POSTSCREEN_README.html revision 1.1.1.1.6.2
1 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3 4 <head> 5 6 <title>Postfix Postscreen Howto</title> 7 8 <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> 9 10 </head> 11 12 <body> 13 14 <h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Postscreen Howto</h1> 15 16 <hr> 17 18 <h2> <a name="intro">Introduction</a> </h2> 19 20 <p> This document describes features that are available in Postfix 21 2.8 and later. </p> 22 23 <p> The Postfix <a href="postscreen.8.html">postscreen(8)</a> daemon provides additional protection 24 against mail server overload. One <a href="postscreen.8.html">postscreen(8)</a> process handles 25 multiple inbound SMTP connections, and decides which clients may 26 talk to a Postfix SMTP server process. By keeping spambots away, 27 <a href="postscreen.8.html">postscreen(8)</a> leaves more SMTP server processes available for 28 legitimate clients, and delays the onset of <a 29 href="STRESS_README.html">server overload</a> conditions. </p> 30 31 <p> <a href="postscreen.8.html">postscreen(8)</a> should not be used on SMTP ports that receive 32 mail from end-user clients (MUAs). In a typical deployment, 33 <a href="postscreen.8.html">postscreen(8)</a> handles the MX service on TCP port 25, while MUA 34 clients submit mail via the submission service on TCP port 587 which 35 requires client authentication. Alternatively, a site could set up 36 a dedicated, non-postscreen, "port 25" server that provides submission 37 service and client authentication, but no MX service. </p> 38 39 <p> <a href="postscreen.8.html">postscreen(8)</a> maintains a temporary whitelist for clients that 40 pass its tests; by allowing whitelisted clients to skip tests, 41 <a href="postscreen.8.html">postscreen(8)</a> minimizes its impact on legitimate email traffic. 42 </p> 43 44 <p> <a href="postscreen.8.html">postscreen(8)</a> is part of a multi-layer defense. <p> 45 46 <ul> 47 48 <li> <p> As the first layer, <a href="postscreen.8.html">postscreen(8)</a> blocks connections from 49 zombies and other spambots that are responsible for about 90% of 50 all spam. It is implemented as a single process to make this defense 51 as inexpensive as possible. </p> 52 53 <li> <p> The second layer implements more complex SMTP-level access 54 checks with <a href="SMTPD_ACCESS_README.html">Postfix SMTP servers</a>, 55 <a href="SMTPD_POLICY_README.html">policy daemons</a>, and 56 <a href="MILTER_README.html">Milter applications</a>. </p> 57 58 <li> <p> The third layer performs light-weight content inspection 59 with the Postfix built-in <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>. This can 60 block unacceptable attachments such as executable programs, and 61 worms or viruses with easy-to-recognize signatures. </p> 62 63 <li> <p> The fourth layer provides heavy-weight content inspection 64 with external content filters. Typical examples are <a 65 href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>, <a 66 href="http://spamassassin.apache.org/">SpamAssassin</a>, and <a 67 href="MILTER_README.html">Milter applications</a>. </p> 68 69 </ul> 70 71 <p> Each layer reduces the spam volume. The general strategy is to 72 use the less expensive defenses first, and to use the more expensive 73 defenses only for the spam that remains. </p> 74 75 <p> Topics in this document: </p> 76 77 <ul> 78 79 <li> <a href="#intro">Introduction</a> 80 81 <li> <a href="#basic">The basic idea behind postscreen(8)</a> 82 83 <li> <a href="#general"> General operation </a> 84 85 <li> <a href="#quick">Quick tests before everything else</a> 86 87 <li> <a href="#before_220"> Tests before the 220 SMTP server greeting </a> 88 89 <li> <a href="#after_220">Tests after the 220 SMTP server greeting</a> 90 91 <li> <a href="#other_error">Other errors</a> 92 93 <li> <a href="#victory">When all tests succeed</a> 94 95 <li> <a href="#config"> Configuring the postscreen(8) service</a> 96 97 <li> <a href="#historical"> Historical notes and credits </a> 98 99 </ul> 100 101 <h2> <a name="basic">The basic idea behind postscreen(8)</a> </h2> 102 103 <p> Most email is spam, and most spam is sent out by zombies (malware 104 on compromised end-user computers). Wietse expects that the zombie 105 problem will get worse before things improve, if ever. Without a 106 tool like <a href="postscreen.8.html">postscreen(8)</a> that keeps the zombies away, Postfix would be 107 spending most of its resources not receiving email. </p> 108 109 <p> The main challenge for <a href="postscreen.8.html">postscreen(8)</a> is to make an is-it-a-zombie 110 decision based on a single measurement. This is necessary because 111 many zombies try to fly under the radar and avoid spamming the same 112 site repeatedly. Once <a href="postscreen.8.html">postscreen(8)</a> decides that a client is 113 not-a-zombie, it whitelists the client temporarily to avoid further 114 delays for legitimate mail. </p> 115 116 <p> Zombies have challenges too: they have only a limited amount 117 of time to deliver spam before their IP address becomes blacklisted. 118 To speed up spam deliveries, zombies make compromises in their SMTP 119 protocol implementation. For example, they speak before their turn, 120 or they ignore responses from SMTP servers and continue sending 121 mail even when the server tells them to go away. </p> 122 123 <p> <a href="postscreen.8.html">postscreen(8)</a> uses a variety of measurements to recognize 124 zombies. First, <a href="postscreen.8.html">postscreen(8)</a> determines if the remote SMTP client 125 IP address is blacklisted. Second, <a href="postscreen.8.html">postscreen(8)</a> looks for protocol 126 compromises that are made to speed up delivery. These are good 127 indicators for making is-it-a-zombie decisions based on single 128 measurements. </p> 129 130 <p> <a href="postscreen.8.html">postscreen(8)</a> does not inspect message content. Message content 131 can vary from one delivery to the next, especially with clients 132 that (also) send legitimate email. Content is not a good indicator 133 for making is-it-a-zombie decisions based on single measurements, 134 and that is the problem that <a href="postscreen.8.html">postscreen(8)</a> is focused on. </p> 135 136 <h2> <a name="general"> General operation </a> </h2> 