ID obtained from SparkPost.

Note that subaccount ID can only be specified when enable-signals is set to true. It cannot be specified when enable-signals is false or set alongside a <signals-filter> list.

Default: true at global level if <signals> has been configured; false otherwise

Example #1:

# at global scope, inherited by all VMTAs in the system.
enable-signals true,subaccount=555

# at pool scope, inherited by all VMTAs in the pool
<virtual-mta-pool pond>
   enable-signals true,subaccount=999

   virtual-mta v1
   virtual-mta v2
   virtual-mta v3
   virtual-mta v4
</virtual-mta-pool>

# inherits pool setting
<virtual-mta v1>
</virtual-mta>

# overrides all inheritance
<virtual-mta v2>
   enable-signals true,subaccount=888
</virtual-mta>

# inherits pool setting
<virtual-mta v3>
</virtual-mta>

# overrides all inheritance
<virtual-mta v4>
   enable-signals false
</virtual-mta>

# inherits global setting
<virtual-mta v5>
</virtual-mta>

Example #2:

<signals>
    api-key 0123456789012345678901234567890123456789
</signals>

In the above example, enable-signals defaults to true since its not explicitly set at global level but a signals tag is present in the configuration.

10.1.4.2 <signals> Directives

10.1.4.2.1 api-key

Specifies the API key (obtained from Sparkpost) that authorizes this PowerMTA to the Signals server. Required.

Must be composed of exactly 40 hexadecimal digits (0-9 A-F a-f).

Example:

<signals>
    api-key 0123456789abcdef012345678901234567890123
</signals>
10.1.4.2.2 upload-url

Specifies the Sparkpost Signals server URL where the accounting data is sent.

Default:

https://api.sparkpost.com/api/v1/ingest/events

Example:

<signals>
    api-key 0123456789012345678901234567890123456789
    upload-url https://api.sparkpost.com/api/v1/ingest/events
</signals>
10.1.4.2.3 log-verbose

Causes all upload activity to be logged. If not set, upload activity is summarized and logged at regular intervals. Enable this setting to help diagnose upload problems.

Default: false

Example:

<signals>
    api-key 0123456789012345678901234567890123456789
    log-verbose true
</signals>
10.1.4.2.4 min-free-space

Instructs PowerMTA to start deleting Sparkpost accounting data files if the space available on the file system falls below the amount specified. Note that these files are normally deleted once the contents have been sent to the Sparkpost Signals server, so space should only run low if there is a problem such as the Signals server being down or too busy or an incorrect configuration. Once these files are deleted, that data is lost forever, and there will be “holes” in the Signals reports.

On Unix, this refers to the space available to non-root users in /var/lib/pmta/sparkpost.

Syntax:

min-free-space { N{b|k|m|g|t} | 0 }

where N is a positive integer followed by a size multiplier (B for byte, K for Kilobyte, M for Megabyte, G for Gigabyte or T for Terabyte).

Default: 20M

Example:

<signals>
    api-key 0123456789012345678901234567890123456789
    min-free-space 1G
</signals>

10.1.4.3 <signals-filter> Directives

10.1.4.3.1 sender-or-from

Another way to designate the specific events for Signals is to use the domain portion of Sender or From
headers within the content of the email to filter. This permits filtering independent of the virtual MTA that the email was received or delivered out of.

Syntax:

<signals-filter NAME>
   sender-or-from  <domain-pattern>  { enable-signals[,subaccount=N] | disable-signals}
</signals-filter>

where N is a subaccount ID obtained from SparkPost.

Note that subaccount ID can only be specified when enable-signals is set. It cannot be specified when disable-signals is set.

Example:

# at global scope, inherited by all VMTAs in the system.
<signals-filter ListOne>

  sender-or-from  marketing.customer1.com   enable-signals,subaccount=555
  sender-or-from  transact.customer1.com    disable-signals
  sender-or-from  *.customer1.com           enable-signals,subaccount=333

  sender-or-from  *                         enable-signals,subaccount=222

</signals-filter>

<signals-filter ListTwo>

  sender-or-from  sales.customer2.com       enable-signals,subaccount=999

</signals-filter>

<signals-filter ListThree>

  sender-or-from  *                         enable-signals,subaccount=777

</signals-filter>


enable-signals ListOne

# at pool scope, inherited by all VMTAs in the pool
<virtual-mta-pool pond>
   enable-signals ListTwo

   virtual-mta v1
   virtual-mta v2
   virtual-mta v3
   virtual-mta v4
</virtual-mta-pool>

# inherits pool setting
<virtual-mta v1>
</virtual-mta>

# overrides all inheritance
<virtual-mta v2>
   enable-signals ListThree
</virtual-mta>

# inherits pool setting
<virtual-mta v3>
</virtual-mta>

# overrides all inheritance
<virtual-mta v4>
   enable-signals false
</virtual-mta>

# inherits global setting
<virtual-mta v5>
</virtual-mta>

10.1.5 Summary Report Display

The Summary report provides you the ability to view a variety of metrics, adjust reporting date range, and filter by campaign (jobID), recipient domain, or other metrics by clicking on the desired value in the “Group By” listing.

The following “Group By” options are available for viewing detailed data:

  • Recipient Domain
  • Sending Domain – the domain portion of the “Sender” or “From” header
  • Campaign – the jobID
  • Sending IP
  • IP Pool – the VirtualMTA pool

For more information, see https://www.sparkpost.com/docs/reporting/reporting-and-analytics/.

10.1.6 Bounce Report Display

The Bounce report provides detailed information about the bounces during the selected time period. Note that the bounces have been classified according to Sparkpost bounce classification codes and will not correspond directly to PMTA bounce categories.

See https://www.sparkpost.com/docs/reporting/bounces/ for more information.

10.1.7 Signals Overview Display

The Signals Overview contains leaderboards for the three signals provided: Health Score, Spam Trap Monitoring, and Engagement Recency.
The Engagement Recency Summary is not yet supported in PMTA.

Each row in these tables contains the summary for a different subaccount, and can be further sliced by campaign (jobID), IP pool (VirtualMTA pool), or sending domain to help catch issues across any of these facets. Additionally, you can view the data for up to 90 days to analyze trends over time.

See https://www.sparkpost.com/docs/user-guide/signals/ for more information.

10.1.8 Spam Traps Display

With visibility across multiple commercial and non-commercial spam trap networks, SparkPost Signals is a crucial resource for maintaining the health of your email. Spam Trap Monitoring reports the share over time of your total email volume that was sent to known spam traps for each given day. This indicator is important to take note of since an excessive rate of spam trap hits indicates poor list procurement and hygiene practices. You can view the spam trap hits as a raw number or a ratio over the number of injections for that day.

See https://www.sparkpost.com/docs/user-guide/signals/#spam-trap-monitoring for more information.

10.2 Sender Reputation Monitoring

10.2.1 Overview

One of the keys to maximizing deliverability to valid domains is to know as soon as possible when specific delivery problems occur. The sooner one realizes that there are certain problems, or more specifically, that a remote site is rejecting messages for one reason or another, the sooner one can attempt to get the problems resolved. There are many different kinds of errors that remote sites can respond with when connected, both positive and negative, and these responses allow you to see your current sender reputation in the eyes of that recipient domain or mail gateway.

Given the importance of having this information as soon as possible, PowerMTA includes automated sender reputation monitoring, via an advanced, real time SMTP command monitoring implementation. Not only does it give you an early warning alert system for specific types of errors, but it can also be configured to try and possibly resolve some problems as well, via support for automated configuration changes for future delivery attempts.

10.2.2 Implementation

PowerMTA groups messages for a particular domain for a particular VirtualMTA in its own queue. Sender reputation monitoring provides real time monitoring of defined SMTP responses (e.g., “551 Sender IP rejected”) from remote hosts for each queue, with the ability to define certain actions (e.g., send an email alert while throttling deliveries, lower the rate at which messages are delivered etc.) upon a match.

This is accomplished through the introduction of queue “modes”. The two modes initially supported are “normal” and “backoff”. You can configure PowerMTA so that when a queue enters backoff mode, it

  • sends an email alert to one or more addresses (backoff-notify directive).
  • dynamically changes the retry schedule for that queue (backoff-retry-after directive).
  • dynamically applies per-queue delivery throttling (backoff-max-msg-rate directive).
  • dynamically reroutes the messages from one VirtualMTA to another VirtualMTA (backoff-reroute-to-virtual-mta directive).

The dynamic reroute, combined with the ability to have separate per domain configurations per VirtualMTA, allows one to use the full range of domain directives beyond the new backoff-... directives (e.g., using bounce-after), as well as VirtualMTA attributes, for the fallback queue. A chain of backoff VirtualMTAs is also supported (vmta -> vmta1, vmta1 ->
vmta2, vmta2 -> vmta3, etc.).

SMTP response matching is performed based on a list of regular expressions, entered in an smtp-pattern-list directive in the configuration file.

For example, you could define a list of errors that might occur during deliveries to AOL in an smtp-pattern-list named aol-errors, and specify that the queue be put in backoff mode if any such match:

<smtp-pattern-list aol-errors>
    reply /generating high volumes of.* complaints from AOL/ mode=backoff
    reply /Excessive unknown recipients - possible Open Relay/ mode=backoff
    reply /^421 .* too many errors/ mode=backoff
    reply /blocked.*spamhaus/ mode=backoff
    reply /451 Rejected/ mode=backoff
</smtp-pattern-list>

You would then indicate that PowerMTA should match based on that pattern list while delivering to aol.com:

<domain aol.com>
    ...
    smtp-pattern-list aol-errors
    ...
</domain>

Finally, also within that domain definition, you would specify certain backoff-… actions to be taken when the queue enters backoff mode:

<domain aol.com>
    ...
    smtp-pattern-list aol-errors # SMTP response pattern list to use
    backoff-max-msg-rate 120/h # 10 messages per 5 min interval
    backoff-retry-after 1h # retry every hour
    backoff-notify postmaster@yourdomain.com
    ...
</domain>

Upon the first match of the SMTP response, the queue for aol.com for this particular VirtualMTA will enter backoff mode, dynamically applying the specific backoff-… directives:

  • send an email alert to the defined PowerMTA postmaster address.
  • change the retry interval to aol.com for this particular VirtualMTA to 1 hour.
  • throttle the delivery rates to aol.com for this particular VirtualMTA to at most 120 attempted deliveries per hour.

The backoff directives apply until the mode for the queue is returned to normal, which can be accomplished either within an smtp-pattern-list (by specifying a mode=normal for a pattern), or with the pmta set queue command, or by restarting PowerMTA. In the example above, the command to return that queue to normal mode would be

pmta set queue --mode=normal aol.com

Defining backoff VirtualMTAs is also relatively straightforward, using the backoff-reroute-to-virtual-mta
directive. It simply specifies that PowerMTA should reroute messages to the given VirtualMTA in case the queue enters backoff mode.

For example, if messages are queued for example.port25.com/vmta1 and that queue enters backoff mode while backoff-reroute-to-virtual-mta
is set to vmta2, all of its messages would be rerouted to the queue example.port25.com/vmta2. Since the messages would then be queued within vmta2, that VirtualMTA’s settings would apply. New messages entering the queue are also immediately rerouted to the new VirtualMTA, as long as the vmta1 queue remains in backoff mode.

For example, one could define a backoff VirtualMTA as follows:

<virtual-mta mta1>
    smtp-source-host 1.1.1.1 mta1.port25.com

    <domain *>
        backoff-reroute-to-virtual-mta backoff-mta1
        smtp-pattern-list block-errors
    </domain>
</virtual-mta>

<virtual-mta backoff-mta1>
    smtp-source-host 1.1.1.2 mta2.port25.com

    <domain *>
        retry-after 30m
        bounce-after 1h
    </domain>
</virtual-mta>

With this, if there is an SMTP pattern match for any domain for VirtualMTA mta1, any messages in that specific queue will be delivered using the domain directives and VirtualMTA parameters defined in VirtualMTA backoff-mta1. As desired, the backoff parameters will only
apply to messages for the specific queue, that is, for messages in the queue whose delivery attempts received the matched SMTP response.

Note that since the messages are really transferred from one VirtualMTA to another, the backoff-reroute-to-virtual-mta directive effectively takes precedence over backoff-max-msg-rate and backoff-retry-after.

10.2.3 Supporting commands

There are two commands that can be used for sender reputation monitoring and queue modes:

  • pmta set queue –mode={normal|backoff} domain/vmta
  • pmta show queues

The set queue command sets the given queue’s mode of operation to either normal or backoff. See set queue for more information.

The show queues command allows you to view current information on the specified queues, including the current mode of the queue. See show queues for more information.

10.3 SMTP AUTH support

10.3.1 Overview

To facilitate creating a secure email delivery channel, PowerMTA supports authentication in both inbound and outbound SMTP connections.

10.3.2 Implementation for Inbound Connections

PowerMTA supports authentication with either LOGIN, PLAIN or the CRAM-MD5 mechanism in inbound connections. Support for CRAM-MD5 is available whenever AUTH itself is enabled. The password is never sent when using CRAM-MD5 as it’s a challenge/response authentication.

To use AUTH you must also create an <smtp-user>
tag for each valid username, including their passwords, as well as the named source to use when that user authenticates, like in the example below:

<smtp-user jsmith>
    password qwerty123
    source auth2
</smtp-user>

<smtp-user jdoe>
    password abc123
    source auth1
</smtp-user>

For maximum flexibility in supporting the various SASL authentication methods, the passwords must be entered in plaintext in the configuration file. Because of this, it is crucial that the PowerMTA config file permissions are set up as restrictively as possible.

The named source in the configuration file (that is a <source> entry that has a name rather than an IP address or CIDR specification), allows you to specify which <source> settings should apply on a per-user basis.

In the example above, and with the configuration file below, user jsmith would be allowed access to PowerMTA’s mail merge extensions, while jdoe would not:

<source auth2>
    allow-mailmerge yes
    always-allow-relaying yes # allow feeding for auth2
    process-x-virtual-mta yes # allow selection of a VirtualMTA
    max-message-size unlimited
    smtp-service yes          # allow SMTP service
    require-auth true
</source>

<source auth1>
    allow-mailmerge no
    always-allow-relaying yes # allow feeding for auth1
    process-x-virtual-mta yes # allow selection of a VirtualMTA
    max-message-size unlimited
    smtp-service yes          # allow SMTP service
    require-auth true
</source>

When users jsmith and jdoe authenticate, any settings in their named sources would override those settings normally obtained based on each connections’ source IP address. This way, you can combine the usual IP-based settings (which apply to all connections) with specific settings based on the authenticated user.

Certificate based authentication is also supported with a configuration like the following:

<smtp-user jsmith>
    authentication-method certificate
    tls-certificate /etc/pmta/jsmith.pem
    source auth3
</smtp-user>

<source auth3>
    always-allow-relaying yes # allow feeding for auth2
    process-x-virtual-mta yes # allow selection of a VirtualMTA
    max-message-size unlimited
    smtp-service yes          # allow SMTP service
    require-auth true
</source>

In the above example, jsmith can authenticate with the certificate given in jsmith.pem file, and relay through PowerMTA. <source {auth}> would apply to any users that don’t have <source> set.

10.3.3 Implementation for Outbound Connections

PowerMTA supports authentication with the CRAM-MD5, LOGIN, or PLAIN mechanisms in outbound connections, with additional mechanisms being considered for a future version.

To have PowerMTA authenticate to a remote mailhost when delivering messages to a domain, define the domain in the configuration file and specify the auth-username and auth-password directives. Authentication will be attempted only if the remote mailer supports CRAM-MD5, LOGIN, or PLAIN (LOGIN or PLAIN if using the <domain> directive use-unencrypted-plain-auth yes).

To illustrate how this feature could be used, consider the following scenario: an email service provider using PowerMTA is delivering email to secure.example.org, but that domain’s corporate mail system will only accept mail from an authenticated source.

To satisfy the corporate mail system’s requirement, one could configure PowerMTA to select a VirtualMTA based on pattern matching of the From: address (using the support for pattern matching of any RFC 2822 header), and within that VirtualMTA, configure the required username and password for all mail delivered to secure.example.org.

The VirtualMTA definition could look like:

<virtual-mta auth-mta>
    smtp-source-host 1.2.3.4 vmta.esp.com
    ...

    <domain secure.example.org>
        auth-username costanza
        auth-password bosco
    </domain>
</virtual-mta>

With this, all mail delivered by this VirtualMTA to the domain of secure.example.org would attempt authentication, whereas all other mail delivered to this domain by other VirtualMTAs would not.

Note that authentication is not attempted if either auth-username or auth-password are not defined for a domain.

10.4 Automated Authentication

To help maintain a strong sender reputation, PowerMTA can be configured to ensure SPF compliance by only delivering mail that passes SPF tests. Compliance checking is done based on the sender address (SMTP MAIL FROM and HELO domain), the source IP address to be used in the connection, and the SPF records published in the DNS. If the test results in anything other than a “Pass” or a “TempError”, the message bounces.

To enable Automated Authentication for a domain, set the check-spf-outbound directive to yes in its definition in the configuration file (or in <domain *> for all domains).

When enabling this feature, it is advisable to disable it for the domains to which your bounces are delivered, if they are delivered via SMTP. This way, if the check fails, there is no risk of these bounces being lost (“double-bouncing”) due to some problem in your bounce domain’s SPF records.

For example, if your MAIL FROM domain was yourbouncedomain.com, you could configure:

<domain yourbouncedomain.com>
    check-spf-outbound no
</domain>

<domain *>
    check-spf-outbound yes
</domain>

Note that since a specific IP address is needed for the Automated Authentication check, you will need to make sure that the IP address(es)
used by PowerMTA for outbound connections are defined in the configuration file (via the smtp-source-host directive). If no specific source IPs are defined, PowerMTA cannot perform the SPF check. It then generates an error message in the log file and treats this like a transient (“4xx”) error, keeping the messages in the queue and retrying until the bounce-after interval passes.

10.5 DKIM support

10.5.1 Overview

DomainKeys Identified Mail (DKIM) is a sender authentication method based on cryptographically signing messages. Essentially, the steps to signing an email are:

  1. A public / private key pair is generated.
  2. The public key is published in DNS, while the private key is made available (normally as part of the configuration) to the email server.
  3. When a message is submitted for delivery, the email server uses the private key to cryptographically sign the message, adding a DKIM-Signature: header.

More information about DKIM can be found at

http://www.dkim.org/

Port25 highly recommends this site to anyone looking to use this functionality.

10.5.2 PowerMTA DKIM Implementation

Domain keys are added to PowerMTA’s configuration using the domain-key
directive, which can be defined globally, making it available for all mail, or within a VirtualMTA definition, making it specific to that VirtualMTA. They can also be defined within a <domain-key-list> section which can be selected by name in various ways. The directive takes three comma-separated arguments:

  • The key’s selector, which identifies that key among others on the same domain.
  • The DNS domain name for the key, and
  • The name of the file containing the key.

For example:

<virtual-mta domainkey>
    host-name port25.com
    ...
    domain-key test, port25.com, c:\pmta\test.port25.pem
</virtual-mta>

or

domain-key test, port25.com, c:\pmta\test.port25.pem

You can specify multiple domain-key entries. PowerMTA determines the key to use by going through the keys sequentially and picking the first key whose domain matches the identity on behalf of which the email is being signed. That identity is extracted by default from the email’s Sender header address, or, if Sender is not present, the From header, but can also be specified with the dkim-identity directive.

A domain-key may also specify a wildcard “*” domain, in which case PowerMTA considers it to match any identity’s domain. This is useful when the same public key is entered in the DNS under multiple domain names.

To set up DKIM signing for a domain,

  1. Determine the domain in which the key will be registered. That should be either the DKIM identity’s domain itself or a parent of that domain. In the examples below, we will assume example.org.
  2. Decide what to use for your selector. The selector will uniquely identify the key within the domain determined above. We will use k1 in the examples below.
  3. Generate your private key using either PowerMTA’s pmtakeytool utility or Port25’s DomainKey wizard athttps://port25.com/dkim-wizard/(If using the wizard, skip step 8):

pmtakeytool newdk k1 example.org 2048

  1. This creates a 2048-bit private key in the file k1.example.org.pem and a corresponding public key in BIND format in the file k1.example.org.dns.
  2. Move the PEM file to c:\pmta\ on Windows or to /etc/pmta on Unix and ensure its permissions are set properly (ideally only PowerMTA process should have access to it).
  3. Add the DNS TXT record written to k1.example.org.dns to your DNS configuration. You may have to adjust the syntax depending on the software used. Also, please refer to the DKIM specification (from http://www.dkim.org) for more information on the record syntax:
k1._domainkey   IN TXT ("k=rsa\; p="<br />
 "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxeRmblkAUC0ZwBLltS37"
 "ubgOk3bifNP8ubH5wc01mkAskRJcSDnXhxrbNseIBJye2lwVyRSDmkhCo5lreGbt"
 "pwdo3kqIEj0k2+ZC2MSNREovoyFXuJHbNDB2VUvlh0ROJMNQx3VuBsYr884K1dsE"
 "tzb+9+8JjYwKr6khNu4GeuebT4XdTwcqvtYkqw/MW4H0RxPJ8/w7pUHy1o08W1Hk"
 "N/wAQkhcxygJTaehtkApDfY3N5kVk8XAYdzbJaSe/7Uw0ImqFgxy60MrWlUaUyWO"
 "uTBwIPQScDgX3yIl1GHgV25DlEKo8sfTNgFJhil1ju3iZ25KoiPeFyWN+7AohF1Y"
 "SQIDAQAB")
  1. Add the domain-key directive to the configuration file:
<virtual-mta example>
...
domain-key k1, example.org, c:\pmta\k1.example.org.pem
</virtual-mta>
  1. or (at global level in the configuration):

domain-key k1, example.org, c:\pmta\k1.example.org.pem

  1. Enable signing for the domain(s) desired, or in <domain *> to enable signing for all domains:
<domain yahoo.com>
...
dkim-sign yes
</domain>
  1. If the domain-key directive is configured for a VirtualMTA instead of globally, configure PowerMTA so that email originating in the domain(s) to be signed are submitted to that VirtualMTA, for example, by using a pattern list:
<pattern-list L>
    mail-from /[@\.]example\.com$/ virtual-mta=example
</pattern-list>

<source 10.1.0.0/16> # feeding sources
    pattern-list L
</source>
  1. See VirtualMTA Support for more information on selecting VirtualMTAs. <pattern-list> Directives describes pattern lists in greater detail.

10.5.3 Passing DKIM signing options in a header

PowerMTA supports passing DKIM signing options in a header, overriding the configuration on a per message basis. To do so, enable the <source> directive process-X-DKIM-Options and add a X-DKIM-Options
header before submitting the messages. The header uses a syntax similar to the semicolon-separated tags in DKIM-Signature and may be used to pass multiple options:

  • s – selector – specifies the value of the s= tag in the signature, and requires that the domain-key have the given selector
  • d – domain – specifies the value of the d= tag in the signature, and requires that the domain-key have that exact domain (or the “*”
    wildcard)
  • i – identity – specifies the value for the i= tag in the signature. Also, if d isn’t specified, requires that the domain-key have the same domain as or a parent domain of i (or the “*” wildcard)
  • q – query method – specifies the value for the q= tag in the signature
  • key-list – specifies that the domain key is to be picked from the given <domain-key-list> section

For example, with the following configuration:

domain-key key1, example.com, c:\pmta\key1.example.com.pem
domain-key key2, example.com, c:\pmta\key2.example.com.pem

the X-DKIM-Options could be used to select the key to use:

X-DKIM-Options: s=key2

10.5.4 Second DKIM signing support

PowerMTA supports adding a second DKIM-Signature header with different options from the first one. All dkim-... directives are supported with the prefix “second-” added:

second-dkim-add-body-limit
second-dkim-add-timestamp
second-dkim-algorithm
second-dkim-body-canon
second-dkim-disallow-adding-headers
second-dkim-expire-after
second-dkim-headers
second-dkim-headers-canon
second-dkim-identity
second-dkim-identity-fallback
second-dkim-sign
second-dkim-query-method

In the example below, PowerMTA adds both a customer signature and an ESP signature to messages sent through VirtualMTA “12345”. The customer signature is based on the domain of the From header (customer.com) while the ESP signature is based on the second-dkim-identity option defined (esp.com). PowerMTA would include gmail’s required Feedback-ID header in both signatures for messages to gmail only.

<virtual-mta 12345>
    domain-key 2017k1, esp.com, c:\pmta\keys\esp.esp.com.pem
    domain-key 2017-01, customer.com, c:\pmta\keys\2017-01.customer.com.pem
    <domain gmail.com>
        dkim-headers Feedback-ID
        second-dkim-headers Feedback-ID
    </domain>
    <domain *>
        dkim-sign yes
        second-dkim-sign yes
        second-dkim-identity @esp.com
    </domain>
</virtual-mta>

Note: The X-DKIM-Options header method is not supported for the second signature, but still can be used for the first signature.

PowerMTA will still deliver the message if due to message attributes and configuration settings, there are no signatures to be applied, only one signature to be applied or both signatures are to be applied.

10.5.5 Ability to DKIM sign with the private key given in the message

PowerMTA supports the ability to extract a private key from a header in a message and use that private key for DKIM signing the message. This is an alternative to having the keys defined in the configuration file.
To enable this feature, use the per-source process-x-dkim-key directive.

If set to true, PMTA will extract the private key specified in the header X-DKIM-Key, and use it for DKIM signing the message. For security reasons, the header will be removed from the message prior to transmission. Note that when using this feature, you have to specify the selector(the ‘s=’
value) for the DKIM signing using the X-DKIM-Options header, otherwise the message cannot be signed. Processing of the X-DKIM-Options header should be enabled using the per-source process-x-dkim-options directive.

Also note that the content of the X-DKIM-Key will span multiple lines, so you need to fold the header in the body of the message as in the example below.

Date: Mon, 8 Mar 2017 13:29:22 -0500
From: Test User <test@port25.com>
To: test@port25.com Subject: help!
X-Dkim-Options: s=ball; d=some-esp.com;
X-Dkim-Key: -----BEGIN PRIVATE KEY-----
  MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAL2/eGlUEGzYGMoN
  P8fdRRHF8BZ0/7+ani5IkZq5W84WDjSLtx8OryMYJNttOtdcIy3vb5YCsqziZncE
  a8ite5GiYct2SW+Such/KTWWNuJFEpyz7bjWjP46izuoktZ6JWErnmK+IiPCkc8/
  iSVJXZgafio5gBwr0mUi2YDGUX/RAgMBAAECgYBGYCSV1EL/S6ruDbnxNAUxEVv5
  yE0u0HcIrYurekItjoqYPJWfpD+a4ZKR+9JOG/NET0Dwv3Fro9DjJbWgSY/BkSKs
  ckypdEh2DECtAaqpZ18Bs7nmaHnsyhaFHaTvT/VKM/WVvBXfh+NlaHoJK05um9MS
  jVwiDkZHVeku6g+Y0QJBAO392X05FziwQYFS5Y6ldfyJfWQzRmGTsz8B1HGeS84N
  wuMtP4zjL/c5nwOkN5SO8inE7xZLy958WQQtZW9BW00CQQDMGxbwuK4HmBLejLZw
  R7g9SH8b/54bWWt+4BmiWjF1Dnbeq/5Co2ZHcXOQ50fopk/OsAsN/F0VZb5578lz
  nsyVAkAyhSieBHiBeCjvowFH/qfFLAqKMrhGDmyGe4T1eXzuCM3OG9TZu4B7Iqg2
  xa1mw9F0PHHkccKdQBhFYr2dmGohAkAJi6bKAUkaT9FqGRibLa9/JjnTnGPPkaIG
  YAKy5hb0C4YhqdeNVEj/RF4MQ9TIG6cV2oPZ1pif3I9I8p7wSlf1AkBznyYhKnML
  OdSR8QUfwVm8o5TtFz+kisDJ7fQc1kCruB5IyLXPnKxugUcetHBVnC4Y7O996N4R
  mkoEKsyfiQhk
  -----END PRIVATE KEY-----

HELP! How do I port25?
Thanks abunch,
.. Test

With the email above, you have to add the following directives to PMTA config to DKIM sign the message.

<source 0/0>
    process-x-dkim-key yes
    process-x-dkim-options yes
</source>

<source {pickup}>
    process-x-dkim-key yes
    process-x-dkim-options yes
</source>

10.6 Warming of IPs with Cold VirtualMTA

10.6.1 Overview

Note: This functionality is useful when you have at least one warm IP address. If you only have cold IP addresses then use rate limiting features of the VirtualMTAs to build up reputation for the cold IPs.

When starting to send email from a new IP address, it is sometimes important to control the amount of traffic sent from that IP, so that reputation can be built properly. To facilitate this task, PowerMTA adds support for configuring separate queues and diverting part of the traffic to those queues.

The cold VirtualMTA functionality, at its core, is a rerouting feature. The first x messages for each domain submitted to the warm VirtualMTA each day are auto-rerouted to the cold VirtualMTA. The number that is rerouted for each domain per day is determined by the max-cold-virtual-mta-msg
directive defined in the warm VirtualMTA for the domains. The rest of the messages submitted that day to the warm VirtualMTA stay in the warm VirtualMTA. The cold VirtualMTA rerouting counters are reset at midnight.

The messages routed to the cold VirtualMTA are handled/delivered based on the directives defined in the cold VirtualMTA. To this end it is important to configure the cold VirtualMTA as desired.

For example:

<virtual-mta vmta1>
    smtp-source-host 1.2.3.4 vmta1.example.com
    cold-virtual-mta vmta2
    <domain *>
        max-cold-virtual-mta-msg 1000/day
    </domain>
</virtual-mta>

<virtual-mta vmta2>
    smtp-source-host 5.6.7.8 vmta2.example.com
    <domain *>
        max-msg-rate 100/h
    </domain>
</virtual-mta>

With these settings, the first 1000 messages submitted into the warm VirtualMTA vmta1 per day, for each domain, would be auto-rerouted to the cold VirtualMTA vmta2. Every message submitted after the first 1000 per day per domain to the warm VirtualMTA would stay in the warm VirtualMTA, with the daily rerouting counters resetting at midnight.
Because max-cold-virtual-mta-msg setting is per domain, the first 1000 submitted for yahoo.com to vmta1 per day would be rerouted to vmta2, the first 1000 submitted for hotmail.com to vmta1 per day would be rerouted to vmta2, etc.

This is the count for each domain separately given that max-cold-virtual-mta-msg 1000/day is defined in <domain *>
in the VirtualMTA in this example. If different counts per day for different domains are needed, define the different domain definitions in the VirtualMTA with the specific counts desired for each, along with a count for all other domains in <domain *>. Messages that are routed to the cold VirtualMTA are then handled based on the settings defined in the cold VirtualMTA.

The default setting for the “max-cold-virtual-mta-msg” directive is
0, which means “don’t re-select a cold VirtualMTA”. If
“max-cold-virtual-mta-msg” is set globally but the VirtualMTA selected doesn’t have a “cold-virtual-mta” directive configured, no re-selection takes place.

Since the cold VirtualMTA is just another VirtualMTA, this feature can also be used to route traffic from an old server to a new server.
This is useful when moving server locations and the new server is getting new IPs that are not yet established with a good reputation. For example:

<virtual-mta vmta1>
    smtp-source-host 1.2.3.4 vmta1.example.com
    cold-virtual-mta vmta2
    <domain *>
        max-cold-virtual-mta-msg 1000/day
    </domain>
</virtual-mta>

<virtual-mta vmta2>
    smtp-source-host 5.6.7.8 vmta2.example.com
    <domain *>
        queue-to route.queue
    </domain>
    <domain route.queue>
        smtp-hosts [9.8.7.6]:25
    </domain>
</virtual-mta>

In the above example, the first 1000 messages per domain per day injected into vmta1 are routed to vmta2. At this point they are grouped into one large queue with the queue-to directive to help better manage the amount of outbound connections the messages will make.

Both the limits and the selection are persisted on disk, so that you can safely restart PowerMTA without resetting the current rates.

10.7 Use of Bounce Category Patterns

10.7.1 Overview

This feature can be used to make the bounce categories used in CSV accounting files field customizable. A customer can specify the tag in the configuration file, in which case the patterns specified there take precedence over those defined in config-defaults file. The data in the <bounce-category-patterns>
tag consist of two fields. The first field is the SMTP response on which to match, and the second field is the name of the category to be used. Custom category names are allowed. It should be entered in a <bounce-category-patterns> entry, like in:

<bounce-category-patterns>
    /spam/ spam-related
    /no longer (valid|available)/ bad-mailbox
    /mailbox +(is +)?full/ quota-issues
    /banned/ policy-related
</bounce-category-patterns>

<bounce-category-patterns> uses pattern matching in the same method as does <pattern-list>. <smtp-pattern-list> Directives describes SMTP pattern lists and pattern matching in greater detail.

10.8 Combining several domains into one queue

10.8.1 Overview

PowerMTA has the ability to group together different email domains into a single large queue. This can be useful for controlling the message stream across multiple domains. This includes any <domain> based controls such as max-msg-rate, max-smtp-out, and max-connect-rate.

Note that you will need to manually define the smtp-hosts directive for the new queue if it is not resolvable through DNS.

The directive to use is “queue-to”, which is defined in the <domain>
definitions that you want to group together. The parameter defined within the queue-to directive is the name of the “domain” that the other domains will be rolled up into. Use of the smtp-hosts directive is required.

For example:

<virtual-mta hotmail-queue>
    <domain hotmail.queue>
        max-smtp-out 10
        smtp-hosts hotmail.com  # you must define this for the consolidated queue.
    </domain>
    <domain hotmail.com>
        queue-to "hotmail.queue"
    </domain>
    <domain hotmail.co.uk>
        queue-to "hotmail.queue"
    </domain>
    <domain live.com>
        queue-to "hotmail.queue"
    </domain>
</virtual-mta>

With this, all messages queued for this VirtualMTA for any hotmail.com, hotmail.co.uk, or live.com domain will be put in one queue named “hotmail.queue”, and treated as such.

