summaryrefslogtreecommitdiffstats
path: root/html/postscreen.8.html
diff options
context:
space:
mode:
Diffstat (limited to 'html/postscreen.8.html')
-rw-r--r--html/postscreen.8.html468
1 files changed, 468 insertions, 0 deletions
diff --git a/html/postscreen.8.html b/html/postscreen.8.html
new file mode 100644
index 0000000..3511a9c
--- /dev/null
+++ b/html/postscreen.8.html
@@ -0,0 +1,468 @@
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html> <head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
+<title> Postfix manual - postscreen(8) </title>
+</head> <body> <pre>
+POSTSCREEN(8) POSTSCREEN(8)
+
+<b>NAME</b>
+ postscreen - Postfix zombie blocker
+
+<b>SYNOPSIS</b>
+ <b>postscreen</b> [generic Postfix daemon options]
+
+<b>DESCRIPTION</b>
+ The Postfix <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server provides additional protection against
+ mail server overload. One <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process handles multiple
+ inbound SMTP connections, and decides which clients may talk to a Post-
+ fix SMTP server process. By keeping spambots away, <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
+ leaves more SMTP server processes available for legitimate clients, and
+ delays the onset of server overload conditions.
+
+ This program should not be used on SMTP ports that receive mail from
+ end-user clients (MUAs). In a typical deployment, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> handles
+ the MX service on TCP port 25, and <a href="smtpd.8.html"><b>smtpd</b>(8)</a> receives mail from MUAs on
+ the <b>submission</b> service (TCP port 587) which requires client authentica-
+ tion. Alternatively, a site could set up a dedicated, non-postscreen,
+ "port 25" server that provides <b>submission</b> service and client authenti-
+ cation, but no MX service.
+
+ <a href="postscreen.8.html"><b>postscreen</b>(8)</a> maintains a temporary allowlist for clients that have
+ passed a number of tests. When an SMTP client IP address is
+ allowlisted, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off the connection immediately to a
+ Postfix SMTP server process. This minimizes the overhead for legitimate
+ mail.
+
+ By default, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs statistics and hands off each connection
+ to a Postfix SMTP server process, while excluding clients in <a href="postconf.5.html#mynetworks">mynetworks</a>
+ from all tests (primarily, to avoid problems with non-standard SMTP
+ implementations in network appliances). This default mode blocks no
+ clients, and is useful for non-destructive testing.
+
+ In a typical production setting, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to reject
+ mail from clients that fail one or more tests. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs
+ rejected mail with the client address, helo, sender and recipient
+ information.
+
+ <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is not an SMTP proxy; this is intentional. The purpose
+ is to keep spambots away from Postfix SMTP server processes, while min-
+ imizing overhead for legitimate traffic.
+
+<b>SECURITY</b>
+ The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server is moderately security-sensitive. It talks to
+ untrusted clients on the network. The process can be run chrooted at
+ fixed low privilege.
+
+<b>STANDARDS</b>
+ <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
+ <a href="https://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
+ <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
+ <a href="https://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
+ <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
+ <a href="https://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
+ <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
+ <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
+ Not: <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
+ <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
+ <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
+ <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
+ <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
+ <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol, including multi-line 220 banners)
+
+<b>DIAGNOSTICS</b>
+ Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
+
+<b>BUGS</b>
+ The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine currently does not
+ announce support for AUTH, XCLIENT or XFORWARD. If you need to make
+ these services available on port 25, then do not enable the optional
+ "after 220 server greeting" tests.
+
+ The optional "after 220 server greeting" tests may result in unexpected
+ delivery delays from senders that retry email delivery from a different
+ IP address. Reason: after passing these tests a new client must dis-
+ connect, and reconnect from the same IP address before it can deliver
+ mail. See <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, section "Tests after the 220 SMTP server
+ greeting", for a discussion.