137 138 <p> For each connection from an SMTP client, <a href="postscreen.8.html">postscreen(8)</a> performs 139 a number of tests 140 in the order as described below. Some tests introduce a delay of 141 a few seconds. <a href="postscreen.8.html">postscreen(8)</a> maintains a temporary whitelist for 142 clients that pass its tests; by allowing whitelisted clients to 143 skip tests, <a href="postscreen.8.html">postscreen(8)</a> minimizes its impact on legitimate email 144 traffic. </p> 145 146 <p> By default, <a href="postscreen.8.html">postscreen(8)</a> hands off all connections to a Postfix 147 SMTP server process after logging its findings. This mode is useful 148 for non-destructive testing. </p> 149 150 <p> In a typical production setting, <a href="postscreen.8.html">postscreen(8)</a> is configured 151 to reject mail from clients that fail one or more tests, after 152 logging the helo, sender and recipient information. </p> 153 154 <p> Note: <a href="postscreen.8.html">postscreen(8)</a> is not an SMTP proxy; this is intentional. 155 The purpose is to keep zombies away from Postfix, with minimal 156 overhead for legitimate clients. </p> 157 158 <h2> <a name="quick">Quick tests before everything else</a> </h2> 159 160 <p> Before engaging in SMTP-level tests. <a href="postscreen.8.html">postscreen(8)</a> queries a 161 number of local black and whitelists. These tests speed up the 162 handling of known clients. </p> 163 164 <ul> 165 166 <li> <a href="#perm_white_black"> Permanent white/blacklist test </a> 167 168 <li> <a href="#temp_white"> Temporary whitelist test </a> 169 170 <li> <a href="#white_veto"> MX Policy test </a> 171 172 </ul> 173 174 <h3> <a name="perm_white_black"> Permanent white/blacklist test </a> </h3> 175 176 <p> The <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter (default: <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>) 177 specifies a permanent access list for SMTP client IP addresses. Typically 178 one would specify something that whitelists local networks, followed 179 by a CIDR table for selective white- and blacklisting. </p> 180 181 <p> Example: </p> 182 183 <pre> 184 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 185 <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, 186 <a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr 187 188 /etc/postfix/postscreen_access.<a href="cidr_table.5.html">cidr</a>: 189 # Rules are evaluated in the order as specified. 190 # Blacklist 192.168.* except 192.168.0.1. 191 192.168.0.1 permit 192 192.168.0.0/16 reject 193 </pre> 194 195 <p> See the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> manpage documentation for more 196 details. </p> 197 198 <p> When the SMTP client address matches a "permit" action, 199 <a href="postscreen.8.html">postscreen(8)</a> logs this with the client address and port number as: 200 </p> 201 202 <pre> 203 <b>WHITELISTED</b> <i>[address]:port</i> 204 </pre> 205 206 <p> The whitelist action is not configurable: immediately hand off the 207 connection to a Postfix SMTP server process. </p> 208 209 <p> When the SMTP client address matches a "reject" action, 210 <a href="postscreen.8.html">postscreen(8)</a> logs this with the client address and port number as: 211 </p> 212 213 <pre> 214 <b>BLACKLISTED</b> <i>[address]:port</i> 215 </pre> 216 217 <p> The <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> parameter specifies the action 218 that is taken next. See "<a href="#fail_before_220">When tests 219 fail before the 220 SMTP server greeting</a>" below. </p> 220 221 <h3> <a name="temp_white"> Temporary whitelist test </a> </h3> 222 223 <p> The <a href="postscreen.8.html">postscreen(8)</a> daemon maintains a <i>temporary</i> 224 whitelist for SMTP client IP addresses that have passed all 225 the tests described below. The <a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> parameter 226 specifies the location of the temporary whitelist. The 227 temporary whitelist is not used for SMTP client addresses 228 that appear on the <i>permanent</i> access list. </p> 229 230 <blockquote> 231 232 <p> NOTE: To share a <a href="postscreen.8.html">postscreen(8)</a> cache between multiple 233 <a href="postscreen.8.html">postscreen(8)</a> instances under the same <a href="master.8.html">master(8)</a> daemon, use 234 "<tt><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> = 235 <a href="proxymap.8.html">proxy</a>:btree:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache</tt>", and disable 236 cache cleanup (<a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> = 0) in all 237 <a href="postscreen.8.html">postscreen(8)</a> instances except one that is responsible for cache 238 cleanup. </p> 239 240 <p> <a href="postscreen.8.html">postscreen(8)</a> cache sharing requires Postfix 2.9 or later; 241 earlier <a href="proxymap.8.html">proxymap(8)</a> implementations don't support cache cleanup. 242 </p> 243 244 <p> For an alternative <a href="postscreen.8.html">postscreen(8)</a> cache sharing approach, 245 see the <a href="memcache_table.5.html">memcache_table(5)</a> manpage. </p> 246 247 </blockquote> 248 249 <p> When the SMTP client address appears on the temporary 250 whitelist, <a href="postscreen.8.html">postscreen(8)</a> logs this with the client address and port 251 number as: </p> 252 253 <pre> 254 <b>PASS OLD</b> <i>[address]:port</i> 255 </pre> 256 257 <p> The action is not configurable: immediately hand off the 258 connection to a Postfix SMTP server process. The client is 259 excluded from further tests until its temporary whitelist 260 entry expires, as controlled with the postscreen_*_ttl 261 parameters. Expired entries are silently renewed if possible. </p> 262 263 <h3> <a name="white_veto"> MX Policy test </a> </h3> 264 265 <p> When the remote SMTP client is not on the static access list 266 or temporary whitelist, <a href="postscreen.8.html">postscreen(8)</a> can implement a number of 267 whitelist tests, before it grants the client a temporary whitelist 268 status that allows it to talk to a Postfix SMTP server process. </p> 269 270 <p> When <a href="postscreen.8.html">postscreen(8)</a> is configured to monitor all primary and 271 backup MX addresses, it can refuse to whitelist clients that connect 272 to a backup MX address only (an old spammer trick to take advantage 273 of backup MX hosts with weaker anti-spam policies than primary MX 274 hosts). </p> 275 276 <blockquote> <p> NOTE: The following solution is for small sites. 