Provided by: spampd_2.62-2_all 
NAME
SpamPD - Spam Proxy Daemon
VERSION
Documentation for SpamPD version 2.62.
DESCRIPTION
spampd is an SMTP/LMTP proxy that marks (or tags) spam using SpamAssassin
(<http://www.SpamAssassin.org/>). The proxy is designed to be transparent to the sending and receiving
mail servers and at no point takes responsibility for the message itself. If a failure occurs within
spampd (or SpamAssassin) then the mail servers will disconnect and the sending server is still
responsible for retrying the message for as long as it is configured to do so.
spampd uses SpamAssassin to modify (tag) relayed messages based on their spam score, so all SA settings
apply. This is described in the SA documentation. spampd will by default only tell SA to tag a message
if it exceeds the spam threshold score, however you can have it rewrite all messages passing through by
adding the --tagall option (see SA for how non-spam messages are tagged).
spampd logs all aspects of its operation to syslog(8), using the mail syslog facility.
The latest version can be found at <https://github.com/mpaperno/spampd>.
SYNOPSIS
spampd [ options ]
Options:
--config <filename> Load options from file(s).
--host <host>[:<port>] Hostname/IP and optional port to listen on.
--port <n> Port to listen on (alternate syntax to above).
--socket <socketpath> UNIX socket to listen on.
--socket-perms <mode> The octal mode to set on the UNIX socket.
--relayhost <hst>[:<prt>] Host and optional port to relay mail to.
--relayport <n> Port to relay to (alternate syntax to above).
--relaysocket <sockpath> UNIX socket to relay to.
--min-servers | -mns <n> The minimum number of servers to keep running.
--min-spare | -mnsp <n> The minimum number of servers to have waiting.
--max-spare | -mxsp <n> The maximum number of servers to have waiting.
--max-servers | -mxs <n> The maximum number of child servers to start.
--maxrequests or -r <n> Maximum requests that each child can process.
--childtimeout <n> Time out children after this many seconds.
--satimeout <n> Time out SpamAssassin after this many seconds.
--child-name-template [s] Template for formatting child process name.
--pid or -p <filename> Store the daemon's process ID in this file.
--user or -u <user> Specifies the user that the daemon runs as.
--group or -g <group> Specifies the group that the daemon runs as.
--[no]detach Detach from the console daemonize (default).
--[no]setsid Completely detach from stderr with setsid().
--maxsize n Maximum size of mail to scan (in KB).
--dose (D)ie (o)n (s)pamAssassin (e)rrors.
--tagall Tag all messages with SA headers, not just spam.
--set-envelope-headers Set X-Envelope-From and X-Envelope-To headers.
--set-envelope-from Set X-Envelope-From header only.
--local-only or -L Turn off all SA network-based tests.
--homedir <path> Use the specified directory as SA home.
--saconfig <filename> Use the file for SA "user_prefs" configuration.
--logfile or -o <dest> Destination for logs (syslog|stderr|<filename>).
--logsock or -ls <sock> Allows specifying the syslog socket type.
--logident or -li <name> Specify syslog identity name.
--logfacility or -lf <nm> Specify syslog facility (log name).
--log-rules-hit or -rh Log the names of each matched SA test per mail.
--debug or -d [<areas>] Controls extra debug logging.
--help | -h | -? [txt] Show basic command-line usage.
-hh | -?? [txt] Show short option descriptions (this text).
-hhh | -??? [txt] Show usage summary and full option descriptions.
--man [html|txt] Show full docs a man page or HTML/plain text.
--show defaults|<thing> Print default option values or <thing> and exit.
--version Print version information and exit.
Compatibility with previous SpamPD versions:
--children or -c <n> Same as --max-servers | -mxs (since v2.60).
Deprecated since SpamAssassin v3:
--auto-whitelist or -aw Use the SA global auto-whitelist feature.
REQUIRES
Perl modules:
Mail::SpamAssassin
Net::Server (>= v0.89, v2.009+ recommended) with PreForkSimple and/or PreFork submodules.
IO::File
Time::HiRes
IO::Socket::IP (if using TCP/IP sockets)
IO::Socket::UNIX (if using UNIX sockets)
OPERATION
spampd is meant to operate as an S/LMTP mail proxy which passes each message through SpamAssassin for
analysis. Note that spampd does not do anything other than check for spam, so it is not suitable as an
anti-relay system. It is meant to work in conjunction with your regular mail system. Typically one
would pipe any messages they wanted scanned through spampd after initial acceptance by your MX host.
This is especially useful for using Postfix's (http://www.postfix.org) advanced content filtering
mechanism, although certainly not limited to that application.
Please re-read the second sentence in the above paragraph. You should NOT enable spampd to listen on a
public interface (IP address) unless you know exactly what you're doing! It is very easy to set up an
open relay this way.
