/etc/postfix/main.cf:
postscreen_access_list = permit_mynetworks,
- /etc/postfix/postscreen_access.cidr
+ cidr:/etc/postfix/postscreen_access.cidr
/etc/postfix/postscreen_access.cidr:
# Rules are evaluated in the order as specified.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg t\bth\bhe\be p\bpo\bos\bst\bts\bsc\bcr\bre\bee\ben\bn(\b(8\b8)\b) s\bse\ber\brv\bvi\bic\bce\be
-postscreen(8) has been tested on FreeBSD [4-8] and Linux 2.[4-6] systems. It
-probably needs additional work before it can be used on Solaris.
+postscreen(8) has been tested on FreeBSD [4-8], Linux 2.[4-6] and Solaris 9
+systems.
* Turning on postscreen(8) without blocking mail
* Blocking mail with postscreen(8)
several servers to collect real-world statistics. This version still used the
embarrassing dnsblog(8) ad-hoc DNS client program.
+Wietse added STARTTLS support in December 2010. This makes postscreen(8) usable
+for sites that require TLS support. The implementation introduces the tlsproxy
+(8) event-driven TLS proxy that decrypts/encrypts the sessions for multiple
+SMTP clients.
+
Remove this file from the stable release.
+ Make tlsproxy_service and dnsblog_service configurable.
+
Things to do after the stable release:
+ When does it pay off to send domains in the active queue
+ to a DNS prefetch daemon? Could this generalize to a dynamic
+ transport map that piggy-backs domains with the same MX
+ host into the same mail delivery transaction?
+
inline table where the "whitespace replacement" character
is specified in-line. Ex: inline:XYname1Xvalue1Yname2Xvalue2
would instantiate a table with (name1, value1) and (name2,
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
- /etc/postfix/postscreen_access.cidr
+ <a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr
/etc/postfix/postscreen_access.<a href="cidr_table.5.html">cidr</a>:
# Rules are evaluated in the order as specified.
<h2> <a name="config"> Configuring the postscreen(8) service</a>
</h2>
-<p> <a href="postscreen.8.html">postscreen(8)</a> has been tested on FreeBSD [4-8] and Linux 2.[4-6]
-systems. It probably needs additional work before it can be used
-on Solaris. </p>
+<p> <a href="postscreen.8.html">postscreen(8)</a> has been tested on FreeBSD [4-8], Linux 2.[4-6]
+and Solaris 9 systems. </p>
<ul>
<p> Many ideas in <a href="postscreen.8.html">postscreen(8)</a> were explored in earlier work by
Michael Tokarev, in OpenBSD spamd, and in MailChannels Traffic
-Control. </p>
+Control. </p>
<p> Wietse threw together a crude prototype with pregreet and dnsbl
support in June 2009, because he needed something new for a Mailserver
collect real-world statistics. This version still used the embarrassing
<a href="dnsblog.8.html">dnsblog(8)</a> ad-hoc DNS client program. </p>
+<p> Wietse added STARTTLS support in December 2010. This makes
+<a href="postscreen.8.html">postscreen(8)</a> usable for sites that require TLS support. The
+implementation introduces the <a href="tlsproxy.8.html">tlsproxy(8)</a> event-driven TLS proxy
+that decrypts/encrypts the sessions for multiple SMTP clients. </p>
+
</body>
</html>
<DT><b><a name="postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a>
(default: 30d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache results from
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
a successful "bare newline" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
<DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>
(default: 1h)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache results from
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
a successful DNS blocklist test. During this time, the client IP address
is excluded from this test. The default is relatively short, because a
good client can immediately talk to a real Postfix SMTP server.