277 Larger sites would have to share the <a href="postscreen.8.html">postscreen(8)</a> cache between 278 primary and backup MTAs, which would introduce a common point of 279 failure. </p> </blockquote> 280 281 <ul> 282 283 <li> <p> First, configure the host to listen on both primary and 284 backup MX addresses. Use the appropriate <tt>ifconfig</tt> command 285 for the local operating system, or update the appropriate configuration 286 files and "refresh" the network protocol stack. </p> 287 288 <p> <p> Second, configure Postfix to listen on the new IP address 289 (this step is needed when you have specified <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> in 290 <a href="postconf.5.html">main.cf</a>). </p> 291 292 <li> <p> Then, configure <a href="postscreen.8.html">postscreen(8)</a> to deny the temporary whitelist 293 status on the backup MX address(es). An example for Wietse's 294 server is: </p> 295 296 <pre> 297 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 298 <a href="postconf.5.html#postscreen_whitelist_interfaces">postscreen_whitelist_interfaces</a> = !168.100.189.8 <a href="DATABASE_README.html#types">static</a>:all 299 </pre> 300 301 <p> Translation: allow clients to obtain the temporary whitelist 302 status on all server IP addresses except 168.100.189.8, which is a 303 backup MX address. </p> 304 305 </ul> 306 307 <p> When a non-whitelisted client connects the backup MX address, 308 <a href="postscreen.8.html">postscreen(8)</a> logs this with the client address and port number as: 309 </p> 310 311 <pre> 312 <b>CONNECT from</b> <i>[address]:port</i> <b>to [168.100.189.8]:25</b> 313 <b>WHITELIST VETO</b> <i>[address]:port</i> 314 </pre> 315 316 <p> Translation: the client at <i>[address]:port</i> connected to 317 the backup MX address 168.100.189.8 while it was not whitelisted. 318 The client will not be granted the temporary whitelist status, even 319 if passes all the whitelist tests described below. </p> 320 321 <h2> <a name="before_220"> Tests before the 220 SMTP server greeting </a> </h2> 322 323 <p> The <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter specifies a short time 324 interval before the "220 <i>text</i>..." server greeting, where 325 <a href="postscreen.8.html">postscreen(8)</a> can run a number of tests in parallel. </p> 326 327 <p> When a good client passes these tests, and no "<a 328 href="#after_220">deep protocol tests</a>" are configured, postscreen(8) 329 adds the client to the temporary whitelist and hands off the "live" 330 connection to a Postfix SMTP server process. The client can then 331 continue as if <a href="postscreen.8.html">postscreen(8)</a> never even existed (except of course 332 for the short <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> delay). </p> 333 334 <ul> 335 336 <li> <a href="#pregreet"> Pregreet test </a> 337 338 <li> <a href="#dnsbl"> DNS White/blacklist test </a> 339 340 <li> <a href="#fail_before_220">When tests fail before the 220 SMTP server greeting</a> 341 342 </ul> 343 344 <h3> <a name="pregreet"> Pregreet test </a> </h3> 345 346 <p> The SMTP protocol is a classic example of a protocol where the 347 server speaks before the client. <a href="postscreen.8.html">postscreen(8)</a> detects zombies 348 that are in a hurry and that speak before their turn. This test is 349 enabled by default. </p> 350 351 <p> The <a href="postconf.5.html#postscreen_greet_banner">postscreen_greet_banner</a> parameter specifies the <i>text</i> 352 portion of a "220-<i>text</i>..." teaser banner (default: $<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>). 353 Note that this becomes the first part of a multi-line server greeting. 354 The <a href="postscreen.8.html">postscreen(8)</a> daemon sends this before the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> 355 timer is started. The purpose of the teaser banner is to confuse 356 zombies so that they speak before their turn. It has no effect on 357 SMTP clients that correctly implement the protocol. </p> 358 359 <p> To avoid problems with poorly-implemented SMTP engines in network 360 appliances or network testing tools, either exclude them from all 361 tests with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> feature or else specify 362 an empty teaser banner: </p> 363 364 <pre> 365 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 366 # Exclude broken clients by whitelisting. Clients in <a href="postconf.5.html#mynetworks">mynetworks</a> 367 # should always be whitelisted. 368 <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, 369 <a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr 370 371 /etc/postfix/postscreen_access.<a href="cidr_table.5.html">cidr</a>: 372 192.168.254.0/24 permit 373 </pre> 374 375 <pre> 376 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 377 # Disable the teaser banner (try whitelisting first if you can). 378 <a href="postconf.5.html#postscreen_greet_banner">postscreen_greet_banner</a> = 379 </pre> 380 381 <p> When an SMTP client sends a command before the 382 <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> time has elapsed, <a href="postscreen.8.html">postscreen(8)</a> logs this as: 383 </p> 384 385 <pre> 386 <b>PREGREET</b> <i>count</i> <b>after</b> <i>time</i> <b>from</b> <i>[address]:port text...</i> 387 </pre> 388 389 <p> Translation: the client at <i>[address]:port</i> sent <i>count</i> 390 bytes before its turn to speak. This happened <i>time</i> seconds 391 after the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> timer was started. The <i>text</i> 392 is what the client sent (truncated to 100 bytes, and with non-printable 393 characters replaced with C-style escapes such as \r for carriage-return 394 and \n for newline). </p> 395 396 <p> The <a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> parameter specifies the action that 397 is taken next. See "<a href="#fail_before_220">When tests fail 398 before the 220 SMTP server greeting</a>" below. </p> 399 400 <h3> <a name="dnsbl"> DNS White/blacklist test </a> </h3> 401 402 <p> The <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter (default: empty) specifies 403 a list of DNS blocklist servers with optional filters and weight 404 factors (positive weights for blacklisting, negative for whitelisting). 