postscreen man page on FreeBSD


POSTSCREEN(8)							 POSTSCREEN(8)

NAME
       postscreen - Postfix SMTP triage server

SYNOPSIS
       postscreen [generic Postfix daemon options]

DESCRIPTION
       The  Postfix  postscreen(8)  server performs triage on multiple inbound
       SMTP connections in parallel.  While  a	single	postscreen(8)  process
       keeps  spambots	away  from Postfix SMTP server processes, more Postfix
       SMTP server processes remain available for legitimate clients.

       postscreen(8) maintains a temporary whitelist  for  clients  that  have
       passed  a  number  of  tests.   When  an	 SMTP  client  IP  address  is
       whitelisted, postscreen(8) hands off the connection  immediately	 to  a
       Postfix SMTP server process. This minimizes the overhead for legitimate
       mail.

       By default, postscreen(8) logs statistics and hands off	every  connec‐
       tion  to	 a  Postfix  SMTP  server  process, while excluding clients in
       mynetworks from all tests (primarily, to avoid problems with  non-stan‐
       dard  SMTP implementations in network appliances).  This mode is useful
       for non-destructive testing.

       In a typical production setting, postscreen(8) is configured to	reject
       mail  from  clients  that  fail	one  or more tests. postscreen(8) logs
       rejected mail with the  client  address,	 helo,	sender	and  recipient
       information.

       postscreen(8)  is  not an SMTP proxy; this is intentional.  The purpose
       is to keep spambots away from Postfix SMTP server processes, while min‐
       imizing overhead for legitimate traffic.

SECURITY
       The postscreen(8) server is moderately security-sensitive.  It talks to
       untrusted clients on the network. The process can be  run  chrooted  at
       fixed low privilege.

STANDARDS
       RFC 5321 (SMTP, including multi-line 220 greetings)
       RFC 2920 (SMTP Pipelining)

DIAGNOSTICS
       Problems and transactions are logged to syslogd(8).

BUGS
       Some of the non-default protocol tests involve postscreen(8)'s built-in
       SMTP protocol engine. When these tests succeed, postscreen(8) adds  the
       client to the temporary whitelist but it cannot hand off the "live"
       connection to a Postfix SMTP server process in the middle of a session.
       Instead,	 postscreen(8) defers attempts to deliver mail with a 4XX sta‐
       tus, and waits for the client to disconnect.   The  next	 time  a  good
       client  connects,  it  will be allowed to talk to a Postfix SMTP server
       process to deliver mail. postscreen(8) mitigates	 the  impact  of  this
       limitation by giving such tests a long expiration time.

       The  postscreen(8) built-in SMTP protocol engine does not announce sup‐
       port for STARTTLS, AUTH, XCLIENT or XFORWARD (support for STARTTLS  and
       AUTH  may  be  added  in	 the future).  End-user clients should connect
       directly to the submission service;  other  systems  that  require  the
       above  features	should	directly  connect to a Postfix SMTP server, or
       they should be placed on the postscreen(8) whitelist.

CONFIGURATION PARAMETERS
       Changes to main.cf are not picked up  automatically,  as	 postscreen(8)
       processes  may run for several hours.  Use the command "postfix reload"
       after a configuration change.

       The text below provides only a parameter summary. See  postconf(5)  for
       more details including examples.

       NOTE:  Some postscreen(8)  parameters implement stress-dependent behav‐
       ior.  This is supported only when the default value is stress-dependent
       (that  is,  it  looks  like  ${stress?X}${stress:Y}).  Other parameters
       always evaluate as if the stress value is the empty string.

TRIAGE PARAMETERS
       postscreen_bare_newline_action (ignore)
	      The action that postscreen(8) takes when an SMTP client sends  a
	      bare  newline character, that is, a newline not preceded by car‐
	      riage return.

       postscreen_bare_newline_enable (no)
	      Enable "bare newline" SMTP protocol tests in  the	 postscreen(8)
	      server.

       postscreen_blacklist_action (ignore)
	      The  action that postscreen(8) takes when an SMTP client is per‐
	      manently	blacklisted  with  the	 postscreen_blacklist_networks
	      parameter.

       postscreen_blacklist_networks (empty)
	      Network  addresses  that	are  permanently  blacklisted; see the
	      postscreen_blacklist_action parameter for possible actions.

       postscreen_disable_vrfy_command ($disable_vrfy_command)
	      Disable the SMTP VRFY command in the postscreen(8) daemon.

       postscreen_dnsbl_action (ignore)
	      The action that postscreen(8) takes when an SMTP	client's  com‐
	      bined  DNSBL  score  is equal to or greater than a threshold (as
	      defined	   with	     the      postscreen_dnsbl_sites	   and
	      postscreen_dnsbl_threshold parameters).

       postscreen_dnsbl_reply_map (empty)
	      A	 mapping from actual DNSBL domain name which includes a secret
	      password, to the DNSBL domain name that  postscreen  will	 reply
	      with when it rejects mail.

       postscreen_dnsbl_sites (empty)
	      Optional	list of DNS blocklist domains, filters and weight fac‐
	      tors.

       postscreen_dnsbl_threshold (1)
	      The inclusive lower bound for blocking an SMTP client, based  on
	      its    combined	 DNSBL	  score	   as	 defined    with   the
	      postscreen_dnsbl_sites parameter.

       postscreen_forbidden_commands ($smtpd_forbidden_commands)
	      List of commands that the postscreen(8) server considers in vio‐
	      lation of the SMTP protocol.

       postscreen_greet_action (ignore)
	      The  action  that postscreen(8) takes when an SMTP client speaks
	      before  its  turn	  within   the	 time	specified   with   the
	      postscreen_greet_wait parameter.

       postscreen_greet_banner ($smtpd_banner)
	      The  text	 in  the  optional  "220-text..." server response that
	      postscreen(8) sends ahead of the real Postfix SMTP server's "220
	      text..."	response, in an attempt to confuse bad SMTP clients so
	      that they speak before their turn (pre-greet).

       postscreen_greet_wait (${stress?2}${stress:6}s)
	      The amount of time that postscreen(8)  will  wait	 for  an  SMTP
	      client  to send a command before its turn, and for DNS blocklist
	      lookup results to arrive (default: up to 2 seconds under stress,
	      up to 6 seconds otherwise).

       postscreen_helo_required ($smtpd_helo_required)
	      Require that a remote SMTP client sends HELO or EHLO before com‐
	      mencing a MAIL transaction.

       postscreen_non_smtp_command_action (drop)
	      The action that postscreen(8) takes when an  SMTP	 client	 sends
	      non-SMTP	commands  as  specified	 with  the  postscreen_forbid‐
	      den_commands parameter.

       postscreen_non_smtp_command_enable (no)
	      Enable "non-SMTP command" tests in the postscreen(8) server.

       postscreen_pipelining_action (enforce)
	      The action that postscreen(8) takes when an  SMTP	 client	 sends
	      multiple commands instead of sending one command and waiting for
	      the server to respond.

       postscreen_pipelining_enable (no)
	      Enable "pipelining" SMTP protocol	 tests	in  the	 postscreen(8)
	      server.

       postscreen_whitelist_networks ($mynetworks)
	      Network  addresses  that	are  permanently whitelisted, and that
	      will not be subjected to postscreen(8) checks.

       smtpd_service_name (smtpd)
	      The internal service that postscreen(8) forwards allowed connec‐
	      tions to.
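
       The following added example (not part of the Postfix distribution)
       models how postscreen_dnsbl_sites weights combine into a score that is
       compared with postscreen_dnsbl_threshold. It is a simplified model; the
       list domains and DNS replies are constructed, and the function names
       are hypothetical.

```python
import re

# One postscreen_dnsbl_sites entry: domain, optional "=d.d.d.d" reply
# filter, optional "*weight" (weight defaults to 1 and may be negative).
ENTRY = re.compile(
    r"^(?P<domain>[^=*\s]+)"
    r"(?:=(?P<filter>\d+\.\d+\.\d+\.\d+))?"
    r"(?:\*(?P<weight>-?\d+))?$"
)

def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into (domain, filter, weight)."""
    sites = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        m = ENTRY.match(item)
        if m is None:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {item!r}")
        sites.append((m["domain"], m["filter"], int(m["weight"] or 1)))
    return sites

def combined_score(sites, replies):
    """Sum the weights of the entries that list the client.
    replies maps domain -> set of A-record replies (missing = not listed)."""
    score = 0
    for domain, flt, weight in sites:
        answers = replies.get(domain, set())
        listed = (flt in answers) if flt else bool(answers)
        if listed:
            score += weight
    return score

def decide(score, threshold, action):
    """The threshold is an inclusive lower bound: score >= threshold
    triggers postscreen_dnsbl_action; anything lower passes the test."""
    return action if score >= threshold else "pass"

def demo():
    # Constructed configuration and lookup results for one client.
    sites = parse_sites("bl-a.example*2, bl-b.example=127.0.0.4, wl.example*-1")
    replies = {
        "bl-a.example": {"127.0.0.2"},   # listed, weight 2
        "bl-b.example": {"127.0.0.2"},   # reply does not match the filter
        "wl.example": {"127.0.0.1"},     # allowlist hit, weight -1
    }
    return combined_score(sites, replies)

if __name__ == "__main__":
    score = demo()
    print(score, decide(score, 1, "enforce"), decide(score, 2, "enforce"))
```

       With the default threshold of 1, a single unweighted listing is enough
       to trigger the action, so negative-weight entries and a higher
       threshold are the levers for reducing false positives.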

CACHE CONTROLS
       postscreen_cache_cleanup_interval (12h)
	      The amount of time between postscreen(8) cache cleanup runs.

       postscreen_cache_map (btree:$data_directory/ps_cache)
	      Persistent storage for the postscreen(8) server decisions.

       postscreen_cache_retention_time (7d)
	      The amount of time that postscreen(8) will cache an expired tem‐
	      porary whitelist entry before it is removed.

       postscreen_bare_newline_ttl (30d)
	      The amount of time that postscreen(8) will cache results from  a
	      successful "bare newline" SMTP protocol test.

       postscreen_dnsbl_ttl (1h)
	      The  amount of time that postscreen(8) will cache results from a
	      successful DNS blocklist test.

       postscreen_greet_ttl (1d)
	      The amount of time that postscreen(8) will cache results from  a
	      successful PREGREET test.

       postscreen_non_smtp_command_ttl (30d)
	      The  amount of time that postscreen(8) will cache results from a
	      successful "non_smtp_command" SMTP protocol test.

       postscreen_pipelining_ttl (30d)
	      The amount of time that postscreen(8) will cache results from  a
	      successful "pipelining" SMTP protocol test.

RESOURCE CONTROLS
       line_length_limit (2048)
	      Upon  input,  long  lines	 are chopped up into pieces of at most
	      this length; upon delivery, long lines are reconstructed.

       postscreen_command_count_limit (20)
	      The limit on the total number of commands per SMTP  session  for
	      postscreen(8)'s built-in SMTP protocol engine.

       postscreen_command_time_limit (${stress?10}${stress:300}s)
	      The  command "read" time limit for postscreen(8)'s built-in SMTP
	      protocol engine.

       postscreen_post_queue_limit ($default_process_limit)
	      The number of clients that can be waiting	 for  service  from  a
	      real SMTP server process.

       postscreen_pre_queue_limit ($default_process_limit)
	      The  number of non-whitelisted clients that can be waiting for a
	      decision whether they will receive  service  from	 a  real  SMTP
	      server process.

       postscreen_watchdog_timeout (10s)
	      How  much time a postscreen(8) process may take to respond to an
	      SMTP client command or to perform a cache operation before it is
	      terminated by a built-in watchdog timer.

MISCELLANEOUS CONTROLS
       config_directory (see 'postconf -d' output)
	      The  default  location of the Postfix main.cf and master.cf con‐
	      figuration files.

       delay_logging_resolution_limit (2)
	      The maximal number of digits after the decimal point  when  log‐
	      ging sub-second delay values.

       command_directory (see 'postconf -d' output)
	      The location of all postfix administrative commands.

       ipc_timeout (3600s)
	      The  time	 limit	for  sending  or receiving information over an
	      internal communication channel.

       max_idle (100s)
	      The maximum amount of time that an idle Postfix  daemon  process
	      waits for an incoming connection before terminating voluntarily.

       process_id (read-only)
	      The process ID of a Postfix command or daemon process.

       process_name (read-only)
	      The process name of a Postfix command or daemon process.

       syslog_facility (mail)
	      The syslog facility of Postfix logging.

       syslog_name (see 'postconf -d' output)
	      The  mail	 system	 name that is prepended to the process name in
	      syslog records, so that "smtpd"  becomes,	 for  example,	"post‐
	      fix/smtpd".

SEE ALSO
       smtpd(8), Postfix SMTP server
       dnsblog(8), temporary DNS helper
       syslogd(8), system logging

README FILES
       Use  "postconf readme_directory" or "postconf html_directory" to locate
       this information.
       POSTSCREEN_README, Postfix Postscreen Howto

LICENSE
       The Secure Mailer license must be distributed with this software.

HISTORY
       Many ideas in postscreen(8) were explored in earlier  work  by  Michael
       Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

								 POSTSCREEN(8)