Here are some simple examples (square brackets in the "diagrams" indicate physical machines):
Running between firewall/gateway and internal mail server
The firewall/gateway MTA would be configured to forward all of its mail to the port that spampd listens
on, and spampd would relay its messages to port 25 of your internal server. spampd could either run on
its own host (and listen on any port) or it could run on either mail server (and listen on any port
except port 25).
Internet ->
[ MX gateway (@inter.net.host:25) -> spampd (@localhost:2025) ] ->
[ Internal mail (@private.host.ip:25) ]
Using Postfix advanced content filtering
Please see the FILTER_README that came with the Postfix distribution. You need to have a version of
Postfix which supports this (ideally v.2 and up).
Internet -> [ Postfix (@inter.net.host:25) ->
spampd (@localhost:10025) ->
Postfix (@localhost:10026) ] -> final delivery
Note that these examples only show incoming mail delivery. Since it is often unnecessary to scan mail
coming from your network, it may be desirable to set up a separate outbound route which bypasses spampd.
Scalable Mode
Since v2.60 spampd can optionally run in "scalable mode" which dynamically adjusts the number of child
servers which can process requests simultaneously. This is activated automatically if the "--min-servers"
option is specifically set to be lower than "--max-servers".
Historically SpamPD inherited from the module Net::Server::PreForkSimple which only allows for a static
number of child servers to be running at once. This new option essentially allows for inheriting from
Net::Server::PreFork which features dynamic allocation of child servers, with some tunable parameters.
(The reason PreFork wasn't used to begin with is because older versions of it didn't seem to work... it
was an old TODO to try again later.)
Here is what the Net::Server::PreFork documentation has to say (option names changed to match spampd):
"This personality binds to one or more ports and then forks "--min-servers" child process. The server
will make sure that at any given time there are "--min-spare" servers available to receive a client
request, up to "--max-servers". Each of these children will process up to "--maxrequests" client
connections. This type is good for a heavily hit site, and should scale well for most applications."
Some experimentation and tuning will likely be needed to get the best performance vs. efficiency. Keep in
mind that a SIGHUP sent to the parent process will reload configuration files and restart child servers
gracefully (handy for tuning a busy site).
See the documentation for "--min-servers", "--max-servers", "--min-spare", and "--max-spare" options, and
also the section about "Other Net::Server Options" for tuning parameters and links to further
documentation.
INSTALLATION AND CONFIGURATION
spampd can be run directly from the command prompt if desired. This is useful for testing purposes, but
for long term use you probably want to put it somewhere like /usr/bin or /usr/local/bin and execute it at
system startup. For example on Red Hat-style Linux system one can use a script in /etc/rc.d/init.d to
start spampd (a sample script <https://github.com/mpaperno/spampd/tree/master/misc> is available in the
spampd code repository).
spampd is available as a package for a significant number of Linux distributions, including Debian and
derivatives (Ubuntu, etc). This is typically the easiest/best way to install and configure spampd since
it should already take into account any system specifics for setting up and running as a daemon, etc.
Note however that packages might not offer the latest version of spampd. A good reference for available
packages and their versions can be found at <https://repology.org/project/spampd/versions>.
spampd is also used in the turnkey Mail-in-a-Box <https://mailinabox.email/> project, which includes
Postfix as the main MTA and Dovecot as the local delivery agent with LMTP protocol. Even if you don't
need the turnkey solution, it may be informative to peruse the MIAB setup <https://github.com/mail-in-a-
box/mailinabox/tree/master/setup> / configuration <https://github.com/mail-in-a-
box/mailinabox/tree/master/conf> files for reference.
All spampd options have reasonable defaults, especially for a Postfix-centric installation. You may want
to specify the "--max-servers" option if you have an especially beefy or weak server box because spampd
is a memory-hungry program. Check the "Options" for details on this and all other parameters.
To show default values for all options, run "spampd --show defaults".
Since v2.61 spampd injects a "_SPAMPDVERSION_" "template tag"
<https://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html#TEMPLATE-TAGS> macro at message
processing time. This can be used in an "add_header" SA config file directive, for example.
add_header all Filter-Version SpamAssassin _VERSION_ (_SUBVERSION_, Rules: _RULESVERSION_) / SpamPD _SPAMPDVERSION_
Note that spampd replaces spamd from the SpamAssassin distribution in function. You do not need to run
spamd in order for spampd to work. This has apparently been the source of some confusion, so now you
know.
Postfix-specific Notes
Here is a typical setup for Postfix "advanced" content filtering as described in the FILTER_README that
came with the Postfix distribution (which you really need to read):
/etc/postfix/master.cf:
smtp inet n - y - - smtpd
-o content_filter=smtp:localhost:10025
-o myhostname=mx.example.com
localhost:10026 inet n - n - 10 smtpd
-o content_filter=
-o myhostname=mx-int.example.com
The first entry is the main public-facing MTA which uses localhost:10025 as the content filter for all
mail. The second entry receives mail from the content filter and does final delivery. Both smtpd
instances use the same Postfix main.cf file. spampd is the process that listens on localhost:10025 and
then connects to the Postfix listener on localhost:10026. Note that the "myhostname" options must be
different between the two instances, otherwise Postfix will think it's talking to itself and abort
sending.
