1POSTSCREEN(8)               System Manager's Manual              POSTSCREEN(8)
2
3
4

NAME

6       postscreen - Postfix zombie blocker
7

SYNOPSIS

9       postscreen [generic Postfix daemon options]
10

DESCRIPTION

12       The Postfix postscreen(8) server provides additional protection against
13       mail  server  overload.  One  postscreen(8)  process  handles  multiple
14       inbound SMTP connections, and decides which clients may talk to a Post‐
15       fix SMTP server  process.   By  keeping  spambots  away,  postscreen(8)
16       leaves more SMTP server processes available for legitimate clients, and
17       delays the onset of server overload conditions.
18
19       This program should not be used on SMTP ports that  receive  mail  from
20       end-user clients (MUAs). In a typical deployment, postscreen(8) handles
21       the MX service on TCP port 25, and smtpd(8) receives mail from MUAs  on
22       the submission service (TCP port 587) which requires client authentica‐
23       tion.  Alternatively, a site could set up a dedicated,  non-postscreen,
24       "port  25" server that provides submission service and client authenti‐
25       cation, but no MX service.
26
27       postscreen(8) maintains a temporary whitelist  for  clients  that  have
28       passed  a  number  of  tests.   When  an  SMTP  client  IP  address  is
29       whitelisted, postscreen(8) hands off the connection  immediately  to  a
30       Postfix SMTP server process. This minimizes the overhead for legitimate
31       mail.
32
33       By default, postscreen(8) logs statistics and hands off each connection
34       to a Postfix SMTP server process, while excluding clients in mynetworks
35       from all tests (primarily, to avoid  problems  with  non-standard  SMTP
36       implementations  in  network  appliances).  This default mode blocks no
37       clients, and is useful for non-destructive testing.
38
39       In a typical production setting, postscreen(8) is configured to  reject
40       mail  from  clients  that  fail  one  or more tests. postscreen(8) logs
41       rejected mail with the  client  address,  helo,  sender  and  recipient
42       information.
43
44       postscreen(8)  is  not an SMTP proxy; this is intentional.  The purpose
45       is to keep spambots away from Postfix SMTP server processes, while min‐
46       imizing overhead for legitimate traffic.
47

SECURITY

49       The postscreen(8) server is moderately security-sensitive.  It talks to
50       untrusted clients on the network. The process can be  run  chrooted  at
51       fixed low privilege.
52

STANDARDS

54       RFC 821 (SMTP protocol)
55       RFC 1123 (Host requirements)
56       RFC 1652 (8bit-MIME transport)
57       RFC 1869 (SMTP service extensions)
58       RFC 1870 (Message Size Declaration)
59       RFC 1985 (ETRN command)
60       RFC 2034 (SMTP Enhanced Status Codes)
61       RFC 2821 (SMTP protocol)
62       Not: RFC 2920 (SMTP Pipelining)
63       RFC 3030 (CHUNKING without BINARYMIME)
64       RFC 3207 (STARTTLS command)
65       RFC 3461 (SMTP DSN Extension)
66       RFC 3463 (Enhanced Status Codes)
67       RFC 5321 (SMTP protocol, including multi-line 220 banners)
68

DIAGNOSTICS

70       Problems and transactions are logged to syslogd(8) or postlogd(8).
71

BUGS

73       The  postscreen(8)  built-in  SMTP  protocol  engine currently does not
74       announce support for AUTH, XCLIENT or XFORWARD.  If you  need  to  make
75       these  services  available  on port 25, then do not enable the optional
76       "after 220 server greeting" tests.
77
78       The optional "after 220 server greeting" tests may result in unexpected
79       delivery delays from senders that retry email delivery from a different
80       IP address.  Reason: after passing these tests a new client  must  dis‐
81       connect,  and  reconnect from the same IP address before it can deliver
82       mail. See POSTSCREEN_README, section "Tests after the 220  SMTP  server
83       greeting", for a discussion.
84

CONFIGURATION PARAMETERS

86       Changes  to  main.cf  are not picked up automatically, as postscreen(8)
87       processes may run for several hours.  Use the command "postfix  reload"
88       after a configuration change.
89
90       The  text  below provides only a parameter summary. See postconf(5) for
91       more details including examples.
92
93       NOTE: Some postscreen(8) parameters implement  stress-dependent  behav‐
94       ior.   This  is  supported  only  when  the  default parameter value is
95       stress-dependent (that is, it looks like ${stress?{X}:{Y}},  or  it  is
96       the  $name  of  an  smtpd  parameter  with a stress-dependent default).
97       Other parameters always evaluate as if the stress  parameter  value  is
98       the empty string.
99

