POSTSCREEN(8)POSTSCREEN(8)NAME
postscreen - Postfix SMTP triage server
SYNOPSIS
postscreen [generic Postfix daemon options]
DESCRIPTION
The Postfix postscreen(8) server performs triage on multiple inbound
SMTP connections in parallel. While a single postscreen(8) process
keeps spambots away from Postfix SMTP server processes, more Postfix
SMTP server processes remain available for legitimate clients.
postscreen(8) maintains a temporary whitelist for clients that have
passed a number of tests. When an SMTP client IP address is
whitelisted, postscreen(8) hands off the connection immediately to a
Postfix SMTP server process. This minimizes the overhead for legitimate
mail.
By default, postscreen(8) logs statistics and hands off every connec‐
tion to a Postfix SMTP server process, while excluding clients in
mynetworks from all tests (primarily, to avoid problems with non-stan‐
dard SMTP implementations in network appliances). This mode is useful
for non-destructive testing.
In a typical production setting, postscreen(8) is configured to reject
mail from clients that fail one or more tests. postscreen(8) logs
rejected mail with the client address, helo, sender and recipient
information.
postscreen(8) is not an SMTP proxy; this is intentional. The purpose
is to keep spambots away from Postfix SMTP server processes, while min‐
imizing overhead for legitimate traffic.
SECURITY
The postscreen(8) server is moderately security-sensitive. It talks to
untrusted clients on the network. The process can be run chrooted at
fixed low privilege.
STANDARDS
RFC 5321 (SMTP, including multi-line 220 greetings)
RFC 2920 (SMTP Pipelining)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
Some of the non-default protocol tests involve postscreen(8)'s built-in
SMTP protocol engine. When these tests succeed, postscreen(8) adds the
client to the temporary whitelist but it cannot not hand off the "live"
connection to a Postfix SMTP server process in the middle of a session.
Instead, postscreen(8) defers attempts to deliver mail with a 4XX sta‐
tus, and waits for the client to disconnect. The next time a good
client connects, it will be allowed to talk to a Postfix SMTP server
process to deliver mail. postscreen(8) mitigates the impact of this
limitation by giving such tests a long expiration time.
The postscreen(8) built-in SMTP protocol engine does not announce sup‐
port for STARTTLS, AUTH, XCLIENT or XFORWARD (support for STARTTLS and
AUTH may be added in the future). End-user clients should connect
directly to the submission service; other systems that require the
above features should directly connect to a Postfix SMTP server, or
they should be placed on the postscreen(8) whitelist.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically, as postscreen(8)
processes may run for several hours. Use the command "postfix reload"
after a configuration change.
The text below provides only a parameter summary. See postconf(5) for
more details including examples.
NOTE: Some postscreen(8) parameters implement stress-dependent behav‐
ior. This is supported only when the default value is stress-dependent
(that is, it looks like ${stress?X}${stress:Y}). Other parameters
always evaluate as if the stress value is the empty string.
TRIAGE PARAMETERS
postscreen_bare_newline_action (ignore)
The action that postscreen(8) takes when an SMTP client sends a
bare newline character, that is, a newline not preceded by car‐
riage return.
postscreen_bare_newline_enable (no)
Enable "bare newline" SMTP protocol tests in the postscreen(8)
server.
postscreen_blacklist_action (ignore)
The action that postscreen(8) takes when an SMTP client is per‐
manently blacklisted with the postscreen_blacklist_networks
parameter.
postscreen_blacklist_networks (empty)
Network addresses that are permanently blacklisted; see the
postscreen_blacklist_action parameter for possible actions.
postscreen_disable_vrfy_command ($disable_vrfy_command)
Disable the SMTP VRFY command in the postscreen(8) daemon.
postscreen_dnsbl_action (ignore)
The action that postscreen(8) takes when an SMTP client's com‐
bined DNSBL score is equal to or greater than a threshold (as
defined with the postscreen_dnsbl_sites and
postscreen_dnsbl_threshold parameters).
postscreen_dnsbl_reply_map (empty)
A mapping from actual DNSBL domain name which includes a secret
password, to the DNSBL domain name that postscreen will reply
with when it rejects mail.
postscreen_dnsbl_sites (empty)
Optional list of DNS blocklist domains, filters and weight fac‐
tors.
postscreen_dnsbl_threshold (1)
The inclusive lower bound for blocking an SMTP client, based on
its combined DNSBL score as defined with the
postscreen_dnsbl_sites parameter.