Or:

<virtual-mta client-mta>
    smtp-source-host 1.2.3.4 mail1.yourdomain.com
    <domain *.psmtp.com>
        queue-to "psmtp.com"
        max-smtp-out 20
        bounce-after 2d
        max-msg-per-connection 10
    </domain>
</virtual-mta>

With this, all messages queued for this VirtualMTA for any
*.psmtp.com domain (e.g. mail9.psmtp.com, someone.psmtp.com, etc.) will be put in the one queue for psmtp.com, and treated as such. As a note, if you are using a cold VirtualMTA, the directive max-cold-virtual-mta is applied AFTER queue-to is applied.

10.9 Setting recipient priority

10.9.1 Overview

It may be necessary to set a given recipient of set of recipients with a higher or lower priority (e.g. password reset vs. weekly newsletter). This can be done in PowerMTA in different ways. The first is via the <domain> directive “queue-priority”. The directive works in the following manner:

<domain someplace.com>
    queue-priority 75
</domain>

<virtual-mta newsletter>
    <domain someplaceelse.com>
        queue-priority 30
    </domain>
</virtual-mta>

With the above set, all messages going to someplace.com will get a queue-priority of 75 (the default is 50 with a range of 1-100, higher amounts being given higher priority). This will give this set of messages first priority in PowerMTA for connections and delivery. The messages for someplaceelse.com/newsletter will get a lower priority than the average mail, and will go out last.

Another method of setting the message priority is by using a <pattern-list>. The directive works in the following manner:

<pattern-list myList>
    rcpt-to /password-reset@customer.com/ recipient-priority=100
    rcpt-to /special@customer.com/ virtual-mta=high, recipient-priority=60
    mail-from /newsletter/ recipient-priority=25
</pattern-list>

In the above example, individual emails to password-reset@customer.com will get the highest priority, generic emails to special@customer.com will get a slightly higher than normal priority, and any emails from anything containing newsletter will get a low priority.

If both queue-priority and recipient-priority are used, queue-priority takes precedence. recipient-priority is only used for determining which recipients in a queue are attempted first for delivery.

10.10 SNMP Support

10.10.1 Overview

PowerMTA supports SNMP for monitoring basic status information.

Currently all the information from the pmta show status command is what is available for monitoring via SNMP.

PowerMTA SNMP support is included with the Windows installer. There is a separate package available for Linux from the PowerMTA download page. PowerMTA’s SNMP daemon can be used in master mode or as an AgentX subagent (not available on Windows). It automatically detects whether there is a AgentX master running (e.g. Net-SNMP’s snmpd). If so it registers itself as a subagent, otherwise it runs in master mode.

As a note, to allow Net-SNMP’s snmpd to act as a AgentX master it is required to activate the AgentX support in snmpd (by having a line “master agentx” in snmpd.conf).

The default configuration for PowerMTA’s SNMP daemon is located in:

Linux:

/etc/pmta/pmtasnmp.conf

Windows:

<PowerMTA install directory>\pmtasnmp.conf

This will allow anybody to read data from it with the “public”
community string, which may or may not be appropriate. Since the SNMP daemon is based on Net-SNMP the configuration file is a standard Net-SNMP configuration file and documentation is available from:

http://www.net-snmp.org/docs

The data available through SNMP is described by the MIB which can be found at the following location:

Linux:

/usr/share/snmp/mibs/PowerMTA-MIB.txt

Windows:

<PowerMTA install directory>\mibs\PowerMTA-MIB.txt

To access the data via SNMP a third party solution is required.

On Linux you have the Net-SNMP utils installed you can test that it works (and see the data available) with the following command:

snmpwalk -v2c -c public localhost PowerMTA-MIB::mta

10.11 High Availability Configuration

In “High Availability” deployment, two servers run PowerMTA service, and if one fails, new mail gets sent to the backup server by the feeding application. If the spool directory is recoverable, it is added as a second spool to the backup, and the service is restarted to pickup this spool, sending all new and old mail.

When the production server is backup and online, new mail is redirected back to the production server, and the hot backup is left running until all mail has been delivered or bounced. After the mail is delivered from the hot backup, it is put back into its original single spool state, and is kept idle until the next time it is needed.

10.12 Precached domains support

For senders that have DNS server issues when loading large amounts of domains into PowerMTA in a short period of time, or when maintaining large amounts of domains with short a short DNS TTL, PowerMTA offers the ability to precache a given subset of the DNS names to ensure the DNS name is always available. This feature is enabled by use of the new,
global <dns> tag.

<dns>
    precached-domains-file C:\pmta\precached-domains.txt
    precached-max-domains 500
    precached-refresh-interval 5m
</dns>

The file C:\pmta\precached-domains.txt would contain a list of domains, each on a line by itself. For example,

hotmail.com
yahoo.com
aol.com
gmail.com

PowerMTA would only precache the first 500 domains in the file, refreshing the DNS for these domains every 5 minutes.

10.13 Scheduled Delivery Control

PowerMTA supports the ability to schedule deliveries via a header.

The format of the header is:

x-schedule: <start time>/<end time>, <start time>/<end time>

Here is an example:

x-schedule: 2015-05-29 17:01:11 / 2015-05-29 17:30:11, 2015-05-30 17:01:11 / 2015-05-30 17:30:11

You can add as many time intervals as needed.

The bounce-after does not apply to such recipients. The schedule overrides the bounce-after
and the message is bounced when there are no more schedules to try. In addition, if the queue is in retry mode when the messages are injected, the message delivery will not start at the window start time, but rather message delivery attempts will start when the queue come out of retry mode.

10.14 Custom retry intervals

retry-after and backoff-retry-after can also take a time interval in addition to the static, defined time. This allows for adding up to 30 different retry periods. This may be useful for domains in which the likelihood of messages being delivered decreases over time. The last defined interval is used until the message bounces. The interval resets on a restart of the PowerMTA server. An example usage would be:

<domain example.com>
    retry-after 10m,10m,10m,10m,10m,10m,30m,30m,30m,30m,1h,1h,2h,2h,4h,4h,10h
</domain>

In the above example the domain would be tried every 10 minutes for the 6 tries, every 30m for the next 4 tries, every hour for the 2 tries, every 4 hours for the next two tries, and finally, every 10 hours until the message is bounced.

10.15 Address Suppression Lists

Lists can be defined with the new global <address-list listName> tag and one or more can be referenced within a <source>
with the new “suppression-lists” directive. Addresses in the suppression list are rejected (or turned into bounces, depending on options) during submission. Multiple suppression lists may be used:

<address-list suppression1>
    address foo # local part
    address foo@bar.com # email address
    address /foo/ # pattern
</address-list>

<address-list suppression2>
    domain foo.com # domain
    address-file /etc/pmta/addresses # email addresses or local parts, 1/line
</address-list>

<source 0/0>
    suppression-lists suppression1,suppression2
</source>

NOTE: Defining more than 500 patterns within a single suppression list is not recommended.

If the <source> directive accept-invalid-recipients is set to “no”, then the message is rejected at the time of submission (i.e., while processing the RCPT command).

If the <source> directive accept-invalid-recipients is set to “yes”, then the message is queued and later bounced with generation of a bounce record with details such as:

dsnStatus: 5.7.1 (delivery not authorized)
dsnDiag: smtp;550 5.7.1 recipient is in suppression list "a1": <foo@bar.com>

For BSMTP pickup files, If XACK is set to “on”, then the message is rejected while the file is picked up (i.e., while processing the RCPT command). This is logged in the PowerMTA log file just like any other pickup submission error. If XACK is set to “off”, then the file is picked up and the message is later bounced with a bounce record that looks similar to SMTP submission case above.

For non-BSMTP pickup files, the message is rejected while the file is picked up (i.e., when processing the x-receiver header). This is logged in the PowerMTA log file just like any other pickup submission error.

10.16 MX Rollup List

This feature allows one to define “rollup” queues based on the MX records of the recipient domain, in order to consolidate separate but related recipient domains into one queue. Messages moved into the roll up queue are handled as if they were one recipient domain with regards to rate limiting, connection caps, etc…. For example, since msn.com, live.com and hotmail.com are all handled by the same exact MXs/gateway, it makes sense to roll these up into one queue vs. being handled separately by PowerMTA. This feature works very well for the large mailbox providers that provide corporate hosting, for filtering/antispam cloud providers, or for large hosting providers in general that manage corporate email for tens or hundreds of thousands of various domains.

To configure this feature, you need to define the MX record that maps to each rollup queue name along with the name of the rollup queue, which must end in “.rollup”. More than one MX can be mapped to the same rollup queue, for example:

<mx-rollup-list>
    mx mx1.hotmail.com hotmail.rollup
    mx mx2.hotmail.com hotmail.rollup
    mx mx3.hotmail.com hotmail.rollup
    mx mx4.hotmail.com hotmail.rollup
    mx smtp.secureserver.net secureserver.net.rollup
</mx-rollup-list>

NOTE that only the lowest preference (highest priority) MX records should be defined with this feature.

Wildcards are also supported for the MX records, for example:

<mx-rollup-list>
    mx *.hotmail.com hotmail.rollup
    mx *.mail.protection.outlook.com outlook.rollup rollup-by-ip
</mx-rollup-list>

which would then automatically include all matching lowest preference MX records. Any recipient domain whose lowest preference MXs match the wildcard would be automatically placed in the hotmail.rollup queue, and which all messages would be treated as if to a single recipient domain.

No match occurs when a rollup queue defined in the
<mx-rollup-list> has more lowest preference MXs configured to it than what is returned by DNS.

For rollup queues in which the MX records are explicitly defined (no wildcards) in the rollup list, PowerMTA will automatically use/look up the specific defined MXs in DNS for routing information for the domains in the rollup queue.

For rollup queues in which a wildcard is used, one must explicitly define the smtp-hosts
directive within the domain definition for the rollup queue along with the appropriate MX or A records, since it is impossible for PowerMTA to infer the proper MXs to use for all domains in the rollup queue (in contrast to when they are explicitly defined).

For rollup queues in which a wildcard is used with the “rollup-by-ip”
option, there is no need to configure “smtp-hosts” directive. PMTA will automatically set the “smtp-hosts” for such rollup queues to the hosts that the original domain resolved to. In order to perform the rollup action, PMTA will use the IP addresses that the MXes resolve to, not the MX name.

Port25 recommends always explicitly defining the rollup queue within its own domain definition in order to explicitly set the delivery controls you want to achieve for the rollup queue.

For clarification, the table below provides various scenarios and end results based on the following MX rollup list definitions and defined DNS results.

Configuration settings for MX Rollup list to be used for examples below:

<mx-rollup-list>
    mx mx1.domain.com domain.rollup
    mx mx2.domain.com domain.rollup
    mx mx1.domain2.com domain2.rollup
</mx-rollup-list>

The below table lists various examples of how this would work. For all examples the recipient domain would be domain.com.

Example 1

DNS results for domain’s MX lookup (MX name + preference)

mx1.domain.com 10
mx2.domain.com 10

Rollup Queue Used domain.rollup

Destination MXes for the Rollup Queue

mx1.domain.com
mx2.domain.com

Explanation MXs defined for rollup queue are present in domain’s DNS results.

Example 2

DNS results for domain’s MX lookup (MX name + preference)

mx1.domain.com 10
mx2.domain.com 20

Rollup Queue Used N/A – rollup would not take place

Explanation Rollup queue has more lowest-preference MXs defined than what DNS returns.

Example 3

DNS results for domain’s MX lookup (MX name + preference)

mx1.domain.com 10
mx2.domain.com 10
mx3.domain.com 10

Rollup Queue Used domain.rollup

Destination MXes for the Rollup Queue

mx1.domain.com
mx2.domain.com

Explanation MXs defined for rollup queue are present in domain’s DNS results, mx3.domain.com is not used by PowerMTA for delivery.

Example 4

DNS results for domain’s MX lookup (MX name + preference)

mx1.domain.com 10
mx2.domain.com 10
mx3.domain.com 10

Rollup Queue Used domain.rollup

Destination MXes for the Rollup Queue

mx1.domain.com
mx2.domain.com

Explanation MXs defined for rollup queue are present in domain’s DNS results, mx3.domain.com is not used by PowerMTA for delivery.

Example 5

DNS results for domain’s MX lookup (MX name + preference)

mx1.domain.com 10

Rollup Queue Used N/A – rollup would not take place

Explanation Rollup queue has more lowest preference MXs

Example 6

DNS results for domain’s MX lookup (MX name + preference)

mx1.domain2.com 10
mx2.domain2.com 10

Rollup Queue Used domain2.rollup

Destination MXes for the Rollup Queue

mx1.domain2.com

Explanation MXs defined for rollup queue are present in domain’s DNS results, mx2.domain2.com is not used by PowerMTA for delivery.

Example 7

DNS results for domain’s MX lookup (MX name + preference)

mx1.domain2.com 10
mx1.domain2.com 20

Rollup Queue Used domain2.rollup

Destination MXes for the Rollup Queue

mx1.domain2.com

Explanation MXs defined for rollup queue are present in domain’s DNS results.

Example 8

DNS results for domain’s MX lookup (MX name + preference)

mx1.mail.domain.com 10

Rollup Queue Used N/A – rollup would not take place

Explanation DNS results do not match any defined rollup queue.

10.17 Recipient Events

To aid in real-time queue diagnostics, PowerMTA shows the last 50
recipient delivery, bounce, and deferred events. This data is disabled by default, and can be enabled by setting:

<domain *>
    track-recipient-events true
</domain>

You can also enable this feature for only some of the domains instead of all.

The data is available in the output of the following commands in addition to being displayed on the individual queue detail page in the web monitor:

pmta show queues
pmta show topqueues
pmta show queue domain[/vmta]

The information is held in memory as long as the queue has any recipients in it.

11 Accounting Files and Statistics

11.1 Introduction

The accounting file can be written in CSV format to a file or streamed to pipe.

11.2 The Accounting File

For efficiency and ease of use, PowerMTA writes accounting information to a separate file rather than to its logging file.

For ease of use, the accounting file is a CSV (Comma Separated Value) file.

There are 8 types of records available:

  • Successful delivered records which provide the data for all messages successfully transferred to the destination domain mail servers.
  • Bounced records which provide the data for all reports PowerMTA generated and delivered, including bounces for messages that PowerMTA could not deliver.
  • Transient error records which show each unsuccessful delivery attempt of an individual message. These errors are for individual recipients.
  • Transient queue error records for queue-level errors.
  • Inbound recipients records which show each successful submission of an individual message to PowerMTA.
  • Feedback loop records can be logged if PowerMTA has been configured with a <feedback-loop-processor>
  • Remote bounce/status records can be logged if PowerMTA has been configured with a <bounce-processor>

All records are written to the accounting file at the time the message or report is delivered, so they will be ordered by delivery time.


11.2.1 Accounting records

PowerMTA writes an accounting record per recipient delivered. These various records can be stored in all in one file, or in separate files by record type. The CSV field type is used to determine one of four possible values for the file. The various types are “d” for delivered, “b” for bounced, or “t” for transient, “tq” for transient-queue, and “r” for received, “f” for feedback loop records and
“rb”/”rs” for remote bounce or remote status records. By default, only
“d” and “b” records are recorded.

11.2.2 “Successful delivered” Records

The following are all the available fields for the CSV file that can be configured with “d” or “delivery” record type.

CSV Accounting File
(record-fields)
Description
type Type of record (“d” or “delivery”) (Note: this field is always logged and cannot be disabled or changed).
timeLogged Time the record was delivered and logged to the accounting file
timeQueued Time message was queued to disk
totalSecondsQueued the total amount of time in seconds, between reception to delivery
orig originator (from MAIL FROM:<x>)
rcpt recipient (RCPT TO:<x>) being reported
orcpt original recipient (from RCPT TO:... ORCPT=x), immediately following the recipient to which it refers
dsnAction DSN action for the recipient to which it refers (Relayed means the message was passed on to another MTA, one that doesn’t support the DSN extensions. Delivered means the MTA that issued the report actually did the final delivery.)
dsnStatus DSN status for the recipient to which it refers
dsnDiag DSN diagnostic string for the recipient to which it refers
dsnMta DSN remote MTA for the recipient to which it refers
bounceCat likely category of the bounce (see Bounce Categories), following the recipient which it refers
srcType source type from which the message was received, either api or smtp
srcMta source from which the message was received. the MTA name (from the HELO/EHLO command) for messages received through SMTP
dlvType delivery method, one of smtp, pipe, discard, or file
dlvSourceIp local IP address PowerMTA used for delivery
dlvDestinationIp IP address of the mailer to which the report/message was delivered
dlvEsmtpAvailable SMTP extensions supported by receiving mailer
dlvSize report/message size in bytes
vmta VirtualMTA selected for this message, if any
jobId job ID for the message, if any
envId envelope Id, from MAIL FROM:... ENVID=x (present only if specified)
queue domain/vmta used for delivery (remote status only)
vmtaPool VirtualMTA pool selected for this message, if any (remote status only)
header_XXX for each custom header included where XXX is the name of the header, if any
userString String added to accounting file as defined by the <acct-file> directive user-string.
dlvTlsProtocol The TLS version that was negotiated with the remote end during STARTTLS
dlvTlsCipher The TLS cipher that was negotiated with the remote end during STARTTLS
rcvSmtpUser The SMTP authenticated user that submitted the message

Sample accounting entry for a delivery record:

d,2019-02-08 21:54:05+0000,2019-02-08 21:54:05+0000,AA-D=1181.com@bounce.bar.com,D@1181.com,,relayed,2.0.0 (success),smtp;250 DATA ok,foo.int.port25.com (10.1.2.3),,api,foo.int.port25.com (127.0.0.1),smtp,10.1.2.3,10.1.2.3,"ENHANCEDSTATUSCODES,8BITMIME,SMTPUTF8",41159,vmta48,JoBID29546016861868,,1181.com/vmta48

11.2.3 “Bounced” Records

The following are all the available fields for the CSV file that can be configured with “b” or “bounced” record type.

CSV Accounting File
(record-fields)
Description
type Type of record (“b” or “bounce”) (Note: this field is always logged and cannot be disabled or changed).
timeLogged Time the record was delivered and logged to the accounting file
timeQueued Time message was queued to disk
totalSecondsQueued the total amount of time in seconds, between reception to delivery
orig originator (from MAIL FROM:<x>)
rcpt recipient (RCPT TO:<x>) being reported
orcpt original recipient (from RCPT TO:... ORCPT=x), immediately following the recipient to which it refers
dsnAction DSN action for the recipient to which it refers
dsnStatus DSN status for the recipient to which it refers
dsnDiag DSN diagnostic string for the recipient to which it refers
dsnMta DSN remote MTA for the recipient to which it refers
bounceCat likely category of the bounce (see Bounce Categories), following the recipient which it refers
srcType source type from which the message was received, either ‘api’ or ‘smtp’
srcMta No data present in Bounce Record
dlvType No data present in Bounce Record
dlvSourceIp No data present in Bounce Record
dlvDestinationIp No data present in Bounce Record
dlvEsmtpAvailable No data present in Bounce Record
dlvSize Deprecated. No data present in Bounce Record
vmta VirtualMTA selected for this message, if any
jobId job ID for the message, if any
envId envelope Id, from MAIL FROM:... ENVID=x (present only if specified)
queue domain/vmta used for delivery (remote status only)
vmtaPool VirtualMTA pool selected for this message, if any (remote status only)
header_XXX for each custom header included where XXX is the name of the header, if any
userString String added to accounting file as defined by the <acct-file> directive user-string.
dlvTlsProtocol The TLS version that was negotiated with the remote end during STARTTLS
dlvTlsCipher The TLS cipher that was negotiated with the remote end during STARTTLS
rcvSmtpUser The SMTP authenticated user that submitted the message

Sample accounting entry for a bounce record:

b,2019-02-08 21:53:41+0000,2019-02-08 21:53:41+0000,CB-A=yahoo.com@bounce.bar.com,A@yahoo.com,,failed,5.7.1 (delivery not authorized),smtp;554 5.7.1 Denied - Spam Suspected - http://www.w357sfhsjhf873.net/services/spamwatch/blocked.php,foo.int.bar.com (10.1.2.3),spam-related,api,foo.int.bar.com (127.0.0.1),smtp,10.1.2.3,10.1.2.3,"ENHANCEDSTATUSCODES,8BITMIME,SMTPUTF8",,vmta18,,,yahoo.rollup/vmta18

11.2.4 “Transient error” Records

There are times when sending emails may fail. To help identify these issues, PowerMTA has the ability to show transient errors per message.
This logging is handled with the record type “t”.

The following are all the available fields for the CSV file that can be configured with “t” or “transient” record type.

CSV Accounting File
(record-fields)
Description
type Type of record (“t” or “transient”) (Note: this field is always logged and cannot be disabled or changed).
timeLogged Time the record was delivered and logged to the accounting file
timeQueued Time message was queued to disk
totalSecondsQueued the total amount of time in seconds, between reception to delivery
orig originator (from MAIL FROM:<x>)
rcpt recipient (RCPT TO:<x>) being reported
orcpt original recipient (from RCPT TO:... ORCPT=x), immediately following the recipient to which it refers
dsnAction DSN action for the recipient to which it refers
dsnStatus DSN status for the recipient to which it refers
dsnDiag DSN diagnostic string for the recipient to which it refers
dsnMta DSN remote MTA for the recipient to which it refers
bounceCat likely category of the bounce (see Bounce Categories), following the recipient which it refers
srcType source type from which the message was received, either ‘api’ or ‘smtp’
srcMta source from which the message was received. the MTA name (from the HELO/EHLO command) for messages received through SMTP
dlvType delivery method, one of “smtp”, “pipe”, “discard”, or “file”
dlvSourceIp local IP address PowerMTA used for delivery
dlvDestinationIp IP address of the mailer to which the report/message was delivered
dlvEsmtpAvailable SMTP extensions supported by receiving mailer
dlvSize Deprecated. report/message size in bytes
vmta VirtualMTA selected for this message, if any
jobId job ID for the message, if any
envId envelope Id, from MAIL FROM:... ENVID=x (present only if specified)
queue domain/vmta used for delivery (remote status only)
vmtaPool VirtualMTA pool selected for this message, if any (remote status only)
header_XXX for each custom header included where XXX is the name of the header, if any
userString String added to accounting file as defined by the <acct-file> directive user-string.
dlvTlsProtocol The TLS version that was negotiated with the remote end during STARTTLS
dlvTlsCipher The TLS cipher that was negotiated with the remote end during STARTTLS
rcvSmtpUser The SMTP authenticated user that submitted the message

Sample accounting entry for a transient record:

t,2019-02-08 21:53:54+0000,2019-02-08 21:53:54+0000,DB.AD.G.AA.AB-DA=yahoo.fr@bounce.bar.com,DA@yahoo.fr,,delayed,4.7.0 (other or undefined security status),smtp;421 4.7.0 mx002.roc2.bluetie.com Error: too many errors,foo.int.bar.com (10.1.2.165),policy-related,api,foo.int.bar.com (127.0.0.1),smtp,10.59.14.69,10.1.2.165,"ENHANCEDSTATUSCODES,8BITMIME,SMTPUTF8",,vmta21,,,yahoo.rollup/vmta21,

11.2.5 “Transient Queue” Records

There are times when sending emails that an entire given queue may fail. It may be problems with a particular outbound IP address, or maybe one domain is currently offline. To help identify these issues, PowerMTA has not only the ability to show transient recipient errors per message, but also the same information on a per queue basis. This logging is handled with the record type “tq”. The records when using
“tq” are slightly different than those mentioned above. The fields available are as follows:

CSV Accounting File
(record-fields)
Description
type Type of record (“tq” or “transient queue”) (Note: this field is always logged and cannot be disabled or changed).
timeLogged current time
queue queue name
vmta VirtualMTA name
dsnStatus DSN status code for failure
dsnDiag DSN diagnostic string for failure
dsnMta remote MTA, if applicable
dlvType delivery type
dlvSourceIp IP address from which the connection was made/attempted
dlvDestinationIp IP address to which the connection as made/attempted
userString String added to accounting file as defined by the <acct-file> directive user-string.

Sample accounting entry for a transient queue record:

tq,2019-02-08 21:53:39+0000,4.4.1 (no answer from host),,mx.xn--bcher-kva.de (87.98.150.101),smtp,0.0.0.0,87.98.150.101,vmta29,bücher.de/vmta29

11.2.6 “Received” Records

PowerMTA can log messages in the accounting file during the injection process. This logging is handled with the record type “r”. The fields available are as follows:

CSV Accounting File
(record-fields)
Description
type Type of record (“r” or “received”) (Note: this field is always logged and cannot be disabled or changed).
timeLogged current time
orig originator (from MAIL FROM:<x>)
rcpt recipient (RCPT TO:<x>) being reported
orcpt original recipient (from RCPT TO:... ORCPT=x), immediately following the recipient to which it refers
srcType source type from which the message was received, either api or smtp
srcMta source from which the message was received. the MTA name (from the HELO/EHLO command) for messages received through SMTP
rcvSourceIp IP address of the server connecting to PowerMTA
rcvDestinationIp IP address PowerMTA used to handle the connection
vmta VirtualMTA selected for this message, if any. If the message was submitted to a pool, this field will contain the pool name instead of the eventual virtual MTA (of that pool) that the message was placed into.
vmtaPool VirtualMTA pool selected for this message, if any.
jobId job ID for the message, if any
envId envelope Id, from MAIL FROM:... ENVID=x (present only if specified)
header_XXX for each custom header included where XXX is the name of the header, if any
userString String added to accounting file as defined by the <acct-file> directive user-string.
rcvSmtpUser The SMTP authenticated user that submitted the message

Sample accounting entry for a received record:

r,2010-04-17 16:19:57-0400,test@port25.com,test@port25.com,,smtp,tesFeeder (192.168.25.56),192.168.25.56,192.168.25.11,vmta1,job2,envid1234

11.2.7 “Remote Bounce” & “Remote Status” Records

PowerMTA can log remote (asynchronous) bounces in the accounting file and remote status reports. This logging is handled with the record type
“rb” for remote bounce and “rs” for reporting other kinds of remote status (used for DSN positive and “delayed” status notifications). The fields available are as follows:

CSV Accounting File
(record-fields)
Description
type Type of record “rb” or “rs” (Note: this field is always logged and cannot be disabled or changed).
timeLogged current time
orig originator address (of original email)
rcpt recipient address (of original email)
orcpt original recipient (from RCPT TO:... ORCPT=x), immediately following the recipient to which it refers
dsnAction DSN action (remote status only)
dsnStatus DSN status
dsnDiag DSN diagnostic
dsnMta DSN remote MTA
dsnReportingMta DSN reporting MTA (remote bounce only)
bounceCat bounce category
srcType source type from which the message was received, either api or smtp
srcMta source from which the message was received. the MTA name (from the HELO/EHLO command) for messages received through SMTP
envId envelope Id
format either dsn or qmail or mxl or brightmail or interscan, or the name of the file containing the body-pattern-file pattern that matched this report

Sample accounting entry for a remote bounce record:

rb,2010-12-01 14:24:44-0500,bounce@bounce.com,lksjflkj@somedomain.com,,5.1.1 (bad destination mailbox address),"smtp;550 5.1.1 no such local recipient: <lksjflkj@somedomain.com> in ""RCPT TO:<lksjflkj@somedomain.com>""",mail.remotedomain.com (169.3.169.30),my.local.server.com,bad-mailbox,smtp,my.local.server.com
(192.168.0.150),

11.2.8 “Feedback Loop” Records

PowerMTA can log feedback loop reports in the accounting file. This logging is handled with the record type “f”. The records when using “f”
are slightly different than those mentioned above. The fields available are as follows:

CSV Accounting File
(record-fields)
Description
type Type of record “f” (Note: this field is always logged and cannot be disabled or changed).
timeLogged Current time
repSourceIp the IP of PowerMTA that received the message
feedbackType mapped to ARF’s Feedback-Type field
format arf or jmrp or the name of the file containing the body-pattern-file pattern that matched this report
userAgent name & version of the program that generated the report
envid envelope ID (of original email)
orig originator address (of original email)
rcpt recipient address (of original email)
reportingMTA the name of the MTA generating this feedback report
dlvSourceIp address of MTA from which the message was received
reportedDomain the domain about which the feedback report was generated
header_<name> header extracted from original email
arf_<name> field from ARF feedback-report

Sample accounting entry for a FBL record:

f,2010-04-12 11:40:37-0400,arf,AOL SComp,,,,mail1.domain.com,169.63.151.30

11.2.9 Encoding

As much as possible, standard CSV encodings are used for all fields, with most characters being as-is in the output. Time stamps are normally formatted as “MM/DD/YYYY HH:MM:SS+UTCoffset” but can be changed to UNIX
time_t, i.e. the number of seconds since midnight on January 1, 1970.

The format of the file is CSV (comma-separated values), UTF-8 encoded, as described in RFC 4180, with a header line at the beginning of the file describing what field is in which column. Here is the format from RFC 4180 in short: columns are separated by commas and records terminated with CRLF. Values may be quoted with double quotes (“”), and must be quoted if its value contains a comma, a double quote or CRLF. A double quote occurring within double quotes is repeated, like in:

two inches,"2"""

To accommodate writing various record types in the same file, the first column is always the record type. If an accounting file is configured (or defaulted) to have multiple record types, all the possible columns from the selected records are included. For example, if a file was configured as:

records d, b
record-fields delivery timeLogged,orig,rcpt,dlvSourceIp
record-fields bounce timeLogged,orig,rcpt,bounceCat

the resulting file (including a few record of each type) might look like:

type,timeLogged,orig,rcpt,dlvSourceIp,bounceCat
d,1178807903,orig@port25.com,user1@domain.com,10.0.0.1,
d,1178807905,orig@port25.com,user2@domain.com,10.0.0.1,
b,1178807915,orig@port25.com,user3@domain.com,,policy-related
b,1178807915,orig@port25.com,user4@domain.com,,policy-related

Note that the dlvSourceIp field was omitted (empty field at the end) for the ‘b’ record, and that the bounceCat was omitted in the ‘d’ record, because they were not configured.

11.3 Configuring the accounting file

Use <acct-file> tag in the config file to enable accounting files. The tag takes one parameter – either the location of the CSV file or the location of the executable program to which PowerMTA should pipe the accounting records. If using pipe, the parameter should be preceded by by a “|”. It may be required to quote the acct file path if it contains spaces (like <acct-file "c:\my stuff\\acctproc.exe">) or if arguments are passed (like <acct-file "/bin/foo.pl -x -a -z">). See Examples below.

In the current pipe implementation, if PowerMTA runs into a problem writing to the pipe, it gives up on it and won’t retry either until the next pmta reload command is run, or after a certain predefined time limit. With this, it will be necessary for customers to configure PowerMTA to create a corresponding accounting data file as well, in order to have the data to recover, if there are problems with the customer’s pipe application.

In the event of a broken pipe, PowerMTA writes:

Error TYPE "CMD": DETAILS

to the logging file, where TYPE is one of “starting”, “writing to” or
“executing”, CMD is the configured command, and DETAILS is a string with details on what went wrong. Each time a pipe is started, the first line written to it is a headers line with the various fields (like in the CSV files). It is only re-started upon a pmta reload.

11.3.1 Examples

The accounting file is configured with the <acct-file> type directive with the date added as part of the file name. For example <acct-file log/acct.csv> yields a file name like /pmta/log/acct-2007-09-05-0000.csv. By default on a new installation, the settings will look similar to the following:

<acct-file log\acct.csv>
#  move-to c:\myapp\pmta-acct   # configure as fit for your application
   move-interval 1d
   max-size 250M   # MB
</acct-file>

The data may also be written to pipe. This can be useful if a custom application is created in which the data would be written to a database in real time. PowerMTA instantiates the script only once at startup and then keeps passing data to the pipe as and when available. An example would look similar to the following:

<acct-file |C:\pmta\bin\customCode.exe --thisOption --thatOption>
</acct-file>

Multiple files can be used if needed. For example, it may be more convenient to have all bounces and deliveries in one file and transient reports in another file. An example of such would be similar to the following:

<acct-file log\acct-bd.csv>
    records b,d
    record-fields d *,!orcpt,header_myCustomHeader
    record-fields b *,!orcpt
</acct-file>

<acct-file log\acct-t.csv>
    records t,tq
</acct-file>

11.4 The pmtastats Accounting Statistics Application

PowerMTA comes with an accounting file parsing application, pmtastats, that calculates delivery throughput and general traffic statistics both on a global basis and/or on a per campaign or mailing basis.

If you wish to run the parsing application over more than one accounting file (for example, if the accounting file was rotated while sending a campaign), simply specify the various files within the same command. For example:

pmtastats [global options] [statistic [options] ..] acct.csv acct-1.csv

11.4.1 pmtastats Options

pmtastats has the following options, as shown by the --help output:

PowerMTA(TM) v4.5r16 statistics program
Copyright(c) 1999-2018, Port25 Solutions, Inc.  All Rights Reserved.

Usage: bin/pmtastats [global options] [statistic [options] ...] file ...

