1POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
2
6 postscreen - Postfix zombie blocker
7
9 postscreen [generic Postfix daemon options]
10
12 The Postfix postscreen(8) server provides additional protection against
13 mail server overload. One postscreen(8) process handles multiple
14 inbound SMTP connections, and decides which clients may talk to a Post‐
15 fix SMTP server process. By keeping spambots away, postscreen(8)
16 leaves more SMTP server processes available for legitimate clients, and
17 delays the onset of server overload conditions.
18 This program should not be used on SMTP ports that receive mail from
20 end-user clients (MUAs). In a typical deployment, postscreen(8) handles
21 the MX service on TCP port 25, and smtpd(8) receives mail from MUAs on
22 the submission service (TCP port 587) which requires client authentica‐
23 tion. Alternatively, a site could set up a dedicated, non-postscreen,
24 "port 25" server that provides submission service and client authenti‐
25 cation, but no MX service.
26 postscreen(8) maintains a temporary whitelist for clients that have
28 passed a number of tests. When an SMTP client IP address is
29 whitelisted, postscreen(8) hands off the connection immediately to a
30 Postfix SMTP server process. This minimizes the overhead for legitimate
31 mail.
32 By default, postscreen(8) logs statistics and hands off each connection
34 to a Postfix SMTP server process, while excluding clients in mynetworks
35 from all tests (primarily, to avoid problems with non-standard SMTP
36 implementations in network appliances). This default mode blocks no
37 clients, and is useful for non-destructive testing.
38 In a typical production setting, postscreen(8) is configured to reject
40 mail from clients that fail one or more tests. postscreen(8) logs
41 rejected mail with the client address, helo, sender and recipient
42 information.
43 postscreen(8) is not an SMTP proxy; this is intentional. The purpose
45 is to keep spambots away from Postfix SMTP server processes, while min‐
46 imizing overhead for legitimate traffic.
47
49 The postscreen(8) server is moderately security-sensitive. It talks to
50 untrusted clients on the network. The process can be run chrooted at
51 fixed low privilege.
52
54 RFC 821 (SMTP protocol)
55 RFC 1123 (Host requirements)
56 RFC 1652 (8bit-MIME transport)
57 RFC 1869 (SMTP service extensions)
58 RFC 1870 (Message Size Declaration)
59 RFC 1985 (ETRN command)
60 RFC 2034 (SMTP Enhanced Status Codes)
61 RFC 2821 (SMTP protocol)
62 Not: RFC 2920 (SMTP Pipelining)
63 RFC 3030 (CHUNKING without BINARYMIME)
64 RFC 3207 (STARTTLS command)
65 RFC 3461 (SMTP DSN Extension)
66 RFC 3463 (Enhanced Status Codes)
67 RFC 5321 (SMTP protocol, including multi-line 220 banners)
68
70 Problems and transactions are logged to syslogd(8) or postlogd(8).
71
73 The postscreen(8) built-in SMTP protocol engine currently does not
74 announce support for AUTH, XCLIENT or XFORWARD. If you need to make
75 these services available on port 25, then do not enable the optional
76 "after 220 server greeting" tests.
77 The optional "after 220 server greeting" tests may result in unexpected
79 delivery delays from senders that retry email delivery from a different
80 IP address. Reason: after passing these tests a new client must dis‐
81 connect, and reconnect from the same IP address before it can deliver
82 mail. See POSTSCREEN_README, section "Tests after the 220 SMTP server
83 greeting", for a discussion.
84
86 Changes to main.cf are not picked up automatically, as postscreen(8)
87 processes may run for several hours. Use the command "postfix reload"
88 after a configuration change.
89 The text below provides only a parameter summary. See postconf(5) for
91 more details including examples.
92 NOTE: Some postscreen(8) parameters implement stress-dependent behav‐
94 ior. This is supported only when the default parameter value is
95 stress-dependent (that is, it looks like ${stress?{X}:{Y}}, or it is
96 the $name of an smtpd parameter with a stress-dependent default).
97 Other parameters always evaluate as if the stress parameter value is
98 the empty string.
