postscreen(category14-security-amp-firewalls.html) - phpMan

POSTSCREEN(8)               System Manager's Manual              POSTSCREEN(8)

NAME
       postscreen - Postfix zombie blocker
SYNOPSIS
       postscreen [generic Postfix daemon options]
DESCRIPTION
       The Postfix postscreen(8) server provides additional protection against
       mail  server  overload.  One  postscreen(8)  process  handles  multiple
       inbound SMTP connections, and decides which clients may talk to a Post-
       fix SMTP server  process.   By  keeping  spambots  away,  postscreen(8)
       leaves more SMTP server processes available for legitimate clients, and
       delays the onset of server overload conditions.
       This program should not be used on SMTP ports that  receive  mail  from
       end-user clients (MUAs). In a typical deployment, postscreen(8) handles
       the MX service on TCP port 25, and smtpd(8) receives mail from MUAs  on
       the submission service (TCP port 587) which requires client authentica-
       tion.  Alternatively, a site could set up a dedicated,  non-postscreen,
       "port  25" server that provides submission service and client authenti-
       cation, but no MX service.
       postscreen(8) maintains a temporary whitelist  for  clients  that  have
       passed  a  number  of  tests.   When  an  SMTP  client  IP  address  is
       whitelisted, postscreen(8) hands off the connection  immediately  to  a
       Postfix SMTP server process. This minimizes the overhead for legitimate
       mail.
       By default, postscreen(8) logs statistics and hands off each connection
       to a Postfix SMTP server process, while excluding clients in mynetworks
       from all tests (primarily, to avoid  problems  with  non-standard  SMTP
       implementations  in  network  appliances).  This default mode blocks no
       clients, and is useful for non-destructive testing.
       In a typical production setting, postscreen(8) is configured to  reject
       mail  from  clients  that  fail  one  or more tests. postscreen(8) logs
       rejected mail with the  client  address,  helo,  sender  and  recipient
       information.
       postscreen(8)  is  not an SMTP proxy; this is intentional.  The purpose
       is to keep spambots away from Postfix SMTP server processes, while min-
       imizing overhead for legitimate traffic.
SECURITY
       The postscreen(8) server is moderately security-sensitive.  It talks to
       untrusted clients on the network. The process can be  run  chrooted  at
       fixed low privilege.
STANDARDS
       RFC 821 (SMTP protocol)
       RFC 1123 (Host requirements)
       RFC 1652 (8bit-MIME transport)
       RFC 1869 (SMTP service extensions)
       RFC 1870 (Message Size Declaration)
       RFC 1985 (ETRN command)
       RFC 2034 (SMTP Enhanced Status Codes)
       RFC 2821 (SMTP protocol)
       Not: RFC 2920 (SMTP Pipelining)
       RFC 3030 (CHUNKING without BINARYMIME)
       RFC 3207 (STARTTLS command)
       RFC 3461 (SMTP DSN Extension)
       RFC 3463 (Enhanced Status Codes)
       RFC 5321 (SMTP protocol, including multi-line 220 banners)
DIAGNOSTICS
       Problems and transactions are logged to syslogd(8) or postlogd(8).
BUGS
       The  postscreen(8)  built-in  SMTP  protocol  engine currently does not
       announce support for AUTH, XCLIENT or XFORWARD.  If you  need  to  make
       these  services  available  on port 25, then do not enable the optional
       "after 220 server greeting" tests.
       The optional "after 220 server greeting" tests may result in unexpected
       delivery delays from senders that retry email delivery from a different
       IP address.  Reason: after passing these tests a new client  must  dis-
       connect,  and  reconnect from the same IP address before it can deliver
       mail. See POSTSCREEN_README, section "Tests after the 220  SMTP  server
       greeting", for a discussion.
CONFIGURATION PARAMETERS
       Changes  to  main.cf  are not picked up automatically, as postscreen(8)
       processes may run for several hours.  Use the command "postfix  reload"
       after a configuration change.
       The  text  below provides only a parameter summary. See postconf(5) for
       more details including examples.
       NOTE: Some postscreen(8) parameters implement  stress-dependent  behav-
       ior.   This  is  supported  only  when  the  default parameter value is
       stress-dependent (that is, it looks like ${stress?{X}:{Y}},  or  it  is
       the  $name  of  an  smtpd  parameter  with a stress-dependent default).