405 These servers will be queried in parallel with the reverse client 406 IP address. This test is disabled by default. </p> 407 408 <blockquote> 409 <p> 410 CAUTION: when postscreen rejects mail, its SMTP reply contains the 411 DNSBL domain name. Use the <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> feature to 412 hide "password" information in DNSBL domain names. 413 </p> 414 </blockquote> 415 416 <p> When the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> time has elapsed, and the combined 417 DNSBL score is equal to or greater than the <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> 418 parameter value, <a href="postscreen.8.html">postscreen(8)</a> logs this as: </p> 419 420 <pre> 421 <b>DNSBL rank</b> <i>count</i> <b>for</b> <i>[address]:port</i> 422 </pre> 423 424 <p> Translation: the SMTP client at <i>[address]:port</i> has a combined 425 DNSBL score of <i>count</i>. </p> 426 427 <p> The <a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> parameter specifies the action that 428 is taken when the combined DNSBL score is equal to or greater than 429 the threshold. See "<a href="#fail_before_220">When tests fail 430 before the 220 SMTP server greeting</a>" below. </p> 431 432 <h3> <a name="fail_before_220">When tests fail before the 220 SMTP server greeting</a> </h3> 433 434 <p> When the client address matches the permanent blacklist, or 435 when the client fails the pregreet or DNSBL tests, the action is 436 specified with <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a>, <a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a>, 437 or <a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a>, respectively. </p> 438 439 <dl> 440 441 <dt> <b>ignore</b> (default) </dt> 442 443 <dd> Ignore the failure of this test. Allow other tests to complete. 444 Repeat this test the next time the client connects. This option 445 is useful for testing and collecting statistics without blocking 446 mail. </dd> 447 448 <dt> <b>enforce</b> </dt> 449 450 <dd> Allow other tests to complete. Reject attempts to deliver mail 451 with a 550 SMTP reply, and log the helo/sender/recipient information. 452 Repeat this test the next time the client connects. </dd> 453 454 <dt> <b>drop</b> </dt> 455 456 <dd> Drop the connection immediately with a 521 SMTP reply. Repeat 457 this test the next time the client connects. </dd> 458 459 </dl> 460 461 <h2> <a name="after_220">Tests after the 220 SMTP server greeting</a> </h2> 462 463 <p> In this phase of the protocol, <a href="postscreen.8.html">postscreen(8)</a> implements a 464 number of "deep protocol" tests. These tests use an SMTP protocol 465 engine that is built into the <a href="postscreen.8.html">postscreen(8)</a> server. </p> 466 467 <p> Important note: deep protocol tests are disabled by default. 468 They are more intrusive than the pregreet and DNSBL tests, and they 469 have limitations as discussed next. </p> 470 471 <ul> 472 473 <li> <p> When a good client passes the <a href="#after_220">deep 474 protocol tests</a>, postscreen(8) adds the client to the temporary 475 whitelist but it cannot hand off the "live" connection to a Postfix 476 SMTP server process in the middle of the session. Instead, <a href="postscreen.8.html">postscreen(8)</a> 477 defers mail delivery attempts with a 4XX status, logs the 478 helo/sender/recipient information, and waits for the client to 479 disconnect. </p> 480 481 <p> The next time the client connects it will be allowed to talk 482 to a Postfix SMTP server process to deliver its mail. To minimize the 483 impact of this limitation, <a href="postscreen.8.html">postscreen(8)</a> gives deep protocol tests 484 a relatively long expiration time. </p> 485 486 <li> <p> <a href="postscreen.8.html">postscreen(8)</a>'s built-in SMTP engine does not implement 487 the AUTH, XCLIENT, and XFORWARD features. AUTH support may be added 488 in a future version. In the mean time, if you need to make these 489 services available on port 25, then do not enable the tests after 490 the 220 server greeting. </p> 491 492 </ul> 493 494 <p> End-user clients should connect directly to the submission 495 service, so that they never have to deal with <a href="postscreen.8.html">postscreen(8)</a>'s tests. 496 </p> 497 498 <ul> 499 500 <li> <a href="#pipelining">Command pipelining test</a> 501 502 <li> <a href="#non_smtp">Non-SMTP command test</a> 503 504 <li> <a href="#barelf">Bare newline test</a> 505 506 <li> <a href="#fail_after_220">When tests fail after the 220 SMTP server greeting</a> 507 508 </ul> 509 510 <h3> <a name="pipelining">Command pipelining test</a> </h3> 511 512 <p> By default, SMTP is a half-duplex protocol: the sender and 513 receiver send one command and one response at a time. Unlike the 514 Postfix SMTP server, <a href="postscreen.8.html">postscreen(8)</a> does not announce support 515 for ESMTP command pipelining. Therefore, clients are not allowed 516 to send multiple commands. postscreen(8)'s <a href="#after_220">deep 517 protocol test</a> for this is disabled by default. </p> 518 519 <p> With "<a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> = yes", <a href="postscreen.8.html">postscreen(8)</a> detects 520 zombies that send multiple commands, instead of sending one command 521 and waiting for the server to reply. </p> 522 523 <p> This test is opportunistically enabled when <a href="postscreen.8.html">postscreen(8)</a> has 524 to use the built-in SMTP engine anyway. This is to make <a href="postscreen.8.html">postscreen(8)</a> 525 logging more informative. </p> 526 527 <p> When a client sends multiple commands, <a href="postscreen.8.html">postscreen(8)</a> logs this 528 as: </p> 529 530 <pre> 531 <b>COMMAND PIPELINING from</b> <i>[address]:port</i> <b>after</b> <i>command</i>: <i>text</i> 532 </pre> 533 534 <p> Translation: the SMTP client at <i>[address]:port</i> sent 535 multiple SMTP commands, instead of sending one command and then 536 waiting for the server to reply. This happened after the client 537 sent <i>command</i>. The <i>text</i> shows part of the input that 538 was sent too early; it is not logged with Postfix 2.8. </p> 539 540 <p> The <a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> parameter specifies the action 541 that is taken next. See "<a href="#fail_after_220">When tests fail 542 after the 220 SMTP server greeting</a>" below. </p> 543 544 <h3> <a name="non_smtp">Non-SMTP command test</a> </h3> 545 546 <p> Some spambots send their mail through open proxies. A symptom 547 of this is the usage of commands such as CONNECT and other non-SMTP 548 commands. Just like the Postfix SMTP server's <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> 549 feature, <a href="postscreen.8.html">postscreen(8)</a> has an equivalent <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> 550 feature to block these clients. postscreen(8)'s <a href="#after_220">deep 551 protocol test</a> for this is disabled by default. </p> 552 553 <p> With "<a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> = yes", <a href="postscreen.8.html">postscreen(8)</a> 554 detects zombies that send commands specified with the 555 <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> parameter. This also detects commands 556 with the syntax of a message header label. The latter is a symptom 557 that the client is sending message content after ignoring all the 558 responses from <a href="postscreen.8.html">postscreen(8)</a> that reject mail. </p> 559 560 <p> This test is opportunistically enabled when <a href="postscreen.8.html">postscreen(8)</a> has 561 to use the built-in SMTP engine anyway. This is to make <a href="postscreen.8.html">postscreen(8)</a> 562 logging more informative. </p> 563 564 <p> When a client sends non-SMTP commands, <a href="postscreen.8.html">postscreen(8)</a> logs this 565 as: </p> 566 567 <pre> 568 <b>NON-SMTP COMMAND from</b> <i>[address]:port</i> <b>after</b> <i>command: text</i> 569 </pre> 570 571 <p> Translation: the SMTP client at <i>[address]:port</i> sent a 572 command that matches the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> 573 parameter, or that has the syntax of a message header label (text 574 followed by optional space and ":"). 575 The "<tt><b>after</b> <i>command</i></tt>" portion is logged with 576 Postfix 2.10 and later. </p> 577 578 <p> The <a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> parameter specifies 579 the action that is taken next. See "<a href="#fail_after_220">When 580 tests fail after the 220 SMTP server greeting</a>" below. </p> 581 582 <h3> <a name="barelf">Bare newline test</a> </h3> 583 584 <p> SMTP is a line-oriented protocol: lines have a limited length, 585 and are terminated with <CR><LF>. Lines ending in a 586 "bare" <LF>, that is newline not preceded by carriage return, 587 are not allowed in SMTP. postscreen(8)'s <a href="#after_220">deep 588 protocol test</a> for this is disabled by default. </p> 589 590 <p> With "<a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> = yes", <a href="postscreen.8.html">postscreen(8)</a> 591 detects clients that send lines ending in bare newline characters. 592 </p> 593 594 <p> This test is opportunistically enabled when <a href="postscreen.8.html">postscreen(8)</a> has 595 to use the built-in SMTP engine anyway. This is to make <a href="postscreen.8.html">postscreen(8)</a> 596 logging more informative. </p> 597 598 <p> When a client sends bare newline characters, <a href="postscreen.8.html">postscreen(8)</a> logs 599 this as: 600 </p> 601 602 <pre> 603 <b>BARE NEWLINE from</b> <i>[address]:port</i> <b>after</b> <i>command</i> 604 </pre> 605 606 <p> Translation: the SMTP client at <i>[address]:port</i> sent a bare 607 newline character, that is newline not preceded by carriage 608 return. 609 The "<tt><b>after</b> <i>command</i></tt>" portion is logged with 610 Postfix 2.10 and later. </p> 611 612 <p> The <a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> parameter specifies the 613 action that is taken next. See "<a href="#fail_after_220">When 614 tests fail after the 220 SMTP server greeting</a>" below. </p> 615 616 <h3> <a name="fail_after_220">When tests fail after the 220 SMTP server greeting</a> </h3> 617 618 <p> When the client fails the pipelining, non-SMTP command or bare 619 newline tests, the action is specified with <a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a>, 620 <a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> or <a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a>, 621 respectively. </p> 622 623 <dl> 624 625 <dt> <b>ignore</b> (default for bare newline) </dt> 626 627 <dd> Ignore the failure of this test. Allow other tests to complete. 628 Do NOT repeat this test before the result from some other test 629 expires. 630 631 This option is useful for testing and collecting statistics without 632 blocking mail permanently. </dd> 633 634 <dt> <b>enforce</b> (default for pipelining) </dt> 635 636 <dd> Allow other tests to complete. Reject attempts to deliver 637 mail with a 550 SMTP reply, and log the helo/sender/recipient 638 information. Repeat this test the next time the client connects. 639 </dd> 640 641 <dt> <b>drop</b> (default for non-SMTP commands) </dt> 642 643 <dd> Drop the connection immediately with a 521 SMTP reply. Repeat 644 this test the next time the client connects. This action is 645 compatible with the Postfix SMTP server's <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> 646 feature. </dd> 647 648 </dl> 649 650 <h2> <a name="other_error">Other errors</a> </h2> 651 652 <p> When an SMTP client hangs up unexpectedly, <a href="postscreen.8.html">postscreen(8)</a> logs 653 this as: </p> 654 655 <pre> 656 <b>HANGUP after</b> <i>time</i> <b>from</b> <i>[address]:port</i> <b>in</b> <i>test name</i> 657 </pre> 658 659 <p> Translation: the SMTP client at <i>[address]:port</i> disconnected 660 unexpectedly, <i>time</i> seconds after the start of the 661 test named <i>test name</i>. </p> 662 663 <p> There is no punishment for hanging up. A client that hangs up 664 without sending the QUIT command can still pass all <a href="postscreen.8.html">postscreen(8)</a> 665 tests. </p> 666 667 <!-- 668 669 <p> While an unexpired penalty is in effect, an SMTP client is not 670 allowed to pass any tests, and <a href="postscreen.8.html">postscreen(8)</a> logs each connection 671 with the remaining amount of penalty time as: </p> 672 673 <pre> 674 <b>PENALTY</b> <i>time</i> <b>for</b> <i>[address]:port</i> 675 </pre> 676 677 <p> During this time, all attempts by the client to deliver mail 678 will be deferred with a 450 SMTP status. </p> 679 680 --> 681 682 <p> The following errors are reported by the built-in SMTP engine. 