<DT><b><a name="postscreen_greet_ttl">postscreen_greet_ttl</a>
(default: 1d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache results from
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
a successful PREGREET test. During this time, the client IP address
is excluded from this test. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server. </p>
<DT><b><a name="postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a>
(default: 30d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache results from
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
a successful "non_smtp_command" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
<DT><b><a name="postscreen_pipelining_ttl">postscreen_pipelining_ttl</a>
(default: 30d)</b></DT><DD>
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache results from
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
a successful "pipelining" SMTP protocol test. During this time, the
client IP address is excluded from this test. The default is
long because a good client must disconnect after it passes the test,
<a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
<a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
<a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
- <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
+ <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
<a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
<a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
<a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
removed.
<b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
- results from a successful "bare newline" SMTP pro-
- tocol test.
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+ result from a successful "bare newline" SMTP proto-
+ col test.
<b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
- results from a successful DNS blocklist test.
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+ result from a successful DNS blocklist test.
<b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
- results from a successful PREGREET test.
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+ result from a successful PREGREET test.
<b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
- results from a successful "non_smtp_command" SMTP
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+ result from a successful "non_smtp_command" SMTP
protocol test.
<b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
- results from a successful "pipelining" SMTP proto-
- col test.
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+ result from a successful "pipelining" SMTP protocol
+ test.
<b>RESOURCE CONTROLS</b>
<b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
<a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
<a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
<a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
- <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
+ <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
<a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
<a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
<a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
<b>DESCRIPTION</b>
The <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server implements a server-side TLS proxy.
- Its primary use is to talk plaintext SMTP with
- <a href="postscreen.8.html"><b>postscreen</b>(8)</a>, and to talk SMTP-over-TLS with remote SMTP
- clients whose whitelist status has expired, but it should
- also work for non-SMTP protocols.
+ It is used by <a href="postscreen.8.html"><b>postscreen</b>(8)</a> to talk SMTP-over-TLS with
+ remote SMTP clients whose whitelist status has expired,
+ but it should also work for non-SMTP protocols.
- Although one <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process can serve multiple ses-
- sions at the same time, it is a good idea to allow the
- number of processes to increase with load, so that the
- service remains available.
+ Although one <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process can serve multiple ses-
+ sions at the same time, it is a good idea to allow the
+ number of processes to increase with load, so that the
+ service remains responsive.
<b>PROTOCOL EXAMPLE</b>
- The example below involves <a href="postscreen.8.html"><b>postscreen</b>(8)</a>. However, the
- <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server is agnostic of the application proto-
- col, and the example is easily adapted to other applica-
+ The example below concerns <a href="postscreen.8.html"><b>postscreen</b>(8)</a>. However, the
+ <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server is agnostic of the application proto-
+ col, and the example is easily adapted to other applica-
tions.
The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server sends the remote SMTP client end-
- point string, the requested role (server), and the
+ point string, the requested role (server), and the
requested timeout to <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> then
- receives
a "TLS available" indication from <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.
- If the TLS service is available, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends the
- remote SMTP client file descriptor to <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>, and
- sends the plaintext 220 greeting to the remote SMTP
+ receives
a "TLS available" indication from <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.
+ If the TLS service is available, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends the
+ remote SMTP client file descriptor to <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>, and
+ sends the plaintext 220 greeting to the remote SMTP
client. This triggers TLS negotiations between the remote
- SMTP client and <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>. Upon completion of the TLS-
- level handshake, <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> translates between plaintext
- from/to <a href="postscreen.8.html"><b>postscreen</b>(8)</a> and ciphertext to/from the remote
+ SMTP client and <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>. Upon completion of the TLS-
+ level handshake, <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> translates between plaintext
+ from/to <a href="postscreen.8.html"><b>postscreen</b>(8)</a> and ciphertext to/from the remote
SMTP client.
<b>SECURITY</b>
- The <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server is moderately security-sensitive.
- It talks to untrusted clients on the network. The process
+ The <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server is moderately security-sensitive.
+ It talks to untrusted clients on the network. The process
can be run chrooted at fixed low privilege.
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
<b>CONFIGURATION PARAMETERS</b>
- Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, as
+ Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, as
<a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> processes may run for a long time depending on
- mail server load. Use the command "<b>postfix reload</b>" to
+ mail server load. Use the command "<b>postfix reload</b>" to
speed up a change.