       Other parameters always evaluate as if the stress  parameter  value  is
       the empty string.
COMPATIBILITY CONTROLS
       postscreen_command_filter ($smtpd_command_filter)
              A mechanism to transform commands from remote SMTP clients.
       postscreen_discard_ehlo_keyword_address_maps  ($smtpd_discard_ehlo_key-
       word_address_maps)
              Lookup tables, indexed by the remote SMTP client  address,  with
              case  insensitive  lists of EHLO keywords (pipelining, starttls,
              auth, etc.) that the postscreen(8) server will not send  in  the
              EHLO response to a remote SMTP client.
       postscreen_discard_ehlo_keywords ($smtpd_discard_ehlo_keywords)
              A  case insensitive list of EHLO keywords (pipelining, starttls,
              auth, etc.) that the postscreen(8) server will not send  in  the
              EHLO response to a remote SMTP client.
       Available in Postfix version 3.1 and later:
       dns_ncache_ttl_fix_enable (no)
              Enable a workaround for future libc incompatibility.
       Available in Postfix version 3.4 and later:
       postscreen_reject_footer_maps ($smtpd_reject_footer_maps)
              Optional  lookup  table for information that is appended after a
              4XX or 5XX postscreen(8) server response.
TROUBLE SHOOTING CONTROLS
       postscreen_expansion_filter (see 'postconf -d' output)
              List     of     characters     that     are     permitted     in
              postscreen_reject_footer attribute expansions.
       postscreen_reject_footer ($smtpd_reject_footer)
              Optional  information  that  is  appended  after  a  4XX  or 5XX
              postscreen(8) server response.
       soft_bounce (no)
              Safety net to keep mail queued that would otherwise be  returned
              to the sender.
BEFORE-POSTSCREEN PROXY AGENT
       Available in Postfix version 2.10 and later:
       postscreen_upstream_proxy_protocol (empty)
              The   name   of   the   proxy   protocol  used  by  an  optional
              before-postscreen proxy agent.
       postscreen_upstream_proxy_timeout (5s)
              The time  limit  for  the  proxy  protocol  specified  with  the
              postscreen_upstream_proxy_protocol parameter.
PERMANENT WHITE/BLACKLIST TEST
       This  test is executed immediately after a remote SMTP client connects.
       If a client is permanently whitelisted, the client will be  handed  off
       immediately to a Postfix SMTP server process.
       postscreen_access_list (permit_mynetworks)
              Permanent white/blacklist for remote SMTP client IP addresses.
       postscreen_blacklist_action (ignore)
              The action that postscreen(8) takes when a remote SMTP client is
              permanently blacklisted with the postscreen_access_list  parame-
              ter.
MAIL EXCHANGER POLICY TESTS
       When  postscreen(8)  is configured to monitor all primary and backup MX
       addresses, it can refuse to whitelist clients that connect to a  backup
       MX address only. For small sites, this requires configuring primary and
       backup MX addresses on the same MTA. Larger sites would have  to  share
       the  postscreen(8)  cache  between primary and backup MTAs, which would
       introduce a common point of failure.
       postscreen_whitelist_interfaces (static:all)
              A list of  local  postscreen(8)  server  IP  addresses  where  a
              non-whitelisted  remote  SMTP  client can obtain postscreen(8)'s
              temporary whitelist status.
BEFORE 220 GREETING TESTS
       These tests are executed before the remote  SMTP  client  receives  the
       "220 servername" greeting. If no tests remain after the successful com-
       pletion of this phase, the client will be handed off immediately  to  a
       Postfix SMTP server process.
       dnsblog_service_name (dnsblog)
              The name of the dnsblog(8) service entry in master.cf.
       postscreen_dnsbl_action (ignore)
              The  action that postscreen(8) takes when a remote SMTP client's
              combined DNSBL score is equal to or greater than a threshold (as
              defined       with      the      postscreen_dnsbl_sites      and
              postscreen_dnsbl_threshold parameters).
       postscreen_dnsbl_reply_map (empty)
              A mapping from actual DNSBL domain name which includes a  secret
              password,  to  the  DNSBL domain name that postscreen will reply
              with when it rejects mail.
       postscreen_dnsbl_sites (empty)
              Optional list of DNS white/blacklist domains, filters and weight
              factors.
