1POSTSCREEN(8)               System Manager's Manual              POSTSCREEN(8)
2
3
4

NAME

6       postscreen - Postfix zombie blocker
7

SYNOPSIS

9       postscreen [generic Postfix daemon options]
10

DESCRIPTION

12       The Postfix postscreen(8) server provides additional protection against
13       mail  server  overload.  One  postscreen(8)  process  handles  multiple
14       inbound SMTP connections, and decides which clients may talk to a Post‐
15       fix SMTP server  process.   By  keeping  spambots  away,  postscreen(8)
16       leaves more SMTP server processes available for legitimate clients, and
17       delays the onset of server overload conditions.
18
19       This program should not be used on SMTP ports that  receive  mail  from
20       end-user clients (MUAs). In a typical deployment, postscreen(8) handles
21       the MX service on TCP port 25, and smtpd(8) receives mail from MUAs  on
22       the submission service (TCP port 587) which requires client authentica‐
23       tion.  Alternatively, a site could set up a dedicated,  non-postscreen,
24       "port  25" server that provides submission service and client authenti‐
25       cation, but no MX service.
26
27       postscreen(8) maintains a temporary whitelist  for  clients  that  have
28       passed  a  number  of  tests.   When  an  SMTP  client  IP  address  is
29       whitelisted, postscreen(8) hands off the connection  immediately  to  a
30       Postfix SMTP server process. This minimizes the overhead for legitimate
31       mail.
32
33       By default, postscreen(8) logs statistics and hands off each connection
34       to a Postfix SMTP server process, while excluding clients in mynetworks
35       from all tests (primarily, to avoid  problems  with  non-standard  SMTP
36       implementations  in  network  appliances).  This default mode blocks no
37       clients, and is useful for non-destructive testing.
38
39       In a typical production setting, postscreen(8) is configured to  reject
40       mail  from  clients  that  fail  one  or more tests. postscreen(8) logs
41       rejected mail with the  client  address,  helo,  sender  and  recipient
42       information.
43
44       postscreen(8)  is  not an SMTP proxy; this is intentional.  The purpose
45       is to keep spambots away from Postfix SMTP server processes, while min‐
46       imizing overhead for legitimate traffic.
47

SECURITY

49       The postscreen(8) server is moderately security-sensitive.  It talks to
50       untrusted clients on the network. The process can be  run  chrooted  at
51       fixed low privilege.
52

STANDARDS

54       RFC 821 (SMTP protocol)
55       RFC 1123 (Host requirements)
56       RFC 1652 (8bit-MIME transport)
57       RFC 1869 (SMTP service extensions)
58       RFC 1870 (Message Size Declaration)
59       RFC 1985 (ETRN command)
60       RFC 2034 (SMTP Enhanced Status Codes)
61       RFC 2821 (SMTP protocol)
62       Not: RFC 2920 (SMTP Pipelining)
63       RFC 3207 (STARTTLS command)
64       RFC 3461 (SMTP DSN Extension)
65       RFC 3463 (Enhanced Status Codes)
66       RFC 5321 (SMTP protocol, including multi-line 220 banners)
67

DIAGNOSTICS

69       Problems and transactions are logged to syslogd(8).
70

BUGS

72       The  postscreen(8)  built-in  SMTP  protocol  engine currently does not
73       announce support for AUTH, XCLIENT or XFORWARD.  If you  need  to  make
74       these  services  available  on port 25, then do not enable the optional
75       "after 220 server greeting" tests.
76
77       The optional "after 220 server greeting" tests may result in unexpected
78       delivery delays from senders that retry email delivery from a different
79       IP address.  Reason: after passing these tests a new client  must  dis‐
80       connect,  and  reconnect from the same IP address before it can deliver
81       mail. See POSTSCREEN_README, section "Tests after the 220  SMTP  server
82       greeting", for a discussion.
83

CONFIGURATION PARAMETERS

85       Changes  to  main.cf  are not picked up automatically, as postscreen(8)
86       processes may run for several hours.  Use the command "postfix  reload"
87       after a configuration change.
88
89       The  text  below provides only a parameter summary. See postconf(5) for
90       more details including examples.
91
92       NOTE: Some postscreen(8) parameters implement  stress-dependent  behav‐
93       ior.   This  is  supported  only  when  the  default parameter value is
94       stress-dependent (that is, it looks like ${stress?{X}:{Y}},  or  it  is
95       the  $name  of  an  smtpd  parameter  with a stress-dependent default).
96       Other parameters always evaluate as if the stress  parameter  value  is
97       the empty string.
98

