1 <!doctype html public
"-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
8 <title>Postfix SMTP Access Policy Delegation
</title>
10 <meta http-equiv=
"Content-Type" content=
"text/html; charset=us-ascii">
16 <h1><img src=
"postfix-logo.jpg" width=
"203" height=
"98" ALT=
"">Postfix SMTP Access Policy Delegation
</h1>
20 <h2>Purpose of Postfix SMTP access policy delegation
</h2>
22 <p> The Postfix SMTP server has a number of built-in mechanisms to
23 block or accept mail at specific SMTP protocol stages. As of version
24 2.1, Postfix can delegate policy decisions to an external server
25 that runs outside Postfix.
</p>
27 <p> With this policy delegation mechanism, a simple
<a href=
"#greylist">
28 greylist
</a> policy can be implemented with only a dozen lines of
29 Perl, as is shown at the end of this document. A complete example
30 can be found in the Postfix source code, in the directory
31 examples/smtpd-policy.
</p>
33 <p> Another example of policy delegation is the SPF policy server
34 at http://www.openspf.org/Software.
</p>
36 <p> Policy delegation is now the preferred method for adding policies
37 to Postfix. It's much easier to develop a new feature in few lines
38 of Perl, Python, Ruby, or TCL, than trying to do the same in C code.
40 performance will be unnoticeable except in the most demanding
41 environments. On active systems a policy daemon process is used
42 multiple times, for up to $max_use incoming SMTP connections.
</p>
44 <p> This document covers the following topics:
</p>
48 <li><a href=
"#protocol">Policy protocol description
</a>
50 <li><a href=
"#client_config">Policy client/server configuration
</a>
52 <li><a href=
"#greylist">Example: greylist policy server
</a>
54 <li><a href=
"#frequent">Greylisting mail from frequently forged domains
</a>
56 <li><a href=
"#all_mail">Greylisting all your mail
</a>
58 <li><a href=
"#maintenance">Routine greylist maintenance
</a>
60 <li><a href=
"#greylist_code">Example Perl greylist server
</a>
64 <h2><a name=
"protocol">Protocol description
</a></h2>
66 <p> The Postfix policy delegation protocol is really simple. The
67 client request is a sequence of name=value attributes separated by
68 newline, and is terminated by an empty line. The server reply is
69 one name=value attribute and it, too, is terminated by an empty
72 <p> Here is an example of all the attributes that the Postfix SMTP
73 server sends in a delegated SMTPD access policy request:
</p>
77 <b>Postfix version
2.1 and later:
</b>
78 request=smtpd_access_policy
81 helo_name=some.domain.tld
86 client_address=
1.2.3.4
87 client_name=another.domain.tld
88 reverse_client_name=another.domain.tld
90 <b>Postfix version
2.2 and later:
</b>
95 ccert_subject=solaris9.porcupine.org
96 ccert_issuer=Wietse+
20Venema
97 ccert_fingerprint=C2:
9D:F4:
87:
71:
73:
73:D9:
18:E7:C2:F3:C1:DA:
6E:
04
98 <b>Postfix version
2.3 and later:
</b>
99 encryption_protocol=TLSv1/SSLv3
100 encryption_cipher=DHE-RSA-AES256-SHA
101 encryption_keysize=
256
103 <b>Postfix version
2.5 and later:
</b>
113 <li> <p> The
"request" attribute is required. In this example
114 the request type is
"smtpd_access_policy".
</p>
116 <li> <p> The order of the attributes does not matter. The policy
117 server should ignore any attributes that it does not care about.
120 <li> <p> When the same attribute name is sent more than once,
121 the server may keep the first value or the last attribute value.
124 <li> <p> When an attribute value is unavailable, the client
125 either does not send the attribute, sends the attribute with
126 an empty value (
"name="), or sends a zero value (
"name=0") in
127 the case of a numerical attribute.