postscreen_forbidden_commands ($smtpd_forbidden_commands)
List of commands that the postscreen(8) server considers in vio‐
lation of the SMTP protocol.
postscreen_greet_action (ignore)
The action that postscreen(8) takes when an SMTP client speaks
before its turn within the time specified with the
postscreen_greet_wait parameter.
postscreen_greet_banner ($smtpd_banner)
The text in the optional "220-text..." server response that
postscreen(8) sends ahead of the real Postfix SMTP server's "220
text..." response, in an attempt to confuse bad SMTP clients so
that they speak before their turn (pre-greet).
postscreen_greet_wait (${stress?2}${stress:6}s)
The amount of time that postscreen(8) will wait for an SMTP
client to send a command before its turn, and for DNS blocklist
lookup results to arrive (default: up to 2 seconds under stress,
up to 6 seconds otherwise).
postscreen_helo_required ($smtpd_helo_required)
Require that a remote SMTP client sends HELO or EHLO before com‐
mencing a MAIL transaction.
postscreen_non_smtp_command_action (drop)
The action that postscreen(8) takes when an SMTP client sends
non-SMTP commands as specified with the postscreen_forbid‐
den_commands parameter.
postscreen_non_smtp_command_enable (no)
Enable "non-SMTP command" tests in the postscreen(8) server.
postscreen_pipelining_action (enforce)
The action that postscreen(8) takes when an SMTP client sends
multiple commands instead of sending one command and waiting for
the server to respond.
postscreen_pipelining_enable (no)
Enable "pipelining" SMTP protocol tests in the postscreen(8)
server.
postscreen_whitelist_networks ($mynetworks)
Network addresses that are permanently whitelisted, and that
will not be subjected to postscreen(8) checks.
smtpd_service_name (smtpd)
The internal service that postscreen(8) forwards allowed connec‐
tions to.
CACHE CONTROLS
postscreen_cache_cleanup_interval (12h)
The amount of time between postscreen(8) cache cleanup runs.
postscreen_cache_map (btree:$data_directory/ps_cache)
Persistent storage for the postscreen(8) server decisions.
postscreen_cache_retention_time (7d)
The amount of time that postscreen(8) will cache an expired tem‐
porary whitelist entry before it is removed.
postscreen_bare_newline_ttl (30d)
The amount of time that postscreen(8) will cache results from a
successful "bare newline" SMTP protocol test.
postscreen_dnsbl_ttl (1h)
The amount of time that postscreen(8) will cache results from a
successful DNS blocklist test.
postscreen_greet_ttl (1d)
The amount of time that postscreen(8) will cache results from a
successful PREGREET test.
postscreen_non_smtp_command_ttl (30d)
The amount of time that postscreen(8) will cache results from a
successful "non_smtp_command" SMTP protocol test.
postscreen_pipelining_ttl (30d)
The amount of time that postscreen(8) will cache results from a
successful "pipelining" SMTP protocol test.
RESOURCE CONTROLS
line_length_limit (2048)
Upon input, long lines are chopped up into pieces of at most
this length; upon delivery, long lines are reconstructed.
postscreen_command_count_limit (20)
The limit on the total number of commands per SMTP session for
postscreen(8)'s built-in SMTP protocol engine.
postscreen_command_time_limit (${stress?10}${stress:300}s)
The command "read" time limit for postscreen(8)'s built-in SMTP
protocol engine.
postscreen_post_queue_limit ($default_process_limit)
The number of clients that can be waiting for service from a
real SMTP server process.
postscreen_pre_queue_limit ($default_process_limit)
The number of non-whitelisted clients that can be waiting for a
decision whether they will receive service from a real SMTP
server process.
postscreen_watchdog_timeout (10s)
How much time a postscreen(8) process may take to respond to an
SMTP client command or to perform a cache operation before it is
terminated by a built-in watchdog timer.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf con‐
figuration files.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when log‐
ging sub-second delay values.
command_directory (see 'postconf -d' output)
The location of all postfix administrative commands.
ipc_timeout (3600s)
The time limit for sending or receiving information over an
internal communication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post‐
fix/smtpd".
SEE ALSOsmtpd(8), Postfix SMTP server
dnsblog(8), temporary DNS helper
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate
this information.
POSTSCREEN_README, Postfix Postscreen Howto
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
Many ideas in postscreen(8) were explored in earlier work by Michael
Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTSCREEN(8)