One or more statistics can be specified, each with its own options.  Use with one or more files, in either binary, CSV or XML format.  '-' can be used for reading from standard input.

examples:
     bin/pmtastats vmta-summary vmta-time-breakdown acct*
     bin/pmtastats bounce-categories --bounceCat all acct*
     bin/pmtastats --vmta vmta1 top-rates delivery-times acct*
     bin/pmtastats --output html vmta-time-breakdown acct* > report.html

global options:
    --help
        display this help and exit
    --version
        display version information and exit
    --quiet
        do not display progress information
    --output <format>
        selects the output format (text, html; default: text)
    --envId <id>
    --from <originator>
    --toDomain <domain>
    --jobId <id>
    --vmta <vmta>
    --rcvSmtpUser <username>
    --header <name> <content>
        filter input: use only records whose envelope ID, originator,
        recipient domain, job ID, VirtualMTA, or the given header
        starts with the given string, respectively
        (default: no filtering)
    --last DdHhMmSs
        filter input: use only records written in the last D days, H hours,
        M minutes and S seconds.  Each part of the time specification can
        be omitted, such as in "3h15m" for 3 hours, 15 minutes.
        (default: no filtering)
    --byEnvId
    --byJobId
    --byFrom
    --byVmta
    --byHeader <header>
        statistics split by envelope ID, job ID, originator, VirtualMTA, or a
        given header, respectively.
        Only one of these can be used.
        For --byHeader, specify the header.
        (default: statistics not split)
    --splitLimit <num>
        set the maximum number of statistics a statistic can be split into
        (default: 5000)

    --topDomains <num>
        display top <num> domains (passed on to all statistics)

"bounce-categories" statistic
Shows most frequent bounce categories.
Options:
    --topCategories <num>
        display top <num> bounce categories (default: 10)
    --bounceCat <option>
        selects categories for detailed display.  Possible options are:
            <num> - top <num> categories
            <category> - category name
            'all' - all available categories
        (default: spam-related)
    --byDsn <num>
        display bounce category detail for the top <num> DSN codes (default: 10)
    --byDomain <num>
        display bounce category detail for the top <num> domains (default: 10)
    --byDsnAndDomain <num>
        display bounce category detail for the top <num> DSN code / domain
        combinations (default: 10)

"delivery-times" statistic
Shows times and recipients / time from queueing to delivery.
Options:
    (none)

"message-counts" statistic
Total counts of recipients and volume for messages and bounces.
Options:
    (none)

"top-bounce" statistic
Top bounce domains, aggregated by DSN code (reason).
Options:
    --topDomains <num>
        display bounce statistic for top <num> domains (default: 10)
    --topStatusCodes <num>
        display bounce statistics for top <num> status codes (default: 10)

"top-domains" statistic
Domains with the most recipients, bounces, and delivery times.
Options:
    --topDomains <num>
        display top <num> domains (default: 10)
    --noDeliveryTimes
        omits list of domains with the highest average delivery times
        (default: includes it)

"top-rates" statistic
Data transfer and recipient rates over time.
Options:
    (none)

"vmta-summary" statistic
High-level Virtual MTA traffic summary.
Options:
    --byDate
        split records by date (default: no splitting done)

"vmta-time-breakdown" statistic
Daily and hourly recipients and bounces for each Virtual MTA.
Options:
    --noHourly
        do not include hourly breakdown (default: include it)

"vmta-top-bounce" statistic
Bounces for individual Virtual MTAs.
Options:
    --topBounced <num>
        show top <num> domains by bounces (default: 20)
    --byDate
        split records by date (default: no splitting done)

shortcut options:
    --all
        create all available statistics with default options
    --acctstats
        create statistics similar to what acctstats did

Note: On Windows, you can also use the “/” character instead of “–” (but “–” works on all platforms).

The following is a list of the various fields available, and which reports return those fields.

bounce-categories delivery-times just-delivery-times message-counts top-bounce top-domains top-rates vmta-summary vmta-time-breakdown vmta-top-bounce
bounceCat *
dlvSourceIp * * *
dsnDiag * * * * * *
dsnStatus * *
envId
header_<xyz>
jobId
nRcpt * * * * * * *
orig
rcpt * * * *
size * *
timeLogged * * * * * *
timeQueued * * *
vmta * * *

11.4.2 pmtastats Report Breakdown

Given the various reports available, different data will or will not be included in each report based on the options used. Here is a sample of the reports available and their output. Multiple reports can be run at the same time.

11.4.2.1 Time Frame

   Time Frame:
                                       first                last
                                       -------------------  -------------------
                    received           2018-11-06 18:07:52  2018-11-06 19:29:33
                    delivered/bounced  2018-11-06 19:12:00  2018-11-06 19:29:33

This section is always generated for each report type, and shows the first and the last receipt time stamps and the first and the last delivery time stamps of the applicable messages. The scope of the output is based on the type of report specified, i.e., global or by originator or by envelope ID, and such can be used to calculate a campaign duration time. In this example, the mailing duration would be 13 hours 56 minutes and 35 seconds, which is the difference between when the first message was received (2007-01-15 14:19:11) and the last message was delivered (2007-01-17 03:15:46).

11.4.2.2 Bounce Categories

Total Bounce Breakdown By Category:

   Bounces (across 12 categories):

   total bounced  5.X.X bounces  4.X.X bounces
   -------------  -------------  -------------
           9,321          8,994            327

   bounced  %bounced  bounce category
   -------  --------  -------------------
     2,748     29.5%  spam-related
     1,978     21.2%  policy-related
     1,628     17.5%  bad-mailbox
       812      8.7%  quota-issues
       482      5.2%  other
       451      4.8%  invalid-sender
       366      3.9%  inactive-mailbox
       327      3.5%  no-answer-from-host
       259      2.8%  relaying-issues
       160      1.7%  protocol-errors

Bounce Category Detail (spam-related)

   bounce category  total bounced  5.X.X bounces  4.X.X bounces
   ---------------  -------------  -------------  -------------
   spam-related             2,748          2,748              0


   Sorted By DSN Code (Reason)

   bounced  % in category  dsn code (reason)
   -------  -------------  -----------------
        43           1.6%  5.7.1 (delivery not authorized); 554 5.7.1 Blacklisted by black.uribl.com Contact the postmaster of this domain for resolution.
        38           1.4%  5.7.1 (delivery not authorized); 554 5.7.1 Blacklisted by Contact the postmaster of this domain for resolution. This attempt has been logged.
        35           1.3%  5.7.1 (delivery not authorized); 554 5.7.1 Blacklisted by cim-10.net.multi.surbl.org Contact the postmaster of this domain for resolution. This attempt has been logged.
        32           1.2%  5.7.1 (delivery not authorized); 554 5.7.1 Denied - Spam Suspected - http://<RCPT_SERVER>/services/spamwatch/blocked.php
        32           1.2%  5.7.1 (delivery not authorized); 554 5.7.1 Rejected... Message identified as UBE (spam). If you feel you have received this message in error CALL the intended recipient and ask them to report the issue to support services.
        32           1.2%  5.7.1 (delivery not authorized); 554 5.7.1 Your message was rejected as spam
        32           1.2%  5.7.1 (delivery not authorized); 571 5.7.1 Message contains spam or virus : 1585:<HEXDUMP>|5439
        31           1.1%  5.7.1 (delivery not authorized); 554 5.7.1 Blacklisted by cim-10.net.black.uribl.com Contact the postmaster of this domain for resolution. This attempt has been logged.
        31           1.1%  5.7.1 (delivery not authorized); 554 5.7.1 Message blocked due to spam content in the message
        30           1.1%  5.7.1 (delivery not authorized); 554 5.7.1 <SENDER_IPADDRESS>: on real-time blacklist b.barracudacentral.org


   Sorted By Domain

   domain                              bounced  % in category
   ----------------------------------  -------  -------------
   yahoo.com                               149           5.4%
   hotmail.fr                               94           3.4%
   中文邮箱.网络                              91           3.3%
   hotmail.es                               71           2.6%
   öbb.de                                   61           2.2%
   yahoo.fr                                 58           2.1%
   yahoo.es                                 56           2.0%
   blåbærsyltetøy.gulbrandsen.priv.no       55           2.0%
   live.ca                                  46           1.7%
   live.nl                                  45           1.6%


   Sorted By DSN Code (Reason) By Domain

   domain                              bounced  % in category  dsn code (reason)
   ----------------------------------  -------  -------------  -----------------
   中文邮箱.网络                               7           0.3%  5.0.0 (undefined status); 553 5.0.0 We do not accept mail from spammers ([<SENDER_IPADDRESS>][<SENDER_IPADDRESS>])
   yahoo.com                                 7           0.3%  5.7.1 (delivery not authorized); 554 5.7.1 Message blocked due to spam content in the message
   yahoo.com                                 7           0.3%  5.7.1 (delivery not authorized); 571 5.7.1 Message contains spam or virus : 1585:<HEXDUMP>|5439
   blåbærsyltetøy.gulbrandsen.priv.no        5           0.2%  5.0.0 (undefined status); 551 5.0.0 message classified as spam (RefID: str=0001.<HEXDUMP>.<HEXDUMP>.00C9,ss=4,fgs=0)
   hotmail.fr                                5           0.2%  5.7.1 (delivery not authorized); 554 5.7.1 Message rejected, SpamAssassin scored: 9.674 points TESTS=HTML_MESSAGE,IISDATED_4_25_2009,MIME_HTML_ONLY,NO_216_174_43CLASSC
   yahoo.com                                 5           0.2%  5.7.1 (delivery not authorized); 554 5.7.1 Rejected... Message identified as UBE (spam). If you feel you have received this message in error CALL the intended recipient and ask them to report the issue to support services.
   yahoo.es                                  4           0.1%  5.0.0 (undefined status); 553 5.0.0 We do not accept mail from spammers ([<SENDER_IPADDRESS>][<SENDER_IPADDRESS>])
   yahoo.fr                                  4           0.1%  5.3.0 (unknown mail system-related status); 553 5.3.0 <<RCPT_USER>@<yahoo.fr>>... Rejected by Iserv RBL. If this is an error, please contact our customer service department at 1-888-644-7378. - <SENDER_IPADDRESS>
   msn.com                                   4           0.1%  5.7.1 (delivery not authorized); 550 5.7.1 mail from <SENDER_IPADDRESS> rejected for spam/virus content
   blåbærsyltetøy.gulbrandsen.priv.no        4           0.1%  5.7.1 (delivery not authorized); 550 5.7.1 rejected as confirmed spam

This report list the top level bounce information. The scope of the output is based on the type of report specified, and the above example is done using no additional options.

Note that the report is based only on the messages that have already been handled by PowerMTA. If the report is generated while PowerMTA is still attempting to deliver some of the messages, these will not be included in the report.

11.4.2.3 Delivery Times

Delivery Times And Numbers (total queue time):

   Delivery times per percentage of recipients (successful deliveries only):

                                       recipients  avg. time  max. time  %rcpt.
                                       ----------  ---------  ---------  ------
                                           46,497    0:00:00    0:00:00     50%
                                           55,797    0:00:00    0:00:00     60%
                                           65,096    0:00:00    0:00:00     70%
                                           74,396    0:00:00    0:00:00     80%
                                           83,695    0:00:00    0:00:00     90%
                                           88,345    0:00:00    0:00:01     95%
                                           89,275    0:00:00    0:00:01     96%
                                           90,205    0:00:00    0:00:01     97%
                                           91,135    0:00:00    0:05:05     98%
                                           92,065    0:00:06    0:10:00     99%
                                           92,995    0:00:13    0:45:01    100%


   Deliveries per time increment (successful deliveries only):

               interval (between)  histogram                recipients   %rcpt.
               ------------------  -----------------------  -----------  ------
                0 -  5 seconds     **********************        90,691   97.5%
                6 - 30 seconds                                        0    0.0%
               31 - 60 seconds                                        0    0.0%
                1 -  2 minutes                                       48    0.1%
                2 -  5 minutes                                      394    0.4%
                5 - 10 minutes                                    1,222    1.3%
               10 - 30 minutes                                      626    0.7%
               30 - 60 minutes                                       14    0.0%
                1 -  2 hours                                          0    0.0%
                2 -  3 hours                                          0    0.0%
                3 -  4 hours                                          0    0.0%
                4 -  5 hours                                          0    0.0%
                5 -  6 hours                                          0    0.0%
                6 -  8 hours                                          0    0.0%
                8 - 10 hours                                          0    0.0%
               10 - 12 hours                                          0    0.0%
               after 12 hours                                         0    0.0%


   Cumulative deliveries per time increment (successful deliveries only):

                interval           histogram                recipients   %rcpt.
                -----------------  -----------------------  -----------  ------
                within 5 seconds   **********************        90,691   97.5%
                within 30 seconds  **********************        90,691   97.5%
                within 1 minute    **********************        90,691   97.5%
                within 2 minutes   **********************        90,739   97.6%
                within 5 minutes   **********************        91,133   98.0%
                within 10 minutes  **********************        92,355   99.3%
                within 30 minutes  ***********************       92,981  100.0%
                within 1 hour      ***********************       92,995  100.0%
                within 2 hours     ***********************       92,995  100.0%
                within 3 hours     ***********************       92,995  100.0%
                within 4 hours     ***********************       92,995  100.0%
                within 5 hours     ***********************       92,995  100.0%
                within 6 hours     ***********************       92,995  100.0%
                within 8 hours     ***********************       92,995  100.0%
                within 10 hours    ***********************       92,995  100.0%
                within 12 hours    ***********************       92,995  100.0%
                after 12 hours     ***********************       92,995  100.0%

This section and respective outputs are always generated and the scope of the outputs are based on the type of report specified, i.e., global or by originator/envelope ID. They also are primarily based on the difference between each message’s queue timestamp and transfer timestamp for only the messages that were successfully delivered by PowerMTA.

As mentioned in Top Domains, for the avg. time and max. time calculations, each recipient is counted by itself, even if a message is transferred in multi-recipient SMTP transactions.

The avg. time is calculated by adding together the fastest n% transfer times (transfer timestamp – queue timestamp) and then dividing this sum by the number of recipients that make up n% of the total deliveries. For example, in the 80% fastest delivery line in the top output, one would read that it took an average of 21 seconds for each message to each recipient to be delivered once each was queued, for the fastest 80% of all transfer times (or to 7,504,928 recipients).

The max. time is the longest transfer time (transfer timestamp – queue timestamp) for one message from all of the fastest transfer times for the number of recipients. In the 80% fastest delivery case, one would read that the longest it took for a message to be transferred, for the fastest 80% of all transfer times (or to 7,504,928 recipients), was 4 minutes and 24 seconds. Conversely, all of the 80%
messages were transferred in equal or less time. Note that this does not show total campaign duration time since these figures are only based on each message’s own transfer time.

11.4.2.4 Message Counts

Global Message Counts And Sizes:

   Message counts:

                                                        recipients       volume
                                                        ----------  -----------
                                            deliveries      92,995  18,532.1 kb
                                            bounces          9,321
                                            total          102,316  18,532.1 kb


   Message sizes:

                                                min. size  avg. size  max. size
                                                ---------  ---------  ---------
                                                   0.2 kb     0.2 kb     0.3 kb

This report list the basic numbers associated on the mailings being reported. Totals for delivered, bounced, and size of messages are included.

11.4.2.5 Top Bounce

Top Bounce Domain Breakdowns:

                               domain  recipients  total bounced  5.X.X bounces  4.X.X bounces
   ----------------------------------  ----------  -------------  -------------  -------------
                            yahoo.com       2,620            458            458              0
                          中文邮箱.网络       1,577            342            342              0
                              noos.fr         257            257              0            257
                           hotmail.fr         846            232            232              0
                               öbb.de       1,643            194            194              0
                             yahoo.fr         737            183            183              0
                             yahoo.es         580            177            177              0
                              msn.com         668            172            172              0
   blåbærsyltetøy.gulbrandsen.priv.no         960            166            166              0
                           hotmail.es         614            160            160              0

...

   hotmail.fr

                domain  recipients  total bounced  5.X.X bounces  4.X.X bounces
            ----------  ----------  -------------  -------------  -------------
            hotmail.fr         846            232            232              0

   bounced  %bounced  dsn code (reason)
   -------  --------  -----------------
         5      2.2%  5.7.1 (delivery not authorized); 554 5.7.1 BRBL entry - see <http://www.barracudanetworks.com/reputation/?pr=1&ip=<SENDER_IPADDRESS>>
         5      2.2%  5.7.1 (delivery not authorized); 554 5.7.1 Command rejected
         5      2.2%  5.7.1 (delivery not authorized); 554 5.7.1 Message rejected, SpamAssassin scored: 9.674 points TESTS=HTML_MESSAGE,IISDATED_4_25_2009,MIME_HTML_ONLY,NO_216_174_43CLASSC
         4      1.7%  5.7.1 (delivery not authorized); 554 5.7.1 <END-OF-MESSAGE>: End-of-data rejected: email account is over quota (<HEXDUMP>+<HEXDUMP>><HEXDUMP>)
         4      1.7%  5.7.1 (delivery not authorized); 554 5.7.1 Abusive connections. Please try again later.
         4      1.7%  5.7.1 (delivery not authorized); 554 5.7.1 Error: Mailbox over quota
         4      1.7%  5.7.1 (delivery not authorized); 554 5.7.1 Service unavailable; Sender address [<ORIG>] found on high spam probability list
         4      1.7%  5.7.1 (delivery not authorized); 554 5.7.1 Spam filter: Please Visit http://www.ncmail.net/rejectedemails.htm to resolve issues
         3      1.3%  5.0.0 (undefined status); 550 5.0.0 Rejected-This domain is a chronic spammer.Contact <OTHER_USER>@<hotmail.fr> via an alternate domain
         3      1.3%  5.1.1 (bad destination mailbox address); 550 5.1.1 <<RCPT_USER>@<hotmail.fr>>: Recipient address rejected: User unknown in virtual alias table

...

The top bounce domain breakdown shows detailed bounce reasons for the top domains. By default, the top 10 domains (in terms of bounces) are printed, but this can be changed with the –topDomains num option. Data was removed from the above output to save space in this document.

For each domain the top bounce reasons are given as absolute number of bounces and as percentage of the bounces. The DSN (delivery status notification) code gives the reason for that bounce, as received by the foreign mail server. As a trade-off between detail and usability the DSN reason is only slightly modified (for example, email addresses in bounce messages are also replaced by …@…to be able to generalize the bounces into bounce categories).

So, while the total bounces breakdown provides an aggregated overview of the bounces, the top domains breakdown gives full detail on bounces grouped by domain.

11.4.2.6 Top Domains

Top Domains Breakdown:

   Domains with largest number of queued recipients:

                      domain  recipients  bounced  avg. time  max. time  %rcpt.
              --------------  ----------  -------  ---------  ---------  ------
                 hotmail.com      29,718       54    0:00:00    0:10:41    4.2%
                   yahoo.com      18,326    3,326    0:00:17    0:21:45    2.6%
                   gmail.com      14,181        0    0:00:00    0:00:03    2.0%
                  mañana.com      12,021      908    0:00:06    0:20:00    1.7%
                 中文邮箱.网络      10,492    2,490    0:00:12    0:20:50    1.5%


   Domains with highest number of bounces:

                               domain  recipients  bounced  avg. time  max. time  %rcpt.
   ----------------------------------  ----------  -------  ---------  ---------  ------
                            yahoo.com      18,326    3,326    0:00:17    0:21:45    2.6%
                          中文邮箱.网络      10,492    2,490    0:00:12    0:20:50    1.5%
                              noos.fr       1,648    1,648        n/a        n/a    0.2%
                           hotmail.fr       5,637    1,440    0:00:34    0:21:01    0.8%
                             yahoo.fr       5,007    1,301    0:00:15    0:20:20    0.7%


   Domains with highest average delivery times:

                      domain  recipients  bounced  avg. time  max. time  %rcpt.
              --------------  ----------  -------  ---------  ---------  ------
               earthlink.net       1,940    1,119    0:31:43    1:00:59    0.3%
              mindspring.com         634      380    0:28:28    1:00:50    0.1%
                  freenet.de         507        0    0:10:50    0:45:01    0.1%
                    3363.com           3        1    0:10:00    0:20:00    0.0%
                    3471.com           1        0    0:10:00    0:10:00    0.0%

This report shows the counts and throughput for the top domains based on:

  • the largest number of recipients initially submitted and queued for delivery,
  • the highest number of bounces handled by PowerMTA, and
  • the highest average delivery times.

The scope of the outputs are based on the type of report specified, i.e., global or by originator, envelope ID, or virtual mail transfer agent.

For all three sections, the recipients column shows the total number of recipients submitted and queued for delivery for the domains, while the bounced
column provides just the number of recipients that PowerMTA itself bounced (local bounces). Note that this is not a count of all of the bounces since any bounces happening after PowerMTA has transferred the message to an intermediate mailer count as successful transfers. The difference between the recipients and bounced columns is then the number of recipients that were successfully transferred by PowerMTA.

For all three sections, the avg. time and max. time
calculations are based on the difference between each message’s queue timestamp and transfer timestamp. Only messages that were successfully delivered are included; bounces and other delivery reports are not.
Messages transferred in multi-recipient (multi-“RCPT TO”) SMTP transactions are broken down and each recipient is counted as a separate
“delivery”, each with its own transfer rate equal to that of the whole transaction itself. This is not an issue with single RCPT TO messages since messages delivered already equals recipients delivered.

The avg. time is calculated by adding together all of the transfer times (transfer timestamp – queue timestamp) to the respective domain for each recipient, and then dividing this by the number of recipients to the domain. Using AOL as an example in the first output, one would read that it took an average of 2 seconds for each message for each recipient to be delivered, once each message was queued, for the 92,891 recipients at AOL.com.

The max. time is the longest transfer time (transfer timestamp – queue timestamp) for one message to the respective domain.
In the AOL case, one would read that the longest it took for one message to be delivered to AOL was 1 minute and 23 seconds. Conversely, all other messages to AOL for the 92,891 recipients were transferred in equal or less time.

The %rcpt column provides the percentage of recipients submitted and queued for the domain to the total number of recipients across the scope of the report. For example, AOL’s 92,891 queued recipients were 23.2% of the 400,761 total queued recipients.

11.4.2.7 Top Rates

Top Rates:

   Top recipient delivery rates:

                     measured over  rcpt./min.  recipients  beginning on
                     -------------  ----------  ----------  -------------------
                     one minute          6,458       6,458  2018-11-06 21:05:17
                     five minutes        5,495      27,479  2018-11-06 21:04:38
                     one hour            5,290     317,450  2018-11-06 20:09:36


   Top throughput rates:

             measured over  kbytes/s    kbytes  recipients  beginning on
             -------------  --------  --------  ----------  -------------------
             one minute         21.4   1,286.1       6,458  2018-11-06 21:05:17
             five minutes       18.3   5,485.4      27,469  2018-11-06 21:01:40
             one hour           17.6  63,229.6     317,401  2018-11-06 20:12:19

This report shows the top throughput rates realized per recipient and the top data transfer rates during a time interval of one and five minutes and one hour. The scope of the output is always global and such is always based on the total numbers in the whole accounting file. All messages, normal deliveries as well as reports (including bounces) are taken into account when calculating these rates.

The top recipient delivery rates are calculated for each time increment by sorting all accounting records by delivery time and then searching for the time interval during which the largest number of recipients were handled. This number is then entered in then recipients column. The rcpt./min.
column provides a uniform recipient transfer measurement across the three time intervals, and is calculated by taking the numbers in the recipients
column and dividing each by the number of minutes that make up each respective time interval (i.e. dividing the five minutes result by five and the one hour result by sixty). The messages column shows the corresponding number of messages that were actually sent
(i.e., number of SMTP transactions) while handling these recipients.
This information is important when comparing performance numbers, since delivering a single message to multiple recipients is a lot less resource intensive than delivering individual messages.

The top throughput rates are calculated in the same manner as the recipient delivery rates, however the top amount of data transferred per time interval is reported rather than the number of recipients. This transfer rate output is independent to the recipient delivery rate output, so they may or may not reflect the same messages. The kbytes/s
column provides a uniform data transfer measurement across the three time increments, and is calculated by taking the numbers in the kbytes
column and dividing each by the number of seconds that make up each respective time increment (i.e., dividing the five minutes result by 300
and the one hour result by 3600). The messages column shows the corresponding number of messages that were actually sent comprising the number of kilobytes shown.

11.4.2.8 VMTA Summary

VirtualMTA Traffic Summary:

   VirtualMTA  IP address   Recipients  Delivered  Bounced  Bounced%
   ----------  -----------  ----------  ---------  -------  --------
   vmta816     127.0.0.1           920        802      118     12.8%
   vmta76      127.0.0.1           824        742       82     10.0%
   vmta447     127.0.0.1           794        716       78      9.8%
   vmta489     127.0.0.1           792        706       86     10.9%
   vmta545     127.0.0.1           772        691       81     10.5%
   vmta77      127.0.0.1           770        691       79     10.3%
   vmta816     10.59.14.69         763        707       56      7.3%
   vmta688     127.0.0.1           758        677       81     10.7%
   vmta941     127.0.0.1           748        665       83     11.1%
   vmta603     127.0.0.1           743        664       79     10.6%
   vmta76      10.59.14.69         737        670       67      9.1%
   vmta632     127.0.0.1           726        653       73     10.1%
   vmta602     127.0.0.1           722        647       75     10.4%
   vmta567     127.0.0.1           719        655       64      8.9%
   vmta523     127.0.0.1           713        623       90     12.6%
   vmta960     127.0.0.1           711        656       55      7.7%
   vmta718     127.0.0.1           710        636       74     10.4%
   vmta134     127.0.0.1           708        628       80     11.3%
   vmta13      127.0.0.1           703        618       85     12.1%
   vmta5       127.0.0.1           701        628       73     10.4%
   vmta387     127.0.0.1           698        621       77     11.0%
   vmta723     127.0.0.1           698        641       57      8.2%
   vmta825     127.0.0.1           693        629       64      9.2%
   vmta62      127.0.0.1           690        624       66      9.6%
   vmta941     10.59.14.69         688        630       58      8.4%
   vmta794     127.0.0.1           688        621       67      9.7%
   vmta945     127.0.0.1           687        630       57      8.3%
   vmta124     127.0.0.1           681        599       82     12.0%
   vmta136     127.0.0.1           679        598       81     11.9%
   vmta695     127.0.0.1           678        597       81     11.9%
   vmta51      127.0.0.1           676        615       61      9.0%
   vmta286     127.0.0.1           672        587       85     12.6%
   vmta545     10.59.14.69         670        636       34      5.1%
   vmta400     127.0.0.1           665        600       65      9.8%
   vmta346     127.0.0.1           662        592       70     10.6%
   vmta357     127.0.0.1           661        585       76     11.5%
   vmta447     10.59.14.69         661        614       47      7.1%
   vmta456     127.0.0.1           660        591       69     10.5%
   vmta718     10.59.14.69         659        611       48      7.3%

   ...

   Total                       701,338    635,365   65,973      9.4%

VMTA Summary shows high level counters on the amount of messages that were sent to individual VirtualMTAs. This information includes a breakdown of deliveries, bounces, and percentage of bounces per VirtualMTA. The delivering IP is also included to help in determining if there is a reputation/sending issue with a given address.

11.4.2.9 VMTA Time Breakdown

VirtualMTA Traffic Breakdown By Time:

   VirtualMTA: vmta816, IP Address: 127.0.0.1

   Daily Breakdown:

   Date        Recipients  Delivered  Bounced  Bounced%
   ----------  ----------  ---------  -------  --------
   2018-11-06         920        802      118     12.8%

   Hourly Breakdown:

   ---------------------- 2018-11-06 ---------------------
   Interval       Recipients  Delivered  Bounced  Bounced%
   -------------  ----------  ---------  -------  --------
   00:00 - 00:59           0          0        0      0.0%
   01:00 - 01:59           0          0        0      0.0%
   02:00 - 02:59           0          0        0      0.0%
   03:00 - 03:59           0          0        0      0.0%
   04:00 - 04:59           0          0        0      0.0%
   05:00 - 05:59           0          0        0      0.0%
   06:00 - 06:59           0          0        0      0.0%
   07:00 - 07:59           0          0        0      0.0%
   08:00 - 08:59           0          0        0      0.0%
   09:00 - 09:59           0          0        0      0.0%
   10:00 - 10:59           0          0        0      0.0%
   11:00 - 11:59           0          0        0      0.0%
   12:00 - 12:59           0          0        0      0.0%
   13:00 - 13:59           0          0        0      0.0%
   14:00 - 14:59           0          0        0      0.0%
   15:00 - 15:59           0          0        0      0.0%
   16:00 - 16:59           0          0        0      0.0%
   17:00 - 17:59           0          0        0      0.0%
   18:00 - 18:59           0          0        0      0.0%
   19:00 - 19:59         424        368       56     13.2%
   20:00 - 20:59         390        344       46     11.8%
   21:00 - 21:59         106         90       16     15.1%
   22:00 - 22:59           0          0        0      0.0%
   23:00 - 23:59           0          0        0      0.0%

   ...

The VMTA time breakdown shows bounce counts for the top VirtualMTAs by time interval. By default all the VirtualMTAs are printed. For each VirtualMTA the bounce counts are given as absolute number of bounces and as percentage of the bounces for a given time period.

11.4.2.10 VMTA Top Bounces

VirtualMTA Top Bounce Domains:

   VirtualMTA: vmta816, IP Address: 127.0.0.1

   Domain                              Recipients  Delivered  Bounced  Bounced%
   ----------------------------------  ----------  ---------  -------  --------
   blåbærsyltetøy.gulbrandsen.priv.no          22         15        7     31.8%
   telefonica.net                              14          8        6     42.9%
   öbb.de                                      19         14        5     26.3%
   centurytel.net                               6          1        5     83.3%
   中文邮箱.网络                                 19         15        4     21.1%
   windowslive.com                             11          7        4     36.4%
   live.nl                                      9          5        4     44.4%
   knology.net                                  5          1        4     80.0%
   orange.fr                                   17         14        3     17.6%
   voila.fr                                    10          7        3     30.0%
   live.com.au                                  9          6        3     33.3%
   att.net                                      8          5        3     37.5%
   gmx.de                                       5          2        3     60.0%
   gmx.fr                                       5          2        3     60.0%
   surewest.net                                 4          1        3     75.0%
   光明网.cn                                    19         17        2     10.5%
   free.fr                                     12         10        2     16.7%
   wanadoo.fr                                  11          9        2     18.2%
   rocketmail.com                               9          7        2     22.2%
   wowway.com                                   6          4        2     33.3%

   ...

The VMTA Top Bounces report shows bounce counts for all the VirtualMTAs. By default, the top 20 domains (in terms of bounces) are printed, but this can be changed with the --topBounced <num> option.

For each domain the top bounce reasons are given as absolute number of bounces and as percentage of the bounces. So, while the top bounces report provides an aggregated overview of the bounces, the VMTA top bounces report gives high level data on bounces grouped by VirtualMTA.

11.5 The acctfind Accounting Reporting Application

acctfind is a powerful accounting file search and reporting tool. It can be found in the \pmta\bin directory on Windows, and in the /usr/sbin directory (named pmtaacctfind) on Unix.

The tool is not required for exporting data from the accounting file because the file is no longer in a proprietary binary format. With the CSV accounting file written by PowerMTA, reporting can be done without this tool. This tool, however, will still work with the CSV file format, and is provided to assist with extracting subsets of the data.

acctfind allows one to search for records in the accounting file, as well as to produce a custom output based on specific fields in the matching records. For example, one can easily use acctfind
to generate a list of all addresses that bounced with a persistent
(5xx) error for a particular campaign, sorted by the bounce reason, in a tab separated output that contains the recipient address first, followed by the MAIL FROM/originator address, then the bounce code and reason.

acctfind currently supports seven different output formats including standard, comma separated values, tab separated values, html, xml, “pretty” xml, and custom-defined outputs.

This Section provides a quick overview of the feature set and options, along with sample commands, however the more detailed help obtained by passing the –help option to acctfind itself should be referenced for further insight.

The general format for the command is

acctfind [options] accounting files ...

The top level segmentation options are based on the record types, which include searching for matches in records for messages successfully delivered (--delivered), bounce reports delivered (--bounced), run status records (--status), and general mta information (--mta).

For example,

acctfind --bounced acct.csv

would search for matching records only among the bounce report records. If none of these are specified in the command, the default is to search for matches in both message delivered records and bounce report records.

All of the fields in the accounting records (listed in “Successful delivered” Records & “Transient Queue” Records) are available for matching (with the --match option), and the match pattern can be either a perl regular expression (e.g., m/^5\./) or some string for case-independent string matching.

If you want to restrict the matching to some fields, you can do that by providing a list of fields to match enclosed in square brackets in front of the pattern (e.g. --match [from,to]port25.com).

Shortcut options for matching single fields are also available. For example, --match [to]port25 is equivalent to --to port25. To further refine the output, more than one matching needle can be specified. For example, to get a listing of all yahoo.com addresses that bounced with a persistent (5xx) error, you would have the following option combinations in the command

acctfind --bounced --dsnStatus m/^5\./ --to yahoo.com acct.csv

As mentioned, seven different output formats are supported. You choose the desired format using the --output option, along with the format and the fields desired to be outputted. For example,

acctfind --delivered --to hotmail.com --output csv[to,from,envid,vmta,dstIp] acct.csv

would search all message delivered records for recipient addresses at hotmail.com and generate a comma separated output which lists, on each line,

  • the hotmail recipient address,
  • the message originator address,
  • the envelope ID used for tracking the message,
  • the VirtualMTA used to deliver the message, and
  • the IP address of the Hotmail machine that accepted the message.

To get an HTML output vs. csv output of the same, you would run

acctfind --delivered --to hotmail.com --output html[to,from,envid,vmta,dstIp] acct.csv

A full detailed listing and description of all of the options available can be found in the help by running acctfind --help.
Included below are a few sample commands and options to help better understand the formats and capabilities. Do not hesitate to contact us at support@port25.com with any questions or when seeking the proper command sequence for a desired result.

11.5.1 Examples

  1. To generate a list of all addresses that bounced in a comma separated output, that contains the recipient address first, followed by the MAIL FROM/originator address, then VirtualMTA used, then the bounce codes and reason, sorted by the bounce reason (DSN Diagnostics):
    acctfind --bounced --sortBy dsnDiag --output tsv[to,from,vmta,dsnStatus,dsnDiag] acct.csv
    

    Note that the --sortBy option is only supported on Unix at this time.

  2. To generate a list of all addresses that bounced with a persistent (5xx) error, in a comma separated output that contains the recipient address first, followed by the MAIL FROM/originator address, envelope ID, then the bounce code and reason:
    acctfind --bounced --dsnStatus m/^5\./ --output csv[to,from,envId,dsnStatus,dsnDiag] acct
    
  3. To generate a list of all hotmail.com addresses that bounced, in an HTML output that contains the recipient address, and bounce reasons:
    acctfind --bounced --to hotmail --output html[to,dsnStatus,dsnDiag] acct
    
  4. To generate a list of all hotmail.com addresses that were successfully transferred, in a “pretty XML” output that contains the recipient addresses, VirtualMTA used to deliver the messages, the queue and transfer time stamps in ISO format, and the IP address of the hotmail machine that accepted the messages:
    acctfind --iso-times --delivered --to hotmail --output prettyxml[to,vmta,timeQueued,timeDelivered,dstIp] acct.csv
    
  5. To search for a particular email address (test@port25.com)
    to see whether it was delivered or bounced, with a tsv output showing the address, whether the message failed, and the ISO-formatted queue time and delivery time:

    acctfind --iso-times --to test@port25.com --output tsv[to,dsnAction,timeQueued,timeDelivered] acct.csv
    
  6. To search for a particular email address (test@port25.com) to see whether it was delivered or bounced, with the standard output:
    acctfind --iso-times --to support acct.csv
    
  7. To search for a particular header that is being logged via the acct-log-header directive:
    acctfind --output csv[to,from,header:x-foobar] acct.csv
    

11.6 Bounce Categories

For easier classification of the actual reason for a bounce, pmtastats groups bounces in bounce categories.
All bounces in a category have probably the same root cause, e.g. all messages in a category may be considered spam or another category may indicate the recipient is unknown. Using the various bounce codes and DSN reasons, pmtastats aggregates these message in likely bounce categories. This gives a good overview of why messages could not be delivered.