       postscreen_dnsbl_threshold (1)
              The  inclusive  lower  bound  for blocking a remote SMTP client,
              based  on  its  combined  DNSBL  score  as  defined   with   the
              postscreen_dnsbl_sites parameter.
       postscreen_greet_action (ignore)
              The  action  that  postscreen(8) takes when a remote SMTP client
              speaks before its  turn  within  the  time  specified  with  the
              postscreen_greet_wait parameter.
       postscreen_greet_banner ($smtpd_banner)
              The  text  in  the  optional  "220-text..." server response that
              postscreen(8) sends ahead of the real Postfix SMTP server's "220
              text..."  response, in an attempt to confuse bad SMTP clients so
              that they speak before their turn (pre-greet).
       postscreen_greet_wait (normal: 6s, overload: 2s)
              The amount of time that postscreen(8)  will  wait  for  an  SMTP
              client  to send a command before its turn, and for DNS blocklist
              lookup results to arrive (default: up to 2 seconds under stress,
              up to 6 seconds otherwise).
       smtpd_service_name (smtpd)
              The  internal  service that postscreen(8) hands off allowed con-
              nections to.
       Available in Postfix version 2.11 and later:
       postscreen_dnsbl_whitelist_threshold (0)
              Allow a remote SMTP client  to  skip  "before"  and  "after  220
              greeting"  protocol  tests, based on its combined DNSBL score as
              defined with the postscreen_dnsbl_sites parameter.
       Available in Postfix version 3.0 and later:
       postscreen_dnsbl_timeout (10s)
              The time limit for DNSBL or DNSWL lookups.
AFTER 220 GREETING TESTS
       These tests are executed after the remote SMTP client receives the "220
       servername"  greeting.  If a client passes all tests during this phase,
       it will receive a 4XX response to  all  RCPT  TO  commands.  After  the
       client  reconnects,  it  will  be allowed to talk directly to a Postfix
       SMTP server process.
       postscreen_bare_newline_action (ignore)
              The action that postscreen(8) takes when a  remote  SMTP  client
              sends  a bare newline character, that is, a newline not preceded
              by carriage return.
       postscreen_bare_newline_enable (no)
              Enable "bare newline" SMTP protocol tests in  the  postscreen(8)
              server.
       postscreen_disable_vrfy_command ($disable_vrfy_command)
              Disable the SMTP VRFY command in the postscreen(8) daemon.
       postscreen_forbidden_commands ($smtpd_forbidden_commands)
              List of commands that the postscreen(8) server considers in vio-
              lation of the SMTP protocol.
       postscreen_helo_required ($smtpd_helo_required)
              Require that a remote SMTP client sends HELO or EHLO before com-
              mencing a MAIL transaction.
       postscreen_non_smtp_command_action (drop)
              The  action  that  postscreen(8) takes when a remote SMTP client
              sends non-SMTP commands as specified with the postscreen_forbid-
              den_commands parameter.
       postscreen_non_smtp_command_enable (no)
              Enable "non-SMTP command" tests in the postscreen(8) server.
       postscreen_pipelining_action (enforce)
              The  action  that  postscreen(8) takes when a remote SMTP client
              sends multiple commands instead of sending one command and wait-
              ing for the server to respond.
       postscreen_pipelining_enable (no)
              Enable  "pipelining"  SMTP  protocol  tests in the postscreen(8)
              server.
CACHE CONTROLS
       postscreen_cache_cleanup_interval (12h)
              The amount of time between postscreen(8) cache cleanup runs.
       postscreen_cache_map (btree:$data_directory/postscreen_cache)
              Persistent storage for the postscreen(8) server decisions.
       postscreen_cache_retention_time (7d)
              The amount of time that postscreen(8) will cache an expired tem-
              porary whitelist entry before it is removed.
       postscreen_bare_newline_ttl (30d)
              The amount of time that postscreen(8) will use the result from a
              successful "bare newline" SMTP protocol test.
       postscreen_dnsbl_max_ttl
       (${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
              The  maximum  amount  of  time  that  postscreen(8) will use the
              result from a successful  DNS-based  reputation  test  before  a
              client IP address is required to pass that test again.
       postscreen_dnsbl_min_ttl (60s)
              The  minimum  amount  of  time  that  postscreen(8) will use the
              result from a successful  DNS-based  reputation  test  before  a
              client IP address is required to pass that test again.
       postscreen_greet_ttl (1d)
              The amount of time that postscreen(8) will use the result from a
              successful PREGREET test.
       postscreen_non_smtp_command_ttl (30d)
              The amount of time that postscreen(8) will use the result from a
              successful "non_smtp_command" SMTP protocol test.
       postscreen_pipelining_ttl (30d)
              The amount of time that postscreen(8) will use the result from a
              successful "pipelining" SMTP protocol test.
