{
    "content": [
        {
            "type": "text",
            "text": "# postscreen(8) (man)\n\n**Summary:** postscreen - Postfix zombie blocker\n\n**Synopsis:** postscreen [generic Postfix daemon options]\n\n## See Also\n\n- smtpd(8)\n- tlsproxy(8)\n- dnsblog(8)\n- postlogd(8)\n- syslogd(8)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (2 lines)\n- **DESCRIPTION** (28 lines)\n- **SECURITY** (3 lines)\n- **STANDARDS** (15 lines)\n- **DIAGNOSTICS** (2 lines)\n- **BUGS** (10 lines)\n- **CONFIGURATION PARAMETERS** (11 lines)\n- **COMPATIBILITY CONTROLS** (28 lines)\n- **TROUBLE SHOOTING CONTROLS** (11 lines)\n- **BEFORE-POSTSCREEN PROXY AGENT** (9 lines)\n- **PERMANENT ALLOW/DENYLIST TEST** (10 lines)\n- **MAIL EXCHANGER POLICY TESTS** (9 lines)\n- **BEFORE 220 GREETING TESTS** (65 lines)\n- **AFTER 220 GREETING TESTS** (37 lines)\n- **CACHE CONTROLS** (36 lines)\n- **RESOURCE CONTROLS** (29 lines)\n- **STARTTLS CONTROLS** (8 lines)\n- **OBSOLETE STARTTLS SUPPORT CONTROLS** (10 lines)\n- **MISCELLANEOUS CONTROLS** (37 lines)\n- **SEE ALSO** (6 lines)\n- **README FILES** (3 lines)\n- **LICENSE** (2 lines)\n- **HISTORY** (19 lines)\n\n## Full Content\n\n### NAME\n\npostscreen - Postfix zombie blocker\n\n### SYNOPSIS\n\npostscreen [generic Postfix daemon options]\n\n### DESCRIPTION\n\nThe Postfix postscreen(8) server provides additional protection against mail server overload.\nOne postscreen(8) process handles  multiple  inbound  SMTP  connections,  and  decides  which\nclients  may  talk to a Postfix SMTP server process.  By keeping spambots away, postscreen(8)\nleaves more SMTP server processes available for legitimate clients, and delays the  onset  of\nserver overload conditions.\n\nThis program should not be used on SMTP ports that receive mail from end-user clients (MUAs).\nIn a typical deployment, postscreen(8) handles the MX service on TCP port  25,  and  smtpd(8)\nreceives  mail  from  MUAs on the submission service (TCP port 587) which requires client au‐\nthentication.  
Alternatively, a site could set up  a  dedicated,  non-postscreen,  \"port  25\"\nserver that provides submission service and client authentication, but no MX service.\n\npostscreen(8) maintains a temporary allowlist for clients that have passed a number of tests.\nWhen an SMTP client IP address is allowlisted, postscreen(8) hands off the connection immedi‐\nately to a Postfix SMTP server process. This minimizes the overhead for legitimate mail.\n\nBy  default,  postscreen(8)  logs  statistics and hands off each connection to a Postfix SMTP\nserver process, while excluding clients in mynetworks from all  tests  (primarily,  to  avoid\nproblems  with  non-standard  SMTP implementations in network appliances).  This default mode\nblocks no clients, and is useful for non-destructive testing.\n\nIn a typical production setting, postscreen(8) is configured to reject mail from clients that\nfail  one  or  more  tests.  postscreen(8)  logs rejected mail with the client address, helo,\nsender and recipient information.\n\npostscreen(8) is not an SMTP proxy; this is intentional.  The purpose  is  to  keep  spambots\naway from Postfix SMTP server processes, while minimizing overhead for legitimate traffic.\n\n### SECURITY\n\nThe  postscreen(8) server is moderately security-sensitive.  It talks to untrusted clients on\nthe network. 
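
The default mode described above blocks nothing, so the decision to switch a postscreen_*_action from ignore to enforce or drop rests on the log entries mentioned under DIAGNOSTICS. The Python below is an added example, not code from this man page or from Postfix: it tallies postscreen log lines per client IP (which tests were failed, how each session ended) and lists the clients that a stricter action would start rejecting. The log lines are constructed for the example and assume a host with postscreen_dnsbl_action = enforce, a postscreen_dnsbl_threshold of 3 and postscreen_greet_action left at ignore; the message formats follow what postscreen logs.

```python
# Added example, not from the postscreen(8) man page or the Postfix sources.
# Reads postscreen log lines (syslogd(8)/postlogd(8) format) and tallies, per
# client IP, which tests were failed and how the sessions ended, so that an
# operator running the non-destructive default (postscreen_*_action = ignore)
# can see what switching an action to enforce/drop would reject.
from collections import defaultdict

# Constructed sample: a host with postscreen_dnsbl_action = enforce (threshold 3)
# while postscreen_greet_action is still at the default ignore. The escaped CRLF
# that postscreen appends to a PREGREET payload is omitted here.
SAMPLE_LOG = '''
Mar  3 10:00:01 mx1 postfix/postscreen[4242]: CONNECT from [192.0.2.10]:50001 to [198.51.100.5]:25
Mar  3 10:00:01 mx1 postfix/postscreen[4242]: PREGREET 11 after 0.12 from [192.0.2.10]:50001: EHLO friend
Mar  3 10:00:02 mx1 postfix/postscreen[4242]: PASS NEW [192.0.2.10]:50001
Mar  3 10:00:02 mx1 postfix/postscreen[4242]: DISCONNECT [192.0.2.10]:50001
Mar  3 10:00:05 mx1 postfix/postscreen[4242]: CONNECT from [203.0.113.7]:40022 to [198.51.100.5]:25
Mar  3 10:00:11 mx1 postfix/postscreen[4242]: PASS NEW [203.0.113.7]:40022
Mar  3 10:00:11 mx1 postfix/postscreen[4242]: DISCONNECT [203.0.113.7]:40022
Mar  3 10:01:00 mx1 postfix/postscreen[4242]: CONNECT from [203.0.113.7]:40023 to [198.51.100.5]:25
Mar  3 10:01:00 mx1 postfix/postscreen[4242]: PASS OLD [203.0.113.7]:40023
Mar  3 10:01:00 mx1 postfix/postscreen[4242]: DISCONNECT [203.0.113.7]:40023
Mar  3 10:02:00 mx1 postfix/postscreen[4242]: CONNECT from [192.0.2.99]:1025 to [198.51.100.5]:25
Mar  3 10:02:01 mx1 postfix/postscreen[4242]: HANGUP after 0.9 from [192.0.2.99]:1025 in tests before SMTP handshake
Mar  3 10:02:01 mx1 postfix/postscreen[4242]: DISCONNECT [192.0.2.99]:1025
Mar  3 10:03:00 mx1 postfix/postscreen[4242]: CONNECT from [198.51.100.77]:2525 to [198.51.100.5]:25
Mar  3 10:03:00 mx1 postfix/postscreen[4242]: DNSBL rank 3 for [198.51.100.77]:2525
Mar  3 10:03:06 mx1 postfix/postscreen[4242]: NOQUEUE: reject: RCPT from [198.51.100.77]:2525: 550 5.7.1 Service unavailable; client [198.51.100.77] blocked using zen.spamhaus.org; from=<x@example.net>, to=<y@example.org>, proto=ESMTP, helo=<wks1>
Mar  3 10:03:06 mx1 postfix/postscreen[4242]: DISCONNECT [198.51.100.77]:2525
Mar  3 10:03:07 mx1 postfix/smtpd[4300]: connect from mail.example.org[203.0.113.7]
'''

TAG = 'postfix/postscreen['
# after-220 test messages, keyed by the prefix they start with
AFTER_220 = {'COMMAND PIPELINING from ': 'pipelining',
             'NON-SMTP COMMAND from ': 'non-smtp',
             'BARE NEWLINE from ': 'bare-newline'}

def postscreen_message(line):
    '''Return the text after the postscreen syslog tag, or None for other daemons.'''
    i = line.find(TAG)
    if i < 0:
        return None
    j = line.find(']: ', i)
    return None if j < 0 else line[j + 3:]

def client_ip(token):
    '''[192.0.2.10]:50001 or [192.0.2.10]:50001: -> 192.0.2.10'''
    return token[1:token.index(']')]

def parse_event(msg):
    '''Classify one postscreen message as (kind, client_ip, detail), or None.'''
    t = msg.split()
    if msg.startswith('CONNECT from '):
        return 'connect', client_ip(t[2]), None
    if msg.startswith('PREGREET '):             # PREGREET <n> after <s> from [ip]:port: <payload>
        return 'pregreet', client_ip(t[5]), ' '.join(t[6:])
    if msg.startswith('DNSBL rank '):           # DNSBL rank <score> for [ip]:port
        return 'dnsbl', client_ip(t[4]), int(t[2])
    if msg.startswith('HANGUP after '):         # HANGUP after <s> from [ip]:port in <phase>
        return 'hangup', client_ip(t[4]), ' '.join(t[6:])
    if msg.startswith('PASS NEW ') or msg.startswith('PASS OLD '):
        return 'pass_' + t[1].lower(), client_ip(t[2]), None
    if msg.startswith('NOQUEUE: reject: RCPT from '):
        return 'reject', client_ip(t[4]), ' '.join(t[5:])   # detail = SMTP reply + envelope
    for prefix, kind in AFTER_220.items():
        if msg.startswith(prefix):
            return kind, client_ip(t[3]), ' '.join(t[4:])
    return None                                 # DISCONNECT, cache messages, etc.

def summarize(log_text, dnsbl_threshold=3):
    '''Per client IP: connection count, failed tests, session outcomes.
    dnsbl_threshold mirrors the site postscreen_dnsbl_threshold (assumed 3 here).'''
    clients = defaultdict(lambda: {'connects': 0, 'failed': set(), 'outcomes': set()})
    for line in log_text.splitlines():
        msg = postscreen_message(line)
        ev = parse_event(msg) if msg else None
        if ev is None:
            continue
        kind, ip, detail = ev
        c = clients[ip]
        if kind == 'connect':
            c['connects'] += 1
        elif kind == 'dnsbl':
            if detail >= dnsbl_threshold:
                c['failed'].add('dnsbl')
        elif kind in ('pregreet', 'pipelining', 'non-smtp', 'bare-newline'):
            c['failed'].add(kind)
        else:                                   # pass_new, pass_old, reject, hangup
            c['outcomes'].add(kind)
    return dict(clients)

def would_be_blocked(summary):
    '''Clients that failed a test yet were handed to smtpd(8): the ones that flipping
    the corresponding *_action from ignore to enforce would start rejecting.'''
    return sorted(ip for ip, c in summary.items()
                  if c['failed'] and 'reject' not in c['outcomes']
                  and c['outcomes'] & {'pass_new', 'pass_old'})
```

Feed it the real mail log instead of SAMPLE_LOG. Every address returned by would_be_blocked() is a sender you would lose by enforcing the test it failed, so check the list for legitimate but badly behaved MTAs (the network appliances the DESCRIPTION warns about) before changing the action, and put those in postscreen_access_list or mynetworks rather than weakening the test for everyone.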
The process can be run chrooted at fixed low privilege.\n\n### STANDARDS\n\nRFC 821 (SMTP protocol)\nRFC 1123 (Host requirements)\nRFC 1652 (8bit-MIME transport)\nRFC 1869 (SMTP service extensions)\nRFC 1870 (Message Size Declaration)\nRFC 1985 (ETRN command)\nRFC 2034 (SMTP Enhanced Status Codes)\nRFC 2821 (SMTP protocol)\nNot: RFC 2920 (SMTP Pipelining)\nRFC 3030 (CHUNKING without BINARYMIME)\nRFC 3207 (STARTTLS command)\nRFC 3461 (SMTP DSN Extension)\nRFC 3463 (Enhanced Status Codes)\nRFC 5321 (SMTP protocol, including multi-line 220 banners)\n\n### DIAGNOSTICS\n\nProblems and transactions are logged to syslogd(8) or postlogd(8).\n\n### BUGS\n\nThe postscreen(8) built-in SMTP protocol engine currently does not announce support for AUTH, XCLIENT or XFORWARD. If you need to make these services available on port 25, then do not enable the optional \"after 220 server greeting\" tests.\n\nThe optional \"after 220 server greeting\" tests may result in unexpected delivery delays from senders that retry email delivery from a different IP address. Reason: after passing these tests a new client must disconnect, and reconnect from the same IP address before it can deliver mail. See POSTSCREEN_README, section \"Tests after the 220 SMTP server greeting\", for a discussion.\n\n### CONFIGURATION PARAMETERS\n\nChanges to main.cf are not picked up automatically, as postscreen(8) processes may run for several hours. Use the command \"postfix reload\" after a configuration change.\n\nThe text below provides only a parameter summary. See postconf(5) for more details including examples.\n\nNOTE: Some postscreen(8) parameters implement stress-dependent behavior. This is supported only when the default parameter value is stress-dependent (that is, it looks like ${stress?{X}:{Y}}, or it is the $name of an smtpd parameter with a stress-dependent default). Other parameters always evaluate as if the stress parameter value is the empty string.\n\n### COMPATIBILITY CONTROLS\n\npostscreen_command_filter ($smtpd_command_filter)\nA mechanism to transform commands from remote SMTP clients.\n\npostscreen_discard_ehlo_keyword_address_maps ($smtpd_discard_ehlo_keyword_address_maps)\nLookup tables, indexed by the remote SMTP client address, with case insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.) that the postscreen(8) server will not send in the EHLO response to a remote SMTP client.\n\npostscreen_discard_ehlo_keywords ($smtpd_discard_ehlo_keywords)\nA case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that the postscreen(8) server will not send in the EHLO response to a remote SMTP client.\n\nAvailable in Postfix version 3.1 and later:\n\ndns_ncache_ttl_fix_enable (no)\nEnable a workaround for future libc incompatibility.\n\nAvailable in Postfix version 3.4 and later:\n\npostscreen_reject_footer_maps ($smtpd_reject_footer_maps)\nOptional lookup table for information that is appended after a 4XX or 5XX postscreen(8) server response.\n\nAvailable in Postfix 3.6 and later:\n\nrespectful_logging (see 'postconf -d' output)\nAvoid logging that implies white is better than black.\n\n### TROUBLE SHOOTING CONTROLS\n\npostscreen_expansion_filter (see 'postconf -d' output)\nList of characters that are permitted in postscreen_reject_footer attribute expansions.\n\npostscreen_reject_footer ($smtpd_reject_footer)\nOptional information that is appended after a 4XX or 5XX postscreen(8) server response.\n\nsoft_bounce (no)\nSafety net to keep mail queued that would otherwise be returned to the sender.\n\n### BEFORE-POSTSCREEN PROXY AGENT\n\nAvailable in Postfix version 2.10 and later:\n\npostscreen_upstream_proxy_protocol (empty)\nThe name of the proxy protocol used by an optional before-postscreen proxy agent.\n\npostscreen_upstream_proxy_timeout (5s)\nThe time limit for the proxy protocol specified with the postscreen_upstream_proxy_protocol parameter.\n\n### PERMANENT ALLOW/DENYLIST TEST\n\nThis test is executed immediately after a remote SMTP client connects. If a client is permanently allowlisted, the client will be handed off immediately to a Postfix SMTP server process.\n\npostscreen_access_list (permit_mynetworks)\nPermanent allow/denylist for remote SMTP client IP addresses.\n\npostscreen_blacklist_action (ignore)\nRenamed to postscreen_denylist_action in Postfix 3.6.\n\n### MAIL EXCHANGER POLICY TESTS\n\nWhen postscreen(8) is configured to monitor all primary and backup MX addresses, it can refuse to allowlist clients that connect to a backup MX address only. For small sites, this requires configuring primary and backup MX addresses on the same MTA. Larger sites would have to share the postscreen(8) cache between primary and backup MTAs, which would introduce a common point of failure.\n\npostscreen_whitelist_interfaces (static:all)\nRenamed to postscreen_allowlist_interfaces in Postfix 3.6.\n\n### BEFORE 220 GREETING TESTS\n\nThese tests are executed before the remote SMTP client receives the \"220 servername\" greeting.
If no tests remain after the successful completion of this phase, the client will be handed off immediately to a Postfix SMTP server process.\n\ndnsblog_service_name (dnsblog)\nThe name of the dnsblog(8) service entry in master.cf.\n\npostscreen_dnsbl_action (ignore)\nThe action that postscreen(8) takes when a remote SMTP client's combined DNSBL score is equal to or greater than a threshold (as defined with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parameters).\n\npostscreen_dnsbl_reply_map (empty)\nA mapping from actual DNSBL domain name which includes a secret password, to the DNSBL domain name that postscreen will reply with when it rejects mail.\n\npostscreen_dnsbl_sites (empty)\nOptional list of DNS allow/denylist domains, filters and weight factors.\n\npostscreen_dnsbl_threshold (1)\nThe inclusive lower bound for blocking a remote SMTP client, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.\n\npostscreen_greet_action (ignore)\nThe action that postscreen(8) takes when a remote SMTP client speaks before its turn within the time specified with the postscreen_greet_wait parameter.\n\npostscreen_greet_banner ($smtpd_banner)\nThe text in the optional \"220-text...\" server response that postscreen(8) sends ahead of the real Postfix SMTP server's \"220 text...\" response, in an attempt to confuse bad SMTP clients so that they speak before their turn (pre-greet).\n\npostscreen_greet_wait (normal: 6s, overload: 2s)\nThe amount of time that postscreen(8) will wait for an SMTP client to send a command before its turn, and for DNS blocklist lookup results to arrive (default: up to 2 seconds under stress, up to 6 seconds otherwise).\n\nsmtpd_service_name (smtpd)\nThe internal service that postscreen(8) hands off allowed connections to.\n\nAvailable in Postfix version 2.11 and later:\n\npostscreen_dnsbl_whitelist_threshold (0)\nRenamed to postscreen_dnsbl_allowlist_threshold in Postfix 3.6.\n\nAvailable in Postfix version 3.0 and later:\n\npostscreen_dnsbl_timeout (10s)\nThe time limit for DNSBL or DNSWL lookups.\n\nAvailable in Postfix version 3.6 and later:\n\npostscreen_denylist_action (ignore)\nThe action that postscreen(8) takes when a remote SMTP client is permanently denylisted with the postscreen_access_list parameter.\n\npostscreen_allowlist_interfaces (static:all)\nA list of local postscreen(8) server IP addresses where a non-allowlisted remote SMTP client can obtain postscreen(8)'s temporary allowlist status.\n\npostscreen_dnsbl_allowlist_threshold (0)\nAllow a remote SMTP client to skip \"before\" and \"after 220 greeting\" protocol tests, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.\n\n### AFTER 220 GREETING TESTS\n\nThese tests are executed after the remote SMTP client receives the \"220 servername\" greeting. If a client passes all tests during this phase, it will receive a 4XX response to all RCPT TO commands. After the client reconnects, it will be allowed to talk directly to a Postfix SMTP server process.\n\npostscreen_bare_newline_action (ignore)\nThe action that postscreen(8) takes when a remote SMTP client sends a bare newline character, that is, a newline not preceded by carriage return.\n\npostscreen_bare_newline_enable (no)\nEnable \"bare newline\" SMTP protocol tests in the postscreen(8) server.\n\npostscreen_disable_vrfy_command ($disable_vrfy_command)\nDisable the SMTP VRFY command in the postscreen(8) daemon.\n\npostscreen_forbidden_commands ($smtpd_forbidden_commands)\nList of commands that the postscreen(8) server considers in violation of the SMTP protocol.\n\npostscreen_helo_required ($smtpd_helo_required)\nRequire that a remote SMTP client sends HELO or EHLO before commencing a MAIL transaction.\n\npostscreen_non_smtp_command_action (drop)\nThe action that postscreen(8) takes when a remote SMTP client sends non-SMTP commands as specified with the postscreen_forbidden_commands parameter.\n\npostscreen_non_smtp_command_enable (no)\nEnable \"non-SMTP command\" tests in the postscreen(8) server.\n\npostscreen_pipelining_action (enforce)\nThe action that postscreen(8) takes when a remote SMTP client sends multiple commands instead of sending one command and waiting for the server to respond.\n\npostscreen_pipelining_enable (no)\nEnable \"pipelining\" SMTP protocol tests in the postscreen(8) server.\n\n### CACHE CONTROLS\n\npostscreen_cache_cleanup_interval (12h)\nThe amount of time between postscreen(8) cache cleanup runs.\n\npostscreen_cache_map (btree:$data_directory/postscreen_cache)\nPersistent storage for the postscreen(8) server decisions.\n\npostscreen_cache_retention_time (7d)\nThe amount of time that postscreen(8) will cache an expired temporary allowlist entry before it is removed.\n\npostscreen_bare_newline_ttl (30d)\nThe amount of time that postscreen(8) will use the result from a successful \"bare newline\" SMTP protocol test.\n\npostscreen_dnsbl_max_ttl (${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)\nThe maximum amount of time that postscreen(8) will use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again.\n\npostscreen_dnsbl_min_ttl (60s)\nThe minimum amount of time that postscreen(8) will use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again.\n\npostscreen_greet_ttl (1d)\nThe amount of time that postscreen(8) will use the result from a successful PREGREET test.\n\npostscreen_non_smtp_command_ttl (30d)\nThe amount of time that postscreen(8) will use the result from a successful \"non_smtp_command\" SMTP protocol test.\n\npostscreen_pipelining_ttl (30d)\nThe amount of time that postscreen(8) will use the result from a successful \"pipelining\" SMTP protocol test.\n\n### RESOURCE CONTROLS\n\nline_length_limit (2048)\nUpon input, long lines are chopped up into pieces of at most this length; upon delivery, long lines are reconstructed.\n\npostscreen_client_connection_count_limit ($smtpd_client_connection_count_limit)\nHow many simultaneous connections any remote SMTP client is allowed to have with the postscreen(8) daemon.\n\npostscreen_command_count_limit (20)\nThe limit on the total number of commands per SMTP session for postscreen(8)'s built-in SMTP protocol engine.\n\npostscreen_command_time_limit (normal: 300s, overload: 10s)\nThe time limit to read an entire command line with postscreen(8)'s built-in SMTP protocol engine.\n\npostscreen_post_queue_limit ($default_process_limit)\nThe number of clients that can be waiting for service from a real Postfix SMTP server process.\n\npostscreen_pre_queue_limit ($default_process_limit)\nThe number of non-allowlisted clients that can be waiting for a decision whether they will receive service from a real Postfix SMTP server process.\n\npostscreen_watchdog_timeout (10s)\nHow much time a postscreen(8) process may take to respond to a remote SMTP client command or to perform a cache operation before it is terminated by a built-in watchdog timer.\n\n### STARTTLS CONTROLS\n\npostscreen_tls_security_level ($smtpd_tls_security_level)\nThe SMTP TLS security level for the postscreen(8) server; when a non-empty value is specified, this overrides the obsolete parameters postscreen_use_tls and postscreen_enforce_tls.\n\ntlsproxy_service_name (tlsproxy)\nThe name of the tlsproxy(8) service entry in master.cf.\n\n### OBSOLETE STARTTLS SUPPORT CONTROLS\n\nThese parameters are supported for compatibility with smtpd(8) legacy parameters.\n\npostscreen_use_tls ($smtpd_use_tls)\nOpportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption.\n\npostscreen_enforce_tls ($smtpd_enforce_tls)\nMandatory TLS: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption.\n\n### MISCELLANEOUS CONTROLS\n\nconfig_directory (see 'postconf -d' output)\nThe default location of the Postfix main.cf and master.cf configuration files.\n\ndelay_logging_resolution_limit (2)\nThe maximal number of digits after the decimal point when logging sub-second delay values.\n\ncommand_directory (see 'postconf -d' output)\nThe location of all postfix administrative commands.\n\nmax_idle (100s)\nThe maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily.\n\nprocess_id (read-only)\nThe process ID of a Postfix command or daemon process.\n\nprocess_name (read-only)\nThe process name of a Postfix command or daemon process.\n\nsyslog_facility (mail)\nThe syslog facility of Postfix logging.\n\nsyslog_name (see 'postconf -d' output)\nA prefix that is prepended to the process name in syslog records, so that, for example, \"smtpd\" becomes \"prefix/smtpd\".\n\nAvailable in Postfix 3.3 and later:\n\nservice_name (read-only)\nThe master.cf service name of a Postfix daemon process.\n\nAvailable in Postfix 3.5 and later:\n\ninfo_log_address_format (external)\nThe email address form that will be used in non-debug logging (info, warning, etc.).\n\n### SEE ALSO\n\nsmtpd(8), Postfix SMTP server\ntlsproxy(8), Postfix TLS proxy server\ndnsblog(8), DNS allow/denylist logger\npostlogd(8), Postfix logging\nsyslogd(8), system logging\n\n### README FILES\n\nUse \"postconf readme_directory\" or \"postconf html_directory\" to locate this information.\nPOSTSCREEN_README, Postfix Postscreen Howto\n\n### LICENSE\n\nThe Secure Mailer license must be distributed with this software.\n\n### HISTORY\n\nThis service was introduced with Postfix version 2.8.\n\nMany ideas in postscreen(8) were explored in earlier work by Michael Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.\n\n### AUTHOR(S)\n\nWietse Venema\nIBM T.J. Watson Research\nP.O.
Box 704\nYorktown Heights, NY 10598, USA\n\nWietse Venema\nGoogle, Inc.\n111 8th Avenue\nNew York, NY 10011, USA\n"
        }
    ],
    "structuredContent": {
        "command": "postscreen",
        "section": "8",
        "mode": "man",
        "summary": "postscreen - Postfix zombie blocker",
        "synopsis": "postscreen [generic Postfix daemon options]",
        "flags": [],
        "examples": [],
        "see_also": [
            {
                "name": "smtpd",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/smtpd/8/json"
            },
            {
                "name": "tlsproxy",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/tlsproxy/8/json"
            },
            {
                "name": "dnsblog",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/dnsblog/8/json"
            },
            {
                "name": "postlogd",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/postlogd/8/json"
            },
            {
                "name": "syslogd",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/syslogd/8/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 28,
                "subsections": []
            },
            {
                "name": "SECURITY",
                "lines": 3,
                "subsections": []
            },
            {
                "name": "STANDARDS",
                "lines": 15,
                "subsections": []
            },
            {
                "name": "DIAGNOSTICS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "BUGS",
                "lines": 10,
                "subsections": []
            },
            {
                "name": "CONFIGURATION PARAMETERS",
                "lines": 11,
                "subsections": []
            },
            {
                "name": "COMPATIBILITY CONTROLS",
                "lines": 28,
                "subsections": []
            },
            {
                "name": "TROUBLE SHOOTING CONTROLS",
                "lines": 11,
                "subsections": []
            },
            {
                "name": "BEFORE-POSTSCREEN PROXY AGENT",
                "lines": 9,
                "subsections": []
            },
            {
                "name": "PERMANENT ALLOW/DENYLIST TEST",
                "lines": 10,
                "subsections": []
            },
            {
                "name": "MAIL EXCHANGER POLICY TESTS",
                "lines": 9,
                "subsections": []
            },
            {
                "name": "BEFORE 220 GREETING TESTS",
                "lines": 65,
                "subsections": []
            },
            {
                "name": "AFTER 220 GREETING TESTS",
                "lines": 37,
                "subsections": []
            },
            {
                "name": "CACHE CONTROLS",
                "lines": 36,
                "subsections": []
            },
            {
                "name": "RESOURCE CONTROLS",
                "lines": 29,
                "subsections": []
            },
            {
                "name": "STARTTLS CONTROLS",
                "lines": 8,
                "subsections": []
            },
            {
                "name": "OBSOLETE STARTTLS SUPPORT CONTROLS",
                "lines": 10,
                "subsections": []
            },
            {
                "name": "MISCELLANEOUS CONTROLS",
                "lines": 37,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 6,
                "subsections": []
            },
            {
                "name": "README FILES",
                "lines": 3,
                "subsections": []
            },
            {
                "name": "LICENSE",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "HISTORY",
                "lines": 19,
                "subsections": []
            }
        ]
    }
}