- The text below provides only a parameter summary. See
+ The text below provides only a parameter summary. See
<a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
<b>STARTTLS SUPPORT CONTROLS</b>
<b><a href="postconf.5.html#tlsproxy_tls_CAfile">tlsproxy_tls_CAfile</a> ($<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)</b>
- A file containing (PEM format) CA certificates of
- root CAs trusted to sign either remote SMTP client
+ A file containing (PEM format) CA certificates of
+ root CAs trusted to sign either remote SMTP client
certificates or intermediate CA certificates.
<b><a href="postconf.5.html#tlsproxy_tls_CApath">tlsproxy_tls_CApath</a> ($<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>)</b>
A directory containing (PEM format) CA certificates
- of root CAs trusted to sign either remote SMTP
- client certificates or intermediate CA certifi-
+ of root CAs trusted to sign either remote SMTP
+ client certificates or intermediate CA certifi-
cates.
<b><a href="postconf.5.html#tlsproxy_tls_always_issue_session_ids">tlsproxy_tls_always_issue_session_ids</a></b>
off.
<b><a href="postconf.5.html#tlsproxy_tls_ask_ccert">tlsproxy_tls_ask_ccert</a> ($<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>)</b>
- Ask a remote SMTP client for a client certificate.
+ Ask a remote SMTP client for a client certificate.
<b><a href="postconf.5.html#tlsproxy_tls_ccert_verifydepth">tlsproxy_tls_ccert_verifydepth</a> ($<a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verify</a>-</b>
<b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">depth</a>)</b>
- The verification depth for remote SMTP client cer-
+ The verification depth for remote SMTP client cer-
tificates.
<b><a href="postconf.5.html#tlsproxy_tls_cert_file">tlsproxy_tls_cert_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
- File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA cer-
+ File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA cer-
tificate in PEM format.
<b><a href="postconf.5.html#tlsproxy_tls_ciphers">tlsproxy_tls_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>)</b>
- The minimum TLS cipher grade that the Postfix
- <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server will use with opportunistic TLS
+ The minimum TLS cipher grade that the Postfix
+ <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server will use with opportunistic TLS
encryption.
<b><a href="postconf.5.html#tlsproxy_tls_dcert_file">tlsproxy_tls_dcert_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
- File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA cer-
+ File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA cer-
tificate in PEM format.
<b><a href="postconf.5.html#tlsproxy_tls_dh1024_param_file">tlsproxy_tls_dh1024_param_file</a></b>
<b>($<a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>)</b>
- File with DH parameters that the Postfix
+ File with DH parameters that the Postfix
<a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server should use with EDH ciphers.
<b><a href="postconf.5.html#tlsproxy_tls_dh512_param_file">tlsproxy_tls_dh512_param_file</a></b>
<b>($<a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a>)</b>
- File with DH parameters that the Postfix
+ File with DH parameters that the Postfix
<a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server should use with EDH ciphers.
<b><a href="postconf.5.html#tlsproxy_tls_dkey_file">tlsproxy_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a>)</b>
- File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA pri-
+ File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA pri-
vate key in PEM format.
<b><a href="postconf.5.html#tlsproxy_tls_eccert_file">tlsproxy_tls_eccert_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b>
vate key in PEM format.
<b><a href="postconf.5.html#tlsproxy_tls_eecdh_grade">tlsproxy_tls_eecdh_grade</a> ($<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a>)</b>
- The Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server security grade for
+ The Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server security grade for
ephemeral elliptic-curve Diffie-Hellman (EECDH) key
exchange.
<b><a href="postconf.5.html#tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</b>
List of ciphers or cipher types to exclude from the
- <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list at all TLS security
+ <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list at all TLS security
levels.
