compatibility. Adding such headers to remote mail can break
DKIM signatures that cover headers that are not present.
File: cleanup/cleanup_message.c.
+
+20090415
+
+ Workaround: to avoid unnecessary "fatal" delivery agent
+ exits, delivery agents retry getting a shared lock on a
+ queue file. This is necessary since the queue manager's
+ behavior was changed years ago to refill the in-memory
+ recipient list before it was completely empty. File:
+ global/deliver_request.c.
+
+ Documentation: updated STRESS_README.
* TLS_README: TLS Encryption and authentication
* TLS_LEGACY_README: Legacy TLS support
* IPV6_README: IP Version 6 Support
+ * MULTI_INSTANCE_README: Multiple-instance management
* INSTALL: Installation from source code
P\bPr\bro\bob\bbl\ble\bem\bm s\bso\bol\blv\bvi\bin\bng\bg
attribute, sends the attribute with an empty value ("name="), or sends a
zero value ("name=0") in the case of a numerical attribute.
- * The "recipient" attribute is available only in the "RCPT TO" stage, and in
- the "DATA" and "END-OF-MESSAGE" stages when Postfix accepted only one
- recipient for the current message.
+ * The "recipient" attribute is available in the "RCPT TO" stage. It is also
+ available in the "DATA" and "END-OF-MESSAGE" stages if Postfix accepted
+ only one recipient for the current message.
* The "recipient_count" attribute (Postfix 2.3 and later) is non-zero only in
the "DATA" and "END-OF-MESSAGE" stages. It specifies the number of
O\bOv\bve\ber\brv\bvi\bie\bew\bw
-This document describes the symptoms of Postfix SMTP server overload, and how
-to avoid the condition under normal conditions. When the condition is caused by
-botnets or other malware, the document suggests configuration settings that
-help to minimize the impact on legitimate mail. Finally, the document
-introduces stress-adaptive behavior, introduced with Postfix 2.5, and how it
-can be used to automatically switch configuration settings under overload.
+This document describes the symptoms of Postfix SMTP server overload. It
+presents permanent main.cf changes to avoid overload during normal operation,
+and temporary main.cf changes to cope with an unexpected burst of mail. This
+document makes specific suggestions for Postfix 2.5 and later which support
+stress-adaptive behavior, and for earlier Postfix versions that don't.
Topics covered in this document:
* Service more SMTP clients at the same time
* Spend less time per SMTP client
* Disconnect suspicious SMTP clients
- * Take desperate measures
- * Make Postfix behavior stress-adaptive
+ * Temporary measures for older Postfix releases
+ * Automatic stress-adaptive behavior
* Detecting support for stress-adaptive behavior
* Forcing stress-adaptive behavior on or off
+ * Other measures to off-load zombies
* Credits
S\bSy\bym\bmp\bpt\bto\bom\bms\bs o\bof\bf P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bP s\bse\ber\brv\bve\ber\br o\bov\bve\ber\brl\blo\boa\bad\bd
-Under normal conditions, Postfix responds immediately when a remote SMTP client
-connects. The time needed to deliver mail should be noticeable only with very
-large messages. Performance degrades more dramatically when the number of
-remote SMTP clients exceeds the number of Postfix SMTP server processes. When a
-client connects while all server processes are busy, the client must wait until
-a server process becomes available.
+Under normal conditions, the Postfix SMTP server responds immediately when an
+SMTP client connects to it; the time to deliver mail is noticeable only with
+large messages. Performance degrades dramatically when the number of SMTP
+clients exceeds the number of Postfix SMTP server processes. When an SMTP
+client connects while all Postfix SMTP server processes are busy, the client
+must wait until a server process becomes available.
-Overload may be caused by a legitimate mail (example: a DNS registrar opens a
-new zone for registrations), by mistake (mail explosion caused by a forwarding
-loop) or by illegitimate mail (worm outbreak, botnet, or other malware
-activity). Symptoms of Postfix SMTP mail server overload are:
+SMTP server overload may be caused by a surge of legitimate mail (example: a
+DNS registrar opens a new zone for registrations), by mistake (mail explosion
+caused by a forwarding loop) or by malice (worm outbreak, botnet, or other
+illegitimate activity).
+
+Symptoms of Postfix SMTP server overload are:
* Remote SMTP clients experience a long delay before Postfix sends the "220
- hostname.example.com ESMTP Postfix" greeting. If this affects end-user mail
- clients, enable the "submission" service entry in master.cf (present since
- Postfix 2.1), and tell users to connect to this instead of the public SMTP
- service.
+ hostname.example.com ESMTP Postfix" greeting.
+
+ o NOTE: Broken DNS configurations can also cause lengthy delays before
+ Postfix sends "220 hostname.example.com ...". These delays also exist
+ when Postfix is NOT overloaded.
- o NOTE: Broken DNS configurations also cause lengthy delays before
- Postfix sends "220 hostname.example.com ...". In this case the delay
- happens even when Postfix is not busy.
+ o NOTE: To avoid "overload" delays for end-user mail clients, enable the
+ "submission" service entry in master.cf (present since Postfix 2.1),
+ and tell users to connect to this instead of the public SMTP service.
* The Postfix SMTP server logs an increased number of "lost connection after
CONNECT" events. This happens because remote SMTP clients disconnect before
Postfix answers the connection.
- o NOTE: A portscan for open SMTP ports also results in "lost connection
- ..." logfile messages.
+ o NOTE: A portscan for open SMTP ports can also result in "lost
+ connection ..." logfile messages.
* Postfix 2.3 and later logs a warning that all server ports are busy:
condition, increase the process count in master.cf or reduce the
service time per client
-Legitimate mail that doesn't get through during an episode of overload is not
-necessarily lost. It should still arrive once the situation returns to normal,
-as long as the overload condition is temporary.
+Legitimate mail that doesn't get through during an episode of Postfix SMTP
+server overload is not necessarily lost. It should still arrive once the
+situation returns to normal, as long as the overload condition is temporary.
S\bSe\ber\brv\bvi\bic\bce\be m\bmo\bor\bre\be S\bSM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bts\bs a\bat\bt t\bth\bhe\be s\bsa\bam\bme\be t\bti\bim\bme\be
-To service more SMTP clients simultaneously, you need to increase the number of
-SMTP server processes. This will improve the responsiveness for remote SMTP
-clients, as long as the server machine has enough hardware and software
+One measure to avoid the "all server processes busy" condition is to service
+more SMTP clients simultaneously. For this you need to increase the number of
+Postfix SMTP server processes. This will improve the responsiveness for remote
+SMTP clients, as long as the server machine has enough hardware and software
resources to run the additional processes, and as long as the file system can
keep up with the additional load.
operating system that supports kernel-based event filters (BSD kqueue(2),
Linux epoll(4), or Solaris /dev/poll).
- * You can reduce the Postfix memory footprint by using cdb: lookup tables
- instead of Berkeley DB's hash: or btree: tables.
+ * More processes use more memory. You can reduce the Postfix memory footprint
+ by using cdb: lookup tables instead of Berkeley DB's hash: or btree:
+ tables.
1 /etc/postfix/main.cf:
2 # Raise the global process limit, 100 since Postfix 2.0.
S\bSp\bpe\ben\bnd\bd l\ble\bes\bss\bs t\bti\bim\bme\be p\bpe\ber\br S\bSM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bt
When increasing the number of SMTP server processes is not practical, you can
-improve Postfix server responsiveness by eliminating unnecessary work. When
-Postfix spends less time per SMTP session, the same number of SMTP server
-processes can service more clients in the same amount of time.
+improve Postfix server responsiveness by eliminating delays. When Postfix
+spends less time per SMTP session, the same number of SMTP server processes can
+service more clients in a given amount of time.
* Eliminate non-functional RBL lookups (blocklists that are no longer in
operation). These lookups can degrade performance. Postfix logs a warning
BACKSCATTER_README for examples of the latter.
