xref: /netbsd-src/external/ibm-public/postfix/dist/html/postscreen.8.html (revision 4b169a6ba595ae283ca507b26b15fdff40495b1c) 
1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
2        "http://www.w3.org/TR/html4/loose.dtd">
3<html> <head>
4<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
5<title> Postfix manual - postscreen(8) </title>
6</head> <body> <pre>
7POSTSCREEN(8)                                                    POSTSCREEN(8)
8
9<b>NAME</b>
10       postscreen - Postfix zombie blocker
11
12<b>SYNOPSIS</b>
13       <b>postscreen</b> [generic Postfix daemon options]
14
15<b>DESCRIPTION</b>
16       The Postfix <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server provides additional protection against
17       mail  server  overload.  One  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  process  handles  multiple
18       inbound SMTP connections, and decides which clients may talk to a Post-
19       fix SMTP server  process.   By  keeping  spambots  away,  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
20       leaves more SMTP server processes available for legitimate clients, and
21       delays the onset of server overload conditions.
22
23       This program should not be used on SMTP ports that  receive  mail  from
24       end-user clients (MUAs). In a typical deployment, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> handles
25       the MX service on TCP port 25, and <a href="smtpd.8.html"><b>smtpd</b>(8)</a> receives mail from MUAs  on
26       the <b>submission</b> service (TCP port 587) which requires client authentica-
27       tion.  Alternatively, a site could set up a dedicated,  non-postscreen,
28       "port  25" server that provides <b>submission</b> service and client authenti-
29       cation, but no MX service.
30
31       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> maintains a temporary allowlist  for  clients  that  have
32       passed  a  number  of  tests.   When  an  SMTP  client  IP  address  is
33       allowlisted, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off the connection  immediately  to  a
34       Postfix SMTP server process. This minimizes the overhead for legitimate
35       mail.
36
37       By default, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs statistics and hands off each connection
38       to a Postfix SMTP server process, while excluding clients in <a href="postconf.5.html#mynetworks">mynetworks</a>
39       from all tests (primarily, to avoid  problems  with  non-standard  SMTP
40       implementations  in  network  appliances).  This default mode blocks no
41       clients, and is useful for non-destructive testing.
42
43       In a typical production setting, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to  reject
44       mail  from  clients  that  fail  one  or more tests. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs
45       rejected mail with the  client  address,  helo,  sender  and  recipient
46       information.
47
48       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  is  not an SMTP proxy; this is intentional.  The purpose
49       is to keep spambots away from Postfix SMTP server processes, while min-
50       imizing overhead for legitimate traffic.
51
52<b>SECURITY</b>
53       The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server is moderately security-sensitive.  It talks to
54       untrusted clients on the network. The process can be  run  chrooted  at
55       fixed low privilege.
56
57<b>STANDARDS</b>
58       <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
59       <a href="https://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
60       <a href="https://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
61       <a href="https://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
62       <a href="https://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
63       <a href="https://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
64       <a href="https://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
65       <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
66       Not: <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
67       <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
68       <a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
69       <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
70       <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
71       <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol, including multi-line 220 banners)
72
73<b>DIAGNOSTICS</b>
74       Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
75
76<b>BUGS</b>
77       The  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  built-in  SMTP  protocol  engine currently does not
78       announce support for AUTH, XCLIENT or XFORWARD.  If you  need  to  make
79       these  services  available  on port 25, then do not enable the optional
80       "after 220 server greeting" tests.
81
82       The optional "after 220 server greeting" tests may result in unexpected
83       delivery delays from senders that retry email delivery from a different
84       IP address.  Reason: after passing these tests a new client  must  dis-
85       connect,  and  reconnect from the same IP address before it can deliver
86       mail. See <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, section "Tests after the 220  SMTP  server
87       greeting", for a discussion.
88
89<b>CONFIGURATION PARAMETERS</b>
90       Changes  to  <a href="postconf.5.html">main.cf</a>  are not picked up automatically, as <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
91       processes may run for several hours.  Use the command "postfix  reload"
92       after a configuration change.
93
94       The  text  below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
95       more details including examples.
