Category: Servers and Storage
2015-01-01 22:12:05
To enable the postscreen(8) service and log client information without blocking mail:
Make sure that local clients and systems with non-standard SMTP implementations are excluded from any postscreen(8) tests. The default is to exclude all clients in mynetworks. To exclude additional clients, for example, third-party performance monitoring tools (these tend to have broken SMTP implementations):
ee /usr/local/etc/postfix/main.cf:
    # Exclude broken clients by whitelisting. Clients in mynetworks
    # should always be whitelisted.
    postscreen_access_list = permit_mynetworks,
        cidr:/usr/local/etc/postfix/postscreen_access.cidr
ee /usr/local/etc/postfix/postscreen_access.cidr:
    192.168.254.0/24    permit
Comment out the "smtp inet ... smtpd" service in master.cf, including any "-o parameter=value" entries that follow.
ee /usr/local/etc/postfix/master.cf:
    #smtp      inet  n       -       n       -       -       smtpd
    #    -o parameter=value ...
Uncomment the new "smtpd pass ... smtpd" service in master.cf, and duplicate any "-o parameter=value" entries from the smtpd service that was commented out in the previous step.
ee /usr/local/etc/postfix/master.cf:
    smtpd      pass  -       -       n       -       -       smtpd
        -o parameter=value ...
Uncomment the new "smtp inet ... postscreen" service in master.cf.
ee /usr/local/etc/postfix/master.cf:
    smtp       inet  n       -       n       -       1       postscreen
Uncomment the new "tlsproxy unix ... tlsproxy" service in master.cf. This service implements STARTTLS support for postscreen(8).
ee /usr/local/etc/postfix/master.cf:
    tlsproxy   unix  -       -       n       -       0       tlsproxy
Uncomment the new "dnsblog unix ... dnsblog" service in master.cf. This service does DNSBL lookups for postscreen(8) and logs results.
ee /usr/local/etc/postfix/master.cf:
    dnsblog    unix  -       -       n       -       0       dnsblog
To enable DNSBL lookups, list some DNS blocklist sites in main.cf, separated by whitespace. Different sites can have different weights. For example:
ee /usr/local/etc/postfix/main.cf:
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_sites = zen.spamhaus.org*2
        bl.spamcop.net*1 b.barracudacentral.org*1
Note: if your DNSBL queries have a "secret" in the domain name, you must censor this information from the postscreen(8) SMTP replies. For example:
ee /usr/local/etc/postfix/main.cf:
    postscreen_dnsbl_reply_map = texthash:/usr/local/etc/postfix/dnsbl_reply
ee /usr/local/etc/postfix/dnsbl_reply:
    # Secret DNSBL name        Name in postscreen(8) replies
    secret.zen.spamhaus.org    zen.spamhaus.org
The texthash: format is similar to hash: except that there is no need to run postmap(1) before the file can be used, and that it does not detect changes after the file is read. It is new with Postfix version 2.8.
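The following is an added example, not Postfix's own code: an offline model of how the weights in postscreen_dnsbl_sites are summed against postscreen_dnsbl_threshold, and how the dnsbl_reply table keeps a "secret" query domain out of the SMTP reply. DNSBL lookup results are constructed inline (no DNS is queried), the =filter part of a site entry is ignored, and reporting the highest-weight listing site is this model's assumption rather than a claim about postscreen's exact choice.

```python
import re

# Constructed inputs, mirroring the page's main.cf and dnsbl_reply examples but
# using the "secret" Spamhaus name so the reply-map censoring is exercised.
DNSBL_SITES = "secret.zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1"
DNSBL_THRESHOLD = 2
DNSBL_REPLY_TEXT = """\
# Secret DNSBL name        Name in postscreen(8) replies
secret.zen.spamhaus.org    zen.spamhaus.org
"""


def parse_texthash(text):
    """Read a texthash: table: blank and comment lines skipped, key then value."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key] = value.strip()
    return table


def parse_dnsbl_sites(value):
    """Parse postscreen_dnsbl_sites into {domain: weight}. Entries have the
    form domain[=filter][*weight]; weight defaults to 1 and may be negative
    (a whitelist site). The =filter part is dropped in this listed/not-listed
    model."""
    sites = {}
    for entry in value.split():
        m = re.fullmatch(r"([^=*\s]+)(?:=[^*\s]+)?(?:\*(-?\d+))?", entry)
        if not m:
            raise ValueError("bad postscreen_dnsbl_sites entry: %r" % entry)
        domain, weight = m.groups()
        sites[domain] = int(weight) if weight is not None else 1
    return sites


def postscreen_dnsbl_verdict(sites, threshold, listed_in, reply_map):
    """Sum the weights of every configured site that lists the client and
    block when the score reaches the inclusive threshold. Returns
    (blocked, score, name_for_reply); the name comes from the highest-weight
    listing site (assumption) mapped through the dnsbl_reply table, so the
    secret query domain never appears in the 550 reply sent to the client."""
    hits = {d: w for d, w in sites.items() if d in listed_in}
    score = sum(hits.values())
    if not hits or score < threshold:
        return False, score, None
    worst = max(hits, key=hits.get)  # ties resolve to the first configured site
    return True, score, reply_map.get(worst, worst)
```

With threshold 2 and zen weighted *2, a single Spamhaus listing is enough to block, while spamcop or barracuda alone is not.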
Read the new configuration with "postfix reload".
Notes:
Some postscreen(8) configuration parameters implement stress-dependent behavior. This is supported only when the default value is stress-dependent (that is, "postconf -d parametername" output shows "parametername = ${stress?something}${stress:something}"). Other parameters always evaluate as if the stress value is the empty string.
See "Tests before the 220 SMTP server greeting" for details about the logging from these postscreen(8) tests.
If you run Postfix 2.6 or earlier you must stop and start the master daemon ("postfix stop; postfix start"). This is needed because the Postfix "pass" master service type did not work reliably on all systems.