* Group your header_checks and body_checks patterns to avoid unnecessary
- pattern matching operations.
+ pattern matching operations:
1 /etc/postfix/header_checks:
2 if /^Subject:/
3 /^Subject: virus found in mail from you/ reject
- 4 /^Subject: ..../ ....
+ 4 /^Subject: ..other../ reject
5 endif
6
7 if /^Received:/
8 /^Received: from (postfix\.org) / reject forged client name in
received header: $1
- 9 /^Received: from .../ ....
+ 9 /^Received: from ..other../ reject ....
10 endif
D\bDi\bis\bsc\bco\bon\bnn\bne\bec\bct\bt s\bsu\bus\bsp\bpi\bic\bci\bio\bou\bus\bs S\bSM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bts\bs
by hanging up on suspicious clients, so that other clients get a chance to talk
to Postfix.
- * Use "521" reply codes (Postfix 2.6 and later) for botnet-related RBLs or
- for selected non-RBL restrictions. With Postfix 2.3-2.5 use "421" for a
- similar result. The Postfix SMTP server will disconnect immediately without
+ * Use "521" SMTP reply codes (Postfix 2.6 and later) or "421" (Postfix 2.3-
+ 2.5) to hang up on clients that that match botnet-related RBLs (see next
+ bullet) or that match selected non-RBL restrictions such as SMTP access
+ maps. The Postfix SMTP server will reject mail and disconnect without
waiting for the remote SMTP client to send a QUIT command.
- You can set individual reject codes for RBLs, and for individual responses
- from a specific RBL. We'll use zen.spamhaus.org as an example; by the time
- you read this document, details may have changed. Right now, their
+ * To hang up connections from blacklisted zombies, you can set specific
+ Postfix SMTP server reject codes for specific RBLs, and for individual
+ responses from specific RBLs. We'll use zen.spamhaus.org as an example; by
+ the time you read this document, details may have changed. Right now, their
documents say that a response of 127.0.0.10 or 127.0.0.11 indicates a
dynamic client IP address, which means that the machine is probably running
a bot of some kind. To give a 521 response instead of the default 554
8 rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
9
10 /etc/postfix/rbl_reply_maps:
- 11 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
- 12 $rbl_class [$rbl_what] blocked using
- 13 $rbl_domain${rbl_reason?; $rbl_reason}
- 14
- 15 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
- 16 $rbl_class [$rbl_what] blocked using
- 17 $rbl_domain${rbl_reason?; $rbl_reason}
-
- Although the above shows three RBL lookups (lines 4-6), Postfix will still
- only do a single DNS query, so the performance difference is negligible.
-
- With Postfix 2.3-2.5, use 421 (reply code 521 will not cause Postfix to
- disconnect). The down-side of sending 421 is that it works only for zombies
- and other malware. If the client is running a real MTA, then it may connect
- again several times until the mail expires in its queue. When this is a
- problem, stick with the default 554 reply, and use "smtpd_hard_error_limit
- = 1" as described below.
-
- With Postfix 2.5, or with earlier releases that contain the stress-adaptive
- behavior patch, you can turn on the above under overload by replacing line
- 8 with:
+ 11 # With Postfix 2.3-2.5 use "421" to hang up connections.
+ 12 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
+ 13 $rbl_class [$rbl_what] blocked using
+ 14 $rbl_domain${rbl_reason?; $rbl_reason}
+ 15
+ 16 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
+ 17 $rbl_class [$rbl_what] blocked using
+ 18 $rbl_domain${rbl_reason?; $rbl_reason}
+
+ Although the above example shows three RBL lookups (lines 4-6), Postfix
+ will only do a single DNS query, so it does not affect the performance.
+
+ * With Postfix 2.3-2.5, use reply code 421 (521 will not cause Postfix to
+ disconnect). The down-side of replying with 421 is that it works only for
+ zombies and other malware. If the client is running a real MTA, then it may
+ connect again several times until the mail expires in its queue. When this
+ is a problem, stick with the default 554 reply, and use
+ "smtpd_hard_error_limit = 1" as described below.
+
+ * You can automatically turn on the above overload measure with Postfix 2.5
+ and later, or with earlier releases that contain the stress-adaptive
+ behavior source code patch from the mirrors listed at http://
+ www.postfix.org/download.html. Simply replace line above 8 with:
8 rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
- More information about automatic stress-adaptive behavior is at the end of
- this document.
+More information about automatic stress-adaptive behavior is in section
+"Automatic stress-adaptive behavior".
-T\bTa\bak\bke\be d\bde\bes\bsp\bpe\ber\bra\bat\bte\be m\bme\bea\bas\bsu\bur\bre\bes\bs
+T\bTe\bem\bmp\bpo\bor\bra\bar\bry\by m\bme\bea\bas\bsu\bur\bre\bes\bs f\bfo\bor\br o\bol\bld\bde\ber\br P\bPo\bos\bst\btf\bfi\bix\bx r\bre\bel\ble\bea\bas\bse\bes\bs
-The following measures will still allow m\bmo\bos\bst\bt legitimate clients to connect and
-send mail, but may affect some legitimate clients.
+See the next section, "Automatic stress-adaptive behavior", if you are running
+Postfix version 2.5 or later, or if you have applied the source code patch for
+stress-adaptive behavior from the mirrors listed at http://www.postfix.org/
+download.html.
+
+The following measures can be applied temporarily during overload. They still
+allow m\bmo\bos\bst\bt legitimate clients to connect and send mail, but may affect some
+legitimate clients.
* Reduce smtpd_timeout (default: 300s). Experience on the postfix-users list
from a variety of sysadmins shows that reducing the "normal" smtpd_timeout
longer-active user names that didn't bother to unsubscribe. No mail should
be lost, as long as this measure is used only temporarily.
- * Disable remote SMTP client hostname lookups, so that all SMTP client
- hostnames become "unknown" (line 5 below). This feature was introduced with
- Postfix 2.3. Unfortunately, this measure is more problematic than the other
- ones proposed sofar. First, this will result in loss of mail when you use
- hostname-based access rules that reject mail from "unknown" SMTP clients
- (examples: reject_unknown_client_hostname,
- reject_unknown_reverse_client_hostname). Second, this may result in loss of
- mail when you subject "unknown" SMTP clients to additional restrictions
- such as reject_unverified_sender.
+ * Use an smtpd_junk_command_limit of 1 instead of the default 100. This
+ prevents clients from keeping idle connections open by repeatedly sending
+ NOOP or RSET commands.
1 /etc/postfix/main.cf:
2 smtpd_timeout = 10
3 smtpd_hard_error_limit = 1
- 4 # Caution: line 5 may trigger REJECTs by hostname-based access rules
-
- 5 smtpd_peername_lookup = no
+ 4 smtpd_junk_command_limit = 1
-Except with the last measure, no mail should be lost, as long as these measures
-are used only temporarily. The next section of this document introduces a way
-to automate this process.
+With these measures, no mail should be lost, as long as these measures are used
+only temporarily. The next section of this document introduces a way to
+automate this process.
-M\bMa\bak\bke\be P\bPo\bos\bst\btf\bfi\bix\bx b\bbe\beh\bha\bav\bvi\bio\bor\br s\bst\btr\bre\bes\bss\bs-\b-a\bad\bda\bap\bpt\bti\biv\bve\be
+A\bAu\but\bto\bom\bma\bat\bti\bic\bc s\bst\btr\bre\bes\bss\bs-\b-a\bad\bda\bap\bpt\bti\biv\bve\be b\bbe\beh\bha\bav\bvi\bio\bor\br
Postfix version 2.5 introduces automatic stress-adaptive behavior. This is also
-available as an add-on patch for Postfix versions 2.4 and 2.3 from the mirrors
-listed at http://www.postfix.org/download.html.
+available as a source code patch for Postfix versions 2.4 and 2.3 from the
+mirrors listed at http://www.postfix.org/download.html.