683 This engine never accepts mail, therefore it has per-session limits 684 on the number of commands and on the session length. </p> 685 686 <pre> 687 <b>COMMAND TIME LIMIT</b> <b>from</b> <i>[address]:port</i> <b>after</b> <i>command</i> 688 </pre> 689 690 <p> Translation: the SMTP client at <i>[address]:port</i> reached the 691 per-command time limit as specified with the <a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> 692 parameter. The session is terminated immediately. 693 The "<tt><b>after</b> <i>command</i></tt>" portion is logged with 694 Postfix 2.10 and later. </p> 695 696 <pre> 697 <b>COMMAND COUNT LIMIT from</b> <i>[address]:port</i> <b>after</b> <i>command</i> 698 </pre> 699 700 <p> Translation: the SMTP client at <i>[address]:port</i> reached the 701 per-session command count limit as specified with the 702 <a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> parameter. The session is terminated 703 immediately. 704 The "<tt><b>after</b> <i>command</i></tt>" portion is logged with 705 Postfix 2.10 and later. </p> 706 707 <pre> 708 <b>COMMAND LENGTH LIMIT from</b> <i>[address]:port</i> <b>after</b> <i>command</i> 709 </pre> 710 711 <p> Translation: the SMTP client at <i>[address]:port</i> reached the 712 per-command length limit, as specified with the <a href="postconf.5.html#line_length_limit">line_length_limit</a> 713 parameter. The session is terminated immediately. 714 The "<tt><b>after</b> <i>command</i></tt>" portion is logged with 715 Postfix 2.10 and later. </p> 716 717 <p> When an SMTP client makes too many connections at the same time, 718 or when all <a href="postscreen.8.html">postscreen(8)</a> ports are busy, <a href="postscreen.8.html">postscreen(8)</a> rejects the 719 connection with a 421 status code and logs: </p> 720 721 <pre> 722 <b>NOQUEUE: reject: CONNECT from</b> <i>[address]:port</i><b>: too many connections</b> 723 <b>NOQUEUE: reject: CONNECT from</b> <i>[address]:port</i><b>: all server ports busy</b> 724 </pre> 725 726 <p> The <a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a> and 727 <a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> parameters control these limits. </p> 728 729 <h2> <a name="victory">When all tests succeed</a> </h2> 730 731 <p> When a new SMTP client passes all tests (i.e. it is not whitelisted 732 via some mechanism), <a href="postscreen.8.html">postscreen(8)</a> logs this as: </p> 733 734 <pre> 735 <b>PASS NEW</b> <i>[address]:port</i> 736 </pre> 737 738 <p> Where <i>[address]:port</i> are the client IP address and port. 739 Then, <a href="postscreen.8.html">postscreen(8)</a> 740 creates a temporary whitelist entry that excludes the client IP 741 address from further tests until the temporary whitelist entry 742 expires, as controlled with the postscreen_*_ttl parameters. </p> 743 744 <p> When no "<a href="#after_220">deep protocol tests</a>" are 745 configured, <a href="postscreen.8.html">postscreen(8)</a> hands off the "live" connection to a Postfix 746 SMTP server process. The client can then continue as if <a href="postscreen.8.html">postscreen(8)</a> 747 never even existed (except for the short <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> delay). 748 </p> 749 750 <p> When any "<a href="#after_220">deep protocol tests</a>" are 751 configured, <a href="postscreen.8.html">postscreen(8)</a> cannot hand off the "live" connection to 752 a Postfix SMTP server process in the middle of the session. Instead, 753 <a href="postscreen.8.html">postscreen(8)</a> defers mail delivery attempts with a 4XX status, logs 754 the helo/sender/recipient information, and waits for the client to 755 disconnect. The next time the client connects it will be allowed 756 to talk to a Postfix SMTP server process to deliver its mail. 757 <a href="postscreen.8.html">postscreen(8)</a> mitigates the impact of this limitation by giving 758 <a href="#after_220">deep protocol tests</a> a long expiration 759 time. </p> 760 761 <h2> <a name="config"> Configuring the postscreen(8) service</a> 762 </h2> 763 764 <p> <a href="postscreen.8.html">postscreen(8)</a> has been tested on FreeBSD [4-8], Linux 2.[4-6] 765 and Solaris 9 systems. </p> 766 767 <ul> 768 769 <li> <a href="#enable"> Turning on postscreen(8) without blocking 770 mail</a> 771 772 <li> <a href="#starttls"> postscreen(8) TLS configuration </a> 773 774 <li> <a href="#blocking"> Blocking mail with postscreen(8) </a> 775 776 <li> <a href="#turnoff"> Turning off postscreen(8) </a> 777 778 </ul> 779 780 <h3> <a name="enable"> Turning on postscreen(8) without blocking mail</a> </h3> 781 782 <p> To enable the <a href="postscreen.8.html">postscreen(8)</a> service and log client information 783 without blocking mail: </p> 784 785 <ol> 786 787 <li> <p> Make sure that local clients and systems with non-standard 788 SMTP implementations are excluded from any <a href="postscreen.8.html">postscreen(8)</a> tests. The 789 default is to exclude all clients in <a href="postconf.5.html#mynetworks">mynetworks</a>. To exclude additional 790 clients, for example, third-party performance monitoring tools (these 791 tend to have broken SMTP implementations): </p> 792 793 <pre> 794 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 795 # Exclude broken clients by whitelisting. Clients in <a href="postconf.5.html#mynetworks">mynetworks</a> 796 # should always be whitelisted. 797 <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, 798 <a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr 799 800 /etc/postfix/postscreen_access.<a href="cidr_table.5.html">cidr</a>: 801 192.168.254.0/24 permit 802 </pre> 803 804 <li> <p> Comment out the "<tt>smtp inet ... smtpd</tt>" service 805 in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries 806 that follow. </p> 807 808 <pre> 809 /etc/postfix/<a href="master.5.html">master.cf</a>: 810 #smtp inet n - n - - smtpd 811 # -o parameter=value ... 