99
101 postscreen_command_filter ($smtpd_command_filter)
102 A mechanism to transform commands from remote SMTP clients.
103 postscreen_discard_ehlo_keyword_address_maps ($smtpd_discard_ehlo_key‐
105 word_address_maps)
106 Lookup tables, indexed by the remote SMTP client address, with
107 case insensitive lists of EHLO keywords (pipelining, starttls,
108 auth, etc.) that the postscreen(8) server will not send in the
109 EHLO response to a remote SMTP client.
110 postscreen_discard_ehlo_keywords ($smtpd_discard_ehlo_keywords)
112 A case insensitive list of EHLO keywords (pipelining, starttls,
113 auth, etc.) that the postscreen(8) server will not send in the
114 EHLO response to a remote SMTP client.
115 Available in Postfix version 3.1 and later:
117 dns_ncache_ttl_fix_enable (no)
119 Enable a workaround for future libc incompatibility.
120 Available in Postfix version 3.4 and later:
122 postscreen_reject_footer_maps ($smtpd_reject_footer_maps)
124 Optional lookup table for information that is appended after a
125 4XX or 5XX postscreen(8) server response.
126
128 postscreen_expansion_filter (see 'postconf -d' output)
129 List of characters that are permitted in
130 postscreen_reject_footer attribute expansions.
131 postscreen_reject_footer ($smtpd_reject_footer)
133 Optional information that is appended after a 4XX or 5XX
134 postscreen(8) server response.
135 soft_bounce (no)
137 Safety net to keep mail queued that would otherwise be returned
138 to the sender.
139
141 Available in Postfix version 2.10 and later:
142 postscreen_upstream_proxy_protocol (empty)
144 The name of the proxy protocol used by an optional
145 before-postscreen proxy agent.
146 postscreen_upstream_proxy_timeout (5s)
148 The time limit for the proxy protocol specified with the
149 postscreen_upstream_proxy_protocol parameter.
150
152 This test is executed immediately after a remote SMTP client connects.
153 If a client is permanently whitelisted, the client will be handed off
154 immediately to a Postfix SMTP server process.
155 postscreen_access_list (permit_mynetworks)
157 Permanent white/blacklist for remote SMTP client IP addresses.
158 postscreen_blacklist_action (ignore)
160 The action that postscreen(8) takes when a remote SMTP client is
161 permanently blacklisted with the postscreen_access_list parame‐
162 ter.
163
165 When postscreen(8) is configured to monitor all primary and backup MX
166 addresses, it can refuse to whitelist clients that connect to a backup
167 MX address only. For small sites, this requires configuring primary and
168 backup MX addresses on the same MTA. Larger sites would have to share
169 the postscreen(8) cache between primary and backup MTAs, which would
170 introduce a common point of failure.
171 postscreen_whitelist_interfaces (static:all)
173 A list of local postscreen(8) server IP addresses where a
174 non-whitelisted remote SMTP client can obtain postscreen(8)'s
175 temporary whitelist status.
176
178 These tests are executed before the remote SMTP client receives the
179 "220 servername" greeting. If no tests remain after the successful com‐
180 pletion of this phase, the client will be handed off immediately to a
181 Postfix SMTP server process.
182 dnsblog_service_name (dnsblog)
184 The name of the dnsblog(8) service entry in master.cf.
185 postscreen_dnsbl_action (ignore)
187 The action that postscreen(8) takes when a remote SMTP client's
188 combined DNSBL score is equal to or greater than a threshold (as
189 defined with the postscreen_dnsbl_sites and
190 postscreen_dnsbl_threshold parameters).
191 postscreen_dnsbl_reply_map (empty)
193 A mapping from actual DNSBL domain name which includes a secret
194 password, to the DNSBL domain name that postscreen will reply
195 with when it rejects mail.
196 postscreen_dnsbl_sites (empty)
198 Optional list of DNS white/blacklist domains, filters and weight
199 factors.
200 postscreen_dnsbl_threshold (1)
202 The inclusive lower bound for blocking a remote SMTP client,
203 based on its combined DNSBL score as defined with the
204 postscreen_dnsbl_sites parameter.
205 postscreen_greet_action (ignore)
207 The action that postscreen(8) takes when a remote SMTP client
208 speaks before its turn within the time specified with the
209 postscreen_greet_wait parameter.