-It works as follows. When a "public" network service runs into an "all server
-ports are busy" condition, the master(8) daemon logs a warning, restarts the
-service (without interrupting existing network sessions), and runs the service
-with "-o stress=yes" on the command line. Normally, it runs a stress-adaptive
-service with "-o stress=" on the command line (i.e. with an empty parameter
-value). Other services never have "-o stress" parameters on the command line,
-including services that listen on a loopback interface only.
+It works as follows. When a "public" network service such as the SMTP server
+runs into an "all server ports are busy" condition, the Postfix master(8)
+daemon logs a warning, restarts the service (without interrupting existing
+network sessions), and runs the service with "-o stress=yes" on the server
+process command line:
-The stress pseudo-parameter value is the key to making main.cf parameter
-settings stress adaptive:
+ 80821 ?? S 0:00.24 smtpd -n smtp -t inet -u -c -o stress=yes
- 1 /etc/postfix/main.cf:
- 2 smtpd_timeout = ${stress?10}${stress:300}
- 3 smtpd_hard_error_limit = ${stress?1}${stress:20}
+Normally, the Postfix master(8) daemon runs such a service with "-o stress=" on
+the command line (i.e. with an empty parameter value):
-Translation:
+ 83326 ?? S 0:00.28 smtpd -n smtp -t inet -u -c -o stress=
- * Line 2: under conditions of stress, use an smtpd_timeout value of 10
- seconds instead of the default 300 seconds,
+Services that have local access only never have "-o stress" parameters on the
+command line. This includes services internal to Postfix such as the queue
+manager, and services that listen on a loopback interface only, such as after-
+filter SMTP services.
- * Line 3: under conditions of stress, use an smtpd_hard_error_limit of 1
- instead of the default 20.
+The "stress" parameter value is the key to making main.cf parameter settings
+stress adaptive. The following settings are the default with Postfix 2.6 and
+later. With earlier Postfix versions that have stress-adaptive support, append
+the lines below to the main.cf file and issue a "postfix reload" command:
+
+ 1 smtpd_timeout = ${stress?10}${stress:300}s
+ 2 smtpd_hard_error_limit = ${stress?1}${stress:20}
+ 3 smtpd_junk_command_limit = ${stress?1}${stress:100}
+
+Translation:
+
+ * Line 1: under conditions of stress, use an smtpd_timeout value of 10
+ seconds instead of the default 300 seconds. Experience on the postfix-users
+ list from a variety of sysadmins shows that reducing the "normal"
+ smtpd_timeout to 60s is unlikely to affect legitimate clients. However, it
+ is unlikely to become the Postfix default because it's not RFC compliant.
+ Setting smtpd_timeout to 10s (line 2 below) or even 5s under stress will
+ still allow most legitimate clients to connect and send mail, but may delay
+ mail from some clients. No mail should be lost, as long as this measure is
+ used only temporarily.
+
+ * Line 2: under conditions of stress, use an smtpd_hard_error_limit of 1
+ instead of the default 20. This helps by disconnecting clients after a
+ single error, giving other clients a chance to connect. However, this may
+ cause significant delays with legitimate mail, such as a mailing list that
+ contains a few no-longer-active user names that didn't bother to
+ unsubscribe. No mail should be lost, as long as this measure is used only
+ temporarily.
+
+ * Line 3: under conditions of stress, use an smtpd_junk_command_limit of 1
+ instead of the default 100. This prevents clients from keeping idle
+ connections open by repeatedly sending NOOP or RSET commands.
The syntax of ${name?value} and ${name:value} is explained at the beginning of
the postconf(5) manual page.
7 -o stress=
8 -o . . .
+O\bOt\bth\bhe\ber\br m\bme\bea\bas\bsu\bur\bre\bes\bs t\bto\bo o\bof\bff\bf-\b-l\blo\boa\bad\bd z\bzo\bom\bmb\bbi\bie\bes\bs
+
+OpenBSD spamd implements a daemon that handles all connections from "new"
+clients. Only well-behaved mail clients are allowed to talk to the mail server.
+Other clients are tarpitted, and will never get a chance to affect mail server
+performance.
+
+At some point in the future, Postfix may come with a simple front-end daemon
+that does basic greylisting and pipelining detection to keep zombies and other
+ratware away from Postfix itself. This would use the "pass" service type which
+has been available in stable Postfix releases since Postfix 2.5.
+
C\bCr\bre\bed\bdi\bit\bts\bs
* Thanks to the postfix-users mailing list members for sharing early
compatibility. The "first" setting is good for performance
(stress=yes) when all users are defined in local files.
- Make the double-bounce address time-dependent (with 24-hour
- grace period). Spammers appear to use this address to avoid
- DATA command rejects. Avoiding DATA rejects means they can
- pipeline the entire SMTP session without triggering huge
- numbers of protocol errors. They can still trigger "improper
- command pipelining after DATA" alarms, but that requires
- non-default main.cf settings.
-
Cleanup: make DNSBL query format configurable beyond the
client's reversed IP address.
With 'final delivery' in the LMTP client, need an option
- to also add delivered-to and other pipe(8) features.
- This requires making mail_copy() more generic.
+ to also add delivered-to and other pipe(8) features. This
+ requires making mail_copy() functionality available in
+ non-mailbox context.
To work around historical AWK's limit of 10 open files,
pipe all output into a shell and have the shell open files.
- It's too much pain to find out whose AWK is old and where
- if any they keep the XPG4 compliant version.
+ It's too much pain to find out what systems use ancient AWK
+ and where, if any, they keep the XPG4 compliant version.
Cleanup: modernize the "add missing From: header" code, to
``phrase <addr>'' form. Most likely, quote the entire phrase
an empty value ("name="), or sends a zero value ("name=0") in
the case of a numerical attribute. </p>
- <li> <p> The "recipient" attribute is available only in the
- "RCPT TO" stage, and in the "DATA" and "END-OF-MESSAGE" stages
- when Postfix accepted only one recipient for the current message.
- </p>
+ <li> <p> The "recipient" attribute is available in the "RCPT
+ TO" stage. It is also available in the "DATA" and "END-OF-MESSAGE"
+ stages if Postfix accepted only one recipient for the current
+ message. </p>
<li> <p> The "recipient_count" attribute (Postfix 2.3 and later)
is non-zero only in the "DATA" and "END-OF-MESSAGE" stages. It
<h2>Overview </h2>
<p> This document describes the symptoms of Postfix SMTP server
-overload, and how to avoid the condition under normal conditions.