+
+<b>CONFIGURATION PARAMETERS</b>
+ Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
+ processes may run for several hours. Use the command "postfix reload"
+ after a configuration change.
+
+ The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
+ more details including examples.
+
+ NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress-dependent behav-
+ ior. This is supported only when the default parameter value is
+ stress-dependent (that is, it looks like ${stress?{X}:{Y}}, or it is
+ the $<i>name</i> of an smtpd parameter with a stress-dependent default).
+ Other parameters always evaluate as if the <b>stress</b> parameter value is
+ the empty string.
+
+<b>COMPATIBILITY CONTROLS</b>
+ <b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b>
+ A mechanism to transform commands from remote SMTP clients.
+
+ <b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_key</a>-</b>
+ <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">word_address_maps</a>)</b>
+ Lookup tables, indexed by the remote SMTP client address, with
+ case insensitive lists of EHLO keywords (pipelining, starttls,
+ auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
+ EHLO response to a remote SMTP client.
+
+ <b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>)</b>
+ A case insensitive list of EHLO keywords (pipelining, starttls,
+ auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
+ EHLO response to a remote SMTP client.
+
+ Available in Postfix version 3.1 and later:
+
+ <b><a href="postconf.5.html#dns_ncache_ttl_fix_enable">dns_ncache_ttl_fix_enable</a> (no)</b>
+ Enable a workaround for future libc incompatibility.
+
+ Available in Postfix version 3.4 and later:
+
+ <b><a href="postconf.5.html#postscreen_reject_footer_maps">postscreen_reject_footer_maps</a> ($<a href="postconf.5.html#smtpd_reject_footer_maps">smtpd_reject_footer_maps</a>)</b>
+ Optional lookup table for information that is appended after a
+ 4XX or 5XX <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response.
+
+ Available in Postfix 3.6 and later:
+
+ <b><a href="postconf.5.html#respectful_logging">respectful_logging</a> (see 'postconf -d' output)</b>
+ Avoid logging that implies white is better than black.
+
+<b>TROUBLE SHOOTING CONTROLS</b>
+ <b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b>
+ List of characters that are permitted in
+ <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions.
+
+ <b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b>
+ Optional information that is appended after a 4XX or 5XX
+ <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response.
+
+ <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
+ Safety net to keep mail queued that would otherwise be returned
+ to the sender.
+
+<b>BEFORE-POSTSCREEN PROXY AGENT</b>
+ Available in Postfix version 2.10 and later:
+
+ <b><a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> (empty)</b>
+ The name of the proxy protocol used by an optional
+ before-postscreen proxy agent.
+
+ <b><a href="postconf.5.html#postscreen_upstream_proxy_timeout">postscreen_upstream_proxy_timeout</a> (5s)</b>
+ The time limit for the proxy protocol specified with the
+ <a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> parameter.
+
+<b>PERMANENT ALLOW/DENYLIST TEST</b>
+ This test is executed immediately after a remote SMTP client connects.
+ If a client is permanently allowlisted, the client will be handed off
+ immediately to a Postfix SMTP server process.
+
+ <b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b>
+ Permanent allow/denylist for remote SMTP client IP addresses.
+
+ <b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
+ Renamed to <a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> in Postfix 3.6.
+
+<b>MAIL EXCHANGER POLICY TESTS</b>
+ When <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to monitor all primary and backup MX
+ addresses, it can refuse to allowlist clients that connect to a backup
+ MX address only. For small sites, this requires configuring primary and
+ backup MX addresses on the same MTA. Larger sites would have to share
+ the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache between primary and backup MTAs, which would
+ introduce a common point of failure.
+
+ <b><a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b>
+ A list of local <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server IP addresses where a
+ non-allowlisted remote SMTP client can obtain <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
+ temporary allowlist status.
+
+<b>BEFORE 220 GREETING TESTS</b>
+ These tests are executed before the remote SMTP client receives the
+ "220 servername" greeting. If no tests remain after the successful com-
+ pletion of this phase, the client will be handed off immediately to a
+ Postfix SMTP server process.