</p>
129 <li> <p> The
"recipient" attribute is available in the
"RCPT
130 TO" stage. It is also available in the
"DATA" and
"END-OF-MESSAGE"
131 stages if Postfix accepted only one recipient for the current
134 <li> <p> The
"recipient_count" attribute (Postfix
2.3 and later)
135 is non-zero only in the
"DATA" and
"END-OF-MESSAGE" stages. It
136 specifies the number of recipients that Postfix accepted for
137 the current message.
</p>
139 <li> <p> The client address is an IPv4 dotted quad in the form
140 1.2.3.4 or it is an IPv6 address in the form
1:
2:
3::
4:
5:
6.
143 <li> <p> For a discussion of the differences between reverse
144 and verified client_name information, see the
145 reject_unknown_client_hostname discussion in the postconf(
5)
148 <li> <p> An attribute name must not contain
"=", null or newline,
149 and an attribute value must not contain null or newline.
</p>
151 <li> <p> The
"instance" attribute value can be used to correlate
152 different requests regarding the same message delivery. These
153 requests are sent over the same policy connection (unless the
154 policy daemon terminates the connection). Once Postfix sends
155 a query with a different instance attribute over that same
156 policy connection, the previous message delivery is either
157 completed or aborted.
</p>
159 <li> <p> The
"size" attribute value specifies the message size
160 that the client specified in the MAIL FROM command (zero if
161 none was specified). With Postfix
2.2 and later, it specifies
162 the actual message size when the client sends the END-OF-DATA
166 <li> <p> The
"sasl_*" attributes (Postfix
2.2 and later) specify
167 information about how the client was authenticated via SASL.
168 These attributes are empty in case of no SASL authentication.
171 <li> <p> The
"ccert_*" attributes (Postfix
2.2 and later) specify
172 information about how the client was authenticated via TLS.
173 These attributes are empty in case of no certificate authentication.
174 As of Postfix
2.2.11 these attribute values are encoded as
175 xtext: some characters are represented by +XX, where XX is the
176 two-digit hexadecimal representation of the character value. With
177 Postfix
2.6 and later, the decoded string is an UTF-
8 string
178 without non-printable ASCII characters.
</p>
180 <li> <p> The
"encryption_*" attributes (Postfix
2.3 and later)
181 specify information about how the connection is encrypted. With
182 plaintext connections the protocol and cipher attributes are
183 empty and the keysize is zero.
</p>
185 <li> <p> The
"etrn_domain" attribute is defined only in the
186 context of the ETRN command, and specifies the ETRN command
189 <li> <p> The
"stress" attribute is either empty or
"yes". See
190 the STRESS_README document for further information.
</p>
194 <p> The following is specific to SMTPD delegated policy requests:
199 <li> <p> Protocol names are ESMTP or SMTP.
</p>
201 <li> <p> Protocol states are CONNECT, EHLO, HELO, MAIL, RCPT,
202 DATA, END-OF-MESSAGE, VRFY or ETRN; these are the SMTP protocol
204 the Postfix SMTP server makes an OK/REJECT/HOLD/etc. decision.
209 <p> The policy server replies with any action that is allowed in a
210 Postfix SMTPD access(
5) table. Example:
</p>
214 action=defer_if_permit Service temporarily unavailable
219 <p> This causes the Postfix SMTP server to reject the request with
220 a
450 temporary error code and with text
"Service temporarily
221 unavailable", if the Postfix SMTP server finds no reason to reject
222 the request permanently.
</p>
224 <p> In case of trouble the policy server must not send a reply.
225 Instead the server must log a warning and disconnect. Postfix will
226 retry the request at some later time.