-When the condition is caused by botnets or other malware, the
-document suggests configuration settings that help to minimize the
-impact on legitimate mail. Finally, the document introduces
-stress-adaptive behavior, introduced with Postfix 2.5, and how it
-can be used to automatically switch configuration settings under
-overload. </p>
+overload. It presents permanent <a href="postconf.5.html">main.cf</a> changes to avoid overload
+during normal operation, and temporary <a href="postconf.5.html">main.cf</a> changes to cope with
+an unexpected burst of mail. This document makes specific suggestions
+for Postfix 2.5 and later which support stress-adaptive behavior,
+and for earlier Postfix versions that don't. </p>
<p> Topics covered in this document: </p>
<li><a href="#hangup"> Disconnect suspicious SMTP clients </a>
-<li><a href="#desperate"> Take desperate measures </a>
+<li><a href="#legacy"> Temporary measures for older Postfix releases </a>
-<li><a href="#adapt"> Make Postfix behavior stress-adaptive </a>
+<li><a href="#adapt"> Automatic stress-adaptive behavior </a>
<li><a href="#feature"> Detecting support for stress-adaptive behavior </a>
<li><a href="#forcing"> Forcing stress-adaptive behavior on or off </a>
+<li><a href="#other"> Other measures to off-load zombies </a>
+
<li><a href="#credits"> Credits </a>
</ul>
<h2><a name="overload"> Symptoms of Postfix SMTP server overload </a></h2>
-<p> Under normal conditions, Postfix responds immediately when a
-remote SMTP client connects. The time needed to deliver mail should
-be noticeable only with very large messages. Performance degrades
-more dramatically when the number of remote SMTP clients exceeds
-the number of Postfix SMTP server processes. When a client connects
-while all server processes are busy, the client must wait until a
-server process becomes available. </p>
+<p> Under normal conditions, the Postfix SMTP server responds
+immediately when an SMTP client connects to it; the time to deliver
+mail is noticeable only with large messages. Performance degrades
+dramatically when the number of SMTP clients exceeds the number of
+Postfix SMTP server processes. When an SMTP client connects while
+all Postfix SMTP server processes are busy, the client must wait
+until a server process becomes available. </p>
+
+<p> SMTP server overload may be caused by a surge of legitimate
+mail (example: a DNS registrar opens a new zone for registrations),
+by mistake (mail explosion caused by a forwarding loop) or by malice
+(worm outbreak, botnet, or other illegitimate activity). </p>
-<p> Overload may be caused by a legitimate mail (example: a DNS
-registrar opens a new zone for registrations), by mistake (mail
-explosion caused by a forwarding loop) or by illegitimate mail (worm
-outbreak, botnet, or other malware activity). Symptoms of Postfix
-SMTP mail server overload are: </p>
+<p> Symptoms of Postfix SMTP server overload are: </p>
<ul>
<li> <p> Remote SMTP clients experience a long delay before Postfix
-sends the "220 hostname.example.com ESMTP Postfix" greeting. If
-this affects end-user mail clients, enable the "submission" service
-entry in <a href="master.5.html">master.cf</a> (present since Postfix 2.1), and tell users to
-connect to this instead of the public SMTP service. </p>
+sends the "220 hostname.example.com ESMTP Postfix" greeting. </p>
<ul>
-<li> <p> NOTE: Broken DNS configurations also cause lengthy delays
-before Postfix sends "220 hostname.example.com ...". In this case
-the delay happens even when Postfix is not busy. </p>
+<li> <p> NOTE: Broken DNS configurations can also cause lengthy
+delays before Postfix sends "220 hostname.example.com ...". These
+delays also exist when Postfix is NOT overloaded. </p>
+
+<li> <p> NOTE: To avoid "overload" delays for end-user mail
+clients, enable the "submission" service entry in <a href="master.5.html">master.cf</a> (present
+since Postfix 2.1), and tell users to connect to this instead of
+the public SMTP service. </p>
</ul>
<ul>
-<li> <p> NOTE: A portscan for open SMTP ports also results in "lost
-connection ..." logfile messages. </p>
+<li> <p> NOTE: A portscan for open SMTP ports can also result in
+"lost connection ..." logfile messages. </p>
</ul>
</ul>
<p> Legitimate mail that doesn't get through during an episode of
-overload is not necessarily lost. It should still arrive once the
-situation returns to normal, as long as the overload condition is
-temporary. </p>
+Postfix SMTP server overload is not necessarily lost. It should
+still arrive once the situation returns to normal, as long as the
+overload condition is temporary. </p>
<h2><a name="concurrency"> Service more SMTP clients at the same time </a> </h2>
-<p> To service more SMTP clients simultaneously, you need to increase
-the number of SMTP server processes. This will improve the
+<p> One measure to avoid the "all server processes busy" condition
+is to service more SMTP clients simultaneously. For this you need
+to increase the number of Postfix SMTP server processes. This will
+improve the
responsiveness for remote SMTP clients, as long as the server machine
has enough hardware and software resources to run the additional
processes, and as long as the file system can keep up with the
filters (BSD kqueue(2), Linux epoll(4), or Solaris /dev/poll).
</p>
-<li> <p> You can reduce the Postfix memory footprint by using <a href="CDB_README.html">cdb</a>:
+<li> <p> More processes use more memory. You can reduce the Postfix
+memory footprint by using <a href="CDB_README.html">cdb</a>:
lookup tables instead of Berkeley DB's hash: or btree: tables. </p>
<pre>
<p> When increasing the number of SMTP server processes is not
practical, you can improve Postfix server responsiveness by eliminating
-unnecessary work. When Postfix spends less time per SMTP session, the
-same number of SMTP server processes can service more clients in the
-same amount of time. </p>
+delays. When Postfix spends less time per SMTP session, the same
+number of SMTP server processes can service more clients in a given
+amount of time. </p>
<ul>
mail. See <a href="BACKSCATTER_README.html">BACKSCATTER_README</a> for examples of the latter.
<li> <p> Group your <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a> patterns to avoid
-unnecessary pattern matching operations.
+unnecessary pattern matching operations:
<pre>
1 /etc/postfix/header_checks:
2 if /^Subject:/
3 /^Subject: virus found in mail from you/ reject
- 4 /^Subject: ..../ ....
+ 4 /^Subject: ..other../ reject
5 endif
6
7 if /^Received:/
8 /^Received: from (postfix\.org) / reject forged client name in received header: $1
- 9 /^Received: from .../ ....
+ 9 /^Received: from ..other../ reject ....
10 endif
</pre>
<ul>
-<li> <p> Use "521" reply codes (Postfix 2.6 and later) for
-botnet-related RBLs or for selected non-RBL restrictions. With
-Postfix 2.3-2.5 use "421" for a similar result. The Postfix SMTP
-server will disconnect immediately without waiting for the remote
-SMTP client to send a QUIT command. </p>
-
-<p> You can set individual reject codes for RBLs, and for individual
-responses from a specific RBL. We'll use zen.spamhaus.org as an
-example; by the time you read this document, details may have
-changed. Right now, their documents say that a response of 127.0.0.10
-or 127.0.0.11 indicates a dynamic client IP address, which means
-that the machine is probably running a bot of some kind. To give
-a 521 response instead of the default 554 response, use something
-like: </p>
+<li> <p> Use "521" SMTP reply codes (Postfix 2.6 and later) or "421"
+(Postfix 2.3-2.5) to hang up on clients that that match botnet-related
+RBLs (see next bullet) or that match selected non-RBL restrictions
+such as SMTP access maps. The Postfix SMTP server will reject mail
+and disconnect without waiting for the remote SMTP client to send
+a QUIT command. </p>
+
+<li> <p> To hang up connections from blacklisted zombies, you can
+set specific Postfix SMTP server reject codes for specific RBLs,
+and for individual responses from specific RBLs. We'll use
+zen.spamhaus.org as an example; by the time you read this document,
+details may have changed. Right now, their documents say that a
+response of 127.0.0.10 or 127.0.0.11 indicates a dynamic client IP
+address, which means that the machine is probably running a bot of
+some kind. To give a 521 response instead of the default 554
+response, use something like: </p>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
8 <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> = hash:/etc/postfix/rbl_reply_maps
9
10 /etc/postfix/rbl_reply_maps:
-11 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
-12 $rbl_class [$rbl_what] blocked using
-13 $rbl_domain${rbl_reason?; $rbl_reason}
-14
-15 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
-16 $rbl_class [$rbl_what] blocked using
-17 $rbl_domain${rbl_reason?; $rbl_reason}
+11 # With Postfix 2.3-2.5 use "421" to hang up connections.
+12 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
+13 $rbl_class [$rbl_what] blocked using
+14 $rbl_domain${rbl_reason?; $rbl_reason}
+15
+16 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
+17 $rbl_class [$rbl_what] blocked using
+18 $rbl_domain${rbl_reason?; $rbl_reason}
</pre>
-<p> Although the above shows three RBL lookups (lines 4-6), Postfix
-will still only do a single DNS query, so the performance difference
-is negligible. </p>
+<p> Although the above example shows three RBL lookups (lines 4-6),
+Postfix will only do a single DNS query, so it does not affect the
+performance. </p>
-<p> With Postfix 2.3-2.5, use 421 (reply code 521 will not cause
-Postfix to disconnect). The down-side of sending 421 is that
-it works only for zombies and other malware. If the client is running
-a real MTA, then it may connect again several times until the mail
-expires in its queue. When this is a problem, stick with the default
-554 reply, and use "<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = 1" as described below.