For the above example you can simply start spampd like this:
spampd --host=localhost:10025 --relayhost=localhost:10026
FILTER_README from the Postfix distro has more details and examples of various setups, including how to
skip the content filter for outbound mail.
Another tip for Postfix when considering what timeout values to use for --childtimout and --satimeout
options is the following command:
"# postconf | grep timeout"
This will return a list of useful timeout settings and their values. For explanations see the relevant
"man" page (smtp, smtpd, lmtp). By default spampd is set up for the default Postfix timeout values.
The following guide has some more specific setup instructions: Integrating SpamAssassin into Postfix
using spampd <https://wiki.apache.org/spamassassin/IntegratePostfixViaSpampd>
UPGRADING
Always consult the changelog.txt file which should be included in the spampd repository/distribution.
If upgrading from a version prior to 2.2, please note that the --add-sc-header option is no longer
supported. Use SA's built-in header manipulation features instead (as of SA v2.6).
Upgrading from version 1 simply involves replacing the spampd program file with the latest one. Note
that the dead-letters folder is no longer being used and the --dead-letters option is no longer needed
(though no errors are thrown if it's present). Check the "OPTIONS" list below for a full list of new and
deprecated options. Also be sure to check out the change log.
Since v2.60 spampd has a new "Scalable Mode" feature which varies the number of running child servers
based on demand. This is disabled by default. The option previosly known as "--children" (or "-c") is now
called "--max-servers" (or "-mxs"), but the old style is still accepted. See descriptions of the
"max-servers" and "min-servers" options for details.
Also note that v2.60 added the ability to use a "CONFIGURATION FILE" for specifying all options.
USAGE
spampd [
[ --config | --cfg | --config-file | --cfg-file [<filename>] ][...]
[ --host <host>[:<port>] | --socket <path> --socket-perms <mode> ]
[ --relayhost <host>[:<port>] | --relaysocket <path> ]
[--min-servers | -mns <n>] [--saconfig <file>] [--user | -u <user> ]
[--min-spare | -mnsp <n>] [--satimeout <n> ] [--group | -g <group> ]
[--max-spare | -mxsp <n>] [--dose ] [--pid | -p <file> ]
[--max-servers | -mxs <n>] [--maxsize <n> ] [--[no]detach ]
[--maxrequests | -r <n>] [--local-only | -L ] [--[no]setsid ]
[--childtimeout <n>] [--tagall | -a ] [--log-rules-hit | -rh]
[ --child-name-template | -cnt [<template>] ] [--homedir <path> ]
[ [--set-envelope-headers | -seh] | [--set-envelope-from | -sef] ]
[ --logfile | -o (syslog|stderr|<filename>) ][...]
[ --logsock | -ls <socketpath> ] [ --logident | -li <name> ]
[ --debug | -d [<area,...>|1|0] ] [ --logfacility | -lf <name> ]
[ --show ( all | (defaults, config, version, argv, start, self) ) ][...]
]
spampd --version
spampd [--help | -?] | -?? [txt] | -??? [txt] | [-???? | --man [html|txt]]
Options are case-insensitive. "=" can be used as name/value separator instead of space (--name=value).
"-" or "--" prefix can be used for all options. Shortest unique option name can be used. All options must
be listed individually (no "bundling"). All boolean options can take an optional argument of 1 or 0, or
can be negated by adding a "no-" prefix in front of the name. An option specified on the command line
overrides the same option loaded from config file(s).
OPTIONS
Please be sure to also read the general information about specifying option arguments in the above
"USAGE" section.
To view default values for all options, run "spampd --show defaults".
--config or -cfg or --config-file or --cfg-file <filename> "new in v2.60"
Load options from one or more configuration file(s). This option can be specified multiple times.
The "filename" can also be a list of files separated by a ":" (colon). If multiple files specify the
same option, the last one loaded will take precedence. Also any options specified on the actual
command line will take precedence (regardless of where they appear relative to the "--config"
option). --config can only be specified on the command line, one cannot use it within another
configuration file.
See "CONFIGURATION FILE" section for more details.
--host (<ip>|<hostname>)[:<port>]
Specifies what hostname/IP and port spampd listens on. By default, it listens on 127.0.0.1
(localhost) on port 10025.
As of v2.60 this option can also handle IPv6 addresses in the form of "--host n:n:n" or, with port,
"--host [n:n:n]:port" (the square brackets are optional in both forms but recommended in the latter
case).