RESOURCE CONTROLS
       line_length_limit (2048)
              Upon input, long lines are chopped up into  pieces  of  at  most
              this length; upon delivery, long lines are reconstructed.
       postscreen_client_connection_count_limit         ($smtpd_client_connec-
       tion_count_limit)
              How many simultaneous connections  any  remote  SMTP  client  is
              allowed to have with the postscreen(8) daemon.
       postscreen_command_count_limit (20)
              The  limit  on the total number of commands per SMTP session for
              postscreen(8)'s built-in SMTP protocol engine.
       postscreen_command_time_limit (normal: 300s, overload: 10s)
              The  time  limit  to  read   an   entire   command   line   with
              postscreen(8)'s built-in SMTP protocol engine.
       postscreen_post_queue_limit ($default_process_limit)
              The  number  of  clients  that can be waiting for service from a
              real Postfix SMTP server process.
       postscreen_pre_queue_limit ($default_process_limit)
              The number of non-whitelisted clients that can be waiting for  a
              decision  whether  they will receive service from a real Postfix
              SMTP server process.
       postscreen_watchdog_timeout (10s)
              How much time a postscreen(8) process may take to respond  to  a
              remote  SMTP  client  command  or  to  perform a cache operation
              before it is terminated by a built-in watchdog timer.
STARTTLS CONTROLS
       postscreen_tls_security_level ($smtpd_tls_security_level)
              The SMTP TLS security level for the postscreen(8) server; when a
              non-empty value is specified, this overrides the obsolete param-
              eters postscreen_use_tls and postscreen_enforce_tls.
       tlsproxy_service_name (tlsproxy)
              The name of the tlsproxy(8) service entry in master.cf.
OBSOLETE STARTTLS SUPPORT CONTROLS
       These parameters are supported for compatibility with  smtpd(8)  legacy
       parameters.
       postscreen_use_tls ($smtpd_use_tls)
              Opportunistic  TLS:  announce  STARTTLS  support  to remote SMTP
              clients, but do not require that clients use TLS encryption.
       postscreen_enforce_tls ($smtpd_enforce_tls)
              Mandatory TLS: announce STARTTLS support to remote SMTP clients,
              and require that clients use TLS encryption.
MISCELLANEOUS CONTROLS
       config_directory (see 'postconf -d' output)
              The  default  location of the Postfix main.cf and master.cf con-
              figuration files.
       delay_logging_resolution_limit (2)
              The maximal number of digits after the decimal point  when  log-
              ging sub-second delay values.
       command_directory (see 'postconf -d' output)
              The location of all postfix administrative commands.
       max_idle (100s)
              The  maximum  amount of time that an idle Postfix daemon process
              waits for an incoming connection before terminating voluntarily.
       process_id (read-only)
              The process ID of a Postfix command or daemon process.
       process_name (read-only)
              The process name of a Postfix command or daemon process.
       syslog_facility (mail)
              The syslog facility of Postfix logging.
       syslog_name (see 'postconf -d' output)
              A prefix that  is  prepended  to  the  process  name  in  syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".
       Available in Postfix 3.3 and later:
       service_name (read-only)
              The master.cf service name of a Postfix daemon process.
       Available in Postfix 3.5 and later:
       info_log_address_format (external)
              The  email  address  form that will be used in non-debug logging
              (info, warning, etc.).
SEE ALSO
       smtpd(8), Postfix SMTP server
       tlsproxy(8), Postfix TLS proxy server
       dnsblog(8), DNS black/whitelist logger
       postlogd(8), Postfix logging
       syslogd(8), system logging
README FILES
       Use "postconf readme_directory" or "postconf html_directory" to  locate
       this information.
       POSTSCREEN_README, Postfix Postscreen Howto
LICENSE
       The Secure Mailer license must be distributed with this software.
HISTORY
       This service was introduced with Postfix version 2.8.
       Many  ideas  in  postscreen(8) were explored in earlier work by Michael
       Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA
       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

                                                                 POSTSCREEN(8)