-</p>
+<li> <p> With Postfix 2.3-2.5, use reply code 421 (521 will not
+cause Postfix to disconnect). The down-side of replying with 421
+is that it works only for zombies and other malware. If the client
+is running a real MTA, then it may connect again several times until
+the mail expires in its queue. When this is a problem, stick with
+the default 554 reply, and use "<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = 1" as
+described below. </p>
-<p> With Postfix 2.5, or with earlier releases that contain the
-stress-adaptive behavior patch, you can turn on the above under
-overload by replacing line 8 with: </p>
+<li> <p> You can automatically turn on the above overload measure
+with Postfix 2.5 and later, or with earlier releases that contain
+the stress-adaptive behavior source code patch from the mirrors
+listed at <a href="http://www.postfix.org/download.html">http://www.postfix.org/download.html</a>. Simply replace line
+above 8 with: </p>
<pre>
8 <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> = ${stress?hash:/etc/postfix/rbl_reply_maps}
</pre>
+</ul>
+
<p> More information about automatic stress-adaptive behavior is
-at the end of this document. </p>
+in section "<a href="#adapt">Automatic stress-adaptive behavior</a>".
+</p>
-</ul>
+<h2><a name="legacy"> Temporary measures for older Postfix releases </a></h2>
-<h2><a name="desperate"> Take desperate measures </a></h2>
+<p> See the next section, "<a href="#adapt">Automatic stress-adaptive
+behavior</a>", if you are running Postfix version 2.5 or later, or
+if you have applied the source code patch for stress-adaptive
+behavior from the mirrors listed at <a href="http://www.postfix.org/download.html">http://www.postfix.org/download.html</a>.
+</p>
-<p> The following measures will still allow <b>most</b> legitimate
-clients to connect and send mail, but may affect some legitimate
-clients. </p>
+<p> The following measures can be applied temporarily during overload.
+They still allow <b>most</b> legitimate clients to connect and send
+mail, but may affect some legitimate clients. </p>
<ul>
names that didn't bother to unsubscribe. No mail should be lost,
as long as this measure is used only temporarily. </p>
-<li> <p> Disable remote SMTP client hostname lookups, so that all
-SMTP client hostnames become "unknown" (line 5 below). This feature
-was introduced with Postfix 2.3. Unfortunately, this measure is
-more problematic than the other ones proposed sofar. First, this
-will result in loss of mail when you use hostname-based access rules
-that reject mail from "unknown" SMTP clients (examples:
-<a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a>, <a href="postconf.5.html#reject_unknown_reverse_client_hostname">reject_unknown_reverse_client_hostname</a>).
-Second, this may result in loss of mail when you subject "unknown"
-SMTP clients to additional restrictions such as <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>.
-</p>
+<li> <p> Use an <a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> of 1 instead of the default
+100. This prevents clients from keeping idle connections open by
+repeatedly sending NOOP or RSET commands. </p>
</ul>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2 <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> = 10
3 <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = 1
-4 # Caution: line 5 may trigger REJECTs by hostname-based access rules
-5 <a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> = no
+4 <a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> = 1
</pre>
</blockquote>
-<p> Except with the last measure, no mail should be lost, as long
+<p> With these measures, no mail should be lost, as long
as these measures are used only temporarily. The next section of
this document introduces a way to automate this process. </p>
-<h2><a name="adapt"> Make Postfix behavior stress-adaptive </a></h2>
+<h2><a name="adapt"> Automatic stress-adaptive behavior </a></h2>
<p> Postfix version 2.5 introduces automatic stress-adaptive behavior.
-This is also available as an add-on patch for Postfix versions 2.4
-and 2.3 from the mirrors listed at <a href="http://www.postfix.org/download.html">http://www.postfix.org/download.html</a>.
+This is also available as a source code patch for Postfix versions
+2.4 and 2.3 from the mirrors listed at
+<a href="http://www.postfix.org/download.html">http://www.postfix.org/download.html</a>. </p>
+
+<p> It works as follows. When a "public" network service such as
+the SMTP server runs into an "all server ports are busy" condition,
+the Postfix <a href="master.8.html">master(8)</a> daemon logs a warning, restarts the service
+(without interrupting existing network sessions), and runs the
+service with "-o stress=yes" on the server process command line:
</p>
-<p> It works as follows. When a "public" network service runs into
-an "all server ports are busy" condition, the <a href="master.8.html">master(8)</a> daemon logs
-a warning, restarts the service (without interrupting existing
-network sessions), and runs the service with "-o stress=yes" on the
-command line. Normally, it runs a stress-adaptive service with "-o
-stress=" on the command line (i.e. with an empty parameter value).
-Other services never have "-o stress" parameters on the command
-line, including services that listen on a loopback interface only.
-</p>
+<blockquote>
+<pre>
+80821 ?? S 0:00.24 smtpd -n smtp -t inet -u -c -o stress=yes
+</pre>
+</blockquote>
-<p> The stress pseudo-parameter value is the key to making <a href="postconf.5.html">main.cf</a>
-parameter settings stress adaptive: </p>
+<p> Normally, the Postfix <a href="master.8.html">master(8)</a> daemon runs such a service with
+"-o stress=" on the command line (i.e. with an empty parameter
+value): </p>
<blockquote>
<pre>
-1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-2 <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> = ${stress?10}${stress:300}
-3 <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = ${stress?1}${stress:20}
+83326 ?? S 0:00.28 smtpd -n smtp -t inet -u -c -o stress=
+</pre>
+</blockquote>
+
+<p> Services that have local access only never have "-o stress"
+parameters on the command line. This includes services internal to
+Postfix such as the queue manager, and services that listen on a
+loopback interface only, such as after-filter SMTP services. </p>
+
+<p> The "stress" parameter value is the key to making <a href="postconf.5.html">main.cf</a>
+parameter settings stress adaptive. The following settings are the
+default with Postfix 2.6 and later. With earlier Postfix versions
+that have stress-adaptive support, append the lines below to the
+<a href="postconf.5.html">main.cf</a> file and issue a "postfix reload" command: </p>
+
+<blockquote>
+<pre>
+1 <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> = ${stress?10}${stress:300}s
+2 <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = ${stress?1}${stress:20}
+3 <a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> = ${stress?1}${stress:100}
</pre>
</blockquote>
<ul>
-<li> <p> Line 2: under conditions of stress, use an <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a>
-value of 10 seconds instead of the default 300 seconds,
+<li> <p> Line 1: under conditions of stress, use an <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a>
+value of 10 seconds instead of the default 300 seconds. Experience
+on the postfix-users list from a variety of sysadmins shows that
+reducing the "normal" <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> to 60s is unlikely to affect
+legitimate clients. However, it is unlikely to become the Postfix
+default because it's not RFC compliant. Setting <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> to
+10s (line 2 below) or even 5s under stress will still allow most
+legitimate clients to connect and send mail, but may delay mail
+from some clients. No mail should be lost, as long as this measure
+is used only temporarily. </p>
-<li> <p> Line 3: under conditions of stress, use an <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a>
-of 1 instead of the default 20. </p>
+<li> <p> Line 2: under conditions of stress, use an <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a>
+of 1 instead of the default 20. This helps by disconnecting clients
+after a single error, giving other clients a chance to connect.
+However, this may cause significant delays with legitimate mail,
+such as a mailing list that contains a few no-longer-active user
+names that didn't bother to unsubscribe. No mail should be lost,
+as long as this measure is used only temporarily. </p>
+
+<li> <p> Line 3: under conditions of stress, use an
+<a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> of 1 instead of the default 100. This
+prevents clients from keeping idle connections open by repeatedly
+sending NOOP or RSET commands. </p>
</ul>
</pre>
</blockquote>
+<h2><a name="other"> Other measures to off-load zombies </h2>
+
+<p> OpenBSD <a href="http://www.openbsd.org/spamd/">spamd</a>
+implements a daemon that handles all connections from "new" clients.