Note that the port specified this way implicitly overrides the "--port" option.
Important! You should NOT enable spampd to listen on a public interface (IP address) unless you know
exactly what you're doing!
--port <n>
Specifies what port spampd listens on. This is an alternate to using the above "--host=ip:port"
notation. Note that a port specified in the "--host" option will override this one.
--socket <socketpath>
Specifies what UNIX socket spampd listens on. If this is specified, --host and --port are ignored.
--socket-perms <mode>
The file mode for the created UNIX socket (see --socket) in octal format, e.g. 700 to specify acces
only for the user spampd is run as.
--relayhost (<ip>|<hostname>)[:<port>]
Specifies the hostname/IP to which spampd will relay all messages. Defaults to 127.0.0.1 (localhost)
on port 25.
As of v2.60 this option can also handle IPv6 addresses in the form of "--relayhost n:n:n" or, with
port, "--relayhost [n:n:n]:port" (the square brackets are optional in both forms but recommended in
the latter case).
Note that the port specified this way implicitly overrides the "--relayport" option.
--relayport <n>
Specifies what port spampd will relay to. This is an alternate to using the above
--relayhost=ip:port notation. Note that a port specified in the "--relayhost" option will override
this one.
--relaysocket <socketpath>
Specifies what UNIX socket spampd will relay to. If this is specified --relayhost and --relayport
will be ignored.
--user or -u <username>
--group or -g <groupname>
Specifies the user and/or group that the proxy will run as. Default is mail/mail.
--children or -c <n>
--max-servers or -mxs <n> "new in v2.60"
Number of child servers to start and maintain (where n > 0). Each child will process up to
"--maxrequests" (below) before exiting and being replaced by another child. Keep this number low on
systems w/out a lot of memory. Note that there is always a parent process running, so if you
specify 5 children you will actually have 6 spampd processes running.
Note: If "--min-servers" option is also set, and is less than "--max-servers", then the server runs
in "Scalable Mode" and the meaning of this option changes. In scalable mode, the number of actual
running servers will fluctuate between "--min-servers" and "--max-servers", based on demand.
You may want to set your origination mail server to limit the number of concurrent connections to
spampd to match this setting (for Postfix this is the "xxxx_destination_concurrency_limit" setting
where 'xxxx' is the transport being used, usually 'smtp' or 'lmtp').
See also "--min-servers", "--min-spare", and "--max-spare" options.
--min-servers or -mns <n> "new in v2.60"
Minimum number of child servers to start and maintain (where n > 0).
Note: If this option is set, and it is less than "--max-servers" option, then the server runs in
"Scalable Mode". By default this option is undefined, meaning spampd runs only a set number of
servers specified in "--max-servers". In scalable mode, the number of actual running servers will
fluctuate between "--min-servers" and "--max-servers", based on demand.
See also "--max-servers", "--min-spare", and "--max-spare" options.
--min-spare or -mnsp <n> "new in v2.60"
The minimum number of servers to have waiting for requests. Minimum and maximum numbers should not
be set to close to each other or the server will fork and kill children too often. (- Copied from
"Net::Server::PreFork")
Note: This option is only used when running in "Scalable Mode". See "--min-servers" and
"--max-servers" options.
--max-spare or -mxsp <n> "new in v2.60"
The maximum number of servers to have waiting for requests. (- Copied from "Net::Server::PreFork")
Note: This option is only used when running in "Scalable Mode". See "--min-servers" and
"--max-servers" options.
--maxrequests or -mr or -r <n>
spampd works by forking child servers to handle each message. The maxrequests parameter specifies
how many requests will be handled before the child exits. Since a child never gives back memory, a
large message can cause it to become quite bloated; the only way to reclaim the memory is for the
child to exit.
--childtimeout <n>
This is the number of seconds to allow each child server before it times out a transaction. In an
S/LMTP transaction the timer is reset for every command. This timeout includes time it would take
to send the message data, so it should not be too short. Note that it's more likely the origination
or destination mail servers will timeout first, which is fine. This is just a "sane" failsafe.
--satimeout <n>
This is the number of seconds to allow for processing a message with SpamAssassin (including feeding
it the message, analyzing it, and adding the headers/report if necessary).
This should be less than your origination and destination servers' timeout settings for the DATA
command. (For Postfix this is set in "(smtp|lmtp)_data_done_timeout" and "smtpd_timeout"). In the
event of timeout while processing the message, the problem is logged and the message is passed on
anyway (w/out spam tagging, obviously). To fail the message with a temp 450 error, see the "--dose"
(die-on-sa-errors) option, below.
--child-name-template or -cnt [<template]> "new in v2.61"
Template for formatting child process name. Use a blank string (just the argument name without a
value) to leave the child process name unchanged (will be same as parent command line).