The categories are customizable using the <bounce-category-patterns> tag (see Use of Bounce Category Patterns). Any new or custom categories would be show in the pmtastats output as well as in the accounting file itself.

The bounce category is included in the accounting file (the bounceCat tag, see “Successful delivered” Records). It can be obtained directly from the CSV file or be used in acctfind.

Currently, these bounce categories are defined:

category description
bad-configuration messages rejected due to configuration issues with remote host, 5.X.X error
bad-connection messages bounced due to bad connection issues with remote host, 4.X.X error
bad-domain messages bounced due to invalid or non-existing domains, 5.X.X error
bad-mailbox messages rejected due to bad, invalid, or non-existent recipient addresses, 5.X.X error
content-related messages refused or blocked due to content related reasons, 5.X.X error
inactive-mailbox messages rejected due to expired, inactive, or disabled recipient addresses, 5.X.X error
invalid-sender messages bounced due to invalid DNS or MX entry for sending domain
message-expired messages bounced due to not being delivered before the bounce-after, 4.X.X error
no-answer-from-host messages bounces due to receiving no response from remote host after connecting, 4.X.X or 5.X.X error
other messages rejected due to other reasons, 4.X.X or 5.X.X error
policy-related messages refused or blocked due to general policy reasons, 5.X.X error
protocol-errors messages rejected due to SMTP protocol syntax or sequence errors, 5.X.X error
quota-issues messages rejected or blocked due to mailbox quota issues, 4.X.X or 5.X.X error
relaying-issues messages refused or blocked due to remote mail server relaying issues, 5.X.X error
routing-errors messages bounced due to mail routing issues for recipient domain, 5.X.X error
spam-related messages refused or blocked due to spam related reasons, 5.X.X error
virus-related messages refused or blocked due to virus related reasons, 5.X.X error

Note that this list and the classifications may be subject to change, since DSN status messages may vary.

12 Processing Inbound email

12.1 Introduction

There may be times when PowerMTA needs to handle inbound mail outside of messages created by a submission (e.g. list manager, CRM, etc.)
application. These messages may be remote (asynchronous) bounces, corporate mail, or any other type of email originating from outside an organization’s infrastructure. In these cases, PowerMTA can accept the messages and do one of a few things with the messages. It can:

  • Relay them to another mail server
  • Deliver them to file on the local system
  • Discard them (blackhole)
  • Deliver to pipe (local mail processing application)
  • Process as an asynchronous (remote) bounce
  • Process as a feedback loop email

Any combination of these options may be used, and PowerMTA will create a subsequent delivery record in the accounting file for mail that is processed in one of these manners.

12.2 Relaying

To relay messages to another mail server, PowerMTA will need to be configured to accept the messages, and then deliver them to their final destination.

relay-domain yourdomain.com relay-domain otherdomain.com
relay-address bounce@bounces.yourdomain.com

<domain bounces.yourdomain.com>
    smtp-hosts [1.2.3.4]:25
</domain>

<domain otherdomain.com>
    smtp-hosts [5.6.7.8]:2525
</domain>

In the above example, messages for bounces.yourdomain.com are accepted for delivery and then forwarded to server 1.2.3.4 on port 25 and messages for otherdomain.com are forwarded to 5.6.7.8 on port 2525 and marked as such in the accounting file.

12.3 Deliver to File

To deliver messages to file, PowerMTA will need to be configured to accept the messages, and then deliver them to somewhere on the local disk system.

relay-domain bounces.yourdomain.com
relay-domain otherdomain.com
relay-address bounce@bounces.yourdomain.com

<domain bounces.yourdomain.com>
    type file
    file-format append-mbox
    file-destination /etc/pmta/inbound/$domain
</domain>

<domain otherdomain.com>
    type file
    file-format newfile-pickup
    file-destination /etc/pmta/inbound/$domain
</domain>

In the above example, messages for bounces.yourdomain.com and otherdomain.com are accepted for delivery and then each message is delivered to the individual files (based on domain) on the local disk and marked as such in the accounting file.

12.4 Discarding

To discard (blackhole) the inbound messages, PowerMTA will need to be configured to accept the messages, and then discard them based on domain.

relay-domain bounces.yourdomain.com
relay-domain otherdomain.com
relay-address bounce@bounces.yourdomain.com

<domain bounces.yourdomain.com>
    type discard
</domain>

<domain otherdomain.com>
    type discard
</domain>

In the above example, messages for bounces.yourdomain.com and otherdomain.com are accepted for delivery, then discarded and marked as such in the accounting file.

12.5 Delivering to local application (pipe)

To deliver messages to a local application via pipe, PowerMTA will need to be configured to accept the messages, and then deliver them based on domain.

relay-domain bounces.yourdomain.com
relay-domain otherdomain.com
relay-address bounce@bounces.yourdomain.com

<domain bounces.yourdomain.com>
    type pipe
    command "/my/bounce/processor --envid \"$envid\" \"$user\""
</domain>

<domain otherdomain.com>
    type pipe
    command "/my/bounce/processor --envid \"$envid\" \"$user\""
</domain>

In the above example, messages for bounces.yourdomain.com and otherdomain.com are accepted for delivery, then piped to the custom application (with associated parameters) on the local file system and marked as such in the accounting file.

12.6 Processing Asynchronous (Remote) Bounces and remote status reports

Remote bounce processing works as a “filter” located after receipt of an email and before it is routed to a delivery queue. If PowerMTA recognizes the format and no errors occur while processing it, it writes a new type of accounting record (“rb” and “rs”, see below). For any
“filtered” emails you have the option of discarding the email at that point or letting it pass to regular delivery (e.g. see deliver-matched-email).
Depending on these settings, or if an error occurs, it is passed to a delivery queue and delivered normally (by whatever method assigned to the domain — usually ‘file’ or ‘pipe’).

The email address used should be unique for each email sent to allow for more detailed tracking. For example, instead of <bounce@bounce.yourdomain.com> or an address starting with postmaster@ or abuse@, an address like the following should be considered:

customer1-campaign563-uniqueID498294@bounce.yourdomain.com

Accounting Records

There are two kinds of records for asynchronous bounces: “rb” for remote bounce and “rs” for reporting other kinds of remote status (used for DSN positive and “delayed” status notifications). Most people will only be interested in “rb” records. The following columns are available for these records:

Name Description
timeLogged current time
orig originator (taken from report’s recipient address)
rcpt (final) recipient
orcpt original recipient
dsnAction DSN action
dsnStatus DSN status
dsnDiag DSN diagnostic
dsnMta DSN remote MTA
dsnReportingMta DSN reporting MTA
bounceCat bounce category
srcType type of source from which the report was received
srcMta MTA from which the report was received
envId envelope ID
header_<name> header extracted from original email

Configuration

You define a list of email addresses that are bounce addresses, i.e., original MAIL FROM addresses. Only email received for those addresses gets filtered/looked at looking for bounces. Use of the following requires a restart of the PowerMTA service. You can define entire domains which get filtered, or for more granular control you can use regular expressions to match entire addresses. There are also options to deliver filtered emails that are recognized (matched) or not recognized:

<bounce-processor>
    deliver-unmatched-email yes            # default: yes
    deliver-matched-email yes              # default: no
    forward-unmatched-to auto-feedback@port25.com
    forward-errors-to auto-feedback@port25.com
    <address-list>
        domain domain.to.filter            # whole domain
        address /regex@domain.to.filter/   # regex
    </address-list>
</bounce-processor>

The accounting records are configured just like the other types in the configuration. The example below has both local (sync) and remote
(async) bounces written to the same file, and includes a custom “x-id”
header:

<acct-file /var/log/pmta/bounces.csv>
    records b, rb
    record-fields b  *,header_x-id
    record-fields rb *,header_x-id
</acct-file>

<acct-file /var/log/pmta/status.csv>
    records rs
    record-fields rs *,header_x-id
</acct-file>

If you are having trouble, setting the following directive will log all filtered emails:

<domain {bounce}>
    log-messages yes
</domain>

12.7 Processing Feedback Loop Emails

To enable feedback loop processing, you add something like:

<feedback-loop-processor>
    deliver-unmatched-email no
    deliver-matched-email yes          # default: no
    forward-unmatched-to auto-feedback@port25.com
    forward-errors-to auto-feedback@port25.com
    <address-list>
        address /fbl@fbl.yourdomain.com/
    </address-list>
</feedback-loop-processor>

to the configuration file. The “forward-…” directives can be specified more than once to have email forward to multiple addresses.
“<address-list>” accepts individual domains like domain foo.com
and regular expressions like in the example above, so you have great flexibility in specifying the addresses for which we should attempt FBL processing. As with bounce processing, you have the option to continue to deliver the emails after processing (e.g., to save them all to a folder) or to have them end there. Failed emails always proceed to delivery.

The email address used should be something easy to parse. For example:

fbl@fbl.yourdomain.com

PowerMTA should be the MX to handle these messages. If there are MTAs that handle the messages prior to being delivered to PowerMTA, PowerMTA may be unable to recognize the message as a FBL email.

Use of postmaster@ or abuse@ is discouraged.

To allow for more detailed tracking a custom header may be added to the email (assuming the remote mailer doesn’t redact the header).

x-tracker: customer1-campaign563-uniqueID498294

Custom headers are not included by default in the PowerMTA accounting file, so if the above header is needed in the accounting make sure to add it as a custom header.

Emails matching the address list go into a special {feedbackLoop} queue, where they are processed. You can configure an accounting file to receive the resulting data:

<acct-file /var/log/pmta/fbl.csv>
    records feedback-loop
    record-fields f *,header_subject
</acct-file>

“f” and “feedback-loop” can be used for the record name interchangeably. In the accounting file you actually see ‘f’. The available columns (all of which, except for ‘header’, are included by default) are:

The following columns are available for f records:

Name Description
timeLogged current time
repSourceIp the IP of PowerMTA that received the message
format arf or jmrp
userAgent name & version of the program that generated the report
envId envelope ID
orig originator (taken from report’s recipient address)
rcpt (final) recipient
reportingMta the name of the MTA generating this feedback report
dlvSourceIp address of MTA from which the message was received
header_<name> header extracted from original email
arf_<name> field from ARF feedback-report
reportedDomain the domain about which the feedback report was generated
feedbackType mapped to ARF’s Feedback-Type field

‘header_From’, ‘header_Return-Path’, ‘header_X-job’ and ‘header_Subject’ are included by default.

If a feedback report includes multiple recipients, a separate ‘f’
record is written for each recipient, repeating any common fields. Since a field requested via ‘arf_…’ may occur multiple times in the report, the column may contain a (CSV-encoded) list of values.

12.7.1 Hotmail Feedback Loop Emails

Hotmail does not follow the standard ARF format as the others. To get FBL emails to work for Hotmail messages, sign up for the RFC attachments option, since their “original” option does not include the key headers that PowerMTA parses on to indicate that it is an FBL, and the original format includes less info in general.

Because the RFC attachment option is still non-standard, the header fields from the original message will need to be extracted in contrast to standard ARF messages. Otherwise the RCPT field is empty by default in Hotmail JMRP accounting records.

In this case, PowerMTA will need to add the header
“X-HmXmrOriginalRecipient” into the csv accounting file, which is where Hotmail includes the original recipient address that complained in the original message. To add custom headers to an acct record, add the header within the syntax “header_xxx” in the record-fields directive, for example:

<acct-file /var/log/pmta/fbl.csv>
   records feedback-loop
   record-fields f *,header_X-HmXmrOriginalRecipient
</acct-file>

Alternatively, the map-header-to-field feature can be used to cause the custom header “X-HmXmrOriginalRecipient” to be be mapped to a standard field. With this, the same field for all FBL emails will be used. To map this Hotmail specific header to the existing rcpt field use something like the following:

<acct-file /var/log/pmta/fbl.csv>
   records feedback-loop
   record-fields f *
   map-header-to-field fbl header_X-HmXmrOriginalRecipient rcpt
</acct-file>

Lastly, what many sites do instead is create a custom header in each message that obfuscates the recipient address, perhaps using a mailing or campaign ID as well, for example:

x-rid: 12345-hdhgjkeuydfpdfldfd

and then have this header included in the FBL accounting file. When parsing the csv file just key on this header, since again, it is included in all FBLs sent back, which is the only thing consistent across the FBL generating sites.

12.8 Tracking a campaign in PowerMTA with a JobID

To track campaigns in PowerMTA it is best to use the x-job
header. This will show as a JobID or a Job in PowerMTA and PowerMTA Management Console. For this to work properly the application feeding PowerMTA needs to set an x-job header. The value of this header should be unique to each campaign. For example:

x-job: UniqueID-Date

With this set, PowerMTA needs to know to look for the header with a setting similar to the following:

<source 0/0>
    process-x-job yes
</source>

If needed, an alternate header may be used with something similar to the following:

<source 0/0>
    jobid-header x-custom-header
    process-x-job yes
</source>

In the above example x-custom-header will be used as the JobID in place of x-job.

Once the above is set, PowerMTA will log the JobID to the accounting file once a delivery or bounce has taken place. Information about messages still in the queue can be found on the Jobs tab of the PowerMTA web monitor or by using the pmta show jobs command.

When using a Job ID, it may become necessary during the course of a mailing to pause the job. Instances of when this would be needed might be to make sure the injected job was setup correctly, or that it is using the correct VirtualMTAs. The command to pause job Campaign1234 would be:

pmta pause job Campaign1234

And to resume the job:

pmta resume job Campaign1234

Lastly, additional information about current queue and historical reporting can be found in the PowerMTA Management Console dashboard, monitoring, and reporting sections.

12.9 Aliases / Forwarding

There may be a need to use aliases or to forward emails. This directive allows a list of email addresses to be defined for which PowerMTA should forward messages to different addresses. For example, if a message is received by PowerMTA for example@domain1abc.com, then forward the message on to support@port25.com.

Alias expansion happens after a pattern list is applied and a VirtualMTA is selected, but before the message is added to the VirtualMTA. The same applies to messages injected using default-virtual-mta or an x-virtual-mta header.

Defining just the local part of the email address (the text to the left of the @) is also supported, however forwarding will only occur on addresses that have the matching local part and the domain of one of the local host names. Domain matching or regex pattern matching is not supported at this time.

The directives are applied on a global basis. The format is an email address (or local part of an address) followed by one or more than one comma separated email addresses. For example:

host-name yourdomain.com
host-name yourotherdomain.com
relay-domain example.com
relay-address user@example.com
<aliases>
    alias example@yourdomain.com support@port25.com,info@port25.com
    alias jdoe someone@example.com
</aliases>

In the above example emails sent to example@yourdomain.com will be forwarded to support@port25.com and info@port25.com. Emails sent to jdoe@yourdomain.com or jdoe@yourotherdomain.com will be forwarded to someone@example.com.

Multiple addresses can be defined with the same exact local part across different domains. For example:

<aliases>
    alias newsletters@domain1abc.com support@port25.com
    alias newsletters@domain2def.com info@port25.com
    alias newsletters@domain3xyz.com support@port25.com,info@port25.com
</aliases>

To forward all messages from a domain to a given address the following may be used:

<aliases>
    alias *@domain1abc.com support@port25.com
</aliases>

12.10 Handling non-standard DSN/FBL reports

While the major ISPs return FBL/DSN reports in standard format that
PMTA can parse, some ISPs return these reports in non-standard formats.

Here’s an example of such an email:

From: "ABC" <xyz@reports.spamcop.net>
To: abuse@foobar.com
Subject: [SpamCop] Is your data safe?
Precedence: list
Message-ID: <asdfkajsdfj>
Date: Fri, 31 Mar 2017 06:11:38 -0400
X-Mailer: https://www.spamcop.net/ v4.8.6

[ SpamCop V4.8.6 ]
This message is brief for your comfort. Please use links below for details.

Email from 1.2.3.4 / Fri, 31 Mar 2017 06:11:38 -0400
https://www.spamcop.net/w3m?i=askdjfkasjsadjfajs

[ Offending message ]
<the original email follows>

The above feedback report is not in the standard ARF format. To handle such reports, PMTA allows you to define the patterns that can match the body of such emails and extract fields from them that can be written to accounting files.

For the email above, you would create a regexp from the relevant part of the body of the email in a file, say /etc/pmta/report-pattern.txt such as:

Email from (?<dlvSourceIp>[0-9\\.]+)

The above pattern file is configured for use in PMTA using directives like the following:

<feedback-loop-processor>
    <email-patterns>
        body-pattern-file /etc/pmta/report-pattern.txt
    </email-patterns>
</feedback-loop-processor>
<bounce-processor>
    <email-patterns>
        body-pattern-file /etc/pmta/report-pattern.txt
        log-match-info true
    </email-patterns>
</bounce-processor>

Whenever PMTA receives such reports, it will process the email through this pattern, and extract the source IP address(1.2.3.4 in the example above) into a field named dlvSourceIp – the source IP that was originally used to deliver the message. The field is then written in an ’f’ record to the accounting file.

For feedback loop reports, you can extract the following fields from the body of the message:

  • reportedDomainTo – domain about which the feedback report was generated
  • reportedDomainFrom – domain that generated the feedback report
  • dlvSourceIp – IP address from which the connection was made/attempted
  • rcpt – recipient
  • orig – originator

For DSN reports, you can extract the following fields from the body of the message:

  • r – recipient
  • or – originator
  • orig – Original Recipient
  • diag – DSN diagnostic string for failure
  • action – DSN action
  • repMta – DSN reporting MTA
  • remMta – DSN remote MTA

Please contact support@port25.com if you have questions about the use of this feature, or for help with handling such reports.

13 Acknowledgments

Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England. PCRE is available from ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/.

PowerMTA uses, and may in its distribution kits include, OpenSSL. The OpenSSL license requires that we reproduce it here:

/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/

Original SSLeay License
-----------------------

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/

PowerMTA uses, and may in its distribution kits include, ICU. The ICU license requires that we reproduce it here:

ICU License - ICU 1.8.1 and later

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1995-2016 International Business Machines Corporation and others

All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.


All trademarks and registered trademarks mentioned herein are the property of their respective owners.

---------------------

Third-Party Software Licenses

This section contains third-party software notices and/or additional terms for licensed third-party software components included within ICU libraries.

1. Unicode Data Files and Software

COPYRIGHT AND PERMISSION NOTICE

Copyright © 1991-2016 Unicode, Inc. All rights reserved.
Distributed under the Terms of Use in http://www.unicode.org/copyright.html.

Permission is hereby granted, free of charge, to any person obtaining a copy of the Unicode data files and any associated documentation
(the "Data Files") or Unicode software and any associated documentation
(the "Software") to deal in the Data Files or Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Data Files or Software, and to permit persons to whom the Data Files or Software are furnished to do so, provided that
(a) this copyright and permission notice appear with all copies of the Data Files or Software,
(b) this copyright and permission notice appear in associated documentation, and
(c) there is clear notice in each modified Data File or in the Software as well as in the documentation associated with the Data File(s) or Software that the data or software has been modified.

THE DATA FILES AND SOFTWARE ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THE DATA FILES OR SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in these Data Files or Software without prior written authorization of the copyright holder.

2. Chinese/Japanese Word Break Dictionary Data (cjdict.txt)

 #     The Google Chrome software developed by Google is licensed under
 # the BSD license. Other software included in this distribution is
 # provided under other licenses, as set forth below.
 #
 #  The BSD License
 #  http://opensource.org/licenses/bsd-license.php
 #  Copyright (C) 2006-2008, Google Inc.
 #
 #  All rights reserved.
 #
 #  Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 #  Redistributions of source code must retain the above copyright notice,
 # this list of conditions and the following disclaimer.
 #  Redistributions in binary form must reproduce the above
 # copyright notice, this list of conditions and the following
 # disclaimer in the documentation and/or other materials provided with
 # the distribution.
 #  Neither the name of  Google Inc. nor the names of its
 # contributors may be used to endorse or promote products derived from
 # this software without specific prior written permission.
 #
 #
 #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
 # CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 #
 #  The word list in cjdict.txt are generated by combining three word lists
 # listed below with further processing for compound word breaking. The
 # frequency is generated with an iterative training against Google web
 # corpora.
 #
 #  * Libtabe (Chinese)
 #    - https://sourceforge.net/project/?group_id=1519
 #    - Its license terms and conditions are shown below.
 #
 #  * IPADIC (Japanese)
 #    - http://chasen.aist-nara.ac.jp/chasen/distribution.html
 #    - Its license terms and conditions are shown below.
 #
 #  ---------COPYING.libtabe ---- BEGIN--------------------
 #
 #  /*
 #   * Copyrighy (c) 1999 TaBE Project.
 #   * Copyright (c) 1999 Pai-Hsiang Hsiao.
 #   * All rights reserved.
 #   *
 #   * Redistribution and use in source and binary forms, with or without
 #   * modification, are permitted provided that the following conditions
 #   * are met:
 #   *
 #   * . Redistributions of source code must retain the above copyright
 #   *   notice, this list of conditions and the following disclaimer.
 #   * . Redistributions in binary form must reproduce the above copyright
 #   *   notice, this list of conditions and the following disclaimer in
 #   *   the documentation and/or other materials provided with the
 #   *   distribution.
 #   * . Neither the name of the TaBE Project nor the names of its
 #   *   contributors may be used to endorse or promote products derived
 #   *   from this software without specific prior written permission.
 #   *
 #   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 #   * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 #   * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 #   * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 #   * REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 #   * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 #   * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 #   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 #   * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 #   * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 #   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 #   * OF THE POSSIBILITY OF SUCH DAMAGE.
 #   */
 #
 #  /*
 #   * Copyright (c) 1999 Computer Systems and Communication Lab,
 #   *                    Institute of Information Science, Academia
 #       *                    Sinica. All rights reserved.
 #   *
 #   * Redistribution and use in source and binary forms, with or without
 #   * modification, are permitted provided that the following conditions
 #   * are met:
 #   *
 #   * . Redistributions of source code must retain the above copyright
 #   *   notice, this list of conditions and the following disclaimer.
 #   * . Redistributions in binary form must reproduce the above copyright
 #   *   notice, this list of conditions and the following disclaimer in
 #   *   the documentation and/or other materials provided with the
 #   *   distribution.
 #   * . Neither the name of the Computer Systems and Communication Lab
 #   *   nor the names of its contributors may be used to endorse or
 #   *   promote products derived from this software without specific
 #   *   prior written permission.
 #   *
 #   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 #   * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 #   * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 #   * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 #   * REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 #   * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 #   * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 #   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 #   * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 #   * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 #   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 #   * OF THE POSSIBILITY OF SUCH DAMAGE.
 #   */
 #
 #  Copyright 1996 Chih-Hao Tsai @ Beckman Institute,
 #      University of Illinois
 #  c-tsai4@uiuc.edu  http://casper.beckman.uiuc.edu/~c-tsai4
 #
 #  ---------------COPYING.libtabe-----END--------------------------------
 #
 #
 #  ---------------COPYING.ipadic-----BEGIN-------------------------------
 #
 #  Copyright 2000, 2001, 2002, 2003 Nara Institute of Science
 #  and Technology.  All Rights Reserved.
 #
 #  Use, reproduction, and distribution of this software is permitted.
 #  Any copy of this software, whether in its original form or modified,
 #  must include both the above copyright notice and the following
 #  paragraphs.
 #
 #  Nara Institute of Science and Technology (NAIST),
 #  the copyright holders, disclaims all warranties with regard to this
 #  software, including all implied warranties of merchantability and
 #  fitness, in no event shall NAIST be liable for
 #  any special, indirect or consequential damages or any damages
 #  whatsoever resulting from loss of use, data or profits, whether in an
 #  action of contract, negligence or other tortuous action, arising out
 #  of or in connection with the use or performance of this software.
 #
 #  A large portion of the dictionary entries
 #  originate from ICOT Free Software.  The following conditions for ICOT
 #  Free Software applies to the current dictionary as well.
 #
 #  Each User may also freely distribute the Program, whether in its
 #  original form or modified, to any third party or parties, PROVIDED
 #  that the provisions of Section 3 ("NO WARRANTY") will ALWAYS appear
 #  on, or be attached to, the Program, which is distributed substantially
 #  in the same form as set out herein and that such intended
 #  distribution, if actually made, will neither violate or otherwise
 #  contravene any of the laws and regulations of the countries having
 #  jurisdiction over the User or the intended distribution itself.
 #
 #  NO WARRANTY
 #
 #  The program was produced on an experimental basis in the course of the
 #  research and development conducted during the project and is provided
 #  to users as so produced on an experimental basis.  Accordingly, the
 #  program is provided without any warranty whatsoever, whether express,
 #  implied, statutory or otherwise.  The term "warranty" used herein
 #  includes, but is not limited to, any warranty of the quality,
 #  performance, merchantability and fitness for a particular purpose of
 #  the program and the nonexistence of any infringement or violation of
 #  any right of any third party.
 #
 #  Each user of the program will agree and understand, and be deemed to
 #  have agreed and understood, that there is no warranty whatsoever for
 #  the program and, accordingly, the entire risk arising from or
 #  otherwise connected with the program is assumed by the user.
 #
 #  Therefore, neither ICOT, the copyright holder, or any other
 #  organization that participated in or was otherwise related to the
 #  development of the program and their respective officials, directors,
 #  officers and other employees shall be held liable for any and all
 #  damages, including, without limitation, general, special, incidental
 #  and consequential damages, arising out of or otherwise in connection
 #  with the use or inability to use the program or any product, material
 #  or result produced or otherwise obtained by using the program,
 #  regardless of whether they have been advised of, or otherwise had
 #  knowledge of, the possibility of such damages at any time during the
 #  project or thereafter.  Each user will be deemed to have agreed to the
 #  foregoing by his or her commencement of use of the program.  The term
 #  "use" as used herein includes, but is not limited to, the use,
 #  modification, copying and distribution of the program and the
 #  production of secondary products from the program.
 #
 #  In the case where the program, whether in its original form or
 #  modified, was distributed or delivered to or received by a user from
 #  any person, organization or entity other than ICOT, unless it makes or
 #  grants independently of ICOT any specific warranty to the user in
 #  writing, such person, organization or entity, will also be exempted
 #  from and not be held liable to the user for any such damages as noted
 #  above as far as the program is concerned.
 #
 #  ---------------COPYING.ipadic-----END----------------------------------

3. Lao Word Break Dictionary Data (laodict.txt)

 #  Copyright (c) 2013 International Business Machines Corporation
 #  and others. All Rights Reserved.
 #
 # Project: http://code.google.com/p/lao-dictionary/
 # Dictionary: http://lao-dictionary.googlecode.com/git/Lao-Dictionary.txt
 # License: http://lao-dictionary.googlecode.com/git/Lao-Dictionary-LICENSE.txt
 #              (copied below)
 #
 #  This file is derived from the above dictionary, with slight
 #  modifications.
 #  ----------------------------------------------------------------------
 #  Copyright (C) 2013 Brian Eugene Wilson, Robert Martin Campbell.
 #  All rights reserved.
 #
 #  Redistribution and use in source and binary forms, with or without
 #  modification,
 #  are permitted provided that the following conditions are met:
 #
 #
 # Redistributions of source code must retain the above copyright notice, this
 #  list of conditions and the following disclaimer. Redistributions in
 #  binary form must reproduce the above copyright notice, this list of
 #  conditions and the following disclaimer in the documentation and/or
 #  other materials provided with the distribution.
 #
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 # OF THE POSSIBILITY OF SUCH DAMAGE.
 #  --------------------------------------------------------------------------

4. Burmese Word Break Dictionary Data (burmesedict.txt)

 #  Copyright (c) 2014 International Business Machines Corporation
 #  and others. All Rights Reserved.
 #
 #  This list is part of a project hosted at:
 #    github.com/kanyawtech/myanmar-karen-word-lists
 #
 #  --------------------------------------------------------------------------
 #  Copyright (c) 2013, LeRoy Benjamin Sharon
 #  All rights reserved.
 #
 #  Redistribution and use in source and binary forms, with or without
 #  modification, are permitted provided that the following conditions
 #  are met: Redistributions of source code must retain the above
 #  copyright notice, this list of conditions and the following
 #  disclaimer.  Redistributions in binary form must reproduce the
 #  above copyright notice, this list of conditions and the following
 #  disclaimer in the documentation and/or other materials provided
 #  with the distribution.
 #
 #    Neither the name Myanmar Karen Word Lists, nor the names of its
 #    contributors may be used to endorse or promote products derived
 #    from this software without specific prior written permission.
 #
 #  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
 #  CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 #  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 #  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 #  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
 #  BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 #  EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 #  TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 #  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
 #  ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
 #  TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
 #  THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 #  SUCH DAMAGE.
 #  --------------------------------------------------------------------------

5. Time Zone Database

  ICU uses the public domain data and code derived from Time Zone Database for its time zone support. The ownership of the TZ database is explained in BCP 175: Procedure for Maintaining the Time Zone Database section 7.

 # 7.  Database Ownership
 #
 #    The TZ database itself is not an IETF Contribution or an IETF
 #    document.  Rather it is a pre-existing and regularly updated work
 #    that is in the public domain, and is intended to remain in the
 #    public domain.  Therefore, BCPs 78 [RFC5378] and 79 [RFC3979] do
 #    not apply to the TZ Database or contributions that individuals make
 #    to it.  Should any claims be made and substantiated against the TZ
 #    Database, the organization that is providing the IANA
 #    Considerations defined in this RFC, under the memorandum of
 #    understanding with the IETF, currently ICANN, may act in accordance
 #    with all competent court orders.  No ownership claims will be made
 #    by ICANN or the IETF Trust on the database or the code.  Any person
 #    making a contribution to the database or code waives all rights to
 #    future claims in that contribution or in the TZ Database.

14 Directives index

Examples

Recommendations

WP5 keyboard shortcuts

Global shortcuts
Shift+Alt+H
Display this help.
Ctrl+S
Save your changes.
Ctrl+Z
Undo your last changes.
Ctrl+Shift+Z
Redo your last undo.
Ctrl+Shift+,
Show or hide the settings sidebar.
Shift+Alt+O
Open the block navigation menu.
Ctrl+`
Navigate to the previous part of the editor.
Shift+Alt+N
Navigate to the next part of the editor (alternative).
Shift+Alt+P
Navigate to the previous part of the editor (alternative).
Alt+F10
Navigate to the nearest toolbar.
Ctrl+Shift+Alt+M
Switch between Visual Editor and Code Editor.

Selection shortcuts
Ctrl+A
Select all text when typing. Press again to select all blocks.
Esc
Clear selection.
Block shortcuts
Ctrl+Shift+D
Duplicate the selected block(s).
Shift+Alt+Z
Remove the selected block(s).
Ctrl+Alt+T
Insert a new block before the selected block(s).
Ctrl+Alt+Y
Insert a new block after the selected block(s).
/
Change the block type after adding a new paragraph.