96
97       NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement  stress-dependent  behav-
98       ior.   This  is  supported  only  when  the  default parameter value is
99       stress-dependent (that is, it looks like ${stress?{X}:{Y}},  or  it  is
100       the  $<i>name</i>  of  an  smtpd  parameter  with a stress-dependent default).
101       Other parameters always evaluate as if the <b>stress</b>  parameter  value  is
102       the empty string.
103
104<b>COMPATIBILITY CONTROLS</b>
105       <b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b>
106              A mechanism to transform commands from remote SMTP clients.
107
108       <b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a>  ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_key</a>-</b>
109       <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">word_address_maps</a>)</b>
110              Lookup  tables,  indexed by the remote SMTP client address, with
111              case insensitive lists of EHLO keywords  (pipelining,  starttls,
112              auth,  etc.)  that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
113              EHLO response to a remote SMTP client.
114
115       <b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>)</b>
116              A case insensitive list of EHLO keywords (pipelining,  starttls,
117              auth,  etc.)  that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
118              EHLO response to a remote SMTP client.
119
120       Available in Postfix version 3.1 and later:
121
122       <b><a href="postconf.5.html#dns_ncache_ttl_fix_enable">dns_ncache_ttl_fix_enable</a> (no)</b>
123              Enable a workaround for future libc incompatibility.
124
125       Available in Postfix version 3.4 and later:
126
127       <b><a href="postconf.5.html#postscreen_reject_footer_maps">postscreen_reject_footer_maps</a> ($<a href="postconf.5.html#smtpd_reject_footer_maps">smtpd_reject_footer_maps</a>)</b>
128              Optional lookup table for information that is appended  after  a
129              4XX or 5XX <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response.
130
131       Available in Postfix 3.6 and later:
132
133       <b><a href="postconf.5.html#respectful_logging">respectful_logging</a> (see 'postconf -d' output)</b>
134              Avoid logging that implies white is better than black.
135
136<b>TROUBLE SHOOTING CONTROLS</b>
137       <b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b>
138              List     of     characters     that     are     permitted     in
139              <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions.
140
141       <b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b>
142              Optional information  that  is  appended  after  a  4XX  or  5XX
143              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response.
144
145       <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
146              Safety  net to keep mail queued that would otherwise be returned
147              to the sender.
148
149<b>BEFORE-POSTSCREEN PROXY AGENT</b>
150       Available in Postfix version 2.10 and later:
151
152       <b><a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> (empty)</b>
153              The  name  of  the  proxy   protocol   used   by   an   optional
154              before-postscreen proxy agent.
155
156       <b><a href="postconf.5.html#postscreen_upstream_proxy_timeout">postscreen_upstream_proxy_timeout</a> (5s)</b>
157              The  time  limit  for  the  proxy  protocol  specified  with the
158              <a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> parameter.
159
160<b>PERMANENT ALLOW/DENYLIST TEST</b>
161       This test is executed immediately after a remote SMTP client  connects.
162       If  a  client is permanently allowlisted, the client will be handed off
163       immediately to a Postfix SMTP server process.
164
165       <b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b>
166              Permanent allow/denylist for remote SMTP client IP addresses.
167
168       <b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
169              Renamed to <a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> in Postfix 3.6.
170
171<b>MAIL EXCHANGER POLICY TESTS</b>
172       When <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to monitor all primary and  backup  MX
173       addresses,  it can refuse to allowlist clients that connect to a backup
174       MX address only. For small sites, this requires configuring primary and
175       backup  MX  addresses on the same MTA. Larger sites would have to share
176       the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache between primary and backup  MTAs,  which  would
177       introduce a common point of failure.
178
179       <b><a href="postconf.5.html#postscreen_whitelist_interfaces">postscreen_whitelist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b>
180              Renamed to <a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> in Postfix 3.6.
181
182<b>BEFORE 220 GREETING TESTS</b>
183       These  tests  are  executed  before the remote SMTP client receives the
184       "220 servername" greeting. If no tests remain after the successful com-
185       pletion  of  this phase, the client will be handed off immediately to a
186       Postfix SMTP server process.
187
188       <b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b>
189              The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
190
191       <b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
192              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP  client's
193              combined DNSBL score is equal to or greater than a threshold (as
194              defined      with      the      <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>       and
195              <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> parameters).