<b><a href="postconf.5.html#tlsproxy_tls_fingerprint_digest">tlsproxy_tls_fingerprint_digest</a> ($<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_finger</a>-</b>
<b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">print_digest</a>)</b>
- The message digest algorithm used to construct
+ The message digest algorithm used to construct
client-certificate fingerprints.
<b><a href="postconf.5.html#tlsproxy_tls_key_file">tlsproxy_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a>)</b>
- File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA pri-
+ File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA pri-
vate key in PEM format.
<b><a href="postconf.5.html#tlsproxy_tls_loglevel">tlsproxy_tls_loglevel</a> ($<a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a>)</b>
- Enable additional Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server log-
+ Enable additional Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server log-
ging of TLS activity.
<b><a href="postconf.5.html#tlsproxy_tls_mandatory_ciphers">tlsproxy_tls_mandatory_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_manda</a>-</b>
<b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">tory_ciphers</a>)</b>
- The minimum TLS cipher grade that the Postfix
- <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server will use with mandatory TLS
+ The minimum TLS cipher grade that the Postfix
+ <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server will use with mandatory TLS
encryption.
<b><a href="postconf.5.html#tlsproxy_tls_mandatory_exclude_ciphers">tlsproxy_tls_mandatory_exclude_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_manda</a>-</b>
<b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">tory_exclude_ciphers</a>)</b>
- Additional list of ciphers or cipher types to
- exclude from the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list at
+ Additional list of ciphers or cipher types to
+ exclude from the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list at
mandatory TLS security levels.
<b><a href="postconf.5.html#tlsproxy_tls_mandatory_protocols">tlsproxy_tls_mandatory_protocols</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_manda</a>-</b>
<a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server with mandatory TLS encryption.
<b><a href="postconf.5.html#tlsproxy_tls_protocols">tlsproxy_tls_protocols</a> ($<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>)</b>
- List
of TLS protocols that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
- server will exclude or include with opportunistic
+ List
of TLS protocols that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
+ server will exclude or include with opportunistic
TLS encryption.
<b><a href="postconf.5.html#tlsproxy_tls_req_ccert">tlsproxy_tls_req_ccert</a> ($<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>)</b>
- With mandatory TLS encryption, require a trusted
- remote SMTP client certificate in order to allow
+ With mandatory TLS encryption, require a trusted
+ remote SMTP client certificate in order to allow
TLS connections to proceed.
<b><a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
- The SMTP TLS security level for the Postfix
+ The SMTP TLS security level for the Postfix
<a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server; when a non-empty value is spec-
- ified, this overrides the obsolete parameters
+ ified, this overrides the obsolete parameters
<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
<b><a href="postconf.5.html#tlsproxy_tls_session_cache_timeout">tlsproxy_tls_session_cache_timeout</a> ($<a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_ses</a>-</b>
<b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">sion_cache_timeout</a>)</b>
- The expiration time of Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
+ The expiration time of Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
TLS session cache information.
<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
- These parameters are supported for compatibility with
+ These parameters are supported for compatibility with
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy parameters.
<b><a href="postconf.5.html#tlsproxy_use_tls">tlsproxy_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
- Opportunistic TLS: announce STARTTLS support to
- SMTP clients, but do not require that clients use
+ Opportunistic TLS: announce STARTTLS support to
+ SMTP clients, but do not require that clients use
TLS encryption.
<b><a href="postconf.5.html#tlsproxy_enforce_tls">tlsproxy_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
- Mandatory TLS: announce STARTTLS support to SMTP
- clients, and require that clients use TLS encryp-
+ Mandatory TLS: announce STARTTLS support to SMTP
+ clients, and require that clients use TLS encryp-
tion.
<b>RESOURCE CONTROLS</b>
<b><a href="postconf.5.html#tlsproxy_watchdog_timeout">tlsproxy_watchdog_timeout</a> (10s)</b>
- How much time a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process may take to
+ How much time a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process may take to
process local or remote I/O before it is terminated
by a built-in watchdog timer.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
syslogd(5), system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
.PP
This feature is available in Postfix 2.8.