+
+ <b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b>
+ The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
+
+ <b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client's
+ combined DNSBL score is equal to or greater than a threshold (as
+ defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and
+ <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> parameters).
+
+ <b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
+ A mapping from an actual DNSBL domain name which includes a
+ secret password, to the DNSBL domain name that postscreen will
+ reply with when it rejects mail.
+
+ <b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
+ Optional list of patterns with DNS allow/denylist domains, fil-
+ ters and weight factors.
+
+ <b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
+ The inclusive lower bound for blocking a remote SMTP client,
+ based on its combined DNSBL score as defined with the
+ <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
+
+ <b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
+ speaks before its turn within the time specified with the
+ <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.
+
+ <b><a href="postconf.5.html#postscreen_greet_banner">postscreen_greet_banner</a> ($<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>)</b>
+ The <i>text</i> in the optional "220-<i>text</i>..." server response that
+ <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real Postfix SMTP server's "220
+ text..." response, in an attempt to confuse bad SMTP clients so
+ that they speak before their turn (pre-greet).
+
+ <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (normal: 6s, overload: 2s)</b>
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for an SMTP
+ client to send a command before its turn, and for DNS blocklist
+ lookup results to arrive (default: up to 2 seconds under stress,
+ up to 6 seconds otherwise).
+
+ <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
+ The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off allowed con-
+ nections to.
+
+ Available in Postfix version 2.11 and later:
+
+ <b><a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">postscreen_dnsbl_whitelist_threshold</a> (0)</b>
+ Renamed to <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> in Postfix 3.6.
+
+ Available in Postfix version 3.0 and later:
+
+ <b><a href="postconf.5.html#postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a> (10s)</b>
+ The time limit for DNSBL or DNSWL lookups.
+
+ Available in Postfix version 3.6 and later:
+
+ <b><a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> (ignore)</b>
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client is
+ permanently denylisted with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parame-
+ ter.
+
+ <b><a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b>
+ A list of local <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server IP addresses where a
+ non-allowlisted remote SMTP client can obtain <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
+ temporary allowlist status.
+
+ <b><a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> (0)</b>
+ Allow a remote SMTP client to skip "before" and "after 220
+ greeting" protocol tests, based on its combined DNSBL score as
+ defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
+
+<b>AFTER 220 GREETING TESTS</b>
+ These tests are executed after the remote SMTP client receives the "220
+ servername" greeting. If a client passes all tests during this phase,
+ it will receive a 4XX response to all RCPT TO commands. After the
+ client reconnects, it will be allowed to talk directly to a Postfix
+ SMTP server process.
+
+ <b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
+ sends a bare newline character, that is, a newline not preceded
+ by carriage return.
+
+ <b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
+ Enable "bare newline" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
+ server.
+
+ <b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
+ Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
+
+ <b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
+ List of commands that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server considers in vio-
+ lation of the SMTP protocol.
+
+ <b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b>
+ Require that a remote SMTP client sends HELO or EHLO before com-
+ mencing a MAIL transaction.
+
+ <b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
+ sends non-SMTP commands as specified with the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbid</a>-
+ <a href="postconf.5.html#postscreen_forbidden_commands">den_commands</a> parameter.
+
+ <b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b>
+ Enable "non-SMTP command" tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
+
+ <b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
+ sends multiple commands instead of sending one command and wait-
+ ing for the server to respond.
+
+ <b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
+ Enable "pipelining" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
+ server.
+
+<b>CACHE CONTROLS</b>
+ <b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
+ The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache cleanup runs.
+
+ <b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (<a href="DATABASE_README.html#types">btree</a>:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache)</b>
+ Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server decisions.
+
+ <b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an expired tem-
+ porary allowlist entry before it is removed.
+
+ <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
+ successful "bare newline" SMTP protocol test.
