<h2>Purpose of Postfix SMTP access policy delegation</h2>
<p> The Postfix SMTP server has a number of built-in mechanisms to
block or accept mail at specific SMTP protocol stages. As of version
2.1, Postfix can delegate policy decisions to an external server
that runs outside Postfix. </p>
<p> With this policy delegation mechanism, a simple <a href="#greylist">
greylist </a> policy can be implemented with only a dozen lines of
<li> <p> Lines 2, 11: the Postfix <a href="spawn.8.html">spawn(8)</a> daemon by default kills
its child process after 1000 seconds. This is too short for a
policy daemon that may need to run for as long as the SMTP server
process that talks to it. The default time limit is overruled in
<a href="postconf.5.html">main.cf</a> with an explicit "policy_time_limit" setting. The name of
the parameter is the name of the <a href="master.5.html">master.cf</a> entry ("policy")
concatenated with the "_time_limit" suffix. See <a href="spawn.8.html">spawn(8)</a> for
more information about the time limit parameter. </p>
<li> <p> Lines 2-3: this creates the service called "policy" that
listens on a UNIX-domain socket. The service is implemented by the
Postfix <a href="spawn.8.html">spawn(8)</a> daemon, which executes the policy server program
that is specified with the <b>argv</b> attribute, using the privileges
specified with the <b>user</b> attribute. </p>
<li> <p> Line 2: specify a "0" process limit instead of the default
"-", to avoid "connection refused" and other problems when the smtpd
process limit exceeds the <a href="postconf.5.html#default_process_limit">default_process_limit</a> setting. </p>
<li> <p> Lines 8, 9: always specify "<a href="postconf.5.html#check_policy_service">check_policy_service</a>" AFTER
"<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>" or else your system could become an
<li> <p> Line 11: this increases the time that a policy server
process may run to 3600 seconds. The default time limit of 1000
seconds is too short; the policy daemon needs to run as long as the
SMTP server process that talks to it.
See the <a href="spawn.8.html">spawn(8)</a> manpage for more information about the
<a href="postconf.5.html#transport_time_limit"><i>transport</i>_time_limit</a> parameter. </p>
<blockquote> <p> Note: the "<a href="postconf.5.html#transport_time_limit">policy_time_limit</a>" parameter will not
show up in "postconf" command output before Postfix version 2.9.
This limitation applies to many parameters whose name is a combination
of a <a href="master.5.html">master.cf</a> service name (in the above example, "policy") and a
built-in suffix (in the above example: "_time_limit"). </p>
</blockquote>
<li> <p> Solaris UNIX-domain sockets do not work reliably. Use
TCP sockets instead: </p>
<pre>
1 /etc/postfix/<a href="master.5.html">master.cf</a>:
2 policy unix - n n - 0 spawn
3     user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl

5 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
6 policy_time_limit = 3600
</pre>
<pre>
1 /etc/postfix/<a href="master.5.html">master.cf</a>:
2 greylist unix - n n - 0 spawn
3     user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl

5 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
6 <a href="postconf.5.html#transport_time_limit">greylist_time_limit</a> = 3600
7 <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
9     <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
10    <a href="postconf.5.html#check_policy_service">check_policy_service</a> unix:private/greylist
</pre>
<li> <p> Lines 2-3: this creates the service called "greylist" that
listens on a UNIX-domain socket. The service is implemented by the
Postfix <a href="spawn.8.html">spawn(8)</a> daemon, which executes the greylist.pl script that
is specified with the <b>argv</b> attribute, using the privileges
specified with the <b>user</b> attribute. </p>
<li> <p> Line 2: specify a "0" process limit instead of the default
"-", to avoid "connection refused" and other problems when you
increase the smtpd process limit. </p>
<li> <p> Line 3: Specify "greylist.pl -v" for verbose logging of
each request and reply. </p>
<li> <p> Line 6: this increases the time that a greylist server
process may run to 3600 seconds. The default time limit of 1000
seconds is too short; the greylist daemon needs to run as long as the
SMTP server process that talks to it.
See the <a href="spawn.8.html">spawn(8)</a> manpage for more information about the
<a href="postconf.5.html#transport_time_limit"><i>transport</i>_time_limit</a> parameter. </p>
<blockquote> <p> Note: the "<a href="postconf.5.html#transport_time_limit">greylist_time_limit</a>" parameter will not
show up in "postconf" command output before Postfix version 2.9.
This limitation applies to many parameters whose name is a combination
of a <a href="master.5.html">master.cf</a> service name (in the above example, "greylist") and
a built-in suffix (in the above example: "_time_limit"). </p>
</blockquote>
<pre>
1 /etc/postfix/<a href="master.5.html">master.cf</a>:
2 127.0.0.1:9998 inet n n n - 0 spawn
3     user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl

5 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
6 127.0.0.1:9998_time_limit = 3600
7 <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
9     <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
10    <a href="postconf.5.html#check_policy_service">check_policy_service</a> inet:127.0.0.1:9998
</pre>
<p> To invoke this service you would specify "<a href="postconf.5.html#check_policy_service">check_policy_service</a>
inet:127.0.0.1:9998". </p>
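<p> The "Lines 8, 9" item above insists that "check_policy_service" comes AFTER "reject_unauth_destination". The Python model below, added here and not part of the Postfix documentation or of greylist.pl, shows why: Postfix walks a restriction list from left to right, the first restriction that returns a permit (OK) or a reject decides, DUNNO hands the request to the next restriction, and an exhausted list permits. A policy server that answers OK (for instance to exempt a trusted client from greylisting) therefore also grants relaying when it is consulted before the relay check. The mynetworks, relay_domains and policy whitelist values and the request itself are constructed for the demonstration; the attribute names are those of the Postfix policy protocol. </p>

```python
"""Model of smtpd_recipient_restrictions evaluation order (added example).

Postfix evaluates restrictions left to right: the first non-DUNNO
result wins, and an exhausted list permits.  Values below are constructed.
"""
import ipaddress

# Constructed stand-ins for main.cf mynetworks and relay_domains (assumption)
MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
RELAY_DOMAINS = {"example.com"}

# Constructed: clients a policy server exempts from greylisting by answering OK
POLICY_WHITELIST = {"203.0.113.7"}


def permit_mynetworks(req):
    addr = ipaddress.ip_address(req["client_address"])
    return "OK" if any(addr in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(req):
    domain = req["recipient"].rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in RELAY_DOMAINS else "REJECT Relay access denied"


def check_policy_service(req):
    """Stand-in for a whitelisting policy server's reply (constructed)."""
    return "OK" if req["client_address"] in POLICY_WHITELIST else "DUNNO"


def evaluate(restrictions, req):
    """Apply restrictions in order; the first non-DUNNO action decides.
    When every restriction says DUNNO, the end of the list permits."""
    for restriction in restrictions:
        action = restriction(req)
        if action != "DUNNO":
            return action
    return "OK"


# The ordering recommended above, and the one it warns against
SAFE_ORDER = [permit_mynetworks, reject_unauth_destination, check_policy_service]
UNSAFE_ORDER = [permit_mynetworks, check_policy_service, reject_unauth_destination]

# Constructed request: a whitelisted outside client addressing a foreign domain
RELAY_ATTEMPT = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "client_address": "203.0.113.7",
    "sender": "someone@example.net",
    "recipient": "user@example.org",
}


def relay_decision(order):
    """Final action for the constructed relay attempt under a given order."""
    return evaluate(order, RELAY_ATTEMPT)


if __name__ == "__main__":
    print("safe order  :", relay_decision(SAFE_ORDER))    # REJECT Relay access denied
    print("unsafe order:", relay_decision(UNSAFE_ORDER))  # OK (relaying granted)
```

<p> Legitimate traffic is unaffected by the safe order: a client inside mynetworks is permitted at the first step, and inbound mail for a relay domain from an unknown client falls through every restriction to the permitting end of the list. </p>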
<h2><a name="frequent">Greylisting mail from frequently forged domains</a></h2>
<p> It is relatively safe to turn on greylisting for specific
<pre>
6     <a href="postconf.5.html#check_sender_access">check_sender_access</a> hash:/etc/postfix/sender_access

8 <a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> = greylist
9 greylist = <a href="postconf.5.html#check_policy_service">check_policy_service</a> unix:private/policy

11 /etc/postfix/sender_access:
12 aol.com greylist
</pre>
<h2><a name="all_mail">Greylisting all your mail</a></h2>
<p> If you turn on greylisting for all mail you may want to make
exceptions for mailing lists that use one-time sender addresses,
because each message will be delayed due to greylisting, and the
one-time sender addresses can pollute your greylist database
relatively quickly. Instead of making exceptions, you can automatically
whitelist clients that survive greylisting repeatedly; this avoids
most of the delays and most of the database pollution problem. </p>
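<p> The following Python policy server is an added example; it is not the greylist.pl script that ships with Postfix and is not part of this document. It serves two passages above: the greylist service configured in the <a href="master.5.html">master.cf</a> listings (the program named in <b>argv</b> is started by <a href="spawn.8.html">spawn(8)</a> with the socket on its stdin/stdout, which is why it loops until EOF and needs the raised time limit), and the automatic whitelisting of clients that survive greylisting repeatedly that this section describes. It speaks the Postfix policy protocol: the SMTP server sends "name=value" lines ended by an empty line, and the policy server answers "action=value" followed by an empty line. The greylist delay, the whitelist threshold and the in-memory store are constructed for the example; a real server would persist its state as greylist.pl does. </p>

```python
"""Greylisting policy server with auto-whitelisting (added example).

Speaks the Postfix SMTP access policy protocol on stdin/stdout, as a
spawn(8)-started service does.  Delay, threshold and store are constructed.
"""
import sys
import time

GREYLIST_DELAY = 60        # seconds a new triplet must wait (constructed value)
AUTO_WHITELIST_AFTER = 5   # survived greylistings before a client is trusted (constructed)


def parse_request(lines):
    """Collect the name=value lines of one request, up to the empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:  # a line without '=' is not part of the protocol; ignore it
            attrs[name] = value
    return attrs


class GreylistPolicy:
    def __init__(self, delay=GREYLIST_DELAY, whitelist_after=AUTO_WHITELIST_AFTER):
        self.delay = delay
        self.whitelist_after = whitelist_after
        self.triplets = {}      # (client, sender, recipient) -> first time seen
        self.passes = {}        # client address -> greylistings survived
        self.whitelist = set()  # clients no longer delayed

    def decide(self, attrs, now=None):
        """Return the action for one request: defer_if_permit or dunno."""
        now = time.time() if now is None else now
        # Only access-policy requests at the RCPT stage are greylisted;
        # anything else is handed back to the next restriction.
        if (attrs.get("request") != "smtpd_access_policy"
                or attrs.get("protocol_state") != "RCPT"):
            return "dunno"
        client = attrs.get("client_address", "")
        if client in self.whitelist:
            return "dunno"
        key = (client, attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
        first_seen = self.triplets.setdefault(key, now)
        if now - first_seen < self.delay:
            # defer_if_permit defers only if the remaining restrictions would
            # permit, so an unauthorised relay attempt is still rejected outright.
            return "defer_if_permit Service temporarily unavailable"
        self.passes[client] = self.passes.get(client, 0) + 1
        if self.passes[client] >= self.whitelist_after:
            self.whitelist.add(client)  # proven legitimate: stop delaying it
        return "dunno"


def format_reply(action):
    return "action=%s\n\n" % action


def handle_request(policy, text, now=None):
    """Parse one raw request as received on the socket and build the reply."""
    return format_reply(policy.decide(parse_request(text.splitlines(True)), now))


def serve(policy, infile, outfile):
    """Answer requests until EOF; spawn(8) ties the socket to stdin/stdout."""
    while True:
        attrs = parse_request(infile)
        if not attrs:
            return
        outfile.write(format_reply(policy.decide(attrs)))
        outfile.flush()


if __name__ == "__main__":
    serve(GreylistPolicy(), sys.stdin, sys.stdout)
```

<p> To run it from the listings above, point the <b>argv</b> attribute at this script instead of greylist.pl; because the process stays alive for the whole SMTP session, the "_time_limit" setting discussed above still applies. A client is whitelisted only after its triplets have been retried past the delay the configured number of times, so a sender that never retries (typical of bulk spam engines) never reaches the whitelist, while a mailing list with one-time sender addresses stops accumulating new triplets once its host is trusted. </p>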