COMPATIBILITY CONTROLS

100       postscreen_command_filter ($smtpd_command_filter)
101              A mechanism to transform commands from remote SMTP clients.
102
103       postscreen_discard_ehlo_keyword_address_maps  ($smtpd_discard_ehlo_key‐
104       word_address_maps)
105              Lookup tables, indexed by the remote SMTP client  address,  with
106              case  insensitive  lists of EHLO keywords (pipelining, starttls,
107              auth, etc.) that the postscreen(8) server will not send  in  the
108              EHLO response to a remote SMTP client.
109
110       postscreen_discard_ehlo_keywords ($smtpd_discard_ehlo_keywords)
111              A  case insensitive list of EHLO keywords (pipelining, starttls,
112              auth, etc.) that the postscreen(8) server will not send  in  the
113              EHLO response to a remote SMTP client.
114
115       Available in Postfix version 3.1 and later:
116
117       dns_ncache_ttl_fix_enable (no)
118              Enable a workaround for future libc incompatibility.
119

TROUBLE SHOOTING CONTROLS

121       postscreen_expansion_filter (see 'postconf -d' output)
122              List     of     characters     that     are     permitted     in
123              postscreen_reject_footer attribute expansions.
124
125       postscreen_reject_footer ($smtpd_reject_footer)
126              Optional information  that  is  appended  after  a  4XX  or  5XX
127              postscreen(8) server response.
128
129       soft_bounce (no)
130              Safety  net to keep mail queued that would otherwise be returned
131              to the sender.
132

BEFORE-POSTSCREEN PROXY AGENT

134       Available in Postfix version 2.10 and later:
135
136       postscreen_upstream_proxy_protocol (empty)
137              The  name  of  the  proxy   protocol   used   by   an   optional
138              before-postscreen proxy agent.
139
140       postscreen_upstream_proxy_timeout (5s)
141              The  time  limit  for  the  proxy  protocol  specified  with the
142              postscreen_upstream_proxy_protocol parameter.
143

PERMANENT WHITE/BLACKLIST TEST

145       This test is executed immediately after a remote SMTP client  connects.
146       If  a  client is permanently whitelisted, the client will be handed off
147       immediately to a Postfix SMTP server process.
148
149       postscreen_access_list (permit_mynetworks)
150              Permanent white/blacklist for remote SMTP client IP addresses.
151
152       postscreen_blacklist_action (ignore)
153              The action that postscreen(8) takes when a remote SMTP client is
154              permanently  blacklisted with the postscreen_access_list parame‐
155              ter.
156

MAIL EXCHANGER POLICY TESTS

158       When postscreen(8) is configured to monitor all primary and  backup  MX
159       addresses,  it can refuse to whitelist clients that connect to a backup
160       MX address only. For small sites, this requires configuring primary and
161       backup  MX  addresses on the same MTA. Larger sites would have to share
162       the postscreen(8) cache between primary and backup  MTAs,  which  would
163       introduce a common point of failure.
164
165       postscreen_whitelist_interfaces (static:all)
166              A  list  of  local  postscreen(8)  server  IP  addresses where a
167              non-whitelisted remote SMTP client  can  obtain  postscreen(8)'s
168              temporary whitelist status.
169

BEFORE 220 GREETING TESTS

171       These  tests  are  executed  before the remote SMTP client receives the
172       "220 servername" greeting. If no tests remain after the successful com‐
173       pletion  of  this phase, the client will be handed off immediately to a
174       Postfix SMTP server process.
175
176       dnsblog_service_name (dnsblog)
177              The name of the dnsblog(8) service entry in master.cf.
178
179       postscreen_dnsbl_action (ignore)
180              The action that postscreen(8) takes when a remote SMTP  client's
181              combined DNSBL score is equal to or greater than a threshold (as
182              defined      with      the      postscreen_dnsbl_sites       and
183              postscreen_dnsbl_threshold parameters).
184
185       postscreen_dnsbl_reply_map (empty)
186              A  mapping from actual DNSBL domain name which includes a secret
187              password, to the DNSBL domain name that  postscreen  will  reply
188              with when it rejects mail.
189
190       postscreen_dnsbl_sites (empty)
191              Optional list of DNS white/blacklist domains, filters and weight
192              factors.
193
194       postscreen_dnsbl_threshold (1)
195              The inclusive lower bound for blocking  a  remote  SMTP  client,
196              based   on   its  combined  DNSBL  score  as  defined  with  the
197              postscreen_dnsbl_sites parameter.
198
199       postscreen_greet_action (ignore)
200              The action that postscreen(8) takes when a  remote  SMTP  client
201              speaks  before  its  turn  within  the  time  specified with the
202              postscreen_greet_wait parameter.
203
204       postscreen_greet_banner ($smtpd_banner)
205              The text in the  optional  "220-text..."  server  response  that
206              postscreen(8) sends ahead of the real Postfix SMTP server's "220
207              text..." response, in an attempt to confuse bad SMTP clients  so
208              that they speak before their turn (pre-greet).
209
210       postscreen_greet_wait (normal: 6s, overload: 2s)
211              The  amount  of  time  that  postscreen(8) will wait for an SMTP
212              client to send a command before its turn, and for DNS  blocklist
213              lookup results to arrive (default: up to 2 seconds under stress,
214              up to 6 seconds otherwise).
215
216       smtpd_service_name (smtpd)
217              The internal service that postscreen(8) hands off  allowed  con‐
218              nections to.
219
220       Available in Postfix version 2.11 and later:
221
222       postscreen_dnsbl_whitelist_threshold (0)
223              Allow  a  remote  SMTP  client  to  skip "before" and "after 220
224              greeting" protocol tests, based on its combined DNSBL  score  as
225              defined with the postscreen_dnsbl_sites parameter.
226
227       Available in Postfix version 3.0 and later:
228
229       postscreen_dnsbl_timeout (10s)
230              The time limit for DNSBL or DNSWL lookups.
231