Text formatting
Ctrl+B
Make the selected text bold.
Ctrl+I
Make the selected text italic.
Ctrl+U
Underline the selected text.
Ctrl+K
Convert the selected text into a link.
Ctrl+Shift+K
Remove a link.
Shift+Alt+D
Add a strikethrough to the selected text.
Shift+Alt+X

Total Commander

Intro

Total Commander is a file manager for Windows, a program like Windows Explorer to copy, move or delete files. However, Total Commander can do much more than Explorer, e.g. pack and unpack files, access ftp servers, compare files by content, etc!
It was known as Windows Commander and in 2002 there was a name change – the new name is “Total Commander”.
See the latest version at https://www.ghisler.com/

Shortcuts

F1 Help
F2 Reread source window
F3 List files
F4 Edit files
F5 Copy files
F6 Rename or move files
F7 Create directory
F8 Delete files to recycle bin /delete directly – according to configuration (or Delete)
F9 Activate menu above source window (left or right)
F10 Activate left menu or deactivate menu
Alt+F1 change left drive
Alt+F2 change right drive
Alt+F3 Use alternate (external or internal) viewer
Alt+Shift+F3 Start Lister and load file with internal viewer (no plugins or multimedia)
Alt+F4 Exit | Minimize (with option MinimizeOnClose in wincmd.ini)
Alt+F5 Pack files
Alt+Shift+F5 Move to archive
Alt+F6 Unpack specified files from archive under cursor, or selected archives (use Alt+F9 on Windows 95)
Alt+F7 Find
Alt+F8 Opens the history list of the command line
Alt+F9 Same as ALT+F6 (because ALT+F6 is broken on Windows 95)
Alt+Shift+F9 Test archives
Alt+F10 Opens a dialog box with the current directory tree
Alt+F11 Opens left current directory bar (breadcrumb bar)
Alt+F12 Opens right current directory bar (breadcrumb bar)
Alt+Shift+F11 Focus the button bar to use it with the keyboard
Shift+F1 Custom columns view menu
Shift+F2 Compare file lists
Shift+F3 List only file under cursor, when multiple files selected
Shift+F4 Create new text file and load into editor
Shift+F5 Copy files (with rename) in the same directory
Shift+Ctrl+F5 Create shortcuts of the selected files
Shift+F6 Rename files in the same directory
Shift+F8/Delete Delete directly / delete to recycle bin – according to configuration
Shift+F10 Show context menu
Shift+Esc Minimizes Total Commander to an icon
Alt+Arrow left / Arrow right Go to previous/next dir of already visited dirs
Alt+Arrow down Open history list of already visited dirs (like the history list in a WWW browser)
Num + Expand selection (configurable: just files or files and folders)
Num – Shrink selection
Num * Invert selection (also with shift, see link)
Num / Restore selection
Shift+Num+[+] Like Num +, but files and folders if Num + selects just files (and vice versa)
Shift+Num+- Always removes the selection just from files (Num – from files and folders)
Shift+Num+* Like Num *, but files and folders if Num * inverts selection of just files (and vice versa)
Ctrl+Num + Select all (configurable: just files or files and folders)
Ctrl+Shift+Num + Select all (files and folders if CTRL+Num + selects only files)
Ctrl+Num – Deselect all (always files and folders)
Ctrl+Shift+Num – Deselect all (always files, no folders)
Alt+Num + Select all files with the same extension
Alt+Num – Remove selection from files with the same extension
Ctrl+Page up Change to parent directory (cd ..) , or Backspace
Ctrl+< Jump to the root directory (most European keyboards)
Ctrl+\ Jump to the root directory (US keyboard)
Ctrl+Page down Open directory/archive (also self extracting .EXE archives)
Ctrl+Arrow left / Arrow right Open directory/archive and display it in the target window. If the cursor is not on a directory name, or the other panel is active, then the current directory is displayed instead.
Ctrl+F1 File display ‘brief’ (only file names)
Ctrl+Shift+F1 Thumbnails view (preview pictures)
Ctrl+F2 File display ‘full’ (all file details)
Ctrl+Shift+F2 Comments view (new comments are created with Ctrl+Z)
Ctrl+F3 Sort by name
Ctrl+F4 Sort by extension
Ctrl+F5 Sort by date/time
Ctrl+F6 Sort by size
Ctrl+F7 Unsorted
Ctrl+F8 Display directory tree
Ctrl+Shift+F8 Cycle through separate directory tree states: one tree, two trees, off
Ctrl+F9 Print file under cursor using the associated program
Ctrl+F10 Show all files
Ctrl+F11 Show only programs
Ctrl+F12 Show user defined files
Tab Switch between left and right file list
Shift+Tab Switch between current file list and separate tree (if enabled)
Insert Select file or directory.
Space Select file or directory (as INSERT). If SPACE is used on an unselected directory under the cursor, the contents in this directory are counted and the size is shown in the “full” view instead of the string . This can be disabled through ‘Configuration’ – ‘Options’ – ‘Operation’ – ‘Selection with Space’.
Enter Change directory / run program / run associated program / execute command line if not empty. If the source directory shows the contents of an archive, further information on the packed file is given.
Shift+Enter 1. Runs command line / program under cursor with preceding command /c and leave the program’s window open. Only works if NOCLOSE.PIF is in your Windows directory! 2. With ZIP files: use alternative choice of these (as chosen in Packer config): (Treat archives like directories <-> call associated program, i.e. winzip or quinzip) 3. In the list of last used dirs (History, Ctrl+D), open the directory on a new Tab.
Alt+Shift+Enter The contents of all directories in the current directory are counted. The sizes of the directories are then shown in the “full” view instead of the string . Abort by holding down ESC key.
Alt+Enter Show property sheet.
Ctrl+a Select all
Ctrl+b Directory branch: Show contents of current dir and all subdirs in one list
Ctrl+Shift+b Selected directory branch: Show selected files, and all in selected subdirs
Ctrl+c Copy files to clipboard
Ctrl+x Cut files to clipboard
Ctrl+v Paste from clipboard to current dir.
Ctrl+d Open directory hotlist (‘bookmarks’)
Ctrl+f Connect to FTP server
Ctrl+Shift+f Disconnect from FTP server
Ctrl+i Switch to target directory
Ctrl+l Calculate occupied space (of the selected files)
Ctrl+m Multi-Rename-Tool
Ctrl+Shift+m Change FTP transfer mode
Ctrl+n New FTP connection (enter URL or host address)
Ctrl+p Copy current path to command line
Ctrl+q Quick view panel instead of file window
Ctrl+r Reread source directory
Ctrl+s Open Quick Filter dialog and activate filter (deactivate with ESC or CTRL+F10)
Ctrl+Shift+s Open Quick Filter dialog and reactivate last-used filter
Ctrl+t Open new folder tab and activate it
Ctrl+Shift+t Open new folder tab, but do not activate it
Ctrl+u Exchange directories
Ctrl+Shift+u Exchange directories and tabs
Ctrl+w Close currently active tab
Ctrl+Shift+w Close all open tabs
Ctrl+z Edit file comment
Ctrl+Arrow up Open dir under cursor in new tab
Ctrl+Shift+Arrow Up Open dir under cursor in other window (new tab)
Ctrl+Tab/Ctrl+Shift+Tab Jump to next tab / jump to previous tab
Ctrl+Alt+Letter Quick search for a file name (starting with specified letters) in the current directory (Support hotkeys Ctrl+X, Ctrl+C, Ctrl+V and Ctrl+A; use Ctrl+S for search filter on/off)

FTP

Ctrl+F Connect to FTP Server
Ctrl+SHIFT+F Disconnect current FTP connection
Ctrl+N New FTP connection

 

 

 

Selections

Insert­/Space Select current file/f­older
Num * Invert selection
Num / Restore selection
Ctrl+A Select all
Ctrl+l Calculate occupied space of selecte files
Ctrl+Num – Deselect all
Alt+Num+ Select all files with extension
Alt+Num- Deselect all files with extension

 

 

 

 

 

 

Selections

Alt+F1 Change left drive
Alt+F2 Change right drive
Alt+Arrow Down Open list of visited direct­ories
Alt+Arrow Left Jump to previous directory
Alt+Arrow Right Jump to next directory
Ctrl+< Jump to root directory
Backspace Change to parent directory
Tab Switch between left and right file list

 

 

 

 

 

 

Navigation

Alt+F1 Change left drive
Alt+F2 Change right drive
Alt+Arrow Down Open list of visited direct­ories
Alt+Arrow Left Jump to previous directory
Alt+Arrow Right Jump to next directory
Ctrl+< Jump to root directory
Backspace Change to parent directory
Tab Switch between left and right file list

 

 

 

 

 

 

View

Ctrl+u Swap left & right view
F2/Ctrl+r Refresh current directory
Ctrl+b Show contents of current dir and all subdirs in one list
Ctrl+S­hift+B Selected directory branch
Alt+Enter Show file properties window
F1 Help
Ctrl+l Calculate occupied space (of selecte files)

 

 

 

 

 

 

File manipu­lation

F3 List file contents
Shift+F3 List file under cursor with multiple files selected
F4 Edit files
Shift+F4 Create new text file and load in editor
F5/Ctrl+c Copy file
Shift+F5 Copy files (with rename) in same directory
F6 Rename or move files
Shift+F6 Rename files in same directory
F7 Create directory
F8/Delete Delete files
Ctrl+v Paste file in current directory
Ctrl+x Cut file
Ctrl+m Multi-­rename tool

 

 

 

 

 

 

 

 

 

 

Archiving

Alt+F5 Pack files
Alt+Sh­ift+F5 Move to archive
Alt+F6 Unpack from archive under cursor
Alt+Sh­ift+F9 Test archives

 

 

 

 

File sorting

Ctrl+F3 Sort by name
Ctrl+F4 Sort by extension
Ctrl+F5 Sort by date/time
Ctrl+F6 Sort by size
Ctrl+F7 Unsorted

 

 

 

 

Searching

Ctrl+s Quick search
Alt+F7 Find

 

 

 

Command Line with TC

%comspec%            Envoke CMD (ancient times)
CMD                         Envoke CMD
CMD /C                    Carries out the command specified by string and then terminates
CMD /K                    Carries out the command specified by string but remains
(For more complete CMD with switches see relevant CMD cheatsheet)

 

Other

Ctrl+Shift+w                              Close all open tabs
Ctrl+z                                          Edit file comment
Ctrl+Arrow up                           Open dir under cursor in new tab
Ctrl+Shift+Arrow                     Up Open dir under cursor in other window (new tab)
Ctrl+Tab/Ctrl+Shift+Tab        Jump to next tab / jump to previous tab
Ctrl+Alt+Letter                          Quick search for a file name (starting with specified letters) in the current directory
                                                       (Support hotkeys Ctrl+X, Ctrl+C, Ctrl+V and Ctrl+A; use Ctrl+S for search filter on/off)

PowerMTA

Intro

PowerMTA is an enterprise-grade infrastructure application for high-volume email built to address the challenges of digital messaging and integrated customer communications. PowerMTA provides unsurpassed reliability and delivery execution in a stable SMTP environment with granular connection controls. Superior message throughput, simplified set up and configuration and real-time analysis provide our clients with performance, deliverability, and manageability without any further investment in hardware.

PowerMTA (PMTA) is industrial strength software which consistently delivers hundreds of thousands of emails per hour. It is specifically designed for better performance, deliverability and manageability. With its extensive configuration capabilities and Virtual MTA technology, it allows granular control of sources, sending IPs, and domain policies.

In 2016 acquisition of Port25 by Message Systems (now SparkPost) was announced!

PowerMTA Features

  • Confuigure number of simultaneous connections
  • Configure number of messages per connection
  • Confugure number of delivery attempts per hour (throttling)
  • Configure retry period and bounce period
  • Authentication method
  • Ability to break connections of lower priority queues
  • New IP address warm-up feature to help build reputation
  • Ability to pause queues and delete or re-start
  • Delivers 10x more messages per hour than leading freeware alternatives and corporate mail systems
  • Strict compliance with Internet email protocols
  • Includes both outbound and inbound message processing
  • VirtualMTAs allowing you to segment your mail-streams as necessary. Each VMTA may have its own IP address and delivery policy configured by you.
  • Real-time reputation monitoring
  • Immediate notification of perceived blocks
  • Ability to implement new delivery policy for perceived blocks
  • Command line statistics and analysis utility
  • Web-based status monitoring
  • Data export of statistics log (XML, CSV, HTML, etc.)
  • API to statistics log (C, Java, Perl)
  • Data can be accessed in real-time or batch mode.
  • Statistics can also be retrieved on a “per job” or “Virtual MTA” basis.
  • Standard submission interface using SMTP
  • File-based submission using pickup directory
  • Proprietary submission interface through our API (C, C++, Java, Perl, .NET)
  • Data exports from delivery log (XML, CSV, HTML, etc.)
  • API to delivery log (C, Java, Perl)
  • Forwarding of inbound messages to file or via local pipe
  • Installation follows the common approaches used on each of the major platforms.
  • Text-file configuration tool comes pre-populated with common settings
  • Extensive control options allow you to tailor PowerMTA to your specific needs.
  • A command-line management tool is provided.

Built-in support for :

  • Domain Keys and DKIM
  • SenderID and SPF

Platforms where PMTA can be installed includes :

  • Microsoft Windows (2003/2008)
  • Linux RPM based (Red Hat, CentOS) and DEB based (Debian, Ubuntu)
  • Sun Solaris (Solaris 8 or later, SPARC)

What’s an ideal server!

Perfect System

  • Secure configuration based on Linux operating system
  • SSH access with full root access
  • SFTP access for easy file transfer
  • Webmail, POP3, IMAP and SMTP for postmaster, abuse, bounce, FBL, … emails
  • Automatic daily backups
  • Reverse DNS (rDNS) or PTR
  • Multi IP and domain/subdomain setup
  • Free SSL on all domains

Perfect Mail Server

  • Multi MTAs/SMTPs with smart queue (IP rotation)
  • Automatic bounce processing
  • Auto processing spam complaints with Feedback loops (FBL)
  • Valid DomainKeys Identified Mail (DKIM) records
  • Valid Sender Policy Framework (SPF) records
  • Domain-based Message Authentication, Reporting & Conformance (DMARC)
  • Automatic backoff rules in case of delivery problems
  • Custom ISP rules to ensure best delivery rates

Perfect Email Manager

  • Create and Manage Contact Lists
  • Create Email Campaigns
  • Stay Delegate with auto follow-ups
  • Spin the words within your email campaign(s) to avoid being spammed
  • Manage your lists with triggers for best conversions
  • Get best stats with split (A/B) tests
  • Keep your lists clean by filtering spam complaints and abusers
  • Mask your main domain with multiple remote domains
  • Use multiple MTA/SMTP for better emailing practice
  • Be informed when the reputation gets down
  • Create user groups and user accounts
  • Track real-time advanced statistics along with Geo Location

Perfect Monitoring

  • Server up time
  • SMTP up time
  • Blacklist

Commands

Five Essential PowerMTA Configuration Tips

When asked what are the best configurations to use with PowerMTA? The answer is different for every region of the world. Configuration settings in the US will be vastly different than those in Europe for example, so global settings are not as effective. In this blog post we’ll look at five essential PowerMTA configuration tips that will help make your sending infrastructure more efficient and reduce I/O clutter.

1. Utilize source directives to make sure your email headers are correct

ESPs and many high volume senders send email on behalf of other organizations and often feel they do not have full control over the email headers. This is not the case, and if best practices are not followed, email almost inherently will end up being routed to the junk folder. With PowerMTA™, you can add missing data or Message-ID headers. You can also hide internal sources in the “received header,” or completely disable adding the received header altogether. The latter is often used to make it look as if the email originated from the sender’s public IP. You also have granular rate limiting control of both the source IP and sending IP basis, as a result of an update last year.

2. Keeping a clean configuration by using parameter inheritance more wisely

For manageability of configurations, it is important to keep them DRY. DRY stands for Don’t Repeat Yourself, and, is an acronym used by software developers. For example, PowerMTA™ merges the settings from all matching sources, top to bottom. Thus you can often move common settings to the source that matches 0/0. Except for always-allow-relaying of course, which should only be allowed from specific sources, by removing settings with obvious default values, you can further reduce redundant configurations.

With domain directives, all matching domain entries are merged, giving preference to more specific entries, regardless of the order in the configuration. By using sensible default settings for the wildcard domain, you can reduce the configuration to only a few exceptions. For example, the following settings string reduces the need to set limits on “many” specific domains:

  • max-smtp-out 2 # enough for small domains, increase for common domains
  • max-msg-per-connection 100 # most ISPs accept 100 emails per session
  • max-errors-per-connection 10 # avoid disconnect due to long sequence of invalid recipients

3. Don’t waste resources on invalid email domains

If the local part of an email address does not exist, you’ll usually get an error message from the ISP. However, if the domain is not valid, you might run into repetitive errors such as failed DNS lookup, non-responsive servers, or servers that refuse to relay from a particular domain.

PowerMTA™ should be configured not to waste resources on these domains, and focus delivery of resources to valid domains. For example, use a rather low max-smtp-out for default domains, and increase this for important valid domains. A setting of 20 is enough to send millions per hour, and completely over the top for many domains. Furthermore, you can instruct PowerMTA to bounce email if an MX record is missing. Invalid domains caused by typos often have an “A “record without a proper mail server, causing these domains to languish in the queue until they timeout. You can also use a domain macro combined with black-holing to drop mail known for discontinued domains or domains with anonymous discardable accounts. In any event, the goal is to keep the configuration “lean” for invalid or less important domains.

4. Apply settings based on your own data and experience

We’ve talked about this before, but I’d like to reiterate here. PowerMTA™ has a long list of configuration directives that you can use straight out of the box. Directly copying settings from other sources or matching configurations from another sender environment is not useful, since you might end up with redundant configurations, or even applying settings that are not applicable in your sending environment. The best approach is to keep it as simple as possible, and add settings that you understand, and that are appropriate in your “own” environment.

Senders in the US require a different configuration than senders in Europe. Furthermore, the settings often depend on the volume, the type the emails and the reputation of the IPs. You can use data from PowerMTA’s accounting files to determine what are the most important domains in your case. By looking at the bounce reports, you can determine which errors should trigger the back-off mode for example.

5. Log transient errors to monitor throttling by ISPs

The PowerMTA accounting logs are often used to record deliveries or bounces. But by enabling logging of transient errors, you can get a wealth of information about the delivery, and how to optimize it. Large webmail providers, but also smaller ISPs, have limits on the number of messages they accept from a certain IP. When the limit is reached, they return a temporary error, which can be logged by PowerMTA. This information can be used to adjust the volume for IP seasoning (warm-up) or maximum rate of sending, or tune the configuration of the back-off mode.

For more comprehensive information on configuration settings, join our forum and don’t hesitate to ask detailed questions about your settings and more specifically about your sending environment.

Encrypting Inbound and Outbound Email Connections with PowerMTA

Encryption is becoming increasingly necessary when transferring data across the internet, and email is no different. In PowerMTA 4.5 and later there are several methods to encrypt both inbound and outbound connections. Here we’ll provide a quick overview of how they may be achieved. Keep in mind, this document only deals with encrypting the channel, not the content.

Outbound Opportunistic Encryption

To use outbound opportunistic encryption in PowerMTA, simply add the following to your configuration file:

<domain *>
    use-starttls yes
    require-starttls no
</domain>

With this, PowerMTA will check to see if the remote mail server supports encryption. If it does, an attempt will be made to create an encrypted channel over which to send mail. If the encryption fails, or if no encryption is offered, then the mail is sent using no encryption.

To verify if the mail was sent over an encrypted channel, it is necessary to add additional fields to the CSV accounting file. This can be done with the following configuration:

<acct-file logacct.csv>
    records d, b
    record-fields d *, dlvTlsProtocol, dlvTlsCipher
    record-fields b *, dlvTlsProtocol, dlvTlsCipher
</acct-file>

If encryption is used, the above configuration will record the protocol and cipher used to deliver the message over an encrypted channel.

Outbound Client Certificate

While the vast majority of outbound connections do not require a local certificate, there may be some B2B cases in which the remote mail server requires PowerMTA to use a given certificate for encrypting the channel between the two servers. This can be facilitated in PowerMTA with a setup similar to the following:

<domain super-secure-server.com>
    smtp-client-certificate /path/to/certificate.pem password
    use-starttls yes
    require-starttls yes
</domain>

In the above example, any messages sent to super-secure-server.com will sent over an encrypted channel using the certificate /path/to/certificate.pem (in most cases supplied by the administrator of the remote mail server). If the encryption fails, the messages will not be sent.

Inbound Encryption

Of course, outbound traffic is only half of the traffic on a PowerMTA server. It may be required to encrypt the traffic coming into a PowerMTA server as well. This can be done in PowerMTA on a per <source> basis. The setup would look similar to the following:

#
smtp-listener 1.2.3.4:465 tls=yes
smtp-server-tls-certificate /etc/pmta/smtp-cert.pem “YourPasswordHere” smtp-server-tls-ciphers “HIGH:MEDIUM:!ADH:@STRENGTH”

<source 0/0>    # matches all
    allow-starttls yes
    require-starttls-before-auth yes
    allow-unencrypted-plain-auth no
</source>
#

Creation of the certificate /etc/pmta/smtp-cert.pem follows standard OpenSSL practices, and if assistance is needed in getting the certificate created (please contact support@port25.com). An example of the contents of the certificate is as follows:

—–BEGIN CERTIFICATE—–
YOUR CERT HERE
—–END CERTIFICATE—–
—–BEGIN RSA PRIVATE KEY—– Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,EBA505536010547C

YOUR PRIVATE KEY HERE
—–END RSA PRIVATE KEY—–

With this configuration all traffic connecting to 1.2.3.4 on port 465 can attempt to use encryption for transmitting email into PowerMTA.

Inbound Certificate Chain Validation

PowerMTA 4.5 and later supports the ability to validate certificate chains.

What’s New – PowerMTA v4.5

PowerMTA from Port25 is an industrial-strength software for high-volume email delivery. Designed for performance, deliverability and manageability, PowerMTA is able to consistently deliver millions of emails per hour. With it’s extensive configuration capabilities and VirtualMTA technology it provides granular control of sources, sending IPs, and domain policies.

Port25 recently introduced PowerMTA v4.5 as a major new release of PowerMTA. It now includes a wide variety of new advanced features and functionalities that allow for greater flexibility and delivery control to help maximize overall performance and deliverability.

PowerMTA Management Console (PMC) v1.5 is also now available with support for all new PowerMTA v4.5 features.  Other new features in the PMC include: IP based reporting, saved reports, configurable session timeouts, and advanced reporting filters including sets and regular expressions.

Key features included in the release:

  • Scheduled Delivery Control – PowerMTA now supports the ability to schedule deliveries via a header. This may be very useful for instances when it takes a long time to build a campaign, or if you need to adhere to strict delivery windows.
  • Precached domains support – To help optimize DNS usage during peak sending times, PowerMTA now offers the ability to precache predefined domain names to ensure the DNS name is always available.
  • IP Rate Limiting – IP rate limiting allows for controlling the number of attempted recipients on a per-hour, per-minute and per-second basis for each IP address for each domain/VirtualMTA. This is primarily used by sites that define multiple IPs in a single VirtualMTA, and that want to limit the attempted delivery rate for each IP address in the VirtualMTA to the respective domains. One can also specify the maximum number of connections to be opened for this domain during the specified time period per IP per domain/vmta.
  • Auto Cold VirtualMTA Rate Increase – PowerMTA now supports the ability to auto-increase cold VirtualMTA mail volumes with a list of daily limits. This makes it very easy to have a set it and forget it configuration for warming new IP addresses.
  • Address Suppression Lists – Addresses in the suppression list are rejected (or turned into bounces, depending on options) during submission. This is very useful for sites that do not have complete control of the list to which they are mailing.

Other Noteworthy Enhancements in PowerMTA v4.5:

  • Custom retry intervals
  • Enhanced job control (pause & resume)
  • Recipient events listing
  • Second DKIM signing support
  • Backoff reason insight
  • Time interval for bounce-upon-no-mx
  • Defer-queue option in SMTP pattern list
  • Disabling of accounting records per queue
  • Domain definitions in virtual-mta-pools
  • Reverse DNS check support on inbound connections
  • TLS information in accounting file fields
  • Pattern matching support on non-ASCII headers
  • Added inbound AUTH username to accounting field
  • Change recipient priority on-the-fly

PMTA 4.5: IP Based Rate Limiting

One of the noteworthy features in PowerMTA’s new v4.5 release is IP based Rate Limiting. The feature, enabled via the new per domain “source-ip-max-msg-rate” directive, is designed to give delivery engineers/admins additional control. IP based rate-limiting allows for throttling the number of attempted recipients on a per-hour, per-minute and per-second basis separately for each IP address for each domain/VirtualMTA. This feature will be primarily used by senders that define multiple IPs in a single VirtualMTA and that want to limit the attempted delivery rate for each IP address in the VirtualMTA to the respective domains.

In addition, IP connection rate limits can now also be controlled via the “source-ip-max-connect-rate” directive, which allows one to specify the maximum number of connections to be attempted during the specified time period per IP per domain/vmta.

Backoff Insight

In previous versions of PowerMTA the only method to know why a queue entered backoff mode was to check the log file or to setup the backoff-notify directive. Now PowerMTA will show the “error” that caused the queue to go into backoff mode in the individual queues of the web monitor as well as in these commands:

pmta show queues domain/vmta
pmta show topqueues domain/vmta

IP based rate-limiting and Backoff Insight, are just two features of the latest release of PowerMTA v4.5, which is available now for download.

IP Monitoring Service

One of the noteworthy features in PowerMTA’s new v4.5 release is IP based Rate Limiting. The feature, enabled via the new per domain “source-ip-max-msg-rate” directive, is designed to give delivery engineers/admins additional control. IP based rate-limiting allows for throttling the number of attempted recipients on a per-hour, per-minute and per-second basis separately for each IP address for each domain/VirtualMTA. This feature will be primarily used by senders that define multiple IPs in a single VirtualMTA and that want to limit the attempted delivery rate for each IP address in the VirtualMTA to the respective domains.

In addition, IP connection rate limits can now also be controlled via the “source-ip-max-connect-rate” directive, which allows one to specify the maximum number of connections to be attempted during the specified time period per IP per domain/vmta.

Backoff Insight

In previous versions of PowerMTA the only method to know why a queue entered backoff mode was to check the log file or to setup the backoff-notify directive. Now PowerMTA will show the “error” that caused the queue to go into backoff mode in the individual queues of the web monitor as well as in these commands:

pmta show queues domain/vmta
pmta show topqueues domain/vmta

IP based rate-limiting and Backoff Insight, are just two features of the latest release of PowerMTA v4.5, which is available now for download.

IP Monitoring Service

If you receive an alert from your IP based monitoring service, such as excessive bounces or complaints, one of the most critical elements to preserving your IP reputation is the ability to quickly throttle at the source IP. The best tool I’ve seen has recently just launched by Postmastery. They offer IP reputation monitoring based off of SNDS Status and Sender Score. They also cross-reference your IP to a database of blacklists. You’ll receive real-time notifications via email based off of any decreases in any of the metrics above. Notifications are sent on an “as needed” basis- you’re notified at the beginning of a potentially forming IP reputation issue. So, if there’s any decrease in IP reputation or a high number of complaints, you’ll know about it very quickly. There’s also a weekly email with a summary of all IPs being monitored and their current rep/status. Postmastery also has the ability to use SNDS API keys to aggregate data from that as well, showing complaints from SNDS domains.

RELEASE of PowerMTA V4.5r5

Port25, A Message Systems Company, has just released its latest version of PowerMTA v4.5r5 and PowerMTA Management Console v1.5r5. Highlighted below are the major features of this particular release.

SMTPUTF8 Support

Support for SMTPUTF8 is a specification whether one can submit internationalized email addresses per RFC6531, RFC6532, and RFC6533 to PowerMTA from the connecting IP address. When enabled or set to yes (or true), PowerMTA will list “SMTPUTF8” in the list of extended SMTP commands supported for the connecting IP, allowing the submitter to use internationalized email addresses in the SMTP envelope. Note that if the remote gateway for the domain does “not” advertize support for SMTPUTF8, PowerMTA will subsequently bounce the message(s) for the recipient out of the queue. If desired, SMTPUTF8 support can be disabled with the new per-<source> allow-smtputf8 directive.

UTF-8 is the dominant character encoding specification for the internet accounting for 87.1% of all Web pages as of June 2016. The Internet Mail Consortium (IMC) recommends that all email programs be able to display and create mail using UTF-8.

MX RollUp

MX Rollup List Allows one to define “rollup” queues based on the MX records of the recipient domain, in order to consolidate separate but related recipient domains into one queue. Messages moved into the roll up queue are handled as if they were one recipient domain with regards to rate limiting, connection caps, and other directives.

For example, since ‘msn.com’, ‘live.com’ and ‘outlook.com’ are all handled by the same exact MXs or Gateway, it makes sense to roll these up into a single queue (outlook.rollup for example) vs. being handled separately by PowerMTA. This feature works very well for the large mailbox providers that provide corporate hosting, for filtering/antispam cloud providers, or for large hosting providers in general that manage corporate email for tens or hundreds of thousands of various domains. To configure this feature, you need to define the MX record that maps to each rollup queue name along with the name of the rollup queue, which must end in “.rollup.” More than one MX can be mapped to the same rollup queue.

Additional Features include but not limited to:

  • Added support for internationalized domains to “pmta resolve”
  • Increased spool-max-recipients limit to ~16.8M and total-max-smtp-out to 10,000
  • Added ability to show per-recipient schedule in “pmta list”
  • Added support for pattern list header matching on Encoded-Words that include a language declaration, as specified by RFC2231

Related updates 2019

AOL and Yahoo merge could impact your email delivery and MTA

fIn 2018 AOL reported that AOL and Yahoo will come together under the OATH umbrella and merge with the Yahoo email infrastructure to serve both brands. This happened on 20 February 2018, and now all the AOL recipient domains’ MX, including the following, will point to
mx-aol.mail.gm0.yahoodns.net :

– aol.com
– verizon.net
– aol.co.uk
– aim.com
– netscape.net
– cs.com

Will your email delivery be affected? Based on some quick reviews, Postmastery engineers saw that senders who had bad delivery to AOL will now see improved delivery if they had good delivery to Yahoo. Senders who had bad delivery to Yahoo and good to AOL, will probably experience the reverse.

Register FBL on both providers

FBL complaints would still come to mailboxes which are still on AOL infrastructure. As soon as the mailboxes are moved to Yahoo, the FBL reports will come from Yahoo. It is therefore strongly recommended to register FBL on both providers. Please be advised that Yahoo provides FBL reports based on DKIM signing domain, while AOL sends FBL reports based on sending IP addresses.

BIMI – Brand Indicators for Message Identification (BIMI)

BIMI is the new open standard to visualize your brand in the recipient’s mailbox with an image.
The new standard makes use of DMARC, leading some to call BIMI “DMARC 2.0”. While almost all previous authentication and identification methods work in the background, BIMI is the first one that really tries to visualise and strengthen your brand right on the front-end. The mailbox provider will show your branded image within the user interface.
BIMI

What are the prerequisites for BIMI? In order to enable BIMI you have to make sure the following requirements are in place.

  • You need to have a DMARC record with a ‘quarantine’ or ‘reject’ policy.
  • You need to be recognised as bulk sender and have a good sender reputation.
  • You need a DNS record, the so-called BIMI Assertion Record. This record will contain the link to the image (SVG format) that is going to be used. This TXT record needs to be placed as (for example) default._bimi in the DNS of the sending domain. Usually this would be the From header. The value of the record looks like: v=BIMI1; l=https://www.example.com/images/logo.svg;

This should be enough for now. But it the future you may need to certificate the image. Otherwise anyone could publish someone else’s logo on their domain. The providers require the certificate to prove ownership of the domain name. The proof is held and secured (cryptographically) by third parties referred as Mark-Verifying Authorities.

Who is supporting BIMI? BIMI is currently only supported by OATH (Yahoo & AOL, they will identify domain brands automatically) and Verizon. But we recently heard at the CSA in Cologne, that Gmail has joined the working group. It is not yet clear whether they will actually support BIMI in their client.

Microsoft seems to be going in another direction and will not use the BIMI standard. Instead they are going to use so-called business profiles, see business.microsoft.com. It’s in beta testing at the moment and is publicly available for any consumer-facing business in the US.
And, will BIMI take off?

Gmail is not supporting BIMI and Microsoft is following a different strategy. Nevertheless it’s a good to start with BIMI tech-preparations and testing.

SSL Basic HowTo

Raise a CSR and apply SSL on an AWS/IIS/ELB

Table Of Contents

 Basic HOWTO’s  and commands below (full explanation further below)

  1. Request/create a CSR in IIS
  2. Obtain purchased SSL, download from CA
  3. Obtain Private Key
    Using GnuWin32  or Install OpenSSL for Windows. Alternatively  uses XCA tool with GUI (at https://hohnstaedt.de/xca/)
    Then run CMD (C:\openssl\bin ) and convert files using following commands:

    When you have the PFX file (that’s the most used commands below, 1.3.1 for pfx, 1.3.4 to decrypt key and 1.3.2 for p7b CA bundle is all you need):
    1.3.1 – convert the private key which is in PFX format into readable txt/pem format bypassing the encrypted format. Ready decrypted RSA pem file:
    openssl pkcs12 -in NAME1.pfx -out NAME2.key -nocerts -nodes (used to obtain the private key alone)
    openssl pkcs12 -in FILE.pfx -out FILE2.pem -nodes (used to obtain all certs within pfx)
    Used when Client provides PFX file with a password and Admin need to break it down to individual certs – usually holds the Private, Public and Intermediate/Root/Chain certificates (or only Private+Public)

    When you have the P7B file:
    1.3.2 -decrypting the bunch of certificates into separate pieces to import in AWS LB, Packaging 7 is another bundle holding THREE encrypted certs – it must be decrypted by:
    openssl pkcs7 -in file.pem -print_certs -out certs.pem  (if the SSL is in pkcs7 encryption – looks like this: —–BEGIN PKCS7—–)

    EXTRA COMMANDS:
    For exporting only the private and public key use the specific command below
    openssl pkcs12 -in myfile.pfx -nocerts -out private_key.pem -nodes      (When you have pfx file, exported from server with private key in pkcs12 encryption —–BEGIN PKCS12—–)

    1.3.4- the converted private key is still encrypted with password, to remove it and copy/paste in a TXT format use the command below
    openssl rsa -in site.pem -out decrypted.key  (used for private key decryption – convert from encrypted to open pem format)

    1.3.4 – converting signed P7B to usual pem – use inform der – (When P7b is signed data file. ALTERNATIVELY open -doubleclick – in Windows and export single files in X.509 format)

penssl pkcs7 -inform der -in a.p7b -out a.cer

1.3.5. Buildup of PFX from a single private and public keys:openssl pkcs12 -export -out Survey_Loeb_com.pfx -inkey private_key.pem -in Public-cert.pem

  • Obtain Intermediate /chain/ certificates – it is specific for each CA  – usually provided in a zip within main cert file (else one may have to contact them …)
    The certificate chain includes the intermediate certificates and optionally the root certificate, one after the other without any blank lines, as shown in the following example. If you include the root certificate, your certificate chain must start with intermediate certificates and end with the root certificate. Use the intermediate certificates that were provided by your CA. Do not include any intermediaries that are not in the chain of trust path. (see Comodo sample below)
  1. Apply them all three at the Load Balancer for the relevant site
  2. Use https://www.sslshopper.com/ssl-certificate-tools.html as helping tools to confirm matching

7. HAPROXY

1.7.1 HAPROXY CONVERTION of pfx file  – Use Openssl to convert PFX/PEM to PKCS#8

(this is what HAProxy and Unix uses – private key must be starting with BEGIN PRIVATE KEY and not BEGIN RSA PRIVATE KEY) – (BEGIN RSA PRIVATE KEY is PKCS#1 and is just an RSA key. It is essentially just the key object from PKCS#8, but without the version or algorithm identifier in front.BEGIN PRIVATE KEY is PKCS#8 and indicates that the key type is included in the key data itself.). Includes 2 commands converting from PFX, or a single line converting from ready PEM

openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem
openSSL pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8

1.7.2. HAPROXY CONCATENATE PEM – concatenate within the linux box

        cat private.pem wildcard-certificate.pem intermediates.pem > ssl-certs.pem

ALTERNATIVE GUI TOOL for Certificate management

There’s only one useful CRT convertion and exporting tool nowadays. This is XCA tool. Download at https://sourceforge.net/projects/xca/

XCA tool – X Certificate and Key management is an interface for managing asymetric keys like RSA or DSA. It is intended as a small CA for creation and signing certificates. It uses the OpenSSL library for the cryptographic operations.
This Opensource application is suitable for work with crypto keys. You can use it for making PFX files in which you keep your Code signing application signing. App keeps all keys in one file and password protected. You are not allowed to export any key from this archive without right password. It’s much secure that OpenSSL with keys in separate files.