+
+ <b><a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a></b>
+ <b>(${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b>
+ The maximum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+ result from a successful DNS-based reputation test before a
+ client IP address is required to pass that test again.
+
+ <b><a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a> (60s)</b>
+ The minimum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+ result from a successful DNS-based reputation test before a
+ client IP address is required to pass that test again.
+
+ <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
+ successful PREGREET test.
+
+ <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
+ successful "non_smtp_command" SMTP protocol test.
+
+ <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
+ successful "pipelining" SMTP protocol test.
+
+<b>RESOURCE CONTROLS</b>
+ <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
+ Upon input, long lines are chopped up into pieces of at most
+ this length; upon delivery, long lines are reconstructed.
+
+ <b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a> ($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connec</a>-</b>
+ <b><a href="postconf.5.html#smtpd_client_connection_count_limit">tion_count_limit</a>)</b>
+ How many simultaneous connections any remote SMTP client is
+ allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
+
+ <b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
+ The limit on the total number of commands per SMTP session for
+ <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
+
+ <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (normal: 300s, overload: 10s)</b>
+ The time limit to read an entire command line with
+ <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
+
+ <b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
+ The number of clients that can be waiting for service from a
+ real Postfix SMTP server process.
+
+ <b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
+ The number of non-allowlisted clients that can be waiting for a
+ decision whether they will receive service from a real Postfix
+ SMTP server process.
+
+ <b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
+ How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to respond to a
+ remote SMTP client command or to perform a cache operation
+ before it is terminated by a built-in watchdog timer.
+
+<b>STARTTLS CONTROLS</b>
+ <b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
+ The SMTP TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server; when a
+ non-empty value is specified, this overrides the obsolete param-
+ eters <a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>.
+
+ <b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b>
+ The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
+
+<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
+ These parameters are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy
+ parameters.
+
+ <b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
+ Opportunistic TLS: announce STARTTLS support to remote SMTP
+ clients, but do not require that clients use TLS encryption.
+
+ <b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
+ Mandatory TLS: announce STARTTLS support to remote SMTP clients,
+ and require that clients use TLS encryption.
+
+<b>MISCELLANEOUS CONTROLS</b>
+ <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ figuration files.
+
+ <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
+ The maximal number of digits after the decimal point when log-
+ ging sub-second delay values.
+
+ <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
+ The location of all postfix administrative commands.
+
+ <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
+ The maximum amount of time that an idle Postfix daemon process
+ waits for an incoming connection before terminating voluntarily.
+
+ <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
+ The process ID of a Postfix command or daemon process.
+
+ <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
+ The process name of a Postfix command or daemon process.
+
+ <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
+ The syslog facility of Postfix logging.
+
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
+ A prefix that is prepended to the process name in syslog
+ records, so that, for example, "smtpd" becomes "prefix/smtpd".
+
+ Available in Postfix 3.3 and later:
+
+ <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b>
+ The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process.
+
+ Available in Postfix 3.5 and later:
+
+ <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
+ The email address form that will be used in non-debug logging
+ (info, warning, etc.).
+
+<b>SEE ALSO</b>
+ <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
+ <a href="tlsproxy.8.html">tlsproxy(8)</a>, Postfix TLS proxy server
+ <a href="dnsblog.8.html">dnsblog(8)</a>, DNS allow/denylist logger
+ <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging
+ syslogd(8), system logging
+
+<b>README FILES</b>
+ <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto
+
+<b>LICENSE</b>
+ The Secure Mailer license must be distributed with this software.
+
+<b>HISTORY</b>
+ This service was introduced with Postfix version 2.8.
+
+ Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work by Michael
+ Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
+
+<b>AUTHOR(S)</b>
+ Wietse Venema
+ IBM T.J. Watson Research
+ P.O. Box 704
+ Yorktown Heights, NY 10598, USA
+
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
+ POSTSCREEN(8)
+</pre> </body> </html>