AFTER 220 GREETING TESTS

233       These tests are executed after the remote SMTP client receives the "220
234       servername" greeting. If a client passes all tests during  this  phase,
235       it  will  receive  a  4XX  response  to all RCPT TO commands. After the
236       client reconnects, it will be allowed to talk  directly  to  a  Postfix
237       SMTP server process.
238
239       postscreen_bare_newline_action (ignore)
240              The  action  that  postscreen(8) takes when a remote SMTP client
241              sends a bare newline character, that is, a newline not  preceded
242              by carriage return.
243
244       postscreen_bare_newline_enable (no)
245              Enable  "bare  newline" SMTP protocol tests in the postscreen(8)
246              server.
247
248       postscreen_disable_vrfy_command ($disable_vrfy_command)
249              Disable the SMTP VRFY command in the postscreen(8) daemon.
250
251       postscreen_forbidden_commands ($smtpd_forbidden_commands)
252              List of commands that the postscreen(8) server considers in vio‐
253              lation of the SMTP protocol.
254
255       postscreen_helo_required ($smtpd_helo_required)
256              Require that a remote SMTP client sends HELO or EHLO before com‐
257              mencing a MAIL transaction.
258
259       postscreen_non_smtp_command_action (drop)
260              The action that postscreen(8) takes when a  remote  SMTP  client
261              sends non-SMTP commands as specified with the postscreen_forbid‐
262              den_commands parameter.
263
264       postscreen_non_smtp_command_enable (no)
265              Enable "non-SMTP command" tests in the postscreen(8) server.
266
267       postscreen_pipelining_action (enforce)
268              The action that postscreen(8) takes when a  remote  SMTP  client
269              sends multiple commands instead of sending one command and wait‐
270              ing for the server to respond.
271
272       postscreen_pipelining_enable (no)
273              Enable "pipelining" SMTP protocol  tests  in  the  postscreen(8)
274              server.
275

CACHE CONTROLS

277       postscreen_cache_cleanup_interval (12h)
278              The amount of time between postscreen(8) cache cleanup runs.
279
280       postscreen_cache_map (btree:$data_directory/postscreen_cache)
281              Persistent storage for the postscreen(8) server decisions.
282
283       postscreen_cache_retention_time (7d)
284              The amount of time that postscreen(8) will cache an expired tem‐
285              porary whitelist entry before it is removed.
286
287       postscreen_bare_newline_ttl (30d)
288              The amount of time that postscreen(8) will use the result from a
289              successful "bare newline" SMTP protocol test.
290
291       postscreen_dnsbl_max_ttl
292       (${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
293              The maximum amount of  time  that  postscreen(8)  will  use  the
294              result  from  a  successful  DNS-based  reputation test before a
295              client IP address is required to pass that test again.
296
297       postscreen_dnsbl_min_ttl (60s)
298              The minimum amount of  time  that  postscreen(8)  will  use  the
299              result  from  a  successful  DNS-based  reputation test before a
300              client IP address is required to pass that test again.
301
302       postscreen_greet_ttl (1d)
303              The amount of time that postscreen(8) will use the result from a
304              successful PREGREET test.
305
306       postscreen_non_smtp_command_ttl (30d)
307              The amount of time that postscreen(8) will use the result from a
308              successful "non_smtp_command" SMTP protocol test.
309
310       postscreen_pipelining_ttl (30d)
311              The amount of time that postscreen(8) will use the result from a
312              successful "pipelining" SMTP protocol test.
313