Features

  • Start your own PKI and create all kinds of certificates, requests or CRLs
  • Import and export them in any format like PEM, DER, PKCS#7, PKCS#12
  • Use them for your IPsec, OpenVPN, HTTPs or any other certificate based setup
  • Manage your Smart-Cards via PKCS#11 interface
  • Export certificates and requests to a OpenSSL config file
  • Create Subject- and/or Extension- templates to ease issuing similar certs
  • Convert existing certificates or requests to templates
  • Get the broad support of x509v3 extensions as flexible as OpenSSL but user friendlier
  • Adapt the Columns to have your important information at a glance

SSL and PFX certs are imported into tool. Export to any kind of PEM/X509/CRT/CER files is possible with few clicks.

OPENSSL FORMATS and DETAILED EXPLANATIONS (CLI) below:

Intro

There are two main objects: the private key, which is what the server owns, keeps secret, and uses to receive new SSL connections; and the public key which is mathematically linked to the private key, and made “public”: it is sent to every client as part of the initial steps of the connection.

The certificate is, nominally, a container for the public key. It includes the public key, the server name, some extra information about the server, and a signature computed by a certification authority. When the server sends its public key to a client, it actually sends its certificate, with a few other certificates (the certificate which contains the public key of the CA which signed its certificate, and the certificate for the CA which signed the CA’s certificate, and so on). Certificates are intrinsically public objects.

Some people use the term “certificate” to designate both the certificate and the private key; this is a common source of confusion. I personally stick to the strict definition for which the certificate is the signed container for the public key only.

A “.pfx” file is a PKCS#12 archive: a bag which can contain a lot of objects with optional password protection; but, usually, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key. You do not distribute the .pfx file because that is the file containing the private key. You can extract and distribute the certificate (which is public) from the .pfx file via methods shown below.

On the other hand, a “.cert” (or “.cer” or “.crt”) file usually contains a single certificate, alone and without any wrapping (no private key, no password protection, just the certificate).

And .csr file is just a text file generated/based on the privete key with corresponding Identification company data

Types of Certificate – visual

Self Signed Certificate

Self Signed Certificates are certs where both the Issued To and the Issued By field of the certificates are same. In simple words it is a certificate where one issues a certificate to itself and hence the name Self Signed Certificate. Here is one example:

image

As seen in the above image the Issued to and Issued by are same. You may also observe the warning indicating that the certificate is not trusted. Of course it is not as it is self-signed, none of the Known Public CA’s have issued this, so it wont be trusted.

NOTE: To get past the above error put the cert in the Root CA store. 

These certs come in handy as they can be created easily using several tools. Obtaining a certificate from a noted Certification Authority has a cost associated with it and may not be feasible at all times. Developers typically test their applications using a self signed certificates most of the times.

Root CA Certificate

Root CA Certificate is a CA Certificate which is simply a Self-signed Certificate. This certificate represents a entity which issues certificate and is known as Certificate Authority or the CA. The usage of the certificate distinguishes it with other normal certificates. Now a CA can be classified as either Root CA’s or Intermediate CA’s. On a Windows OS, if you are looking at the certificate store, you would see all the Root CA certificates in the Trusted Root Certification Authorities. This by default includes the list of public root CA’s which are installed with Windows and are updated periodically through Windows Updates. The number of the certificates would be lesser.

NOTE: Don’t add Intermediate CA certificates to the Trusted Root Certification Authorities store.

Identification of a Root CA:

Now how do we differentiate the CA certificates as Root CA or Intermediate CA. There is so much fuss around this. Its actually easy, look at the CA cert. If the Issued to and Issued by are same then it is a Root CA or else it is a Intermediate CA. Another identification would be to look at the Certification Path. The Cert which appears at the top of the list is the Root CA. Below is one example of one of the public root CA’s:

image

If you think logically this makes sense. CA’s are supposed to issue certificates. Now if I start the process from the beginning, then someone has to issue a certificate to himself and then start the process of issuing the certs down the line.

I’m not going to discuss the purpose of the CA certificate as that would lead to a whole new discussion altogether.

Intermediate CA Certificate

Intermediate CA Certificate is a CA certificate which is not a Self-signed Certificate. The purpose of this certificate may be same as the Root CA or different. Now one may think why to have a intermediate CA at all. Well here is what I think:

Initially it may not require to have a Intermediate CA, as the Root CA’s will serve the purpose. However as the requirement for PKI increases so would the number of CA’s. Understanding that CA at the end of the day is a Server Machine performing this computational task, it is required to have multiple machines. So they have to be replicated. Now it is again not viable to have many Root CA’s in the case of a Internet Scenario as this could lead to fraud and other management issues. So the concept of Intermediate CA was introduced. The Root CA’s delegated their tasks to the corresponding Intermediate CA’s for this. This way they can have one or more Intermediate CA’s.

On Windows OS, these certificates can be found in the Intermediate Certification Authorities Store. Comparatively the number of certificates in this store would be more compared to Trusted Root Certification Authorities store.

Below is a image of a certificate store of MY or Local Computer account. It contains many certificate stores, but I have only highlighted the ones relevant to this article.

image

Hope this article will clear some confusion at least.

Request an Internet Server Certificate (IIS 7)

To request an Internet server certificate when you must prove the identity of your Web server to clients who request content that resides on the server. Internet server certificates are issued by public certification authorities (CA).

What is a CSR? A CSR or Certificate Signing request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. What is a CSR and private key good for if someone else can potentially read your communications? The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

 To request an Internet server certificate (CSR)

You can perform this procedure by using the user interface (UI).

  1.  
    1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
    1. In Features View, double-click Server Certificates.
    1. In the Actions pane, click Create Certificate Request.
    1. On the Distinguished Name Properties page of the Request Certificate Wizard, type the following information, and then click Next.
  2. In the Common name text box, type a name for the certificate.
  3. In the Organization text box, type the name of the organization in which the certificate will be used.
  4. In the Organizational unit text box, type the name of the organizational unit in the organization in which the certificate will be used.
  5. In the City/locality text box, type the unabbreviated name of the city or locality where your organization or organizational unit is located.
  6. In the State/province text box, type the unabbreviated name of the state or province where your organization or organizational unit is located. 
  7. In the Country/region text box, type the name of the country or region where your organization or organizational unit is located
  8.  
    1. On the Cryptographic Service Provider Properties page, select either Microsoft RSA SChannel Cryptographic Provider or Microsoft DH SChannel Cryptographic Provider from the Cryptographic service provider drop-down list. By default, IIS 7 uses the Microsoft RSA SChannel Cryptographic Provider.
    1. In the Bit length drop-down list, select a bit length that can be used by the provider. By default, the RSA SChannel provider uses a bit length of 2048. A longer bit length is more secure, but it can affect performance. Choose 2048-bit
    1. Click Next.
    1. On the File Name page, type a file name in the Specify a file name for the certificate request text box, or click the browse button () to locate a file, and then click Finish.
    1. Send the certificate request to a public CA. Or to the Client IT department that manages the main domain!
  9. Obtain SSL form Client and convert to private/public key.

How to export a private key from the webserver you have just sent the request from

  • Find the certificate within the Enrollment requests
    • you may have to add the computer certificates module through MMC
  • Export the certificate with the following options
    • Yes, export the private key
    • Select “Include all certificates in the certification path if possible
    • Select “Export all extended properties”
    • Set the password “password”
    • Save and finish

Converting the provided SSL to apply at Loadbalancer

  • Certificate need to be converted to pem (txt) file and pasted into Amazon Loadballancer.
  • The required certificates shown below:
    • Public Certificate
    • Private Certificate Key
    • Chain Certificates (Intermediate)
  • The conversion is done by OpenSSL so you will need to install OpenSSL onto your workstation
  • locate the bin folder within the OpenSSL
  • make sure you have the private key you exported earlier into the OPENSSL\…..\BIN folder along with the keys that were provided after renewing the SSL
    • Convert a .p12/.pfx file to PEM-formatted file containing both the key(s) and certificate(s) (note: including the “-nodes” flag here will prevent using a passphrase to encrypt the private key(s)):
      • openssl pkcs12 -in filename.pfx -out site.pem
    • This will create a new file ready to decrypt
  • Decrypt the file using the following command
    • openssl rsa -in site.pem -out decrypted.key
  • You now have a text file of the private key
  • Now you need to do similiar with the certificate you were provided with
  • Run the following command
    • openssl pkcs7 -in file.p7b -print_certs -out certs.pem

Common OpenSSL Certificate Manipulations.

Convert/edit a PKCS#7 file from signed single PKCS7 certificate to a PEM (txt) cert file./If certificate is from verisign it may have extra wordings that need to be stripped:

FROM:
-----BEGIN PKCS #7 SIGNED DATA-----
TO:
-----BEGIN CERTIFICATE-----
FROM:
-----END PKCS #7 SIGNED DATA-----
TO:
-----END CERTIFICATE-----


Output all certificates in a file:

openssl pkcs7 -in file.pem -print_certs -out certs.pem

Convert a PKCS#7 file from PEM to DER:

 openssl pkcs7 -in file.pem -outform DER -out file.der
 

Export only the private key(s) from a .p12/.pfx file to a .pem file:

openssl pkcs12 -nocerts -in filename.pfx -out sitekey.pem

Strip the passphrase from a certificate with embedded, encrypted key in two steps (N.B.: postpend the certificate to the file using the appropriate shell redirection “>>”!):

openssl rsa -in somesystemcert.pem -out system.fqdn.like. this .crt

openssl x509 -in somesystemcert.pem >> system.fqdn.like. this .crt

ALTERNATIVELY one can obtain private key directly in no RSA encrypted form by:

openssl pkcs12 -in myfile.pfx -nocerts -out private_key.pem -nodes

BUILD a PFX file from all certificate

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.


Requirements:

  • The original private key used for the certificate
  • A PEM (.pem, .crt, .cer) or PKCS#7/P7B (.p7b, .p7c) File
  • OpenSSL

The commands below demonstrate examples of how to create a .pfx/.p12 file in the command line using OpenSSL.

PEM (.pem, .crt, .cer) to PFX

1 openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt

Breaking down the command:

  • openssl – the command for executing OpenSSL
  • pkcs12 – the file utility for PKCS#12 files in OpenSSL
  • -export -out certificate.pfx – export and save the PFX file as certificate.pfx
  • -inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
  • -in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
  • -certfile more.crt – This is optional, this is if you have any additional certificates you would like to include in the PFX file.

PKCS#7/P7B (.p7b, .p7c) to PFX
P7B files cannot be used to directly create a PFX file. P7B files must be converted to PEM. Once converted to PEM, follow the above steps to create a PFX file from a PEM file.

1 openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

Breaking down the command:

  • openssl – the command for executing OpenSSL
  • pkcs7 – the file utility for PKCS#7 files in OpenSSL
  • -print_certs -in certificate.p7b – prints out any certificates or CRLs contained in the file.
  • -out certificate.crt – output the file as certificate.crt

Which type of certificate Implementation team is to request from client when SSL purchased

The downloadable SSL cert have different structure for different OS.

Even though they’re all convertible the preferable type of downloading SSL is shown below marked in red –

Download the certificate and provide to IT team into format for APACHE, APPLE, Cisco, Oracle or Other – These are all .X509 type !!!

Any other would work, yet it requires time/tools to convert.

2.2 Extracting Certificate and Private Key Files from a .pfx File

Purpose

Customers sometimes have a need to export a certificate and private key from a Windows computer to separate certificate and key files for use elsewhere. Windows doesn’t provide the means to complete this process.

Exporting Certificates from the Windows Certificate Store describes how to export a certificate and private key into a single .pfx file. Follow the procedure below to extract separate certificate and private key files from the .pfx file.

Procedure

  1. Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
  2. Run the following command to export the private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
  3. Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  4. Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key

3. Chain Certificates, Intermediate and root certificates!

Intermediate certificate authority: certificates

There are two types of certificate authorities (CAs), root CAs and intermediate CAs. In order for a certificate to be trusted, and often for a secure connection to be established at all, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.

If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).

To facilitate this process of verifying a “chain” of trust, every certificate includes the fields “Issued To” and “Issued By”. An intermediate CA will show different information in these two fields, showing a connecting device where to continue checking, if necessary, in order to establish trust.

Root CA certificates, on the other hand, are “Issued To” and “Issued By” themselves, so no further checking is possible or necessary in order to establish trust (or lack thereof).

For example, if a certificate issued to “example.com” and issued by “Intermediate CA1”, and the visiting web browser trusts “Root CA”, trust may be established in the following manner:

Certificate 1 – Issued To: example.com; Issued By: Intermediate CA 1Certificate 2 – Issued To: Intermediate CA 1; Issued By: Intermediate CA 2Certificate 3 – Issued To: Intermediate CA 2; Issued By: Intermediate CA 3Certificate 4 – Issued To: Intermediate CA 3; Issued By: Root CA

The visiting web browser trusts “Root CA”, and a secure connection can now be established. Since this process is often called “certificate chaining,” intermediate CA certificates are sometimes called “chained certificates”. For enhanced security purposes, most end user certificates today are issued by intermediate certificate authorities.

Installing an intermediate CA signed certificate on a web server or load balancer usually requires installing a bundle of certificates.

Summary: 1. a private key is generated on the big-ip and kept in the filestore (will be used later in your clientssl profile as ‘key’)

2. a certificate signing request will be created for the specific hostname and with some specific attributes

3. you will submit the certificate signing request to a certficate authority (CA)

4. the CA with return a signed certficate. You will import it into the TMOS filestore and use it in your clientssl profile as ‘certficate’.

5. the CA will also provide a so called intermediate CA file or chain certificate. It proves, that your choosen CA is trusted by one of the root CAs. You will need the intermedidate CA certificate as ‘chain’ certificate in your clientssl profile.

3.1 Thawte and Verisign certificate example that require Chain Certificate addition and how to:

1) Top space: private key

2) Middle Space:  public key

3. Bottom space: Intermediate Certificates (Two certificates one after another)

Image of  uploading new SSL for each loadballancer that requires HTTPS/443/secure  connection:

Explanation of chains – In the chain certificate area  two certificates are copy/pasted

One is actually the SHA2 secure server (just signed by the Global Root) then the bottom is Global Root Signed by itself (global root) which is why its a root

One is the intermediate (SHA2) and the other is a root!

Example below:

 —–BEGIN RSA PRIVATE KEY—–
subject=/C=AU/ST=New South Wales/L=Sydney/O=Gilbert & Tobin/OU=Law/CN=subscriptions.gtlaw.com.au
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
—–BEGIN CERTIFICATE—–
subject=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
—–BEGIN CERTIFICATE—–

3.2 Network Solutions CA certificate example that require Chain Certificate bundle:

Network Solutions provide a zip file with couple of certeficates after CSR procedure. See image of the files included into ZIP:

  1. Export the private key from pfx file, explained in previous chapter using Openssl commands.
  2. Get the public certificate within the provided zip file (in that case: preferences.pbwt.crt)
    1. Use the chain certificates in the order as shown below. Copy/paste both txt file into ”Certificate Area” of the LB

      Network Solutions_CA.crt
      UTNAddTrustServer_CA.crt

                b. Or in the case of:

Use in the strict order:


NetworkSolutionsEVServerCA.crt

NetworkSolutionsAddTrustedEVServerCA.crt

More details to understand the reason behind chain bundle:

Let’s analyze these certs in your chain. The first one is AddTrustExternalCARoot.crt which is called the “root certificate”. This is the first cert in your chain. This root cert is installed to the Trusted Root Certification Authorities store on your server or network appliance.

The second cert in your chain is NetworkSolutions_CA.crt and the UTNAddTrustServer_CA.crt which are “intermediate certificates”. An intermediate cert is essentially a certificate issued by the Trusted Root CA specifically designed to issue SSL Certificates to you. The reason for this is because if the CA root cert were to ever be compromised, the entire chain fails. It is good security practice to use an “intermediary” to issue the certs from to prevent your root CAs from being exposed from the signing process. If an intermediate were to ever be compromised, you can always regenerate those unlike the root certs. This intermediate certificate sits between your website cert and the root cert. This intermediate cert is installed to the Intermediate Certification Authorities store on your server or appliance.

The last cert in your chain is PREFERENCES.PBWT.COM.crt which is your actual SSL cert. This is also known as your “domain certificate”. This domain cert is installed to the Personal store on your server or appliance.

So the end result is chain of certs that begins at the trusted root CA, runs through the intermediary, and finally ends with the SSL certificate issued to you for your website or appliance (preferences.pbwt.com).



More:
You will need to install the Intermediate CA certificates in order for browsers to trust your SSL Certification. The Intermediate CA certificates are contained within the ‘Apache_Plesk_Install.txt ‘ file that can be downloaded from the “Optional Download: Individual Certificate Files” section in Account Manager.Alternatively you can create this file yourself by combining the ‘UTNAddTrustServer_CA.crt’ file, the ‘NetworkSolutionsUTNServerCA.crt’ file, and the ‘NetworkSolutionsEVSSLCA.crt‘ file within a text document. The ‘UTNAddTrustServer_CA.crt’ cert content will be above the ‘NetworkSolutionsUTNServerCA.crt’ cert content, which will be above the’NetworkSolutionsEVSSLCA.crt‘ cert content. The files can be found in the *.zip file or downloaded individually from the “Optional Download: Individual Certificate Files” section in Account Manager. There can be no whitespace in the combined file. It is recommended that you use the .txt file already provided by Network Solutions.

That’s how it looks when all SSL successfully applied and checked at http://www.sslshopper.com/ssl-checker.html

      3.3 GoDaddy CA

In short: convert the provided Godaddy p7b into pem using:

C:\Program Files (x86)\GnuWin32\bin>openssl pkcs7 -in gdd.p7b -print_certs -out certs-gdd.pem

The resulting file is holding two certs that need to be copied into Chain Cert field at the loadbalancer:

Copy Begin-to-End line of the first and add second cert just below the first (within the same field). Pasting both certs at one field.

Resulting converted file:

3.4 Comodo CA

Comodo provides intermediate and root certs bundle comprising of 3 certs:
Sample below – use the first one as the SSL, then add the other three as chain in aws elb.

The certificate chain includes the intermediate certificates and optionally the root certificate, one after the other without any blank lines, as shown in the following example. If you include the root certificate, your certificate chain must start with intermediate certificates and end with the root certificate. Use the intermediate certificates that were provided by your CA. Do not include any intermediaries that are not in the chain of trust path.

subject=/serialNumber=02228255/1.3.6.1.4.1.311.60.2.1.3=GB/2.5.4.15=Private Organization/C=GB/postalCode=EC1 Y8YY/ST=London/L=London/streetAddress=One Bunhill Row/O=Slaughter and May Ltd/OU=Technology/OU=COMODO EV SSL/CN=subscriptions.slaughterandmay.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA
—–BEGIN CERTIFICATE—–
MIIHwTCCBqmgAwIBAgIQL2nOpFtNzse8Y9sNiXKP+zANBgkqhkiG9w0BAQsFADCB
kjELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
29tG/9zC8YQ3oQmTNvXvqOf9anB+GtoXB2AywralskOTB4/prgxi7Yrfo24lAC3f
Sude5m30p/semVUtGRa4IV6OADWy
—–END CERTIFICATE—–

subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
—–BEGIN CERTIFICATE—–
MIIGDjCCA/agAwIBAgIQBqdDgNTr/tQ1taP34Wq92DANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
pLwltum95OmYdBbxN4SBB7SC
—–END CERTIFICATE—–

subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
—–BEGIN CERTIFICATE—–
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR
pu/xO28QOG8=
—–END CERTIFICATE—–

subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
—–BEGIN CERTIFICATE—–
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
—–END CERTIFICATE—–

How do I make my own bundle file from CRT files?

Answer: You may do this using you favorite text editor or by using the command line.

Example:

# Root CA Certificate – AddTrustExternalCARoot.crt
# Intermediate CA Certificate 1 – UTNAddTrustSGCCA.crt
# Intermediate CA Certificate 2 – ComodoUTNSGCCA.crt
# Intermediate CA Certificate 3 – EssentialSSLCA_2.crt
# Your SSL Certificate – yourDomain.crt

Note: You will not need your SSL certificate for this exercise.

GUI Text Editor

1. Open All files in a text editor. (Remember, not your domain certificate.)
2. Create a new blank text file.
3. Copy contents of all files in reverse order and paste them into the new file.
Example: Intermediate 3, Intermediate 2, Intermediate 1, Root Certificate.
4. Save newly created file as ‘yourDomain.ca-bundle’.

Command Line

Linux or UNIX-like Operating Systems:
— cat EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle

Windows or DOS:
— copy EssentialSSLCA_2.crt + ComodoUTNSGCCA.crt + UTNAddTrustSGCCA.crt + AddTrustExternalCARoot.crt yourDomain.ca-bundle

Note: ‘yourDomain.ca-bundle’ is only a place holder file name. You may call it anything you want.

3.5 Adding GlobalSign Intermediates to ELB

Use DomanSSL with https://support.globalsign.com/customer/portal/articles/1464460-domainssl-intermediate-certificates if exact domain is ordered

Use OrganisationSSL with https://support.globalsign.com/customer/en/portal/articles/1219303-organizationssl-intermediate-certificates if an Organisation is ordered

NOTE: See what the actual SSL says:

Check the link https://www.sslshopper.com/certificate-decoder.html and decode actual PUBLIC SSL
At the bottom it should say something like:
Issuer: GlobalSign Organization Validation CA – SHA256 – G2, GlobalSign

If its either Domain or Organisation Validated CA – use the avbbove relevant link and copy the G2 -SHA256 BASE64 pem file

EXAMPLE pem if the Intermediate is Organisation Validated:

3.6 Add the GeoSites RapidSSL SHA-2

Download the Intermediate cert at https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO28589 and add to AWS intermediates

3.7 Install by the simple way of importing cer and p7b into IIS6-IIS7 (IT DOES NOT APPLY FOR ELB Amazon Loadbalancers)

To Install an Intermediate Certificate in Microsoft IIS 7

  1. Click Start, and then click Run….
  2. Type mmc, and then click OK. The Microsoft Management Console (Console) window opens.
  3. In the Console1 window, click the File menu, and then select Add/Remove Snap-in.
  4. In the Add or Remove Snap-in window, select Certificates, and then click Add.
  5. In the Certificates snap-in window, select Computer Account, and then click Next.
  6. In the Select Computer window, select Local Computer, and then click Finish.
  7. In the Add or Remove Snap-in window, click OK.
  8. In the Console1 window, click + to expand the folder.
  9. Right-click Intermediate Certification Authorities, mouse-over All Tasks, and then click Import.
  10. In the Certificate Import Wizard window, click Next.
  11. Click Browse to find the intermediate certificate file.
  12. In the Open window, change the file extension filter to PKCS #7 Certificates (*.spc;*.p7b), select the *_iis_intermediates.p7b file, and then click Open.

NOTE: Do not install your Leaf Certificate in this area. Doing so removes your certificate from the list, and you must reinstall to correct the problem.

  1. In the Certificate Import Wizard window, click Next.
  2. Select Place all certificates in the following store, and then click Browse.
  3. In the Select Certificate Store window, select Intermediate Certification Authorities, and then click OK.
  4. In the Certificate Import Wizard window, click Next.
  5. Click Finish.
  6. Click OK.
  7. Close the Console 1 window, and then click No to remove the console settings.

To Install an SSL Certificate in Microsoft IIS 7

  1. Click Start, mouse-over Administrative Tools, and then click Internet Services Manager.
  2. In the Internet Information Services (IIS) Manager window, select your server.
  3. Scroll to the bottom, and then double-click Server Certificates.
  4. From the Actions panel on the right, click Complete Certificate Request….
  5. To locate your certificate file, click .
  6. In the Open window, select *.* as your file name extension, select your certificate (it might be saved as a .txt, .cer, or .crt), and then click Open.
  7. In the Complete Certificate Request window, enter a Friendly name for the certificate file, and then click OK.

NOTE: For Wildcard SSL certificates make sure your Friendly Name to matches your Common Name (i.e. *.coolexample.com).

  1. In the Internet Information Services (IIS) Manager window, select the name of the server where you installed the certificate.
  2. Click + beside Sites, select the site to secure with the SSL certificate.
  3. In the Actions panel on the right, click Bindings….
  4. Click Add….
  5. In the Add Site Binding window:
    • For Type, select https.
    • For IP address, select All Unassigned, or the IP address of the site.
    • For Port, type 443.
    • For SSL Certificate, select the SSL certificate you just installed, and then click OK.
  6. Close the Site Bindings window.
  7. Close the Internet Information Services (IIS) Manager window. Your SSL certificate installation is complete

If you have any questions about how to do this, contact your certificate authority or follow their SSL certificate installation instructions listed below:

Certificate Provider Links to Installation Instructions
Comodo Comodo Certificate Installation Instructions
InstantSSL Certificate Installation Instructions
DigiCert DigiCert Certificate Installation Instructions
Entrust Entrust Certificate Installation Instructions
GeoTrust GeoTrust Certificate Installation Instructions
RapidSSL Certificate Installation Instructions
GlobalSign GlobalSign Certificate Installation Instructions
GoDaddy GoDaddy Certificate Installation Instructions
Network Solutions Network Solutions Certificate Installation Instructions
Network Solutions list of Intermediate Certificates
StartCom StartCom Certificate Installation Instructions
StartCom list of Intermediate Certificates
Thawte Thawte SSL Web Server Certificate Installation Instructions
Thawte SSL123 Certificate Installation Instructions
Thawte SGC SuperCert Certificate Installation Instructions
VeriSign VeriSign Certificate Installation Instructions
VeriSign list of Intermediate Certificates

Most web browsers make it clear that you shouldn’t just continue when you receive this error. This is because, while most of the time it doesn’t, it could indicate that a phisher is trying to pass a website off as a legitimate site. You shouldn’t have to continue through this error message on legitimate web sites unless the web site owner just doesn’t want to spend a little money to buy a trusted SSL certificate. You definitely shouldn’t continue through this error on big websites like your bank.

This error is often phrased differently depending on the web browser. These are some common ways the certificate not trusted error is stated in other browsers:

 Different certificate not trusted errors in different web browsers

Web Browser  Error Message
 Internet Explorer 6 “The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.”
 Internet Explorer 7 “The security certificate presented by this website was not issued by a trusted certificate authority.”
 Firefox 2 “Unable to verify the identity of www.paypal.com as a trusted site. Possible reasons for this error: – Your browser does not recognize the Certificate Authority that issued the site’s certificate. – The site’s certificate is incomplete due to a server misconfiguration.”
 Firefox 3  “The certificate is not trusted because it is self signed.”  “The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)”
 Safari 3  “Authentication failed because the server certificate is not trusted.”
 Google Chrome “The site’s security certificate is not trusted!”

What happens if no chain certificate is present

Certificate Not Trusted Error in Internet Explorer 6
Certificate Not Trusted Error in Firefox 2
Certificate Not Trusted Error in in Firefox 3
Certificate Not Trusted Error in Google Chrome

What is contained in a CSR?

Name Explanation Examples
Common Name The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error. *.google.com
mail.google.com
Organization The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. Google Inc.
Organizational Unit The division of your organization handling the certificate. Information Technology
IT Department
City/Locality The city where your organization is located. Mountain View
State/County/Region The state/region where your organization is located. This shouldn’t be abbreviated. California
Country The two-letter ISO code for the country where your organization is location. US
GB
Email address An email address used to contact your organization. webmaster@google.com
Public Key The public key that will go into the certificate. The public key is created automatically

FInally verify SSL details at https://www.sslshopper.com/ssl-certificate-tools.html and input HTTPS link to view details!!

Managing trusted root certificates for a local computer

Administrators is the minimum group membership required to complete this procedure.

To manage trusted root certificates for a local computer

  1. Click Start, click Start Search, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove Snap-in.
  3. Under Available snap-ins, click Local Group Policy Object Editor,click Add, select the computer whose local Group Policy object (GPO) you want to edit, and then click Finish.
  4. If you have no more snap-ins to add to the console, click OK.
  5. In the console tree, go to Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
  6. Double-click Certificate Path Validation Settings,and thenclick the Stores tab.
  7. Select the Define these policy settings check box.
  8. Under Per user certificate stores, clear the Allow user trusted root CAs to be used to validate certificates and Allow users to trust peer trust certificates check boxes.
  9. Under Root certificate stores, select the root CAs that the client computers can trust, and then click OK to apply the new settings.

Managing trusted root certificates for a domain

Domain Admins is the minimum group membership required to complete this procedure.

To manage trusted root certificates for a domain

  1. Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.
  2. After the Installation Results page shows that the installation of the Group Policy Management Console (GPMC) was successful, click Close.
  3. Click Start, point to Administrative Tools, and then click Group Policy Management.
  4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy GPO that you want to edit.
  5. Right-click the Default Domain Policy GPO, and then click Edit.
  6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
  7. Double-click Certificate Path Validation Settings, and then click the Stores tab.
  8. Select the Define these policy settings check box.
  9. Under Per user certificate stores, clear the Allow user trusted root CAs to be used to validate certificates and Allow users to trust peer trust certificates option in the Per User Certificate Stores check boxes.
  10. Under Root certificate stores, select the root CAs that the client computers can trust, and then click OK to apply the new settings.

Adding certificates to the Trusted Root Certification Authorities store for a local computer

Administrators is the minimum group membership required to complete this procedure.

To add certificates to the Trusted Root Certification Authorities store for a local computer

  1. Click Start, click Start Search, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove Snap-in.
  3. Under Available snap-ins, click Certificates,and then click Add.
  4. Under This snap-in will always manage certificates for, click Computer account, and then click Next.
  5. Click Local computer, and click Finish.
  6. If you have no more snap-ins to add to the console, click OK.
  7. In the console tree, double-click Certificates.
  8. Right-click the Trusted Root Certification Authorities store.
  9. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.

Adding certificates to the Trusted Root Certification Authorities store for a domain

Domain Admins is the minimum group membership required to complete this procedure.

To add certificates to the Trusted Root Certification Authorities store for a domain

  1. Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.
  2. After the Installation Results page shows that the installation of the GPMC was successful, click Close.
  3. Click Start, point to Administrative Tools, and then click Group Policy Management.
  4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy GPO that you want to edit.
  5. Right-click the Default Domain Policy GPO, and then click Edit.
  6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
  7. Right-click the Trusted Root Certification Authorities store.
  8. Click Import and follow the steps in the Certificate Import Wizard to import the certificates.

Certificates and Encoding

At its core an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.

X509 File Extensions

The first thing we have to understand is what each type of file extension is.   There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable.  While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly.  Correctly labeled certificates will be much easier to manipulat

Encodings (also used as extensions)

  •  
  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

Common Extensions

  • CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.  Most common among *nix systems
  • CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer)  The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
  • .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

The only time CRT and CER can safely be interchanged is when the encoding type can be identical.  (ie  PEM encoded CRT = PEM encoded CER)

    openssl rsa -in site.pem -out decrypted.key

Checking A Remote Certificate Chain With OpenSSL

If you deal with SSL/TLS long enough you will run into situations where you need to examine what certificates are being presented by a server to the client. The best way to examine the raw output is via (what else but) OpenSSL.1

First let’s do a standard webserver connection (-showcerts dumps the PEM encoded certificates themselves for more extensive parsing if you desire. The output below snips them for readability.):


openssl s_client -showcerts -connect www.domain.com:443
CONNECTED(00000003)
--snip--
---
Certificate chain
 0 s:/C=US/ST=Texas/L=Carrollton/O=Woot Inc/CN=*.woot.com
   i:/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
-----BEGIN CERTIFICATE-----
--snip--
-----END CERTIFICATE-----
 1 s:/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
-----BEGIN CERTIFICATE-----
--snip--
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Texas/L=Carrollton/O=Woot Inc/CN=*.woot.com
issuer=/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
---
No client certificate CA names sent
---
SSL handshake has read 2123 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
--snip--

There’s a lot of data here so I have truncated several sections to increase readability. Points of interest:

  1. The certificate chain consists of two certificates. At level 0 there is the server certificate with some parsed information. s: is the subject line of the certificate and i: contains information about the issuing CA.
  2. This particular server (www.woot.com) has sent an intermediate certificate as well. Subject and issuer information is provided for each certificate in the presented chain. Chains can be much longer than 2 certificates in length.
  3. The server certificate section is a duplicate of level 0 in the chain. If you’re only looking for the end entity certificate then you can rapidly find it by looking for this section.
  4. No client certificate CAs were sent. If the server was configured to potentially accept client certs the returned data would include a list of “acceptable client CAs”.
  5. Connection was made via TLSv1/SSLv3 and the chosen cipher was RC4-MD5. Incidentally, this typically means that the server you’re connecting to is IIS.

But what if you want to connect to something other than a bog standard webserver on port 443? Well, if you need to use starttls that is also available. As of OpenSSL 0.9.8 you can choose from smtp, pop3, imap, and ftp as starttls options.

openssl s_client -showcerts -starttls imap -connect mail.domain.com:139

If you need to check using a specific SSL version (perhaps to verify if that method is available) you can do that as well. -ssl2, -ssl3, -tls1, and -dtls1 are all choices here.2

openssl s_client -showcerts -ssl2 -connect www.domain.com:443

You can also present a client certificate if you are attempting to debug issues with a connection that requires one.3

openssl s_client -showcerts -cert cert.cer -key cert.key -connect www.domain.com:443

And for those who really enjoy playing with SSL handshakes, you can even specify acceptable ciphers.4 bash openssl s_client -showcerts -cipher DHE-RSA-AES256-SHA -connect www.domain.com:443

The cipher used above should work for almost any Apache server, but will fail on IIS since it doesn’t support 256-bit AES encryption.