</p>
228 <h2><a name=
"client_config">Policy client/server configuration
</a></h2>
230 <p> The Postfix delegated policy client can connect to a TCP socket
231 or to a UNIX-domain socket. Examples:
</p>
236 unix:/some/where/policy
241 <p> The first example specifies that the policy server listens on
242 a TCP socket at
127.0.0.1 port
9998. The second example specifies
243 an absolute pathname of a UNIX-domain socket. The third example
244 specifies a pathname relative to the Postfix queue directory; use
245 this for policy servers that are spawned by the Postfix master
248 <p> To create a policy service that listens on a UNIX-domain socket
249 called
"policy", and that runs under control of the Postfix spawn(
8)
250 daemon, you would use something like this:
</p>
254 1 /etc/postfix/master.cf:
255 2 policy unix - n n -
0 spawn
256 3 user=nobody argv=/some/where/policy-server
258 5 /etc/postfix/main.cf:
259 6 smtpd_recipient_restrictions =
261 8 reject_unauth_destination
262 9 check_policy_service unix:private/policy
264 11 policy_time_limit =
3600
272 <li> <p> Lines
2,
11: the Postfix spawn(
8) daemon by default kills
273 its child process after
1000 seconds. This is too short for a
274 policy daemon that may need to run for as long as the SMTP server
275 process that talks to it. The default time limit is overruled in
276 main.cf with an explicit
"policy_time_limit" setting. The name of
277 the parameter is the name of the master.cf entry (
"policy")
278 concatenated with the
"_time_limit" suffix. See spawn(
8) for
279 more information about the time limit parameter.
</p>
281 <li> <p> Line
2: specify a
"0" process limit instead of the default
282 "-", to avoid
"connection refused" and other problems when the smtpd
283 process limit exceeds the default_process_limit setting.
</p>
285 <li> <p> Lines
8,
9: always specify
"check_policy_service" AFTER
286 "reject_unauth_destination" or else your system could become an
289 <li> <p> Solaris UNIX-domain sockets do not work reliably. Use
290 TCP sockets instead:
</p>
296 1 /etc/postfix/master.cf:
297 2 127.0.0.1:
9998 inet n n n -
0 spawn
298 3 user=nobody argv=/some/where/policy-server
300 5 /etc/postfix/main.cf:
301 6 smtpd_recipient_restrictions =
303 8 reject_unauth_destination
304 9 check_policy_service inet:
127.0.0.1:
9998
306 11 127.0.0.1:
9998_time_limit =
3600
310 <p> Other configuration parameters that control the client side of
311 the policy delegation protocol:
</p>
315 <li> <p> smtpd_policy_service_max_idle (default:
300s): The amount
316 of time before the Postfix SMTP server closes an unused policy
317 client connection.
</p>
319 <li> <p> smtpd_policy_service_max_ttl (default:
1000s): The amount
320 of time before the Postfix SMTP server closes an active policy
321 client connection.
</p>
323 <li> <p> smtpd_policy_service_timeout (default:
100s): The time
324 limit to connect to, send to or receive from a policy server.
</p>
328 <h2><a name=
"greylist">Example: greylist policy server
</a></h2>
330 <p> Greylisting is a defense against junk email that is described at
331 http://www.greylisting.org/. The idea was discussed on the
332 postfix-users mailing list
<a
333 href=
"http://archives.neohapsis.com/archives/postfix/2002-03/0846.html">
334 one year before it was popularized
</a>.
</p>
336 <p> The file examples/smtpd-policy/greylist.pl in the Postfix source
337 tree implements a simplified greylist policy server. This server
338 stores a time stamp for every (client, sender, recipient) triple.
339 By default, mail is not accepted until a time stamp is more than
340 60 seconds old. This stops junk mail with randomly selected sender
341 addresses, and mail that is sent through randomly selected open
342 proxies. It also stops junk mail from spammers that change their
343 IP address frequently.
</p>
345 <p> Copy examples/smtpd-policy/greylist.pl to /usr/libexec/postfix
346 or whatever location is appropriate for your system.
</p>
348 <p> In the greylist.pl Perl script you need to specify the
349 location of the greylist database file, and how long mail will
350 be delayed before it is accepted. The default settings are:
355 $
database_name=
"/var/mta/greylist.db";
360 <p> The /var/mta directory (or whatever you choose) should be
361 writable by
"nobody", or by whatever username you configure below
362 in master.cf for the policy service.