.SH postscreen_bare_newline_ttl (default: 30d)
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
a successful "bare newline" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
.PP
This feature is available in Postfix 2.8.
.SH postscreen_dnsbl_ttl (default: 1h)
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
a successful DNS blocklist test. During this time, the client IP address
is excluded from this test. The default is relatively short, because a
good client can immediately talk to a real Postfix SMTP server.
.PP
This feature is available in Postfix 2.8.
.SH postscreen_greet_ttl (default: 1d)
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
a successful PREGREET test. During this time, the client IP address
is excluded from this test. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server.
.PP
This feature is available in Postfix 2.8.
.SH postscreen_non_smtp_command_ttl (default: 30d)
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
a successful "non_smtp_command" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
.PP
This feature is available in Postfix 2.8.
.SH postscreen_pipelining_ttl (default: 30d)
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
a successful "pipelining" SMTP protocol test. During this time, the
client IP address is excluded from this test. The default is
long because a good client must disconnect after it passes the test,
RFC 1869 (SMTP service extensions)
RFC 1870 (Message Size Declaration)
RFC 1985 (ETRN command)
-RFC 2034 (SMTP Enhanced Error Codes)
+RFC 2034 (SMTP Enhanced Status Codes)
RFC 2821 (SMTP protocol)
RFC 2920 (SMTP Pipelining)
RFC 3207 (STARTTLS command)
The amount of time that \fBpostscreen\fR(8) will cache an expired
temporary whitelist entry before it is removed.
.IP "\fBpostscreen_bare_newline_ttl (30d)\fR"
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
a successful "bare newline" SMTP protocol test.
.IP "\fBpostscreen_dnsbl_ttl (1h)\fR"
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
a successful DNS blocklist test.
.IP "\fBpostscreen_greet_ttl (1d)\fR"
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
a successful PREGREET test.
.IP "\fBpostscreen_non_smtp_command_ttl (30d)\fR"
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
a successful "non_smtp_command" SMTP protocol test.
.IP "\fBpostscreen_pipelining_ttl (30d)\fR"
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
a successful "pipelining" SMTP protocol test.
.SH "RESOURCE CONTROLS"
.na
RFC 1869 (SMTP service extensions)
RFC 1870 (Message Size Declaration)
RFC 1985 (ETRN command)
-RFC 2034 (SMTP Enhanced Error Codes)
+RFC 2034 (SMTP Enhanced Status Codes)
RFC 2554 (AUTH command)
RFC 2821 (SMTP protocol)
RFC 2920 (SMTP Pipelining)
.ad
.fi
The \fBtlsproxy\fR(8) server implements a server-side TLS
-proxy. Its primary use is to talk plaintext SMTP with
-\fBpostscreen\fR(8), and to talk SMTP-over-TLS with remote
-SMTP clients whose whitelist status has expired, but it
-should also work for non-SMTP protocols.
+proxy. It is used by \fBpostscreen\fR(8) to talk SMTP-over-TLS
+with remote SMTP clients whose whitelist status has expired,
+but it should also work for non-SMTP protocols.
Although one \fBtlsproxy\fR(8) process can serve multiple
sessions at the same time, it is a good idea to allow the
number of processes to increase with load, so that the
-service remains available.
+service remains responsive.
.SH "PROTOCOL EXAMPLE"
.na
.nf
.ad
.fi
-The example below involves \fBpostscreen\fR(8). However,
+The example below concerns \fBpostscreen\fR(8). However,
the \fBtlsproxy\fR(8) server is agnostic of the application
protocol, and the example is easily adapted to other
applications.
