> Postscreen is a single Postfix 2.8 daemon that keeps spambots away
> from Postfix SMTP server processes, so that more Postfix server
> resources remain available for handling mail. It will hopefully
> become part of the next stable Postfix release.
>
> Below is a quote from the release notes about new filter and weight
> support for postscreen DNSBL lookup results. This was released
> earlier as non-production snapshot. It has held up well, and after
> some polishing of documentation and comments, it should be ready.
>
> Next steps are a) support for different expiration times for
> different tests, b) a dummy SMTP engine (similar to the smtp-sink
> test program) to log the client/helo/sender/recipient for blocked
> mail, and c) a simple form of greylisting if time permits.
I have implemented the above except greylisting. After a major code rewrite, the code looks pretty solid, and the user interface looks usable. In fact, managing user interface complexity was almost half the work. The user interface changed less than the code underneath.

Below is the current manpage. After the code has run for 24 hours I'll roll it out as a non-production snapshot. The new content is in the "enforce" actions and in "tests after the 220 SMTP server greeting".

        Wietse

POSTSCREEN(8)                                                  POSTSCREEN(8)

NAME
       postscreen - Postfix SMTP triage server

SYNOPSIS
       postscreen [generic Postfix daemon options]

DESCRIPTION
       The Postfix postscreen(8) server performs triage on multiple inbound SMTP connections in parallel. While postscreen(8) keeps zombies and other bogus clients away from Postfix SMTP server processes, more Postfix SMTP server processes remain available for legitimate clients.

GENERAL OPERATION
       The triage process involves a number of tests, in the order as described below. Some tests introduce a delay of a few seconds. Once a client passes all tests, its IP address is temporarily excluded from any tests, typically for 24 hours. This minimizes the impact of the tests on legitimate mail clients.

       After logging the result of its tests, postscreen(8) by default forwards all connections to a real SMTP server process. This mode is useful for non-destructive testing.

       In a typical production setting, postscreen(8) is configured to disconnect clients that fail one or more tests, after logging the sender and recipient information.

       Note: postscreen(8) is not an SMTP proxy; this is intentional. The purpose is to prioritize legitimate clients with as little overhead as possible.

1. PERMANENT WHITELIST TEST
       The postscreen_whitelist_networks parameter (default: $mynetworks) specifies a permanent whitelist for SMTP client IP addresses.
       When the SMTP client address matches the permanent whitelist, this is logged as:

           WHITELISTED address

       The action is not configurable: immediately forward the connection to a real SMTP server process.

2. PERMANENT BLACKLIST TEST
       The postscreen_blacklist_networks parameter (default: empty) specifies a permanent blacklist for SMTP client IP addresses. The address syntax is as with mynetworks.

       When the SMTP client address matches the permanent blacklist, this is logged as:

           BLACKLISTED address

       The postscreen_blacklist_action parameter specifies the action that is taken next:

       ignore (default)
              Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects.

       enforce
              Allow other tests to complete. Log and reject all RCPT TO commands with a 550 SMTP reply. Repeat this test the next time the client connects.

       drop   Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.

3. TEMPORARY WHITELIST TEST
       The postscreen(8) daemon maintains a temporary whitelist for SMTP client IP addresses that have passed all the tests described below. The postscreen_cache_map parameter specifies the location of the temporary whitelist.

       The temporary whitelist is not used for SMTP client addresses that appear on the permanent blacklist or whitelist.

       When the SMTP client address appears on the temporary whitelist, this is logged as:

           PASS OLD address

       The action is not configurable: immediately forward the connection to a real SMTP server process. The client is excluded from further tests until its temporary whitelist entry expires, as controlled with the postscreen_*_ttl parameters. Expired entries are silently renewed if possible.

4. TESTS BEFORE THE 220 SMTP SERVER GREETING
       The postscreen_greet_wait parameter specifies a time interval before the "220 text..." server greeting, where postscreen(8) can run a number of tests in parallel.

4A. PREGREET TEST
       The postscreen_pregreet_banner parameter specifies the text portion of a "220-text..." teaser banner (default: $smtpd_banner). Note that this becomes the first part of a multi-line server greeting. The postscreen(8) daemon sends this before the postscreen_greet_wait timer is started.

       The purpose of the teaser banner is to confuse spambots so that they speak before their turn. It has no effect on SMTP clients that correctly implement the protocol.

       To avoid problems with broken SMTP engines in network appliances, either exclude them from all tests with the postscreen_whitelist_networks feature or else specify an empty teaser banner with "postscreen_pregreet_banner = ".

       When an SMTP client sends a command before the postscreen_greet_wait time has elapsed, this is logged as:

           PREGREET count after time from address text...

       Translation: the client at address sent count bytes before its turn to speak. This happened time seconds after the postscreen_greet_wait timer was started. The text is what the client sent (truncated to 100 bytes, and with non-printable characters replaced with "?").

       The postscreen_pregreet_action parameter specifies the action that is taken next:

       ignore (default)
              Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects.

       enforce
              Allow other tests to complete. Log and reject all RCPT TO commands with a 550 SMTP reply. Repeat this test the next time the client connects.

       drop   Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.

4B. DNS BLOCKLIST TEST
       The postscreen_dnsbl_sites parameter (default: empty) specifies a list of DNS blocklist servers with optional filters and weight factors. These servers will be queried in parallel with the reverse client IP address.
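The combined DNSBL score of test 4B, worked through in Python. This is an added example and not Postfix code: real DNS lookups (which dnsblog(8) would run in parallel) are replaced by a constructed answer table, and the blocklists are given as (domain, weight) pairs rather than in postscreen_dnsbl_sites syntax; the domain names and weights are hypothetical. It shows how the client address is reversed into the query name, how the weights of the lists that answer are summed, and how the sum is compared with the postscreen_dnsbl_threshold value.

```python
"""Weighted DNSBL scoring as described for the postscreen(8) 4B test.
Added illustration, not Postfix code: DNS is replaced by a lookup table."""
import ipaddress

# Constructed stand-in for DNS answers: a name that is present here "resolves",
# meaning the address is listed by that blocklist.
LISTED = {
    "10.2.0.192.bl-one.example": "127.0.0.2",
    "10.2.0.192.bl-two.example": "127.0.0.3",
    "20.2.0.192.bl-two.example": "127.0.0.4",
}

# Hypothetical blocklists with their weight factors (not real DNSBL domains).
SITES = [("bl-one.example", 2), ("bl-two.example", 1), ("bl-three.example", 3)]


def reverse_query_name(addr, domain):
    """Build the lookup name: the IPv4 octets reversed, then the list domain
    (192.0.2.10 queried at bl-one.example -> 10.2.0.192.bl-one.example).
    IPv6 reversal is nibble-wise and is not covered by this example."""
    ip = ipaddress.IPv4Address(addr)
    return ".".join(reversed(str(ip).split("."))) + "." + domain


def lookup(name):
    """Stand-in for one DNS A lookup; None means NXDOMAIN (not listed)."""
    return LISTED.get(name)


def dnsbl_score(addr, sites):
    """Sum the weights of every blocklist that lists the client address.
    Returns (score, [(domain, answer), ...]) so the hits can be logged."""
    score, hits = 0, []
    for domain, weight in sites:
        answer = lookup(reverse_query_name(addr, domain))
        if answer is not None:
            score += weight
            hits.append((domain, answer))
    return score, hits


def dnsbl_verdict(addr, sites, threshold, action):
    """Apply postscreen_dnsbl_threshold (inclusive lower bound) and return
    (outcome, score, log line); outcome is 'pass' or the configured action."""
    score, hits = dnsbl_score(addr, sites)
    if score < threshold:
        return "pass", score, None
    return action, score, f"DNSBL rank {score} for {addr}"


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(client, dnsbl_verdict(client, SITES, 2, "enforce"))
```

With a threshold of 2, 192.0.2.10 (listed by both weighted lists, score 3) reaches the configured action, 192.0.2.20 (score 1) does not, and 192.0.2.30 is not listed anywhere; a list that a client is not on contributes nothing, however large its weight.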
       When the postscreen_greet_wait time has elapsed, and the combined DNSBL score is equal to or greater than the postscreen_dnsbl_threshold parameter value, this is logged as:

           DNSBL rank count for address

       Translation: the SMTP client at address has a combined DNSBL score of count.

       The postscreen_dnsbl_action parameter specifies the action that is taken when the combined DNSBL score is equal to or greater than the threshold:

       ignore (default)
              Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects.

       enforce
              Allow other tests to complete. Log and reject all RCPT TO commands with a 550 SMTP reply. Repeat this test the next time the client connects.

       drop   Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.

5. TESTS AFTER THE 220 SMTP SERVER GREETING
       The tests in this phase use a dummy SMTP protocol engine that is built into the postscreen(8) server. Important notes:

       o      When these tests are enabled, postscreen(8) does not hand the "live" session to a Postfix SMTP server upon successful completion of all tests. Instead, postscreen(8) logs and defers all RCPT TO commands with a 450 reply and waits for the client to disconnect. The next time the client connects it will be allowed to talk to a real SMTP server process to deliver its mail.

       o      postscreen(8) does not implement the AUTH, STARTTLS, XCLIENT, and XFORWARD features. STARTTLS support may be added in a future version.

       End-user client systems should connect directly to the submission service. Other systems that require the above features should directly connect to a Postfix SMTP server, or they should be placed on the postscreen(8) whitelist.

5A. COMMAND PIPELINING TEST
       SMTP is a half-duplex protocol: the sender and receiver send one command and one response at a time.
       With "postscreen_pipelining_enable = yes", the postscreen(8) daemon detects spambots that send multiple commands, instead of sending one command and waiting for the server to reply. This test is also enabled when some other test fails, to make postscreen(8) logging more informative.

       When a client sends multiple commands, this is logged as:

           COMMAND PIPELINING after time from address

       Translation: the SMTP client at address sent multiple SMTP commands, instead of sending one command and then waiting for the server to reply. This happened time seconds after the "220 " server greeting was sent.

       The postscreen_pipelining_action parameter specifies the action that is taken:

       ignore Ignore the failure of this test. Allow other tests to complete. Do NOT repeat this test the next time the client connects.

       enforce
              Allow other tests to complete. Log and reject all RCPT TO commands with a 550 SMTP reply. Repeat this test the next time the client connects.

       drop   Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.

OTHER ERRORS
       When an SMTP client hangs up unexpectedly during any tests, this is logged as:

           HANGUP after time from address in test name

       Translation: the SMTP client at address disconnected unexpectedly, time seconds after the start of the test named test name.

       Other errors are reported by the built-in SMTP engine. This engine never accepts mail, therefore it has per-session limits on the number of commands and on the session length.

           COMMAND TIME LIMIT time from address

       Translation: the SMTP client at address reached the per-session time limit as specified with the postscreen_command_time_limit parameter. The session is terminated immediately.

           COMMAND COUNT LIMIT from address

       Translation: the SMTP client at address reached the per-session command count limit as specified with the postscreen_command_count_limit parameter. The session is terminated immediately.
           COMMAND LENGTH LIMIT from address

       Translation: the SMTP client at address reached the per-command length limit, as specified with the line_length_limit parameter. The session is terminated immediately.

WHEN ALL TESTS SUCCEED
       When the SMTP client passes all tests, this is logged as:

           PASS NEW address

       The action is to create a temporary whitelist entry that excludes the client IP address from further tests until the temporary whitelist entry expires, as controlled with the postscreen_cache_*_ttl parameters.

       If any tests were handled by postscreen's built-in dummy SMTP protocol engine, postscreen(8) waits for the client to disconnect. The next time the client connects it will be allowed to talk to a real SMTP server process.

SECURITY
       The postscreen(8) server is moderately security-sensitive. It talks to untrusted clients on the network. The process can be run chrooted at fixed low privilege.

STANDARDS
       RFC 5321 (SMTP, including multi-line 220 greetings)
       RFC 2920 (SMTP Pipelining)

DIAGNOSTICS
       Problems and transactions are logged to syslogd(8).

CONFIGURATION PARAMETERS
       Changes to main.cf are not picked up automatically, as postscreen(8) processes may run for several hours. Use the command "postfix reload" after a configuration change.

       The text below provides only a parameter summary. See postconf(5) for more details including examples.

TRIAGE PARAMETERS
       postscreen_blacklist_action (ignore)
              The action that postscreen(8) takes when an SMTP client is permanently blacklisted with the postscreen_blacklist_networks parameter.

       postscreen_blacklist_networks (empty)
              Network addresses that are permanently blacklisted; see the postscreen_blacklist_action parameter for possible actions.

       postscreen_dnsbl_action (ignore)
              The action that postscreen(8) takes when an SMTP client's combined DNSBL score is equal to or greater than a threshold (as defined with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parameters).
       postscreen_dnsbl_sites (empty)
              Optional list of DNS blocklist domains, filters and weight factors.

       postscreen_dnsbl_threshold (1)
              The inclusive lower bound for blocking an SMTP client, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.

       postscreen_greet_wait (6s)
              The amount of time that postscreen(8) will wait for an SMTP client to send a command before its turn, and for DNS blocklist lookup results to arrive.

       postscreen_pipelining_action (ignore)
              The action that postscreen(8) takes when an SMTP client sends multiple commands instead of sending one command and waiting for the server to respond.

       postscreen_pipelining_enable (no)
              Enable "pipelining" tests in the postscreen(8) server.

       postscreen_pregreet_action (ignore)
              The action that postscreen(8) takes when an SMTP client speaks before its turn within the time specified with the postscreen_greet_wait parameter.

       postscreen_pregreet_banner ($smtpd_banner)
              The text in the optional "220-text..." server response that postscreen(8) sends ahead of the real Postfix SMTP server's "220 text..." response, in an attempt to confuse bad SMTP clients so that they speak before their turn (pre-greet).

       postscreen_whitelist_networks ($mynetworks)
              Network addresses that are permanently whitelisted, and that will not be subjected to postscreen(8) checks.

       smtpd_service (smtpd)
              The internal service that postscreen(8) forwards allowed connections to.

CACHE CONTROLS
       postscreen_cache_cleanup_interval (12h)
              The amount of time between postscreen(8) cache cleanup runs.

       postscreen_cache_map (btree:$data_directory/ps_cache)
              Persistent storage for the postscreen(8) server decisions.

       postscreen_cache_retention_time (1d)
              The amount of time that postscreen(8) will cache an expired temporary whitelist entry before it is removed.

       postscreen_dnsbl_ttl (1d)
              The amount of time that postscreen(8) will cache results from a successful DNS blocklist test.
       postscreen_pipelining_ttl (30d)
              The amount of time that postscreen(8) will cache results from a successful "pipelining" SMTP protocol test.

       postscreen_pregreet_ttl (1d)
              The amount of time that postscreen(8) will cache results from a successful PREGREET test.

RESOURCE LIMITS
       line_length_limit (2048)
              Upon input, long lines are chopped up into pieces of at most this length; upon delivery, long lines are reconstructed.

       postscreen_command_count_limit (20)
              The limit on the total number of commands per SMTP session for postscreen(8)'s built-in SMTP protocol engine.

       postscreen_command_time_limit (100s)
              The over-all time limit per SMTP session for postscreen(8)'s built-in SMTP protocol engine.

       postscreen_post_queue_limit ($default_process_limit)
              The number of clients that can be waiting for service from a real SMTP server process.

       postscreen_pre_queue_limit ($default_process_limit)
              The number of non-whitelisted clients that can be waiting for a decision whether they will receive service from a real SMTP server process.

MISCELLANEOUS CONTROLS
       config_directory (see 'postconf -d' output)
              The default location of the Postfix main.cf and master.cf configuration files.

       daemon_timeout (18000s)
              How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer.

       delay_logging_resolution_limit (2)
              The maximal number of digits after the decimal point when logging sub-second delay values.

       command_directory (see 'postconf -d' output)
              The location of all postfix administrative commands.

       ipc_timeout (3600s)
              The time limit for sending or receiving information over an internal communication channel.

       max_idle (100s)
              The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily.

       process_id (read-only)
              The process ID of a Postfix command or daemon process.

       process_name (read-only)
              The process name of a Postfix command or daemon process.
       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (see 'postconf -d' output)
              The mail system name that is prepended to the process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd".

SEE ALSO
       smtpd(8), Postfix SMTP server
       dnsblog(8), temporary DNS helper
       syslogd(8), system logging

LICENSE
       The Secure Mailer license must be distributed with this software.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

                                                                  POSTSCREEN(8)
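The triage order that the manpage lays out, from the permanent whitelist test through WHEN ALL TESTS SUCCEED, as an added Python model. This is illustration code, not Postfix code: what a real postscreen(8) measures on the wire (a pre-greet, the combined DNSBL score, command pipelining) is supplied as constructed input, the log lines are abbreviated to the fields the model knows (no count/time values), the per-test TTLs are fixed numbers standing in for postscreen_pregreet_ttl, postscreen_dnsbl_ttl and postscreen_pipelining_ttl, and every failed test is simply repeated on the next connection (the manpage's "do NOT repeat" wording for an ignored pipelining failure is not modelled). The network ranges and addresses are hypothetical. The point it makes visible is how the "enforce" actions, the dummy engine's 450 deferral and the temporary whitelist interact across successive connections from the same address.

```python
"""Model of the postscreen(8) triage order described in the manpage.
Added illustration, not Postfix code: observations are constructed inputs."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Observed:
    """Constructed per-connection observations (hypothetical, not measured)."""
    pregreet: bool = False      # client spoke before the 220 greeting (test 4A)
    dnsbl_score: int = 0        # combined weighted DNSBL score (test 4B)
    pipelining: bool = False    # several commands sent without waiting (test 5A)


@dataclass
class Config:
    """The main.cf parameters this model uses; the values are hypothetical."""
    whitelist_networks: list = field(default_factory=list)  # postscreen_whitelist_networks
    blacklist_networks: list = field(default_factory=list)  # postscreen_blacklist_networks
    blacklist_action: str = "ignore"     # postscreen_blacklist_action
    pregreet_action: str = "ignore"      # postscreen_pregreet_action
    dnsbl_action: str = "ignore"         # postscreen_dnsbl_action
    dnsbl_threshold: int = 1             # postscreen_dnsbl_threshold
    pipelining_enable: bool = False      # postscreen_pipelining_enable
    pipelining_action: str = "ignore"    # postscreen_pipelining_action
    # stand-ins for postscreen_pregreet_ttl (1d), _dnsbl_ttl (1d), _pipelining_ttl (30d)
    ttl: dict = field(default_factory=lambda: {"pregreet": 86400, "dnsbl": 86400,
                                               "pipelining": 30 * 86400})


def in_networks(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


class Postscreen:
    def __init__(self, cfg):
        self.cfg = cfg
        self.cache = {}   # temporary whitelist: address -> {test name: expiry time}

    def triage(self, addr, now, obs):
        """Return (verdict, log lines). Verdicts: 'forward' = live session handed
        to a real SMTP server; '450' = tests ran in the dummy engine, RCPT TO
        deferred, client retries later; '550' = RCPT TO rejected (enforce);
        '521' = connection dropped at once."""
        cfg, log = self.cfg, []
        if in_networks(addr, cfg.whitelist_networks):                    # test 1
            log.append(f"WHITELISTED {addr}")
            return "forward", log
        blacklisted = in_networks(addr, cfg.blacklist_networks)          # test 2
        if blacklisted:
            log.append(f"BLACKLISTED {addr}")
            if cfg.blacklist_action == "drop":
                return "521", log
        tests = ["pregreet", "dnsbl"] + (["pipelining"] if cfg.pipelining_enable else [])
        # test 3: the temporary whitelist is not consulted for blacklisted clients
        entry = {} if blacklisted else self.cache.get(addr, {})
        if not blacklisted and all(entry.get(t, 0) > now for t in tests):
            log.append(f"PASS OLD {addr}")
            return "forward", log
        enforce = blacklisted and cfg.blacklist_action == "enforce"
        failed = set()
        # tests 4A and 4B run before the greeting: 'drop' ends the session now,
        # 'enforce' is remembered for the RCPT TO stage, 'ignore' only logs.
        before_220 = [
            ("pregreet", obs.pregreet, cfg.pregreet_action, f"PREGREET from {addr}"),
            ("dnsbl", obs.dnsbl_score >= cfg.dnsbl_threshold, cfg.dnsbl_action,
             f"DNSBL rank {obs.dnsbl_score} for {addr}"),
        ]
        for name, failed_now, action, line in before_220:
            if failed_now:
                failed.add(name)
                log.append(line)
                if action == "drop":
                    return "521", log
                enforce = enforce or action == "enforce"
        # test 5A runs inside the dummy engine, which is used when pipelining
        # tests are enabled or when some other test already failed.
        use_engine = cfg.pipelining_enable or bool(failed) or enforce
        if use_engine and obs.pipelining:
            failed.add("pipelining")
            log.append(f"COMMAND PIPELINING from {addr}")
            if cfg.pipelining_action == "drop":
                return "521", log
            enforce = enforce or cfg.pipelining_action == "enforce"
        # Renew the entry of every test that passed; a failed test keeps its old
        # (expired) entry, so it is repeated the next time the client connects.
        if not blacklisted:
            for t in tests:
                if t not in failed:
                    entry[t] = now + cfg.ttl[t]
            self.cache[addr] = entry
        if enforce:
            return "550", log
        if not failed and not blacklisted:
            log.append(f"PASS NEW {addr}")
        return ("450" if use_engine else "forward"), log
```

Running the same address through `triage()` twice shows the cache at work: the first connection is tested and logged as PASS NEW (and deferred with 450 when the dummy engine was used), the second within the TTL is logged as PASS OLD and forwarded untested. A pre-greeting client under `pregreet_action = "enforce"` gets its other tests completed and then a 550 at RCPT TO, and its pregreet entry is never renewed, so it is tested again next time.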