Expand PMF_FN_* macros.
[netbsd-mini2440.git] / external / ibm-public / postfix / dist / proto / SMTPD_POLICY_README.html
blobe27d06541d3f2450cb993669a55e4e4d3d4792db
1 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
4 <html>
6 <head>
8 <title>Postfix SMTP Access Policy Delegation </title>
10 <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
12 </head>
14 <body>
16 <h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix SMTP Access Policy Delegation </h1>
18 <hr>
20 <h2>Purpose of Postfix SMTP access policy delegation</h2>
22 <p> The Postfix SMTP server has a number of built-in mechanisms to
23 block or accept mail at specific SMTP protocol stages. As of version
24 2.1, Postfix can delegate policy decisions to an external server
25 that runs outside Postfix. </p>
27 <p> With this policy delegation mechanism, a simple <a href="#greylist">
28 greylist </a> policy can be implemented with only a dozen lines of
29 Perl, as is shown at the end of this document. A complete example
30 can be found in the Postfix source code, in the directory
31 examples/smtpd-policy. </p>
33 <p> Another example of policy delegation is the SPF policy server
34 at http://www.openspf.org/Software. </p>
36 <p> Policy delegation is now the preferred method for adding policies
37 to Postfix. It's much easier to develop a new feature in few lines
38 of Perl, Python, Ruby, or TCL, than trying to do the same in C code.
39 The difference in
40 performance will be unnoticeable except in the most demanding
41 environments. On active systems a policy daemon process is used
42 multiple times, for up to $max_use incoming SMTP connections. </p>
44 <p> This document covers the following topics: </p>
46 <ul>
48 <li><a href="#protocol">Policy protocol description</a>
50 <li><a href="#client_config">Policy client/server configuration</a>
52 <li><a href="#greylist">Example: greylist policy server</a>
54 <li><a href="#frequent">Greylisting mail from frequently forged domains</a>
56 <li><a href="#all_mail">Greylisting all your mail</a>
58 <li><a href="#maintenance">Routine greylist maintenance</a>
60 <li><a href="#greylist_code">Example Perl greylist server</a>
62 </ul>
64 <h2><a name="protocol">Protocol description</a></h2>
66 <p> The Postfix policy delegation protocol is really simple. The
67 client request is a sequence of name=value attributes separated by
68 newline, and is terminated by an empty line. The server reply is
69 one name=value attribute and it, too, is terminated by an empty
70 line. </p>
72 <p> Here is an example of all the attributes that the Postfix SMTP
73 server sends in a delegated SMTPD access policy request: </p>
75 <blockquote>
76 <pre>
77 <b>Postfix version 2.1 and later:</b>
78 request=smtpd_access_policy
79 protocol_state=RCPT
80 protocol_name=SMTP
81 helo_name=some.domain.tld
82 queue_id=8045F2AB23
83 sender=foo@bar.tld
84 recipient=bar@foo.tld
85 recipient_count=0
86 client_address=1.2.3.4
87 client_name=another.domain.tld
88 reverse_client_name=another.domain.tld
89 instance=123.456.7
90 <b>Postfix version 2.2 and later:</b>
91 sasl_method=plain
92 sasl_username=you
93 sasl_sender=
94 size=12345
95 ccert_subject=solaris9.porcupine.org
96 ccert_issuer=Wietse+20Venema
97 ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
98 <b>Postfix version 2.3 and later:</b>
99 encryption_protocol=TLSv1/SSLv3
100 encryption_cipher=DHE-RSA-AES256-SHA
101 encryption_keysize=256
102 etrn_domain=
103 <b>Postfix version 2.5 and later:</b>
104 stress=
105 [empty line]
106 </pre>
107 </blockquote>
109 <p> Notes: </p>
111 <ul>
113 <li> <p> The "request" attribute is required. In this example
114 the request type is "smtpd_access_policy". </p>
116 <li> <p> The order of the attributes does not matter. The policy
117 server should ignore any attributes that it does not care about.
118 </p>
120 <li> <p> When the same attribute name is sent more than once,
121 the server may keep the first value or the last attribute value.