210 postscreen_greet_banner ($smtpd_banner)
212 The text in the optional "220-text..." server response that
213 postscreen(8) sends ahead of the real Postfix SMTP server's "220
214 text..." response, in an attempt to confuse bad SMTP clients so
215 that they speak before their turn (pre-greet).
216 postscreen_greet_wait (normal: 6s, overload: 2s)
218 The amount of time that postscreen(8) will wait for an SMTP
219 client to send a command before its turn, and for DNS blocklist
220 lookup results to arrive (default: up to 2 seconds under stress,
221 up to 6 seconds otherwise).
222 smtpd_service_name (smtpd)
224 The internal service that postscreen(8) hands off allowed con‐
225 nections to.
226 Available in Postfix version 2.11 and later:
228 postscreen_dnsbl_whitelist_threshold (0)
230 Allow a remote SMTP client to skip "before" and "after 220
231 greeting" protocol tests, based on its combined DNSBL score as
232 defined with the postscreen_dnsbl_sites parameter.
233 Available in Postfix version 3.0 and later:
235 postscreen_dnsbl_timeout (10s)
237 The time limit for DNSBL or DNSWL lookups.
238
240 These tests are executed after the remote SMTP client receives the "220
241 servername" greeting. If a client passes all tests during this phase,
242 it will receive a 4XX response to all RCPT TO commands. After the
243 client reconnects, it will be allowed to talk directly to a Postfix
244 SMTP server process.
245 postscreen_bare_newline_action (ignore)
247 The action that postscreen(8) takes when a remote SMTP client
248 sends a bare newline character, that is, a newline not preceded
249 by carriage return.
250 postscreen_bare_newline_enable (no)
252 Enable "bare newline" SMTP protocol tests in the postscreen(8)
253 server.
254 postscreen_disable_vrfy_command ($disable_vrfy_command)
256 Disable the SMTP VRFY command in the postscreen(8) daemon.
257 postscreen_forbidden_commands ($smtpd_forbidden_commands)
259 List of commands that the postscreen(8) server considers in vio‐
260 lation of the SMTP protocol.
261 postscreen_helo_required ($smtpd_helo_required)
263 Require that a remote SMTP client sends HELO or EHLO before com‐
264 mencing a MAIL transaction.
265 postscreen_non_smtp_command_action (drop)
267 The action that postscreen(8) takes when a remote SMTP client
268 sends non-SMTP commands as specified with the postscreen_forbid‐
269 den_commands parameter.
270 postscreen_non_smtp_command_enable (no)
272 Enable "non-SMTP command" tests in the postscreen(8) server.
273 postscreen_pipelining_action (enforce)
275 The action that postscreen(8) takes when a remote SMTP client
276 sends multiple commands instead of sending one command and wait‐
277 ing for the server to respond.
278 postscreen_pipelining_enable (no)
280 Enable "pipelining" SMTP protocol tests in the postscreen(8)
281 server.
282
284 postscreen_cache_cleanup_interval (12h)
285 The amount of time between postscreen(8) cache cleanup runs.
286 postscreen_cache_map (btree:$data_directory/postscreen_cache)
288 Persistent storage for the postscreen(8) server decisions.
289 postscreen_cache_retention_time (7d)
291 The amount of time that postscreen(8) will cache an expired tem‐
292 porary whitelist entry before it is removed.
293 postscreen_bare_newline_ttl (30d)
295 The amount of time that postscreen(8) will use the result from a
296 successful "bare newline" SMTP protocol test.
297 postscreen_dnsbl_max_ttl
299 (${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
300 The maximum amount of time that postscreen(8) will use the
301 result from a successful DNS-based reputation test before a
302 client IP address is required to pass that test again.
303 postscreen_dnsbl_min_ttl (60s)
305 The minimum amount of time that postscreen(8) will use the
306 result from a successful DNS-based reputation test before a
307 client IP address is required to pass that test again.
308 postscreen_greet_ttl (1d)
310 The amount of time that postscreen(8) will use the result from a
311 successful PREGREET test.
312 postscreen_non_smtp_command_ttl (30d)
314 The amount of time that postscreen(8) will use the result from a
315 successful "non_smtp_command" SMTP protocol test.
316 postscreen_pipelining_ttl (30d)
318 The amount of time that postscreen(8) will use the result from a
319 successful "pipelining" SMTP protocol test.