<pre>
/etc/postfix/main.cf:
postscreen_access_list = permit_mynetworks,
- /etc/postfix/postscreen_access.cidr
+ cidr:/etc/postfix/postscreen_access.cidr
/etc/postfix/postscreen_access.cidr:
# Rules are evaluated in the order as specified.
<h2> <a name="config"> Configuring the postscreen(8) service</a>
</h2>
-<p> postscreen(8) has been tested on FreeBSD [4-8] and Linux 2.[4-6]
-systems. It probably needs additional work before it can be used
-on Solaris. </p>
+<p> postscreen(8) has been tested on FreeBSD [4-8], Linux 2.[4-6]
+and Solaris 9 systems. </p>
<ul>
<p> Many ideas in postscreen(8) were explored in earlier work by
Michael Tokarev, in OpenBSD spamd, and in MailChannels Traffic
-Control. </p>
+Control. </p>
<p> Wietse threw together a crude prototype with pregreet and dnsbl
support in June 2009, because he needed something new for a Mailserver
collect real-world statistics. This version still used the embarrassing
dnsblog(8) ad-hoc DNS client program. </p>
+<p> Wietse added STARTTLS support in December 2010. This makes
+postscreen(8) usable for sites that require TLS support. The
+implementation introduces the tlsproxy(8) event-driven TLS proxy
+that decrypts/encrypts the sessions for multiple SMTP clients. </p>
+
</body>
</html>
%PARAM postscreen_greet_ttl 1d
-<p> The amount of time that postscreen(8) will cache results from
+<p> The amount of time that postscreen(8) will use the result from
a successful PREGREET test. During this time, the client IP address
is excluded from this test. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server. </p>
%PARAM postscreen_dnsbl_ttl 1h
-<p> The amount of time that postscreen(8) will cache results from
+<p> The amount of time that postscreen(8) will use the result from
a successful DNS blocklist test. During this time, the client IP address
is excluded from this test. The default is relatively short, because a
good client can immediately talk to a real Postfix SMTP server.
%PARAM postscreen_pipelining_ttl 30d
-<p> The amount of time that postscreen(8) will cache results from
+<p> The amount of time that postscreen(8) will use the result from
a successful "pipelining" SMTP protocol test. During this time, the
client IP address is excluded from this test. The default is
long because a good client must disconnect after it passes the test,
%PARAM postscreen_non_smtp_command_ttl 30d
-<p> The amount of time that postscreen(8) will cache results from
+<p> The amount of time that postscreen(8) will use the result from
a successful "non_smtp_command" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
%PARAM postscreen_bare_newline_ttl 30d
-<p> The amount of time that postscreen(8) will cache results from
+<p> The amount of time that postscreen(8) will use the result from
a successful "bare newline" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20110112"
+#define MAIL_RELEASE_DATE "20110113"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT
/* RFC 1869 (SMTP service extensions)
/* RFC 1870 (Message Size Declaration)
/* RFC 1985 (ETRN command)
-/* RFC 2034 (SMTP Enhanced Error Codes)
+/* RFC 2034 (SMTP Enhanced Status Codes)
/* RFC 2821 (SMTP protocol)
/* RFC 2920 (SMTP Pipelining)
/* RFC 3207 (STARTTLS command)
/* The amount of time that \fBpostscreen\fR(8) will cache an expired
/* temporary whitelist entry before it is removed.
/* .IP "\fBpostscreen_bare_newline_ttl (30d)\fR"
-/* The amount of time that \fBpostscreen\fR(8) will cache results from
+/* The amount of time that \fBpostscreen\fR(8) will use the result from
/* a successful "bare newline" SMTP protocol test.
/* .IP "\fBpostscreen_dnsbl_ttl (1h)\fR"
-/* The amount of time that \fBpostscreen\fR(8) will cache results from
+/* The amount of time that \fBpostscreen\fR(8) will use the result from
/* a successful DNS blocklist test.
/* .IP "\fBpostscreen_greet_ttl (1d)\fR"
-/* The amount of time that \fBpostscreen\fR(8) will cache results from
+/* The amount of time that \fBpostscreen\fR(8) will use the result from
/* a successful PREGREET test.
/* .IP "\fBpostscreen_non_smtp_command_ttl (30d)\fR"
-/* The amount of time that \fBpostscreen\fR(8) will cache results from
+/* The amount of time that \fBpostscreen\fR(8) will use the result from
/* a successful "non_smtp_command" SMTP protocol test.