RESOURCE CONTROLS

315       line_length_limit (2048)
316              Upon  input,  long  lines  are chopped up into pieces of at most
317              this length; upon delivery, long lines are reconstructed.
318
319       postscreen_client_connection_count_limit         ($smtpd_client_connec‐
320       tion_count_limit)
321              How  many  simultaneous  connections  any  remote SMTP client is
322              allowed to have with the postscreen(8) daemon.
323
324       postscreen_command_count_limit (20)
325              The limit on the total number of commands per SMTP  session  for
326              postscreen(8)'s built-in SMTP protocol engine.
327
328       postscreen_command_time_limit (normal: 300s, overload: 10s)
329              The   time   limit   to   read   an  entire  command  line  with
330              postscreen(8)'s built-in SMTP protocol engine.
331
332       postscreen_post_queue_limit ($default_process_limit)
333              The number of clients that can be waiting  for  service  from  a
334              real Postfix SMTP server process.
335
336       postscreen_pre_queue_limit ($default_process_limit)
337              The  number of non-whitelisted clients that can be waiting for a
338              decision whether they will receive service from a  real  Postfix
339              SMTP server process.
340
341       postscreen_watchdog_timeout (10s)
342              How  much  time a postscreen(8) process may take to respond to a
343              remote SMTP client command  or  to  perform  a  cache  operation
344              before it is terminated by a built-in watchdog timer.
345

STARTTLS CONTROLS

347       postscreen_tls_security_level ($smtpd_tls_security_level)
348              The SMTP TLS security level for the postscreen(8) server; when a
349              non-empty value is specified, this overrides the obsolete param‐
350              eters postscreen_use_tls and postscreen_enforce_tls.
351
352       tlsproxy_service_name (tlsproxy)
353              The name of the tlsproxy(8) service entry in master.cf.
354

OBSOLETE STARTTLS SUPPORT CONTROLS

356       These  parameters  are supported for compatibility with smtpd(8) legacy
357       parameters.
358
359       postscreen_use_tls ($smtpd_use_tls)
360              Opportunistic TLS: announce  STARTTLS  support  to  remote  SMTP
361              clients, but do not require that clients use TLS encryption.
362
363       postscreen_enforce_tls ($smtpd_enforce_tls)
364              Mandatory TLS: announce STARTTLS support to remote SMTP clients,
365              and require that clients use TLS encryption.
366

MISCELLANEOUS CONTROLS

368       config_directory (see 'postconf -d' output)
369              The default location of the Postfix main.cf and  master.cf  con‐
370              figuration files.
371
372       delay_logging_resolution_limit (2)
373              The  maximal  number of digits after the decimal point when log‐
374              ging sub-second delay values.
375
376       command_directory (see 'postconf -d' output)
377              The location of all postfix administrative commands.
378
379       max_idle (100s)
380              The maximum amount of time that an idle Postfix  daemon  process
381              waits for an incoming connection before terminating voluntarily.
382
383       process_id (read-only)
384              The process ID of a Postfix command or daemon process.
385
386       process_name (read-only)
387              The process name of a Postfix command or daemon process.
388
389       syslog_facility (mail)
390              The syslog facility of Postfix logging.
391
392       syslog_name (see 'postconf -d' output)
393              A  prefix  that  is  prepended  to  the  process  name in syslog
394              records, so that, for example, "smtpd" becomes "prefix/smtpd".
395
396       Available in Postfix 3.3 and later:
397
398       service_name (read-only)
399              The master.cf service name of a Postfix daemon process.
400

SEE ALSO

402       smtpd(8), Postfix SMTP server
403       tlsproxy(8), Postfix TLS proxy server
404       dnsblog(8), DNS black/whitelist logger
405       syslogd(8), system logging
406

README FILES

408       Use "postconf readme_directory" or "postconf html_directory" to  locate
409       this information.
410       POSTSCREEN_README, Postfix Postscreen Howto
411

LICENSE

413       The Secure Mailer license must be distributed with this software.
414

HISTORY

416       This service was introduced with Postfix version 2.8.
417
418       Many  ideas  in  postscreen(8) were explored in earlier work by Michael
419       Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
420

AUTHOR(S)

422       Wietse Venema
423       IBM T.J. Watson Research
424       P.O. Box 704
425       Yorktown Heights, NY 10598, USA
426
427       Wietse Venema
428       Google, Inc.
429       111 8th Avenue
430       New York, NY 10011, USA
431
432
433
434                                                                 POSTSCREEN(8)
Impressum