author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 19:59:03 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 19:59:03 +0000 |
commit | a848231ae0f346dc7cc000973fbeb65b0894ee92 (patch) | |
tree | 44b60b367c86723cc78383ef247885d72b388afe /html/postscreen.8.html | |
parent | Initial commit. (diff) | |
download | postfix-a848231ae0f346dc7cc000973fbeb65b0894ee92.tar.xz postfix-a848231ae0f346dc7cc000973fbeb65b0894ee92.zip |
Adding upstream version 3.8.5.
upstream/3.8.5
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | html/postscreen.8.html | 468 |
1 files changed, 468 insertions, 0 deletions
diff --git a/html/postscreen.8.html b/html/postscreen.8.html new file mode 100644 index 0000000..3511a9c --- /dev/null +++ b/html/postscreen.8.html 
@@ -0,0 +1,468 @@ +<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" + "http://www.w3.org/TR/html4/loose.dtd"> +<html> <head> +<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> +<link rel='stylesheet' type='text/css' href='postfix-doc.css'> +<title> Postfix manual - postscreen(8) </title> +</head> <body> <pre> +POSTSCREEN(8) POSTSCREEN(8) + +<b>NAME</b> + postscreen - Postfix zombie blocker + +<b>SYNOPSIS</b> + <b>postscreen</b> [generic Postfix daemon options] + +<b>DESCRIPTION</b> + The Postfix <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server provides additional protection against + mail server overload. One <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process handles multiple + inbound SMTP connections, and decides which clients may talk to a Post- + fix SMTP server process. By keeping spambots away, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> + leaves more SMTP server processes available for legitimate clients, and + delays the onset of server overload conditions. + + This program should not be used on SMTP ports that receive mail from + end-user clients (MUAs). In a typical deployment, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> handles + the MX service on TCP port 25, and <a href="smtpd.8.html"><b>smtpd</b>(8)</a> receives mail from MUAs on + the <b>submission</b> service (TCP port 587) which requires client authentica- + tion. Alternatively, a site could set up a dedicated, non-postscreen, + "port 25" server that provides <b>submission</b> service and client authenti- + cation, but no MX service. + + <a href="postscreen.8.html"><b>postscreen</b>(8)</a> maintains a temporary allowlist for clients that have + passed a number of tests. When an SMTP client IP address is + allowlisted, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off the connection immediately to a + Postfix SMTP server process. This minimizes the overhead for legitimate + mail. 
+ + By default, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs statistics and hands off each connection + to a Postfix SMTP server process, while excluding clients in <a href="postconf.5.html#mynetworks">mynetworks</a> + from all tests (primarily, to avoid problems with non-standard SMTP + implementations in network appliances). This default mode blocks no + clients, and is useful for non-destructive testing. + + In a typical production setting, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to reject + mail from clients that fail one or more tests. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs + rejected mail with the client address, helo, sender and recipient + information. + + <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is not an SMTP proxy; this is intentional. The purpose + is to keep spambots away from Postfix SMTP server processes, while min- + imizing overhead for legitimate traffic. + +<b>SECURITY</b> + The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server is moderately security-sensitive. It talks to + untrusted clients on the network. The process can be run chrooted at + fixed low privilege. 
+ +<b>STANDARDS</b> + <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol) + <a href="https://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements) + <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport) + <a href="https://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions) + <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration) + <a href="https://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command) + <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes) + <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol) + Not: <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining) + <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME) + <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command) + <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension) + <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes) + <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol, including multi-line 220 banners) + +<b>DIAGNOSTICS</b> + Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>. + +<b>BUGS</b> + The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine currently does not + announce support for AUTH, XCLIENT or XFORWARD. If you need to make + these services available on port 25, then do not enable the optional + "after 220 server greeting" tests. + + The optional "after 220 server greeting" tests may result in unexpected + delivery delays from senders that retry email delivery from a different + IP address. Reason: after passing these tests a new client must dis- + connect, and reconnect from the same IP address before it can deliver + mail. 
See <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, section "Tests after the 220 SMTP server + greeting", for a discussion. + +<b>CONFIGURATION PARAMETERS</b> + Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as <a href="postscreen.8.html"><b>postscreen</b>(8)</a> + processes may run for several hours. Use the command "postfix reload" + after a configuration change. + + The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for + more details including examples. + + NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress-dependent behav- + ior. This is supported only when the default parameter value is + stress-dependent (that is, it looks like ${stress?{X}:{Y}}, or it is + the $<i>name</i> of an smtpd parameter with a stress-dependent default). + Other parameters always evaluate as if the <b>stress</b> parameter value is + the empty string. + +<b>COMPATIBILITY CONTROLS</b> + <b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b> + A mechanism to transform commands from remote SMTP clients. + + <b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_key</a>-</b> + <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">word_address_maps</a>)</b> + Lookup tables, indexed by the remote SMTP client address, with + case insensitive lists of EHLO keywords (pipelining, starttls, + auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the + EHLO response to a remote SMTP client. 
+ + <b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>)</b> + A case insensitive list of EHLO keywords (pipelining, starttls, + auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the + EHLO response to a remote SMTP client. + + Available in Postfix version 3.1 and later: + + <b><a href="postconf.5.html#dns_ncache_ttl_fix_enable">dns_ncache_ttl_fix_enable</a> (no)</b> + Enable a workaround for future libc incompatibility. + + Available in Postfix version 3.4 and later: + + <b><a href="postconf.5.html#postscreen_reject_footer_maps">postscreen_reject_footer_maps</a> ($<a href="postconf.5.html#smtpd_reject_footer_maps">smtpd_reject_footer_maps</a>)</b> + Optional lookup table for information that is appended after a + 4XX or 5XX <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response. + + Available in Postfix 3.6 and later: + + <b><a href="postconf.5.html#respectful_logging">respectful_logging</a> (see 'postconf -d' output)</b> + Avoid logging that implies white is better than black. + +<b>TROUBLE SHOOTING CONTROLS</b> + <b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b> + List of characters that are permitted in + <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions. + + <b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b> + Optional information that is appended after a 4XX or 5XX + <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response. + + <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b> + Safety net to keep mail queued that would otherwise be returned + to the sender. 
+ +<b>BEFORE-POSTSCREEN PROXY AGENT</b> + Available in Postfix version 2.10 and later: + + <b><a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> (empty)</b> + The name of the proxy protocol used by an optional + before-postscreen proxy agent. + + <b><a href="postconf.5.html#postscreen_upstream_proxy_timeout">postscreen_upstream_proxy_timeout</a> (5s)</b> + The time limit for the proxy protocol specified with the + <a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> parameter. + +<b>PERMANENT ALLOW/DENYLIST TEST</b> + This test is executed immediately after a remote SMTP client connects. + If a client is permanently allowlisted, the client will be handed off + immediately to a Postfix SMTP server process. + + <b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b> + Permanent allow/denylist for remote SMTP client IP addresses. + + <b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b> + Renamed to <a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> in Postfix 3.6. + +<b>MAIL EXCHANGER POLICY TESTS</b> + When <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to monitor all primary and backup MX + addresses, it can refuse to allowlist clients that connect to a backup + MX address only. For small sites, this requires configuring primary and + backup MX addresses on the same MTA. Larger sites would have to share + the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache between primary and backup MTAs, which would + introduce a common point of failure. 
+ + <b><a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b> + A list of local <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server IP addresses where a + non-allowlisted remote SMTP client can obtain <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s + temporary allowlist status. + +<b>BEFORE 220 GREETING TESTS</b> + These tests are executed before the remote SMTP client receives the + "220 servername" greeting. If no tests remain after the successful com- + pletion of this phase, the client will be handed off immediately to a + Postfix SMTP server process. + + <b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b> + The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>. + + <b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b> + The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client's + combined DNSBL score is equal to or greater than a threshold (as + defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and + <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> parameters). + + <b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b> + A mapping from an actual DNSBL domain name which includes a + secret password, to the DNSBL domain name that postscreen will + reply with when it rejects mail. + + <b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b> + Optional list of patterns with DNS allow/denylist domains, fil- + ters and weight factors. 
+ + <b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b> + The inclusive lower bound for blocking a remote SMTP client, + based on its combined DNSBL score as defined with the + <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter. + + <b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b> + The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client + speaks before its turn within the time specified with the + <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter. + + <b><a href="postconf.5.html#postscreen_greet_banner">postscreen_greet_banner</a> ($<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>)</b> + The <i>text</i> in the optional "220-<i>text</i>..." server response that + <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real Postfix SMTP server's "220 + text..." response, in an attempt to confuse bad SMTP clients so + that they speak before their turn (pre-greet). + + <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (normal: 6s, overload: 2s)</b> + The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for an SMTP + client to send a command before its turn, and for DNS blocklist + lookup results to arrive (default: up to 2 seconds under stress, + up to 6 seconds otherwise). + + <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b> + The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off allowed con- + nections to. + + Available in Postfix version 2.11 and later: + + <b><a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">postscreen_dnsbl_whitelist_threshold</a> (0)</b> + Renamed to <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> in Postfix 3.6. 
+ + Available in Postfix version 3.0 and later: + + <b><a href="postconf.5.html#postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a> (10s)</b> + The time limit for DNSBL or DNSWL lookups. + + Available in Postfix version 3.6 and later: + + <b><a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> (ignore)</b> + The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client is + permanently denylisted with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parame- + ter. + + <b><a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b> + A list of local <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server IP addresses where a + non-allowlisted remote SMTP client can obtain <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s + temporary allowlist status. + + <b><a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> (0)</b> + Allow a remote SMTP client to skip "before" and "after 220 + greeting" protocol tests, based on its combined DNSBL score as + defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter. + +<b>AFTER 220 GREETING TESTS</b> + These tests are executed after the remote SMTP client receives the "220 + servername" greeting. If a client passes all tests during this phase, + it will receive a 4XX response to all RCPT TO commands. After the + client reconnects, it will be allowed to talk directly to a Postfix + SMTP server process. + + <b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b> + The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client + sends a bare newline character, that is, a newline not preceded + by carriage return. 
+ + <b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b> + Enable "bare newline" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> + server. + + <b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b> + Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon. + + <b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b> + List of commands that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server considers in vio- + lation of the SMTP protocol. + + <b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b> + Require that a remote SMTP client sends HELO or EHLO before com- + mencing a MAIL transaction. + + <b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b> + The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client + sends non-SMTP commands as specified with the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbid</a>- + <a href="postconf.5.html#postscreen_forbidden_commands">den_commands</a> parameter. + + <b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b> + Enable "non-SMTP command" tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server. 
+ + <b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b> + The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client + sends multiple commands instead of sending one command and wait- + ing for the server to respond. + + <b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b> + Enable "pipelining" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> + server. + +<b>CACHE CONTROLS</b> + <b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b> + The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache cleanup runs. + + <b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (<a href="DATABASE_README.html#types">btree</a>:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache)</b> + Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server decisions. + + <b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b> + The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an expired tem- + porary allowlist entry before it is removed. + + <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b> + The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a + successful "bare newline" SMTP protocol test. 
+ + <b><a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a></b> + <b>(${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b> + The maximum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the + result from a successful DNS-based reputation test before a + client IP address is required to pass that test again. + + <b><a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a> (60s)</b> + The minimum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the + result from a successful DNS-based reputation test before a + client IP address is required to pass that test again. + + <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b> + The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a + successful PREGREET test. + + <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b> + The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a + successful "non_smtp_command" SMTP protocol test. + + <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b> + The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a + successful "pipelining" SMTP protocol test. + +<b>RESOURCE CONTROLS</b> + <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b> + Upon input, long lines are chopped up into pieces of at most + this length; upon delivery, long lines are reconstructed. 
+ + <b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a> ($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connec</a>-</b> + <b><a href="postconf.5.html#smtpd_client_connection_count_limit">tion_count_limit</a>)</b> + How many simultaneous connections any remote SMTP client is + allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon. + + <b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b> + The limit on the total number of commands per SMTP session for + <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. + + <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (normal: 300s, overload: 10s)</b> + The time limit to read an entire command line with + <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. + + <b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b> + The number of clients that can be waiting for service from a + real Postfix SMTP server process. + + <b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b> + The number of non-allowlisted clients that can be waiting for a + decision whether they will receive service from a real Postfix + SMTP server process. + + <b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b> + How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to respond to a + remote SMTP client command or to perform a cache operation + before it is terminated by a built-in watchdog timer. 
+ +<b>STARTTLS CONTROLS</b> + <b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b> + The SMTP TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server; when a + non-empty value is specified, this overrides the obsolete param- + eters <a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>. + + <b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b> + The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>. + +<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b> + These parameters are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy + parameters. + + <b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b> + Opportunistic TLS: announce STARTTLS support to remote SMTP + clients, but do not require that clients use TLS encryption. + + <b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b> + Mandatory TLS: announce STARTTLS support to remote SMTP clients, + and require that clients use TLS encryption. + +<b>MISCELLANEOUS CONTROLS</b> + <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> + The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- + figuration files. + + <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> + The maximal number of digits after the decimal point when log- + ging sub-second delay values. 
+ + <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b> + The location of all postfix administrative commands. + + <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> + The maximum amount of time that an idle Postfix daemon process + waits for an incoming connection before terminating voluntarily. + + <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> + The process ID of a Postfix command or daemon process. + + <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b> + The process name of a Postfix command or daemon process. + + <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> + The syslog facility of Postfix logging. + + <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> + A prefix that is prepended to the process name in syslog + records, so that, for example, "smtpd" becomes "prefix/smtpd". + + Available in Postfix 3.3 and later: + + <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b> + The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process. + + Available in Postfix 3.5 and later: + + <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b> + The email address form that will be used in non-debug logging + (info, warning, etc.). + +<b>SEE ALSO</b> + <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server + <a href="tlsproxy.8.html">tlsproxy(8)</a>, Postfix TLS proxy server + <a href="dnsblog.8.html">dnsblog(8)</a>, DNS allow/denylist logger + <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging + syslogd(8), system logging + +<b>README FILES</b> + <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto + +<b>LICENSE</b> + The Secure Mailer license must be distributed with this software. + +<b>HISTORY</b> + This service was introduced with Postfix version 2.8. 
+ + Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work by Michael + Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control. + +<b>AUTHOR(S)</b> + Wietse Venema + IBM T.J. Watson Research + P.O. Box 704 + Yorktown Heights, NY 10598, USA + + Wietse Venema + Google, Inc. + 111 8th Avenue + New York, NY 10011, USA + + POSTSCREEN(8) +</pre> </body> </html> |
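Review bot: postscreen_allowlist_interfaces is documented twice with identical text, first under MAIL EXCHANGER POLICY TESTS and again under "Available in Postfix version 3.6 and later" in BEFORE 220 GREETING TESTS. Keep the full entry in one section and put a one-line cross-reference in the other, so the two copies cannot drift apart in a later revision. Because the commit adds the file as an import of upstream version 3.8.5, the change is better raised upstream than made in this file. A smaller point in the same sections: postscreen_blacklist_action and postscreen_dnsbl_whitelist_threshold carry only "Renamed to ... in Postfix 3.6" and sit among the current parameters; grouping renamed parameters under one heading would make them easier to find for an operator checking an older main.cf against this page.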