</p>
369 # chown nobody /var/mta
373 <p> Note: DO NOT create the greylist database in a world-writable
374 directory such as /tmp or /var/tmp, and DO NOT create the greylist
375 database in a file system that may run out of space. Postfix can
376 survive
"out of space" conditions with the mail queue and with the
377 mailbox store, but it cannot survive a corrupted greylist database.
378 If the file becomes corrupted you may not be able to receive mail
379 at all until you delete the file by hand.
</p>
381 <p> The greylist.pl Perl script can be run under control by
382 the Postfix master daemon. For example, to run the script as user
383 "nobody", using a UNIX-domain socket that is accessible by Postfix
388 1 /etc/postfix/master.cf:
389 2 policy unix - n n -
0 spawn
390 3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
392 5 /etc/postfix/main.cf:
393 6 policy_time_limit =
3600
401 <li> <p> Line
3: Specify
"greylist.pl -v" for verbose logging of
402 each request and reply.
</p>
404 <li> <p> Lines
2,
6: the Postfix spawn(
8) daemon by default kills
405 its child process after
1000 seconds. This is too short for a
406 policy daemon that may run for as long as an SMTP client is connected
407 to an SMTP server process. The default time limit is overruled in
408 main.cf with an explicit
"policy_time_limit" setting. The name of
409 the parameter is the name of the master.cf entry (
"policy")
410 concatenated with the
"_time_limit" suffix.
</p>
412 <li> <p> Line
2: specify a
"0" process limit instead of the default
413 "-", to avoid
"connection refused" and other problems when the smtpd
414 process limit exceeds the default_process_limit setting.
</p>
418 <p> On Solaris you must use inet: style sockets instead of unix:
419 style, as detailed in the
"<a href="#client_config
">Policy
420 client/server configuration</a>" section above.
</p>
424 1 /etc/postfix/master.cf:
425 2 127.0.0.1:
9998 inet n n n -
0 spawn
426 3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
428 5 /etc/postfix/main.cf:
429 6 127.0.0.1:
9998_time_limit =
3600
433 <p> To invoke this service you would specify
"check_policy_service
434 inet:127.0.0.1:9998".
</p>
436 <h2><a name=
"frequent">Greylisting mail from frequently forged domains
</a></h2>
438 <p> It is relatively safe to turn on greylisting for specific
439 domains that often appear in forged email. At some point
440 in cyberspace/time a list of frequently
441 forged MAIL FROM domains could be found at
442 http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in.
446 1 /etc/postfix/main.cf:
447 2 smtpd_recipient_restrictions =
448 3 reject_unlisted_recipient
450 5 reject_unauth_destination
451 6 check_sender_access hash:/etc/postfix/sender_access
453 8 smtpd_restriction_classes = greylist
454 9 greylist = check_policy_service unix:private/policy
456 11 /etc/postfix/sender_access:
458 13 hotmail.com greylist
459 14 bigfoot.com greylist
460 15 ...
<i>etcetera
</i> ...
468 <li> <p> Line
9: On Solaris you must use inet: style sockets
469 instead of unix: style, as detailed in the
"<a href="#greylist
">Example:
470 greylist policy server</a>" section above.
</p>
472 <li> <p> Line
6: Be sure to specify
"check_sender_access" AFTER
473 "reject_unauth_destination" or else your system could become an
474 open mail relay.
</p>
476 <li> <p> Line
3: With Postfix
2.0 snapshot releases,
477 "reject_unlisted_recipient" is called
"check_recipient_maps".
478 Postfix
2.1 understands both forms.
</p>
480 <li> <p> Line
3: The greylist database gets polluted quickly with
481 bogus addresses. It helps if you protect greylist lookups with
482 other restrictions that reject unknown senders and/or recipients.
487 <h2><a name=
"all_mail">Greylisting all your mail
</a></h2>
489 <p> If you turn on greylisting for all mail you will almost certainly
490 want to make exceptions for mailing lists that use one-time sender
491 addresses, because such mailing lists can pollute your greylist
492 database relatively quickly.