/* .IP "\fBpostscreen_pipelining_ttl (30d)\fR"
-/* The amount of time that \fBpostscreen\fR(8) will cache results from
+/* The amount of time that \fBpostscreen\fR(8) will use the result from
/* a successful "pipelining" SMTP protocol test.
/* RESOURCE CONTROLS
/* .ad
#include <postscreen.h>
-#define PSC_ACL_SEPARATORS " \t\r"
+#define PSC_ACL_SEPARATORS ", \t\r"
static ADDR_MATCH_LIST *psc_mynetworks;
* resume SMTP command events after receiving the asynchrounous proxy
* response.
*/
-#define PSC_RESUME_SMTP_CMD_EVENTS(state) \
- PSC_READ_EVENT_REQUEST2(vstream_fileno((state)->smtp_client_stream), \
- psc_smtpd_read_event, psc_smtpd_time_event, \
- (char *) (state), PSC_EFF_CMD_TIME_LIMIT)
+#define PSC_RESUME_SMTP_CMD_EVENTS(state) do { \
+ PSC_READ_EVENT_REQUEST2(vstream_fileno((state)->smtp_client_stream), \
+ psc_smtpd_read_event, psc_smtpd_time_event, \
+ (char *) (state), PSC_EFF_CMD_TIME_LIMIT); \
+ if (!PSC_SMTPD_BUFFER_EMPTY(state)) \
+ psc_smtpd_read_event(EVENT_READ, (char *) state); \
+ } while (0)
#define PSC_SUSPEND_SMTP_CMD_EVENTS(state) \
PSC_CLEAR_EVENT_REQUEST(vstream_fileno((state)->smtp_client_stream), \
* command processor immediately.
*/
PSC_RESUME_SMTP_CMD_EVENTS(state);
- if (!PSC_SMTPD_BUFFER_EMPTY(state))
- psc_smtpd_read_event(EVENT_READ, (char *) state);
}
/* psc_starttls_cmd - activate the tlsproxy server */
/* RFC 1869 (SMTP service extensions)
/* RFC 1870 (Message Size Declaration)
/* RFC 1985 (ETRN command)
-/* RFC 2034 (SMTP Enhanced Error Codes)
+/* RFC 2034 (SMTP Enhanced Status Codes)
/* RFC 2554 (AUTH command)
/* RFC 2821 (SMTP protocol)
/* RFC 2920 (SMTP Pipelining)
/* \fBtlsproxy\fR [generic Postfix daemon options]
/* DESCRIPTION
/* The \fBtlsproxy\fR(8) server implements a server-side TLS
-/* proxy. Its primary use is to talk plaintext SMTP with
-/* \fBpostscreen\fR(8), and to talk SMTP-over-TLS with remote
-/* SMTP clients whose whitelist status has expired, but it
-/* should also work for non-SMTP protocols.
+/* proxy. It is used by \fBpostscreen\fR(8) to talk SMTP-over-TLS
+/* with remote SMTP clients whose whitelist status has expired,
+/* but it should also work for non-SMTP protocols.
/*
/* Although one \fBtlsproxy\fR(8) process can serve multiple
/* sessions at the same time, it is a good idea to allow the
/* number of processes to increase with load, so that the
-/* service remains available.
+/* service remains responsive.
/* PROTOCOL EXAMPLE
/* .ad
/* .fi
-/* The example below involves \fBpostscreen\fR(8). However,
+/* The example below concerns \fBpostscreen\fR(8). However,
/* the \fBtlsproxy\fR(8) server is agnostic of the application
/* protocol, and the example is easily adapted to other
/* applications.
/*++
/* NAME
-/* tlsp_state 3
+/* tlsproxy_state 3
/* SUMMARY
/* Postfix SMTP server
/* SYNOPSIS
projects / thirdparty / postfix.git / commitdiff