122 </p>
124 <li> <p> When an attribute value is unavailable, the client
125 either does not send the attribute, sends the attribute with
126 an empty value ("name="), or sends a zero value ("name=0") in
127 the case of a numerical attribute. </p>
129 <li> <p> The "recipient" attribute is available in the "RCPT
130 TO" stage. It is also available in the "DATA" and "END-OF-MESSAGE"
131 stages if Postfix accepted only one recipient for the current
132 message. </p>
134 <li> <p> The "recipient_count" attribute (Postfix 2.3 and later)
135 is non-zero only in the "DATA" and "END-OF-MESSAGE" stages. It
136 specifies the number of recipients that Postfix accepted for
137 the current message. </p>
139 <li> <p> The client address is an IPv4 dotted quad in the form
140 1.2.3.4 or it is an IPv6 address in the form 1:2:3::4:5:6.
141 </p>
143 <li> <p> For a discussion of the differences between reverse
144 and verified client_name information, see the
145 reject_unknown_client_hostname discussion in the postconf(5)
146 document. </p>
148 <li> <p> An attribute name must not contain "=", null or newline,
149 and an attribute value must not contain null or newline. </p>
151 <li> <p> The "instance" attribute value can be used to correlate
152 different requests regarding the same message delivery. These
153 requests are sent over the same policy connection (unless the
154 policy daemon terminates the connection). Once Postfix sends
155 a query with a different instance attribute over that same
156 policy connection, the previous message delivery is either
157 completed or aborted. </p>
159 <li> <p> The "size" attribute value specifies the message size
160 that the client specified in the MAIL FROM command (zero if
161 none was specified). With Postfix 2.2 and later, it specifies
162 the actual message size when the client sends the END-OF-DATA
163 command.
164 </p>
166 <li> <p> The "sasl_*" attributes (Postfix 2.2 and later) specify
167 information about how the client was authenticated via SASL.
168 These attributes are empty in case of no SASL authentication.
169 </p>
171 <li> <p> The "ccert_*" attributes (Postfix 2.2 and later) specify
172 information about how the client was authenticated via TLS.
173 These attributes are empty in case of no certificate authentication.
174 As of Postfix 2.2.11 these attribute values are encoded as
175 xtext: some characters are represented by +XX, where XX is the
176 two-digit hexadecimal representation of the character value. With
177 Postfix 2.6 and later, the decoded string is an UTF-8 string
178 without non-printable ASCII characters. </p>
180 <li> <p> The "encryption_*" attributes (Postfix 2.3 and later)
181 specify information about how the connection is encrypted. With
182 plaintext connections the protocol and cipher attributes are
183 empty and the keysize is zero. </p>
185 <li> <p> The "etrn_domain" attribute is defined only in the
186 context of the ETRN command, and specifies the ETRN command
187 parameter. </p>
189 <li> <p> The "stress" attribute is either empty or "yes". See
190 the STRESS_README document for further information. </p>
192 </ul>
194 <p> The following is specific to SMTPD delegated policy requests:
195 </p>
197 <ul>
199 <li> <p> Protocol names are ESMTP or SMTP. </p>
201 <li> <p> Protocol states are CONNECT, EHLO, HELO, MAIL, RCPT,
202 DATA, END-OF-MESSAGE, VRFY or ETRN; these are the SMTP protocol
203 states where
204 the Postfix SMTP server makes an OK/REJECT/HOLD/etc. decision.
205 </p>
207 </ul>
209 <p> The policy server replies with any action that is allowed in a
210 Postfix SMTPD access(5) table. Example: </p>
212 <blockquote>
213 <pre>
214 action=defer_if_permit Service temporarily unavailable
215 [empty line]
216 </pre>
217 </blockquote>
219 <p> This causes the Postfix SMTP server to reject the request with
220 a 450 temporary error code and with text "Service temporarily
221 unavailable", if the Postfix SMTP server finds no reason to reject
222 the request permanently. </p>
224 <p> In case of trouble the policy server must not send a reply.
225 Instead the server must log a warning and disconnect. Postfix will
226 retry the request at some later time. </p>
228 <h2><a name="client_config">Policy client/server configuration</a></h2>
230 <p> The Postfix delegated policy client can connect to a TCP socket
231 or to a UNIX-domain socket. Examples: </p>
233 <blockquote>
234 <pre>
235 inet:127.0.0.1:9998
236 unix:/some/where/policy
237 unix:private/policy
238 </pre>
239 </blockquote>
241 <p> The first example specifies that the policy server listens on
242 a TCP socket at 127.0.0.1 port 9998. The second example specifies
243 an absolute pathname of a UNIX-domain socket. The third example
244 specifies a pathname relative to the Postfix queue directory; use
245 this for policy servers that are spawned by the Postfix master
246 daemon. </p>
248 <p> To create a policy service that listens on a UNIX-domain socket
249 called "policy", and that runs under control of the Postfix spawn(8)
250 daemon, you would use something like this: </p>
252 <blockquote>
253 <pre>
254 1 /etc/postfix/master.cf:
255 2 policy unix - n n - 0 spawn
256 3 user=nobody argv=/some/where/policy-server
258 5 /etc/postfix/main.cf:
259 6 smtpd_recipient_restrictions =
260 7 ...