+Only well-behaved mail clients are allowed to talk to the mail
+server. Other clients are tarpitted, and will never get a chance
+to affect mail server performance. </p>
+
+<p> At some point in the future, Postfix may come with a simple
+front-end daemon that does basic greylisting and pipelining detection
+to keep zombies and other ratware away from Postfix itself. This
+would use the "pass" service type which has been available in
+stable Postfix releases since Postfix 2.5. </p>
+
<h2><a name="credits"> Credits </a></h2>
<ul>
<li> <a href="IPV6_README.html"> IP Version 6 Support </a>
+<li> <a href="MULTI_INSTANCE_README.html"> Multiple-instance management </a>
+
<li> <a href="INSTALL.html"> Installation from source code </a>
</ul>
<b>New or existing instance name assignment</b>
<b>-I</b> <i>name</i>
Assign the specified instance <i>name</i> to an existing
- instance or to a newly created or imported
- instance. Instance names other than "-" (which
+ instance, newly-created instance, or imported
+ instance. Instance names other than "-" (which
makes the instance "nameless") must start with
"postfix-". This restriction reduces the likeli-
hood of name collisions with system files.
export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
# Snapshot only.
-CCARGS="$CCARGS -DSNAPSHOT"
+#CCARGS="$CCARGS -DSNAPSHOT"
# Non-production: needs thorough testing, or major changes are still
# needed before the code stabilizes.
.SH "New or existing instance name assignment"
.IP "\fB-I \fIname\fR"
Assign the specified instance \fIname\fR to an existing
-instance or to a newly created or imported instance. Instance
-names other than "-" (which makes the instance "nameless")
+instance, newly-created instance, or imported instance.
+Instance
+names other than "-" (which makes the instance "nameless")
must start with "postfix-". This restriction reduces the
likelihood of name collisions with system files.
.IP "\fB-G \fIgroup\fR"
an empty value ("name="), or sends a zero value ("name=0") in
the case of a numerical attribute. </p>
- <li> <p> The "recipient" attribute is available only in the
- "RCPT TO" stage, and in the "DATA" and "END-OF-MESSAGE" stages
- when Postfix accepted only one recipient for the current message.
- </p>
+ <li> <p> The "recipient" attribute is available in the "RCPT
+ TO" stage. It is also available in the "DATA" and "END-OF-MESSAGE"
+ stages if Postfix accepted only one recipient for the current
+ message. </p>
<li> <p> The "recipient_count" attribute (Postfix 2.3 and later)
is non-zero only in the "DATA" and "END-OF-MESSAGE" stages. It
<h2>Overview </h2>
<p> This document describes the symptoms of Postfix SMTP server
-overload, and how to avoid the condition under normal conditions.
-When the condition is caused by botnets or other malware, the
-document suggests configuration settings that help to minimize the
-impact on legitimate mail. Finally, the document introduces
-stress-adaptive behavior, introduced with Postfix 2.5, and how it
-can be used to automatically switch configuration settings under
-overload. </p>
+overload. It presents permanent main.cf changes to avoid overload
+during normal operation, and temporary main.cf changes to cope with
+an unexpected burst of mail. This document makes specific suggestions
+for Postfix 2.5 and later which support stress-adaptive behavior,
+and for earlier Postfix versions that don't. </p>
<p> Topics covered in this document: </p>
<li><a href="#hangup"> Disconnect suspicious SMTP clients </a>
-<li><a href="#desperate"> Take desperate measures </a>
+<li><a href="#legacy"> Temporary measures for older Postfix releases </a>
-<li><a href="#adapt"> Make Postfix behavior stress-adaptive </a>
+<li><a href="#adapt"> Automatic stress-adaptive behavior </a>
<li><a href="#feature"> Detecting support for stress-adaptive behavior </a>
<li><a href="#forcing"> Forcing stress-adaptive behavior on or off </a>
+<li><a href="#other"> Other measures to off-load zombies </a>
+
<li><a href="#credits"> Credits </a>
</ul>
<h2><a name="overload"> Symptoms of Postfix SMTP server overload </a></h2>
-<p> Under normal conditions, Postfix responds immediately when a
-remote SMTP client connects. The time needed to deliver mail should
-be noticeable only with very large messages. Performance degrades
-more dramatically when the number of remote SMTP clients exceeds
-the number of Postfix SMTP server processes. When a client connects
-while all server processes are busy, the client must wait until a
-server process becomes available. </p>
+<p> Under normal conditions, the Postfix SMTP server responds
+immediately when an SMTP client connects to it; the time to deliver
+mail is noticeable only with large messages. Performance degrades
+dramatically when the number of SMTP clients exceeds the number of
+Postfix SMTP server processes. When an SMTP client connects while
+all Postfix SMTP server processes are busy, the client must wait
+until a server process becomes available. </p>
+
+<p> SMTP server overload may be caused by a surge of legitimate
+mail (example: a DNS registrar opens a new zone for registrations),
+by mistake (mail explosion caused by a forwarding loop) or by malice
+(worm outbreak, botnet, or other illegitimate activity). </p>
-<p> Overload may be caused by a legitimate mail (example: a DNS
-registrar opens a new zone for registrations), by mistake (mail
-explosion caused by a forwarding loop) or by illegitimate mail (worm
-outbreak, botnet, or other malware activity). Symptoms of Postfix
-SMTP mail server overload are: </p>
+<p> Symptoms of Postfix SMTP server overload are: </p>
<ul>
<li> <p> Remote SMTP clients experience a long delay before Postfix
-sends the "220 hostname.example.com ESMTP Postfix" greeting. If
-this affects end-user mail clients, enable the "submission" service
-entry in master.cf (present since Postfix 2.1), and tell users to
-connect to this instead of the public SMTP service. </p>
+sends the "220 hostname.example.com ESMTP Postfix" greeting. </p>
<ul>
-<li> <p> NOTE: Broken DNS configurations also cause lengthy delays
-before Postfix sends "220 hostname.example.com ...". In this case
-the delay happens even when Postfix is not busy. </p>
+<li> <p> NOTE: Broken DNS configurations can also cause lengthy
+delays before Postfix sends "220 hostname.example.com ...". These
+delays also exist when Postfix is NOT overloaded. </p>
+
+<li> <p> NOTE: To avoid "overload" delays for end-user mail
+clients, enable the "submission" service entry in master.cf (present
+since Postfix 2.1), and tell users to connect to this instead of
+the public SMTP service. </p>
</ul>
<ul>
-<li> <p> NOTE: A portscan for open SMTP ports also results in "lost
-connection ..." logfile messages. </p>
+<li> <p> NOTE: A portscan for open SMTP ports can also result in
+"lost connection ..." logfile messages. </p>
</ul>
</ul>
<p> Legitimate mail that doesn't get through during an episode of
-overload is not necessarily lost. It should still arrive once the
-situation returns to normal, as long as the overload condition is
-temporary. </p>
+Postfix SMTP server overload is not necessarily lost. It should
+still arrive once the situation returns to normal, as long as the
+overload condition is temporary. </p>
<h2><a name="concurrency"> Service more SMTP clients at the same time </a> </h2>
-<p> To service more SMTP clients simultaneously, you need to increase
-the number of SMTP server processes. This will improve the
+<p> One measure to avoid the "all server processes busy" condition
+is to service more SMTP clients simultaneously. For this you need
+to increase the number of Postfix SMTP server processes. This will
+improve the
responsiveness for remote SMTP clients, as long as the server machine
has enough hardware and software resources to run the additional
processes, and as long as the file system can keep up with the
filters (BSD kqueue(2), Linux epoll(4), or Solaris /dev/poll).