The template uses printf() style formatting, but with named parameter placeholders. For example
(wrapped for clarity):
%base_name: child #%child_count(%child_status)
[req %req_count/%req_max, time lst/avg/ttl %(req_time_last).4f/%(req_time_avg).4f/%(req_time_ttl).4f,
ham/spm %req_ham/%req_spam, rules v%sa_rls_ver)]'
Would produce something like:
spampd: child #4(D) [req 8/30, time lst/avg/ttl 0.0222/0.0256/0.2045, ham/spm 3/5, rules v1891891]
Parameters are specified like: "Value of %(my_name)s is %(my_float_value).4f", with names in
parenthesis followed by a standard printf() style formatting specifier ("s" is default), or simply
as "Value of %my_name is %my_value" with the default format being a string (works for numerics
also). Keep in mind that any actual "%" characters need to be escaped as "%%". Formatting warnings
will be logged as "sprintf" errors (most likely a parameter was misspelled).
The following variables are available:
base_name # Base script name, eg. "spampd"
spampd_ver # SpamPD version, eg. "2.61"
perl_ver # Perl version, eg. "5.28.1"
ns_ver # Net::Server version, eg. "2.009"
ns_typ # Net::Server type, "PreFork" or "PreForkSimple"
ns_typ_acr # Net::Server type acronym, "PF" or "PFS"
sa_ver # SpamAassassin version, eg. "3.4.2"
sa_rls_ver # SpamAassassin rules update version, eg. "1891891" or "(unknown)"
child_count # total number of children launched so far (current child number)
child_status # child status, "C" for connected, or "D" for disconnected
req_count # number of requests child has processed so far
req_max # maximum child requests before exit
req_time_last # [s] time to process the last message
req_time_ttl # [s] total processing time for this child
req_time_avg # [s] average processing time for this child (req_time_ttl / req_count)
req_ham # count of ham messages scored by child
req_spam # count of spam messages scored by child
--pid or -p <filename>
Specifies a filename where spampd will write its process ID so that it is easy to kill it later. The
directory that will contain this file must be writable by the spampd user.
--logfile or -o (syslog|stderr|<filename>) "new in v2.60"
Logging method to use. May be one or more of:
• "syslog": Use the system's syslogd (via Sys::Syslog). Default setting.
• "stderr": Direct all logging to stderr (if running in background mode these may still end up in
the default system log).
• "filename": Use the specified file (the location must be accessible to the user spampd is
running as). This can also be a device handle, eg: "/dev/tty0" or even "/dev/null" to disable
logging entirely.
This option may be specified multiple times. You may also specify multiple destination by separating
them with a ":" (colon): "--logfile stderr:/var/log/spampd.log"
Simultaneous logging to "syslog", "stderr", and one "filename" is possible. At this time only one
log file can be used at a time (if several are specified then the last one takes precedence).
--logsock or -ls <type> "new in v2.20" "updated in v2.60"
Syslog socket to use if "--logfile" is set to syslog.
"Since v2.60:"
The type can be any of the socket types or logging mechanisms as accepted by the subroutine
Sys::Syslog::setlogsock(). Depending on the version of Sys::Syslog and the underlying operating
system, one of the following values (or their subset) can be used:
native, tcp, udp, inet, unix, stream, pipe, console, eventlog (Win32 only)
The default behavior since spampd v2.60 is to let Sys::Syslog pick the default syslog socket. This
is the recommended usage for Sys::Syslog (since v0.15), which chooses thusly:
The default is to try native, tcp, udp, unix, pipe, stream, console. Under systems with the
Win32 API, eventlog will be added as the first mechanism to try if Win32::EventLog is available.
For more information please consult the Sys::Syslog <https://metacpan.org/pod/Sys::Syslog>
documentation.
To preserve backwards-compatibility, the default on HP-UX and SunOS (Solaris) systems is "inet".
"Prior to v2.60:"
The default was "unix" except on HP-UX and SunOS (Solaris) systems it is "inet".
--logident or -li <name> "new in v2.60"
Syslog identity name to use. This may also be used in log files written directly (w/out syslog).
--logfacility or -lf <name> "new in v2.60"
Syslog facility name to use. This is typically the name of the system-wide log file to be written
to.
--[no]detach [0|1] "new in v2.20"
Tells spampd to detach from the console and fork into the background ("daemonize"). Using
"--nodetach" can be useful for running under control of some daemon management tools or testing from
a command line.
--[no]setsid [0|1] "new in v2.51"
If "--setsid" is specified then spampd will fork after the bind method to release itself from the
command line and then run the POSIX::setsid() command to truly daemonize. Only used if "--nodetach"
isn't specified.
--maxsize <n>
The maximum message size to send to SpamAssassin, in KBytes. Messages over this size are not scanned
at all, and an appropriate message is logged indicating this. The size includes headers and
attachments (if any).
