<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - postscreen(8) </title>
</head> <body> <pre>
POSTSCREEN(8)                                                    POSTSCREEN(8)

<b>NAME</b>
       postscreen - Postfix zombie blocker

<b>SYNOPSIS</b>
       <b>postscreen</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The Postfix <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server provides additional protection against
       mail  server  overload.  One  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  process  handles  multiple
       inbound SMTP connections, and decides which clients may talk to a Post-
       fix SMTP server  process.   By  keeping  spambots  away,  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
       leaves more SMTP server processes available for legitimate clients, and
       delays the onset of server overload conditions.

       This program should not be used on SMTP ports that  receive  mail  from
       end-user clients (MUAs). In a typical deployment, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> handles
       the MX service on TCP port 25, and <a href="smtpd.8.html"><b>smtpd</b>(8)</a> receives mail from MUAs  on
       the <b>submission</b> service (TCP port 587) which requires client authentica-
       tion.  Alternatively, a site could set up a dedicated,  non-postscreen,
       "port  25" server that provides <b>submission</b> service and client authenti-
       cation, but no MX service.

       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> maintains a temporary whitelist  for  clients  that  have
       passed  a  number  of  tests.   When  an  SMTP  client  IP  address  is
       whitelisted, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off the connection  immediately  to  a
       Postfix SMTP server process. This minimizes the overhead for legitimate
       mail.

       By default, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs statistics and hands off each connection
       to a Postfix SMTP server process, while excluding clients in <a href="postconf.5.html#mynetworks">mynetworks</a>
       from all tests (primarily, to avoid  problems  with  non-standard  SMTP
       implementations  in  network  appliances).  This default mode blocks no
       clients, and is useful for non-destructive testing.

       In a typical production setting, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to  reject
       mail  from  clients  that  fail  one  or more tests. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> logs
       rejected mail with the  client  address,  helo,  sender  and  recipient
       information.

       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  is  not an SMTP proxy; this is intentional.  The purpose
       is to keep spambots away from Postfix SMTP server processes, while min-
       imizing overhead for legitimate traffic.

<b>SECURITY</b>
       The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server is moderately security-sensitive.  It talks to
       untrusted clients on the network. The process can be  run  chrooted  at
       fixed low privilege.

<b>STANDARDS</b>
       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
       <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
       <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
       Not: <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
       <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> (CHUNKING without BINARYMIME)
       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol, including multi-line 220 banners)

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.

<b>BUGS</b>
       The  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  built-in  SMTP  protocol  engine currently does not
       announce support for AUTH, XCLIENT or XFORWARD.  If you  need  to  make
       these  services  available  on port 25, then do not enable the optional
       "after 220 server greeting" tests.

       The optional "after 220 server greeting" tests may result in unexpected
       delivery delays from senders that retry email delivery from a different
       IP address.  Reason: after passing these tests a new client  must  dis-
       connect,  and  reconnect from the same IP address before it can deliver
       mail. See <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, section "Tests after the 220  SMTP  server
       greeting", for a discussion.

<b>CONFIGURATION PARAMETERS</b>
       Changes  to  <a href="postconf.5.html">main.cf</a>  are not picked up automatically, as <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
       processes may run for several hours.  Use the command "postfix  reload"
       after a configuration change.

       The  text  below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
       more details including examples.

       NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement  stress-dependent  behav-
       ior.   This  is  supported  only  when  the  default parameter value is
       stress-dependent (that is, it looks like ${stress?{X}:{Y}},  or  it  is
       the  $<i>name</i>  of  an  smtpd  parameter  with a stress-dependent default).
       Other parameters always evaluate as if the <b>stress</b>  parameter  value  is
       the empty string.

<b>COMPATIBILITY CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b>
              A mechanism to transform commands from remote SMTP clients.

       <b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a>  ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_key</a>-</b>
       <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">word_address_maps</a>)</b>
              Lookup  tables,  indexed by the remote SMTP client address, with
              case insensitive lists of EHLO keywords  (pipelining,  starttls,
              auth,  etc.)  that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
              EHLO response to a remote SMTP client.

       <b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>)</b>
              A case insensitive list of EHLO keywords (pipelining,  starttls,
              auth,  etc.)  that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the
              EHLO response to a remote SMTP client.

       Available in Postfix version 3.1 and later:

       <b><a href="postconf.5.html#dns_ncache_ttl_fix_enable">dns_ncache_ttl_fix_enable</a> (no)</b>
              Enable a workaround for future libc incompatibility.

       Available in Postfix version 3.4 and later:

       <b><a href="postconf.5.html#postscreen_reject_footer_maps">postscreen_reject_footer_maps</a> ($<a href="postconf.5.html#smtpd_reject_footer_maps">smtpd_reject_footer_maps</a>)</b>
              Optional lookup table for information that is appended  after  a
              4XX or 5XX <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response.

<b>TROUBLE SHOOTING CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b>
              List     of     characters     that     are     permitted     in
              <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions.

       <b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b>
              Optional information  that  is  appended  after  a  4XX  or  5XX
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server response.

       <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
              Safety  net to keep mail queued that would otherwise be returned
              to the sender.

<b>BEFORE-POSTSCREEN PROXY AGENT</b>
       Available in Postfix version 2.10 and later:

       <b><a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> (empty)</b>
              The  name  of  the  proxy   protocol   used   by   an   optional
              before-postscreen proxy agent.

       <b><a href="postconf.5.html#postscreen_upstream_proxy_timeout">postscreen_upstream_proxy_timeout</a> (5s)</b>
              The  time  limit  for  the  proxy  protocol  specified  with the
              <a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> parameter.

<b>PERMANENT WHITE/BLACKLIST TEST</b>
       This test is executed immediately after a remote SMTP client  connects.
       If  a  client is permanently whitelisted, the client will be handed off
       immediately to a Postfix SMTP server process.

       <b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b>
              Permanent white/blacklist for remote SMTP client IP addresses.

       <b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client is
              permanently  blacklisted with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parame-
              ter.

<b>MAIL EXCHANGER POLICY TESTS</b>
       When <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is configured to monitor all primary and  backup  MX
       addresses,  it can refuse to whitelist clients that connect to a backup
       MX address only. For small sites, this requires configuring primary and
       backup  MX  addresses on the same MTA. Larger sites would have to share
       the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache between primary and backup  MTAs,  which  would
       introduce a common point of failure.

       <b><a href="postconf.5.html#postscreen_whitelist_interfaces">postscreen_whitelist_interfaces</a> (<a href="DATABASE_README.html#types">static</a>:all)</b>
              A  list  of  local  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  server  IP  addresses where a
              non-whitelisted remote SMTP client  can  obtain  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
              temporary whitelist status.

<b>BEFORE 220 GREETING TESTS</b>
       These  tests  are  executed  before the remote SMTP client receives the
       "220 servername" greeting. If no tests remain after the successful com-
       pletion  of  this phase, the client will be handed off immediately to a
       Postfix SMTP server process.

       <b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b>
              The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.

       <b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP  client's
              combined DNSBL score is equal to or greater than a threshold (as
              defined      with      the      <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>       and
              <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> parameters).

       <b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
              A  mapping from actual DNSBL domain name which includes a secret
              password, to the DNSBL domain name that  postscreen  will  reply
              with when it rejects mail.

       <b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
              Optional list of DNS white/blacklist domains, filters and weight
              factors.

       <b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
              The inclusive lower bound for blocking  a  remote  SMTP  client,
              based   on   its  combined  DNSBL  score  as  defined  with  the
              <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.

       <b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a  remote  SMTP  client
              speaks  before  its  turn  within  the  time  specified with the
              <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.

       <b><a href="postconf.5.html#postscreen_greet_banner">postscreen_greet_banner</a> ($<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>)</b>
              The <i>text</i> in the  optional  "220-<i>text</i>..."  server  response  that
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real Postfix SMTP server's "220
              text..." response, in an attempt to confuse bad SMTP clients  so
              that they speak before their turn (pre-greet).

       <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (normal: 6s, overload: 2s)</b>
              The  amount  of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for an SMTP
              client to send a command before its turn, and for DNS  blocklist
              lookup results to arrive (default: up to 2 seconds under stress,
              up to 6 seconds otherwise).

       <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
              The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> hands off  allowed  con-
              nections to.

       Available in Postfix version 2.11 and later:

       <b><a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">postscreen_dnsbl_whitelist_threshold</a> (0)</b>
              Allow  a  remote  SMTP  client  to  skip "before" and "after 220
              greeting" protocol tests, based on its combined DNSBL  score  as
              defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.

       Available in Postfix version 3.0 and later:

       <b><a href="postconf.5.html#postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a> (10s)</b>
              The time limit for DNSBL or DNSWL lookups.

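       Added example, not part of the Postfix manual or source code: a
       Python model of how postscreen_dnsbl_sites entries (domain, optional
       reply filter, optional weight factor) add up to the combined DNSBL
       score that is compared with postscreen_dnsbl_threshold and
       postscreen_dnsbl_whitelist_threshold. The domain[=filter][*weight]
       syntax follows postconf(5); the function names, the *.example
       domains, the thresholds and the DNS replies are constructed.

```python
import re

# Constructed sample value for postscreen_dnsbl_sites (reserved .example names).
SITES = ("bl1.example=127.0.0.[2..11]*2, bl2.example=127.0.0.2 "
         "bl3.example wl.example=127.0.[0..255].[1;3]*-2")


def parse_sites(value):
    """Split a postscreen_dnsbl_sites value into (domain, filter, weight)."""
    sites = []
    for entry in value.replace(",", " ").split():
        rest, star, weight = entry.partition("*")
        domain, _, reply_filter = rest.partition("=")
        # No "*weight" means weight 1; no "=filter" means any reply counts.
        sites.append((domain.lower(), reply_filter or None,
                      int(weight) if star else 1))
    return sites


def octet_matches(pattern, octet):
    """Match one octet against 'd' or a '[d;d..d]' list of numbers/ranges."""
    if pattern.startswith("[") and pattern.endswith("]"):
        for part in pattern[1:-1].split(";"):
            low, dots, high = part.partition("..")
            if int(high if dots else low) >= octet >= int(low):
                return True
        return False
    return int(pattern) == octet


def reply_matches(reply_filter, reply):
    """True when a DNSBL A record matches a d.d.d.d filter pattern."""
    # Bracket-aware split: the ".." inside "[2..11]" is not a field separator.
    fields = re.findall(r"\[[^\]]*\]|\d+", reply_filter)
    octets = [int(o) for o in reply.split(".")]
    return (len(fields) == 4 == len(octets)
            and all(octet_matches(f, o) for f, o in zip(fields, octets)))


def dnsbl_score(sites, replies):
    """Sum the weights of all entries that list the client.

    replies maps a DNSBL domain to the A records returned for this client;
    a missing or empty list means the client is not listed there.
    """
    score = 0
    for domain, reply_filter, weight in sites:
        records = replies.get(domain, [])
        if reply_filter is None:
            listed = bool(records)
        else:
            listed = any(reply_matches(reply_filter, r) for r in records)
        if listed:
            score += weight
    return score


def verdict(score, threshold=1, whitelist_threshold=0):
    """Compare the combined score with both thresholds (manual defaults)."""
    # The whitelist threshold only takes effect when it is negative.
    if 0 > whitelist_threshold and whitelist_threshold >= score:
        return "skip-tests"   # client may skip the remaining protocol tests
    if score >= threshold:    # inclusive lower bound
        return "dnsbl-fail"   # postscreen_dnsbl_action applies
    return "dnsbl-pass"


if __name__ == "__main__":
    sites = parse_sites(SITES)
    # Constructed DNS answers per client.
    clients = {
        "two blocklists": {"bl1.example": ["127.0.0.4"],
                           "bl2.example": ["127.0.0.2"]},
        "reply outside filter": {"bl1.example": ["127.0.0.255"]},
        "whitelisted sender": {"bl3.example": ["127.0.0.9"],
                               "wl.example": ["127.0.5.1"]},
    }
    for name, replies in clients.items():
        score = dnsbl_score(sites, replies)
        print(name, score, verdict(score, threshold=3, whitelist_threshold=-1))
```

       With the default postscreen_dnsbl_action of "ignore", a "dnsbl-fail"
       result is logged but the client is not blocked.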
<b>AFTER 220 GREETING TESTS</b>
       These tests are executed after the remote SMTP client receives the "220
       servername" greeting. If a client passes all tests during  this  phase,
       it  will  receive  a  4XX  response  to all RCPT TO commands. After the
       client reconnects, it will be allowed to talk  directly  to  a  Postfix
       SMTP server process.

       <b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
              The  action  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a remote SMTP client
              sends a bare newline character, that is, a newline not  preceded
              by carriage return.

       <b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
              Enable  "bare  newline" SMTP protocol tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
              server.

       <b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
              Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.

       <b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
              List of commands that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server considers in vio-
              lation of the SMTP protocol.

       <b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b>
              Require that a remote SMTP client sends HELO or EHLO before com-
              mencing a MAIL transaction.

       <b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a  remote  SMTP  client
              sends non-SMTP commands as specified with the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbid</a>-
              <a href="postconf.5.html#postscreen_forbidden_commands">den_commands</a> parameter.

       <b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b>
              Enable "non-SMTP command" tests in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.

       <b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
              The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when a  remote  SMTP  client
              sends multiple commands instead of sending one command and wait-
              ing for the server to respond.

       <b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
              Enable "pipelining" SMTP protocol  tests  in  the  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
              server.

<b>CACHE CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
              The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache cleanup runs.

       <b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (<a href="DATABASE_README.html#types">btree</a>:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache)</b>
              Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server decisions.

       <b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an expired tem-
              porary whitelist entry before it is removed.

       <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful "bare newline" SMTP protocol test.

       <b><a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a></b>
       <b>(${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b>
              The  maximum  amount  of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
              result from a successful  DNS-based  reputation  test  before  a
              client IP address is required to pass that test again.

       <b><a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a> (60s)</b>
              The  minimum  amount  of  time  that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
              result from a successful  DNS-based  reputation  test  before  a
              client IP address is required to pass that test again.

       <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful PREGREET test.

       <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful "non_smtp_command" SMTP protocol test.

       <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a
              successful "pipelining" SMTP protocol test.

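       Added example, not part of the Postfix manual or source code: a
       simplified Python model of the temporary whitelist, with one expiry
       time per client IP address and test. It shows why a client that
       passes the "after 220 server greeting" tests is deferred once, and
       why retries from a different IP address (see BUGS) are deferred
       again. The TTL values are the defaults listed above; the class and
       function names, the 192.0.2.x addresses and the retry times are
       constructed, and every modelled client is assumed to pass all tests.

```python
DAY = 86400

# Result lifetimes in seconds, using the defaults listed under CACHE CONTROLS.
TTL = {
    "pregreet": 1 * DAY,            # postscreen_greet_ttl (1d)
    "dnsbl": 3600,                  # postscreen_dnsbl_max_ttl (default 1h)
    "pipelining": 30 * DAY,         # postscreen_pipelining_ttl (30d)
    "non_smtp_command": 30 * DAY,   # postscreen_non_smtp_command_ttl (30d)
    "bare_newline": 30 * DAY,       # postscreen_bare_newline_ttl (30d)
}
BEFORE_220 = ("pregreet", "dnsbl")
AFTER_220 = ("pipelining", "non_smtp_command", "bare_newline")

HANDOFF_CACHED = "handoff: all cached results still valid"
HANDOFF_NEW = "handoff: before-220 tests passed in this session"
DEFERRED = "4XX on RCPT TO: client must reconnect"


class TemporaryWhitelist:
    """Simplified model: one expiry time per (client IP address, test)."""

    def __init__(self, enabled_tests):
        self.enabled = tuple(enabled_tests)
        self.expiry = {}   # client IP -> {test name: expiry time}

    def pending(self, ip, now):
        """Enabled tests with no unexpired result for this address."""
        entry = self.expiry.get(ip, {})
        return [test for test in self.enabled if now >= entry.get(test, 0)]

    def connect(self, ip, now):
        """Model one connection at time `now` (seconds) from a good client."""
        todo = self.pending(ip, now)
        if not todo:
            return HANDOFF_CACHED
        entry = self.expiry.setdefault(ip, {})
        for test in todo:               # the modelled client passes each test
            entry[test] = now + TTL[test]
        if any(test in AFTER_220 for test in todo):
            # postscreen(8) ran its own SMTP engine for this session, so no
            # mail is accepted until the client reconnects from this address.
            return DEFERRED
        return HANDOFF_NEW


def first_delivery(whitelist, attempts):
    """Return the time of the first attempt that reaches smtpd(8).

    attempts is a list of (time, source IP address) pairs in time order;
    None means that every attempt was deferred.
    """
    for now, ip in attempts:
        if whitelist.connect(ip, now).startswith("handoff"):
            return now
    return None


if __name__ == "__main__":
    all_tests = BEFORE_220 + AFTER_220
    # Constructed retry schedules (seconds, source address).
    same_ip = [(0, "192.0.2.10"), (300, "192.0.2.10")]
    rotating = [(0, "192.0.2.10"), (300, "192.0.2.11"),
                (900, "192.0.2.12"), (2100, "192.0.2.10")]
    print("before-220 only :", first_delivery(TemporaryWhitelist(BEFORE_220),
                                              same_ip))
    print("after-220, 1 IP :", first_delivery(TemporaryWhitelist(all_tests),
                                              same_ip))
    print("after-220, pool :", first_delivery(TemporaryWhitelist(all_tests),
                                              rotating))
```

       In this model an expired DNSBL result alone does not delay mail; only
       an expired or missing "after 220 server greeting" result costs the
       client a reconnect.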
<b>RESOURCE CONTROLS</b>
       <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
              Upon input, long lines are chopped up into  pieces  of  at  most
              this length; upon delivery, long lines are reconstructed.

       <b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a>         ($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connec</a>-</b>
       <b><a href="postconf.5.html#smtpd_client_connection_count_limit">tion_count_limit</a>)</b>
              How  many  simultaneous  connections  any  remote SMTP client is
              allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.

       <b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
              The limit on the total number of commands per SMTP  session  for
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.

       <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (normal: 300s, overload: 10s)</b>
              The   time   limit   to   read   an  entire  command  line  with
              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.

       <b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
              The number of clients that can be waiting  for  service  from  a
              real Postfix SMTP server process.

       <b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
              The  number of non-whitelisted clients that can be waiting for a
              decision whether they will receive service from a  real  Postfix
              SMTP server process.

       <b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
              How  much  time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to respond to a
              remote SMTP client command  or  to  perform  a  cache  operation
              before it is terminated by a built-in watchdog timer.

<b>STARTTLS CONTROLS</b>
       <b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
              The SMTP TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server; when a
              non-empty value is specified, this overrides the obsolete param-
              eters <a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>.

       <b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b>
              The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.

<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
       These  parameters  are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy
       parameters.

       <b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
              Opportunistic TLS: announce  STARTTLS  support  to  remote  SMTP
              clients, but do not require that clients use TLS encryption.

       <b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
              Mandatory TLS: announce STARTTLS support to remote SMTP clients,
              and require that clients use TLS encryption.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and  <a href="master.5.html">master.cf</a>  con-
              figuration files.

       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The  maximal  number of digits after the decimal point when log-
              ging sub-second delay values.

       <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
              The location of all postfix administrative commands.

       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
              The maximum amount of time that an idle Postfix  daemon  process
              waits for an incoming connection before terminating voluntarily.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID of a Postfix command or daemon process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a Postfix command or daemon process.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              A prefix that  is  prepended  to  the  process  name  in  syslog
              records, so that, for example, "smtpd" becomes "prefix/smtpd".

       Available in Postfix 3.3 and later:

       <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b>
              The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process.

       Available in Postfix 3.5 and later:

       <b>info_log_address_format (external)</b>
              The  email  address  form that will be used in non-debug logging
              (info, warning, etc.).

<b>SEE ALSO</b>
       <a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
       <a href="tlsproxy.8.html">tlsproxy(8)</a>, Postfix TLS proxy server
       <a href="dnsblog.8.html">dnsblog(8)</a>, DNS black/whitelist logger
       <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging
       syslogd(8), system logging

<b>README FILES</b>
       <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this software.

<b>HISTORY</b>
       This service was introduced with Postfix version 2.8.

       Many  ideas  in  <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work by Michael
       Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.

<b>AUTHOR(S)</b>
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

                                                                 POSTSCREEN(8)
</pre> </body> </html>