COMPATIBILITY CONTROLS

101       postscreen_command_filter ($smtpd_command_filter)
102              A mechanism to transform commands from remote SMTP clients.
103
104       postscreen_discard_ehlo_keyword_address_maps  ($smtpd_discard_ehlo_key‐
105       word_address_maps)
106              Lookup tables, indexed by the remote SMTP client  address,  with
107              case  insensitive  lists of EHLO keywords (pipelining, starttls,
108              auth, etc.) that the postscreen(8) server will not send  in  the
109              EHLO response to a remote SMTP client.
110
111       postscreen_discard_ehlo_keywords ($smtpd_discard_ehlo_keywords)
112              A  case insensitive list of EHLO keywords (pipelining, starttls,
113              auth, etc.) that the postscreen(8) server will not send  in  the
114              EHLO response to a remote SMTP client.
115
116       Available in Postfix version 3.1 and later:
117
118       dns_ncache_ttl_fix_enable (no)
119              Enable a workaround for future libc incompatibility.
120
121       Available in Postfix version 3.4 and later:
122
123       postscreen_reject_footer_maps ($smtpd_reject_footer_maps)
124              Optional  lookup  table for information that is appended after a
125              4XX or 5XX postscreen(8) server response.
126

TROUBLE SHOOTING CONTROLS

128       postscreen_expansion_filter (see 'postconf -d' output)
129              List     of     characters     that     are     permitted     in
130              postscreen_reject_footer attribute expansions.
131
132       postscreen_reject_footer ($smtpd_reject_footer)
133              Optional  information  that  is  appended  after  a  4XX  or 5XX
134              postscreen(8) server response.
135
136       soft_bounce (no)
137              Safety net to keep mail queued that would otherwise be  returned
138              to the sender.
139

BEFORE-POSTSCREEN PROXY AGENT

141       Available in Postfix version 2.10 and later:
142
143       postscreen_upstream_proxy_protocol (empty)
144              The   name   of   the   proxy   protocol  used  by  an  optional
145              before-postscreen proxy agent.
146
147       postscreen_upstream_proxy_timeout (5s)
148              The time  limit  for  the  proxy  protocol  specified  with  the
149              postscreen_upstream_proxy_protocol parameter.
150

PERMANENT WHITE/BLACKLIST TEST

152       This  test is executed immediately after a remote SMTP client connects.
153       If a client is permanently whitelisted, the client will be  handed  off
154       immediately to a Postfix SMTP server process.
155
156       postscreen_access_list (permit_mynetworks)
157              Permanent white/blacklist for remote SMTP client IP addresses.
158
159       postscreen_blacklist_action (ignore)
160              The action that postscreen(8) takes when a remote SMTP client is
161              permanently blacklisted with the postscreen_access_list  parame‐
162              ter.
163

MAIL EXCHANGER POLICY TESTS

165       When  postscreen(8)  is configured to monitor all primary and backup MX
166       addresses, it can refuse to whitelist clients that connect to a  backup
167       MX address only. For small sites, this requires configuring primary and
168       backup MX addresses on the same MTA. Larger sites would have  to  share
169       the  postscreen(8)  cache  between primary and backup MTAs, which would
170       introduce a common point of failure.
171
172       postscreen_whitelist_interfaces (static:all)
173              A list of  local  postscreen(8)  server  IP  addresses  where  a
174              non-whitelisted  remote  SMTP  client can obtain postscreen(8)'s
175              temporary whitelist status.
176

BEFORE 220 GREETING TESTS

178       These tests are executed before the remote  SMTP  client  receives  the
179       "220 servername" greeting. If no tests remain after the successful com‐
180       pletion of this phase, the client will be handed off immediately  to  a
181       Postfix SMTP server process.
182
183       dnsblog_service_name (dnsblog)
184              The name of the dnsblog(8) service entry in master.cf.
185
186       postscreen_dnsbl_action (ignore)
187              The  action that postscreen(8) takes when a remote SMTP client's
188              combined DNSBL score is equal to or greater than a threshold (as
189              defined       with      the      postscreen_dnsbl_sites      and
190              postscreen_dnsbl_threshold parameters).
191
192       postscreen_dnsbl_reply_map (empty)
193              A mapping from actual DNSBL domain name which includes a  secret
194              password,  to  the  DNSBL domain name that postscreen will reply
195              with when it rejects mail.
196
197       postscreen_dnsbl_sites (empty)
198              Optional list of DNS white/blacklist domains, filters and weight
199              factors.
200
201       postscreen_dnsbl_threshold (1)
202              The  inclusive  lower  bound  for blocking a remote SMTP client,
203              based  on  its  combined  DNSBL  score  as  defined   with   the
204              postscreen_dnsbl_sites parameter.
205
206       postscreen_greet_action (ignore)
207              The  action  that  postscreen(8) takes when a remote SMTP client
208              speaks before its  turn  within  the  time  specified  with  the
209              postscreen_greet_wait parameter.
210
211       postscreen_greet_banner ($smtpd_banner)
212              The  text  in  the  optional  "220-text..." server response that
213              postscreen(8) sends ahead of the real Postfix SMTP server's "220
214              text..."  response, in an attempt to confuse bad SMTP clients so
215              that they speak before their turn (pre-greet).
216
217       postscreen_greet_wait (normal: 6s, overload: 2s)
218              The amount of time that postscreen(8)  will  wait  for  an  SMTP
219              client  to send a command before its turn, and for DNS blocklist
220              lookup results to arrive (default: up to 2 seconds under stress,
221              up to 6 seconds otherwise).
222
223       smtpd_service_name (smtpd)
224              The  internal  service that postscreen(8) hands off allowed con‐
225              nections to.
226
227       Available in Postfix version 2.11 and later:
228
229       postscreen_dnsbl_whitelist_threshold (0)
230              Allow a remote SMTP client  to  skip  "before"  and  "after  220
231              greeting"  protocol  tests, based on its combined DNSBL score as
232              defined with the postscreen_dnsbl_sites parameter.
233
234       Available in Postfix version 3.0 and later:
235
236       postscreen_dnsbl_timeout (10s)
237              The time limit for DNSBL or DNSWL lookups.
238

