5
5
PPuurrppoossee ooff PPoossttffiixx SSMMTTPP aacccceessss ppoolliiccyy ddeelleeggaattiioonn
7
7
The Postfix SMTP server has a number of built-in mechanisms to block or accept
8
mail at specific SMTP protocol stages. As of version 2.1, Postfix can delegate
9
policy decisions to an external server that runs outside Postfix.
8
mail at specific SMTP protocol stages. In addition, the Postfix SMTP server can
9
delegate decisions to an external policy server (Postfix 2.1 and later).
11
11
With this policy delegation mechanism, a simple greylist policy can be
12
12
implemented with only a dozen lines of Perl, as is shown at the end of this
198
* Lines 2, 11: the Postfix spawn(8) daemon by default kills its child process
199
after 1000 seconds. This is too short for a policy daemon that may need to
200
run for as long as the SMTP server process that talks to it. The default
201
time limit is overruled in main.cf with an explicit "policy_time_limit"
202
setting. The name of the parameter is the name of the master.cf entry
203
("policy") concatenated with the "_time_limit" suffix. See spawn(8) for
204
more information about the time limit parameter.
200
* Lines 2-3: this creates the service called "policy" that listens on a UNIX-
201
domain socket. The service is implemented by the Postfix spawn(8) daemon,
202
which executes the policy server program that is specified with the aarrggvv
203
attribute, using the privileges specified with the uusseerr attribute.
206
205
* Line 2: specify a "0" process limit instead of the default "-", to avoid
207
"connection refused" and other problems when the smtpd process limit
208
exceeds the default_process_limit setting.
206
"connection refused" and other problems when you increase the smtpd process
210
209
* Lines 8, 9: always specify "check_policy_service" AFTER
211
210
"reject_unauth_destination" or else your system could become an open relay.
212
* Line 11: this increases the time that a policy server process may run to
213
3600 seconds. The default time limit of 1000 seconds is too short; the
214
policy daemon needs to run long as the SMTP server process that talks to
215
it. See the spawn(8) manpage for more information about the
216
transport_time_limit parameter.
218
Note: the "policy_time_limit" parameter will not show up in "postconf"
219
command output before Postfix version 2.9. This limitation applies to
220
many parameters whose name is a combination of a master.cf service name
221
(in the above example, "policy") and a built-in suffix (in the above
222
example: "_time_limit").
213
224
* Solaris UNIX-domain sockets do not work reliably. Use TCP sockets instead:
215
226
1 /etc/postfix/master.cf:
280
291
daemon. For example, to run the script as user "nobody", using a UNIX-domain
281
292
socket that is accessible by Postfix processes only:
283
1 /etc/postfix/master.cf:
284
2 policy unix - n n - 0 spawn
285
3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
287
5 /etc/postfix/main.cf:
288
6 policy_time_limit = 3600
294
1 /etc/postfix/master.cf:
295
2 greylist unix - n n - 0 spawn
296
3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
298
5 /etc/postfix/main.cf:
299
6 greylist_time_limit = 3600
300
7 smtpd_recipient_restrictions =
302
9 reject_unauth_destination
303
10 check_policy_service unix:private/greylist
308
* Lines 2-3: this creates the service called "greylist" that listens on a
309
UNIX-domain socket. The service is implemented by the Postfix spawn(8)
310
daemon, which executes the greylist.pl script that is specified with the
311
aarrggvv attribute, using the privileges specified with the uusseerr attribute.
313
* Line 2: specify a "0" process limit instead of the default "-", to avoid
314
"connection refused" and other problems when you increase the smtpd process
292
317
* Line 3: Specify "greylist.pl -v" for verbose logging of each request and
295
* Lines 2, 6: the Postfix spawn(8) daemon by default kills its child process
296
after 1000 seconds. This is too short for a policy daemon that may run for
297
as long as an SMTP client is connected to an SMTP server process. The
298
default time limit is overruled in main.cf with an explicit
299
"policy_time_limit" setting. The name of the parameter is the name of the
300
master.cf entry ("policy") concatenated with the "_time_limit" suffix.
320
* Line 6: this increases the time that a greylist server process may run to
321
3600 seconds. The default time limit of 1000 seconds is too short; the
322
greylist daemon needs to run long as the SMTP server process that talks to
323
it. See the spawn(8) manpage for more information about the
324
transport_time_limit parameter.
302
* Line 2: specify a "0" process limit instead of the default "-", to avoid
303
"connection refused" and other problems when the smtpd process limit
304
exceeds the default_process_limit setting.
326
Note: the "greylist_time_limit" parameter will not show up in
327
"postconf" command output before Postfix version 2.9. This limitation
328
applies to many parameters whose name is a combination of a master.cf
329
service name (in the above example, "greylist") and a built-in suffix
330
(in the above example: "_time_limit").
306
332
On Solaris you must use inet: style sockets instead of unix: style, as detailed
307
333
in the "Policy client/server configuration" section above.
309
1 /etc/postfix/master.cf:
310
2 127.0.0.1:9998 inet n n n - 0 spawn
311
3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
313
5 /etc/postfix/main.cf:
314
6 127.0.0.1:9998_time_limit = 3600
316
To invoke this service you would specify "check_policy_service inet:127.0.0.1:
335
1 /etc/postfix/master.cf:
336
2 127.0.0.1:9998 inet n n n - 0 spawn
337
3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
339
5 /etc/postfix/main.cf:
340
6 127.0.0.1:9998_time_limit = 3600
341
7 smtpd_recipient_restrictions =
343
9 reject_unauth_destination
344
10 check_policy_service inet:127.0.0.1:9998
319
347
GGrreeyylliissttiinngg mmaaiill ffrroomm ffrreeqquueennttllyy ffoorrggeedd ddoommaaiinnss
358
386
GGrreeyylliissttiinngg aallll yyoouurr mmaaiill
360
If you turn on greylisting for all mail you will almost certainly want to make
361
exceptions for mailing lists that use one-time sender addresses, because such
362
mailing lists can pollute your greylist database relatively quickly.
388
If you turn on greylisting for all mail you may want to make exceptions for
389
mailing lists that use one-time sender addresses, because each message will be
390
delayed due to greylisting, and the one-time sender addresses can pollute your
391
greylist database relatively quickly. Instead of making exceptions, you can
392
automatically whitelist clients that survive greylisting repeatedly; this
393
avoids most of the delays and most of the database pollution problem.
364
395
1 /etc/postfix/main.cf:
365
396
2 smtpd_recipient_restrictions =