diff --git a/postfix/.indent.pro b/postfix/.indent.pro index c229c2ce6..5951928c3 100644 --- a/postfix/.indent.pro +++ b/postfix/.indent.pro @@ -57,6 +57,7 @@ -TDELIVER_REQUEST -TDELTA_TIME -TDICT +-TDICT_CACHE -TDICT_CDBM -TDICT_CDBQ -TDICT_CIDR diff --git a/postfix/HISTORY b/postfix/HISTORY index 2cee54e8d..3911a4883 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -15453,7 +15453,7 @@ Apologies for any names omitted. 20091023 - Feature: specify "smtp_command_filter = pcre:/file/name" + Feature: specify "smtpd_command_filter = pcre:/file/name" to replace remote SMTP client commands before they are executed by the Postfix SMTP server. This a last-resort tool to fix inter-operability problems. See examples in 
@@ -15563,3 +15563,42 @@ Apologies for any names omitted. Cleanup: the postscreen daemon now applies the permanent whitelist first. It is a safety feature that prevents mail from being blocked. File: postscreeb/postscreen.c. + +20091224 + + Bugfix (introduced 20041215): dict_dbm_sequence() did not + release the shared lock when the end of the sequence was + reached. File: util/dict_dbm.c. + +20091227 + + Cleanup: postscreen and verify periodic cache cleanup + (default: 12 hours after the previous cache cleanup run). + This is based on a new dict_cache(3) module that implements + a generalized version of the tlsmgr(8) cache maintenance + code. Once the new dict_cache(3) code is burned in, the + tlsmgr(8) will be migrated to it. See the RELEASE_NOTES for + user interface details. Files: util/htable.[hc], util/dict_ht.c, + util/dict_cache.[hc], postscreen/postscreen.c, verify/verify.c. + + Bugfix: the event handler starved I/O events when a timer + call-back routine scheduled a zero-delay timer request. + This bug was exposed when adding the new dict_cache(3) + module for cache expiration. File: util/events.c. + +20091228 + + Cleanup: postscreen and verify periodic cache cleanup is + now optional (specify a null time interval between cache + cleanup runs). + +20091229 + + Cleanup: the address_verify_poll_count default parameter + value is now stress-dependent, so that the Postfix SMTP + server will not wait (up to 6 seconds) for the address + verification result. File: global/mail_params.h. + + Final slution for the I/O event starvation problem when a + timer call-back schedules a zero-delay timer request. File: + util/events.c. diff --git a/postfix/README_FILES/SMTPD_PROXY_README b/postfix/README_FILES/SMTPD_PROXY_README index 27e3eb762..8aadb4a9a 100644 --- a/postfix/README_FILES/SMTPD_PROXY_README +++ b/postfix/README_FILES/SMTPD_PROXY_README 
@@ -36,23 +36,28 @@ This document describes the following topics: PPrriinncciipplleess ooff ooppeerraattiioonn -The before-filter Postfix SMTP server accepts connections from the Internet and -does the usual relay access control, SASL authentication, TLS negotiation, RBL -lookups, rejecting non-existent sender or recipient addresses, etc. The before- -queue filter receives unfiltered mail content from Postfix and does one of the -following: +As shown in the diagram above, the before-queue filter sits between two Postfix +SMTP server processes. - 1. Re-inject the mail back into Postfix via SMTP, perhaps after changing its - content and/or destination. + * The before-filter Postfix SMTP server accepts connections from the Internet + and does the usual relay access control, SASL authentication, TLS + negotiation, RBL lookups, rejecting non-existent sender or recipient + addresses, etc. - 2. Discard or quarantine the mail. + * The before-queue filter receives unfiltered mail content from Postfix and + does one of the following: - 3. Reject the mail by sending a suitable SMTP status code back to Postfix. - Postfix passes the status back to the remote SMTP client. This way, Postfix - does not have to send a bounce message. + 1. Re-inject the mail back into Postfix via SMTP, perhaps after changing + its content and/or destination. -The after-filter Postfix SMTP server receives mail from the content filter. -From then on Postfix processes the mail as usual. + 2. Discard or quarantine the mail. + + 3. Reject the mail by sending a suitable SMTP status code back to Postfix. + Postfix passes the status back to the remote SMTP client. This way, + Postfix does not have to send a bounce message. + + * The after-filter Postfix SMTP server receives mail from the content filter. + From then on Postfix processes the mail as usual. The before-queue content filter described here works just like the after-queue content filter described in the FILTER_README document. 
In many cases you can diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index a7cba8714..95f1d77df 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -14,6 +14,33 @@ specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6 before proceeding. +Incompatibility with snapshot 20091229 +====================================== + +The verify(8) service now uses a persistent cache by default +(address_verify_map = btree:$data_directory/verify_cache). To +disable, specify "address_verify_map =" in main.cf. + +When periodic cache cleanup is enabled (the default), the postscreen(8) +and verify(8) servers now require that their cache databases support +the "delete" and "sequence" operations. To disable periodic cache +cleanup specify a zero xxx_cache_cleanup_interval. + +Major changes with snapshot 20091229 +==================================== + +Periodic cache cleanup for the postscreen(8) and verify(8) cache +databases. The time between cache cleanup runs is controlled with +the address_verify_cache_cleanup_interval (default: 12h) and +postscreen_cache_cleanup_interval (default: 12h) parameters. Cache +cleanup increases the database access latency, so this should not +be run more often than necessary. + +In addition, the postscreen_cache_retention_time (default: 1d) +parameter specifies how long to keep an expired entry in the cache. +This prevents a client from being logged as "NEW" after its record +expired only a little while ago. + Incompatibility with snapshot 20091209 ====================================== 
@@ -112,11 +139,12 @@ without blocking mail: 1 - Comment out the "smtp inet ... smtpd" service in master.cf, including any "-o parameter=value" entries that follow. -2 - Uncomment the new "smtpd pass ... smtpd" service in master.cf. +2 - Uncomment the new "smtpd pass ... smtpd" service in master.cf, + and duplicate any "-o parameter=value" entries from the smtpd + service that was commented out in step 1. 3 - Uncomment the the new "smtp inet ... postscreen" service in - master.cf, and duplicate any "-o parameter=value" entries from - the smtpd service that was commented out in step 1. + master.cf. 4 - Uncomment the new "dnsblog unix ... dnsblog" service in master.cf. This service does DNSBL lookups for postscreen(8) diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 6430c0a72..38337c5cf 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -2,11 +2,25 @@ Wish list: Remove this file from the stable release. + It would be nice if the generic dict_cache(3) cache manager + could postpone process suicide until cache cleanup is + completed (but that is not possible when postscreen forks + into the background to finish already-accepted connections). + + When postscreen drops a connection, a 521 "greeting" should + be of the form "521 servername..." and not have an enhanced + status code. The "521 5.7.1" form can be used after EHLO. + Of course no spammer is going to complain about Postfix + SMTP compliance. + Find a place to document all the mail routing mechanisms in one place so people can figure out how Postfix works. owner-listname does not work for shell commands. + Investigate viability of Sendmail socket maps (the moral + equivalent of tcp_table(5)), and dns maps. + The BCC action is marked "not stable", perhaps because people would also expect BCC actions in header/body_checks. How much would it take to make the queue file editing code diff --git a/postfix/html/SMTPD_PROXY_README.html b/postfix/html/SMTPD_PROXY_README.html index 6fc463c22..52702112e 100644 
--- a/postfix/html/SMTPD_PROXY_README.html +++ b/postfix/html/SMTPD_PROXY_README.html @@ -108,11 +108,18 @@ filter
The before-filter Postfix SMTP server accepts connections from the +
As shown in the diagram above, the before-queue filter sits +between two Postfix SMTP server processes.
+ +The before-filter Postfix SMTP server accepts connections from the Internet and does the usual relay access control, SASL authentication, TLS negotiation, RBL lookups, rejecting non-existent sender or recipient addresses, -etc. The before-queue filter receives unfiltered mail content from +etc.
+ +The before-queue filter receives unfiltered mail content from Postfix and does one of the following:
The after-filter Postfix SMTP server receives mail from the +
The after-filter Postfix SMTP server receives mail from the content filter. From then on Postfix processes the mail as usual.
+The before-queue content filter described here works just like the after-queue content filter described in the FILTER_README document. In many cases you can use the same software, within the diff --git a/postfix/html/cleanup.8.html b/postfix/html/cleanup.8.html index ff8859c1f..70e5e4098 100644 --- a/postfix/html/cleanup.8.html +++ b/postfix/html/cleanup.8.html @@ -58,8 +58,10 @@ CLEANUP(8) CLEANUP(8) RFC 822 (ARPA Internet Text Messages) RFC 2045 (MIME: Format of Internet Message Bodies) RFC 2046 (MIME: Media Types) + RFC 2822 (Internet Message Format) RFC 3463 (Enhanced Status Codes) RFC 3464 (Delivery status notifications) + RFC 5322 (Internet Message Format) DIAGNOSTICS Problems and transactions are logged to syslogd(8). diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 9465bd00c..83c9a2abe 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -119,6 +119,23 @@ Do not change this unless you have a complete understanding of address_verify_cache_cleanup_interval +(default: 12h)
The amount of time between verify(8) cache cleanup runs. Cache +cleanup increases the load on the cache database and should therefore +not be run frequently. This feature requires that the cache database +supports the "delete" and "sequence" operators. Specify a zero +interval to disable cache cleanup.
+ +Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks).
+ +This feature is available in Postfix 2.7.
+ +How many times to query the verify(8) service for the completion @@ -257,12 +274,16 @@ of an address verification request in progress.
-The default poll count is 3. +With Postfix version 2.7 and later, the SMTP server polls the +verify(8) service up to three times under non-overload conditions, +and only once when under overload. With earlier Postfix versions, +the SMTP server always polls the verify(8) service up to three +times.
Specify 1 to implement a crude form of greylisting, that is, always -defer the first delivery request for a never seen before address. +defer the first delivery request for a new address.
@@ -6561,6 +6582,23 @@ never uses the remote SMTP client hostname.
This feature is available in Postfix 2.7.
+The amount of time between postscreen(8) cache cleanup runs. +Cache cleanup increases the load on the cache database and should +therefore not be run frequently. This feature requires that the +cache database supports the "delete" and "sequence" operators. +Specify a zero interval to disable cache cleanup.
+ +Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks).
+ +This feature is available in Postfix 2.7.
+ +This feature is available in Postfix 2.7.
+ + +The amount of time that postscreen(8) will cache an expired +temporary whitelist entry before it is removed. This prevents clients +from being logged as "NEW" just because their cache entry expired +an hour ago.
+ +Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks).
+ +This feature is available in Postfix 2.7.
+ +The amount of time that postscreen(8) will cache a decision for a specific SMTP client IP address. During this time, the client IP address is excluded from tests. If possible, expired decisions are -renewed silently. Specify a non-zero time value (an integral value -plus an optional one-letter suffix that specifies the time unit). -
+renewed automatically. Specify a non-zero time value (an integral +value plus an optional one-letter suffix that specifies the time +unit).Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
@@ -6661,7 +6715,8 @@ IP address.The text in the optional "220-text..." server response that +
The text in the optional "220-text..." server +response that postscreen(8) sends ahead of the real Postfix SMTP server's "220 text..." response, in an attempt to confuse bad SMTP clients so that they speak before their turn (pre-greet). Specify an empty @@ -8905,7 +8960,7 @@ invalid responses.
In the case of a multi-line reply, the Postfix SMTP client -uses the last reply line's numerical SMTP reply code and enhanced +uses the final reply line's numerical SMTP reply code and enhanced status code.
The numerical SMTP reply code (XYZ) takes precedence over @@ -8924,16 +8979,16 @@ server, except that the trailing <CR><LF> are removed.
/etc/postfix/main.cf: - smtp_reply_filter = pcre:/etc/postfix/command_filter + smtp_reply_filter = pcre:/etc/postfix/reply_filter
/etc/postfix/reply_filter: - # Transform garbage into part of a multi-line reply. Note - # that the Postfix SMTP client uses only the last numerical - # SMTP reply code and enhanced status code from a multi-line - # reply, so it does not matter what we substitute here as - # long as it has the right syntax. + # Transform garbage into "250-filler..." so that it looks like + # one line from a multi-line reply. It does not matter what we + # substitute here as long it has the right syntax. The Postfix + # SMTP client will use the final line's numerical SMTP reply + # code and enhanced status code. !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage@@ -11226,6 +11281,20 @@ except that initial whitespace and the trailing <CR><LF> are removed. The result value is executed by the Postfix SMTP server. +
Postfix already implements a number of workarounds for malformed +client commands.
+ +Use "resolve_numeric_domain = yes" to accept "user@ipaddress" +Postfix already accepts the correct form "user@[ipaddress]". +
+ +Use "strict_rfc821_envelopes = no" to accept "User Name +<user@example.com>".
+ +Examples:
@@ -11557,8 +11626,9 @@ it changes under overload to just 1 with Postfix 2.6 and later. (default: no)
-Require that a remote SMTP client introduces itself at the beginning -of an SMTP session with the HELO or EHLO command. +Require that a remote SMTP client introduces itself with the HELO +or EHLO command before sending the MAIL command or other commands +that require EHLO negotiation.
@@ -12800,12 +12870,12 @@ inside the chroot jail.
By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast -to smtp_tls_CAfile, DNs of certificate authorities installed +to smtpd_tls_CAfile, DNs of certificate authorities installed in $smtpd_tls_CApath are not included in the client certificate request message. MUAs with multiple client certificates may use the list of preferred certificate authorities to select the correct client certificate. You may want to put your "preferred" CA or -CAs in $smtp_tls_CAfile, and install the remaining trusted CAs in +CAs in $smtpd_tls_CAfile, and install the remaining trusted CAs in $smtpd_tls_CApath.
Example:
diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html index 836d3f92d..a0abf42cc 100644 --- a/postfix/html/postscreen.8.html +++ b/postfix/html/postscreen.8.html 
@@ -14,26 +14,34 @@ POSTSCREEN(8) POSTSCREEN(8) DESCRIPTION The Postfix postscreen(8) server performs triage on multi- - ple inbound SMTP connections in parallel. The program can - run in two basic modes. + ple inbound SMTP connections in parallel. By running + time-consuming tests in parallel in postscreen(8), zombies + and other bogus clients can be kept away from Postfix SMTP + server processes. Thus, more Postfix SMTP server processes + remain available for legitimate clients. - The purpose of observation mode is to collect statistics - without actually blocking mail. postscreen(8) runs a num- - ber of tests before it forwards a connection to a real - SMTP server process. These tests introduce a delay of a - few seconds; once a client passes the tests as "clean", - its IP address is temporarily whitelisted and subsequent - connections incur no delays until the temporary whitelist - entry expires. + This triage process involves a number of tests, documented + below. The tests introduce a delay of a few seconds; once + a client passes the tests, its IP address is temporarily + whitelisted, typically for 24 hours. - The purpose of enforcement mode is to block mail without - using up one Postfix SMTP server process for every connec- - tion. Here, postscreen(8) terminates connections from - SMTP clients that fail the above tests, and forwards only - the remaining connections to a real SMTP server process. - By running time-consuming spam tests in parallel in - postscreen(8), more Postfix SMTP server processes remain - available for legitimate clients. + The program can run in two basic modes. + + Observation mode + postscreen(8) reports the results of the tests, and + forwards all connections to a real Postfix SMTP + server process. + + Enforcement mode + postscreen(8) reports the results of the tests, but + forwards only connections to a real SMTP server + process from clients that passed the tests. 
+ + postscreen(8) disconnects clients that fail the + tests, after sending a 521 status message (a future + version may pass the connection to a dummy SMTP + protocol engine that logs sender and recipient + information). Note: postscreen(8) is not an SMTP proxy; this is inten- tional. The purpose is to prioritize legitimate clients 
@@ -44,144 +52,145 @@ POSTSCREEN(8) POSTSCREEN(8) 1. PERMANENT WHITELIST TEST The postscreen_whitelist_networks parameter (default: $mynetworks) specifies a permanent whitelist for SMTP - client IP addresses. This feature is not used for - addresses that appear on the permanent blacklist. + client IP addresses. - When the SMTP client address matches the permanent + When the SMTP client address matches the permanent whitelist, this is logged as: WHITELISTED address - The action is not configurable: immediately forward the + The action is not configurable: immediately forward the connection to a real SMTP server process. 2. PERMANENT BLACKLIST TEST - The postscreen_blacklist_networks parameter (default: - empty) specifies a permanent blacklist for SMTP client IP + The postscreen_blacklist_networks parameter (default: + empty) specifies a permanent blacklist for SMTP client IP addresses. The address syntax is as with mynetworks. - When the SMTP client address matches the permanent black- + When the SMTP client address matches the permanent black- list, this is logged as: BLACKLISTED address - The postscreen_blacklist_action parameter specifies the + The postscreen_blacklist_action parameter specifies the action that is taken next: continue (default, observation mode) - Continue with the SMTP GREETING PHASE TESTS below. + Continue with the SMTP GREETING PHASE TESTS below. drop (enforcement mode) - Drop the connection immediately with a 521 SMTP - reply. In a future implementation, the connection - may instead be passed to a dummy SMTP protocol - engine that logs sender and recipient information. + Drop the connection immediately with a 521 SMTP + reply. In a future implementation, the connection + may instead be passed to a dummy SMTP protocol + engine that logs sender and recipient information. 3. TEMPORARY WHITELIST TEST - The postscreen(8) daemon maintains a temporary whitelist - for SMTP client IP addresses that have passed all the - tests described below. 
The postscreen_cache_map parameter - specifies the location of the temporary whitelist. The - temporary whitelist is not used for SMTP client addresses + The postscreen(8) daemon maintains a temporary whitelist + for SMTP client IP addresses that have passed all the + tests described below. The postscreen_cache_map parameter + specifies the location of the temporary whitelist. The + temporary whitelist is not used for SMTP client addresses that appear on the permanent blacklist or whitelist. - When the SMTP client address appears on the temporary + When the SMTP client address appears on the temporary whitelist, this is logged as: PASS OLD address - The action is not configurable: immediately forward the - connection to a real SMTP server process. The client is - excluded from further tests until its temporary whitelist + The action is not configurable: immediately forward the + connection to a real SMTP server process. The client is + excluded from further tests until its temporary whitelist entry expires, as controlled with the postscreen_cache_ttl parameter. Expired entries are silently renewed if possi- ble. 4. SMTP GREETING PHASE TESTS - The postscreen_greet_wait parameter specifies a time + The postscreen_greet_wait parameter specifies a time interval during which postscreen(8) runs a number of tests - as described below. These tests run before the client may - see the real SMTP server's "220 text..." server greeting. + in parallel. These tests are described below, and are run + before the client may see the real SMTP server's "220 + text..." server greeting. 
- When the SMTP client passes all the tests, this is logged - as: + When the SMTP client passes all greeting-phase tests, this + is logged as: PASS NEW address - The action is to forward the connection to a real SMTP - server process and to create a temporary whitelist entry - that excludes the client IP address from further tests + The action is to forward the connection to a real SMTP + server process and to create a temporary whitelist entry + that excludes the client IP address from further tests until the temporary whitelist entry expires, as controlled with the postscreen_cache_ttl parameter. - In a future implementation, the connection may first be - passed to a dummy SMTP protocol engine that implements - more protocol tests including greylisting, before the + In a future implementation, the connection may first be + passed to a dummy SMTP protocol engine that implements + more protocol tests including greylisting, before the client is allowed to talk to a real SMTP server process. 4A. PREGREET TEST - The postscreen_greet_banner parameter specifies the text - for a "220-text..." teaser banner (default: $smtpd_ban- - ner). The postscreen(8) daemon sends this before the - postscreen_greet_wait timer is started. The purpose of - the teaser banner is to confuse SPAM clients so that they - speak before their turn. It has no effect on SMTP clients - that correctly implement the protocol. + The postscreen_greet_banner parameter specifies the text + portion of a "220-text..." teaser banner (default: + $smtpd_banner). The postscreen(8) daemon sends this + before the postscreen_greet_wait timer is started. The + purpose of the teaser banner is to confuse SPAM clients so + that they speak before their turn. It has no effect on + SMTP clients that correctly implement the protocol. 
- To avoid problems with broken SMTP engines in network - appliances, either exclude them from all tests with the - postscreen_whitelist_networks feature or else specify an - empty postscreen_greet_banner value to disable the + To avoid problems with broken SMTP engines in network + appliances, either exclude them from all tests with the + postscreen_whitelist_networks feature or else specify an + empty postscreen_greet_banner value to disable the "220-text..." teaser banner. - When an SMTP client sends a command before the + When an SMTP client sends a command before the postscreen_greet_wait time has elapsed, this is logged as: PREGREET count after time from address text... Translation: the client at address sent count bytes before - its turn to speak, and this happened time seconds after - the postscreen_greet_wait timer was started. The text is - what the client sent (truncated to 100 bytes, and with + its turn to speak, and this happened time seconds after + the postscreen_greet_wait timer was started. The text is + what the client sent (truncated to 100 bytes, and with non-printable characters replaced with "?"). The postscreen_greet_action parameter specifies the action that is taken next: continue (default, observation mode) - Wait until the postscreen_greet_wait time has + Wait until the postscreen_greet_wait time has elapsed, then report DNSBL lookup results if appli- cable. Either perform DNSBL-related actions or for- - ward the connection to a real SMTP server process. + ward the connection to a real SMTP server process. drop (enforcement mode) - Drop the connection immediately with a 521 SMTP - reply. In a future implementation, the connection - may instead be passed to a dummy SMTP protocol - engine that logs sender and recipient information. + Drop the connection immediately with a 521 SMTP + reply. In a future implementation, the connection + may instead be passed to a dummy SMTP protocol + engine that logs sender and recipient information. 4B. 
HANGUP TEST - When the SMTP client hangs up without sending any data + When the SMTP client hangs up without sending any data before the postscreen_greet_wait time has elapsed, this is logged as: HANGUP after time from address - The postscreen_hangup_action specifies the action that is + The postscreen_hangup_action specifies the action that is taken next: continue (default, observation mode) - Wait until the postscreen_greet_wait time has + Wait until the postscreen_greet_wait time has elapsed, then report DNSBL lookup results if appli- - cable. Do not forward the broken connection to a + cable. Do not forward the broken connection to a real SMTP server process. drop (enforcement mode) Drop the connection immediately. 4C. DNS BLOCKLIST TEST - The postscreen_dnsbl_sites parameter (default: empty) - specifies a list of DNS blocklist servers. + The postscreen_dnsbl_sites parameter (default: empty) + specifies a list of DNS blocklist servers. These lookups + are made in parallel. When the postscreen_greet_wait time has elapsed, and the SMTP client address is listed with at least one of these @@ -237,14 +246,6 @@ POSTSCREEN(8) POSTSCREEN(8) see the postscreen_blacklist_action parameter for possible actions. - postscreen_cache_map (btree:$data_directory/ps_whitelist) - Persistent storage for the postscreen(8) server - decisions. - - postscreen_cache_ttl (1d) - The amount of time that postscreen(8) will cache a - decision for a specific SMTP client IP address. - postscreen_dnsbl_action (continue) The action that postscreen(8) takes when an SMTP client is listed at the DNS blocklist domains spec- 
@@ -259,7 +260,7 @@ POSTSCREEN(8) POSTSCREEN(8) ified with the postscreen_greet_wait parameter. postscreen_greet_banner ($smtpd_banner) - The text in the optional "220-text..." server + The text in the optional "220-text..." server response that postscreen(8) sends ahead of the real Postfix SMTP server's "220 text..." response, in an attempt to confuse bad SMTP clients so that they @@ -294,22 +295,40 @@ POSTSCREEN(8) POSTSCREEN(8) The internal service that postscreen(8) forwards allowed connections to. +CACHE CONTROLS + postscreen_cache_cleanup_interval (12h) + The amount of time between postscreen(8) cache + cleanup runs. + + postscreen_cache_map (btree:$data_directory/ps_whitelist) + Persistent storage for the postscreen(8) server + decisions. + + postscreen_cache_retention_time (1d) + The amount of time that postscreen(8) will cache an + expired temporary whitelist entry before it is + removed. + + postscreen_cache_ttl (1d) + The amount of time that postscreen(8) will cache a + decision for a specific SMTP client IP address. + MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal + The maximal number of digits after the decimal point when logging sub-second delay values. command_directory (see 'postconf -d' output) - The location of all postfix administrative com- + The location of all postfix administrative com- mands. ipc_timeout (3600s) 
@@ -317,24 +336,24 @@ POSTSCREEN(8) POSTSCREEN(8) over an internal communication channel. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for an incoming connection + The maximum amount of time that an idle Postfix + daemon process waits for an incoming connection before terminating voluntarily. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". SEE ALSO @@ -343,7 +362,7 @@ POSTSCREEN(8) POSTSCREEN(8) syslogd(8), system logging LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 9685afcc5..c5bf71c69 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html 
@@ -906,123 +906,124 @@ SMTPD(8) SMTPD(8) smtpd_helo_required (no) Require that a remote SMTP client introduces itself - at the beginning of an SMTP session with the HELO - or EHLO command. + with the HELO or EHLO command before sending the + MAIL command or other commands that require EHLO + negotiation. smtpd_helo_restrictions (empty) - Optional restrictions that the Postfix SMTP server + Optional restrictions that the Postfix SMTP server applies in the context of the SMTP HELO command. smtpd_sender_restrictions (empty) - Optional restrictions that the Postfix SMTP server + Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command. smtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination) The access restrictions that the Postfix SMTP - server applies in the context of the RCPT TO com- + server applies in the context of the RCPT TO com- mand. smtpd_etrn_restrictions (empty) - Optional SMTP server access restrictions in the + Optional SMTP server access restrictions in the context of a client ETRN request. allow_untrusted_routing (no) - Forward mail with sender-specified routing - (user[@%!]remote[@%!]site) from untrusted clients + Forward mail with sender-specified routing + (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains. smtpd_restriction_classes (empty) - User-defined aliases for groups of access restric- + User-defined aliases for groups of access restric- tions. smtpd_null_access_lookup_key (<>) - The lookup key to be used in SMTP access(5) tables + The lookup key to be used in SMTP access(5) tables instead of the null sender address. permit_mx_backup_networks (empty) Restrict the use of the permit_mx_backup SMTP - access feature to only domains whose primary MX + access feature to only domains whose primary MX hosts match the listed networks. 
Available in Postfix version 2.0 and later: smtpd_data_restrictions (empty) - Optional access restrictions that the Postfix SMTP + Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP DATA com- mand. smtpd_expansion_filter (see 'postconf -d' output) - What characters are allowed in $name expansions of + What characters are allowed in $name expansions of RBL reply templates. Available in Postfix version 2.1 and later: smtpd_reject_unlisted_sender (no) - Request that the Postfix SMTP server rejects mail - from unknown sender addresses, even when no - explicit reject_unlisted_sender access restriction + Request that the Postfix SMTP server rejects mail + from unknown sender addresses, even when no + explicit reject_unlisted_sender access restriction is specified. smtpd_reject_unlisted_recipient (yes) - Request that the Postfix SMTP server rejects mail + Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no - explicit reject_unlisted_recipient access restric- + explicit reject_unlisted_recipient access restric- tion is specified. Available in Postfix version 2.2 and later: smtpd_end_of_data_restrictions (empty) - Optional access restrictions that the Postfix SMTP - server applies in the context of the SMTP END-OF- + Optional access restrictions that the Postfix SMTP + server applies in the context of the SMTP END-OF- DATA command. SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS - Postfix version 2.1 introduces sender and recipient - address verification. This feature is implemented by - sending probe email messages that are not actually deliv- - ered. This feature is requested via the reject_unveri- - fied_sender and reject_unverified_recipient access - restrictions. The status of verification probes is main- + Postfix version 2.1 introduces sender and recipient + address verification. This feature is implemented by + sending probe email messages that are not actually deliv- + ered. 
This feature is requested via the reject_unveri- + fied_sender and reject_unverified_recipient access + restrictions. The status of verification probes is main- tained by the verify(8) server. See the file ADDRESS_VER- - IFICATION_README for information about how to configure + IFICATION_README for information about how to configure and operate the Postfix sender/recipient address verifica- tion service. - address_verify_poll_count (3) - How many times to query the verify(8) service for - the completion of an address verification request + address_verify_poll_count (see 'postconf -d' output) + How many times to query the verify(8) service for + the completion of an address verification request in progress. address_verify_poll_delay (3s) - The delay between queries for the completion of an + The delay between queries for the completion of an address verification request in progress. address_verify_sender ($double_bounce_sender) - The sender address to use in address verification + The sender address to use in address verification probes; prior to Postfix 2.5 the default was "post- master". unverified_sender_reject_code (450) - The numerical Postfix SMTP server response code - when a recipient address is rejected by the + The numerical Postfix SMTP server response code + when a recipient address is rejected by the reject_unverified_sender restriction. unverified_recipient_reject_code (450) - The numerical Postfix SMTP server response when a + The numerical Postfix SMTP server response when a recipient address is rejected by the reject_unveri- fied_recipient restriction. Available in Postfix version 2.6 and later: unverified_sender_defer_code (450) - The numerical Postfix SMTP server response code - when a sender address probe fails due to a tempo- + The numerical Postfix SMTP server response code + when a sender address probe fails due to a tempo- rary error condition. 
unverified_recipient_defer_code (450) - The numerical Postfix SMTP server response when a - recipient address probe fails due to a temporary + The numerical Postfix SMTP server response when a + recipient address probe fails due to a temporary error condition. unverified_sender_reject_reason (empty) @@ -1036,7 +1037,7 @@ SMTPD(8) SMTPD(8) unverified_sender_tempfail_action ($reject_temp- fail_action) The Postfix SMTP server's action when reject_unver- - ified_sender fails due to a temporary error condi- + ified_sender fails due to a temporary error condi- tion. unverified_recipient_tempfail_action ($reject_temp- @@ -1046,7 +1047,7 @@ SMTPD(8) SMTPD(8) dition. ACCESS CONTROL RESPONSES - The following parameters control numerical SMTP reply + The following parameters control numerical SMTP reply codes and/or text responses. access_map_reject_code (554) @@ -1054,18 +1055,18 @@ SMTPD(8) SMTPD(8) an access(5) map "reject" action. defer_code (450) - The numerical Postfix SMTP server response code - when a remote SMTP client request is rejected by + The numerical Postfix SMTP server response code + when a remote SMTP client request is rejected by the "defer" restriction. invalid_hostname_reject_code (501) - The numerical Postfix SMTP server response code - when the client HELO or EHLO command parameter is - rejected by the reject_invalid_helo_hostname + The numerical Postfix SMTP server response code + when the client HELO or EHLO command parameter is + rejected by the reject_invalid_helo_hostname restriction. maps_rbl_reject_code (554) - The numerical Postfix SMTP server response code + The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_rbl_client, reject_rhsbl_client, reject_rhsbl_sender or reject_rhsbl_recipient 
@@ -1073,53 +1074,53 @@ SMTPD(8) SMTPD(8) non_fqdn_reject_code (504) The numerical Postfix SMTP server reply code when a - client request is rejected by the + client request is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction. plaintext_reject_code (450) - The numerical Postfix SMTP server response code - when a request is rejected by the reject_plain- + The numerical Postfix SMTP server response code + when a request is rejected by the reject_plain- text_session restriction. reject_code (554) - The numerical Postfix SMTP server response code - when a remote SMTP client request is rejected by + The numerical Postfix SMTP server response code + when a remote SMTP client request is rejected by the "reject" restriction. relay_domains_reject_code (554) - The numerical Postfix SMTP server response code - when a client request is rejected by the + The numerical Postfix SMTP server response code + when a client request is rejected by the reject_unauth_destination recipient restriction. unknown_address_reject_code (450) - The numerical Postfix SMTP server response code - when a sender or recipient address is rejected by + The numerical Postfix SMTP server response code + when a sender or recipient address is rejected by the reject_unknown_sender_domain or reject_unknown_recipient_domain restriction. unknown_client_reject_code (450) - The numerical Postfix SMTP server response code - when a client without valid address <=> name map- + The numerical Postfix SMTP server response code + when a client without valid address <=> name map- ping is rejected by the reject_unknown_client_host- name restriction. 
unknown_hostname_reject_code (450) - The numerical Postfix SMTP server response code - when the hostname specified with the HELO or EHLO - command is rejected by the + The numerical Postfix SMTP server response code + when the hostname specified with the HELO or EHLO + command is rejected by the reject_unknown_helo_hostname restriction. Available in Postfix version 2.0 and later: default_rbl_reply (see 'postconf -d' output) - The default SMTP server response template for a - request that is rejected by an RBL-based restric- + The default SMTP server response template for a + request that is rejected by an RBL-based restric- tion. multi_recipient_bounce_reject_code (550) - The numerical Postfix SMTP server response code + The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_multi_recipient_bounce restriction. 
@@ -1130,38 +1131,38 @@ SMTPD(8) SMTPD(8) access_map_defer_code (450) The numerical Postfix SMTP server response code for - an access(5) map "defer" action, including + an access(5) map "defer" action, including "defer_if_permit" or "defer_if_reject". reject_tempfail_action (defer_if_permit) The Postfix SMTP server's action when a reject-type - restriction fails due to a temporary error condi- + restriction fails due to a temporary error condi- tion. unknown_helo_hostname_tempfail_action ($reject_temp- fail_action) - The Postfix SMTP server's action when + The Postfix SMTP server's action when reject_unknown_helo_hostname fails due to an tempo- rary error condition. unknown_address_tempfail_action ($reject_tempfail_action) - The Postfix SMTP server's action when + The Postfix SMTP server's action when reject_unknown_sender_domain or - reject_unknown_recipient_domain fail due to a tem- + reject_unknown_recipient_domain fail due to a tem- porary error condition. MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. command_directory (see 'postconf -d' output) - The location of all postfix administrative com- + The location of all postfix administrative com- mands. double_bounce_sender (double-bounce) 
@@ -1182,37 +1183,37 @@ SMTPD(8) SMTPD(8) and most Postfix daemon processes. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for an incoming connection + The maximum amount of time that an idle Postfix + daemon process waits for an incoming connection before terminating voluntarily. max_use (100) - The maximal number of incoming connections that a - Postfix daemon process will service before termi- + The maximal number of incoming connections that a + Postfix daemon process will service before termi- nating voluntarily. myhostname (see 'postconf -d' output) The internet hostname of this mail system. mynetworks (see 'postconf -d' output) - The list of "trusted" SMTP clients that have more + The list of "trusted" SMTP clients that have more privileges than "strangers". myorigin ($myhostname) The domain name that locally-posted mail appears to - come from, and that locally posted mail is deliv- + come from, and that locally posted mail is deliv- ered to. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. recipient_delimiter (empty) 
@@ -1220,28 +1221,28 @@ SMTPD(8) SMTPD(8) sions (user+foo). smtpd_banner ($myhostname ESMTP $mail_name) - The text that follows the 220 status code in the + The text that follows the 220 status code in the SMTP greeting banner. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". Available in Postfix version 2.2 and later: smtpd_forbidden_commands (CONNECT, GET, POST) - List of commands that causes the Postfix SMTP - server to immediately terminate the session with a + List of commands that causes the Postfix SMTP + server to immediately terminate the session with a 221 code. Available in Postfix version 2.5 and later: smtpd_client_port_logging (no) - Enable logging of the remote SMTP client port in + Enable logging of the remote SMTP client port in addition to the hostname and IP address. SEE ALSO @@ -1271,7 +1272,7 @@ SMTPD(8) SMTPD(8) XFORWARD_README, Postfix XFORWARD extension LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/html/verify.8.html b/postfix/html/verify.8.html index 38db746f5..7143c1cb0 100644 --- a/postfix/html/verify.8.html +++ b/postfix/html/verify.8.html 
@@ -115,17 +115,23 @@ VERIFY(8) VERIFY(8) The time after which a failed address verification probe needs to be refreshed. + Available with Postfix 2.7 and later: + + address_verify_cache_cleanup_interval (12h) + The amount of time between verify(8) cache cleanup + runs. + PROBE MESSAGE ROUTING CONTROLS - By default, probe messages are delivered via the same - route as regular messages. The following parameters can + By default, probe messages are delivered via the same + route as regular messages. The following parameters can be used to override specific message routing mechanisms. address_verify_relayhost ($relayhost) - Overrides the relayhost parameter setting for + Overrides the relayhost parameter setting for address verification probes. address_verify_transport_maps ($transport_maps) - Overrides the transport_maps parameter setting for + Overrides the transport_maps parameter setting for address verification probes. address_verify_local_transport ($local_transport) @@ -133,7 +139,7 @@ VERIFY(8) VERIFY(8) address verification probes. address_verify_virtual_transport ($virtual_transport) - Overrides the virtual_transport parameter setting + Overrides the virtual_transport parameter setting for address verification probes. address_verify_relay_transport ($relay_transport) 
@@ -141,17 +147,32 @@ VERIFY(8) VERIFY(8) address verification probes. address_verify_default_transport ($default_transport) - Overrides the default_transport parameter setting + Overrides the default_transport parameter setting for address verification probes. + Available in Postfix 2.3 and later: + + address_verify_sender_dependent_relayhost_maps + ($sender_dependent_relayhost_maps) + Overrides the sender_dependent_relayhost_maps + parameter setting for address verification probes. + + Available in Postfix 2.7 and later: + + address_verify_sender_dependent_default_transport_maps + ($sender_dependent_default_transport_maps) + Overrides the sender_dependent_default_trans- + port_maps parameter setting for address verifica- + tion probes. + MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. ipc_timeout (3600s) 
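Review bot: The version headings added in this hunk of html/verify.8.html read "Available in Postfix 2.3 and later:" and "Available in Postfix 2.7 and later:", while the heading added for address_verify_cache_cleanup_interval earlier in the same file reads "Available with Postfix 2.7 and later:". Use one form throughout the page.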
@@ -159,23 +180,23 @@ VERIFY(8) VERIFY(8) over an internal communication channel. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". SEE ALSO @@ -188,7 +209,7 @@ VERIFY(8) VERIFY(8) ADDRESS_VERIFICATION_README, address verification howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. HISTORY diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 1b31a4186..5d4c9ddad 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -77,6 +77,17 @@ The numerical Postfix SMTP server response code for an \fBaccess\fR(5) map "reject" action. .PP Do not change this unless you have a complete understanding of RFC 2821. +.SH address_verify_cache_cleanup_interval (default: 12h) +The amount of time between \fBverify\fR(8) cache cleanup runs. Cache +cleanup increases the load on the cache database and should therefore +not be run frequently. This feature requires that the cache database +supports the "delete" and "sequence" operators. Specify a zero +interval to disable cache cleanup. +.PP +Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks). +.PP +This feature is available in Postfix 2.7. .SH address_verify_default_transport (default: $default_transport) Overrides the default_transport parameter setting for address verification probes. @@ -138,14 +149,18 @@ be refreshed. Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). .PP This feature is available in Postfix 2.1 and later. -.SH address_verify_poll_count (default: 3) +.SH address_verify_poll_count (default: see "postconf -d" output) How many times to query the \fBverify\fR(8) service for the completion of an address verification request in progress. .PP -The default poll count is 3. +With Postfix version 2.7 and later, the SMTP server polls the +\fBverify\fR(8) service up to three times under non-overload conditions, +and only once when under overload. With earlier Postfix versions, +the SMTP server always polls the \fBverify\fR(8) service up to three +times. .PP Specify 1 to implement a crude form of greylisting, that is, always -defer the first delivery request for a never seen before address. +defer the first delivery request for a new address. .PP Example: .PP 
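Review bot: In the address_verify_poll_count text of man/man5/postconf.5, the new paragraph says the SMTP server polls verify(8) only once under overload, and the next paragraph says a value of 1 always defers the first delivery request for a new address, but nothing connects the two. A reader can miss that under overload the default behaves like that crude greylisting. State this next to the "only once when under overload" sentence, and note that setting the parameter to 3 explicitly keeps the pre-2.7 behaviour. The same wording is in proto/postconf.proto.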
@@ -3673,16 +3688,38 @@ The blacklist has higher precedence than whitelists. This feature never uses the remote SMTP client hostname. .PP This feature is available in Postfix 2.7. +.SH postscreen_cache_cleanup_interval (default: 12h) +The amount of time between \fBpostscreen\fR(8) cache cleanup runs. +Cache cleanup increases the load on the cache database and should +therefore not be run frequently. This feature requires that the +cache database supports the "delete" and "sequence" operators. +Specify a zero interval to disable cache cleanup. +.PP +Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks). +.PP +This feature is available in Postfix 2.7. .SH postscreen_cache_map (default: btree:$data_directory/ps_whitelist) Persistent storage for the \fBpostscreen\fR(8) server decisions. .PP This feature is available in Postfix 2.7. +.SH postscreen_cache_retention_time (default: 1d) +The amount of time that \fBpostscreen\fR(8) will cache an expired +temporary whitelist entry before it is removed. This prevents clients +from being logged as "NEW" just because their cache entry expired +an hour ago. +.PP +Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks). +.PP +This feature is available in Postfix 2.7. .SH postscreen_cache_ttl (default: 1d) The amount of time that \fBpostscreen\fR(8) will cache a decision for a specific SMTP client IP address. During this time, the client IP address is excluded from tests. If possible, expired decisions are -renewed silently. Specify a non-zero time value (an integral value -plus an optional one-letter suffix that specifies the time unit). +renewed automatically. Specify a non-zero time value (an integral +value plus an optional one-letter suffix that specifies the time +unit). .PP Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). 
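Review bot: The postscreen_cache_retention_time paragraph does not say how it interacts with postscreen_cache_cleanup_interval, which is added in the same hunk. If expired entries are only removed during a cleanup run, the effective retention can exceed the configured value, and with a zero cleanup interval (documented here as disabling cleanup) the retention time would have no effect. Say which applies. The cleanup paragraph also requires that the cache database supports "delete" and "sequence" without saying what happens when it does not; one sentence on that would help.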
@@ -3722,7 +3759,8 @@ IP address. .PP This feature is available in Postfix 2.7. .SH postscreen_greet_banner (default: $smtpd_banner) -The text in the optional "220-text..." server response that +The \fItext\fR in the optional "220-\fItext\fR..." server +response that \fBpostscreen\fR(8) sends ahead of the real Postfix SMTP server's "220 text..." response, in an attempt to confuse bad SMTP clients so that they speak before their turn (pre-greet). Specify an empty @@ -5028,7 +5066,7 @@ invalid responses. Notes: .IP \(bu In the case of a multi-line reply, the Postfix SMTP client -uses the last reply line's numerical SMTP reply code and enhanced +uses the final reply line's numerical SMTP reply code and enhanced status code. .IP \(bu The numerical SMTP reply code (XYZ) takes precedence over @@ -5047,7 +5085,7 @@ Examples: .na .ft C /etc/postfix/main.cf: - smtp_reply_filter = pcre:/etc/postfix/command_filter + smtp_reply_filter = pcre:/etc/postfix/reply_filter .fi .ad .ft R @@ -5056,11 +5094,11 @@ Examples: .na .ft C /etc/postfix/reply_filter: - # Transform garbage into part of a multi-line reply. Note - # that the Postfix SMTP client uses only the last numerical - # SMTP reply code and enhanced status code from a multi-line - # reply, so it does not matter what we substitute here as - # long as it has the right syntax. + # Transform garbage into "250-filler..." so that it looks like + # one line from a multi-line reply. It does not matter what we + # substitute here as long it has the right syntax. The Postfix + # SMTP client will use the final line's numerical SMTP reply + # code and enhanced status code. !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage .fi .ad @@ -6890,6 +6928,15 @@ except that initial whitespace and the trailingThe before-filter Postfix SMTP server accepts connections from the +
As shown in the diagram above, the before-queue filter sits +between two Postfix SMTP server processes.
+ +The before-filter Postfix SMTP server accepts connections from the Internet and does the usual relay access control, SASL authentication, TLS negotiation, RBL lookups, rejecting non-existent sender or recipient addresses, -etc. The before-queue filter receives unfiltered mail content from +etc.
+ +The before-queue filter receives unfiltered mail content from Postfix and does one of the following:
The after-filter Postfix SMTP server receives mail from the +
The after-filter Postfix SMTP server receives mail from the content filter. From then on Postfix processes the mail as usual.
+The before-queue content filter described here works just like the after-queue content filter described in the FILTER_README document. In many cases you can use the same software, within the diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 62281a169..5cb6237b2 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -199,7 +199,7 @@ verification probes. This feature is available in Postfix 2.1 and later.
-%PARAM address_verify_map +%PARAM address_verify_mapOptional lookup table for persistent address verification status @@ -280,7 +280,20 @@ Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). This feature is available in Postfix 2.1 and later.
-%PARAM address_verify_poll_count 3 +%PARAM address_verify_cache_cleanup_interval 12h + +The amount of time between verify(8) cache cleanup runs. Cache +cleanup increases the load on the cache database and should therefore +not be run frequently. This feature requires that the cache database +supports the "delete" and "sequence" operators. Specify a zero +interval to disable cache cleanup.
+ +Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks).
+ +This feature is available in Postfix 2.7.
+ +%PARAM address_verify_poll_count see "postconf -d" outputHow many times to query the verify(8) service for the completion @@ -288,12 +301,16 @@ of an address verification request in progress.
-The default poll count is 3. +With Postfix version 2.7 and later, the SMTP server polls the +verify(8) service up to three times under non-overload conditions, +and only once when under overload. With earlier Postfix versions, +the SMTP server always polls the verify(8) service up to three +times.
Specify 1 to implement a crude form of greylisting, that is, always -defer the first delivery request for a never seen before address. +defer the first delivery request for a new address.
@@ -5215,8 +5232,9 @@ This feature is available in Postfix 2.2 and later. %PARAM smtpd_helo_required no
-Require that a remote SMTP client introduces itself at the beginning -of an SMTP session with the HELO or EHLO command. +Require that a remote SMTP client introduces itself with the HELO +or EHLO command before sending the MAIL command or other commands +that require EHLO negotiation.
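Review bot: "other commands that require EHLO negotiation" in the new smtpd_helo_required text is left undefined, and because the sentence accepts HELO or EHLO it is unclear whether a plain HELO satisfies the requirement for those commands. Name the commands or point to where they are listed. The same sentence is in the html/smtpd.8.html hunk.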
@@ -8631,12 +8649,12 @@ inside the chroot jail.
By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast -to smtp_tls_CAfile, DNs of certificate authorities installed +to smtpd_tls_CAfile, DNs of certificate authorities installed in $smtpd_tls_CApath are not included in the client certificate request message. MUAs with multiple client certificates may use the list of preferred certificate authorities to select the correct client certificate. You may want to put your "preferred" CA or -CAs in $smtp_tls_CAfile, and install the remaining trusted CAs in +CAs in $smtpd_tls_CAfile, and install the remaining trusted CAs in $smtpd_tls_CApath.
Example:
@@ -12436,9 +12454,34 @@ receive a 421 reponse.The amount of time that postscreen(8) will cache a decision for a specific SMTP client IP address. During this time, the client IP address is excluded from tests. If possible, expired decisions are -renewed silently. Specify a non-zero time value (an integral value -plus an optional one-letter suffix that specifies the time unit). -
+renewed automatically. Specify a non-zero time value (an integral +value plus an optional one-letter suffix that specifies the time +unit). + +Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks).
+ +This feature is available in Postfix 2.7.
+ +%PARAM postscreen_cache_retention_time 1d + +The amount of time that postscreen(8) will cache an expired +temporary whitelist entry before it is removed. This prevents clients +from being logged as "NEW" just because their cache entry expired +an hour ago.
+ +Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks).
+ +This feature is available in Postfix 2.7.
+ +%PARAM postscreen_cache_cleanup_interval 12h + +The amount of time between postscreen(8) cache cleanup runs. +Cache cleanup increases the load on the cache database and should +therefore not be run frequently. This feature requires that the +cache database supports the "delete" and "sequence" operators. +Specify a zero interval to disable cache cleanup.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
@@ -12560,7 +12603,8 @@ never uses the remote SMTP client hostname. %PARAM postscreen_greet_banner $smtpd_banner -The text in the optional "220-text..." server response that +
The text in the optional "220-text..." server +response that postscreen(8) sends ahead of the real Postfix SMTP server's "220 text..." response, in an attempt to confuse bad SMTP clients so that they speak before their turn (pre-greet). Specify an empty @@ -12608,6 +12652,20 @@ except that initial whitespace and the trailing <CR><LF> are removed. The result value is executed by the Postfix SMTP server.
+Postfix already implements a number of workarounds for malformed +client commands.
+ +Use "resolve_numeric_domain = yes" to accept "user@ipaddress" +Postfix already accepts the correct form "user@[ipaddress]". +
+ +Use "strict_rfc821_envelopes = no" to accept "User Name +<user@example.com>".
+ +Examples:
@@ -12647,7 +12705,7 @@ invalid responses.
In the case of a multi-line reply, the Postfix SMTP client -uses the last reply line's numerical SMTP reply code and enhanced +uses the final reply line's numerical SMTP reply code and enhanced status code.
The numerical SMTP reply code (XYZ) takes precedence over @@ -12666,16 +12724,16 @@ server, except that the trailing <CR><LF> are removed.
/etc/postfix/main.cf: - smtp_reply_filter = pcre:/etc/postfix/command_filter + smtp_reply_filter = pcre:/etc/postfix/reply_filter
/etc/postfix/reply_filter: - # Transform garbage into part of a multi-line reply. Note - # that the Postfix SMTP client uses only the last numerical - # SMTP reply code and enhanced status code from a multi-line - # reply, so it does not matter what we substitute here as - # long as it has the right syntax. + # Transform garbage into "250-filler..." so that it looks like + # one line from a multi-line reply. It does not matter what we + # substitute here as long it has the right syntax. The Postfix + # SMTP client will use the final line's numerical SMTP reply + # code and enhanced status code. !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbagediff --git a/postfix/src/cleanup/cleanup.c b/postfix/src/cleanup/cleanup.c index 461ebf84e..c5b71e9d8 100644 --- a/postfix/src/cleanup/cleanup.c +++ b/postfix/src/cleanup/cleanup.c @@ -46,8 +46,10 @@ /* RFC 822 (ARPA Internet Text Messages) /* RFC 2045 (MIME: Format of Internet Message Bodies) /* RFC 2046 (MIME: Media Types) +/* RFC 2822 (Internet Message Format) /* RFC 3463 (Enhanced Status Codes) /* RFC 3464 (Delivery status notifications) +/* RFC 5322 (Internet Message Format) /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8). /* BUGS diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index a440152e1..31dd2c25c 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -2552,7 +2552,7 @@ extern int var_scache_stat_time; extern char *var_verify_service; #define VAR_VERIFY_MAP "address_verify_map" -#define DEF_VERIFY_MAP "" +#define DEF_VERIFY_MAP "btree:$data_directory/verify_cache" extern char *var_verify_map; #define VAR_VERIFY_POS_EXP "address_verify_positive_expire_time" 
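Review bot: The rewritten comment in the /etc/postfix/reply_filter example of proto/postconf.proto (hunk at -12666,16, and the matching hunk at -5056,11 in man/man5/postconf.5) reads "as long it has the right syntax"; the removed text had "as long as it has the right syntax". Restore the missing "as" in both places.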
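Review bot: In src/global/mail_params.h (hunk at -2552,7), DEF_VERIFY_MAP changes from "" to "btree:$data_directory/verify_cache", so the address verification cache now defaults to a file under $data_directory, yet none of the HISTORY entries this patch adds (20091224 through 20091229) mention it. Add an entry for the new default, and confirm that the address_verify_map documentation states how to restore the previous empty setting.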
@@ -2575,12 +2575,16 @@ extern int var_verify_neg_try; #define DEF_VERIFY_NEG_CACHE 1 extern bool var_verify_neg_cache; +#define VAR_VERIFY_SCAN_CACHE "address_verify_cache_cleanup_interval" +#define DEF_VERIFY_SCAN_CACHE "12h" +extern int var_verify_scan_cache; + #define VAR_VERIFY_SENDER "address_verify_sender" #define DEF_VERIFY_SENDER "$" VAR_DOUBLE_BOUNCE extern char *var_verify_sender; #define VAR_VERIFY_POLL_COUNT "address_verify_poll_count" -#define DEF_VERIFY_POLL_COUNT 3 +#define DEF_VERIFY_POLL_COUNT "${stress?1}${stress:3}" extern int var_verify_poll_count; #define VAR_VERIFY_POLL_DELAY "address_verify_poll_delay" @@ -3186,6 +3190,14 @@ extern int var_ps_pre_queue_limit; #define DEF_PS_CACHE_TTL "1d" extern int var_ps_cache_ttl; +#define VAR_PS_CACHE_RET "postscreen_cache_retention_time" +#define DEF_PS_CACHE_RET "1d" +extern int var_ps_cache_ret; + +#define VAR_PS_CACHE_SCAN "postscreen_cache_cleanup_interval" +#define DEF_PS_CACHE_SCAN "12h" +extern int var_ps_cache_scan; + #define VAR_PS_GREET_WAIT "postscreen_greet_wait" #define DEF_PS_GREET_WAIT "4s" extern int var_ps_greet_wait; diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index e187c4eeb..5da201516 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20091209" +#define MAIL_RELEASE_DATE "20091229" #define MAIL_VERSION_NUMBER "2.7" #ifdef SNAPSHOT diff --git a/postfix/src/postscreen/Makefile.in b/postfix/src/postscreen/Makefile.in index 3ea518a54..dc3403e6c 100644 --- a/postfix/src/postscreen/Makefile.in +++ b/postfix/src/postscreen/Makefile.in 
@@ -61,7 +61,9 @@ postscreen.o: ../../include/addr_match_list.h postscreen.o: ../../include/argv.h postscreen.o: ../../include/attr.h postscreen.o: ../../include/connect.h +postscreen.o: ../../include/data_redirect.h postscreen.o: ../../include/dict.h +postscreen.o: ../../include/dict_cache.h postscreen.o: ../../include/events.h postscreen.o: ../../include/format_tv.h postscreen.o: ../../include/htable.h diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c index 2e9d4b8c4..c0a6ede27 100644 --- a/postfix/src/postscreen/postscreen.c +++ b/postfix/src/postscreen/postscreen.c 
@@ -7,26 +7,31 @@ /* \fBpostscreen\fR [generic Postfix daemon options] /* DESCRIPTION /* The Postfix \fBpostscreen\fR(8) server performs triage on -/* multiple inbound SMTP connections in parallel. The program -/* can run in two basic modes. +/* multiple inbound SMTP connections in parallel. By running +/* time-consuming tests in parallel in \fBpostscreen\fR(8), +/* zombies and other bogus clients can be kept away from Postfix +/* SMTP server processes. Thus, more Postfix SMTP server +/* processes remain available for legitimate clients. /* -/* The purpose of \fBobservation mode\fR is to collect statistics -/* without actually blocking mail. \fBpostscreen\fR(8) runs a -/* number of tests before it forwards a connection to a real -/* SMTP server process. These tests introduce a delay of a -/* few seconds; once a client passes the tests as "clean", its -/* IP address is temporarily whitelisted and subsequent -/* connections incur no delays until the temporary whitelist -/* entry expires. +/* This triage process involves a number of tests, documented +/* below. The tests introduce a delay of a few seconds; once +/* a client passes the tests, its IP address is temporarily +/* whitelisted, typically for 24 hours. /* -/* The purpose of \fBenforcement mode\fR is to block mail -/* without using up one Postfix SMTP server process for every -/* connection. Here, \fBpostscreen\fR(8) terminates connections -/* from SMTP clients that fail the above tests, and forwards -/* only the remaining connections to a real SMTP server process. -/* By running time-consuming spam tests in parallel in -/* \fBpostscreen\fR(8), more Postfix SMTP server processes -/* remain available for legitimate clients. +/* The program can run in two basic modes. +/* .IP "\fBObservation mode\fR" +/* \fBpostscreen\fR(8) reports the results of the tests, and +/* forwards all connections to a real Postfix SMTP server +/* process. 
+/* .IP "\fBEnforcement mode\fR" +/* \fBpostscreen\fR(8) reports the results of the tests, but +/* forwards only connections to a real SMTP server process +/* from clients that passed the tests. +/* .sp +/* \fBpostscreen\fR(8) disconnects clients that fail the tests, +/* after sending a 521 status message (a future version may +/* pass the connection to a dummy SMTP protocol engine that +/* logs sender and recipient information). /* .PP /* Note: \fBpostscreen\fR(8) is not an SMTP proxy; this is /* intentional. The purpose is to prioritize legitimate clients @@ -38,8 +43,7 @@ /* .fi /* The postscreen_whitelist_networks parameter (default: /* $mynetworks) specifies a permanent whitelist for SMTP client -/* IP addresses. This feature is not used for addresses that -/* appear on the permanent blacklist. +/* IP addresses. /* /* When the SMTP client address matches the permanent whitelist, /* this is logged as: @@ -99,12 +103,13 @@ /* .ad /* .fi /* The postscreen_greet_wait parameter specifies a time interval -/* during which \fBpostscreen\fR(8) runs a number of tests as -/* described below. These tests run before the client may -/* see the real SMTP server's "220 text..." server greeting. +/* during which \fBpostscreen\fR(8) runs a number of tests in +/* parallel. These tests are described below, and are run +/* before the client may see the real SMTP server's "220 +/* text..." server greeting. /* -/* When the SMTP client passes all the tests, this is logged -/* as: +/* When the SMTP client passes all greeting-phase tests, this +/* is logged as: /* .sp /* .nf /* \fBPASS NEW \fIaddress\fR 
@@ -123,8 +128,9 @@ /* .SH 4A. PREGREET TEST /* .ad /* .fi -/* The postscreen_greet_banner parameter specifies the text -/* for a "220-text..." teaser banner (default: $smtpd_banner). +/* The postscreen_greet_banner parameter specifies the \fItext\fR +/* portion of a "220-\fItext\fR..." teaser banner (default: +/* $smtpd_banner). /* The \fBpostscreen\fR(8) daemon sends this before the /* postscreen_greet_wait timer is started. The purpose of the /* teaser banner is to confuse SPAM clients so that they speak @@ -185,7 +191,8 @@ /* .ad /* .fi /* The postscreen_dnsbl_sites parameter (default: empty) -/* specifies a list of DNS blocklist servers. +/* specifies a list of DNS blocklist servers. These lookups +/* are made in parallel. /* /* When the postscreen_greet_wait time has elapsed, and the /* SMTP client address is listed with at least one of these @@ -240,11 +247,6 @@ /* .IP "\fBpostscreen_blacklist_networks (empty)\fR" /* Network addresses that are permanently blacklisted; see the /* postscreen_blacklist_action parameter for possible actions. -/* .IP "\fBpostscreen_cache_map (btree:$data_directory/ps_whitelist)\fR" -/* Persistent storage for the \fBpostscreen\fR(8) server decisions. -/* .IP "\fBpostscreen_cache_ttl (1d)\fR" -/* The amount of time that \fBpostscreen\fR(8) will cache a decision for -/* a specific SMTP client IP address. /* .IP "\fBpostscreen_dnsbl_action (continue)\fR" /* The action that \fBpostscreen\fR(8) takes when an SMTP client is listed /* at the DNS blocklist domains specified with the postscreen_dnsbl_sites 
@@ -256,7 +258,8 @@ /* before its turn within the time specified with the postscreen_greet_wait /* parameter. /* .IP "\fBpostscreen_greet_banner ($smtpd_banner)\fR" -/* The text in the optional "220-text..." server response that +/* The \fItext\fR in the optional "220-\fItext\fR..." server +/* response that /* \fBpostscreen\fR(8) sends ahead of the real Postfix SMTP server's "220 /* text..." response, in an attempt to confuse bad SMTP clients so /* that they speak before their turn (pre-greet). @@ -281,6 +284,19 @@ /* .IP "\fBsmtpd_service (smtpd)\fR" /* The internal service that \fBpostscreen\fR(8) forwards allowed /* connections to. +/* CACHE CONTROLS +/* .ad +/* .fi +/* .IP "\fBpostscreen_cache_cleanup_interval (12h)\fR" +/* The amount of time between \fBpostscreen\fR(8) cache cleanup runs. +/* .IP "\fBpostscreen_cache_map (btree:$data_directory/ps_whitelist)\fR" +/* Persistent storage for the \fBpostscreen\fR(8) server decisions. +/* .IP "\fBpostscreen_cache_retention_time (1d)\fR" +/* The amount of time that \fBpostscreen\fR(8) will cache an expired +/* temporary whitelist entry before it is removed. +/* .IP "\fBpostscreen_cache_ttl (1d)\fR" +/* The amount of time that \fBpostscreen\fR(8) will cache a decision for +/* a specific SMTP client IP address. /* MISCELLANEOUS CONTROLS /* .ad /* .fi @@ -347,7 +363,7 @@ #include
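Review bot: the rewritten comment in the /etc/postfix/reply_filter example reads "as long it has the right syntax"; the removed text had "as long as it has the right syntax", so the second "as" was lost in the rewording. Since readers copy this comment into their own filter files together with the pattern, please restore it.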
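Review bot: in src/global/mail_params.h at @@ -2552,7 +2552,7 @@, changing DEF_VERIFY_MAP from "" to "btree:$data_directory/verify_cache" is a user-visible behaviour change that the hunk leaves undocumented. Sites that never set address_verify_map will start writing probe results to a file under $data_directory after upgrading, and those results then persist across restarts until they expire. Please document next to this default, or in the release notes, which process must be able to write the file and that setting address_verify_map to an empty value restores the previous behaviour.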
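Review bot: in src/global/mail_params.h at @@ -2575,12 +2575,16 @@, DEF_VERIFY_POLL_COUNT changes from the integer 3 to the string "${stress?1}${stress:3}" while var_verify_poll_count is still declared int. A string default cannot be registered as a plain integer parameter, so the table entry that registers VAR_VERIFY_POLL_COUNT has to change to a type that expands the value before converting it; that change is not visible here and should be confirmed as part of this patch. The parameter documentation should also state both effective values (1 under stress, 3 otherwise), because reduced polling under load changes when a sender address check is reported as still in progress.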
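Review bot: in src/postscreen/postscreen.c at @@ -7,26 +7,31 @@, the new description hard-codes "typically for 24 hours" for the temporary whitelist lifetime, although that lifetime is a tunable (postscreen_cache_ttl, default 1d, listed further down the same manual text). Name the parameter instead of the number so the description cannot drift from the configured value. In the same hunk, "forwards only connections to a real SMTP server process from clients that passed the tests" is hard to parse; "forwards to a real SMTP server process only the connections from clients that passed the tests" reads unambiguously.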
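Review bot: in src/postscreen/postscreen.c at @@ -38,8 +43,7 @@, dropping "This feature is not used for addresses that appear on the permanent blacklist" leaves the manual silent on which list wins when an address matches both postscreen_whitelist_networks and postscreen_blacklist_networks. That precedence decides whether a blacklisted address inside $mynetworks is screened at all, so replace the removed sentence with an explicit statement of the new evaluation order rather than deleting it outright.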
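Review bot: in src/postscreen/postscreen.c at @@ -281,6 +284,19 @@, the new CACHE CONTROLS text does not explain how postscreen_cache_retention_time relates to postscreen_cache_ttl. "cache an expired temporary whitelist entry before it is removed" does not say whether an expired entry that is still retained continues to let the client bypass the tests. Please state that an expired entry no longer whitelists the client and is kept only until a cleanup run removes it (if that is the intent), and document what a zero postscreen_cache_cleanup_interval does.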