</p>
496 1 /etc/postfix/main.cf:
497 2 smtpd_recipient_restrictions =
498 3 reject_unlisted_recipient
500 5 reject_unauth_destination
501 6 check_sender_access hash:/etc/postfix/sender_access
502 7 check_policy_service unix:private/policy
505 10 /etc/postfix/sender_access:
506 11 securityfocus.com OK
515 <li> <p> Line
7: On Solaris you must use inet: style sockets
516 instead of unix: style, as detailed in the
"<a href="#greylist
">Example:
517 greylist policy server</a>" section above.
</p>
519 <li> <p> Lines
6-
7: Be sure to specify check_sender_access and
520 check_policy_service AFTER reject_unauth_destination or else your
521 system could become an open mail relay.
</p>
523 <li> <p> Line
3: The greylist database gets polluted quickly with
524 bogus addresses. It helps if you precede greylist lookups with
525 restrictions that reject unknown senders and/or recipients.
</p>
529 <h2><a name=
"maintenance">Routine greylist maintenance
</a></h2>
531 <p> The greylist database grows over time, because the greylist server
532 never removes database entries. If left unattended, the greylist
533 database will eventually run your file system out of space.
</p>
535 <p> When the status file size exceeds some threshold you can simply
536 rename or remove the file without adverse effects; Postfix
537 automatically creates a new file. In the worst case, new mail will
538 be delayed by an hour or so. To lessen the impact, rename or remove
539 the file in the middle of the night at the beginning of a weekend.
542 <h2><a name=
"greylist_code">Example Perl greylist server
</a></h2>
544 <p> This is the Perl subroutine that implements the example greylist
545 policy. It is part of a general purpose sample policy server that
546 is distributed with the Postfix source as
547 examples/smtpd-policy/greylist.pl.
</p>
551 # greylist status database and greylist time interval. DO NOT create the
552 # greylist status database in a world-writable directory such as /tmp
553 # or /var/tmp. DO NOT create the greylist database in a file system
554 # that can run out of space.
556 $
database_name=
"/var/mta/greylist.db";
560 # Auto-whitelist threshold. Specify
0 to disable, or the number of
561 # successful
"come backs" after which a client is no longer subject
564 $auto_whitelist_threshold =
10;
567 # Demo SMTPD access policy routine. The result is an action just like
568 # it would be specified on the right-hand side of a Postfix access
569 # table. Request attributes are available via the %attr hash.
571 sub smtpd_access_policy {
572 my($key, $time_stamp, $now);
574 # Open the database on the fly.
575 open_database() unless $database_obj;
577 # Search the auto-whitelist.
578 if ($auto_whitelist_threshold
> 0) {
579 $count = read_database($attr{
"client_address"});
580 if ($count
> $auto_whitelist_threshold) {
585 # Lookup the time stamp for this client/sender/recipient.
587 lc $attr{
"client_address"}.
"/".$attr{
"sender"}.
"/".$attr{
"recipient"};
588 $time_stamp = read_database($key);
591 # If new request, add this client/sender/recipient to the database.
592 if ($time_stamp ==
0) {
594 update_database($key, $time_stamp);
597 # The result can be any action that is allowed in a Postfix access(
5) map.
599 # To label the mail, return ``PREPEND headername: headertext''
601 # In case of success, return ``DUNNO'' instead of ``OK'', so that the
602 # check_policy_service restriction can be followed by other restrictions.
604 # In case of failure, return ``DEFER_IF_PERMIT optional text...'',
605 # so that mail can still be blocked by other access restrictions.
607 syslog $syslog_priority,
"request age %d", $now - $time_stamp if $verbose;
608 if ($now - $time_stamp
> $greylist_delay) {
609 # Update the auto-whitelist.
610 if ($auto_whitelist_threshold
> 0) {
611 update_database($attr{
"client_address"}, $count +
1);
615 return
"defer_if_permit Service temporarily unavailable";