<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - postscreen(8) </title>
</head> <body> <pre>
POSTSCREEN(8)                                                    POSTSCREEN(8)

<b>NAME</b>
       postscreen - Postfix zombie blocker

<b>SYNOPSIS</b>
       <b>postscreen</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The Postfix <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server provides additional protection against
       mail server overload. One <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process handles multiple
       inbound SMTP connections, and decides which clients may talk to a Postfix
       SMTP server process. By keeping spambots away, <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
       leaves more SMTP server processes available for legitimate clients, and
       delays the onset of server overload conditions.

       This program should not be used on SMTP ports that receive mail from
       end-user clients (MUAs). In a typical deployment, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> handles
       the MX service on TCP port 25, while MUA clients submit mail via the
       <b>submission</b> service on TCP port 587 which requires client authentication.
       Alternatively, a site could set up a dedicated, non-postscreen,
       "port 25" server that provides <b>submission</b> service and client authentication,
       but no MX service.

       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> maintains a temporary whitelist for clients that have
       passed a number of tests. When an SMTP client IP address is
       whitelisted, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off the connection immediately to a
       Postfix SMTP server process. This minimizes the overhead for legitimate
       mail.

       By default, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs statistics and hands off every connection
       to a Postfix SMTP server process, while excluding clients in
       <a href="postconf.5.html#mynetworks">mynetworks</a> from all tests (primarily, to avoid problems with non-standard
       SMTP implementations in network appliances). This mode is useful
       for non-destructive testing.

       In a typical production setting, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to reject
       mail from clients that fail one or more tests. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs
       rejected mail with the client address, helo, sender and recipient
       information.

       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is not an SMTP proxy; this is intentional. The purpose
       is to keep spambots away from Postfix SMTP server processes, while minimizing
       overhead for legitimate traffic.

<b>SECURITY</b>
       The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server is moderately security-sensitive. It talks to
       untrusted clients on the network. The process can be run chrooted at
       fixed low privilege.

<b>STANDARDS</b>
       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
       <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
       <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
       Not: <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol, including multi-line 220 banners)

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8).

<b>BUGS</b>
       The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine currently does not
       announce support for AUTH, XCLIENT or XFORWARD. If you need to make
       these services available on port 25, then do not enable the optional
       "after 220 server greeting" tests, and do not use DNSBLs that reject
       traffic from dial-up and residential networks.

       The optional "after 220 server greeting" tests involve <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
       built-in SMTP protocol engine. When these tests succeed, <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
       adds the client to the temporary whitelist, but it cannot hand off
       the "live" connection to a Postfix SMTP server process in the middle of
       a session. Instead, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> defers attempts to deliver mail with
       a 4XX status, and waits for the client to disconnect. When the client
       connects again, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will allow the client to talk to a Postfix
       SMTP server process (provided that the whitelist status has not
       expired). <a href="postscreen.8.html"><b>postscreen</b>(8)</a> mitigates the impact of this limitation by
       giving the "after 220 server greeting" tests a long expiration time.

<b>CONFIGURATION PARAMETERS</b>
       Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
       processes may run for several hours. Use the command "postfix reload"
       after a configuration change.

       The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
       more details including examples.

       NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress-dependent behavior.
       This is supported only when the default parameter value is
       stress-dependent (that is, it looks like ${stress?X}${stress:Y}, or it
       is the $<i>name</i> of an smtpd parameter with a stress-dependent default).
       Other parameters always evaluate as if the <b>stress</b> parameter value is
       the empty string.

<b>COMPATIBILITY CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b>
              A mechanism to transform commands from remote SMTP clients.

       <b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>)</b>
              Lookup tables, indexed by the remote SMTP client address, with
              case insensitive lists of EHLO keywords (pipelining, starttls,
              auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
              EHLO response to a remote SMTP client.

       <b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>)</b>
              A case insensitive list of EHLO keywords (pipelining, starttls,
              auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
              EHLO response to a remote SMTP client.

<b>TROUBLE SHOOTING CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b>
              List of characters that are permitted in
              <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions.

       <b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b>
              Optional information that is appended after a 4XX or 5XX
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response.

       <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
              Safety net to keep mail queued that would otherwise be returned
              to the sender.

<b>BEFORE-POSTSCREEN PROXY AGENT</b>
       Available in Postfix version 2.10 and later:

       <b><a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> (empty)</b>
              The name of the proxy protocol used by an optional
              before-postscreen proxy agent.

       <b><a href="postconf.5.html#postscreen_upstream_proxy_timeout">postscreen_upstream_proxy_timeout</a> (5s)</b>
              The time limit for the proxy protocol specified with the
              <a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> parameter.

<b>PERMANENT WHITE/BLACKLIST TEST</b>
       This test is executed immediately after a remote SMTP client connects.
       If a client is permanently whitelisted, the client will be handed off
       immediately to a Postfix SMTP server process.

       <b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b>
              Permanent white/blacklist for remote SMTP client IP addresses.

       <b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client is
              permanently blacklisted with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter.

<b>MAIL EXCHANGER POLICY TESTS</b>
       When <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to monitor all primary and backup MX
       addresses, it can refuse to whitelist clients that connect to a backup
       MX address only. For small sites, this requires configuring primary and
       backup MX addresses on the same MTA. Larger sites would have to share
       the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache between primary and backup MTAs, which would
       introduce a common point of failure.

       <b><a href="postconf.5.html#postscreen_whitelist_interfaces">postscreen_whitelist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b>
              A list of local <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server IP addresses where a
              non-whitelisted remote SMTP client can obtain <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
              temporary whitelist status.

<b>BEFORE 220 GREETING TESTS</b>
       These tests are executed before the remote SMTP client receives the
       "220 servername" greeting. If no tests remain after the successful
       completion of this phase, the client will be handed off immediately to a
       Postfix SMTP server process.

       <b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b>
              The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.

       <b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client's
              combined DNSBL score is equal to or greater than a threshold (as
              defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and
              <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> parameters).

       <b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
              A mapping from actual DNSBL domain name which includes a secret
              password, to the DNSBL domain name that postscreen will reply
              with when it rejects mail.

       <b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
              Optional list of DNS white/blacklist domains, filters and weight
              factors.

       <b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
              The inclusive lower bound for blocking a remote SMTP client,
              based on its combined DNSBL score as defined with the
              <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.

       <b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
              speaks before its turn within the time specified with the
              <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.

       <b><a href="postconf.5.html#postscreen_greet_banner">postscreen_greet_banner</a> ($<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>)</b>
              The <i>text</i> in the optional "220-<i>text</i>..." server response that
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real Postfix SMTP server's "220
              text..." response, in an attempt to confuse bad SMTP clients so
              that they speak before their turn (pre-greet).

       <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (${stress?2}${stress:6}s)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for an SMTP
              client to send a command before its turn, and for DNS blocklist
              lookup results to arrive (default: up to 2 seconds under stress,
              up to 6 seconds otherwise).

       <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
              The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off allowed
              connections to.
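
The combined DNSBL score that the postscreen_dnsbl_* parameters refer to, worked through in Python. This is an added example, not part of the Postfix manual or the Postfix source. It assumes the "domain[=filter][*weight]" entry syntax from postconf(5), that each entry adds its weight at most once, and that postscreen_dnsbl_whitelist_threshold only takes effect when negative; the domains and DNS replies are constructed.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional


class Site(NamedTuple):
    domain: str
    pattern: Optional[str]  # reply filter such as 127.0.0.[2;4..8]; None matches any reply
    weight: int


# One entry: domain[=filter][*weight]; the weight defaults to 1.
ENTRY = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")


def parse_sites(value: str) -> List[Site]:
    """Parse a postscreen_dnsbl_sites value (comma or whitespace separated)."""
    sites = []
    for item in filter(None, re.split(r"[,\s]+", value)):
        m = ENTRY.match(item)
        if m is None:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {item!r}")
        sites.append(Site(m.group(1), m.group(2), int(m.group(3) or 1)))
    return sites


def octet_matches(spec: str, octet: int) -> bool:
    """spec is a number, or [..] holding ';'-separated numbers or n..m ranges."""
    if spec.startswith("["):
        for part in spec[1:-1].split(";"):
            lo, _, hi = part.partition("..")
            if octet in range(int(lo), int(hi or lo) + 1):
                return True
        return False
    return int(spec) == octet


def reply_matches(pattern: Optional[str], address: str) -> bool:
    """Check one DNSBL A-record reply against an entry's filter."""
    if pattern is None:
        return True
    specs = re.findall(r"\[[^\]]*\]|\d+", pattern)
    octets = [int(o) for o in address.split(".")]
    if len(specs) != 4 or len(octets) != 4:
        raise ValueError(f"not an IPv4 pattern/address: {pattern!r} {address!r}")
    return all(octet_matches(s, o) for s, o in zip(specs, octets))


def combined_score(sites: List[Site], replies: Dict[str, Iterable[str]]) -> int:
    """Sum the weights of all entries whose domain returned a matching reply."""
    return sum(s.weight for s in sites
               if any(reply_matches(s.pattern, a) for a in replies.get(s.domain, ())))


def decide(score: int, threshold: int = 1, whitelist_threshold: int = 0,
           action: str = "ignore") -> str:
    """Apply postscreen_dnsbl_threshold / _whitelist_threshold / _action."""
    if 0 > whitelist_threshold >= score:   # assumption: only a negative value enables this
        return "skip-protocol-tests"
    if score >= threshold:                 # "inclusive lower bound for blocking"
        return "dnsbl-fail/" + action      # ignore, enforce or drop
    return "pass"


# Constructed configuration: two blocklists and one DNS whitelist (negative weight).
SITES = ("bl-a.example.org*2, bl-b.example.net=127.0.0.[2;4..8]*1, "
         "wl.example.com=127.0.[0..255].[1..3]*-3")

if __name__ == "__main__":
    sites = parse_sites(SITES)
    clients = {  # constructed DNS replies per client
        "listed twice": {"bl-a.example.org": ["127.0.0.2"], "bl-b.example.net": ["127.0.0.4"]},
        "filtered out": {"bl-b.example.net": ["127.0.0.3"]},
        "whitelisted": {"wl.example.com": ["127.0.5.2"]},
    }
    for name, replies in clients.items():
        score = combined_score(sites, replies)
        print(name, score, decide(score, threshold=3, whitelist_threshold=-2, action="enforce"))
```

With the default postscreen_dnsbl_action of "ignore", a client at or above the threshold is still handed off, so the result reads "dnsbl-fail/ignore" until the action is changed to enforce or drop.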

       Available in Postfix version 2.11 and later:

       <b><a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">postscreen_dnsbl_whitelist_threshold</a> (0)</b>
              Allow a remote SMTP client to skip "before" and "after 220
              greeting" protocol tests, based on its combined DNSBL score as
              defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.

<b>AFTER 220 GREETING TESTS</b>
       These tests are executed after the remote SMTP client receives the "220
       servername" greeting. If a client passes all tests during this phase,
       it will receive a 4XX response to all RCPT TO commands. After the
       client reconnects, it will be allowed to talk directly to a Postfix
       SMTP server process.

       <b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
              sends a bare newline character, that is, a newline not preceded
              by carriage return.

       <b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
              Enable "bare newline" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
              server.

       <b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
              Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.

       <b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
              List of commands that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server considers in
              violation of the SMTP protocol.

       <b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b>
              Require that a remote SMTP client sends HELO or EHLO before
              commencing a MAIL transaction.

       <b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
              sends non-SMTP commands as specified with the
              <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> parameter.

       <b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b>
              Enable "non-SMTP command" tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.

       <b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
              sends multiple commands instead of sending one command and
              waiting for the server to respond.

       <b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
              Enable "pipelining" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
              server.

<b>CACHE CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
              The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache cleanup runs.

       <b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (<a href="DATABASE_README.html#types">btree</a>:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache)</b>
              Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server decisions.

       <b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an expired
              temporary whitelist entry before it is removed.

       <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful "bare newline" SMTP protocol test.

       <b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful DNS blocklist test.

       <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful PREGREET test.

       <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful "non_smtp_command" SMTP protocol test.

       <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful "pipelining" SMTP protocol test.

<b>RESOURCE CONTROLS</b>
       <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
              Upon input, long lines are chopped up into pieces of at most
              this length; upon delivery, long lines are reconstructed.

       <b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a> ($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b>
              How many simultaneous connections any remote SMTP client is
              allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.

       <b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
              The limit on the total number of commands per SMTP session for
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.

       <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (${stress?10}${stress:300}s)</b>
              The time limit to read an entire command line with
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.

       <b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
              The number of clients that can be waiting for service from a
              real Postfix SMTP server process.

       <b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
              The number of non-whitelisted clients that can be waiting for a
              decision whether they will receive service from a real Postfix
              SMTP server process.

       <b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
              How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to respond to a
              remote SMTP client command or to perform a cache operation
              before it is terminated by a built-in watchdog timer.

<b>STARTTLS CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
              The SMTP TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server; when a
              non-empty value is specified, this overrides the obsolete
              parameters <a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>.

       <b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b>
              The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.

<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
       These parameters are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy
       parameters.

       <b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
              Opportunistic TLS: announce STARTTLS support to remote SMTP
              clients, but do not require that clients use TLS encryption.

       <b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
              Mandatory TLS: announce STARTTLS support to remote SMTP clients,
              and require that clients use TLS encryption.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a>
              configuration files.

       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The maximal number of digits after the decimal point when
              logging sub-second delay values.

       <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
              The location of all postfix administrative commands.

       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
              The maximum amount of time that an idle Postfix daemon process
              waits for an incoming connection before terminating voluntarily.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID of a Postfix command or daemon process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a Postfix command or daemon process.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              The mail system name that is prepended to the process name in
              syslog records, so that "smtpd" becomes, for example,
              "postfix/smtpd".

<b>SEE ALSO</b>
       <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
       <a href="tlsproxy.8.html">tlsproxy(8)</a>, Postfix TLS proxy server
       <a href="dnsblog.8.html">dnsblog(8)</a>, DNS black/whitelist logger
       syslogd(8), system logging

<b>README FILES</b>
       <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this software.

<b>HISTORY</b>
       This service was introduced with Postfix version 2.8.

       Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work by Michael
       Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.

<b>AUTHOR(S)</b>
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

                                                                 POSTSCREEN(8)
</pre> </body> </html>