261 8 reject_unauth_destination
262 9 check_policy_service unix:private/policy
263 10 ...
264 11 policy_time_limit = 3600
265 </pre>
266 </blockquote>
268 <p> NOTES: </p>
270 <ul>
272 <li> <p> Lines 2, 11: the Postfix spawn(8) daemon by default kills
273 its child process after 1000 seconds. This is too short for a
274 policy daemon that may need to run for as long as the SMTP server
275 process that talks to it. The default time limit is overruled in
276 main.cf with an explicit "policy_time_limit" setting. The name of
277 the parameter is the name of the master.cf entry ("policy")
278 concatenated with the "_time_limit" suffix. See spawn(8) for
279 more information about the time limit parameter. </p>
281 <li> <p> Line 2: specify a "0" process limit instead of the default
282 "-", to avoid "connection refused" and other problems when the smtpd
283 process limit exceeds the default_process_limit setting. </p>
285 <li> <p> Lines 8, 9: always specify "check_policy_service" AFTER
286 "reject_unauth_destination" or else your system could become an
287 open relay. </p>
289 <li> <p> Solaris UNIX-domain sockets do not work reliably. Use
290 TCP sockets instead: </p>
292 </ul>
294 <blockquote>
295 <pre>
296 1 /etc/postfix/master.cf:
297 2 127.0.0.1:9998 inet n n n - 0 spawn
298 3 user=nobody argv=/some/where/policy-server
300 5 /etc/postfix/main.cf:
301 6 smtpd_recipient_restrictions =
302 7 ...
303 8 reject_unauth_destination
304 9 check_policy_service inet:127.0.0.1:9998
305 10 ...
306 11 127.0.0.1:9998_time_limit = 3600
307 </pre>
308 </blockquote>
310 <p> Other configuration parameters that control the client side of
311 the policy delegation protocol: </p>
313 <ul>
315 <li> <p> smtpd_policy_service_max_idle (default: 300s): The amount
316 of time before the Postfix SMTP server closes an unused policy
317 client connection. </p>
319 <li> <p> smtpd_policy_service_max_ttl (default: 1000s): The amount
320 of time before the Postfix SMTP server closes an active policy
321 client connection. </p>
323 <li> <p> smtpd_policy_service_timeout (default: 100s): The time
324 limit to connect to, send to or receive from a policy server. </p>
326 </ul>
328 <h2><a name="greylist">Example: greylist policy server</a></h2>
330 <p> Greylisting is a defense against junk email that is described at
331 http://www.greylisting.org/. The idea was discussed on the
332 postfix-users mailing list <a
333 href="http://archives.neohapsis.com/archives/postfix/2002-03/0846.html">
334 one year before it was popularized</a>. </p>
336 <p> The file examples/smtpd-policy/greylist.pl in the Postfix source
337 tree implements a simplified greylist policy server. This server
338 stores a time stamp for every (client, sender, recipient) triple.
339 By default, mail is not accepted until a time stamp is more than
340 60 seconds old. This stops junk mail with randomly selected sender
341 addresses, and mail that is sent through randomly selected open
342 proxies. It also stops junk mail from spammers that change their
343 IP address frequently. </p>
345 <p> Copy examples/smtpd-policy/greylist.pl to /usr/libexec/postfix
346 or whatever location is appropriate for your system. </p>
348 <p> In the greylist.pl Perl script you need to specify the
349 location of the greylist database file, and how long mail will
350 be delayed before it is accepted. The default settings are:
351 </p>
353 <blockquote>
354 <pre>
355 $database_name="/var/mta/greylist.db";
356 $greylist_delay=60;
357 </pre>
358 </blockquote>
360 <p> The /var/mta directory (or whatever you choose) should be
361 writable by "nobody", or by whatever username you configure below
362 in master.cf for the policy service. </p>
364 <p> Example: </p>
366 <blockquote>
367 <pre>
368 # mkdir /var/mta
369 # chown nobody /var/mta
370 </pre>
371 </blockquote>
373 <p> Note: DO NOT create the greylist database in a world-writable
374 directory such as /tmp or /var/tmp, and DO NOT create the greylist
375 database in a file system that may run out of space. Postfix can
376 survive "out of space" conditions with the mail queue and with the
377 mailbox store, but it cannot survive a corrupted greylist database.