812 </pre> 813 814 <li> <p> Uncomment the new "<tt>smtpd pass ... smtpd</tt>" service 815 in <a href="master.5.html">master.cf</a>, and duplicate any "<tt>-o parameter=value</tt>" entries 816 from the smtpd service that was commented out in the previous step. 817 </p> 818 819 <pre> 820 /etc/postfix/<a href="master.5.html">master.cf</a>: 821 smtpd pass - - n - - smtpd 822 -o parameter=value ... 823 </pre> 824 825 <li> <p> Uncomment the new "<tt>smtp inet ... postscreen</tt>" 826 service in <a href="master.5.html">master.cf</a>. </p> 827 828 <pre> 829 /etc/postfix/<a href="master.5.html">master.cf</a>: 830 smtp inet n - n - 1 postscreen 831 </pre> 832 833 <li> <p> Uncomment the new "<tt>tlsproxy unix ... tlsproxy</tt>" 834 service in <a href="master.5.html">master.cf</a>. This service implements STARTTLS support for 835 <a href="postscreen.8.html">postscreen(8)</a>. </p> 836 837 <pre> 838 /etc/postfix/<a href="master.5.html">master.cf</a>: 839 tlsproxy unix - - n - 0 tlsproxy 840 </pre> 841 842 <li> <p> Uncomment the new "<tt>dnsblog unix ... dnsblog</tt>" 843 service in <a href="master.5.html">master.cf</a>. This service does DNSBL lookups for <a href="postscreen.8.html">postscreen(8)</a> 844 and logs results. </p> 845 846 <pre> 847 /etc/postfix/<a href="master.5.html">master.cf</a>: 848 dnsblog unix - - n - 0 dnsblog 849 </pre> 850 851 <li> <p> To enable DNSBL lookups, list some DNS blocklist sites in 852 <a href="postconf.5.html">main.cf</a>, separated by whitespace. Different sites can have different 853 weights. For example: 854 855 <pre> 856 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 857 <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> = 2 858 <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> = zen.spamhaus.org*2 859 bl.spamcop.net*1 b.barracudacentral.org*1 860 </pre> 861 862 <p> Note: if your DNSBL queries have a "secret" in the domain name, 863 you must censor this information from the <a href="postscreen.8.html">postscreen(8)</a> SMTP replies. 864 For example: </p> 865 866 <pre> 867 /etc/postfix/<a href="postconf.5.html">main.cf</a>: 868 <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> = <a href="DATABASE_README.html#types">texthash</a>:/etc/postfix/dnsbl_reply 869 </pre> 870 871 <pre> 872 /etc/postfix/dnsbl_reply: 873 # Secret DNSBL name Name in <a href="postscreen.8.html">postscreen(8)</a> replies 874 secret.zen.spamhaus.org zen.spamhaus.org 875 </pre> 876 877 <p> The <a href="DATABASE_README.html#types">texthash</a>: format is similar to hash: except that there is 878 no need to run <a href="postmap.1.html">postmap(1)</a> before the file can be used, and that it 879 does not detect changes after the file is read. It is new with 880 Postfix version 2.8. </p> 881 882 <li> <p> Read the new configuration with "<tt>postfix reload</tt>". 883 </p> 884 885 </ol> 886 887 <p> Notes: </p> 888 889 <ul> 890 891 <li> <p> Some <a href="postscreen.8.html">postscreen(8)</a> configuration parameters implement 892 stress-dependent behavior. This is supported only when the default 893 value is stress-dependent (that is, "postconf -d <i>parametername</i>" 894 output shows "<i>parametername</i> = 895 ${stress?<i>something</i>}${stress:<i>something</i>}"). 896 Other parameters always evaluate as if the stress value is the empty 897 string. </p> 898 899 <li> <p> See "<a href="#before_220">Tests before the 220 SMTP server 900 greeting</a>" for details about the logging from these postscreen(8) 901 tests. </p> 902 903 <li> <p> If you run Postfix 2.6 or earlier you must stop and start 904 the master daemon ("<tt>postfix stop; postfix start</tt>"). This 905 is needed because the Postfix "pass" master service type did not 906 work reliably on all systems. </p> 907 908 </ul> 909 910 <h3> <a name="starttls"> postscreen(8) TLS configuration </a> </h3> 911 912 <p> <a href="postscreen.8.html">postscreen(8)</a> TLS support is available for remote SMTP clients 913 that aren't whitelisted, including clients that need to renew their 914 temporary whitelist status. When a remote SMTP client requests TLS 915 service, <a href="postscreen.8.html">postscreen(8)</a> invisibly hands off the connection to a 916 <a href="tlsproxy.8.html">tlsproxy(8)</a> process. Then, <a href="tlsproxy.8.html">tlsproxy(8)</a> encrypts and decrypts the 917 traffic between <a href="postscreen.8.html">postscreen(8)</a> and the remote SMTP client. One 918 <a href="tlsproxy.8.html">tlsproxy(8)</a> process can handle multiple SMTP sessions. The number 919 of <a href="tlsproxy.8.html">tlsproxy(8)</a> processes slowly increases with server load, but it 920 should always be much smaller than the number of <a href="postscreen.8.html">postscreen(8)</a> TLS 921 sessions. </p> 922 923 <p> TLS support for <a href="postscreen.8.html">postscreen(8)</a> and <a href="tlsproxy.8.html">tlsproxy(8)</a> uses the same 924 parameters as with <a href="smtpd.8.html">smtpd(8)</a>. We recommend that you keep the relevant 925 configuration parameters in <a href="postconf.5.html">main.cf</a>. If you must specify "-o 926 smtpd_mumble=value" parameter overrides in <a href="master.5.html">master.cf</a> for a 927 postscreen-protected <a href="smtpd.8.html">smtpd(8)</a> service, then you should specify those 928 same parameter overrides for the <a href="postscreen.8.html">postscreen(8)</a> and <a href="tlsproxy.8.html">tlsproxy(8)</a> 929 services. </p> 930 931 <h3> <a name="blocking"> Blocking mail with postscreen(8) </a> </h3> 932 933 <p> For compatibility with <a href="smtpd.8.html">smtpd(8)</a>, <a href="postscreen.8.html">postscreen(8)</a> implements the 934 <a href="postconf.5.html#soft_bounce">soft_bounce</a> safety feature. This causes Postfix to reject mail with 935 a "try again" reply code. </p> 936 937 <ul> 938 939 <li> <p> To turn this on for all of Postfix, specify "<tt><a href="postconf.5.html#soft_bounce">soft_bounce</a> 940 = yes</tt>" in <a href="postconf.5.html">main.cf</a>. </p> 941 942 <li> <p> To turn this on for <a href="postscreen.8.html">postscreen(8)</a> only, append "<tt>-o 943 <a href="postconf.5.html#soft_bounce">soft_bounce</a>=yes</tt>" (note: NO SPACES around '=') to the postscreen 944 entry in <a href="master.5.html">master.cf</a>. <p> 945 946 </ul> 947 948 <p> Execute "<tt>postfix reload</tt>" to make the change effective. </p> 949 950 <p> After testing, do not forget to remove the <a href="postconf.5.html#soft_bounce">soft_bounce</a> feature, 951 otherwise senders