</p>
-<li> <p> You can reduce the Postfix memory footprint by using cdb:
+<li> <p> More processes use more memory. You can reduce the Postfix
+memory footprint by using cdb:
lookup tables instead of Berkeley DB's hash: or btree: tables. </p>
<pre>
<p> When increasing the number of SMTP server processes is not
practical, you can improve Postfix server responsiveness by eliminating
-unnecessary work. When Postfix spends less time per SMTP session, the
-same number of SMTP server processes can service more clients in the
-same amount of time. </p>
+delays. When Postfix spends less time per SMTP session, the same
+number of SMTP server processes can service more clients in a given
+amount of time. </p>
<ul>
mail. See BACKSCATTER_README for examples of the latter.
<li> <p> Group your header_checks and body_checks patterns to avoid
-unnecessary pattern matching operations.
+unnecessary pattern matching operations:
<pre>
1 /etc/postfix/header_checks:
2 if /^Subject:/
3 /^Subject: virus found in mail from you/ reject
- 4 /^Subject: ..../ ....
+ 4 /^Subject: ..other../ reject
5 endif
6
7 if /^Received:/
8 /^Received: from (postfix\.org) / reject forged client name in received header: $1
- 9 /^Received: from .../ ....
+ 9 /^Received: from ..other../ reject ....
10 endif
</pre>
<ul>
-<li> <p> Use "521" reply codes (Postfix 2.6 and later) for
-botnet-related RBLs or for selected non-RBL restrictions. With
-Postfix 2.3-2.5 use "421" for a similar result. The Postfix SMTP
-server will disconnect immediately without waiting for the remote
-SMTP client to send a QUIT command. </p>
-
-<p> You can set individual reject codes for RBLs, and for individual
-responses from a specific RBL. We'll use zen.spamhaus.org as an
-example; by the time you read this document, details may have
-changed. Right now, their documents say that a response of 127.0.0.10
-or 127.0.0.11 indicates a dynamic client IP address, which means
-that the machine is probably running a bot of some kind. To give
-a 521 response instead of the default 554 response, use something
-like: </p>
+<li> <p> Use "521" SMTP reply codes (Postfix 2.6 and later) or "421"
+(Postfix 2.3-2.5) to hang up on clients that that match botnet-related
+RBLs (see next bullet) or that match selected non-RBL restrictions
+such as SMTP access maps. The Postfix SMTP server will reject mail
+and disconnect without waiting for the remote SMTP client to send
+a QUIT command. </p>
+
+<li> <p> To hang up connections from blacklisted zombies, you can
+set specific Postfix SMTP server reject codes for specific RBLs,
+and for individual responses from specific RBLs. We'll use
+zen.spamhaus.org as an example; by the time you read this document,
+details may have changed. Right now, their documents say that a
+response of 127.0.0.10 or 127.0.0.11 indicates a dynamic client IP
+address, which means that the machine is probably running a bot of
+some kind. To give a 521 response instead of the default 554
+response, use something like: </p>
<pre>
1 /etc/postfix/main.cf:
8 rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
9
10 /etc/postfix/rbl_reply_maps:
-11 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
-12 $rbl_class [$rbl_what] blocked using
-13 $rbl_domain${rbl_reason?; $rbl_reason}
-14
-15 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
-16 $rbl_class [$rbl_what] blocked using
-17 $rbl_domain${rbl_reason?; $rbl_reason}
+11 # With Postfix 2.3-2.5 use "421" to hang up connections.
+12 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
+13 $rbl_class [$rbl_what] blocked using
+14 $rbl_domain${rbl_reason?; $rbl_reason}
+15
+16 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
+17 $rbl_class [$rbl_what] blocked using
+18 $rbl_domain${rbl_reason?; $rbl_reason}
</pre>
-<p> Although the above shows three RBL lookups (lines 4-6), Postfix
-will still only do a single DNS query, so the performance difference
-is negligible. </p>
+<p> Although the above example shows three RBL lookups (lines 4-6),
+Postfix will only do a single DNS query, so it does not affect the
+performance. </p>
-<p> With Postfix 2.3-2.5, use 421 (reply code 521 will not cause
-Postfix to disconnect). The down-side of sending 421 is that
-it works only for zombies and other malware. If the client is running
-a real MTA, then it may connect again several times until the mail
-expires in its queue. When this is a problem, stick with the default
-554 reply, and use "smtpd_hard_error_limit = 1" as described below.
-</p>
+<li> <p> With Postfix 2.3-2.5, use reply code 421 (521 will not
+cause Postfix to disconnect). The down-side of replying with 421
+is that it works only for zombies and other malware. If the client
+is running a real MTA, then it may connect again several times until
+the mail expires in its queue. When this is a problem, stick with
+the default 554 reply, and use "smtpd_hard_error_limit = 1" as
+described below. </p>
-<p> With Postfix 2.5, or with earlier releases that contain the
-stress-adaptive behavior patch, you can turn on the above under
-overload by replacing line 8 with: </p>
+<li> <p> You can automatically turn on the above overload measure
+with Postfix 2.5 and later, or with earlier releases that contain
+the stress-adaptive behavior source code patch from the mirrors
+listed at http://www.postfix.org/download.html. Simply replace line
+above 8 with: </p>
<pre>
8 rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
</pre>
+</ul>
+
<p> More information about automatic stress-adaptive behavior is
-at the end of this document. </p>
+in section "<a href="#adapt">Automatic stress-adaptive behavior</a>".
+</p>
-</ul>
+<h2><a name="legacy"> Temporary measures for older Postfix releases </a></h2>
-<h2><a name="desperate"> Take desperate measures </a></h2>
+<p> See the next section, "<a href="#adapt">Automatic stress-adaptive
+behavior</a>", if you are running Postfix version 2.5 or later, or
+if you have applied the source code patch for stress-adaptive
+behavior from the mirrors listed at http://www.postfix.org/download.html.
+</p>
-<p> The following measures will still allow <b>most</b> legitimate
-clients to connect and send mail, but may affect some legitimate
-clients. </p>
+<p> The following measures can be applied temporarily during overload.
+They still allow <b>most</b> legitimate clients to connect and send
+mail, but may affect some legitimate clients. </p>
<ul>
names that didn't bother to unsubscribe. No mail should be lost,
as long as this measure is used only temporarily. </p>
-<li> <p> Disable remote SMTP client hostname lookups, so that all
-SMTP client hostnames become "unknown" (line 5 below). This feature
-was introduced with Postfix 2.3. Unfortunately, this measure is
-more problematic than the other ones proposed sofar. First, this
-will result in loss of mail when you use hostname-based access rules
-that reject mail from "unknown" SMTP clients (examples:
-reject_unknown_client_hostname, reject_unknown_reverse_client_hostname).
-Second, this may result in loss of mail when you subject "unknown"
-SMTP clients to additional restrictions such as reject_unverified_sender.
-</p>
+<li> <p> Use an smtpd_junk_command_limit of 1 instead of the default
+100. This prevents clients from keeping idle connections open by
+repeatedly sending NOOP or RSET commands. </p>
</ul>
1 /etc/postfix/main.cf:
2 smtpd_timeout = 10
3 smtpd_hard_error_limit = 1
-4 # Caution: line 5 may trigger REJECTs by hostname-based access rules
-5 smtpd_peername_lookup = no
+4 smtpd_junk_command_limit = 1
</pre>
</blockquote>
-<p> Except with the last measure, no mail should be lost, as long
+<p> With these measures, no mail should be lost, as long
as these measures are used only temporarily. The next section of
this document introduces a way to automate this process. </p>
-<h2><a name="adapt"> Make Postfix behavior stress-adaptive </a></h2>
+<h2><a name="adapt"> Automatic stress-adaptive behavior </a></h2>
<p> Postfix version 2.5 introduces automatic stress-adaptive behavior.
-This is also available as an add-on patch for Postfix versions 2.4
-and 2.3 from the mirrors listed at http://www.postfix.org/download.html.