--dose [0|1]
Acronym for (d)ie (o)n (s)pamAssassin (e)rrors. When disabled and spampd encounters a problem with
processing the message through SpamAssassin (timeout or other error), it will still pass the mail on
to the destination server. When enabled, the mail is instead rejected with a temporary error (code
450, which means the origination server should keep retrying to send it). See the related
"--satimeout" option, above.
--tagall or -a [0|1]
Tells spampd to have SpamAssassin add headers to all scanned mail, not just spam. Otherwise spampd
will only rewrite messages which exceed the spam threshold score (as defined in the SA settings).
Note that for this option to work as of SA-2.50, the always_add_report and/or always_add_headers
settings in your SpamAssassin local.cf need to be set to 1/true.
--log-rules-hit or -rh [0|1]
Logs the names of each SpamAssassin rule which matched the message being processed. This list is
returned by SA.
--set-envelope-headers or -seh [0|1] "new in v2.30"
Turns on addition of X-Envelope-To and X-Envelope-From headers to the mail being scanned before it
is passed to SpamAssassin. The idea is to help SA process any blacklist/whitelist to/from directives
on the actual sender/recipients instead of the possibly bogus envelope headers. This potentially
exposes the list of all recipients of that mail (even BCC'd ones). Therefore usage of this option
is discouraged.
NOTE: Even though spampd tries to prevent this leakage by removing the X-Envelope-To header after
scanning, SpamAssassin itself might add headers that report recipient(s) listed in X-Envelope-To.
--set-envelope-from or -sef [0|1] "new in v2.30"
Same as above option but only enables the addition of X-Envelope-From header. For those that don't
feel comfortable with the possible information exposure of X-Envelope-To. The above option
overrides this one.
--local-only or -L [0|1]
Turn off all SA network-based tests (DNS, Razor, etc).
--homedir <directory> "new in v2.40"
Use the specified directory as home directory for the spamassassin process. Things like the auto-
whitelist and other plugin (razor/pyzor) files get written to here. A good place for this is in the
same place your "bayes_path" SA config setting points to (if any). Make sure this directory is
accessible to the user that spampd is running as.
Thanks to Alexander Wirt for this fix.
--saconfig <filename>
Use the specified file for SpamAssassin configuration options in addition to the default local.cf
file. Any options specified here will override the same option from local.cf.
--debug or -d [<area,...>|1|0] "(updated in v2.60)"
Turns on SpamAssassin debug messages which print to the system mail log (same log as spampd will log
to). Also turns on more verbose logging of what spampd is doing (new in v2). Also increases log
level of Net::Server to 4 (debug), adding yet more info (but not too much) (new in v2.2).
"New in v2.60:"
Setting the value to 1 (one) is the same as using no parameter (eg. simply -d). The value of 0
(zero) disables debug logging.
The area list is passed on directly to SpamAssassin and controls logging facilities. If no areas are
listed (and debug logging is enabled), all debugging information is printed (this equivalent to
passing "all" as the area). Diagnostic output can also be enabled for each area individually; area
is the area of the code to instrument. For example, to produce diagnostic output on bayes, learn,
and dns, use:
-d bayes,learn,dns
You can also disable specific areas with the "no" prefix:
-d all,norules,nobayes
To show only spampd debug messages (none from SpamAssassin), use:
-d spampd
For more information about which areas (aka channels or facilities) are available, please see the
documentation at:
SpamAssassin Wiki::DebugChannels <http://wiki.apache.org/spamassassin/DebugChannels>
Mail::SpamAssassin::Logger::add_facilities()
<https://spamassassin.apache.org/doc/Mail_SpamAssassin_Logger.html#METHODS>
--show <thing>[,<thing>[,...]] "new in v2.60"
Meant primarily for debugging configuration settings (or code), this will print some information to
the console and then exit.
<thing> may be one or more of:
• "defaults": Show default values for all options, in a format suitable for a config file.
• "config": Shows option values after processing all given command-line arguments, including
anything loaded from config file(s).
• "start": Shows the final configuration arguments after processing any config file(s).
• "version": Same as "--version" switch but runs after parsing all options and shows actual
Net::Server type which would be used (PreFork or PreForkSimple).
• "argv": Shows anything remaining on command line (@ARGV) after processing all known arguments
(this will be passed onto Net::Server).
• "self": Dumps the whole SpamPD object, including all settings. Trés geek.
• "all": Prints all of the above.
Multiple "thing"s may be specified by using the --show option multiple times, or separating the
items with a comma: "--show config,start,argv".
Note that all thing options besides "defaults" and "config" require the Perl module Data::Dumper
installed.
--version "new in v2.52"
Prints version information about SpamPD, Net::Server, SpamAssassin, and Perl.
