Config options
To configure hermes you have to edit the config file, normally located in /etc/hermes/hermesrc.
These are the options that hermes recognizes:
background
Type: bool
Default value: true
whether to fork to the background. initscripts require
this to be true most of the time.
chroot
Type: string
Default value: ""
chroot to this directory on startup.
this path is ABSOLUTE, it WON'T work with a relative path,
because hermes changes into the directory BEFORE calling chroot, as a
security measure.
to disable chrooting, use an empty string (default).
pid_file
Type: string
Default value: "/var/run/hermes.pid"
write a pid file with the pid of the main hermes server.
if you set background=true above, this will write the pid
of the forked hermes, not the original.
listening_port
Type: int
Default value: 25
the port where hermes will listen for new connections.
if you are going to use a port lower than 1024 (almost always:
smtp is 25, smtps is 465 and submission is 587), then you need
to run as root (you can drop privileges afterwards) or with setuid active.
bind_to
Type: string
Default value: ""
the ip to bind to. if you leave it empty (default), then hermes
listens on all available ips.
server_host
Type: string
Default value: "localhost"
the host of the real smtp server.
if your server is qmail and you have the AUTH patch,
DON'T use localhost, use the external IP instead.
database_file
Type: string
Default value: "/var/hermes/greylisting.db"
database file to use.
if you are chrooting, the path is relative to the chroot:
real filepath = chroot + database_file
greylist
Type: bool
Default value: true
whether to use greylisting.
greylisting will slightly delay your emails (configurable, see below)
to stop most spam. it is the most effective technique in use by hermes.
throttle
Type: bool
Default value: true
whether to throttle connections.
it will force some spammers (the more impatient ones) to drop the connection
and leave you alone.
throttling_time
Type: int
Default value: 1
throttling time.
this is the time (in seconds) that hermes will wait between each sent line.
don't set this too high (more than 3 seconds), as that will drop MANY connections.
number_of_unimplemented_commands_allowed
Type: int
Default value: -1
number of unimplemented responses allowed
this is the total number of "503 Unimplemented" responses allowed from the server
-1 = unlimited
allow_data_before_banner
Type: bool
Default value: false
whether to allow data sent by the client before hermes has sent the SMTP banner
(when false, hermes checks for such early data).
if there is data before the banner, the email is almost certainly spam.
dns_blacklist_domains
Type: list
Default value: ""
dns blacklist domain list to check.
if this is empty (default) hermes will not check anything, effectively disabling
dns blacklisting.
recommended value is "zen.spamhaus.org"
dns_blacklist_percentage
Type: int
Default value: 100
percentage of the configured domains that have to blacklist an ip before it is considered blacklisted.
for example, if an ip listed in only half of the blacklists should be considered
as listed, define dns_blacklist_percentage as 50 (50%).
dns_whitelist_domains
Type: list
Default value: ""
dns whitelist domain list to check.
if this is empty (default) hermes will not check anything, effectively disabling
dns whitelisting.
this list should only contain hosts that have a history of NOT sending spam.
recommended value is "list.dnswl.org"
dns_whitelist_percentage
Type: int
Default value: 100
percentage of the configured domains that have to whitelist an ip before it is considered whitelisted.
for example, if an ip listed in only half of the whitelists should be considered
as listed, define dns_whitelist_percentage as 50 (50%).
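The percentage rule for both dns_blacklist_percentage and dns_whitelist_percentage, as an added example that is not hermes code: each configured zone is queried with the reversed-octet name that DNSBLs use, the share of zones answering is compared against the threshold, and an empty zone list never lists anything. The zone names, ips and DNS answers are constructed, and the resolver is a lookup table so the block runs offline.

```python
# Added example, not hermes code: how dns_blacklist_percentage (and the identical
# dns_whitelist_percentage rule) turns several zone lookups into one verdict.
# Zone names and the lookup table are constructed; the reversed-octet query
# form is the standard DNSBL convention.
import ipaddress
from typing import Callable, List, Optional

Resolver = Callable[[str], Optional[str]]  # name -> A record text, or None if NXDOMAIN

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 198.51.100.4 -> 4.100.51.198.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def listed_percentage(ip: str, zones: List[str], resolve: Resolver) -> float:
    """Percentage of the configured zones that return a listing for ip."""
    if not zones:
        return 0.0
    hits = sum(1 for z in zones if resolve(dnsbl_query_name(ip, z)) is not None)
    return 100.0 * hits / len(zones)

def is_listed(ip: str, zones: List[str], percentage: int, resolve: Resolver) -> bool:
    """Verdict: at least `percentage` percent of zones must list the ip.
    An empty zone list never lists anything, matching 'empty disables the check'."""
    if not zones:
        return False
    return listed_percentage(ip, zones, resolve) >= percentage

# Constructed answers standing in for real DNS; 127.0.0.x is the usual DNSBL reply.
FAKE_DNS = {
    "4.100.51.198.bl-one.example": "127.0.0.2",   # listed in two of three zones
    "4.100.51.198.bl-two.example": "127.0.0.2",
    "7.113.0.203.bl-one.example": "127.0.0.2",    # listed in one of three zones
    "9.113.0.203.wl-one.example": "127.0.0.10",   # present in the whitelist zone
}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)

BLACKLISTS = ["bl-one.example", "bl-two.example", "bl-three.example"]
WHITELISTS = ["wl-one.example"]

def verdicts(ip: str, percentage: int) -> dict:
    """Apply both lists with the same threshold, as the two percentage options do."""
    return {"blacklisted": is_listed(ip, BLACKLISTS, percentage, fake_resolve),
            "whitelisted": is_listed(ip, WHITELISTS, percentage, fake_resolve)}
```

With the default of 100, an ip listed in two of three blacklists is not treated as blacklisted; lowering the percentage to 50 changes that verdict.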
add_status_header
Type: bool
Default value: false
if this is enabled, email will get tagged with a header "X-Hermes-Status: {white,black}listed".
that way, your bayesian filter can learn from this automatically.
NOTE: if this is enabled, hermes will accept blacklisted emails and it will be up to you to filter
them out, for example through procmail.
initial_expiry
Type: int
Default value: 240
initial expiry time.
when email is first recorded, it will expire after this time (in minutes).
initial_blacklist
Type: int
Default value: 5
initial period of time (in minutes) during which a retry on the spammer's side will FAIL.
whitelist_expiry
Type: int
Default value: 36
once we have whitelisted a triplet, how long it stays whitelisted (in days).
36 is a magic number: it is the maximum number of days between a day and the same day next month.
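How initial_blacklist, initial_expiry and whitelist_expiry shape the life of one greylisting triplet, as an added example that is not hermes code: a first contact is recorded and temp-failed, a retry inside initial_blacklist still fails, a retry between initial_blacklist and initial_expiry whitelists the triplet for whitelist_expiry days, and a record that reaches initial_expiry without a valid retry starts over. The order of these checks is assumed to match hermes; the triplet, timestamps and the run_attempts helper are constructed.

```python
# Added example, not hermes code: greylisting verdicts driven by the three
# timing options above. Check order is assumed; the triplet is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

INITIAL_EXPIRY = timedelta(minutes=240)   # initial_expiry
INITIAL_BLACKLIST = timedelta(minutes=5)  # initial_blacklist
WHITELIST_EXPIRY = timedelta(days=36)     # whitelist_expiry

Triplet = Tuple[str, str, str]  # (client ip, envelope sender, envelope recipient)

@dataclass
class Entry:
    first_seen: datetime                       # first attempt of this record
    whitelisted_at: Optional[datetime] = None  # set once a valid retry arrived

class Greylist:
    def __init__(self) -> None:
        self.db: Dict[Triplet, Entry] = {}

    def check(self, triplet: Triplet, now: datetime) -> str:
        """Verdict for one attempt: 'tempfail' (4xx, retry later) or 'accept'."""
        e = self.db.get(triplet)
        if e is None:                         # unknown triplet: record it, ask for a retry
            self.db[triplet] = Entry(first_seen=now)
            return "tempfail"
        if e.whitelisted_at is not None:
            if now - e.whitelisted_at < WHITELIST_EXPIRY:
                return "accept"               # known-good triplet, delivered at once
            e.whitelisted_at, e.first_seen = None, now   # whitelist lapsed: start over
            return "tempfail"
        age = now - e.first_seen
        if age < INITIAL_BLACKLIST:           # retried too fast: keep failing
            return "tempfail"
        if age < INITIAL_EXPIRY:              # patient retry inside the window
            e.whitelisted_at = now
            return "accept"
        self.db[triplet] = Entry(first_seen=now)  # record expired unused: brand new
        return "tempfail"

def run_attempts(minute_offsets: List[int]) -> List[str]:
    """Replay attempts for one constructed triplet at the given minute offsets
    from the first attempt and return the verdict for each."""
    g = Greylist()
    t0 = datetime(2024, 1, 1, 12, 0)
    trip = ("198.51.100.4", "alice@example.com", "bob@example.net")
    return [g.check(trip, t0 + timedelta(minutes=m)) for m in minute_offsets]
```

run_attempts([0, 2, 7, 14400, 72000]) walks through all four states: first contact, too-early retry, valid retry, whitelisted delivery ten days later, and a lapsed whitelist after fifty days.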
submit_stats_ssl
Type: bool
Default value: true
should stats be submitted using SSL?
recommended, but some people will compile without ssl.
submit_stats_username
Type: string
Default value: "anonymous"
username (used to submit stats).
you can register on http:
log_level
Type: int
Default value: 1
log level:
0: log only errors
1: log errors and information (default)
2: debug (passwords might be written in plaintext with this option, so use with care)
file_logger_filename
Type: string
Default value: "hermes.log"
if you are using the filelogger, which file to log to.
keep_file_locked
Type: bool
Default value: true
whether to keep the logger file locked between writes
log_rotation_frequency
Type: int
Default value: 1440
frequency for log rotating in minutes
default is 1440 (1 day)
0 means no rotation
rotate_filename
Type: string
Default value: "hermes-%%year%%-%%month%%-%%day%%-%%hour%%:%%minute%%.log"
format for the logfile rotation.
if you are using logfile rotation, file_logger_filename is the file
to which the logger writes, while this is the name files will get
when rotated.
you can use the following variables:
%%year%% - current year (4 digits)
%%month%% - current month
%%day%% - current day
%%hour%% - current hour
%%minute%% - current minute
all of them are zero-padded
clean_db
Type: bool
Default value: true
whether to clean the database file and send stats.
if you have two instances of hermes running (for example one for smtp and another for smtps),
configure all but one of them with clean_db=false.
also, you might prefer not to clean the database at all, for many reasons (for example to
keep a huge file around with all your system's email data).
this does not mean that entries in the database won't expire, only that expired entries
will be left in the file without any use.
outgoing_ssl
Type: bool
Default value: false
should we try to connect to our real smtp server using ssl?
not really necessary unless the real smtp server is on another machine.
incoming_ssl
Type: bool
Default value: false
should we accept connections using ssl?
NOTE: this does NOT disable the starttls capability, it only starts hermes expecting SSL negotiation.
starttls is handled the following way: if you have ssl, it is always on. clients can request it at
any time and hermes will switch to ssl at once. if you don't have ssl, hermes will refuse starttls
with a 354 error code, although it WILL still accept the command. the connection should proceed normally
even in that event.
private_key_file
Type: string
Default value: "/etc/hermes/hermes.key"
file with our private key (PEM format).
to generate, execute:
# openssl genrsa 1024 > private.key
certificate_file
Type: string
Default value: "/etc/hermes/hermes.cert"
file with our server certificate (PEM format).
to generate, execute:
# openssl req -new -x509 -nodes -sha1 -days 365 -key private.key > certificate.crt
and answer the questions
add_headers
Type: bool
Default value: true
whether to add headers to the email sent or not.
to be rfc compatible this HAS to be true, but if you set it to false, no one will know you are using hermes.
hostname
Type: string
Default value: ""
the hostname to use for the headers. useful only when gethostname() returns
something that is not correct. for example on windows, it seems to return only the host
part of the name.
if this is empty, hermes will use the value returned by gethostname().
whitelisted_disables_everything
Type: bool
Default value: true
should a whitelisted hostname or whitelisted ip also disable throttling and banner delaying?
it is useful to make remote hosts deliver mail almost at once
reject_no_reverse_resolution
Type: bool
Default value: false
whether to reject connections from hosts that do not provide DNS reverse resolution.
don't enable if you don't know what you are doing or what this switch does
check_helo_against_reverse
Type: bool
Default value: false
check whether the client's ehlo hostname matches the reverse resolution of its ip.
don't enable unless you understand perfectly what this means.
query_spf
Type: bool
Default value: true
whether to query the spf record for the incoming domain.
should help, enable if you have libspf (if you don't, install it and recompile)
return_temp_error_on_reject
Type: bool
Default value: false
return temporary error instead of permanent error.
Currently, this only applies to SPF and DNSBL rejected email
You should enable this while debugging your hermes installation,
as configuration errors won't be fatal.