378 If the file becomes corrupted you may not be able to receive mail
379 at all until you delete the file by hand. </p>
381 <p> The greylist.pl Perl script can be run under control by
382 the Postfix master daemon. For example, to run the script as user
383 "nobody", using a UNIX-domain socket that is accessible by Postfix
384 processes only: </p>
386 <blockquote>
387 <pre>
388 1 /etc/postfix/master.cf:
389 2 policy unix - n n - 0 spawn
390 3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
392 5 /etc/postfix/main.cf:
393 6 policy_time_limit = 3600
394 </pre>
395 </blockquote>
397 <p> Notes: </p>
399 <ul>
401 <li> <p> Line 3: Specify "greylist.pl -v" for verbose logging of
402 each request and reply. </p>
404 <li> <p> Lines 2, 6: the Postfix spawn(8) daemon by default kills
405 its child process after 1000 seconds. This is too short for a
406 policy daemon that may run for as long as an SMTP client is connected
407 to an SMTP server process. The default time limit is overruled in
408 main.cf with an explicit "policy_time_limit" setting. The name of
409 the parameter is the name of the master.cf entry ("policy")
410 concatenated with the "_time_limit" suffix. </p>
412 <li> <p> Line 2: specify a "0" process limit instead of the default
413 "-", to avoid "connection refused" and other problems when the smtpd
414 process limit exceeds the default_process_limit setting. </p>
416 </ul>
418 <p> On Solaris you must use inet: style sockets instead of unix:
419 style, as detailed in the "<a href="#client_config">Policy
420 client/server configuration</a>" section above. </p>
422 <blockquote>
423 <pre>
424 1 /etc/postfix/master.cf:
425 2 127.0.0.1:9998 inet n n n - 0 spawn
426 3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
428 5 /etc/postfix/main.cf:
429 6 127.0.0.1:9998_time_limit = 3600
430 </pre>
431 </blockquote>
433 <p> To invoke this service you would specify "check_policy_service
434 inet:127.0.0.1:9998". </p>
436 <h2><a name="frequent">Greylisting mail from frequently forged domains</a></h2>
438 <p> It is relatively safe to turn on greylisting for specific
439 domains that often appear in forged email. At some point
440 in cyberspace/time a list of frequently
441 forged MAIL FROM domains could be found at
442 http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in.
444 <blockquote>
445 <pre>
446 1 /etc/postfix/main.cf:
447 2 smtpd_recipient_restrictions =
448 3 reject_unlisted_recipient
449 4 ...
450 5 reject_unauth_destination
451 6 check_sender_access hash:/etc/postfix/sender_access
452 7 ...
453 8 smtpd_restriction_classes = greylist
454 9 greylist = check_policy_service unix:private/policy
456 11 /etc/postfix/sender_access:
457 12 aol.com greylist
458 13 hotmail.com greylist
459 14 bigfoot.com greylist
460 15 ... <i>etcetera</i> ...
461 </pre>
462 </blockquote>
464 <p> NOTES: </p>
466 <ul>
468 <li> <p> Line 9: On Solaris you must use inet: style sockets
469 instead of unix: style, as detailed in the "<a href="#greylist">Example:
470 greylist policy server</a>" section above. </p>
472 <li> <p> Line 6: Be sure to specify "check_sender_access" AFTER
473 "reject_unauth_destination" or else your system could become an
474 open mail relay. </p>
476 <li> <p> Line 3: With Postfix 2.0 snapshot releases,
477 "reject_unlisted_recipient" is called "check_recipient_maps".
478 Postfix 2.1 understands both forms. </p>
480 <li> <p> Line 3: The greylist database gets polluted quickly with
481 bogus addresses. It helps if you protect greylist lookups with
482 other restrictions that reject unknown senders and/or recipients.