+This is also available as a source code patch for Postfix versions
+2.4 and 2.3 from the mirrors listed at
+http://www.postfix.org/download.html. </p>
+
+<p> It works as follows. When a "public" network service such as
+the SMTP server runs into an "all server ports are busy" condition,
+the Postfix master(8) daemon logs a warning, restarts the service
+(without interrupting existing network sessions), and runs the
+service with "-o stress=yes" on the server process command line:
</p>
-<p> It works as follows. When a "public" network service runs into
-an "all server ports are busy" condition, the master(8) daemon logs
-a warning, restarts the service (without interrupting existing
-network sessions), and runs the service with "-o stress=yes" on the
-command line. Normally, it runs a stress-adaptive service with "-o
-stress=" on the command line (i.e. with an empty parameter value).
-Other services never have "-o stress" parameters on the command
-line, including services that listen on a loopback interface only.
-</p>
+<blockquote>
+<pre>
+80821 ?? S 0:00.24 smtpd -n smtp -t inet -u -c -o stress=yes
+</pre>
+</blockquote>
-<p> The stress pseudo-parameter value is the key to making main.cf
-parameter settings stress adaptive: </p>
+<p> Normally, the Postfix master(8) daemon runs such a service with
+"-o stress=" on the command line (i.e. with an empty parameter
+value): </p>
<blockquote>
<pre>
-1 /etc/postfix/main.cf:
-2 smtpd_timeout = ${stress?10}${stress:300}
-3 smtpd_hard_error_limit = ${stress?1}${stress:20}
+83326 ?? S 0:00.28 smtpd -n smtp -t inet -u -c -o stress=
+</pre>
+</blockquote>
+
+<p> Services that have local access only never have "-o stress"
+parameters on the command line. This includes services internal to
+Postfix such as the queue manager, and services that listen on a
+loopback interface only, such as after-filter SMTP services. </p>
+
+<p> The "stress" parameter value is the key to making main.cf
+parameter settings stress adaptive. The following settings are the
+default with Postfix 2.6 and later. With earlier Postfix versions
+that have stress-adaptive support, append the lines below to the
+main.cf file and issue a "postfix reload" command: </p>
+
+<blockquote>
+<pre>
+1 smtpd_timeout = ${stress?10}${stress:300}s
+2 smtpd_hard_error_limit = ${stress?1}${stress:20}
+3 smtpd_junk_command_limit = ${stress?1}${stress:100}
</pre>
</blockquote>
<ul>
-<li> <p> Line 2: under conditions of stress, use an smtpd_timeout
-value of 10 seconds instead of the default 300 seconds,
+<li> <p> Line 1: under conditions of stress, use an smtpd_timeout
+value of 10 seconds instead of the default 300 seconds. Experience
+on the postfix-users list from a variety of sysadmins shows that
+reducing the "normal" smtpd_timeout to 60s is unlikely to affect
+legitimate clients. However, it is unlikely to become the Postfix
+default because it's not RFC compliant. Setting smtpd_timeout to
+10s (line 2 below) or even 5s under stress will still allow most
+legitimate clients to connect and send mail, but may delay mail
+from some clients. No mail should be lost, as long as this measure
+is used only temporarily. </p>
-<li> <p> Line 3: under conditions of stress, use an smtpd_hard_error_limit
-of 1 instead of the default 20. </p>
+<li> <p> Line 2: under conditions of stress, use an smtpd_hard_error_limit
+of 1 instead of the default 20. This helps by disconnecting clients
+after a single error, giving other clients a chance to connect.
+However, this may cause significant delays with legitimate mail,
+such as a mailing list that contains a few no-longer-active user
+names that didn't bother to unsubscribe. No mail should be lost,
+as long as this measure is used only temporarily. </p>
+
+<li> <p> Line 3: under conditions of stress, use an
+smtpd_junk_command_limit of 1 instead of the default 100. This
+prevents clients from keeping idle connections open by repeatedly
+sending NOOP or RSET commands. </p>
</ul>
</pre>
</blockquote>
+<h2><a name="other"> Other measures to off-load zombies </h2>
+
+<p> OpenBSD <a href="http://www.openbsd.org/spamd/">spamd</a>
+implements a daemon that handles all connections from "new" clients.
+Only well-behaved mail clients are allowed to talk to the mail
+server. Other clients are tarpitted, and will never get a chance
+to affect mail server performance. </p>
+
+<p> At some point in the future, Postfix may come with a simple
+front-end daemon that does basic greylisting and pipelining detection
+to keep zombies and other ratware away from Postfix itself. This
+would use the "pass" service type which has been available in
+stable Postfix releases since Postfix 2.5. </p>
+
<h2><a name="credits"> Credits </a></h2>
<ul>
* ID uniqueness only within a second, we must ensure that the time in
* the message ID matches the queue ID creation time, as long as we use
* the queue ID in the message ID.
+ *
+ * XXX We log a dummy name=value record so that we (hopefully) don't break
+ * compatibility with existing logfile analyzers, and so that we don't
+ * complicate future code that wants to log more name=value attributes.
*/
if ((state->hdr_rewrite_context || var_always_add_hdrs)
&& (state->headers_seen & (1 << (state->resent[0] ?
msg_info("%s: %smessage-id=<%s.%s@%s>",
state->queue_id, *state->resent ? "resent-" : "",
time_stamp, state->queue_id, var_myhostname);
+ state->headers_seen |= (1 << (state->resent[0] ?
+ HDR_RESENT_MESSAGE_ID : HDR_MESSAGE_ID));
}
+ if ((state->headers_seen & (1 << HDR_MESSAGE_ID)) == 0)
+ msg_info("%s: message-id=<>", state->queue_id);
/*
* Add a missing (Resent-)Date: header. The date is in local time units,
static RCPT_BUF *rcpt_buf;
int rcpt_count;
int dsn_ret;
+ int lock_tries;
/*
* Initialize. For some reason I wanted to allow for multiple instances
}
if (msg_verbose)
msg_info("%s: file %s", myname, VSTREAM_PATH(request->fp));
- if (myflock(vstream_fileno(request->fp), INTERNAL_LOCK, DELIVER_LOCK_MODE) < 0)
- msg_fatal("shared lock %s: %m", VSTREAM_PATH(request->fp));
+
+ /*
+ * XXX Originally, the queue manager would read new recipients AFTER all
+ * the in-memory recipients were processed. either the queue manager held
+ * an exclusive lock or delivery agents held a shared lock. Now we try a
+ * few times.
+ */
+ for (lock_tries = 0; /* see below */; lock_tries++) {
+ if (myflock(vstream_fileno(request->fp), INTERNAL_LOCK, DELIVER_LOCK_MODE) == 0)
+ break;
+ if (lock_tries < 5)
+ sleep(1);
+ else
+ msg_fatal("shared lock %s: %m", VSTREAM_PATH(request->fp));
+ }
close_on_exec(vstream_fileno(request->fp), CLOSE_ON_EXEC);
return (0);
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20090404"
-#define MAIL_VERSION_NUMBER "2.6"
+#define MAIL_RELEASE_DATE "20090415"
+#define MAIL_VERSION_NUMBER "2.6.0-RC1"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
/* .SH "New or existing instance name assignment"
/* .IP "\fB-I \fIname\fR"
/* Assign the specified instance \fIname\fR to an existing
-/* instance or to a newly created or imported instance. Instance
-/* names other than "-" (which makes the instance "nameless")
+/* instance, newly-created instance, or imported instance.
+/* Instance
+/* names other than "-" (which makes the instance "nameless")
/* must start with "postfix-". This restriction reduces the
/* likelihood of name collisions with system files.
/* .IP "\fB-G \fIgroup\fR"
VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
VAR_SMTP_SASL_AUTH_SOFT_BOUNCE, DEF_SMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce,
+ VAR_LMTP_ASSUME_FINAL, DEF_LMTP_ASSUME_FINAL, &var_lmtp_assume_final,
0,
};
projects / thirdparty / postfix.git / commitdiff