AFTER 220 GREETING TESTS

240       These tests are executed after the remote SMTP client receives the "220
241       servername"  greeting.  If a client passes all tests during this phase,
242       it will receive a 4XX response to  all  RCPT  TO  commands.  After  the
243       client  reconnects,  it  will  be allowed to talk directly to a Postfix
244       SMTP server process.
245
246       postscreen_bare_newline_action (ignore)
247              The action that postscreen(8) takes when a  remote  SMTP  client
248              sends  a bare newline character, that is, a newline not preceded
249              by carriage return.
250
251       postscreen_bare_newline_enable (no)
252              Enable "bare newline" SMTP protocol tests in  the  postscreen(8)
253              server.
254
255       postscreen_disable_vrfy_command ($disable_vrfy_command)
256              Disable the SMTP VRFY command in the postscreen(8) daemon.
257
258       postscreen_forbidden_commands ($smtpd_forbidden_commands)
259              List of commands that the postscreen(8) server considers in vio‐
260              lation of the SMTP protocol.
261
262       postscreen_helo_required ($smtpd_helo_required)
263              Require that a remote SMTP client sends HELO or EHLO before com‐
264              mencing a MAIL transaction.
265
266       postscreen_non_smtp_command_action (drop)
267              The  action  that  postscreen(8) takes when a remote SMTP client
268              sends non-SMTP commands as specified with the postscreen_forbid‐
269              den_commands parameter.
270
271       postscreen_non_smtp_command_enable (no)
272              Enable "non-SMTP command" tests in the postscreen(8) server.
273
274       postscreen_pipelining_action (enforce)
275              The  action  that  postscreen(8) takes when a remote SMTP client
276              sends multiple commands instead of sending one command and wait‐
277              ing for the server to respond.
278
279       postscreen_pipelining_enable (no)
280              Enable  "pipelining"  SMTP  protocol  tests in the postscreen(8)
281              server.
282

CACHE CONTROLS

284       postscreen_cache_cleanup_interval (12h)
285              The amount of time between postscreen(8) cache cleanup runs.
286
287       postscreen_cache_map (btree:$data_directory/postscreen_cache)
288              Persistent storage for the postscreen(8) server decisions.
289
290       postscreen_cache_retention_time (7d)
291              The amount of time that postscreen(8) will cache an expired tem‐
292              porary whitelist entry before it is removed.
293
294       postscreen_bare_newline_ttl (30d)
295              The amount of time that postscreen(8) will use the result from a
296              successful "bare newline" SMTP protocol test.
297
298       postscreen_dnsbl_max_ttl
299       (${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
300              The  maximum  amount  of  time  that  postscreen(8) will use the
301              result from a successful  DNS-based  reputation  test  before  a
302              client IP address is required to pass that test again.
303
304       postscreen_dnsbl_min_ttl (60s)
305              The  minimum  amount  of  time  that  postscreen(8) will use the
306              result from a successful  DNS-based  reputation  test  before  a
307              client IP address is required to pass that test again.
308
309       postscreen_greet_ttl (1d)
310              The amount of time that postscreen(8) will use the result from a
311              successful PREGREET test.
312
313       postscreen_non_smtp_command_ttl (30d)
314              The amount of time that postscreen(8) will use the result from a
315              successful "non_smtp_command" SMTP protocol test.
316
317       postscreen_pipelining_ttl (30d)
318              The amount of time that postscreen(8) will use the result from a
319              successful "pipelining" SMTP protocol test.
320

