POSTSCREEN(8) | System Manager's Manual | POSTSCREEN(8) |
postscreen - Postfix zombie blocker
postscreen [generic Postfix daemon options]
The Postfix postscreen(8) server provides additional protection against mail server overload. One postscreen(8) process handles multiple inbound SMTP connections, and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen(8) leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions.
This program should not be used on SMTP ports that receive mail from end-user clients (MUAs). In a typical deployment, postscreen(8) handles the MX service on TCP port 25, and smtpd(8) receives mail from MUAs on the submission service (TCP port 587) which requires client authentication. Alternatively, a site could set up a dedicated, non-postscreen, "port 25" server that provides submission service and client authentication, but no MX service.
postscreen(8) maintains a temporary whitelist for clients that have passed a number of tests. When an SMTP client IP address is whitelisted, postscreen(8) hands off the connection immediately to a Postfix SMTP server process. This minimizes the overhead for legitimate mail.
By default, postscreen(8) logs statistics and hands off each connection to a Postfix SMTP server process, while excluding clients in mynetworks from all tests (primarily, to avoid problems with non-standard SMTP implementations in network appliances). This default mode blocks no clients, and is useful for non-destructive testing.
In a typical production setting, postscreen(8) is configured to reject mail from clients that fail one or more tests. postscreen(8) logs rejected mail with the client address, helo, sender and recipient information.
postscreen(8) is not an SMTP proxy; this is intentional. The purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic.
The postscreen(8) server is moderately security-sensitive. It talks to untrusted clients on the network. The process can be run chrooted at fixed low privilege.
RFC 821 (SMTP protocol) RFC 1123 (Host requirements) RFC 1652 (8bit-MIME transport) RFC 1869 (SMTP service extensions) RFC 1870 (Message Size Declaration) RFC 1985 (ETRN command) RFC 2034 (SMTP Enhanced Status Codes) RFC 2821 (SMTP protocol) Not: RFC 2920 (SMTP Pipelining) RFC 3207 (STARTTLS command) RFC 3461 (SMTP DSN Extension) RFC 3463 (Enhanced Status Codes) RFC 5321 (SMTP protocol, including multi-line 220 banners)
Problems and transactions are logged to syslogd(8).
The postscreen(8) built-in SMTP protocol engine currently does not announce support for AUTH, XCLIENT or XFORWARD. If you need to make these services available on port 25, then do not enable the optional "after 220 server greeting" tests.
The optional "after 220 server greeting" tests may result in unexpected delivery delays from senders that retry email delivery from a different IP address. Reason: after passing these tests a new client must disconnect, and reconnect from the same IP address before it can deliver mail. See POSTSCREEN_README, section "Tests after the 220 SMTP server greeting", for a discussion.
Changes to main.cf are not picked up automatically, as postscreen(8) processes may run for several hours. Use the command "postfix reload" after a configuration change.
The text below provides only a parameter summary. See postconf(5) for more details including examples.
NOTE: Some postscreen(8) parameters implement stress-dependent behavior. This is supported only when the default parameter value is stress-dependent (that is, it looks like ${stress?{X}:{Y}}, or it is the $name of an smtpd parameter with a stress-dependent default). Other parameters always evaluate as if the stress parameter value is the empty string.
Available in Postfix version 3.1 and later:
Available in Postfix version 2.10 and later:
This test is executed immediately after a remote SMTP client connects. If a client is permanently whitelisted, the client will be handed off immediately to a Postfix SMTP server process.
When postscreen(8) is configured to monitor all primary and backup MX addresses, it can refuse to whitelist clients that connect to a backup MX address only. For small sites, this requires configuring primary and backup MX addresses on the same MTA. Larger sites would have to share the postscreen(8) cache between primary and backup MTAs, which would introduce a common point of failure.
These tests are executed before the remote SMTP client receives the "220 servername" greeting. If no tests remain after the successful completion of this phase, the client will be handed off immediately to a Postfix SMTP server process.
Available in Postfix version 2.11 and later:
Available in Postfix version 3.0 and later:
These tests are executed after the remote SMTP client receives the "220 servername" greeting. If a client passes all tests during this phase, it will receive a 4XX response to all RCPT TO commands. After the client reconnects, it will be allowed to talk directly to a Postfix SMTP server process.
These parameters are supported for compatibility with smtpd(8) legacy parameters.
smtpd(8), Postfix SMTP server tlsproxy(8), Postfix TLS proxy server dnsblog(8), DNS black/whitelist logger syslogd(8), system logging
Use "postconf readme_directory" or "postconf html_directory" to locate this information.
POSTSCREEN_README, Postfix Postscreen Howto
The Secure Mailer license must be distributed with this software.
This service was introduced with Postfix version 2.8.
Many ideas in postscreen(8) were explored in earlier work by Michael Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, USA Wietse Venema Google, Inc. 111 8th Avenue New York, NY 10011, USA