<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>
<title> Postfix manual - postscreen(8) </title>
</head> <body> <pre>
POSTSCREEN(8)                                                    POSTSCREEN(8)

<b>NAME</b>
       postscreen - Postfix zombie blocker

<b>SYNOPSIS</b>
       <b>postscreen</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The Postfix <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server provides additional protection against
       mail  server  overload.  One  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  process  handles  multiple
       inbound SMTP connections, and decides which clients may talk to a Post-
       fix SMTP server  process.   By  keeping  spambots  away,  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
       leaves more SMTP server processes available for legitimate clients, and
       delays the onset of server overload conditions.

       This program should not be used on SMTP ports that  receive  mail  from
       end-user clients (MUAs). In a typical deployment, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> handles
       the MX service on TCP port 25, and <a href="smtpd.8.html"><b>smtpd</b>(8)</a> receives mail from MUAs  on
       the <b>submission</b> service (TCP port 587) which requires client authentica-
       tion.  Alternatively, a site could set up a dedicated,  non-postscreen,
       "port  25" server that provides <b>submission</b> service and client authenti-
       cation, but no MX service.

       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> maintains a temporary allowlist  for  clients  that  have
       passed  a  number  of  tests.   When  an  SMTP  client  IP  address  is
       allowlisted, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off the connection  immediately  to  a
       Postfix SMTP server process. This minimizes the overhead for legitimate
       mail.

       By default, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs statistics and hands off each connection
       to a Postfix SMTP server process, while excluding clients in <a href="postconf.5.html#mynetworks">mynetworks</a>
       from all tests (primarily, to avoid  problems  with  non-standard  SMTP
       implementations  in  network  appliances).  This default mode blocks no
       clients, and is useful for non-destructive testing.

       In a typical production setting, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to  reject
       mail  from  clients  that  fail  one  or more tests. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs
       rejected mail with the  client  address,  helo,  sender  and  recipient
       information.

       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  is  not an SMTP proxy; this is intentional.  The purpose
       is to keep spambots away from Postfix SMTP server processes, while min-
       imizing overhead for legitimate traffic.

<b>SECURITY</b>
       The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server is moderately security-sensitive.  It talks to
       untrusted clients on the network. The process can be  run  chrooted  at
       fixed low privilege.

<b>STANDARDS</b>
       <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
       <a href="https://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
       <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
       <a href="https://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
       <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
       <a href="https://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
       <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
       <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
       Not: <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
       <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
       <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
       <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
       <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol, including multi-line 220 banners)

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.

<b>BUGS</b>
       The  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  built-in  SMTP  protocol  engine currently does not
       announce support for AUTH, XCLIENT or XFORWARD.  If you  need  to  make
       these  services  available  on port 25, then do not enable the optional
       "after 220 server greeting" tests.

       The optional "after 220 server greeting" tests may result in unexpected
       delivery delays from senders that retry email delivery from a different
       IP address.  Reason: after passing these tests a new client  must  dis-
       connect,  and  reconnect from the same IP address before it can deliver
       mail. See <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, section "Tests after the 220  SMTP  server
       greeting", for a discussion.

<b>CONFIGURATION PARAMETERS</b>
       Changes  to  <a href="postconf.5.html">main.cf</a>  are not picked up automatically, as <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
       processes may run for several hours.  Use the command "postfix  reload"
       after a configuration change.

       The  text  below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
       more details including examples.

       NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement  stress-dependent  behav-
       ior.   This  is  supported  only  when  the  default parameter value is
       stress-dependent (that is, it looks like ${stress?{X}:{Y}},  or  it  is
       the  $<i>name</i>  of  an  smtpd  parameter  with a stress-dependent default).
       Other parameters always evaluate as if the <b>stress</b>  parameter  value  is
       the empty string.

<b>COMPATIBILITY CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b>
              A mechanism to transform commands from remote SMTP clients.

       <b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a>  ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_key</a>-</b>
       <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">word_address_maps</a>)</b>
              Lookup  tables,  indexed by the remote SMTP client address, with
              case insensitive lists of EHLO keywords  (pipelining,  starttls,
              auth,  etc.)  that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
              EHLO response to a remote SMTP client.

       <b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>)</b>
              A case insensitive list of EHLO keywords (pipelining,  starttls,
              auth,  etc.)  that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
              EHLO response to a remote SMTP client.

       Available in Postfix version 3.1 and later:

       <b><a href="postconf.5.html#dns_ncache_ttl_fix_enable">dns_ncache_ttl_fix_enable</a> (no)</b>
              Enable a workaround for future libc incompatibility.

       Available in Postfix version 3.4 and later:

       <b><a href="postconf.5.html#postscreen_reject_footer_maps">postscreen_reject_footer_maps</a> ($<a href="postconf.5.html#smtpd_reject_footer_maps">smtpd_reject_footer_maps</a>)</b>
              Optional lookup table for information that is appended  after  a
              4XX or 5XX <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response.

       Available in Postfix 3.6 and later:

       <b><a href="postconf.5.html#respectful_logging">respectful_logging</a> (see 'postconf -d' output)</b>
              Avoid logging that implies white is better than black.

<b>TROUBLE SHOOTING CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b>
              List     of     characters     that     are     permitted     in
              <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions.

       <b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b>
              Optional information  that  is  appended  after  a  4XX  or  5XX
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response.

       <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
              Safety  net to keep mail queued that would otherwise be returned
              to the sender.

<b>BEFORE-POSTSCREEN PROXY AGENT</b>
       Available in Postfix version 2.10 and later:

       <b><a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> (empty)</b>
              The  name  of  the  proxy   protocol   used   by   an   optional
              before-postscreen proxy agent.

       <b><a href="postconf.5.html#postscreen_upstream_proxy_timeout">postscreen_upstream_proxy_timeout</a> (5s)</b>
              The  time  limit  for  the  proxy  protocol  specified  with the
              <a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> parameter.

<b>PERMANENT ALLOW/DENYLIST TEST</b>
       This test is executed immediately after a remote SMTP client  connects.
       If  a  client is permanently allowlisted, the client will be handed off
       immediately to a Postfix SMTP server process.

       <b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b>
              Permanent allow/denylist for remote SMTP client IP addresses.

       <b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
              Renamed to <a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> in Postfix 3.6.

<b>MAIL EXCHANGER POLICY TESTS</b>
       When <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to monitor all primary and  backup  MX
       addresses,  it can refuse to allowlist clients that connect to a backup
       MX address only. For small sites, this requires configuring primary and
       backup  MX  addresses on the same MTA. Larger sites would have to share
       the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache between primary and backup  MTAs,  which  would
       introduce a common point of failure.

       <b><a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b>
              A  list  of  local  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  server  IP  addresses where a
              non-allowlisted remote SMTP client  can  obtain  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
              temporary allowlist status.

<b>BEFORE 220 GREETING TESTS</b>
       These  tests  are  executed  before the remote SMTP client receives the
       "220 servername" greeting. If no tests remain after the successful com-
       pletion  of  this phase, the client will be handed off immediately to a
       Postfix SMTP server process.

       <b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b>
              The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.

       <b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP  client's
              combined DNSBL score is equal to or greater than a threshold (as
              defined      with      the      <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>       and
              <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> parameters).

       <b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
              A  mapping  from  an  actual  DNSBL domain name which includes a
              secret password, to the DNSBL domain name that  postscreen  will
              reply with when it rejects mail.

       <b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
              Optional  list of patterns with DNS allow/denylist domains, fil-
              ters and weight factors.

       <b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
              The inclusive lower bound for blocking  a  remote  SMTP  client,
              based   on   its  combined  DNSBL  score  as  defined  with  the
              <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.

       <b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a  remote  SMTP  client
              speaks  before  its  turn  within  the  time  specified with the
              <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.

       <b><a href="postconf.5.html#postscreen_greet_banner">postscreen_greet_banner</a> ($<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>)</b>
              The <i>text</i> in the  optional  "220-<i>text</i>..."  server  response  that
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real Postfix SMTP server's "220
              text..." response, in an attempt to confuse bad SMTP clients  so
              that they speak before their turn (pre-greet).

       <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (normal: 6s, overload: 2s)</b>
              The  amount  of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for an SMTP
              client to send a command before its turn, and for DNS  blocklist
              lookup results to arrive (default: up to 2 seconds under stress,
              up to 6 seconds otherwise).

       <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
              The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off  allowed  con-
              nections to.

       Available in Postfix version 2.11 and later:

       <b><a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">postscreen_dnsbl_whitelist_threshold</a> (0)</b>
              Renamed  to <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> in Postfix 3.6.

       Available in Postfix version 3.0 and later:

       <b><a href="postconf.5.html#postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a> (10s)</b>
              The time limit for DNSBL or DNSWL lookups.

       Available in Postfix version 3.6 and later:

       <b><a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client is
              permanently  denylisted  with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parame-
              ter.

       <b><a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b>
              A list of  local  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  server  IP  addresses  where  a
              non-allowlisted  remote  SMTP  client can obtain <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
              temporary allowlist status.

       <b><a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> (0)</b>
              Allow a remote SMTP client  to  skip  "before"  and  "after  220
              greeting"  protocol  tests, based on its combined DNSBL score as
              defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
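
       Added example (not part of this manual or of the Postfix source): a
       Python model of the combined DNSBL score and the two threshold
       comparisons summarized above. The domain[=filter][*weight] entry syntax
       and the "negative value enables" rule follow postconf(5); the DNSBL
       domains, the replies and the simplified filter matching (exact octets
       or one [lo..hi] range per octet) are assumptions for illustration.

```python
"""Model of postscreen's combined DNSBL score (illustration only).

Added example, not Postfix code.  Filter matching is simplified to exact
octets and [lo..hi] ranges; DNS lookups are replaced by a dict of replies.
"""
import re

# domain, optional "=filter", optional "*weight" (weight may be negative).
ENTRY_RE = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")
RANGE_RE = re.compile(r"^\[(\d+)\.\.(\d+)\]$")


def parse_sites(value):
    """Split a postscreen_dnsbl_sites value into (domain, filter, weight)."""
    entries = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        m = ENTRY_RE.match(item)
        if m is None:
            raise ValueError("bad postscreen_dnsbl_sites entry: %r" % item)
        domain, flt, weight = m.groups()
        # Without "*weight" a matching entry adds 1 to the score.
        entries.append((domain.lower(), flt, int(weight) if weight else 1))
    return entries


def reply_matches(flt, reply):
    """True when a DNSBL A-record reply satisfies an entry's filter."""
    if flt is None:              # no filter: any non-error reply counts
        return True
    parts = re.findall(r"\[\d+\.\.\d+\]|\d+", flt)
    octets = reply.split(".")
    if len(parts) != 4 or len(octets) != 4:
        raise ValueError("unsupported filter or reply: %r %r" % (flt, reply))
    for pat, octet in zip(parts, octets):
        rng = RANGE_RE.match(pat)
        if rng:
            lo, hi = int(rng.group(1)), int(rng.group(2))
            if int(octet) not in range(lo, hi + 1):
                return False
        elif int(pat) != int(octet):
            return False
    return True


def combined_score(entries, replies):
    """Sum the weights of all entries matched by this client's replies.

    replies maps a DNSBL domain to the list of A records returned for the
    client; a missing key or empty list means "not listed".
    """
    score = 0
    for domain, flt, weight in entries:
        if any(reply_matches(flt, r) for r in replies.get(domain, [])):
            score += weight
    return score


def dnsbl_decision(score, threshold=1, allowlist_threshold=0, action="ignore"):
    """Apply postscreen_dnsbl_threshold and ..._allowlist_threshold.

    threshold is an inclusive lower bound for failing the test; the
    configured action (ignore, enforce or drop) then decides what happens.
    A negative allowlist_threshold lets low-scoring clients skip the
    remaining protocol tests; the default 0 disables that.
    """
    if score >= threshold:
        return "fail:" + action
    if 0 > allowlist_threshold >= score:
        return "skip-remaining-tests"
    return "pass"


# Constructed sample configuration: two hypothetical denylists, one allowlist.
SITES = ("bl.example.org=127.0.0.[2..11]*2, bl2.example.net*1, "
         "wl.example.com=127.0.[0..255].1*-3")

if __name__ == "__main__":
    entries = parse_sites(SITES)
    listed = {"bl.example.org": ["127.0.0.4"], "bl2.example.net": ["127.0.0.2"]}
    score = combined_score(entries, listed)
    print(score, dnsbl_decision(score, threshold=3, action="enforce"))
```

       With the default postscreen_dnsbl_action of "ignore", a client at or
       above the threshold is still handed off, which is why the default
       configuration blocks no clients.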

<b>AFTER 220 GREETING TESTS</b>
       These tests are executed after the remote SMTP client receives the "220
       servername"  greeting.  If a client passes all tests during this phase,
       it will receive a 4XX response to  all  RCPT  TO  commands.  After  the
       client  reconnects,  it  will  be allowed to talk directly to a Postfix
       SMTP server process.

       <b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a  remote  SMTP  client
              sends  a bare newline character, that is, a newline not preceded
              by carriage return.

       <b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
              Enable "bare newline" SMTP protocol tests in  the  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
              server.

       <b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
              Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.

       <b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
              List of commands that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server considers in vio-
              lation of the SMTP protocol.

       <b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b>
              Require that a remote SMTP client sends HELO or EHLO before com-
              mencing a MAIL transaction.

       <b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
              sends non-SMTP commands as specified with the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbid</a>-
              <a href="postconf.5.html#postscreen_forbidden_commands">den_commands</a> parameter.

       <b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b>
              Enable "non-SMTP command" tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.

       <b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
              sends multiple commands instead of sending one command and wait-
              ing for the server to respond.

       <b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
              Enable  "pipelining"  SMTP  protocol  tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
              server.

<b>CACHE CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
              The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache cleanup runs.

       <b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (<a href="DATABASE_README.html#types">btree</a>:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache)</b>
              Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server decisions.

       <b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an expired tem-
              porary allowlist entry before it is removed.

       <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful "bare newline" SMTP protocol test.

       <b><a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a></b>
       <b>(${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b>
              The maximum amount of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  use  the
              result  from  a  successful  DNS-based  reputation test before a
              client IP address is required to pass that test again.

       <b><a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a> (60s)</b>
              The minimum amount of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  use  the
              result  from  a  successful  DNS-based  reputation test before a
              client IP address is required to pass that test again.

       <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful PREGREET test.

       <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful "non_smtp_command" SMTP protocol test.

       <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful "pipelining" SMTP protocol test.

<b>RESOURCE CONTROLS</b>
       <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
              Upon  input,  long  lines  are chopped up into pieces of at most
              this length; upon delivery, long lines are reconstructed.

       <b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a>         ($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connec</a>-</b>
       <b><a href="postconf.5.html#smtpd_client_connection_count_limit">tion_count_limit</a>)</b>
              How many simultaneous connections  any  remote  SMTP  client  is
              allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.

       <b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
              The  limit  on the total number of commands per SMTP session for
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.

       <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (normal: 300s, overload: 10s)</b>
              The  time  limit  to  read   an   entire   command   line   with
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.

       <b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
              The  number  of  clients  that can be waiting for service from a
              real Postfix SMTP server process.

       <b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
              The number of non-allowlisted clients that can be waiting for  a
              decision  whether  they will receive service from a real Postfix
              SMTP server process.

       <b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
              How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to respond  to  a
              remote  SMTP  client  command  or  to  perform a cache operation
              before it is terminated by a built-in watchdog timer.

<b>STARTTLS CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
              The SMTP TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server; when a
              non-empty value is specified, this overrides the obsolete param-
              eters <a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>.

       <b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b>
              The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.

<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
       These parameters are supported for compatibility with  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>  legacy
       parameters.

       <b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
              Opportunistic  TLS:  announce  STARTTLS  support  to remote SMTP
              clients, but do not require that clients use TLS encryption.

       <b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
              Mandatory TLS: announce STARTTLS support to remote SMTP clients,
              and require that clients use TLS encryption.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
              figuration files.

       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The maximal number of digits after the decimal point  when  log-
              ging sub-second delay values.

       <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
              The location of all postfix administrative commands.

       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
              The  maximum  amount of time that an idle Postfix daemon process
              waits for an incoming connection before terminating voluntarily.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID of a Postfix command or daemon process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a Postfix command or daemon process.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              A  prefix  that  is  prepended  to  the  process  name in syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".

       Available in Postfix 3.3 and later:

       <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b>
              The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process.

       Available in Postfix 3.5 and later:

       <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
              The email address form that will be used  in  non-debug  logging
              (info, warning, etc.).

<b>SEE ALSO</b>
       <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
       <a href="tlsproxy.8.html">tlsproxy(8)</a>, Postfix TLS proxy server
       <a href="dnsblog.8.html">dnsblog(8)</a>, DNS allow/denylist logger
       <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging
       syslogd(8), system logging

<b>README FILES</b>
       <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this software.

<b>HISTORY</b>
       This service was introduced with Postfix version 2.8.

       Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier  work  by  Michael
       Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.

<b>AUTHOR(S)</b>
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

                                                                 POSTSCREEN(8)
</pre> </body> </html>