196
197       <b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
198              A  mapping from actual DNSBL domain name which includes a secret
199              password, to the DNSBL domain name that  postscreen  will  reply
200              with when it rejects mail.
201
202       <b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
203              Optional  list of DNS allow/denylist domains, filters and weight
204              factors.
205
206       <b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
207              The inclusive lower bound for blocking  a  remote  SMTP  client,
208              based   on   its  combined  DNSBL  score  as  defined  with  the
209              <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
210
211       <b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
212              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a  remote  SMTP  client
213              speaks  before  its  turn  within  the  time  specified with the
214              <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.
215
216       <b><a href="postconf.5.html#postscreen_greet_banner">postscreen_greet_banner</a> ($<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>)</b>
217              The <i>text</i> in the  optional  "220-<i>text</i>..."  server  response  that
218              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real Postfix SMTP server's "220
219              text..." response, in an attempt to confuse bad SMTP clients  so
220              that they speak before their turn (pre-greet).
221
222       <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (normal: 6s, overload: 2s)</b>
223              The  amount  of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for an SMTP
224              client to send a command before its turn, and for DNS  blocklist
225              lookup results to arrive (default: up to 2 seconds under stress,
226              up to 6 seconds otherwise).
227
228       <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
229              The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off  allowed  con-
230              nections to.
231
232       Available in Postfix version 2.11 and later:
233
234       <b><a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">postscreen_dnsbl_whitelist_threshold</a> (0)</b>
235              Renamed  to <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> in Postfix 3.6.
236
237       Available in Postfix version 3.0 and later:
238
239       <b><a href="postconf.5.html#postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a> (10s)</b>
240              The time limit for DNSBL or DNSWL lookups.
241
242       Available in Postfix version 3.6 and later:
243
244       <b><a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> (ignore)</b>
245              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client is
246              permanently  denylisted  with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parame-
247              ter.
248
249       <b><a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b>
250              A list of  local  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  server  IP  addresses  where  a
251              non-allowlisted  remote  SMTP  client can obtain <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
252              temporary allowlist status.
253
254       <b><a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> (0)</b>
255              Allow a remote SMTP client  to  skip  "before"  and  "after  220
256              greeting"  protocol  tests, based on its combined DNSBL score as
257              defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
258
259<b>AFTER 220 GREETING TESTS</b>
260       These tests are executed after the remote SMTP client receives the "220
261       servername"  greeting.  If a client passes all tests during this phase,
262       it will receive a 4XX response to  all  RCPT  TO  commands.  After  the
263       client  reconnects,  it  will  be allowed to talk directly to a Postfix
264       SMTP server process.
265
266       <b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
267              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a  remote  SMTP  client
268              sends  a bare newline character, that is, a newline not preceded
269              by carriage return.
270
271       <b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
272              Enable "bare newline" SMTP protocol tests in  the  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
273              server.
274
275       <b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
276              Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
277
278       <b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
279              List of commands that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server considers in vio-
280              lation of the SMTP protocol.
281
282       <b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b>
283              Require that a remote SMTP client sends HELO or EHLO before com-
284              mencing a MAIL transaction.
285
286       <b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
287              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
288              sends non-SMTP commands as specified with the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbid</a>-
289              <a href="postconf.5.html#postscreen_forbidden_commands">den_commands</a> parameter.
290
291       <b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b>
292              Enable "non-SMTP command" tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
293
294       <b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
295              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
296              sends multiple commands instead of sending one command and wait-
297              ing for the server to respond.
298
299       <b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
300              Enable  "pipelining"  SMTP  protocol  tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
301              server.
302
303<b>CACHE CONTROLS</b>
304       <b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
305              The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache cleanup runs.
306
307       <b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (<a href="DATABASE_README.html#types">btree</a>:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache)</b>
308              Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server decisions.
309
310       <b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
311              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an expired tem-
312              porary allowlist entry before it is removed.
313
314       <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
315              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
316              successful "bare newline" SMTP protocol test.
317
318       <b><a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a></b>
319       <b>(${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b>
320              The maximum amount of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  use  the
321              result  from  a  successful  DNS-based  reputation test before a
322              client IP address is required to pass that test again.