  1. The s_client command we’re using opens an interactive socket and does not automatically return to the shell prompt, so remember you will have to hit control-c or type something and hit return to terminate the process.
  2. This example shows an attempted SSLv2 only connection. SSLv2 should be disabled on any web server you control. It has a variety of flaws and has been superseded by SSLv3/TLSv1 for over a decade.
  3. This example expects the certificate and private key in PEM form. You can provide them in DER if you add -certform DER and -keyform DER (OpenSSL 0.9.8 or newer only)
  4. A list of available ciphers can be found by typing “openssl ciphers”, but there are also myriad ways to sort by type and strength. See the ciphers man page for more details.

5. Move a SSL certificate from Microsoft IIS 5.0, 6.0, or 7.0 to Apache

Resolution

To move a SSL certificate from Microsoft IIS 5.0, 6.0, or 7.0 to Apache, the certificate must be converted from a PKCS#12 (.p12 or .pfx) to two separate files (private and public key).

Step 1: Export SSL certificate from Microsoft IIS 5.0, 6.0, or 7.0

  1. From the web server, click Start
  2. In the Search programs and files field, type mmc
  3. From the Programs list, click mmc.exe
  4. At the permission prompt, click Yes
  5. From the Microsoft Management Console (MMC), click  File > Add/Remove Snap-in
  6. From the list of snap-ins, select Certificates
  7. Click Add
  8. Select Computer account
  9. Click Next
  10. Select Local computer (the computer this console is running on)
  11. Click Finish
  12. In the Add/Remove Snap-in window, click OK
  13. Save these console settings for future use
  14. Double click on Certificates (Local Computer) in the center window.
  15. Double click on the Personal folder, and then on Certificates.
  16. Right Click on the Certificate you would like to backup and choose > All Tasks > Export
  17. Follow the Certificate Export Wizard to backup your certificate to a .pfx file.
  18. Choose to ‘Yes, export the private key
  19. Choose to “Include all certificates in certificate path if possible.” (do NOT select the delete Private Key option)
  20. Enter a password you will remember
  21. Choose to save file on a set location
  22. Click Finish
  23. You will receive a message > “The export was successful.” > Click OK
  24. The .pfx file backup is now saved in the location you selected.


Step 2:  Convert PFX file to compatible files for Apache

Move the .pfx file to the Apache server.

To extract the private key, run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx  -nocerts -out key.pem
 
To extract the certificate (public key), run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem


Step 3: Install SSL certificate for Apache 

For installation instructions, refer to Thawte knowledge base article: SO1498
 
If these steps are unsuccessful, and you are not able to export your SSL certificate from IIS to Apache, you will need to create a new CSR and Revoke and Replace your certificate. Please see the instructions on solution: SO470
 
If you do not want to include a passphrase you can use the following command:

openssl rsa -in key.pem -out server.key

6. How to Import and Export SSL Certificates in IIS 7

Transferring IIS 7 Certificate Files

Background

Want an easier way to export? Our management & troubleshooting tool works on all Windows-based servers.

Windows servers use .pfx files to contain the public key files (your SSL Certificate files, provided by DigiCert) and the associated private key file (generated by your server as part of the CSR).

Since both the public and private keys are needed for an SSL Certificate to function, you need a .pfx backup to transfer SSL server security certificates from one server to another.

This page explains how to back up your certificate on a working server, import the certificate to another server, and then enable the certificate for use on the new server. If you have not yet installed the certificate files that you received from DigiCert on the server that generated your CSR, please see our IIS 7 installation instructions page.

Exporting/Backing Up to a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Export.
  7. Choose Yes, export the private key and include all certificates in certificate path if possible.
    Warning: Do not select the delete private key option.
  8. Leave the default settings and then enter your password if required.
  9. Choose to save the file and then click Finish. You should receive an “export successful” message. The .pfx file is now saved to the location you selected.

Importing from a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Import.
  7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

Enabling a New Certificate on a Server

  1. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
  2. In the IIS Manager, click the server name.
  3. Expand the sites folder.
  4. Select the site that you want to secure (usually the default website).
  5. On the actions menu in the edit site section, click Bindings.
https://www.digicert.com/images/support-images/iis7/iis7-install-4.gif
  • In the site bindings window, click Add. If a binding for https already exists, select the https binding and click Edit.
https://www.digicert.com/images/support-images/iis7/iis7-install-5.gif
  • Fill out the information in the add site binding window. In the type drop-down choose https. Set the IP address to the IP address of the site or choose all unassigned. The port for SSL traffic is usually 443. Enter the recently imported certificate in the SSL Certificate field.
https://www.digicert.com/images/support-images/iis7/iis7-install-6.gif
  • Click OK. Your SSL Certificate is now installed and the website is configured to accept secure connections. You may have to restart IIS or the server for it to recognize the new certificate.
https://www.digicert.com/images/support-images/iis7/iis7-install-7.gif

 

7. AWS CLI commands remove/upload certificates:

Change / Update SSL certificate for Amazon Elastic Load Balancer with AWS Command Line Interface

  1. Install and configure the AWS Command Line Interface
  2. Show existing certificates to test if the AWS Cli is working:
$ aws iam list-server-certificates 
{"ServerCertificateMetadataList":[{"Path":"/","Arn":"arn:aws:iam::5xxxxxxxxxxx:server-certificate/www.example.com-201307-201407","ServerCertificateId":"AXXXXXXXXXXXXXXXXXXXX","ServerCertificateName":"www.example.com-201210-201310","UploadDate":"2012-10-10T11:25:35Z"}]}
  • Upload your certificate:
$ aws iam upload-server-certificate --server-certificate-name www.example.com-2013010-2014010--certificate-body file://www.example.com.crt --private-key file://www.example.com.key --certificate-chain file://www.example.com.ca-bundle {"ServerCertificateMetadata":{"Path":"/","Arn":"arn:aws:iam::5xxxxxxxxxxx:server-certificate/www.example.com-2013010-2014010","ServerCertificateId":"AXXXXXXXXXXXXXXXXXXXX","ServerCertificateName":"www.example.com-2013010-2014010","UploadDate":"2013-10-22T16:57:36.704Z"}}

If you got the error message A client error (MalformedCertificate) occurred: Invalid Private Key. please look at this card to see how to fix it.

  • Get the name of your loadbalancer:
$aws elb describe-load-balancers | grep LoadBalancerName"LoadBalancerName":"example-com",
  • Update certificate on your loadbalancer:
aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name example-com --ssl-certificate-id arn:aws:iam::5xxxxxxxxxxx:server-certificate/www.example.com-2013010-2014010--load-balancer-port 443

8. Errors

 8.1  “CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met.0x8009310b”

Problem

When completing the certificate request using the PKCS#7 file in Internet Information Services (IIS) Manager 7.0, 7.5, and 8.0, the server may respond with the following error message:

There was an error while performing this operation.

Details:

CertEnroll::CX509Enrollment::p_InstallResponse:ASN1 bad tag value met. 0x8009310b (ASN: 267)
 

Cause

Microsoft IIS 7.0 currently reports an error indicating it does not accept PKCS#7 formatted certificates.  Although the ASN1 error occurs during installation, the certificate might still install successfully.

This is a known Microsoft IIS 7.0 issue.  Please see Microsoft Knowledge Base Article 959216 in regards to this issue.

Resolution

To verify the SSL certificate is successfully installed, try to bind the certificate to the web site.

To bind the certifcate to the appropriate web site, perform the following steps:

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager
  2. Browse to your Server Name > Sites > Your SSL-based site
  3. From the Actions pane, choose Bindings
  4. In the Site Bindings window, choose Add
  5. From the Add Site Bindings window, provide the binding type as HTTPS
  6. Select the SSL certificate that will be used for this site
  7. Click OK
  8. Test the if the site is secure by using HTTPS
     

If in step 6 above, you cannot find the new certificate in the list, try restoring the private key.
 

Import certificate in to the Computer certificate store

  1. Create a Certificate snap-in in a MMC console, per KB solution SO1849
  2. In the left-hand pane, expand the Certificates folder, expand and select the Personal folder
  3. Right-click the Certificates folder inside the Personal folder, select All Tasks, select Import
  4. The Certificate Import Wizard opens. Click Next
  5. Click Browse and then navigate to the file that contains the SSL certificate. Click Open > Next
  6. Ensure “Place all certificates in the following store” is selected, ensure that “Personal” is listed for the certificate store, click Next > Finish


Restore Private Key

  1. With the MMC console still open, select the Certificates folder inside the Personal folder in the left-hand pane.
  2. Double-click the newly imported SSL certificate in the right-hand pane, then select the Details tab.
  3. Scroll down and select the Thumbprint field, then select and copy the entire thumbprint (in the bottom box) to the clipboard.
  4. Open a command prompt, then enter the following command:

    certutil -repairstore my “<thumbprint>”

    Example:

    certutil -repairstore my “00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f”

    If successful, the response will be “CertUtil: -repairstore command completed successfully”
     

Assign SSL certificate in IIS

  1. Open the IIS Manager application.
  2. From the Connections pane on the left, expand the local server, expand the Sites folder and select the web site to be secured with SSL.
  3. From the Actions pane on the right, select the Bindings option (under Edit Site).
  4. In the Site Bindings window, select an existing https binding and click Edit. If there are no existing https bindings, click Add.
  5. Ensure the type is set to ‘https’, then select the new SSL certificate from the drop down menu. Click the View button to confirm details of the certificate, if necessary. Click OK > Close

8.2 Error: “unable to load PKCS7 object” is Displayed when Converting or Installing a PKCS #7 Certificate

Symptoms or Error – When converting and installing a public-key cryptography standards (PKCS) #7 certificate (which has .p7b file extension) to Privacy Enhanced Mail (PEM) format by using OpenSSL toolkit, the “unable to load PKCS7 object” error message is displayed.

Due to the unusual way or application that has been used to export files

User-added image

Solution – To resolve this issue, complete the following procedure:

  1. Save a copy of the .p7b certificate file on the computer.
  2. Open the certificate file.
  3. Expand the node in the left-pane which displays path where the certificate is stored as shown in the following screen shot.
User-added image

The certificates stored on the computer are displayed in the right-pane.

  1. Open the required certificate from the right-pane. The certificate opens as shown in the following screen shot.
User-added image
  • Activate the Details tab.
  1. Click Copy to File as shown in the following screen shot.
User-added image
  1. Click Next in the Certificate Export Wizard as shown in the following screen shot.
User-added image
  1. Select the Base-64 encoded X.509 (.CER) option and then click Next as shown in the following screen shot.
User-added image
  1. Click Browse and specify the file name to which you want to export the certificate as shown in the following screen shot.
User-added image
  1. Click Next.
  2. Click Finish as shown in the following screen shot.
User-added image
  1. Click OK as shown in the following screen shot.
User-added image
  1. Transfer the exported certificate to the /nsconfig/ssl directory of the NetScaler appliance as shown in the following screen shot.
User-added image
  1. Install the certificate.

9.View deatails of SSL and exact expiry date:

C:\OpenSSL\bin>openssl x509 -in star.domain.com.pem -text


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            48:61:10:b7:bd:b8:29:51
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority –
        Validity
            Not Before: Jun 13 08:58:38 2016 GMT
            Not After : Jun 14 17:09:21 2017 GMT
        Subject: OU=Domain Control Validated, CN=*.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a4:c8:d5:5d:a5:6d:e1:4b:10:9a:6d:d4:83:30:
                    74:7a:f1:eb:d7:45:15:b1:47:1c:97:c3:9c:01:1c:
                    6d:cd:af:53:0f:27:94:a7:e5:b0:63:28:a8:56:84:
                    ef:d0:83:88:ca:ac:27:31:d4:52:7c:62:12:24:47:
                    77:d8:b9:03:ab:2c:58:d9:d5:d4:80:51:22:9b:dc:
                    2a:e5:0b:60:3a:bb:aa:7c:f4:8a:21:2e:5c:ea:dd:
                    3f:bf:4a:bd:7a:81:32:25:db:f4:e1:1e:18:36:2c:
                    d7:81:5d:8c:55:f4:bd:cc:07:4f:ca:8b:57:b6:5d:
                    89:81:8c:b1:7d:d9:11:e3:22:0c:98:39:07:3c:22:
                    32:c6:8d:eb:d8:db:87:01:ad:79:bf:bc:fa:42:a7:
                    e5:0b:ea:4c:c5:9a:e7:bf:11:2b:30:8a:a7:41:ed:
                    0b:9b:0d:d1:82:eb:8e:17:44:cb:b6:a6:66:0b:87:
                    eb:a2:c6:c4:7c:e8:a4:cc:c6:f6:b0:9e:4b:e7:c5:
                    66:9b:43:eb:cf:97:bf:83:79:0f:db:34:a5:35:68:
                    79:d1:e3:a9:0b:83:29:6f:96:f1:d0:38:63:3f:30:
                    48:1b:3f:3d:e8:5b:a2:9b:81:b6:aa:ec:2e:ee:a7:
                    71:cb:97:34:e2:99:34:e6:89:83:78:ed:83:18:44:
                    f3:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://crl.godaddy.com/gdig2s1-252.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1

            Authority Information Access:
                OCSP – URI:http://ocsp.godaddy.com/
                CA Issuers – URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Authority Key Identifier:
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

            X509v3 Subject Alternative Name:
                DNS:*.domain.com, DNS: domain.com
            X509v3 Subject Key Identifier:
                68:08:6D:68:28:08:19:1C:EC:BE:EE:02:40:35:1A:C9:1D:FC:4E:AE
    Signature Algorithm: sha256WithRSAEncryption
        87:60:bd:49:8f:27:2c:4b:24:b9:6d:15:c4:e8:b5:18:46:9e:
        4e:a6:b4:df:e2:6b:7b:44:df:07:d9:1b:c7:0f:cd:19:3f:13:
        4f:dd:17:c2:5d:3a:18:9b:76:05:55:14:a4:3b:67:75:38:bd:
        35:78:79:1a:db:d7:f3:e1:a2:da:f2:f3:9f:00:64:88:fc:2f:
        de:d5:4f:e8:69:b4:65:de:dc:7b:df:8f:0b:a0:03:8b:af:90:
        2a:f2:75:ed:5c:00:89:fd:c8:50:98:e4:09:13:77:7b:03:72:
        15:e7:b3:82:f6:54:8d:5e:dd:88:39:9a:b4:ce:67:e1:75:b5:
        5d:41:08:68:49:44:96:b3:d5:70:58:7a:38:e5:6a:84:72:b5:
        62:ad:b0:7a:c5:c1:df:b9:3d:a7:3b:32:7a:36:ca:3f:b6:28:
        ba:ad:d7:6a:83:ae:32:06:d5:e1:64:96:ff:74:b6:60:93:72:
        fb:95:3b:98:f4:98:a3:b1:d1:fc:bb:08:f5:0b:15:2c:fc:48:
        84:07:01:aa:ec:83:05:f0:4d:86:73:25:51:6d:e0:0d:a5:99:
        dd:10:22:01:5d:ce:76:3c:23:5e:29:d3:ed:c4:ca:6a:8f:d9:
        51:01:4d:f2:96:86:e7:ab:50:fe:be:c1:7b:83:c4:60:dc:3d:
        47:ce:29:17
—–BEGIN CERTIFICATE—–
MIIFKTCCBBGgAwIBAgIISGEQt724KVEwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMTYwNjEzMDg1ODM4WhcN
MTcwNjE0MTcwOTIxWjA6MSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
ZWQxFTATBgNVBAMMDCouY29uY2VwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKTI1V2lbeFLEJpt1IMwdHrx69dFFbFHHJfDnAEcbc2vUw8nlKfl
sGMoqFaE79CDiMqsJzHUUnxiEiRHd9i5A6ssWNnV1IBRIpvcKuULYDq7qnz0iiEu
XOrdP79KvXqBMiXb9OEeGDYs14FdjFX0vcwHT8qLV7ZdiYGMsX3ZEeMiDJg5Bzwi
MsaN69jbhwGteb+8+kKn5QvqTMWa578RKzCKp0HtC5sN0YLrjhdEy7amZguH66LG
xHzopMzG9rCeS+fFZptD68+Xv4N5D9s0pTVoedHjqQuDKW+W8dA4Yz8wSBs/Pehb
opuBtqrsLu6nccuXNOKZNOaJg3jtgxhE8ycCAwEAAaOCAbYwggGyMAwGA1UdEwEB
/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQE
AwIFoDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dk
aWcyczEtMjUyLmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcBMDkwNwYIKwYB
BQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9y
eS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDov
L29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlmaWNh
dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQYMBaA
FEDCvSeOzDSDMKIz1/tss/C0LIDOMCMGA1UdEQQcMBqCDCouY29uY2VwLmNvbYIK
Y29uY2VwLmNvbTAdBgNVHQ4EFgQUaAhtaCgIGRzsvu4CQDUayR38Tq4wDQYJKoZI
hvcNAQELBQADggEBAIdgvUmPJyxLJLltFcTotRhGnk6mtN/ia3tE3wfZG8cPzRk/
E0/dF8JdOhibdgVVFKQ7Z3U4vTV4eRrb1/Photry858AZIj8L97VT+hptGXe3Hvf
jwugA4uvkCryde1cAIn9yFCY5AkTd3sDchXns4L2VI1e3Yg5mrTOZ+F1tV1BCGhJ
RJaz1XBYejjlaoRytWKtsHrFwd+5Pac7Mno2yj+2KLqt12qDrjIG1eFklv90tmCT
cvuVO5j0mKOx0fy7CPULFSz8SIQHAarsgwXwTYZzJVFt4A2lmd0QIgFdznY8I14p
0+3EymqP2VEBTfKWhuerUP6+wXuDxGDcPUfOKRc=
—–END CERTIFICATE—–

Or alternatively VIEW details of SSL:

10. Move or copy an SSL certificate from a Windows server to another Windows server

If you have multiple Windows servers that need to use the same SSL certificate, such as in a load-balancer environment or using a wildcard or UC SSL certificates, you can export the certificate to .pfx file and import it on a new Windows server. This may also be necessary when you switch hosting companies. We will go over the exact process with step-by-step instructions in this article. If necessary, you can copy the SSL certificate to an Apache or other type of server.

Explanations of all file types – Raise a CSR and apply SSL on an AWS/IIS/ELB

We will assume that you have already successfully installed the SSL certificate on one Windows web server. You will follow these steps to move or copy that working certificate to a new server:

  1. Export the SSL certificate from the server with the private key and any intermediate certificates into a .pfx file.
  2. Import the SSL certificate and private key on the new server.
  3. Configure your web sites to use them in IIS.

On a Windows server you will need to export your certificate from the MMC console to a .pfx file with your private key. You can then copy that .pfx file to the new Windows server and import it. The following screenshots are from a Windows Server 2008 machine but any differences for Windows Server 2003 are noted.

10.1 Export the certificate from the Windows MMC console

The export is done with a .PFX file holding the private amd intermediate keys, secured with a password!

Note: These instructions will have you export the certificate using the MMC console. If you have Windows Server 2008 (IIS7) you can also import and export certificates directly in the Server Certificates section in IIS. Click here to hide or show the images

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-1.png
  1. Click on the File menu and click Add/Remove Snap-in…
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-2.png
  1. If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-3.png
  1. Click on Computer Account and click Next.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-4.png
  1. Leave Local Computer selected and click Finish.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-5.png
  1. If you are using Windows Server 2003, click the Close button. Click OK.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-6.png
  1. Click the plus sign next to Certificates in the left pane.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-7.png
  1. Click the plus sign next to the Personal folder and click on the Certificates folder. Right-click on the certificate you would like to export and select All Tasks and then Export…
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-8.png
  1. In the Certificate Export Wizard click Next.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-9.png
  1. Choose “Yes, export the private key” and click Next.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-10.png
  1. Click the checkbox next to “Include all certificates in the certification path if possible” and click Next.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-11.png
  1. Enter and confirm a password. This password will be needed whenever the certificate is imported to another server.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-12.png
  1. Click Browse and find a location to save the .pfx file to. Type in a name such as “mydomain.pfx” and then click Next.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-13.png
  1. Click Finish. The .pfx file containing the certificates and the private key is now saved to the location you specified.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-14.png

10.2 Import the certificate in the Windows MMC console (intermediates.root)

Following import is done for new CA root/intermediate certs (or expired).

The steps below are for importing of the private key to another Windows server (when no root cert required)

After you have exported the certificate from the original server you will need to copy the .pfx file that you created to the new server and follow these import instructions.

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-1.png
  1. Click on the File menu and click Add/Remove Snap-in…
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-2.png
  1. If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-3.png
  1. Click on Computer Account and click Next.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-4.png
  1. Leave Local Computer selected and click Finish.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-5.png
  1. If you are using Windows Server 2003, click the Close button. Click OK.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Export-6.png
  1. Right-click on the Personal folder and select All Tasks and then Import…
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Import-1.png
  1. In the Certificate Import Wizard click Next.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Import-2.png
  1. Click the Browse button and change the file type from “X.509…” to “Personal Information Exchange (*.pfx, *.p12)”. find the .pfx file that you copied over and click Open and then Next.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Import-3.png
  1. Enter the password that you set when you exported the .pfx file and click “Mark this key as exportable” so you can export the certificate from this machine as well as the original. Click Next.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Import-4.png
  1. Click “Automatically select the certificate store based on the type of certificate” and click Next.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Import-5.png
  1. Click Finish to complete the wizard.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Import-6.png
  1. You can now click the Refresh button in the toolbar to refresh and find your certificate in the Certificates folder under Personal. You can verify that it was imported correctly by double-clicking it and looking for “You have a private key that corresponds to this certificate” at the bottom of the certificate dialog.
http://www.sslshopper.com/assets/images/move-import-export-certificates/Windows-SSL-Import-7.png
  1. Close the MMC console. You do not need to save any changes.

10.3 Importing whole chain (private + intermediates) into a new server

This option is much simpler. Import is done ONCE the renewal of CSR is completed on the original server CRS request is generated.

When Completed the PFX file could be exported and reimported

Import is done in general IIS page (not site pages) at ‘SERVER Certificates’ icon. Then Import. and let it automatically decide the import.

10.4 RENAME the Friendly name of existing SSL

  1. Importing of certs via IIS Certificate Icon at the main IIS Dashboard page

Changing the Friendly Name of an SSL Certificate

SSL Certificates are not required to have friendly names and are not part of the SSL Certificate. However, in environments that require multiple SSL Certificates, the lack of friendly names or poorly used friendly names can make managing your SSL Certificate more difficult.

If you are using multiple SSL Certificates in your environment, good friendly names can help you easily identify each certificate at a glance. You can use friendly names to remind you when a certificate expires, to provide information about who issued the certificate, and to distinguish multiple certificates with the same domain name.

On IIS and Exchange servers, when assigning your SSL Certificates to a website or a domain, friendly names are extremely helpful because certificates are displayed by their friendly names.

How to Edit an SSL Certificate’s Friendly Name with the DigiCert Utility

  1. On the Windows server where your SSL Certificates are located, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).
  2. Run the DigiCert® Certificate Utility for Windows (double-click DigiCertUtil).
  3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), right-click on the SSL Certificate whose friendly name you want to change, and then click Edit friendly name.
DigiCert Utility
  • In the Friendly Name box, enter a unique friendly name for the certificate to help you distinguish this certificate from the other certificates on your server.

Example Naming Conventions:

Domain Name: yourDomain-digicert-(expiration.date)
 
Company Name: yourCompany-digicert-(expiration.date)
 
Certificate Type: wildcard-digicert-(expiration.date)

Note:    If you are using a Wildcard certificate with multiple websites, you may want to begin your friendly name with a wildcard character * (e.g. *your.domain-digicert-(expiration.date)). This naming convention makes it easier to identify the wildcard certificate so that you can assign it to multiple websites.

DigiCert Utility - Right-Click Menu
  • When you are finished, click Save.

NOTES:

  1. Have to complete the CSR request . Then EXPORT the PFX file with strong password
  2. Importing of certs via IIS Certificate Icon at the main IIS Dashboard page
  3. IF the Certificate is not using the ‘*.domain.com‘ name – the IIS website will not accept it for specific HOSTNAME and will greyout the area. Use Digicert, or just name it *.whatever it is
    Use Digicert to rename friendly name of installed certificate –  You have a wildcard SSL such as *.ipsum.com and the certificate is installed but you can’t choose a host name for the site in IIS when you try to add an HTTPS binding because the text box is greyed out.

The solution -Your wildcard SSL can be used with any subdomain, you just need to make sure you start the Friendly Name of the certificate with *. I prefer to use the same friendly name as the wildcard domain, e.g. *.ipsum.com but you can call it anything that beings with the asterix: *foo I gave my certificate the wrong Friendly Name, help!

Since Windows 8 or Server 2012, you can type certlm.msc in the start menu to manage certificates for the local machine. On previous versions of windows you will need to do something slightly more convoluted:

  1. Run mmc.exe from start
  2. Go to File menu and choose Add/Remove Snap-in... or hit (Ctrl-M)
  3. Highlight the Certificates snap-in and hit Add > then choose Computer Account followed by Local Computer in the subsequent dialogs then hit Finish followed by OK to close the Snap-ins window

In the main window, expand Certificates (Local Computer) then Personal then Certificates and you will be able to right-click the certificate, hit Properties where you can update the friendly name.

10.5 .Adding SSL to OpnevpnAccess Server

Use the web UI/Webserver tab at vpn.domain.com/admin

5.

TOOLS

SSL checker https://www.sslshopper.com/ssl-checker.html

Decoder,checker, matcher, reader: https://www.sslshopper.com/ssl-certificate-tools.html

SSL Server test – SSL and Cipher Suites: https://www.ssllabs.com/ssltest/

DigiCert check – https://www.digicert.com/help/

CIPHER SUITES – Cipher Suites in Schannel

A cipher suite is a set of cryptographic algorithms. Schannel protocols use algorithms from a cipher suite to create keys and encrypt information. A cipher suite specifies one algorithm for each of the following tasks:

  • Key exchange
  • Bulk encryption
  • Message authentication

Key exchange algorithms protect information required to create shared keys. These algorithms are asymmetric (public key algorithms) and perform well for relatively small amounts of data.

Bulk encryption algorithms encrypt messages exchanged between clients and servers. These algorithms are symmetric and perform well for large amounts of data.

Message authentication algorithms generate message hashes and signatures that ensure the integrity of a message.

Developers specify these elements by using ALG_ID data types. For more information, see Specifying Schannel Ciphers and Cipher Strengths.

Schannel supports the following cipher suites. The suites are listed in the default order in which they are chosen by the Microsoft Schannel Provider.

Cipher suite FIPS mode enabled Protocols Exchange Encryption Hash
TLS_RSA_WITH_AES_128_CBC_SHA256 Yes TLS 1.2 RSA AES SHA256
TLS_RSA_WITH_AES_128_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0 RSA AES SHA1
TLS_RSA_WITH_AES_256_CBC_SHA256 Yes TLS 1.2 RSA AES SHA256
TLS_RSA_WITH_AES_256_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0 RSA AES SHA1
TLS_RSA_WITH_RC4_128_SHA No TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 RSA RC4 SHA1
TLS_RSA_WITH_3DES_EDE_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0 RSA 3DES SHA1
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 Yes TLS 1.2 ECDH_P256 AES SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 Yes TLS 1.2 ECDH_P384 AES SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 Yes TLS 1.2, TLS 1.1, TLS 1.0 ECDH_P256 AES SHA1
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 Yes TLS 1.2, TLS 1.1, TLS 1.0 ECDH_P384 AES SHA1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 Yes TLS 1.2, TLS 1.1, TLS 1.0 ECDH_P256 AES SHA1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 Yes TLS 1.2, TLS 1.1, TLS 1.0 ECDH_P384 AES SHA1
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 Yes TLS 1.2 ECDH_P256 AES SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 Yes TLS 1.2 ECDH_P384 AES SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 Yes TLS 1.2 ECDH_P256 AES SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 Yes TLS 1.2, TLS 1.1, TLS 1.0 ECDH_P256 AES SHA1
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 Yes TLS 1.2, TLS 1.1, TLS 1.0 ECDH_P384 AES SHA1
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 Yes TLS 1.2, TLS 1.1, TLS 1.0 ECDH_P256 AES SHA1
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 Yes TLS 1.2, TLS 1.1, TLS 1.0 ECDH_P384 AES SHA1
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 Yes TLS 1.2 ECDH_P384 AES SHA384
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 Yes TLS 1.2 DH AES SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0 DH AES SHA1
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 Yes TLS 1.2 DH AES SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0 DH AES SHA1
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 DH 3DES SHA1
TLS_RSA_WITH_RC4_128_MD5 No TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 RSA RC4 MD5
SSL_CK_RC4_128_WITH_MD5 No SSL 2.0 RSA RC4 MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 No SSL 2.0 RSA 3DES MD5
TLS_RSA_WITH_NULL_SHA256 No TLS 1.2 RSA NULL SHA256
TLS_RSA_WITH_NULL_SHA No TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 RSA NULL SHA1

The following cipher suites are supported by Schannel; however, they are not present by default. They must be added as necessary. For information about how to add cipher suites to the Schannel provider, see Prioritizing Schannel Cipher Suites.

  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  • SSL_CK_RC4_128_EXPORT40_MD5
  • SSL_CK_DES_64_CBC_WITH_MD5
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_NULL_MD5
  • TLS_RSA_WITH_NULL_SHA
  • TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521

Windows Server 2008 and Windows Vista:  For information about supported cipher suites in Windows Vista, see Schannel Cipher Suites in Windows Vista.

Windows Server 2003 and Windows XP:  For information about supported cipher suites, see the following topics.

Follow the best practice below:

If you configure a web server’s TLS configuration, you have primarily to take care of three things:

  1. disable SSL 2.0 (FUBAR) and SSL 3.01 (POODLE),
  2. disable TLS 1.0 compression (CRIME),
  3. disable weak ciphers (DES, RC4), prefer modern ciphers (AES), modes (GCM), and protocols (TLS 1.2).

You should also put effort into mitigating BREACH. That’s out of scope here though as it’s largely application-dependent.

Software and Versions

On the server side you should update your OpenSSL to 1.0.1c+ so you can support TLS 1.2, GCM, and ECDHE as soon as possible. Fortunately that’s already the case in Ubuntu 12.04 and later.

On the client side the browser vendors are starting to catch up. As of now, Chrome 30, Internet Explorer 11 on Windows 8, Safari 7 on OS X 10.9, and Firefox 26 all support TLS 1.2.

RC4

There used to be a bullet point suggesting to use RC4 to avoid BEAST and Lucky Thirteen. And ironically that used to be the original reason for this article: when Lucky Thirteen came out the word in the streets was: “use RC4 to mitigate” and everyone was like “how!?”.

Unfortunately shortly thereafter RC4 was found broken in a way that makes deploying TLS with it nowadays a risk. While BEAST et al require an active attack on the browser of the victim, passive attacks on RC4 ciphertext are getting stronger every day. In other words: it’s possible that it will become feasible to decrypt intercepted RC4 traffic eventually and the NSA probably already is. Microsoft even issued a security advisory that recommends to disable RC4. As of 2015, there’s even an RFC.

The String

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

You can test it against your OpenSSL installation using

openssl ciphers -v 

to see what’s supported2.

You’ll get:

  • Best possible encryption in all browsers.
  • Perfect forward secrecy; if your web server, your OpenSSL, and their browser support it.
  • It doesn’t offer RC4 even as a fallback. Although its inclusion at the end of the cipher string shouldn’t matter, active downgrade attacks on SSL/TLS exist and having RC4 as part of the the cipher string you potentially expose all of your users to it. Even very old browsers do 3DES just fine.
  • Using ECDSA for authentication is even as of 2015 still very rare and cumbersome/expensive to deploy. Hence it’s completely ignored by the string. That makes it being sorted after RSA which is probably not what you want if you went the lengths to obtain an EC certificate3. However if you manage to deploy a dual-certificate setup (which you still need nowadays), you probably don’t need this article and it would have made the string twice as long.

The string also prefers AES-256 over AES-128 (except for GCM which is preferred over everything else). It does so mostly for liability reasons because customers may insist on it for bogus reasons.

However quoth a cryptographer:

AES-128 isn’t really worse than AES-anythingelse, at least not in ways you care about

The very simplified gist here is that the only reason for having 256 bit keys are quantum computers which are less likely to become a problem than the key scheduling issues in AES-256. But let me stress that both are fine. It’s just that adding AES-256 ciphers doesn’t improve your security in practice.

So if AES-128 is fine for you, feel free to add an ‘:!AES256’ to the end of the cipher string like I do.

Apache

SSLProtocolALL -SSLv2 -SSLv3
SSLHonorCipherOrderOn
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

This works on both Apache 2.2 and 2.4. If your OpenSSL doesn’t support the preferred modern ciphers (like the still common 0.9.8), it will fall back gracefully but your configuration is ready for the future.

Please note: you need Apache 2.4 for ECDHE and ECDSA. You can circumvent that limitation by putting an SSL proxy like stud or even nginx in front of it and let Apache serve only plain HTTP.

TLS compression is a bit more complicated: as of Apache 2.2.23, it’s not possible to switch it off inside of Apache. For Apache 2.2.24+ and 2.4.3+ you can switch it off using:

SSLCompressionOff

Currently the default is On. But that changed from 2.4.4 on.

The good news for Ubuntu admins is that Ubuntu has back ported that option into their 2.2 packages – and set it to off by default – so you should be fine. On RHEL/CentOS you used to have to set an environment variable but that has been fixed too and should be correct by default now.

nginx

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

TLS compression depends on the version of nginx and the version of OpenSSL. If OpenSSL 1.0.0 or later is installed, anything after nginx 1.0.9 and 1.1.6 is fine. If an older OpenSSL is installed, you’ll need at least nginx 1.2.2 or 1.3.2.

Have a look at this serverfault answer for more details.

TL;DR on TLS compression & nginx: if you’re using Ubuntu 12.04 or later you’re fine (OpenSSL 1.0.1/nginx 1.1.19).

CentOS/Red Hat Enterprise Linux 6

Although CentOS 6.5 is shipping an OpenSSL that is capable of ECDHE key exchange, it doesn’t ship an nginx and the nginx you get from nginx.org is compiled against an older OpenSSL. Therefore openssl ciphers will confusingly show you all the shiny ciphers but nginx just won’t offer it to the clients.

That’s terrible because it costs you PFS for IE browsers.

