postscreen

Last updated: 2017-12-11

Introduction

One process handles multiple inbound SMTP connections and decides which clients may talk to a Postfix SMTP server process.

postscreen maintains a temporary whitelist for clients that pass its tests, which minimizes its impact on legitimate email traffic.

postscreen(8) is not an SMTP proxy; this is intentional.

The purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic.


Configuring postscreen

master.cf

#smtp     inet  n       -       -       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd

# pass

unix: the service listens on a UNIX-domain socket and is accessible to local clients only.
pass: the same as unix, except that it receives one open connection (file descriptor passing) per connection request; that is what sets pass apart from unix.


Whitelist an IP

 * postscreen does not support whitelisting by domain name (i.e. by the sender address, user@domain); it works on client IP addresses only.

Configuring whitelisted IPs

This test is executed immediately after a remote SMTP client connects.

If a client is permanently whitelisted, the client will be handed off immediately to a Postfix SMTP server process.

/etc/postfix/main.cf

postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr

/etc/postfix/postscreen_access.cidr:

# Rules are evaluated in the order as specified
# Blacklist 192.168.* except 192.168.0.1
192.168.0.1          permit
192.168.0.0/16       reject

# Permit local clients
127.0.0.0/8          permit

# dunno: all postscreen access lists implicitly have this command at the end,
# so a client that matches none of the rules above is treated as not listed.

 * After editing postscreen_access.cidr, a "postfix reload" is all that is needed.
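To check how a given client address would be classified by the access list above before reloading Postfix, here is an added Python example (not code from this page or from the Postfix project). It emulates the first-match evaluation of a cidr: table with the implicit trailing dunno, with the permit_mynetworks lookup in front of it as in the main.cf above; ACCESS_CIDR is a constructed copy of the file shown, and the $mynetworks value passed in the usage is an assumption.

```python
import ipaddress

# Constructed copy of the /etc/postfix/postscreen_access.cidr shown above
# (sample data embedded here so the example runs offline).
ACCESS_CIDR = """
# Rules are evaluated in the order as specified
# Blacklist 192.168.* except 192.168.0.1
192.168.0.1          permit
192.168.0.0/16       reject

# Permit local clients
127.0.0.0/8          permit
"""


def parse_cidr_table(text):
    """Parse cidr: table text into an ordered list of (network, action).

    Blank lines and lines starting with '#' are skipped; a pattern without a
    prefix length is a single host, as in Postfix cidr_table(5).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        pattern, action = line.split()[:2]
        # strict=False accepts patterns with host bits set (e.g. 10.1.2.3/16)
        rules.append((ipaddress.ip_network(pattern, strict=False), action.lower()))
    return rules


def lookup(rules, client_ip, mynetworks=()):
    """Emulate 'postscreen_access_list = permit_mynetworks, cidr:...'.

    permit_mynetworks is consulted first, then the cidr rules in file order;
    the first match wins, and a list that matches nothing ends in the
    implicit 'dunno' (the client is treated as not listed).
    """
    addr = ipaddress.ip_address(client_ip)
    for net in mynetworks:
        if addr in ipaddress.ip_network(net, strict=False):
            return 'permit'
    for net, action in rules:
        if addr in net:
            return action
    return 'dunno'


if __name__ == '__main__':
    rules = parse_cidr_table(ACCESS_CIDR)
    # Hypothetical $mynetworks value; adjust to the real main.cf setting.
    mynetworks = ['10.0.0.0/8']
    for ip in ('192.168.0.1', '192.168.5.7', '127.0.0.1', '10.2.3.4', '203.0.113.9'):
        print(f"{ip:>15} -> {lookup(rules, ip, mynetworks)}")
```

Read the result the way postscreen does: permit means the client is permanently whitelisted and handed straight to a Postfix SMTP server process, reject means postscreen_blacklist_action applies, and dunno means the client is not listed and the remaining tests decide.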

Logs:

Whitelisted Logs

... mail postfix/postscreen[24345]: CONNECT from [s.s.s.s]:61632 to [d.d.d.d]:25
... mail postfix/postscreen[24345]: WHITELISTED [s.s.s.s]:61632
... mail postfix/smtpd[24346]: connect from unknown[s.s.s.s]

Blacklisted Logs

... BLACKLISTED [address]:port

postscreen_blacklist_action

The action taken when the client's IP address is on the blacklist (postscreen_access_list)

# ignore  (default)  Ignore this result. Repeat this test the next time the client connects.
# drop               Drop the connection immediately with a 521 SMTP reply.
# enforce            Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply,
#                    and log the helo/sender/recipient information.

postscreen_blacklist_action = enforce


dnsbl

How the DNSBL test works: positive weights count toward blacklisting, negative weights toward whitelisting.

# The action taken when a remote SMTP client's combined DNSBL score is equal to or greater than the threshold

# Default: ignore
postscreen_dnsbl_action = enforce

# The time limit for DNSBL (N) or DNSWL (-N) lookups

postscreen_dnsbl_timeout = 10s

# The DNSBL score at which a client is blocked

# Default: 1
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -1

# How long to reuse the result of a successful DNS-based reputation test

# Default: 1h
postscreen_dnsbl_ttl = 1d

# Weight of each RBL

postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.[2..11]*2

postscreen RBL log (maillog)

Jan 25 12:28:31 mail postfix/postscreen[25069]: CONNECT from [c.c.c.c]:n to [s.s.s.s]:25
Jan 25 12:28:31 mail postfix/dnsblog[25071]: addr c.c.c.c listed by domain zen.spamhaus.org as 127.0.0.10
Jan 25 12:28:37 mail postfix/postscreen[25069]: DNSBL rank 3 for [c.c.c.c]:n
Jan 25 12:28:37 mail postfix/postscreen[25069]: HANGUP after 0.03 from [c.c.c.c]:n in tests after SMTP handshake
Jan 25 12:28:37 mail postfix/postscreen[25069]: DISCONNECT [c.c.c.c]:n

 * It turns out the from and to (sender/recipient) do not get logged here!!

 


Temporary whitelist test

The postscreen(8) daemon maintains a temporary whitelist for SMTP client IP addresses that have passed all the tests described below.

Logs:

PASS OLD [address]:port ....


Greet

# Default: ignore
# enforce - Allow other tests to complete.

postscreen_greet_action = drop

# How long postscreen waits for an SMTP client to send a command before its turn,
# and for DNS blocklist lookup results to arrive
# Default: normal: 6s, overload: 2s

postscreen_greet_wait = 2s

# Default: 1d

postscreen_greet_ttl = 1h


RESOURCE CONTROLS

# The number of clients that can be waiting for service from a real Postfix SMTP server process.

postscreen_post_queue_limit = 30

# The number of non-whitelisted clients that can be waiting for a decision

postscreen_pre_queue_limit = 30

# Default: $smtpd_client_connection_count_limit (default: 50)

postscreen_client_connection_count_limit = 10

# Default: normal: 300s, overload: 10s
# The time limit to read an entire command line

postscreen_command_time_limit = 10s


Cache

# The amount of time between postscreen(8) cache cleanup runs.
# Default: 12h

postscreen_cache_cleanup_interval = 12h


Doc

http://www.postfix.org/postscreen.8.html
http://www.postfix.org/POSTSCREEN_README.html