320
322 line_length_limit (2048)
323 Upon input, long lines are chopped up into pieces of at most
324 this length; upon delivery, long lines are reconstructed.
325 postscreen_client_connection_count_limit ($smtpd_client_connec‐
327 tion_count_limit)
328 How many simultaneous connections any remote SMTP client is
329 allowed to have with the postscreen(8) daemon.
330 postscreen_command_count_limit (20)
332 The limit on the total number of commands per SMTP session for
333 postscreen(8)'s built-in SMTP protocol engine.
334 postscreen_command_time_limit (normal: 300s, overload: 10s)
336 The time limit to read an entire command line with
337 postscreen(8)'s built-in SMTP protocol engine.
338 postscreen_post_queue_limit ($default_process_limit)
340 The number of clients that can be waiting for service from a
341 real Postfix SMTP server process.
342 postscreen_pre_queue_limit ($default_process_limit)
344 The number of non-whitelisted clients that can be waiting for a
345 decision whether they will receive service from a real Postfix
346 SMTP server process.
347 postscreen_watchdog_timeout (10s)
349 How much time a postscreen(8) process may take to respond to a
350 remote SMTP client command or to perform a cache operation
351 before it is terminated by a built-in watchdog timer.
352
354 postscreen_tls_security_level ($smtpd_tls_security_level)
355 The SMTP TLS security level for the postscreen(8) server; when a
356 non-empty value is specified, this overrides the obsolete param‐
357 eters postscreen_use_tls and postscreen_enforce_tls.
358 tlsproxy_service_name (tlsproxy)
360 The name of the tlsproxy(8) service entry in master.cf.
361
363 These parameters are supported for compatibility with smtpd(8) legacy
364 parameters.
365 postscreen_use_tls ($smtpd_use_tls)
367 Opportunistic TLS: announce STARTTLS support to remote SMTP
368 clients, but do not require that clients use TLS encryption.
369 postscreen_enforce_tls ($smtpd_enforce_tls)
371 Mandatory TLS: announce STARTTLS support to remote SMTP clients,
372 and require that clients use TLS encryption.
373
375 config_directory (see 'postconf -d' output)
376 The default location of the Postfix main.cf and master.cf con‐
377 figuration files.
378 delay_logging_resolution_limit (2)
380 The maximal number of digits after the decimal point when log‐
381 ging sub-second delay values.
382 command_directory (see 'postconf -d' output)
384 The location of all postfix administrative commands.
385 max_idle (100s)
387 The maximum amount of time that an idle Postfix daemon process
388 waits for an incoming connection before terminating voluntarily.
389 process_id (read-only)
391 The process ID of a Postfix command or daemon process.
392 process_name (read-only)
394 The process name of a Postfix command or daemon process.
395 syslog_facility (mail)
397 The syslog facility of Postfix logging.
398 syslog_name (see 'postconf -d' output)
400 A prefix that is prepended to the process name in syslog
401 records, so that, for example, "smtpd" becomes "prefix/smtpd".
402 Available in Postfix 3.3 and later:
404 service_name (read-only)
406 The master.cf service name of a Postfix daemon process.
407 Available in Postfix 3.5 and later:
409 info_log_address_format (external)
411 The email address form that will be used in non-debug logging
412 (info, warning, etc.).
413
415 smtpd(8), Postfix SMTP server
416 tlsproxy(8), Postfix TLS proxy server
417 dnsblog(8), DNS black/whitelist logger
418 postlogd(8), Postfix logging
419 syslogd(8), system logging
420
422 Use "postconf readme_directory" or "postconf html_directory" to locate
423 this information.
424 POSTSCREEN_README, Postfix Postscreen Howto
425
427 The Secure Mailer license must be distributed with this software.
428
430 This service was introduced with Postfix version 2.8.
431 Many ideas in postscreen(8) were explored in earlier work by Michael
433 Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
434
436 Wietse Venema
437 IBM T.J. Watson Research
438 P.O. Box 704
439 Yorktown Heights, NY 10598, USA
440 Wietse Venema
442 Google, Inc.
443 111 8th Avenue
444 New York, NY 10011, USA
445 POSTSCREEN(8)