You’ll have to compile nginx yourself or source it from an alternative package index (EPEL for instance).

HAProxy

For TLS matters HAProxy shouldn’t be older than version 1.5.

global
   ssl-default-bind-options no-sslv3
   ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
   ssl-default-server-options no-sslv3
   ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Bonus Points

Qualys updated their requirements on 2014-01-21 and the cipher suites here are still “A”–material. If you want an “A+” though, you’ll need to add HSTS headers too. That’s out of scope for this article but the linked Wikipedia article will get you started.

Finally

Make sure to test your server afterwards!

If you want to learn more about deploying SSL/TLS, Qualys’s SSL/TLS Deployment Best Practices are a decent primer.

For investigating the SSL/TLS behavior of your browser, How’s My SSL? will give you all the details you need.

The (Near) Future

2013 has galvanized the whole industry. This is a good thing. In 2012 barely anyone lost a thought about configuring their TLS ciphers, how many bits their certificates had, or even forward secrecy. That made it way too easy for the bad folks. Nowadays people are questioning their own practices, open source projects work on enhancing their TLS support, and the public started to listen to cryptographers again instead of discounting them as crazy tinfoil crowd.

Good things are shaping on the horizon and Google’s Adam Langley given the power of having control over both servers and the most popular browser is pressing ahead. Their servers widely support TLS 1.2 with AES-GCM. Chrome has the best TLS support already. Additionally, recent releases now have grown support for ChaCha20 which is an extremely fast yet secure stream cipher by Dan Bernstein and Poly1305 a great MAC of the same pedigree. Google uses them if the the client doesn’t have hardware acceleration for AES.

Now if people just stopped using old browsers and we could roll out SNI and mandatory TLS 1.2.

History

Since I’m keeping this up to date, I’m going to document changes for returning visitors:

  • 2015-05-20: The new weakdh/Logjam attack doesn’t affect you if you followed these instructions. It might be worthwhile though to create your own DH groups with at least 2048 bits as described in this guide.
  • 2015-01-16: Added a note on ECDSA because there seemed to be some confusion about it.
  • 2014-11-25: Added HAProxy, courtesy of Sander Klein.
  • 2014-10-24: Updated the TLS compression part about Red Hat/CentOS. TL;DR: it’s secure by default now.
  • 2014-10-21: Clarified that Internet Explorer 8 on Windows XP works fine with TLSv1-only. The original wrong claim stemmed from the fact that I double-checked using SauceLabs and it turned out that they don’t use Windows XP when you ask for it but Windows Server 2003 R2 instead. Since then I re-tested using actual Windows XP workstations running Internet Explorer 8 and it works fine.
  • 2014-10-15: Disabled SSLv3 because of POODLE.
  • 2014-04-11: Added note on CentOS/RHEL 6 and nginx+ECDHE.
  • 2014-01-17: RSA+AES has been split into RSA+AESGCM:RSA+AES. This is a very minor update that only matters if you have TLS 1.2 but neither ECDHE nor DHE (which is rather rare). It makes sure, that RSA-AES-128-GCM is preferred over RSA-AES-256-CBC in these cases. Since both are just fallbacks and you should use PFS ciphers, this is just minutiae.

CIPHER SUITE NAMES

The following lists give the SSL or TLS cipher suites names from the relevant specification and their OpenSSL equivalents. It should be noted, that several cipher suite names do not include the authentication used, e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.

SSL v3.0 cipher suites

 SSL_RSA_WITH_NULL_MD5                   NULL-MD5
 SSL_RSA_WITH_NULL_SHA                   NULL-SHA
 SSL_RSA_WITH_RC4_128_MD5                RC4-MD5
 SSL_RSA_WITH_RC4_128_SHA                RC4-SHA
 SSL_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
 SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
 SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        DH-DSS-DES-CBC3-SHA
 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        DH-RSA-DES-CBC3-SHA
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       DHE-DSS-DES-CBC3-SHA
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       DHE-RSA-DES-CBC3-SHA
 SSL_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
 SSL_FORTEZZA_KEA_WITH_NULL_SHA          Not implemented.
 SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA  Not implemented.
 SSL_FORTEZZA_KEA_WITH_RC4_128_SHA       Not implemented.

TLS v1.0 cipher suites

 TLS_RSA_WITH_NULL_MD5                   NULL-MD5
 TLS_RSA_WITH_NULL_SHA                   NULL-SHA
 TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
 TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
 TLS_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
 TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       DHE-DSS-DES-CBC3-SHA
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       DHE-RSA-DES-CBC3-SHA
 TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA

AES ciphersuites from RFC3268, extending TLS v1.0

 TLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
 TLS_RSA_WITH_AES_256_CBC_SHA            AES256-SHA
 TLS_DH_DSS_WITH_AES_128_CBC_SHA         DH-DSS-AES128-SHA
 TLS_DH_DSS_WITH_AES_256_CBC_SHA         DH-DSS-AES256-SHA
 TLS_DH_RSA_WITH_AES_128_CBC_SHA         DH-RSA-AES128-SHA
 TLS_DH_RSA_WITH_AES_256_CBC_SHA         DH-RSA-AES256-SHA
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA        DHE-DSS-AES128-SHA
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA        DHE-DSS-AES256-SHA
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DHE-RSA-AES128-SHA
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA        DHE-RSA-AES256-SHA
 TLS_DH_anon_WITH_AES_128_CBC_SHA        ADH-AES128-SHA
 TLS_DH_anon_WITH_AES_256_CBC_SHA        ADH-AES256-SHA

Camellia ciphersuites from RFC4132, extending TLS v1.0

 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA      CAMELLIA128-SHA
 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA      CAMELLIA256-SHA
 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA   DH-DSS-CAMELLIA128-SHA
 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA   DH-DSS-CAMELLIA256-SHA
 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA   DH-RSA-CAMELLIA128-SHA
 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA   DH-RSA-CAMELLIA256-SHA
 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA  DHE-DSS-CAMELLIA128-SHA
 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  DHE-DSS-CAMELLIA256-SHA
 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  DHE-RSA-CAMELLIA128-SHA
 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  DHE-RSA-CAMELLIA256-SHA
 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA  ADH-CAMELLIA128-SHA
 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  ADH-CAMELLIA256-SHA

SEED ciphersuites from RFC4162, extending TLS v1.0

 TLS_RSA_WITH_SEED_CBC_SHA              SEED-SHA
 TLS_DH_DSS_WITH_SEED_CBC_SHA           DH-DSS-SEED-SHA
 TLS_DH_RSA_WITH_SEED_CBC_SHA           DH-RSA-SEED-SHA
 TLS_DHE_DSS_WITH_SEED_CBC_SHA          DHE-DSS-SEED-SHA
 TLS_DHE_RSA_WITH_SEED_CBC_SHA          DHE-RSA-SEED-SHA
 TLS_DH_anon_WITH_SEED_CBC_SHA          ADH-SEED-SHA

GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0

Note: these ciphers require an engine which including GOST cryptographic algorithms, such as the ccgost engine, included in the OpenSSL distribution.

 TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89
 TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89
 TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94-NULL-GOST94
 TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001-NULL-GOST94

Additional Export 1024 and other cipher suites

Note: these ciphers can also be used in SSL v3.

 TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA

Elliptic curve cipher suites.

 TLS_ECDHE_RSA_WITH_NULL_SHA             ECDHE-RSA-NULL-SHA
 TLS_ECDHE_RSA_WITH_RC4_128_SHA          ECDHE-RSA-RC4-SHA
 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     ECDHE-RSA-DES-CBC3-SHA
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDHE-RSA-AES128-SHA
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      ECDHE-RSA-AES256-SHA
 TLS_ECDHE_ECDSA_WITH_NULL_SHA           ECDHE-ECDSA-NULL-SHA
 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        ECDHE-ECDSA-RC4-SHA
 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   ECDHE-ECDSA-DES-CBC3-SHA
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    ECDHE-ECDSA-AES128-SHA
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    ECDHE-ECDSA-AES256-SHA
 TLS_ECDH_anon_WITH_NULL_SHA             AECDH-NULL-SHA
 TLS_ECDH_anon_WITH_RC4_128_SHA          AECDH-RC4-SHA
 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA     AECDH-DES-CBC3-SHA
 TLS_ECDH_anon_WITH_AES_128_CBC_SHA      AECDH-AES128-SHA
 TLS_ECDH_anon_WITH_AES_256_CBC_SHA      AECDH-AES256-SHA

TLS v1.2 cipher suites

 TLS_RSA_WITH_NULL_SHA256                  NULL-SHA256
 TLS_RSA_WITH_AES_128_CBC_SHA256           AES128-SHA256
 TLS_RSA_WITH_AES_256_CBC_SHA256           AES256-SHA256
 TLS_RSA_WITH_AES_128_GCM_SHA256           AES128-GCM-SHA256
 TLS_RSA_WITH_AES_256_GCM_SHA384           AES256-GCM-SHA384
 TLS_DH_RSA_WITH_AES_128_CBC_SHA256        DH-RSA-AES128-SHA256
 TLS_DH_RSA_WITH_AES_256_CBC_SHA256        DH-RSA-AES256-SHA256
 TLS_DH_RSA_WITH_AES_128_GCM_SHA256        DH-RSA-AES128-GCM-SHA256
 TLS_DH_RSA_WITH_AES_256_GCM_SHA384        DH-RSA-AES256-GCM-SHA384
 TLS_DH_DSS_WITH_AES_128_CBC_SHA256        DH-DSS-AES128-SHA256
 TLS_DH_DSS_WITH_AES_256_CBC_SHA256        DH-DSS-AES256-SHA256
 TLS_DH_DSS_WITH_AES_128_GCM_SHA256        DH-DSS-AES128-GCM-SHA256
 TLS_DH_DSS_WITH_AES_256_GCM_SHA384        DH-DSS-AES256-GCM-SHA384
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       DHE-RSA-AES128-SHA256
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       DHE-RSA-AES256-SHA256
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       DHE-RSA-AES128-GCM-SHA256
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       DHE-RSA-AES256-GCM-SHA384
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       DHE-DSS-AES128-SHA256
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       DHE-DSS-AES256-SHA256
 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       DHE-DSS-AES128-GCM-SHA256
 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       DHE-DSS-AES256-GCM-SHA384
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     ECDHE-RSA-AES128-SHA256
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     ECDHE-RSA-AES256-SHA384
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE-RSA-AES128-GCM-SHA256
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE-RSA-AES256-GCM-SHA384
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE-ECDSA-AES128-SHA256
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE-ECDSA-AES256-SHA384
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE-ECDSA-AES128-GCM-SHA256
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE-ECDSA-AES256-GCM-SHA384
 TLS_DH_anon_WITH_AES_128_CBC_SHA256       ADH-AES128-SHA256
 TLS_DH_anon_WITH_AES_256_CBC_SHA256       ADH-AES256-SHA256
 TLS_DH_anon_WITH_AES_128_GCM_SHA256       ADH-AES128-GCM-SHA256
 TLS_DH_anon_WITH_AES_256_GCM_SHA384       ADH-AES256-GCM-SHA384
 RSA_WITH_AES_128_CCM                      AES128-CCM
 RSA_WITH_AES_256_CCM                      AES256-CCM
 DHE_RSA_WITH_AES_128_CCM                  DHE-RSA-AES128-CCM
 DHE_RSA_WITH_AES_256_CCM                  DHE-RSA-AES256-CCM
 RSA_WITH_AES_128_CCM_8                    AES128-CCM8
 RSA_WITH_AES_256_CCM_8                    AES256-CCM8
 DHE_RSA_WITH_AES_128_CCM_8                DHE-RSA-AES128-CCM8
 DHE_RSA_WITH_AES_256_CCM_8                DHE-RSA-AES256-CCM8
 ECDHE_ECDSA_WITH_AES_128_CCM              ECDHE-ECDSA-AES128-CCM
 ECDHE_ECDSA_WITH_AES_256_CCM              ECDHE-ECDSA-AES256-CCM
 ECDHE_ECDSA_WITH_AES_128_CCM_8            ECDHE-ECDSA-AES128-CCM8
 ECDHE_ECDSA_WITH_AES_256_CCM_8            ECDHE-ECDSA-AES256-CCM8

Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2

 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384
 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   ECDHE-RSA-CAMELLIA128-SHA256
 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   ECDHE-RSA-CAMELLIA256-SHA384

Pre-shared keying (PSK) ciphersuites

 PSK_WITH_NULL_SHA                         PSK-NULL-SHA
 DHE_PSK_WITH_NULL_SHA                     DHE-PSK-NULL-SHA
 RSA_PSK_WITH_NULL_SHA                     RSA-PSK-NULL-SHA
 PSK_WITH_RC4_128_SHA                      PSK-RC4-SHA
 PSK_WITH_3DES_EDE_CBC_SHA                 PSK-3DES-EDE-CBC-SHA
 PSK_WITH_AES_128_CBC_SHA                  PSK-AES128-CBC-SHA
 PSK_WITH_AES_256_CBC_SHA                  PSK-AES256-CBC-SHA
 DHE_PSK_WITH_RC4_128_SHA                  DHE-PSK-RC4-SHA
 DHE_PSK_WITH_3DES_EDE_CBC_SHA             DHE-PSK-3DES-EDE-CBC-SHA
 DHE_PSK_WITH_AES_128_CBC_SHA              DHE-PSK-AES128-CBC-SHA
 DHE_PSK_WITH_AES_256_CBC_SHA              DHE-PSK-AES256-CBC-SHA
 RSA_PSK_WITH_RC4_128_SHA                  RSA-PSK-RC4-SHA
 RSA_PSK_WITH_3DES_EDE_CBC_SHA             RSA-PSK-3DES-EDE-CBC-SHA
 RSA_PSK_WITH_AES_128_CBC_SHA              RSA-PSK-AES128-CBC-SHA
 RSA_PSK_WITH_AES_256_CBC_SHA              RSA-PSK-AES256-CBC-SHA
 PSK_WITH_AES_128_GCM_SHA256               PSK-AES128-GCM-SHA256
 PSK_WITH_AES_256_GCM_SHA384               PSK-AES256-GCM-SHA384
 DHE_PSK_WITH_AES_128_GCM_SHA256           DHE-PSK-AES128-GCM-SHA256
 DHE_PSK_WITH_AES_256_GCM_SHA384           DHE-PSK-AES256-GCM-SHA384
 RSA_PSK_WITH_AES_128_GCM_SHA256           RSA-PSK-AES128-GCM-SHA256
 RSA_PSK_WITH_AES_256_GCM_SHA384           RSA-PSK-AES256-GCM-SHA384
 PSK_WITH_AES_128_CBC_SHA256               PSK-AES128-CBC-SHA256
 PSK_WITH_AES_256_CBC_SHA384               PSK-AES256-CBC-SHA384
 PSK_WITH_NULL_SHA256                      PSK-NULL-SHA256
 PSK_WITH_NULL_SHA384                      PSK-NULL-SHA384
 DHE_PSK_WITH_AES_128_CBC_SHA256           DHE-PSK-AES128-CBC-SHA256
 DHE_PSK_WITH_AES_256_CBC_SHA384           DHE-PSK-AES256-CBC-SHA384
 DHE_PSK_WITH_NULL_SHA256                  DHE-PSK-NULL-SHA256
 DHE_PSK_WITH_NULL_SHA384                  DHE-PSK-NULL-SHA384
 RSA_PSK_WITH_AES_128_CBC_SHA256           RSA-PSK-AES128-CBC-SHA256
 RSA_PSK_WITH_AES_256_CBC_SHA384           RSA-PSK-AES256-CBC-SHA384
 RSA_PSK_WITH_NULL_SHA256                  RSA-PSK-NULL-SHA256
 RSA_PSK_WITH_NULL_SHA384                  RSA-PSK-NULL-SHA384
 PSK_WITH_AES_128_GCM_SHA256               PSK-AES128-GCM-SHA256
 PSK_WITH_AES_256_GCM_SHA384               PSK-AES256-GCM-SHA384
 ECDHE_PSK_WITH_RC4_128_SHA                ECDHE-PSK-RC4-SHA
 ECDHE_PSK_WITH_3DES_EDE_CBC_SHA           ECDHE-PSK-3DES-EDE-CBC-SHA
 ECDHE_PSK_WITH_AES_128_CBC_SHA            ECDHE-PSK-AES128-CBC-SHA
 ECDHE_PSK_WITH_AES_256_CBC_SHA            ECDHE-PSK-AES256-CBC-SHA
 ECDHE_PSK_WITH_AES_128_CBC_SHA256         ECDHE-PSK-AES128-CBC-SHA256
 ECDHE_PSK_WITH_AES_256_CBC_SHA384         ECDHE-PSK-AES256-CBC-SHA384
 ECDHE_PSK_WITH_NULL_SHA                   ECDHE-PSK-NULL-SHA
 ECDHE_PSK_WITH_NULL_SHA256                ECDHE-PSK-NULL-SHA256
 ECDHE_PSK_WITH_NULL_SHA384                ECDHE-PSK-NULL-SHA384
 PSK_WITH_CAMELLIA_128_CBC_SHA256          PSK-CAMELLIA128-SHA256
 PSK_WITH_CAMELLIA_256_CBC_SHA384          PSK-CAMELLIA256-SHA384
 DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256      DHE-PSK-CAMELLIA128-SHA256
 DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384      DHE-PSK-CAMELLIA256-SHA384
 RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256      RSA-PSK-CAMELLIA128-SHA256
 RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384      RSA-PSK-CAMELLIA256-SHA384
 ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256    ECDHE-PSK-CAMELLIA128-SHA256
 ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384    ECDHE-PSK-CAMELLIA256-SHA384
 PSK_WITH_AES_128_CCM                      PSK-AES128-CCM
 PSK_WITH_AES_256_CCM                      PSK-AES256-CCM
 DHE_PSK_WITH_AES_128_CCM                  DHE-PSK-AES128-CCM
 DHE_PSK_WITH_AES_256_CCM                  DHE-PSK-AES256-CCM
 PSK_WITH_AES_128_CCM_8                    PSK-AES128-CCM8
 PSK_WITH_AES_256_CCM_8                    PSK-AES256-CCM8
 DHE_PSK_WITH_AES_128_CCM_8                DHE-PSK-AES128-CCM8
 DHE_PSK_WITH_AES_256_CCM_8                DHE-PSK-AES256-CCM8

ChaCha20-Poly1305 cipher suites, extending TLS v1.2

 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256      ECDHE-RSA-CHACHA20-POLY1305
 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256    ECDHE-ECDSA-CHACHA20-POLY1305
 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256        DHE-RSA-CHACHA20-POLY1305
 TLS_PSK_WITH_CHACHA20_POLY1305_SHA256            PSK-CHACHA20-POLY1305
 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256      ECDHE-PSK-CHACHA20-POLY1305
 TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256        DHE-PSK-CHACHA20-POLY1305
 TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256        RSA-PSK-CHACHA20-POLY1305

Older names used by OpenSSL

The following names are accepted by older releases:

 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA    EDH-RSA-DES-CBC3-SHA (DHE-RSA-DES-CBC3-SHA)
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA    EDH-DSS-DES-CBC3-SHA (DHE-DSS-DES-CBC3-SHA)

NOTES

Some compiled versions of OpenSSL may not include all the ciphers listed here because some ciphers were excluded at compile time.

EXAMPLES

Verbose listing of all OpenSSL ciphers including NULL ciphers:

 openssl ciphers -v 'ALL:eNULL'

Include all ciphers except NULL and anonymous DH then sort by strength:

 openssl ciphers -v 'ALL:!ADH:@STRENGTH'

Include all ciphers except ones with no encryption (eNULL) or no authentication (aNULL):

 openssl ciphers -v 'ALL:!aNULL'

Include only 3DES ciphers and then place RSA ciphers last:

 openssl ciphers -v '3DES:+RSA'

Include all RC4 ciphers but leave out those without authentication:

 openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'

Include all ciphers with RSA authentication but leave out ciphers without encryption.

 openssl ciphers -v 'RSA:!COMPLEMENTOFALL'

Set security level to 2 and display all ciphers consistent with level 2:

 openssl ciphers -s -v 'ALL:@SECLEVEL=2'

Even Further Details on Certificates:

Its not easy to determine by looking at a file extension whether it would carry a certificate or not.

I will be discussing file extensions related to certificates . This would give you some idea on what are the different types of certificates that exist. My area of expertise is in IIS, so I would be discussing related to that mostly.

SSL certificates are being used for various purposes such as:

  • Authentication, The digital certificate is a common credential that provides a means to verify the identity of either the sender or the recipient.
  • Privacy, which ensures that information, is only available to the intended audience. Certificates enable privacy of transmitted data using a number of different methods
  • Encryption, which disguises information so that unauthorized readers are unable to decipher the message. On computers, sensitive data in the form of e-mail messages, files on a disk, and files being transmitted across the network can be encrypted using a key.
  • Digital signatures, it provides strong evidence that the data has not been altered since it was signed and it confirms the identity of the person or entity who signed the data.

Different types of Certificates:

Different file format exists for certificates based upon how they are encoded and what information store. They can be classified as ones that contain the private key and the ones that doesn’t. We have many certificate file types that are supported on Windows. The most commonly used file type which allows private key to be exported is the .pfx/.p12 extension.

Certificate Signing Request (.csr)

This file type is sued by applications to submit requests to the Certification Authority or CA. The request can be base64 encoded as shown below and is enclosed between “—–BEGIN NEW CERTIFICATE REQUEST—–” and “—–END NEW CERTIFICATE REQUEST—–“.

—–BEGIN NEW CERTIFICATE REQUEST—–
MIIERDCCAywCAQAwZDELMAkGA1UEBhMCVVMxEjAQBgNVBAgTCUthcm5hdGFrYTES
MBAGA1UEBxMJQmFuZ2Fsb3JlMQswCQYDVQQKEwJNUzEMMAoG
—–END NEW CERTIFICATE REQUEST—–

 Base64-encoded X.509 Certificate (.cer or .crt)

The Base64 format supports storage of a single certificate. This format does not support storage of the private key or certification path. They are Base64 encoded ASCII files. The encoded string is enclosed between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“. Right click and open a certificate (exported in the base 64 format) in a notepad:

—–BEGIN CERTIFICATE—–
MIIB0TCCATqgAwIBAgIQUq+2SdEkLr5K6xqjSEvRsDANBgkqhkiG9w0BAQUFADAU MRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTIwODA0MDA0OTEyWhcNMTcwODA0MDAw
MDAwWjAUMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAKjGuGT8NN5chlGSHIqEgjgceLQOX41f46MvYZMbGecoaF
—–END CERTIFICATE—–
Base-64 encoded Certificate

This file type is used more often for exporting certificates.

DER-encoded binary X.509 Certificate (.cer, .der or .crt)

The Distinguished Encoding Rules (DER) format supports storage of a single certificate. This format does not support storage of the private key or certification path.

DER is on of the encoding formats defined by ASN.1 in X.690. It is a variant or a subset of BER. You can refer the following Wiki article for further read: http://en.wikipedia.org/wiki/Distinguished_Encoding_Rules#DER_encoding

Cryptographic Message Syntax Standard (PKCS#7) Certificate (.p7b, .p7r or .spc)

The PKCS #7 format supports storage of certificates and all certificates in the certification path. A PKCS #7 file typically has a .p7b file name extension, but this is not always the case. This again doesn’t support storage of private keys. It is generally used by the CA to provide certificate chain to clients.

However as in the case of any other data file, the creator has the authority to use the existing .p7b extension or change it as desired.

Personal Information Exchange Format (PKCS#12) Certificate (.pfx or .p12)

The Personal Information Exchange format (PFX, also called PKCS #12) defines a file format that can be used for secure storage of certificates (containing both private and public keys), and all certificates in a certification path, protected with a password-based symmetric key. PFX is a predecessor to PKCS#12.

The PKCS #12 formats is the only file format that can be used to export a certificate and its private key. A PKCS#12 certificate containing a private key is shown below:

image

Certificate containing a private key


Certificate Revocation List (.crl extension)

The Certificate Revocation List or CRL is a file type that identifies whether a certificate has been revocated or not. These files are provided by CA’s. The client browser while accessing a site on HTTPS will use the CRL Distribution Points field in the certificate to download the CRL. Here is one example:

image

Certificate from login.live.com depicting the CRL Distribution Points

NOTE: Not all certificates may have CRL distribution points. One good example is a Self-Signed certificate.

Now, once the client (browser) gets the CRL information from the server certificate, it downloads the CRL file and checks the list to ensure that the current certificate is not part of that list. The CA can make the CRL available for download to the client, via HTTP, FTP or any other protocol. Here is the downloaded CRL from the CA:

image
image

CRL file downloaded from the CA


Microsoft serialized certificate store (.sst)

This is one of the most rarely used file types. This format allows storage of multiple certificates in one single file. Typically it contains the ROOT CA certificates. It is the only file type which allows to save the certificate store. It preserves the properties of the certificate stores. There is another extension viz. “.STO”. However, I have rarely seen the usage of either of these file types.

Not much documentation is available except this: http://msdn.microsoft.com/en-us/library/dd921035(v=office.12).aspx


Certificate Trust List (.stl)

Certificate Trust List is generally used during SSL/TLS handshake when Client Certificate Authentication comes in to picture. During SSL Handshake the server sends the client the list of the distinguished CA names that it supports as a part of Server Hello message. The Client uses this list to draw up a list of client certificates that is issued by any of the CA’s in the list i.e., only those client certificates which are issued by any of the CA’s in the CTL will be populated. Below is an example of how a CTL looks like

image


Privacy-enhanced Electronic Mail (.pem)

PEM format is a refinement of base64 encoding. It has been documented in the following RFC’s:

This file format is typically used by OpenSSL to make Private Key available from a .pfx/.p12 file. So this is more widely used in the UNIX/LINUX world and not much in Windows. Once extracted to PEM format, this is how it looks:

Command used to convert PFX to PEM: openssl.exe pkcs12 -in Certificate.pfx -nocerts -out Certificate.pem
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: le-cd130455-259a-4b96-a900-94cc74670020
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 10
—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4F53AB2E5701A52B 5XAtCElFXut0HuvYcKefoc+a++xm7tNXgzLGvIQiBgJbBipPLrnqxLr37xofX21u
G5lnnPHyPSDTdna9fFryIM5sZQuZsvy1JjFyV4yOu1nl2wdzVRJyW/LSdN964lZV
gj3CLaxMce5KL319i3t2A3SeFhMc6KnqxW8XEkkG7MpEhsL3Kz6bf5LJmuVeTfKx
0Ad3lr6t8ct6N8yPIFpqpMR/lHRevHvNilyAeU8dyxg7tzIFQOoapz+s/LjhbZWI
XCdz2a/pH2ERFTKzCRg57dmmQ4znyHpiIxn92WOKQChQiDaIysGYBj4hbSZqaB8p
8H4x4t+TDjWcnIKLp5JxUJt3DN3qlzwP2Vdo/KTlFNvnmmEMmoTd931jALuk0+xC
PaAz7KM1nDwe7zRwpIXCHkTTPp519icQrXj52tEO7sWhFVkjBaoaBVMeYPnpjb88 ==
—–END RSA PRIVATE KEY—–

The two headers ”Proc-Type“ and “DEK-Info” specify the type of encryption. The string following afterwards with “5XAtC…” is Base64-encoded, encrypted, ASN.1-encoded object. Sometimes it also referred to as Base-64 encoded DER Certificate.

It is very similar to the PFX file format and can contain any/all of the following information in one single file.

  • Issued Public Certificate (Client/Server)
  • Intermediate CA Certificate
  • Root CA certificate
  • Private Key

A single PEM file can also be split into multiple PEM files each containing a part of the original PEM file.

PEM for storing Public Key

This format can also be used for storing only the public key information of a certificate. I found this article: http://www.bo.infn.it/alice/introgrd/certmgr/node20.html, which talks about extracting only the public part of the certificate. Even in this case the file is a Base-64 encoded string enclosed between “—–BEGIN PUBLIC KEY—–” and “—–END PUBLIC KEY—–“.

—–BEGIN PUBLIC KEY—–
MIICXQIBAAKBgQDedH/Kb8d0oqAu2+huQTHhQbqP1gx2Ae6LOtVejTt1Tg54f/iF
79E8wD/EUKNJ9omWCj4rFsPF6aiN+QNjmJc5zJqH4uCuIS7NeB2DCIeZxtS6f5oS


qIco7Hxh0B71QnL/22lxAkAXcqs0Ah0yw3+3yBFDJgu1Wj/8gzMMRTrw8B07v13k
gFlJxAuPc2ckMXsegTJf+mMaoS59KXMqcNh3B8P4V2ko
—–END PUBLIC KEY—–

I have personally never encountered any situation or a usage scenario where the public key information of the certificate had to be extracted.

Private Key(.key)

This file format contains the private key of the certificate. On Windows  there is no mechanism available to extract only the private key from the certificate, as it is not required. However, OpenSSL allows only the Private Key to be extracted from the certificate. If you open the file in a notepad, you would find that it is a Base-64 encoded string enclosed between “—–BEGIN RSA PRIVATE KEY—–” and “—–END RSA PRIVATE KEY—–“.

Command used to convert PFX to PEM: openssl.exe pkcs12 -in Certificate.pfx -nocerts -out Certificate.pem
—–BEGIN RSA PRIVATE KEY—–
MIICXQIBAAKBgQDedH/Kb8d0oqAu2+huQTHhQbqP1gx2Ae6LOtVejTt1Tg54f/iF
79E8wD/EUKNJ9omWCj4rFsPF6aiN+QNjmJc5zJqH4uCuIS7NeB2DCIeZxtS6f5oS
BWyoQ/eAjmFE0T/6P/aupsjrrB9qI7mELQnJEikzWCwsiBzSlM+bjdTDeQIDAQAB
AoGBAItNyPisJusTK9wsOdFRYjr9Pib0k7kSXJ8zqIodRy6eQtGS0b6N/ylb+pKl
LJwUlvQuVeAF0XMOb074sPadh5Suyos/Sa8OuHDDRmhxTQjk03EUhXrpGkA7WCU6
VdIf7xyCZFOc4RXy222xHfweZohEZ6qEdqyn7Cy6yQrHJKkBAkEA/15+gomP9rt4
M3Pyp+r2GsCm6aq1lHzF+/Req1Tzj/h4DlBN9dCNH2NnRFJ3S1GbrSsPR9YTpitu
U+eah7+JXQJBAN8BMFa6bye1gc7Y/4McOfeNzUXzQc1TCCwdRxlF7VBxJkOcD3FD
53Ur/TSQL++TaE+ihsuQLUBnO31aJXOSlM0CQQCd83yckSmSmvIGITl90z7V3UNg
VE5rwaFT7hqALtNXwX/AmrsdyBkBySIeiENxOtDnkzKoZClTJpnfG+ng/P+hAkA7
aWGreXfrqFuw8/b+wyJeZZTuseQyA5EFz7cFcK/M4phDIuyqTGD5woJu4osi1K7R
qIco7Hxh0B71QnL/22lxAkAXcqs0Ah0yw3+3yBFDJgu1Wj/8gzMMRTrw8B07v13k
gFlJxAuPc2ckMXsegTJf+mMaoS59KXMqcNh3B8P4V2ko
—–END RSA PRIVATE KEY—–

This is more widely used in JAVA & UNIX world.


More on Certificates:

When a certificate request is created for a website in IIS 6, corresponding private key is also created. The requests are stored under the Certificate Enrollment Requests store under Computer account. This contains the private key information corresponding to the request raised.

Once you have submitted the request to the CA. It will process the request and provide a certificate in .cer, crt or .der extension (DER or Base64 encoded). Now the pending request can be processed in the IIS Manager by installing the certificate which was provided by the CA.

Consider, if somehow the request for the certificate was lost i.e., the request under the Certificate Enrollment Requests was removed. Now if you install the certificate on the website you are bound to see some issues due to the missing key information. The SSL handshake will not complete and you will see a “Page cannot be displayed error message” on the browser.

By default a .cer file doesn’t contain a private key. The notion of such file is that the private key already exists on the server and during installation the binds to the certificate. Now since the request (private key) no longer exists the server doesn’t know how to decrypt the information received from client (encrypted using the public key). However, we are not totally helpless. We can try to retrieve the private key for the certificate. Here are the steps to do it:

1. Import the certificate to the personal store of computer account.

2. Now double click the certificate and go to the Details tab. Select the Thumbprint section and copy the value as shown below:

image

3. We will use certutil tool to map the private key to the certificate. Open a command prompt and execute the following:

Certutil -repairstore my “73 14 b2 20 1c 57 f9 fe 19 36 cf ff 9f cb c9 1e 8c 0f 1a 02

If the command is successful then you will see a confirmation message as shown below:

clip_image009

More information on certutil tool can be found here:
http://technet.microsoft.com/en-us/library/cc772898%28WS.10%29.aspx

Scenarios:

Sometimes the web-administrator has to install the same certificate across various servers in a load balanced server. So, continuing from the above scenario let’s assume the web-admin has to install the cert on other 12 servers. Manually copying the .cer file to every server and running the above command is quite tedious.

Why can’t we export the certificate along with the private key to the other servers and then install it? Well, it can be done, provided the private key has been marked as exportable. Generally, you would see this if the certificate was renewed again with the private key not being exported earlier.

Go to the websites on which the certificate has been installed.

  1. Right click and select Properties-> Directory Security-> View Certificate.
  2. Now go to the details tab and click on “Copy to File…
  3. Click on Next, you will now see a window provided with 2 radio buttons
    • Yes, export the private key
    • No, do not export the private key
  4. If the private key was not marked as exportable, earlier when the certificate was created the first time, then the first option would be grayed out.
  5. Select the first option “Yes, export the private key” and click on Next.
  6. In the next window the “Personal Information Exchange – PKCS#12 (.PFX)” will be selected provided with three checkboxes. Select the first and third option and then click on Next.
  7. Type in the password if required and then click on Next.
  8. Browse to the location where you want to save the file (in .pfx format) and then click on Next.
  9. Click on Finish, you would get a small prompt saying “The export was successful”
  10. Click on OK and it’s done.

Now you have a SSL certificate containing the Private Key. You can copy this to other servers and then install it on the website. You may also choose to install the certificate programmatically on IIS using the KB article 313624.