POSTSCREEN(8)               System Manager's Manual              POSTSCREEN(8)

NAME
       postscreen - Postfix zombie blocker

SYNOPSIS
       postscreen [generic Postfix daemon options]

DESCRIPTION
       The Postfix postscreen(8) server provides additional protection against
       mail server overload. One postscreen(8) process handles multiple
       inbound SMTP connections, and decides which clients may talk to a
       Postfix SMTP server process. By keeping spambots away, postscreen(8)
       leaves more SMTP server processes available for legitimate clients, and
       delays the onset of server overload conditions.

       This program should not be used on SMTP ports that receive mail from
       end-user clients (MUAs). In a typical deployment, postscreen(8) handles
       the MX service on TCP port 25, and smtpd(8) receives mail from MUAs on
       the submission service (TCP port 587) which requires client
       authentication. Alternatively, a site could set up a dedicated,
       non-postscreen, "port 25" server that provides submission service and
       client authentication, but no MX service.

       postscreen(8) maintains a temporary whitelist for clients that have
       passed a number of tests. When an SMTP client IP address is
       whitelisted, postscreen(8) hands off the connection immediately to a
       Postfix SMTP server process. This minimizes the overhead for legitimate
       mail.

       By default, postscreen(8) logs statistics and hands off each connection
       to a Postfix SMTP server process, while excluding clients in mynetworks
       from all tests (primarily, to avoid problems with non-standard SMTP
       implementations in network appliances). This default mode blocks no
       clients, and is useful for non-destructive testing.

       In a typical production setting, postscreen(8) is configured to reject
       mail from clients that fail one or more tests. postscreen(8) logs
       rejected mail with the client address, helo, sender and recipient
       information.
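
       The non-blocking default mode is only useful if the resulting log is
       actually read: before switching the *_action parameters from "ignore"
       to "enforce" or "drop", an administrator wants to know which clients
       would have been refused. The script below is an added example and is
       not part of the Postfix manual or source. The sample lines are
       constructed in the style of postscreen's syslog records (PREGREET,
       DNSBL rank, PASS/WHITELISTED verdicts and the NOQUEUE reject line with
       helo, sender and recipient); the regular expressions are written
       against those samples, and `summarize` and `would_block` are names
       chosen for this example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample lines in the style of postscreen(8) syslog output (not
# captured traffic): two clients that fail tests, one that passes twice, one
# rejected recipient, and one client in mynetworks that is whitelisted.
SAMPLE_LOG = """\
Jan  1 10:00:01 mx postfix/postscreen[1234]: CONNECT from [192.0.2.10]:40001 to [198.51.100.5]:25
Jan  1 10:00:01 mx postfix/postscreen[1234]: PREGREET 11 after 0.05 from [192.0.2.10]:40001: EHLO spam\\r\\n
Jan  1 10:00:02 mx postfix/postscreen[1234]: DNSBL rank 4 for [192.0.2.10]:40001
Jan  1 10:00:02 mx postfix/postscreen[1234]: DISCONNECT [192.0.2.10]:40001
Jan  1 10:00:05 mx postfix/postscreen[1234]: CONNECT from [192.0.2.20]:40002 to [198.51.100.5]:25
Jan  1 10:00:11 mx postfix/postscreen[1234]: PASS NEW [192.0.2.20]:40002
Jan  1 10:00:12 mx postfix/postscreen[1234]: CONNECT from [192.0.2.20]:40003 to [198.51.100.5]:25
Jan  1 10:00:12 mx postfix/postscreen[1234]: PASS OLD [192.0.2.20]:40003
Jan  1 10:00:20 mx postfix/postscreen[1234]: CONNECT from [203.0.113.7]:40004 to [198.51.100.5]:25
Jan  1 10:00:20 mx postfix/postscreen[1234]: DNSBL rank 2 for [203.0.113.7]:40004
Jan  1 10:00:26 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [203.0.113.7]:40004: 550 5.7.1 Service unavailable; client [203.0.113.7] blocked using dnsbl.example.test; from=<bob@example.org>, to=<alice@example.com>, proto=ESMTP, helo=<mail.example.org>
Jan  1 10:00:30 mx postfix/postscreen[1234]: CONNECT from [10.0.0.5]:40005 to [198.51.100.5]:25
Jan  1 10:00:30 mx postfix/postscreen[1234]: WHITELISTED [10.0.0.5]:40005
"""

# Record types this summary cares about; "ip" is the client address that
# postscreen prints inside [brackets] before the port.
PREGREET_RE = re.compile(r"PREGREET \d+ after [\d.]+ from \[(?P<ip>[^\]]+)\]:\d+")
DNSBL_RE = re.compile(r"DNSBL rank (?P<rank>\d+) for \[(?P<ip>[^\]]+)\]:\d+")
VERDICT_RE = re.compile(
    r"(?P<verdict>PASS NEW|PASS OLD|WHITELISTED|BLACKLISTED) \[(?P<ip>[^\]]+)\]:\d+")
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: (?P<code>\d{3}) .*?"
    r"from=<(?P<sender>[^>]*)>, to=<(?P<recipient>[^>]*)>.*?helo=<(?P<helo>[^>]*)>")


@dataclass
class Summary:
    failed: dict = field(default_factory=lambda: defaultdict(set))  # ip -> tests failed
    verdicts: Counter = field(default_factory=Counter)              # PASS NEW, PASS OLD, ...
    rejects: list = field(default_factory=list)                     # helo/sender/recipient


def summarize(log_text, dnsbl_threshold=1):
    """Walk postscreen log lines and record, per client IP, which tests it
    failed. The DNSBL rank is judged the way postscreen_dnsbl_threshold
    would judge it (inclusive lower bound), so the same log can be re-read
    with a candidate threshold before it is put into main.cf."""
    s = Summary()
    for line in log_text.splitlines():
        if "postfix/postscreen[" not in line:
            continue
        msg = line.split("postfix/postscreen[", 1)[1].split("]: ", 1)[1]
        if m := PREGREET_RE.match(msg):
            s.failed[m["ip"]].add("PREGREET")
        elif m := DNSBL_RE.match(msg):
            if int(m["rank"]) >= dnsbl_threshold:
                s.failed[m["ip"]].add("DNSBL")
        elif m := VERDICT_RE.match(msg):
            s.verdicts[m["verdict"]] += 1
        elif m := REJECT_RE.match(msg):
            s.rejects.append({"client": m["ip"], "code": m["code"],
                              "sender": m["sender"], "recipient": m["recipient"],
                              "helo": m["helo"]})
    return s


def would_block(summary):
    """Clients that would be refused once the matching *_action parameters
    move from 'ignore' to 'enforce' or 'drop': any client with a failed test."""
    return sorted(ip for ip, tests in summary.failed.items() if tests)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip in would_block(s):
        print(f"{ip:16} failed: {', '.join(sorted(s.failed[ip]))}")
    print("verdicts:", dict(s.verdicts))
    for r in s.rejects:
        print("rejected:", r)
```

       Re-running `summarize` with a higher `dnsbl_threshold` shows how many
       of the DNSBL hits survive a stricter setting, which is the decision the
       postscreen_dnsbl_threshold parameter asks the administrator to make.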

       postscreen(8) is not an SMTP proxy; this is intentional. The purpose
       is to keep spambots away from Postfix SMTP server processes, while
       minimizing overhead for legitimate traffic.

SECURITY
       The postscreen(8) server is moderately security-sensitive. It talks to
       untrusted clients on the network. The process can be run chrooted at
       fixed low privilege.

STANDARDS
       RFC 821 (SMTP protocol)
       RFC 1123 (Host requirements)
       RFC 1652 (8bit-MIME transport)
       RFC 1869 (SMTP service extensions)
       RFC 1870 (Message Size Declaration)
       RFC 1985 (ETRN command)
       RFC 2034 (SMTP Enhanced Status Codes)
       RFC 2821 (SMTP protocol)
       Not: RFC 2920 (SMTP Pipelining)
       RFC 3207 (STARTTLS command)
       RFC 3461 (SMTP DSN Extension)
       RFC 3463 (Enhanced Status Codes)
       RFC 5321 (SMTP protocol, including multi-line 220 banners)

DIAGNOSTICS
       Problems and transactions are logged to syslogd(8).

BUGS
       The postscreen(8) built-in SMTP protocol engine currently does not
       announce support for AUTH, XCLIENT or XFORWARD. If you need to make
       these services available on port 25, then do not enable the optional
       "after 220 server greeting" tests.

       The optional "after 220 server greeting" tests may result in unexpected
       delivery delays from senders that retry email delivery from a different
       IP address. Reason: after passing these tests a new client must
       disconnect, and reconnect from the same IP address before it can
       deliver mail. See POSTSCREEN_README, section "Tests after the 220 SMTP
       server greeting", for a discussion.

CONFIGURATION PARAMETERS
       Changes to main.cf are not picked up automatically, as postscreen(8)
       processes may run for several hours. Use the command "postfix reload"
       after a configuration change.

       The text below provides only a parameter summary. See postconf(5) for
       more details including examples.

       NOTE: Some postscreen(8) parameters implement stress-dependent
       behavior. This is supported only when the default parameter value is
       stress-dependent (that is, it looks like ${stress?{X}:{Y}}, or it is
       the $name of an smtpd parameter with a stress-dependent default).
       Other parameters always evaluate as if the stress parameter value is
       the empty string.

COMPATIBILITY CONTROLS
       postscreen_command_filter ($smtpd_command_filter)
              A mechanism to transform commands from remote SMTP clients.

       postscreen_discard_ehlo_keyword_address_maps
       ($smtpd_discard_ehlo_keyword_address_maps)
              Lookup tables, indexed by the remote SMTP client address, with
              case insensitive lists of EHLO keywords (pipelining, starttls,
              auth, etc.) that the postscreen(8) server will not send in the
              EHLO response to a remote SMTP client.

       postscreen_discard_ehlo_keywords ($smtpd_discard_ehlo_keywords)
              A case insensitive list of EHLO keywords (pipelining, starttls,
              auth, etc.) that the postscreen(8) server will not send in the
              EHLO response to a remote SMTP client.

       Available in Postfix version 3.1 and later:

       dns_ncache_ttl_fix_enable (no)
              Enable a workaround for future libc incompatibility.

TROUBLE SHOOTING CONTROLS
       postscreen_expansion_filter (see 'postconf -d' output)
              List of characters that are permitted in
              postscreen_reject_footer attribute expansions.

       postscreen_reject_footer ($smtpd_reject_footer)
              Optional information that is appended after a 4XX or 5XX
              postscreen(8) server response.

       soft_bounce (no)
              Safety net to keep mail queued that would otherwise be returned
              to the sender.

BEFORE-POSTSCREEN PROXY AGENT
       Available in Postfix version 2.10 and later:

       postscreen_upstream_proxy_protocol (empty)
              The name of the proxy protocol used by an optional
              before-postscreen proxy agent.

       postscreen_upstream_proxy_timeout (5s)
              The time limit for the proxy protocol specified with the
              postscreen_upstream_proxy_protocol parameter.

PERMANENT WHITE/BLACKLIST TEST
       This test is executed immediately after a remote SMTP client connects.
       If a client is permanently whitelisted, the client will be handed off
       immediately to a Postfix SMTP server process.

       postscreen_access_list (permit_mynetworks)
              Permanent white/blacklist for remote SMTP client IP addresses.

       postscreen_blacklist_action (ignore)
              The action that postscreen(8) takes when a remote SMTP client is
              permanently blacklisted with the postscreen_access_list
              parameter.

MX POLICY TEST
       When postscreen(8) is configured to monitor all primary and backup MX
       addresses, it can refuse to whitelist clients that connect to a backup
       MX address only. For small sites, this requires configuring primary and
       backup MX addresses on the same MTA. Larger sites would have to share
       the postscreen(8) cache between primary and backup MTAs, which would
       introduce a common point of failure.

       postscreen_whitelist_interfaces (static:all)
              A list of local postscreen(8) server IP addresses where a
              non-whitelisted remote SMTP client can obtain postscreen(8)'s
              temporary whitelist status.

BEFORE 220 GREETING TESTS
       These tests are executed before the remote SMTP client receives the
       "220 servername" greeting. If no tests remain after the successful
       completion of this phase, the client will be handed off immediately to
       a Postfix SMTP server process.

       dnsblog_service_name (dnsblog)
              The name of the dnsblog(8) service entry in master.cf.

       postscreen_dnsbl_action (ignore)
              The action that postscreen(8) takes when a remote SMTP client's
              combined DNSBL score is equal to or greater than a threshold (as
              defined with the postscreen_dnsbl_sites and
              postscreen_dnsbl_threshold parameters).

       postscreen_dnsbl_reply_map (empty)
              A mapping from actual DNSBL domain name which includes a secret
              password, to the DNSBL domain name that postscreen will reply
              with when it rejects mail.

       postscreen_dnsbl_sites (empty)
              Optional list of DNS white/blacklist domains, filters and weight
              factors.

       postscreen_dnsbl_threshold (1)
              The inclusive lower bound for blocking a remote SMTP client,
              based on its combined DNSBL score as defined with the
              postscreen_dnsbl_sites parameter.

       postscreen_greet_action (ignore)
              The action that postscreen(8) takes when a remote SMTP client
              speaks before its turn within the time specified with the
              postscreen_greet_wait parameter.

       postscreen_greet_banner ($smtpd_banner)
              The text in the optional "220-text..." server response that
              postscreen(8) sends ahead of the real Postfix SMTP server's "220
              text..." response, in an attempt to confuse bad SMTP clients so
              that they speak before their turn (pre-greet).

       postscreen_greet_wait (normal: 6s, overload: 2s)
              The amount of time that postscreen(8) will wait for an SMTP
              client to send a command before its turn, and for DNS blocklist
              lookup results to arrive (default: up to 2 seconds under stress,
              up to 6 seconds otherwise).

       smtpd_service_name (smtpd)
              The internal service that postscreen(8) hands off allowed
              connections to.

       Available in Postfix version 2.11 and later:

       postscreen_dnsbl_whitelist_threshold (0)
              Allow a remote SMTP client to skip "before" and "after 220
              greeting" protocol tests, based on its combined DNSBL score as
              defined with the postscreen_dnsbl_sites parameter.

       Available in Postfix version 3.0 and later:

       postscreen_dnsbl_timeout (10s)
              The time limit for DNSBL or DNSWL lookups.

AFTER 220 GREETING TESTS
       These tests are executed after the remote SMTP client receives the "220
       servername" greeting. If a client passes all tests during this phase,
       it will receive a 4XX response to all RCPT TO commands. After the
       client reconnects, it will be allowed to talk directly to a Postfix
       SMTP server process.

       postscreen_bare_newline_action (ignore)
              The action that postscreen(8) takes when a remote SMTP client
              sends a bare newline character, that is, a newline not preceded
              by carriage return.

       postscreen_bare_newline_enable (no)
              Enable "bare newline" SMTP protocol tests in the postscreen(8)
              server.

       postscreen_disable_vrfy_command ($disable_vrfy_command)
              Disable the SMTP VRFY command in the postscreen(8) daemon.

       postscreen_forbidden_commands ($smtpd_forbidden_commands)
              List of commands that the postscreen(8) server considers in
              violation of the SMTP protocol.

       postscreen_helo_required ($smtpd_helo_required)
              Require that a remote SMTP client sends HELO or EHLO before
              commencing a MAIL transaction.

       postscreen_non_smtp_command_action (drop)
              The action that postscreen(8) takes when a remote SMTP client
              sends non-SMTP commands as specified with the
              postscreen_forbidden_commands parameter.

       postscreen_non_smtp_command_enable (no)
              Enable "non-SMTP command" tests in the postscreen(8) server.

       postscreen_pipelining_action (enforce)
              The action that postscreen(8) takes when a remote SMTP client
              sends multiple commands instead of sending one command and
              waiting for the server to respond.

       postscreen_pipelining_enable (no)
              Enable "pipelining" SMTP protocol tests in the postscreen(8)
              server.
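
       The after-220 tests are easiest to understand as a state machine over
       the bytes a client sends: one write holding several commands is
       pipelining, a line ending in a newline without a carriage return is a
       bare newline, a verb from postscreen_forbidden_commands is a non-SMTP
       command, MAIL before HELO/EHLO trips postscreen_helo_required, and
       postscreen_command_count_limit caps the session; a client that passes
       still gets 4XX for every RCPT TO and must reconnect. The following is
       an added example that models that engine; it is not the Postfix
       source. The main.cf parameter names and the test names (PIPELINING,
       BARE NEWLINE, NON-SMTP COMMAND) are the page's; the reply texts, the
       "ignore/enforce/drop" handling (log only / keep talking but refuse
       recipients / 521 and disconnect), the default forbidden verbs and the
       `Engine`, `run` and `handle_line` names are assumptions of this
       example.

```python
from dataclasses import dataclass, field

# Simplified model of postscreen(8)'s built-in SMTP engine for the "after 220
# greeting" phase. Parameter names are real main.cf names; reply texts and the
# per-action behaviour are constructed for this example.
FORBIDDEN_COMMANDS = {"CONNECT", "GET", "POST"}   # assumed smtpd_forbidden_commands default
PROTOCOL_ERROR = "550 5.5.1 Protocol error"


@dataclass
class Engine:
    """One client session. Actions are 'ignore', 'enforce' or 'drop'."""
    pipelining_action: str = "enforce"      # postscreen_pipelining_action
    bare_newline_action: str = "ignore"     # postscreen_bare_newline_action
    non_smtp_command_action: str = "drop"   # postscreen_non_smtp_command_action
    helo_required: bool = False             # postscreen_helo_required
    command_count_limit: int = 20           # postscreen_command_count_limit
    violations: list = field(default_factory=list)  # (test, action) pairs
    replies: list = field(default_factory=list)     # what the client was told
    seen_helo: bool = False
    reject_mail: bool = False   # set by 'enforce': keep talking, refuse recipients
    closed: bool = False
    commands: int = 0

    def violate(self, test, action):
        """Record a failed test and apply its *_action parameter."""
        self.violations.append((test, action))
        if action == "drop":         # 521 and disconnect
            self.replies.append("521 5.5.1 Protocol error")
            self.closed = True
        elif action == "enforce":    # reject every delivery attempt this session
            self.reject_mail = True

    def passed(self):
        """Client may be whitelisted: no failure beyond 'ignore' (log only)."""
        return not any(action != "ignore" for _, action in self.violations)


def split_lines(data):
    """Complete lines in one client write, terminator kept; a trailing
    partial line is left out of this model."""
    lines = []
    while b"\n" in data:
        line, data = data.split(b"\n", 1)
        lines.append(line + b"\n")
    return lines


def handle_line(e, line):
    """Process one command line: bare-newline, command-count, non-SMTP-command
    and HELO-required checks, then the minimal command handling."""
    if not line.endswith(b"\r\n"):                  # newline without carriage return
        e.violate("BARE NEWLINE", e.bare_newline_action)
        if e.closed:
            return
    e.commands += 1
    if e.commands > e.command_count_limit:
        e.replies.append("421 4.7.0 Error: too many commands")
        e.closed = True
        return
    words = line.strip(b"\r\n").split(None, 1)
    verb = words[0].decode("ascii", "replace").upper() if words else ""
    if verb in FORBIDDEN_COMMANDS:
        e.violate("NON-SMTP COMMAND", e.non_smtp_command_action)
        if not e.closed:
            e.replies.append("502 5.5.2 Error: command not recognized")
    elif verb in ("HELO", "EHLO"):
        e.seen_helo = True
        e.replies.append("250 mx.example.test")
    elif verb == "MAIL":
        if e.helo_required and not e.seen_helo:
            e.replies.append("503 5.5.1 Error: send HELO/EHLO first")
        else:
            e.replies.append("250 2.1.0 Ok")
    elif verb == "RCPT":
        # postscreen never accepts a recipient itself: a client that passes
        # gets 4XX and must reconnect to reach a real smtpd(8) process.
        e.replies.append(PROTOCOL_ERROR if e.reject_mail
                         else "450 4.3.2 Service currently unavailable")
    elif verb == "DATA":
        e.replies.append("554 5.5.1 Error: no valid recipients")
    elif verb in ("NOOP", "RSET"):
        e.replies.append("250 2.0.0 Ok")
    elif verb == "QUIT":
        e.replies.append("221 2.0.0 Bye")
        e.closed = True
    else:
        e.replies.append("502 5.5.2 Error: command not recognized")


def run(e, client_writes):
    """Feed the bytes a client sent. Each element is one write made without
    waiting for a reply, which is how pipelining shows up to the server."""
    for data in client_writes:
        if e.closed:
            break
        lines = split_lines(data)
        if len(lines) > 1:                          # several commands in one write
            e.violate("PIPELINING", e.pipelining_action)
        for line in lines:
            if e.closed:
                break
            handle_line(e, line)
    return e


if __name__ == "__main__":
    # Constructed sessions: a well-behaved client, then a pipelining one.
    for writes in ([b"EHLO mail.example.org\r\n", b"RCPT TO:<a@example.com>\r\n", b"QUIT\r\n"],
                   [b"EHLO x\r\nMAIL FROM:<a@x.test>\r\nRCPT TO:<b@y.test>\r\n"]):
        session = run(Engine(), writes)
        print(session.violations, session.passed(), session.replies)
```

       With the defaults from the page (pipelining "enforce", bare newline
       "ignore", non-SMTP command "drop") the model shows why the three
       actions differ operationally: the pipelining client keeps a session but
       every recipient is refused with a 5XX, the bare-newline client is only
       logged and still passes, and the non-SMTP client is disconnected on its
       first line.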
275
277 postscreen_cache_cleanup_interval (12h)
278 The amount of time between postscreen(8) cache cleanup runs.
279
280 postscreen_cache_map (btree:$data_directory/postscreen_cache)
281 Persistent storage for the postscreen(8) server decisions.
282
283 postscreen_cache_retention_time (7d)
284 The amount of time that postscreen(8) will cache an expired tem‐
285 porary whitelist entry before it is removed.
286
287 postscreen_bare_newline_ttl (30d)
288 The amount of time that postscreen(8) will use the result from a
289 successful "bare newline" SMTP protocol test.
290
291 postscreen_dnsbl_max_ttl
292 (${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
293 The maximum amount of time that postscreen(8) will use the
294 result from a successful DNS-based reputation test before a
295 client IP address is required to pass that test again.
296
297 postscreen_dnsbl_min_ttl (60s)
298 The minimum amount of time that postscreen(8) will use the
299 result from a successful DNS-based reputation test before a
300 client IP address is required to pass that test again.
301
302 postscreen_greet_ttl (1d)
303 The amount of time that postscreen(8) will use the result from a
304 successful PREGREET test.
305
306 postscreen_non_smtp_command_ttl (30d)
307 The amount of time that postscreen(8) will use the result from a
308 successful "non_smtp_command" SMTP protocol test.
309
310 postscreen_pipelining_ttl (30d)
311 The amount of time that postscreen(8) will use the result from a
312 successful "pipelining" SMTP protocol test.
313
315 line_length_limit (2048)
316 Upon input, long lines are chopped up into pieces of at most
317 this length; upon delivery, long lines are reconstructed.
318
319 postscreen_client_connection_count_limit ($smtpd_client_connec‐
320 tion_count_limit)
321 How many simultaneous connections any remote SMTP client is
322 allowed to have with the postscreen(8) daemon.
323
324 postscreen_command_count_limit (20)
325 The limit on the total number of commands per SMTP session for
326 postscreen(8)'s built-in SMTP protocol engine.
327
328 postscreen_command_time_limit (normal: 300s, overload: 10s)
329 The time limit to read an entire command line with
330 postscreen(8)'s built-in SMTP protocol engine.
331
332 postscreen_post_queue_limit ($default_process_limit)
333 The number of clients that can be waiting for service from a
334 real Postfix SMTP server process.
335
336 postscreen_pre_queue_limit ($default_process_limit)
337 The number of non-whitelisted clients that can be waiting for a
338 decision whether they will receive service from a real Postfix
339 SMTP server process.
340
341 postscreen_watchdog_timeout (10s)
342 How much time a postscreen(8) process may take to respond to a
343 remote SMTP client command or to perform a cache operation
344 before it is terminated by a built-in watchdog timer.
345
347 postscreen_tls_security_level ($smtpd_tls_security_level)
348 The SMTP TLS security level for the postscreen(8) server; when a
349 non-empty value is specified, this overrides the obsolete param‐
350 eters postscreen_use_tls and postscreen_enforce_tls.
351
352 tlsproxy_service_name (tlsproxy)
353 The name of the tlsproxy(8) service entry in master.cf.
354
356 These parameters are supported for compatibility with smtpd(8) legacy
357 parameters.
358
359 postscreen_use_tls ($smtpd_use_tls)
360 Opportunistic TLS: announce STARTTLS support to remote SMTP
361 clients, but do not require that clients use TLS encryption.
362
363 postscreen_enforce_tls ($smtpd_enforce_tls)
364 Mandatory TLS: announce STARTTLS support to remote SMTP clients,
365 and require that clients use TLS encryption.
366
368 config_directory (see 'postconf -d' output)
369 The default location of the Postfix main.cf and master.cf con‐
370 figuration files.
371
372 delay_logging_resolution_limit (2)
373 The maximal number of digits after the decimal point when log‐
374 ging sub-second delay values.
375
376 command_directory (see 'postconf -d' output)
377 The location of all postfix administrative commands.
378
379 max_idle (100s)
380 The maximum amount of time that an idle Postfix daemon process
381 waits for an incoming connection before terminating voluntarily.
382
383 process_id (read-only)
384 The process ID of a Postfix command or daemon process.
385
386 process_name (read-only)
387 The process name of a Postfix command or daemon process.
388
389 syslog_facility (mail)
390 The syslog facility of Postfix logging.
391
392 syslog_name (see 'postconf -d' output)
393 A prefix that is prepended to the process name in syslog
394 records, so that, for example, "smtpd" becomes "prefix/smtpd".
395
396 Available in Postfix 3.3 and later:
397
398 service_name (read-only)
399 The master.cf service name of a Postfix daemon process.
400
402 smtpd(8), Postfix SMTP server
403 tlsproxy(8), Postfix TLS proxy server
404 dnsblog(8), DNS black/whitelist logger
405 syslogd(8), system logging
406
408 Use "postconf readme_directory" or "postconf html_directory" to locate
409 this information.
410 POSTSCREEN_README, Postfix Postscreen Howto
411
413 The Secure Mailer license must be distributed with this software.
414
416 This service was introduced with Postfix version 2.8.
417
418 Many ideas in postscreen(8) were explored in earlier work by Michael
419 Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
420
422 Wietse Venema
423 IBM T.J. Watson Research
424 P.O. Box 704
425 Yorktown Heights, NY 10598, USA
426
427 Wietse Venema
428 Google, Inc.
429 111 8th Avenue
430 New York, NY 10011, USA
431
432
433
434 POSTSCREEN(8)