RESOURCE CONTROLS

322       line_length_limit (2048)
323              Upon input, long lines are chopped up into  pieces  of  at  most
324              this length; upon delivery, long lines are reconstructed.
325
326       postscreen_client_connection_count_limit         ($smtpd_client_connec‐
327       tion_count_limit)
328              How many simultaneous connections  any  remote  SMTP  client  is
329              allowed to have with the postscreen(8) daemon.
330
331       postscreen_command_count_limit (20)
332              The  limit  on the total number of commands per SMTP session for
333              postscreen(8)'s built-in SMTP protocol engine.
334
335       postscreen_command_time_limit (normal: 300s, overload: 10s)
336              The  time  limit  to  read   an   entire   command   line   with
337              postscreen(8)'s built-in SMTP protocol engine.
338
339       postscreen_post_queue_limit ($default_process_limit)
340              The  number  of  clients  that can be waiting for service from a
341              real Postfix SMTP server process.
342
343       postscreen_pre_queue_limit ($default_process_limit)
344              The number of non-whitelisted clients that can be waiting for  a
345              decision  whether  they will receive service from a real Postfix
346              SMTP server process.
347
348       postscreen_watchdog_timeout (10s)
349              How much time a postscreen(8) process may take to respond  to  a
350              remote  SMTP  client  command  or  to  perform a cache operation
351              before it is terminated by a built-in watchdog timer.
352

STARTTLS CONTROLS

354       postscreen_tls_security_level ($smtpd_tls_security_level)
355              The SMTP TLS security level for the postscreen(8) server; when a
356              non-empty value is specified, this overrides the obsolete param‐
357              eters postscreen_use_tls and postscreen_enforce_tls.
358
359       tlsproxy_service_name (tlsproxy)
360              The name of the tlsproxy(8) service entry in master.cf.
361

OBSOLETE STARTTLS SUPPORT CONTROLS

363       These parameters are supported for compatibility with  smtpd(8)  legacy
364       parameters.
365
366       postscreen_use_tls ($smtpd_use_tls)
367              Opportunistic  TLS:  announce  STARTTLS  support  to remote SMTP
368              clients, but do not require that clients use TLS encryption.
369
370       postscreen_enforce_tls ($smtpd_enforce_tls)
371              Mandatory TLS: announce STARTTLS support to remote SMTP clients,
372              and require that clients use TLS encryption.
373

MISCELLANEOUS CONTROLS

375       config_directory (see 'postconf -d' output)
376              The  default  location of the Postfix main.cf and master.cf con‐
377              figuration files.
378
379       delay_logging_resolution_limit (2)
380              The maximal number of digits after the decimal point  when  log‐
381              ging sub-second delay values.
382
383       command_directory (see 'postconf -d' output)
384              The location of all postfix administrative commands.
385
386       max_idle (100s)
387              The  maximum  amount of time that an idle Postfix daemon process
388              waits for an incoming connection before terminating voluntarily.
389
390       process_id (read-only)
391              The process ID of a Postfix command or daemon process.
392
393       process_name (read-only)
394              The process name of a Postfix command or daemon process.
395
396       syslog_facility (mail)
397              The syslog facility of Postfix logging.
398
399       syslog_name (see 'postconf -d' output)
400              A prefix that  is  prepended  to  the  process  name  in  syslog
401              records, so that, for example, "smtpd" becomes "prefix/smtpd".
402
403       Available in Postfix 3.3 and later:
404
405       service_name (read-only)
406              The master.cf service name of a Postfix daemon process.
407
408       Available in Postfix 3.5 and later:
409
410       info_log_address_format (external)
411              The  email  address  form that will be used in non-debug logging
412              (info, warning, etc.).
413

SEE ALSO

415       smtpd(8), Postfix SMTP server
416       tlsproxy(8), Postfix TLS proxy server
417       dnsblog(8), DNS black/whitelist logger
418       postlogd(8), Postfix logging
419       syslogd(8), system logging
420

README FILES

422       Use "postconf readme_directory" or "postconf html_directory" to  locate
423       this information.
424       POSTSCREEN_README, Postfix Postscreen Howto
425

LICENSE

427       The Secure Mailer license must be distributed with this software.
428

HISTORY

430       This service was introduced with Postfix version 2.8.
431
432       Many  ideas  in  postscreen(8) were explored in earlier work by Michael
433       Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
434

AUTHOR(S)

436       Wietse Venema
437       IBM T.J. Watson Research
438       P.O. Box 704
439       Yorktown Heights, NY 10598, USA
440
441       Wietse Venema
442       Google, Inc.
443       111 8th Avenue
444       New York, NY 10011, USA
445
446
447
448                                                                 POSTSCREEN(8)
Impressum