won't receive their non-delivery notification 952 until many days later. </p> 953 954 <p> To use the <a href="postscreen.8.html">postscreen(8)</a> service to block mail, edit <a href="postconf.5.html">main.cf</a> and 955 specify one or more of: </p> 956 957 <ul> 958 959 <li> <p> "<tt><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> = enforce</tt>", to reject 960 clients that are on DNS blocklists, and to log the helo/sender/recipient 961 information. With good DNSBLs this reduces the amount of load on 962 Postfix SMTP servers dramatically. </p> 963 964 <li> <p> "<tt><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> = enforce</tt>", to reject 965 clients that talk before their turn, and to log the helo/sender/recipient 966 information. This stops over half of all known-to-be illegitimate 967 connections to Wietse's mail server. It is backup protection for 968 zombies that haven't yet been blacklisted. </p> 969 970 <li> <p> You can also enable "<a href="#after_220">deep protocol 971 tests</a>", but these are more intrusive than the pregreet or DNSBL 972 tests. </p> 973 974 <p> When a good client passes the "<a href="#after_220">deep 975 protocol tests</a>", postscreen(8) adds the client to the temporary 976 whitelist but it cannot hand off the "live" connection to a Postfix 977 SMTP server process in the middle of the session. Instead, <a href="postscreen.8.html">postscreen(8)</a> 978 defers mail delivery attempts with a 4XX status, logs the 979 helo/sender/recipient information, and waits for the client to 980 disconnect. </p> 981 982 <p> When the good client comes back in a later session, it is allowed 983 to talk directly to a Postfix SMTP server. See "after_220 <a 984 href="#after_220">Tests after the 220 SMTP server greeting</a> above 985 for limitations with AUTH and other features that clients may need. 986 </p> 987 988 <p> An unexpected benefit from "<a href="#after_220">deep protocol 989 tests</a>" is that some "good" clients don't return after the 4XX 990 reply; these clients were not so good after all. Wietse enables 991 "<a href="#after_220">deep protocol tests</a>" on his own internet-facing 992 mail server. </p> 993 994 <li> <p> There is also support for permanent blacklisting and 995 whitelisting; see the description of the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> 996 parameter for details. </p> 997 998 </ul> 999 1000 <h3> <a name="turnoff"> Turning off postscreen(8) </a> </h3> 1001 1002 <p> To turn off <a href="postscreen.8.html">postscreen(8)</a> and handle mail directly with Postfix 1003 SMTP server processes: </p> 1004 1005 <ol> 1006 1007 <li> <p> Comment out the "<tt>smtp inet ... postscreen</tt>" service 1008 in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries 1009 that follow. </p> 1010 1011 <pre> 1012 /etc/postfix/<a href="master.5.html">master.cf</a>: 1013 #smtp inet n - n - 1 postscreen 1014 # -o parameter=value ... 1015 </pre> 1016 1017 <li> <p> Comment out the "<tt>dnsblog unix ... dnsblog</tt>" service 1018 in <a href="master.5.html">master.cf</a>. </p> 1019 1020 <pre> 1021 /etc/postfix/<a href="master.5.html">master.cf</a>: 1022 #dnsblog unix - - n - 0 dnsblog 1023 </pre> 1024 1025 <li> <p> Comment out the "<tt>smtpd pass ... smtpd</tt>" service 1026 in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries 1027 that follow. </p> 1028 1029 <pre> 1030 /etc/postfix/<a href="master.5.html">master.cf</a>: 1031 #smtpd pass - - n - - smtpd 1032 # -o parameter=value ... 1033 </pre> 1034 1035 <li> <p> Comment out the "<tt>tlsproxy unix ... tlsproxy</tt>" 1036 service in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" 1037 entries that follow. </p> 1038 1039 <pre> 1040 /etc/postfix/<a href="master.5.html">master.cf</a>: 1041 #tlsproxy unix - - n - 0 tlsproxy 1042 # -o parameter=value ... 1043 </pre> 1044 1045 <li> <p> Uncomment the "<tt>smtp inet ... smtpd</tt>" service in 1046 <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries that 1047 may follow. </p> 1048 1049 <pre> 1050 /etc/postfix/<a href="master.5.html">master.cf</a>: 1051 smtp inet n - n - - smtpd 1052 -o parameter=value ... 1053 </pre> 1054 1055 <li> <p> Read the new configuration with "<tt>postfix reload</tt>". 1056 </p> 1057 1058 </ol> 1059 1060 <h2> <a name="historical"> Historical notes and credits </a> </h2> 1061 1062 <p> Many ideas in <a href="postscreen.8.html">postscreen(8)</a> were explored in earlier work by 1063 Michael Tokarev, in OpenBSD spamd, and in MailChannels Traffic 1064 Control. </p> 1065 1066 <p> Wietse threw together a crude prototype with pregreet and dnsbl 1067 support in June 2009, because he needed something new for a Mailserver 1068 conference presentation in July. Ralf Hildebrandt ran this code on 1069 several servers to collect real-world statistics. This version used 1070 the <a href="dnsblog.8.html">dnsblog(8)</a> ad-hoc DNS client program. </p> 1071 1072 <p> Wietse needed new material for a LISA conference presentation 1073 in November 2010, so he added support for DNSBL weights and filters 1074 in August, followed by a major code rewrite, deep protocol tests, 1075 helo/sender/recipient logging, and stress-adaptive behavior in 1076 September. Ralf Hildebrandt ran this code on several servers to 1077 collect real-world statistics. This version still used the embarrassing 1078 <a href="dnsblog.8.html">dnsblog(8)</a> ad-hoc DNS client program. </p> 1079 1080 <p> Wietse added STARTTLS support in December 2010. This makes 1081 <a href="postscreen.8.html">postscreen(8)</a> usable for sites that require TLS support. The 1082 implementation introduces the <a href="tlsproxy.8.html">tlsproxy(8)</a> event-driven TLS proxy 1083 that decrypts/encrypts the sessions for multiple SMTP clients. </p> 1084 1085 <p> The <a href="tlsproxy.8.html">tlsproxy(8)</a> implementation led to the discovery of a "new" 1086 class of vulnerability (<a 1087 href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411" 1088 >CVE-2011-0411</a>) that affected multiple implementations of SMTP, 1089 POP, IMAP, NNTP, and FTP over TLS. </p> 1090 1091 <p> <a href="postscreen.8.html">postscreen(8)</a> was officially released as part of the Postfix 1092 2.8 stable release in January 2011.</p> 1093 1094 </body> 1095 1096 </html> 1097 1098
Indexes created Sun Jun 07 00:24:08 UTC 2026