483 </p>
485 </ul>
487 <h2><a name="all_mail">Greylisting all your mail</a></h2>
489 <p> If you turn on greylisting for all mail you will almost certainly
490 want to make exceptions for mailing lists that use one-time sender
491 addresses, because such mailing lists can pollute your greylist
492 database relatively quickly. </p>
494 <blockquote>
495 <pre>
496 1 /etc/postfix/main.cf:
497 2 smtpd_recipient_restrictions =
498 3 reject_unlisted_recipient
499 4 ...
500 5 reject_unauth_destination
501 6 check_sender_access hash:/etc/postfix/sender_access
502 7 check_policy_service unix:private/policy
503 8 ...
505 10 /etc/postfix/sender_access:
506 11 securityfocus.com OK
507 12 ...
508 </pre>
509 </blockquote>
511 <p> NOTES: </p>
513 <ul>
515 <li> <p> Line 7: On Solaris you must use inet: style sockets
516 instead of unix: style, as detailed in the "<a href="#greylist">Example:
517 greylist policy server</a>" section above. </p>
519 <li> <p> Lines 6-7: Be sure to specify check_sender_access and
520 check_policy_service AFTER reject_unauth_destination or else your
521 system could become an open mail relay. </p>
523 <li> <p> Line 3: The greylist database gets polluted quickly with
524 bogus addresses. It helps if you precede greylist lookups with
525 restrictions that reject unknown senders and/or recipients. </p>
527 </ul>
529 <h2><a name="maintenance">Routine greylist maintenance</a></h2>
531 <p> The greylist database grows over time, because the greylist server
532 never removes database entries. If left unattended, the greylist
533 database will eventually run your file system out of space. </p>
535 <p> When the status file size exceeds some threshold you can simply
536 rename or remove the file without adverse effects; Postfix
537 automatically creates a new file. In the worst case, new mail will
538 be delayed by an hour or so. To lessen the impact, rename or remove
539 the file in the middle of the night at the beginning of a weekend.
540 </p>
542 <h2><a name="greylist_code">Example Perl greylist server</a></h2>
544 <p> This is the Perl subroutine that implements the example greylist
545 policy. It is part of a general purpose sample policy server that
546 is distributed with the Postfix source as
547 examples/smtpd-policy/greylist.pl. </p>
549 <pre>
551 # greylist status database and greylist time interval. DO NOT create the
552 # greylist status database in a world-writable directory such as /tmp
553 # or /var/tmp. DO NOT create the greylist database in a file system
554 # that can run out of space.
556 $database_name="/var/mta/greylist.db";
557 $greylist_delay=60;
560 # Auto-whitelist threshold. Specify 0 to disable, or the number of
561 # successful "come backs" after which a client is no longer subject
562 # to greylisting.
564 $auto_whitelist_threshold = 10;
567 # Demo SMTPD access policy routine. The result is an action just like
568 # it would be specified on the right-hand side of a Postfix access
569 # table. Request attributes are available via the %attr hash.
571 sub smtpd_access_policy {
572 my($key, $time_stamp, $now);
574 # Open the database on the fly.
575 open_database() unless $database_obj;
577 # Search the auto-whitelist.
578 if ($auto_whitelist_threshold &gt; 0) {
579 $count = read_database($attr{"client_address"});
580 if ($count &gt; $auto_whitelist_threshold) {
581 return "dunno";
585 # Lookup the time stamp for this client/sender/recipient.
586 $key =
587 lc $attr{"client_address"}."/".$attr{"sender"}."/".$attr{"recipient"};
588 $time_stamp = read_database($key);
589 $now = time();
591 # If new request, add this client/sender/recipient to the database.
592 if ($time_stamp == 0) {
593 $time_stamp = $now;
594 update_database($key, $time_stamp);
597 # The result can be any action that is allowed in a Postfix access(5) map.
599 # To label the mail, return ``PREPEND headername: headertext''
601 # In case of success, return ``DUNNO'' instead of ``OK'', so that the
602 # check_policy_service restriction can be followed by other restrictions.
604 # In case of failure, return ``DEFER_IF_PERMIT optional text...'',
605 # so that mail can still be blocked by other access restrictions.
607 syslog $syslog_priority, "request age %d", $now - $time_stamp if $verbose;
608 if ($now - $time_stamp &gt; $greylist_delay) {
609 # Update the auto-whitelist.
610 if ($auto_whitelist_threshold &gt; 0) {
611 update_database($attr{"client_address"}, $count + 1);
613 return "dunno";
614 } else {
615 return "defer_if_permit Service temporarily unavailable";
618 </pre>
620 </body>
622 </html>