323
324       <b><a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a> (60s)</b>
325              The minimum amount of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  use  the
326              result  from  a  successful  DNS-based  reputation test before a
327              client IP address is required to pass that test again.
328
329       <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
330              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
331              successful PREGREET test.
332
333       <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
334              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
335              successful "non_smtp_command" SMTP protocol test.
336
337       <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
338              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
339              successful "pipelining" SMTP protocol test.
340
341<b>RESOURCE CONTROLS</b>
342       <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
343              Upon  input,  long  lines  are chopped up into pieces of at most
344              this length; upon delivery, long lines are reconstructed.
345
346       <b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a>         ($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connec</a>-</b>
347       <b><a href="postconf.5.html#smtpd_client_connection_count_limit">tion_count_limit</a>)</b>
348              How many simultaneous connections  any  remote  SMTP  client  is
349              allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
350
351       <b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
352              The  limit  on the total number of commands per SMTP session for
353              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
354
355       <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (normal: 300s, overload: 10s)</b>
356              The  time  limit  to  read   an   entire   command   line   with
357              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
358
359       <b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
360              The  number  of  clients  that can be waiting for service from a
361              real Postfix SMTP server process.
362
363       <b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
364              The number of non-allowlisted clients that can be waiting for  a
365              decision  whether  they will receive service from a real Postfix
366              SMTP server process.
367
368       <b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
369              How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to respond  to  a
370              remote  SMTP  client  command  or  to  perform a cache operation
371              before it is terminated by a built-in watchdog timer.
372
373<b>STARTTLS CONTROLS</b>
374       <b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
375              The SMTP TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server; when a
376              non-empty value is specified, this overrides the obsolete param-
377              eters <a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>.
378
379       <b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b>
380              The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
381
382<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
383       These parameters are supported for compatibility with  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>  legacy
384       parameters.
385
386       <b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
387              Opportunistic  TLS:  announce  STARTTLS  support  to remote SMTP
388              clients, but do not require that clients use TLS encryption.
389
390       <b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
391              Mandatory TLS: announce STARTTLS support to remote SMTP clients,
392              and require that clients use TLS encryption.
393
394<b>MISCELLANEOUS CONTROLS</b>
395       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
396              The  default  location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
397              figuration files.
398
399       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
400              The maximal number of digits after the decimal point  when  log-
401              ging sub-second delay values.
402
403       <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
404              The location of all postfix administrative commands.
405
406       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
407              The  maximum  amount of time that an idle Postfix daemon process
408              waits for an incoming connection before terminating voluntarily.
409
410       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
411              The process ID of a Postfix command or daemon process.
412
413       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
414              The process name of a Postfix command or daemon process.
415
416       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
417              The syslog facility of Postfix logging.
418
419       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
420              A  prefix  that  is  prepended  to  the  process  name in syslog
421              records, so that, for example, "smtpd" becomes "prefix/smtpd".
422
423       Available in Postfix 3.3 and later:
424
425       <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b>
426              The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process.
427
428       Available in Postfix 3.5 and later:
429
430       <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
431              The email address form that will be used  in  non-debug  logging
432              (info, warning, etc.).
433
434<b>SEE ALSO</b>
435       <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
436       <a href="tlsproxy.8.html">tlsproxy(8)</a>, Postfix TLS proxy server
437       <a href="dnsblog.8.html">dnsblog(8)</a>, DNS allow/denylist logger
438       <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging
439       syslogd(8), system logging
440
441<b>README FILES</b>
442       <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto
443
444<b>LICENSE</b>
445       The Secure Mailer license must be distributed with this software.
446
447<b>HISTORY</b>
448       This service was introduced with Postfix version 2.8.
449
450       Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier  work  by  Michael
451       Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
452
453<b>AUTHOR(S)</b>
454       Wietse Venema
455       IBM T.J. Watson Research
456       P.O. Box 704
457       Yorktown Heights, NY 10598, USA
458
459       Wietse Venema
460       Google, Inc.
461       111 8th Avenue
462       New York, NY 10011, USA
463
464                                                                 POSTSCREEN(8)
465</pre> </body> </html>
466