--help or -h or -? [txt]
--hh or -?? [txt]
--hhh or -??? [txt]
--man or -hhhh or -???? [html|txt]
Prints increasingly verbose usage information. By default help is displayed in "terminal" (groff)
format with some text styling applied. If you want to use "less" as a pager, provide it with the
"-R" switch, eg.:
spampd --??? | less -R
Alternatively you can request plain-text format with the optional "txt" value.
"--man" displays the full documentation, optionally in "html" or plain text "txt" formats (default
is to use actual "man" format/display). HTML version is saved to a temp file and an attempt is made
to open it in the default system browser (it is better if the browser is already opened). If
available, the optional Perl module HTML::Display is used to (try to) open a browser.
Other Net::Server Options
Net::Server supports some other options which spampd doesn't accept directly. For example there are
access control options, child process tuning, and a few more (see below). Such options can be passed
through to Net::Server (and subtypes) by specifying them at the end of the spampd command line (or in a
configuration file) following two dashes " -- " by themselves (this is a failry typicaly convention for
passing options onto another program). As an example, it may look something like this:
spampd --host 10.0.0.1 -port 10025 -- --cidr_allow 10.0.0.0/24
The "--cidr_allow" after the " -- " is passed onto Net::Server. If the " -- " were not there, you would
get an error from spampd about an unknown option.
To specify Net::Server options in a configuration file, place them after two dashes ("--") on a line by
themselves. See "CONFIGURATION FILE" for an example.
This only makes sense with the few options not directly controlled by/through spampd. As of Net::Server
v2.009 the list is:
reverse_lookups, allow, deny, cidr_allow, cidr_deny, chroot, ipv, conf_file,
serialize, lock_file, check_for_dead, max_dequeue, check_for_dequeue
If running in "Scalable Mode" then these settings from Net::Server::PreFork can also be very relevant to
performance tuning:
check_for_waiting, check_for_spawn, min_child_ttl
Keep in mind that the Net::Server types inherit from each other: "PreFork" inherits from "PreForkSimple"
which inherits from "Net::Server" itself. Which means all the options are also inherited.
See the Net::Server(3) <https://https://metacpan.org/pod/Net::Server#DEFAULT-ARGUMENTS-FOR-Net::Server>,
Net::Server::PreForkSimple(3) <https://metacpan.org/pod/Net::Server::PreForkSimple#COMMAND-LINE-
ARGUMENTS>, and Net::Server::PreFork(3) <https://metacpan.org/pod/Net::Server::PreFork#COMMAND-LINE-
ARGUMENTS> documentation for details.
Deprecated Options
The following options are no longer used but still accepted for backwards compatibility with prevoius
spampd versions:
--dead-letters
--heloname
--stop-at-threshold
--add-sc-header
--hostname
--auto-whitelist or -aw "deprecated with SpamAssassin v3+"
This option is no longer relevant with SA version 3.0 and above, which controls auto whitelist use
via config file settings. Do not use it unless you must use an older SA version. An error will be
generated if attempting to use this option with SA 3.0 or above.
For SA version < 3.0, turns on the SpamAssassin global whitelist feature. See the SA docs. Note
that per-user whitelists are not available.
NOTE: DBBasedAddrList is used as the storage mechanism. If you wish to use a different mechanism
(such as SQLBasedAddrList), the spampd code will need to be modified in 2 instances (search the
source for DBBasedAddrList).
CONFIGURATION FILE
Since v2.60 spampd allows for the use of a configuration file to load server parameters. One or more
files can be specified on the command line (see "--config" option for more details on syntax). The
format of a configuration file is simple key/value pairs. Comments (starting with # or ;) and blank lines
are ignored. The option names are exactly as they appear above in the "OPTIONS" section. They can be
listed with or w/out the "-"/"--" prefixes. Key/value separator can be one or more of space, tab, or "="
(equal) sign.
Multiple configuration files can be loaded, with the latter ones being able to override options loaded
earlier. Any options specified on the command line will take precedence over options from file(s).
Configuration file(s) are reloaded during a HUP-induced restart (see "SIGNALS"), making it possible to
adjust settings dynamically on a running server.
You may also provide "passthrough" options directly to Net::Server by putting them after a "--" on a line
by itself (this is just like using the lonesome "--" on a command line; see "Other Net::Server Options").
Note that one cannot use the "--config" option to load a file from within another file. A config file can
only be specified on the command line.
Use the "spampd --show defaults > spampd.config" command to generate a sample configuration file showing
all default values. The example below demonstrates various valid syntax for the file.
# Sample configuration file for SpamPD.
# Double dashes
--user spampd
# Single dash and = separator with spaces
-pid = /var/run/spampd/spampd.pid
# No dashes required, equals separator no spaces
homedir=/var/cache/spampd
# No dashes, space separator
host 127.0.0.1
# Disabled option (after comment character)
#port 10025
# Boolean values can be set/unset a number of ways:
tagall 1
local-only 0
set-envelope-from
no-log-rules-hit
# Passthrough arguments for Net::Server[::PreFork[Simple]] could go here.
# Be sure to also uncomment the "--" if using any.
# --
# cidr_allow 127.0.0.1/32
SIGNALS
HUP "updated in v2.60"
Sending HUP signal to the master process will restart all the children gracefully (meaning the
currently running requests will shut down once the request is complete).
