Fatal: Error Reading /var/lib/postfix/postscreen_cache.db: Unknown Error -30986
Postfix Postscreen Howto
Introduction
This document describes features that are available in Postfix 3.6 and later. See POSTSCREEN_3_5_README.html for Postfix versions 2.8 - 3.5.
The Postfix postscreen(8) daemon provides additional protection against mail server overload. One postscreen(8) process handles multiple inbound SMTP connections, and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen(8) leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions.
postscreen(8) should not be used on SMTP ports that receive mail from end-user clients (MUAs). In a typical deployment, postscreen(8) handles the MX service on TCP port 25, while MUA clients submit mail via the submission service on TCP port 587 which requires client authentication. Alternatively, a site could set up a dedicated, non-postscreen, "port 25" server that provides submission service and client authentication, but no MX service.
postscreen(8) maintains a temporary allowlist for clients that pass its tests; by allowing allowlisted clients to skip tests, postscreen(8) minimizes its impact on legitimate email traffic.
postscreen(8) is part of a multi-layer defense.
- As the first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as inexpensive as possible.
- The second layer implements more complex SMTP-level access checks with Postfix SMTP servers, policy daemons, and Milter applications.
- The third layer performs light-weight content inspection with the Postfix built-in header_checks and body_checks. This can block unacceptable attachments such as executable programs, and worms or viruses with easy-to-recognize signatures.
- The fourth layer provides heavy-weight content inspection with external content filters. Typical examples are Amavisd-new, SpamAssassin, and Milter applications.
Each layer reduces the spam volume. The general strategy is to use the less expensive defenses first, and to use the more expensive defenses only for the spam that remains.
Topics in this document:
- Introduction
- The basic idea behind postscreen(8)
- General operation
- Quick tests before everything else
- Tests before the 220 SMTP server greeting
- Tests after the 220 SMTP server greeting
- Other errors
- When all tests succeed
- Configuring the postscreen(8) service
- Historical notes and credits
The basic idea behind postscreen(8)
Most email is spam, and most spam is sent out by zombies (malware on compromised end-user computers). Wietse expects that the zombie problem will get worse before things improve, if ever. Without a tool like postscreen(8) that keeps the zombies away, Postfix would be spending most of its resources not receiving email.
The main challenge for postscreen(8) is to make an is-a-zombie decision based on a single measurement. This is necessary because many zombies try to fly under the radar and avoid spamming the same site repeatedly. Once postscreen(8) decides that a client is not-a-zombie, it allowlists the client temporarily to avoid further delays for legitimate mail.
Zombies have challenges too: they have only a limited amount of time to deliver spam before their IP address becomes denylisted. To speed up spam deliveries, zombies make compromises in their SMTP protocol implementation. For example, they speak before their turn, or they ignore responses from SMTP servers and continue sending mail even when the server tells them to go away.
postscreen(8) uses a variety of measurements to recognize zombies. First, postscreen(8) determines if the remote SMTP client IP address is denylisted. Second, postscreen(8) looks for protocol compromises that are made to speed up delivery. These are good indicators for making is-a-zombie decisions based on single measurements.
postscreen(8) does not inspect message content. Message content can vary from one delivery to the next, especially with clients that (also) send legitimate email. Content is not a good indicator for making is-a-zombie decisions based on single measurements, and that is the problem that postscreen(8) is focused on.
General operation
For each connection from an SMTP client, postscreen(8) performs a number of tests in the order as described below. Some tests introduce a delay of a few seconds. postscreen(8) maintains a temporary allowlist for clients that pass its tests; by allowing allowlisted clients to skip tests, postscreen(8) minimizes its impact on legitimate email traffic.
By default, postscreen(8) hands off all connections to a Postfix SMTP server process after logging its findings. This mode is useful for non-disruptive testing.
In a typical production setting, postscreen(8) is configured to reject mail from clients that fail one or more tests, after logging the helo, sender and recipient information.
Note: postscreen(8) is not an SMTP proxy; this is intentional. The purpose is to keep zombies away from Postfix, with minimal overhead for legitimate clients.
Quick tests before everything else
Before engaging in SMTP-level tests, postscreen(8) queries a number of local deny and allowlists. These tests speed up the handling of known clients.
- Permanent allow/denylist test
- Temporary allowlist test
- MX Policy test
Permanent allow/denylist test
The postscreen_access_list parameter (default: permit_mynetworks) specifies a permanent access list for SMTP client IP addresses. Typically one would specify something that allowlists local networks, followed by a CIDR table for selective permit- and denylisting.
Example:
    /etc/postfix/main.cf:
        postscreen_access_list = permit_mynetworks,
            cidr:/etc/postfix/postscreen_access.cidr

    /etc/postfix/postscreen_access.cidr:
        # Rules are evaluated in the order as specified.
        # Denylist 192.168.* except 192.168.0.1.
        192.168.0.1          permit
        192.168.0.0/16       reject
See the postscreen_access_list manpage documentation for more details.
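As an added example (not part of the Postfix documentation, and not postscreen's own C implementation), the following Python evaluates a cidr: table the way the text describes: rules are tried in file order and the first match wins, so the host entry must precede the /16 it is carved out of. The table text is a constructed copy of the example above.

```python
import ipaddress

# Constructed sample input: a copy of the postscreen_access.cidr example above.
ACCESS_CIDR = """\
# Rules are evaluated in the order as specified.
# Denylist 192.168.* except 192.168.0.1.
192.168.0.1          permit
192.168.0.0/16       reject
"""


def parse_cidr_table(text):
    """Parse a cidr: table into an ordered list of (network, action)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        pattern, action = line.split(None, 1)
        # A bare address becomes a single-host network (/32 or /128).
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return rules


def lookup(rules, client):
    """Return the action of the first rule that matches the client address.

    None means no rule matched; postscreen then goes on with its other tests.
    """
    addr = ipaddress.ip_address(client)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None


def classify(text, client):
    """Convenience wrapper: parse the table and look up one client."""
    return lookup(parse_cidr_table(text), client)


if __name__ == "__main__":
    for ip in ("192.168.0.1", "192.168.7.9", "10.0.0.5"):
        print(ip, classify(ACCESS_CIDR, ip))
```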
When the SMTP client address matches a "permit" action, postscreen(8) logs this with the client address and port number as:
ALLOWLISTED [address]:port
Use the respectful_logging configuration parameter to select a deprecated form of this logging.
The allowlist action is not configurable: immediately hand off the connection to a Postfix SMTP server process.
When the SMTP client address matches a "reject" action, postscreen(8) logs this with the client address and port number as:
DENYLISTED [address]:port
Use the respectful_logging configuration parameter to select a deprecated form of this logging.
The postscreen_denylist_action parameter specifies the action that is taken next. See "When tests fail before the 220 SMTP server greeting" below.
Temporary allowlist test
The postscreen(8) daemon maintains a temporary allowlist for SMTP client IP addresses that have passed all the tests described below. The postscreen_cache_map parameter specifies the location of the temporary allowlist. The temporary allowlist is not used for SMTP client addresses that appear on the permanent access list.
By default the temporary allowlist is not shared with other postscreen(8) daemons. See Sharing the temporary allowlist below for alternatives.
When the SMTP client address appears on the temporary allowlist, postscreen(8) logs this with the client address and port number as:
PASS OLD [address]:port
The action is not configurable: immediately hand off the connection to a Postfix SMTP server process. The client is excluded from further tests until its temporary allowlist entry expires, as controlled with the postscreen_*_ttl parameters. Expired entries are silently renewed if possible.
MX Policy test
When the remote SMTP client is not on the static access list or temporary allowlist, postscreen(8) can implement a number of allowlist tests, before it grants the client a temporary allowlist status that allows it to talk to a Postfix SMTP server process.
When postscreen(8) is configured to monitor all primary and backup MX addresses, it can refuse to allowlist clients that connect to a backup MX address only (an old spammer trick to take advantage of backup MX hosts with weaker anti-spam policies than primary MX hosts).
NOTE: The following solution is for small sites. Larger sites would have to share the postscreen(8) cache between primary and backup MTAs, which would introduce a common point of failure.
- First, configure the host to listen on both primary and backup MX addresses. Use the appropriate ifconfig or ip command for the local operating system, or update the appropriate configuration files and "refresh" the network protocol stack.
- Second, configure Postfix to listen on the new IP address (this step is needed when you have specified inet_interfaces in main.cf).
- Then, configure postscreen(8) to deny the temporary allowlist status on the backup MX address(es). An example for Wietse's server is:
    /etc/postfix/main.cf:
        postscreen_allowlist_interfaces = !168.100.189.8 static:all
Translation: allow clients to obtain the temporary allowlist status on all server IP addresses except 168.100.189.8, which is a backup MX address.
When a non-allowlisted client connects to the backup MX address, postscreen(8) logs this with the client address and port number as:
CONNECT from [address]:port to [168.100.189.8]:25
ALLOWLIST VETO [address]:port
Use the respectful_logging configuration parameter to select a deprecated form of this logging.
Translation: the client at [address]:port connected to the backup MX address 168.100.189.8 while it was not allowlisted. The client will not be granted the temporary allowlist status, even if it passes all the allowlist tests described below.
Tests before the 220 SMTP server greeting
The postscreen_greet_wait parameter specifies a short time interval before the "220 text..." server greeting, where postscreen(8) can run a number of tests in parallel.
When a good client passes these tests, and no "deep protocol tests" are configured, postscreen(8) adds the client to the temporary allowlist and hands off the "live" connection to a Postfix SMTP server process. The client can then continue as if postscreen(8) never even existed (except of course for the short postscreen_greet_wait delay).
- Pregreet test
- DNS Allow/denylist test
- When tests fail before the 220 SMTP server greeting
Pregreet test
The SMTP protocol is a classic example of a protocol where the server speaks before the client. postscreen(8) detects zombies that are in a hurry and that speak before their turn. This test is enabled by default.
The postscreen_greet_banner parameter specifies the text portion of a "220-text..." teaser banner (default: $smtpd_banner). Note that this becomes the first part of a multi-line server greeting. The postscreen(8) daemon sends this before the postscreen_greet_wait timer is started. The purpose of the teaser banner is to confuse zombies so that they speak before their turn. It has no effect on SMTP clients that correctly implement the protocol.
To avoid problems with poorly-implemented SMTP engines in network appliances or network testing tools, either exclude them from all tests with the postscreen_access_list feature or else specify an empty teaser banner:
    /etc/postfix/main.cf:
        # Exclude broken clients by allowlisting. Clients in mynetworks
        # should always be allowlisted.
        postscreen_access_list = permit_mynetworks,
            cidr:/etc/postfix/postscreen_access.cidr

    /etc/postfix/postscreen_access.cidr:
        192.168.254.0/24 permit

    /etc/postfix/main.cf:
        # Disable the teaser banner (try allowlisting first if you can).
        postscreen_greet_banner =
When an SMTP client sends a command before the postscreen_greet_wait time has elapsed, postscreen(8) logs this as:
PREGREET count after time from [address]:port text...
Translation: the client at [address]:port sent count bytes before its turn to speak. This happened time seconds after the postscreen_greet_wait timer was started. The text is what the client sent (truncated to 100 bytes, and with non-printable characters replaced with C-style escapes such as \r for carriage-return and \n for newline).
The postscreen_greet_action parameter specifies the action that is taken next. See "When tests fail before the 220 SMTP server greeting" below.
DNS Allow/denylist test
The postscreen_dnsbl_sites parameter (default: empty) specifies a list of DNS blocklist servers with optional filters and weight factors (positive weights for denylisting, negative for allowlisting). These servers will be queried in parallel with the reverse client IP address. This test is disabled by default.
Caution: when postscreen rejects mail, its SMTP reply contains the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide "password" information in DNSBL domain names.
When the postscreen_greet_wait time has elapsed, and the combined DNSBL score is equal to or greater than the postscreen_dnsbl_threshold parameter value, postscreen(8) logs this as:
DNSBL rank count for [address]:port
Translation: the SMTP client at [address]:port has a combined DNSBL score of count.
The postscreen_dnsbl_action parameter specifies the action that is taken when the combined DNSBL score is equal to or greater than the threshold. See "When tests fail before the 220 SMTP server greeting" below.
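As an added example (not from the Postfix documentation and not postscreen's own code), the Python below models the scoring described in this section: each postscreen_dnsbl_sites entry of the form domain[=filter]*weight is queried with the reversed client address, weights of matching lists are summed, and a score at or above postscreen_dnsbl_threshold produces the "DNSBL rank" log line. DNS answers come from a constructed in-memory table so it runs offline; the dnswl.example list and its negative weight are invented for the allowlisting case, and the filter parser handles only an exact address or an a.b.c.[lo..hi] range.

```python
import ipaddress
import re

# Constructed main.cf values, in the same shape as this document's example.
DNSBL_SITES = ("zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1 "
               "dnswl.example*-2")   # dnswl.example is a made-up allowlist
DNSBL_THRESHOLD = 2

# Constructed answers standing in for real DNS lookups: query name -> A records.
FAKE_DNS = {
    "4.3.2.203.zen.spamhaus.org": ["127.0.0.4"],
    "4.3.2.203.bl.spamcop.net": ["127.0.0.2"],
    "8.7.6.198.zen.spamhaus.org": ["127.0.0.2"],
    "8.7.6.198.dnswl.example": ["127.0.1.3"],
}

# domain, optional "=filter", optional "*weight" (weight may be negative)
SITE_RE = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")


def parse_sites(spec):
    """Parse postscreen_dnsbl_sites into (domain, filter, weight) tuples.

    The weight defaults to 1 when omitted.
    """
    sites = []
    for item in spec.split():
        m = SITE_RE.match(item)
        if not m:
            raise ValueError("bad postscreen_dnsbl_sites entry: " + item)
        domain, flt, weight = m.groups()
        sites.append((domain, flt, int(weight) if weight else 1))
    return sites


def reverse_query_name(client_ip, domain):
    """Build the DNSBL query name from the reversed client address."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:                       # IPv6: one reversed nibble per label
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{domain}"


def filter_matches(flt, answer):
    """Simplified filter check: no filter, exact address, or a.b.c.[lo..hi]."""
    if flt is None:
        return True
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\[(\d+)\.\.(\d+)\]", flt)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        head, last = answer.rsplit(".", 1)
        return head == prefix and lo <= int(last) <= hi
    return flt == answer


def dnsbl_score(client_ip, spec, resolver):
    """Sum the weights of every list whose answer passes its filter."""
    score = 0
    for domain, flt, weight in parse_sites(spec):
        answers = resolver.get(reverse_query_name(client_ip, domain), [])
        if any(filter_matches(flt, a) for a in answers):
            score += weight
    return score


def dnsbl_verdict(client_ip, port, spec=DNSBL_SITES,
                  threshold=DNSBL_THRESHOLD, resolver=FAKE_DNS):
    """Return (score, log line) where the log line is None below threshold."""
    score = dnsbl_score(client_ip, spec, resolver)
    if score >= threshold:
        return score, f"DNSBL rank {score} for [{client_ip}]:{port}"
    return score, None


if __name__ == "__main__":
    for ip in ("203.2.3.4", "198.6.7.8"):
        print(dnsbl_verdict(ip, 51234))
```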
When tests fail before the 220 SMTP server greeting
When the client address matches the permanent denylist, or when the client fails the pregreet or DNSBL tests, the action is specified with postscreen_denylist_action, postscreen_greet_action, or postscreen_dnsbl_action, respectively.
- ignore (default): Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
Tests after the 220 SMTP server greeting
In this phase of the protocol, postscreen(8) implements a number of "deep protocol" tests. These tests use an SMTP protocol engine that is built into the postscreen(8) server.
Important note: these protocol tests are disabled by default. They are more intrusive than the pregreet and DNSBL tests, and they have limitations as discussed next.
- The main limitation of "after 220 greeting" tests is that a new client must disconnect after passing these tests (reason: postscreen is not a proxy). So the client must reconnect from the same IP address before it can deliver mail. The following measures may help to avoid email delays:
  - Allow "good" clients to skip tests with the postscreen_dnsbl_allowlist_threshold feature. This is particularly effective for large providers that usually don't retry from the same IP address.
  - Small sites: Configure postscreen(8) to listen on multiple IP addresses, published in DNS as different IP addresses for the same MX hostname or for different MX hostnames. This avoids mail delivery delays with clients that reconnect immediately from the same IP address.
  - Large sites: Share the postscreen(8) cache between different Postfix MTAs with a large-enough memcache_table(5). Again, this avoids mail delivery delays with clients that reconnect immediately from the same IP address.
- postscreen(8)'s built-in SMTP engine does not implement the AUTH, XCLIENT, and XFORWARD features. If you need to make these services available on port 25, then do not enable the tests after the 220 server greeting.
- End-user clients should connect directly to the submission service, so that they never have to deal with postscreen(8)'s tests.
The following "after 220 greeting" tests are available:
- Command pipelining test
- Non-SMTP command test
- Bare newline test
- When tests fail after the 220 SMTP server greeting
Command pipelining test
By default, SMTP is a half-duplex protocol: the sender and receiver send one command and one response at a time. Unlike the Postfix SMTP server, postscreen(8) does not announce support for ESMTP command pipelining. Therefore, clients are not allowed to send multiple commands. postscreen(8)'s deep protocol test for this is disabled by default.
With "postscreen_pipelining_enable = yes", postscreen(8) detects zombies that send multiple commands, instead of sending one command and waiting for the server to reply.
This test is opportunistically enabled when postscreen(8) has to use the built-in SMTP engine anyway. This is to make postscreen(8) logging more informative.
When a client sends multiple commands, postscreen(8) logs this as:
COMMAND PIPELINING from [address]:port after command: text
Translation: the SMTP client at [address]:port sent multiple SMTP commands, instead of sending one command and then waiting for the server to reply. This happened after the client sent command. The text shows part of the input that was sent too early; it is not logged with Postfix 2.8.
The postscreen_pipelining_action parameter specifies the action that is taken next. See "When tests fail after the 220 SMTP server greeting" below.
Non-SMTP command test
Some spambots send their mail through open proxies. A symptom of this is the usage of commands such as CONNECT and other non-SMTP commands. Just like the Postfix SMTP server's smtpd_forbidden_commands feature, postscreen(8) has an equivalent postscreen_forbidden_commands feature to block these clients. postscreen(8)'s deep protocol test for this is disabled by default.
With "postscreen_non_smtp_command_enable = yes", postscreen(8) detects zombies that send commands specified with the postscreen_forbidden_commands parameter. This also detects commands with the syntax of a message header label. The latter is a symptom that the client is sending message content after ignoring all the responses from postscreen(8) that reject mail.
This test is opportunistically enabled when postscreen(8) has to use the built-in SMTP engine anyway. This is to make postscreen(8) logging more informative.
When a client sends non-SMTP commands, postscreen(8) logs this as:
NON-SMTP COMMAND from [address]:port after command: text
Translation: the SMTP client at [address]:port sent a command that matches the postscreen_forbidden_commands parameter, or that has the syntax of a message header label (text followed by optional space and ":"). The " after command " portion is logged with Postfix 2.10 and later.
The postscreen_non_smtp_command_action parameter specifies the action that is taken next. See "When tests fail after the 220 SMTP server greeting" below.
Bare newline test
SMTP is a line-oriented protocol: lines have a limited length, and are terminated with <CR><LF>. Lines ending in a "bare" <LF>, that is newline not preceded by carriage return, are not allowed in SMTP. postscreen(8)'s deep protocol test for this is disabled by default.
With "postscreen_bare_newline_enable = yes", postscreen(8) detects clients that send lines ending in bare newline characters.
This test is opportunistically enabled when postscreen(8) has to use the built-in SMTP engine anyway. This is to make postscreen(8) logging more informative.
When a client sends bare newline characters, postscreen(8) logs this as:
BARE NEWLINE from [address]:port after command
Translation: the SMTP client at [address]:port sent a bare newline character, that is newline not preceded by carriage return. The " after command " portion is logged with Postfix 2.10 and later.
The postscreen_bare_newline_action parameter specifies the action that is taken next. See "When tests fail after the 220 SMTP server greeting" below.
When tests fail after the 220 SMTP server greeting
When the client fails the pipelining, non-SMTP command or bare newline tests, the action is specified with postscreen_pipelining_action, postscreen_non_smtp_command_action or postscreen_bare_newline_action, respectively.
- ignore (default for bare newline): Ignore the failure of this test. Allow other tests to complete. Do NOT repeat this test before the result from other tests expires. This option is useful for testing and collecting statistics without blocking mail permanently.
- enforce (default for pipelining): Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop (default for non-SMTP commands): Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects. This action is compatible with the Postfix SMTP server's smtpd_forbidden_commands feature.
Other errors
When an SMTP client hangs up unexpectedly, postscreen(8) logs this as:
HANGUP after time from [address]:port in test name
Translation: the SMTP client at [address]:port disconnected unexpectedly, time seconds after the start of the test named test name.
There is no punishment for hanging up. A client that hangs up without sending the QUIT command can still pass all postscreen(8) tests.
The following errors are reported by the built-in SMTP engine. This engine never accepts mail, therefore it has per-session limits on the number of commands and on the session length.
COMMAND TIME LIMIT from [address]:port after command
Translation: the SMTP client at [address]:port reached the per-command time limit as specified with the postscreen_command_time_limit parameter. The session is terminated immediately. The " after command " portion is logged with Postfix 2.10 and later.
COMMAND COUNT LIMIT from [address]:port after command
Translation: the SMTP client at [address]:port reached the per-session command count limit as specified with the postscreen_command_count_limit parameter. The session is terminated immediately. The " after command " portion is logged with Postfix 2.10 and later.
COMMAND LENGTH LIMIT from [address]:port after command
Translation: the SMTP client at [address]:port reached the per-command length limit, as specified with the line_length_limit parameter. The session is terminated immediately. The " after command " portion is logged with Postfix 2.10 and later.
When an SMTP client makes too many connections at the same time, postscreen(8) rejects the connection with a 421 status code and logs:
NOQUEUE: reject: CONNECT from [address]:port: too many connections
The postscreen_client_connection_count_limit parameter controls this limit.
When an SMTP client connects after postscreen(8) has reached a connection count limit, postscreen(8) rejects the connection with a 421 status code and logs:
NOQUEUE: reject: CONNECT from [address]:port: all screening ports busy
NOQUEUE: reject: CONNECT from [address]:port: all server ports busy
The postscreen_pre_queue_limit and postscreen_post_queue_limit parameters control these limits.
When all tests succeed
When a new SMTP client passes all tests (i.e. it is not allowlisted via some mechanism), postscreen(8) logs this as:
PASS NEW [address]:port
Where [address]:port are the client IP address and port. Then, postscreen(8) creates a temporary allowlist entry that excludes the client IP address from further tests until the temporary allowlist entry expires, as controlled with the postscreen_*_ttl parameters.
When no "deep protocol tests" are configured, postscreen(8) hands off the "live" connection to a Postfix SMTP server process. The client can then continue as if postscreen(8) never even existed (except for the short postscreen_greet_wait delay).
When any "deep protocol tests" are configured, postscreen(8) cannot hand off the "live" connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect. The next time the client connects it will be allowed to talk to a Postfix SMTP server process to deliver its mail. postscreen(8) mitigates the impact of this limitation by giving deep protocol tests a long expiration time.
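The log formats described in the sections above are what an operator reviews while postscreen runs in its default log-only mode, before switching any action to "enforce". As an added example (not from the Postfix documentation), the Python below parses a constructed sample of such log lines, counts each event type, and lists the clients that would have been rejected by the pregreet or DNSBL tests under "enforce". The sample lines, the syslog prefix and the hostname "mx" are constructed; the test names in the HANGUP line are assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (syslog prefix plus the message formats this
# document describes); not captured from a real server.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix/postscreen[2150]: CONNECT from [203.0.113.5]:52341 to [192.0.2.10]:25
Mar  1 10:00:01 mx postfix/postscreen[2150]: PREGREET 14 after 0.08 from [203.0.113.5]:52341: EHLO spam\\r\\n
Mar  1 10:00:06 mx postfix/postscreen[2150]: DNSBL rank 3 for [203.0.113.5]:52341
Mar  1 10:00:06 mx postfix/postscreen[2150]: HANGUP after 5.1 from [203.0.113.5]:52341 in tests before SMTP handshake
Mar  1 10:00:10 mx postfix/postscreen[2150]: CONNECT from [198.51.100.7]:41002 to [192.0.2.10]:25
Mar  1 10:00:16 mx postfix/postscreen[2150]: PASS NEW [198.51.100.7]:41002
Mar  1 10:01:00 mx postfix/postscreen[2150]: CONNECT from [198.51.100.7]:41010 to [192.0.2.10]:25
Mar  1 10:01:00 mx postfix/postscreen[2150]: PASS OLD [198.51.100.7]:41010
Mar  1 10:02:00 mx postfix/postscreen[2150]: CONNECT from [192.168.254.9]:33000 to [192.0.2.10]:25
Mar  1 10:02:00 mx postfix/postscreen[2150]: ALLOWLISTED [192.168.254.9]:33000
Mar  1 10:03:00 mx postfix/postscreen[2150]: NOQUEUE: reject: CONNECT from [203.0.113.77]:6000: too many connections
"""

MSG_RE = re.compile(r"postfix/postscreen\[\d+\]: (.*)$")
ADDR_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]:(\d+)")
# Event names as they open the log message; "NOQUEUE: reject" must be
# tested before "CONNECT" because a reject line also contains "CONNECT".
EVENTS = ("PREGREET", "DNSBL rank", "HANGUP", "PASS NEW", "PASS OLD",
          "ALLOWLISTED", "DENYLISTED", "ALLOWLIST VETO", "COMMAND PIPELINING",
          "NON-SMTP COMMAND", "BARE NEWLINE", "NOQUEUE: reject", "CONNECT")


def parse_line(line):
    """Turn one postscreen log line into a dict, or None if not recognized."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.group(1)
    event = next((e for e in EVENTS if msg.startswith(e)), None)
    a = ADDR_RE.search(msg)          # first [address]:port is the client
    if event is None or a is None:
        return None
    rec = {"event": event, "client": a.group(1), "port": int(a.group(2))}
    if event == "PREGREET":
        # PREGREET count after time from [address]:port text...
        pm = re.match(r"PREGREET (\d+) after ([\d.]+) from \[[^\]]+\]:\d+: (.*)", msg)
        rec.update(count=int(pm.group(1)), delay=float(pm.group(2)), text=pm.group(3))
    elif event == "DNSBL rank":
        # DNSBL rank count for [address]:port
        rec["score"] = int(re.match(r"DNSBL rank (\d+)", msg).group(1))
    elif event == "HANGUP":
        # HANGUP after time from [address]:port in test name
        hm = re.match(r"HANGUP after ([\d.]+) from \[[^\]]+\]:\d+ in (.*)", msg)
        rec.update(delay=float(hm.group(1)), test=hm.group(2))
    elif event == "NOQUEUE: reject":
        rec["reason"] = msg.rsplit(": ", 1)[1]
    return rec


def summarize(log_text):
    """Return (event counts, events per client, clients enforce would reject).

    A client is counted as "would block" when it triggered PREGREET or a
    DNSBL rank line and never reached PASS NEW in the sample.
    """
    counts = Counter()
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["event"]] += 1
        if rec["event"] != "CONNECT":
            per_client[rec["client"]].append(rec["event"])
    would_block = sorted(
        c for c, evs in per_client.items()
        if {"PREGREET", "DNSBL rank"} & set(evs) and "PASS NEW" not in evs)
    return counts, dict(per_client), would_block


if __name__ == "__main__":
    counts, per_client, would_block = summarize(SAMPLE_LOG)
    for event, n in counts.most_common():
        print(f"{n:4d}  {event}")
    print("would be rejected under enforce:", would_block)
```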
Configuring the postscreen(8) service
postscreen(8) has been tested on FreeBSD [4-8], Linux 2.[4-6] and Solaris 9 systems.
- Turning on postscreen(8) without blocking mail
- postscreen(8) TLS configuration
- Blocking mail with postscreen(8)
- Turning off postscreen(8)
- Sharing the temporary allowlist
Turning on postscreen(8) without blocking mail
To enable the postscreen(8) service and log client information without blocking mail:
- Make sure that local clients and systems with non-standard SMTP implementations are excluded from any postscreen(8) tests. The default is to exclude all clients in mynetworks. To exclude additional clients, for example, third-party performance monitoring tools (these tend to have broken SMTP implementations):
    /etc/postfix/main.cf:
        # Exclude broken clients by allowlisting. Clients in mynetworks
        # should always be allowlisted.
        postscreen_access_list = permit_mynetworks,
            cidr:/etc/postfix/postscreen_access.cidr

    /etc/postfix/postscreen_access.cidr:
        192.168.254.0/24 permit
- Comment out the "smtp inet ... smtpd" service in master.cf, including any "-o parameter=value" entries that follow.
    /etc/postfix/master.cf:
        #smtp      inet  n       -       n       -       -       smtpd
        #    -o parameter=value ...
- Uncomment the new "smtpd pass ... smtpd" service in master.cf, and duplicate any "-o parameter=value" entries from the smtpd service that was commented out in the previous step.
    /etc/postfix/master.cf:
        smtpd     pass  -       -       n       -       -       smtpd
            -o parameter=value ...
- Uncomment the new "smtp inet ... postscreen" service in master.cf.
    /etc/postfix/master.cf:
        smtp      inet  n       -       n       -       1       postscreen
- Uncomment the new "tlsproxy unix ... tlsproxy" service in master.cf. This service implements STARTTLS support for postscreen(8).
    /etc/postfix/master.cf:
        tlsproxy  unix  -       -       n       -       0       tlsproxy
- Uncomment the new "dnsblog unix ... dnsblog" service in master.cf. This service does DNSBL lookups for postscreen(8) and logs results.
    /etc/postfix/master.cf:
        dnsblog   unix  -       -       n       -       0       dnsblog
- To enable DNSBL lookups, list some DNS blocklist sites in main.cf, separated by whitespace. Different sites can have different weights. For example:
    /etc/postfix/main.cf:
        postscreen_dnsbl_threshold = 2
        postscreen_dnsbl_sites = zen.spamhaus.org*2
            bl.spamcop.net*1 b.barracudacentral.org*1
  Note: if your DNSBL queries have a "secret" in the domain name, you must censor this information from the postscreen(8) SMTP replies. For example:
    /etc/postfix/main.cf:
        postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

    /etc/postfix/dnsbl_reply:
        # Secret DNSBL name               Name in postscreen(8) replies
        secret.zen.dq.spamhaus.net        zen.spamhaus.org
  The texthash: format is similar to hash: except that there is no need to run postmap(1) before the file can be used, and that it does not detect changes after the file is read. It is new with Postfix version 2.8.
- Read the new configuration with "postfix reload".
Notes:
- Some postscreen(8) configuration parameters implement stress-dependent behavior. This is supported only when the default value is stress-dependent (that is, "postconf -d parametername" output shows "parametername = ${stress?something}${stress:something}" or "parametername = ${stress?{something}:{something}}"). Other parameters always evaluate as if the stress value is the empty string.
- See "Tests before the 220 SMTP server greeting" for details about the logging from these postscreen(8) tests.
- If you run Postfix 2.6 or earlier you must stop and start the master daemon ("postfix stop; postfix start"). This is needed because the Postfix "pass" master service type did not work reliably on all systems.
postscreen(8) TLS configuration
postscreen(8) TLS support is available for remote SMTP clients that aren't allowlisted, including clients that need to renew their temporary allowlist status. When a remote SMTP client requests TLS service, postscreen(8) invisibly hands off the connection to a tlsproxy(8) process. Then, tlsproxy(8) encrypts and decrypts the traffic between postscreen(8) and the remote SMTP client. One tlsproxy(8) process can handle multiple SMTP sessions. The number of tlsproxy(8) processes slowly increases with server load, but it should always be much smaller than the number of postscreen(8) TLS sessions.
TLS support for postscreen(8) and tlsproxy(8) uses the same parameters as with smtpd(8). We recommend that you keep the relevant configuration parameters in main.cf. If you must specify "-o smtpd_mumble=value" parameter overrides in master.cf for a postscreen-protected smtpd(8) service, then you should specify those same parameter overrides for the postscreen(8) and tlsproxy(8) services.
Blocking mail with postscreen(8)
For compatibility with smtpd(viii), postscreen(viii) implements the soft_bounce safety characteristic. This causes Postfix to decline post with a "try again" reply code.
-
To turn this on for all of Postfix, specify "soft_bounce = yes" in primary.cf.
-
To turn this on for postscreen(viii) but, suspend "-o soft_bounce=yes" (notation: NO SPACES around '=') to the postscreen entry in primary.cf.
Execute "postfix reload" to brand the change effective.
After testing, do non forget to remove the soft_bounce characteristic, otherwise senders won't receive their non-delivery notification until many days later on.
To use the postscreen(8) service to block mail, edit main.cf and specify one or more of:
- "postscreen_dnsbl_action = enforce", to reject clients that are on DNS blocklists, and to log the helo/sender/recipient information. With good DNSBLs this reduces the amount of load on Postfix SMTP servers dramatically.
- "postscreen_greet_action = enforce", to reject clients that talk before their turn, and to log the helo/sender/recipient information. This stops over half of all known-to-be illegitimate connections to Wietse's mail server. It is backup protection for zombies that haven't yet been denylisted.
- You can also enable "deep protocol tests", but these are more intrusive than the pregreet or DNSBL tests.
  When a good client passes the "deep protocol tests", postscreen(8) adds the client to the temporary allowlist but it cannot hand off the "live" connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect.
  When the good client comes back in a later session, it is allowed to talk directly to a Postfix SMTP server. See "Tests after the 220 SMTP server greeting" above for limitations with AUTH and other features that clients may require.
  An unexpected benefit from "deep protocol tests" is that some "good" clients don't return after the 4XX reply; these clients were not so good after all.
  Unfortunately, some senders will retry requests from different IP addresses, and may never get allowlisted. For this reason, Wietse stopped using "deep protocol tests" on his own internet-facing mail server.
- There is also support for permanent denylisting and allowlisting; see the description of the postscreen_access_list parameter for details.
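With the enforce actions above, every decision ends up in the mail log, so the cheapest way to see what postscreen(8) is doing is to group its log lines by client session. The script below is an added example and is not part of the Postfix documentation: it parses CONNECT, PREGREET, "DNSBL rank", "NOQUEUE: reject" and "PASS NEW/OLD" lines, classifies each session as rejected (5XX), deferred (4XX, as after soft_bounce or the deep protocol tests), allowlisted or passed, and counts which pre-greeting test fired for the rejects. The log lines embedded in it are constructed samples in the format postscreen(8) writes, using documentation IP ranges and a placeholder DNSBL name; the function names are this example's own.

```python
"""Summarize postscreen(8) decisions from syslog-style log lines.

Added example, not part of the Postfix documentation. SAMPLE_LOG is a set of
constructed lines in the postscreen(8) log format (documentation IP ranges,
placeholder DNSBL "dnsbl.example"); function names are this example's own.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: one spambot (pregreet + DNSBL, rejected in enforce
# mode), one client deferred with 4XX, one allowlisted client, one new client.
SAMPLE_LOG = """\
Jan  1 12:00:00 mx postfix/postscreen[1234]: CONNECT from [192.0.2.10]:40001 to [198.51.100.1]:25
Jan  1 12:00:00 mx postfix/postscreen[1234]: PREGREET 11 after 0.05 from [192.0.2.10]:40001: EHLO spam\\r\\n
Jan  1 12:00:01 mx postfix/postscreen[1234]: DNSBL rank 3 for [192.0.2.10]:40001
Jan  1 12:00:02 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.10]:40001: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using dnsbl.example; from=<a@example.net>, to=<b@example.org>, proto=ESMTP, helo=<spam>
Jan  1 12:00:02 mx postfix/postscreen[1234]: DISCONNECT [192.0.2.10]:40001
Jan  1 12:00:05 mx postfix/postscreen[1234]: CONNECT from [192.0.2.11]:40002 to [198.51.100.1]:25
Jan  1 12:00:07 mx postfix/postscreen[1234]: NOQUEUE: reject: RCPT from [192.0.2.11]:40002: 450 4.3.2 Service currently unavailable; from=<c@example.net>, to=<d@example.org>, proto=ESMTP, helo=<mail.example.net>
Jan  1 12:00:07 mx postfix/postscreen[1234]: DISCONNECT [192.0.2.11]:40002
Jan  1 12:00:09 mx postfix/postscreen[1234]: CONNECT from [203.0.113.5]:40003 to [198.51.100.1]:25
Jan  1 12:00:09 mx postfix/postscreen[1234]: PASS OLD [203.0.113.5]:40003
Jan  1 12:00:12 mx postfix/postscreen[1234]: CONNECT from [203.0.113.6]:40004 to [198.51.100.1]:25
Jan  1 12:00:18 mx postfix/postscreen[1234]: PASS NEW [203.0.113.6]:40004
"""

# The client "[ip]:port" identifies one session; it is the first such token
# on every postscreen(8) line (the "to [...]" server address comes later).
SESSION_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]:(?P<port>\d+)")
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<code>\d{3}) (?P<text>[^;]*);"
    r"(?: client \[[^\]]+\] blocked using (?P<dnsbl>\S+);)?"
    r".*helo=<(?P<helo>[^>]*)>")


def parse_postscreen_log(text):
    """Group postscreen(8) log lines by session ("ip:port") into event lists."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if "postfix/postscreen[" not in line:
            continue                       # other daemons' lines are ignored
        msg = line.split("]: ", 1)[1]      # text after "postscreen[pid]: "
        m = SESSION_RE.search(msg)
        if m is None:
            continue
        key = f"{m['ip']}:{m['port']}"
        if msg.startswith("CONNECT"):
            sessions[key].append({"event": "CONNECT"})
        elif msg.startswith("PREGREET"):
            sessions[key].append({"event": "PREGREET"})
        elif msg.startswith("DNSBL rank"):
            sessions[key].append({"event": "DNSBL", "rank": int(msg.split()[2])})
        elif msg.startswith("PASS OLD"):
            sessions[key].append({"event": "PASS_OLD"})
        elif msg.startswith("PASS NEW"):
            sessions[key].append({"event": "PASS_NEW"})
        elif msg.startswith("NOQUEUE: reject:"):
            r = REJECT_RE.search(msg)
            if r:
                sessions[key].append({"event": "REJECT", "code": r["code"],
                                      "dnsbl": r["dnsbl"], "helo": r["helo"]})
    return dict(sessions)


def classify_session(events):
    """Reduce one session to (outcome, pre-greeting tests that fired)."""
    kinds = [e["event"] for e in events]
    triggered = [k for k in ("PREGREET", "DNSBL") if k in kinds]
    if "PASS_OLD" in kinds:
        outcome = "allowlisted"    # on the temporary allowlist, tests skipped
    elif "PASS_NEW" in kinds:
        outcome = "passed"         # passed the tests in this session
    else:
        rejects = [e for e in events if e["event"] == "REJECT"]
        if not rejects:
            outcome = "no-decision"
        elif rejects[0]["code"].startswith("5"):
            outcome = "rejected"   # enforce mode: permanent reject
        else:
            outcome = "deferred"   # 4XX: soft_bounce, or deep protocol tests
    return outcome, triggered


def summarize(sessions):
    """Count outcomes; for rejected sessions, count which test fired."""
    outcomes, reject_reasons = Counter(), Counter()
    for events in sessions.values():
        outcome, triggered = classify_session(events)
        outcomes[outcome] += 1
        if outcome == "rejected":
            reject_reasons.update(triggered or ["other"])
    return outcomes, reject_reasons


if __name__ == "__main__":
    outcomes, reasons = summarize(parse_postscreen_log(SAMPLE_LOG))
    print("outcomes:", dict(outcomes))
    print("tests behind rejects:", dict(reasons))
```

Feed it the postfix lines from the mail log (for example the output of grep postscreen on /var/log/mail.log) instead of SAMPLE_LOG; a rising "deferred" count after enabling the deep protocol tests is the 4XX hand-off described above, and the "no-decision" bucket catches sessions that disconnected before any verdict.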
Turning off postscreen(8)
To turn off postscreen(8) and handle mail directly with Postfix SMTP server processes:
- Comment out the "smtp inet ... postscreen" service in master.cf, including any "-o parameter=value" entries that follow.
    /etc/postfix/master.cf:
        #smtp      inet  n       -       n       -       1       postscreen
        #    -o parameter=value ...
- Comment out the "dnsblog unix ... dnsblog" service in master.cf.
    /etc/postfix/master.cf:
        #dnsblog   unix  -       -       n       -       0       dnsblog
- Comment out the "smtpd pass ... smtpd" service in master.cf, including any "-o parameter=value" entries that follow.
    /etc/postfix/master.cf:
        #smtpd     pass  -       -       n       -       -       smtpd
        #    -o parameter=value ...
- Comment out the "tlsproxy unix ... tlsproxy" service in master.cf, including any "-o parameter=value" entries that follow.
    /etc/postfix/master.cf:
        #tlsproxy  unix  -       -       n       -       0       tlsproxy
        #    -o parameter=value ...
- Uncomment the "smtp inet ... smtpd" service in master.cf, including any "-o parameter=value" entries that may follow.
    /etc/postfix/master.cf:
        smtp      inet  n       -       n       -       -       smtpd
            -o parameter=value ...
- Read the new configuration with "postfix reload".
Sharing the temporary allowlist
By default, the temporary allowlist is not shared between multiple postscreen(8) daemons. To enable sharing, choose one of the following options:
- A non-persistent memcache: temporary allowlist can be shared between postscreen(8) daemons on the same host or different hosts. Disable cache cleanup (postscreen_cache_cleanup_interval = 0) in all postscreen(8) daemons because memcache: has no first-next API (but see example 4 below for memcache: with persistent backup). This requires Postfix 2.9 or later.
    # Example 1: non-persistent memcache: allowlist.
    /etc/postfix/main.cf:
        postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
        postscreen_cache_cleanup_interval = 0
    /etc/postfix/postscreen_cache:
        memcache = inet:127.0.0.1:11211
        key_format = postscreen:%s
- A persistent lmdb: temporary allowlist can be shared between postscreen(8) daemons that run under the same master(8) daemon, or under different master(8) daemons on the same host. Disable cache cleanup (postscreen_cache_cleanup_interval = 0) in all postscreen(8) daemons except one that is responsible for cache cleanup. This requires Postfix 2.11 or later.
    # Example 2: persistent lmdb: allowlist.
    /etc/postfix/main.cf:
        postscreen_cache_map = lmdb:$data_directory/postscreen_cache
        # See note 1 below.
        # postscreen_cache_cleanup_interval = 0
- Other kinds of persistent temporary allowlist can be shared only between postscreen(8) daemons that run under the same master(8) daemon. In this case, temporary allowlist access must be shared through the proxymap(8) daemon. This requires Postfix 2.9 or later.
    # Example 3: proxied btree: allowlist.
    /etc/postfix/main.cf:
        postscreen_cache_map = proxy:btree:/var/lib/postfix/postscreen_cache
        # See note 1 below.
        # postscreen_cache_cleanup_interval = 0

    # Example 4: proxied btree: allowlist with memcache: accelerator.
    /etc/postfix/main.cf:
        postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
        proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache
            ... other proxied tables ...
        # See note 1 below.
        # postscreen_cache_cleanup_interval = 0
    /etc/postfix/postscreen_cache:
        # Note: the $data_directory macro is not defined in this context.
        memcache = inet:127.0.0.1:11211
        backup = proxy:btree:/var/lib/postfix/postscreen_cache
        key_format = postscreen:%s
Note 1: disable cache cleanup (postscreen_cache_cleanup_interval = 0) in all postscreen(8) daemons except one that is responsible for cache cleanup.
Note 2: postscreen(8) cache sharing via proxymap(8) requires Postfix 2.9 or later; earlier proxymap(8) implementations don't support cache cleanup.
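The two rules in this section are easy to get wrong once several postscreen(8) daemons (multiple Postfix instances, or the same instance on several hosts) point at one cache: a memcache: map without a backup must have cache cleanup disabled everywhere, and a shared persistent map must have exactly one cleaner (note 1). The checker below is an added example and not part of Postfix: given the main.cf text of each daemon and the memcache: client configuration files they reference, it reports daemons that clean a backup-less memcache: map, shared maps with zero or more than one cleaner, and maps shared without proxy: or lmdb:. The configuration texts are constructed samples, the function names and the one-finding-per-line format are this example's own, and parameter expansion is limited to $name references within the same file (the default postscreen_cache_map and 12h cleanup interval are Postfix's documented defaults).

```python
"""Check that several postscreen(8) daemons share a temporary allowlist safely.

Added example, not part of the Postfix documentation. SAMPLE_INSTANCES and
SAMPLE_MEMCACHE_CONFIGS are constructed main.cf / memcache: client texts;
function names and the findings format are this example's own.
"""
import re
from collections import defaultdict

# Postfix defaults for the two parameters this check cares about.
DEFAULT_CACHE_MAP = "btree:$data_directory/postscreen_cache"
DEFAULT_CLEANUP_INTERVAL = "12h"

# Constructed: two daemons on a memcache: map, three on one lmdb: map.
SAMPLE_INSTANCES = {
    # Example 1 style: memcache: with cleanup disabled (correct).
    "mx1": "postscreen_cache_map = memcache:/etc/postfix/postscreen_cache\n"
           "postscreen_cache_cleanup_interval = 0\n",
    # Same memcache: map, cleanup left at its default (wrong).
    "mx2": "postscreen_cache_map = memcache:/etc/postfix/postscreen_cache\n",
    # Example 2 style: one lmdb: map, but two daemons still run cleanup (wrong).
    "inst-a": "data_directory = /var/lib/postfix\n"
              "postscreen_cache_map = lmdb:$data_directory/postscreen_cache\n",
    "inst-b": "data_directory = /var/lib/postfix\n"
              "postscreen_cache_map = lmdb:$data_directory/postscreen_cache\n"
              "postscreen_cache_cleanup_interval = 0\n",
    "inst-c": "data_directory = /var/lib/postfix\n"
              "postscreen_cache_map = lmdb:$data_directory/postscreen_cache\n",
}
SAMPLE_MEMCACHE_CONFIGS = {
    "/etc/postfix/postscreen_cache":
        "memcache = inet:127.0.0.1:11211\nkey_format = postscreen:%s\n",
}


def parse_postfix_config(text):
    """Parse "name = value" lines (comments, blanks ignored); expand $name
    references against the same file, one level deep."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()

    def expand(value):
        return re.sub(r"\$\{?(\w+)\}?",
                      lambda m: params.get(m.group(1), m.group(0)), value)

    return {name: expand(value) for name, value in params.items()}


def cleanup_enabled(params):
    """True unless postscreen_cache_cleanup_interval is zero (0, 0s, 0h, ...)."""
    value = params.get("postscreen_cache_cleanup_interval", DEFAULT_CLEANUP_INTERVAL)
    return re.fullmatch(r"0+[smhdw]?", value) is None


def check_cache_sharing(instances, memcache_configs):
    """instances: {daemon name: main.cf text}; memcache_configs: {path: text}.
    Returns a list of "ERROR ..."/"WARNING ..." findings (empty when fine)."""
    findings = []
    store_users = defaultdict(list)          # persistent map -> [(daemon, cleans)]
    for name, text in instances.items():
        params = parse_postfix_config(text)
        cache_map = params.get("postscreen_cache_map", DEFAULT_CACHE_MAP)
        cache_map = cache_map.replace("$data_directory",
                                      params.get("data_directory", "$data_directory"))
        cleans = cleanup_enabled(params)
        if cache_map.startswith("memcache:"):
            # The memcache: client file may name a persistent backup (example 4);
            # $data_directory is deliberately not expanded there.
            client = parse_postfix_config(
                memcache_configs.get(cache_map[len("memcache:"):], ""))
            backup = client.get("backup")
            if backup is None:
                if cleans:
                    findings.append(f"ERROR {name}: memcache: map without backup "
                                    "needs postscreen_cache_cleanup_interval = 0")
                continue                      # nothing persistent to clean
            store = backup
        else:
            store = cache_map
        store_users[store].append((name, cleans))

    for store, users in store_users.items():
        if len(users) < 2:
            continue                          # not shared, nothing to check
        if not store.startswith(("proxy:", "lmdb:")):
            findings.append(f"WARNING {store}: shared by {len(users)} daemons "
                            "but is neither proxy: nor lmdb:")
        cleaners = [n for n, c in users if c]
        if len(cleaners) > 1:
            findings.append(f"ERROR {store}: cache cleanup enabled in "
                            f"{', '.join(cleaners)}; exactly one daemon should clean")
        elif not cleaners:
            findings.append(f"WARNING {store}: no daemon runs cache cleanup")
    return findings


if __name__ == "__main__":
    for finding in check_cache_sharing(SAMPLE_INSTANCES, SAMPLE_MEMCACHE_CONFIGS):
        print(finding)
```

On a real deployment, feed it the output of "postconf -n" from each instance (and each memcache: client file) rather than the constructed texts; daemons on different hosts that share a memcache: server should be included as well, since the cleanup rule applies to all of them.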
Historical notes and credits
Many ideas in postscreen(8) were explored in earlier work by Michael Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
Wietse threw together a crude prototype with pregreet and dnsbl support in June 2009, because he needed something new for a Mailserver conference presentation in July. Ralf Hildebrandt ran this code on several servers to collect real-world statistics. This version used the dnsblog(8) ad-hoc DNS client program.
Wietse needed new material for a LISA conference presentation in November 2010, so he added support for DNSBL weights and filters in August, followed by a major code rewrite, deep protocol tests, helo/sender/recipient logging, and stress-adaptive behavior in September. Ralf Hildebrandt ran this code on several servers to collect real-world statistics. This version still used the embarrassing dnsblog(8) ad-hoc DNS client program.
Wietse added STARTTLS support in December 2010. This makes postscreen(8) usable for sites that require TLS support. The implementation introduces the tlsproxy(8) event-driven TLS proxy that decrypts/encrypts the sessions for multiple SMTP clients.
The tlsproxy(8) implementation led to the discovery of a "new" class of vulnerability (CVE-2011-0411) that affected multiple implementations of SMTP, POP, IMAP, NNTP, and FTP over TLS.
postscreen(8) was officially released as part of the Postfix 2.8 stable release in January 2011.
Noel Jones helped with the Postfix 3.6 transition towards respectful documentation.
Source: http://www.postfix.org/POSTSCREEN_README.html