"Since v2.60":
SpamAssassin configuration IS reloaded on HUP. Any children currently in the middle of a transaction
will finish with the previous SA config and then exit. A new set of children, using the new config,
is spawned immediately upon HUP and will serve any new requests.
In a similar manner, spampd will also reload its own settings from any configuration file(s)
specified on the original command line with "--config" option (see "OPTIONS" and "CONFIGURATION
FILE").
"Since v2.52": Children were restarted but SpamAssassin configuration was not reloaded.
"Prior to v2.52": HUP would try to restart the server with all default settings (usually failing).
TTIN, TTOU
Sending TTIN signal to the master process will dynamically increase the number of children by one,
and TTOU signal will decrease it by one.
INT, TERM
Sending INT or TERM signal to the master process will kill all the children immediately and shut
down the daemon.
QUIT Sending QUIT signal to the master process will perform a graceful shutdown, waiting for all children
to finish processing any current transactions and then shutting down the parent process.
EXAMPLES
Running between firewall/gateway and internal mail server:
spampd listens on port 10025 on the same host as the internal mail server.
spampd --host=192.168.1.10
Same as above but spampd runs on port 10025 of the same host as the firewall/gateway and passes
messages on to the internal mail server on another host.
spampd --relayhost=192.168.1.10
Using Postfix advanced content filtering example and disable SA network checks:
spampd --port=10025 --relayhost=127.0.0.1:10026 --local-only
Using UNIX sockets instead if INET ports:
spampd listens on the UNIX socket "/var/run/spampd.socket" with persmissions 700 instead of a TCP
port:
spampd --socket /var/run/spampd.socket --socket-perms 700
spampd will relay mail to "/var/run/dovecot/lmtp" instead of a TCP port:
spampd --relaysocket /var/run/dovecot/lmtp
Remember that the user spampd runs as needs to have read AND write permissions on the relaysocket!
CREDITS
spampd is written and maintained by Maxim Paperno <MPaperno@WorldDesign.com>. The open source code
repository is located at <https://github.com/mpaperno/spampd/>. See
<http://www.WorldDesign.com/index.cfm/rd/mta/spampd.htm> for historical info.
spampd v2 uses two Perl modules (MSDW::SMTP::Client and MSDW::SMTP::Server) by Bennett Todd and Copyright
(C) 2001 Morgan Stanley Dean Witter. These are distributed under the GNU GPL (see module code for more
details). Both modules have been slightly modified from the originals and are included in this file
under new names (SpamPD::Client and SpamPD::Server, respectively).
Also thanks to Bennett Todd for the example smtpproxy script which helped create this version of spampd.
See <http://bent.latency.net/smtpprox/> (seems to be down) or <https://github.com/jnorell/smtpprox>.
spampd v1 was based on code by Dave Carrigan named assassind. Trace amounts of his code or documentation
may still remain. Thanks to him for the original inspiration and code. <https://openshut.net/>.
Also thanks to spamd (included with SpamAssassin) and amavisd-new (<http://www.ijs.si/software/amavisd/>)
for some tricks.
Various people have contributed patches, bug reports, and ideas, all of whom I would like to thank. I
have tried to include credits in code comments and in the change log, as appropriate.
Code Contributors (in order of appearance):
Kurt Andersen
Roland Koeckel
Urban Petry
Sven Mueller
See also: <https://github.com/mpaperno/spampd/graphs/contributors/>
COPYRIGHT, LICENSE, AND DISCLAIMER
spampd is Copyright (c) Maxim Paperno; All Rights Reserved.
Portions are Copyright (c) 2001 Morgan Stanley Dean Witter as mentioned above in the Credits section.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see
<https://www.gnu.org/licenses/>.
BUGS
Use GitHub issue tracking: <https://github.com/mpaperno/spampd/issues>
SEE ALSO
spamassassin(1)
Mail::SpamAssassin(3) <https://spamassassin.apache.org/doc/Mail_SpamAssassin.html>
Net::Server(3) <https://metacpan.org/pod/Net::Server>
SpamAssassin Site <http://www.spamassassin.org/>
SpamPD Code Repository <https://github.com/mpaperno/spampd>
SpamPD product page <http://www.WorldDesign.com/index.cfm/rd/mta/spampd.htm>
Integrating SpamAssassin into Postfix using spampd
<https://wiki.apache.org/spamassassin/IntegratePostfixViaSpampd>
perl v5.40.1 2025-02-27 SPAMPD(8)