Postfix snapshot 20091008 includes an updated version of the
postscreen daemon. This means it is no longer limited to the
non-production releases.

To make postscreen safe to deploy, it has a permanent whitelist
(default: $mynetworks) that avoids running SMTP protocol tests on
broken network appliances. It also has a permanent blacklist for
networks that you never want to talk to.

In the default "observation" mode, postscreen logs bad client
information but does not drop connections, and can be used to
"pre-fetch" DNSBL information in parallel.

In the non-default "enforcement mode", postscreen drops "bad"
clients, and thus off-loads the SMTP daemons. To make it generally
usable I still have to add the dummy SMTP protocol engine that logs
the senders and recipients of rejected connections. Hopefully that
will be in place later in the Postfix 2.7 development cycle.

        Wietse

HISTORY file entries:

20090918

        Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
        turned off, there was no automatic flush-before-read on
        the smtpd-to-milter stream, because the read was done on
        the cleanup-to-milter stream. Problem reported by Stephen
        Warren.  File: milter/milter8.c.

20091005

        Bugfix: core dump while printing error message for malformed
        %<letter> sequence in LDAP, MySQL or PostgreSQL configuration.
        File: global/db_common.c. Fix by Victor Duchovni.

20091006

        Feature: "postscreen_whitelist_networks = $mynetworks" (the
        default) to avoid problems with buggy SMTP implementations
        in network appliances.  Note: this feature never uses the
        remote SMTP client hostname.  Files: global/addr_match_list.[hc],
        postscreen/postscreen.c.

        Feature: postscreen_blacklist_networks (default: empty) to
        permanently blacklist hosts or networks. Address syntax is
        as with mynetworks. Note: this feature never uses the remote
        SMTP client hostname.  File: postscreen/postscreen.c.

        Feature: postscreen_blacklist_action (default: continue)
        to control what happens with a permanently blacklisted
        client.

20091007

        Feature: hostname-based check_client_{mx,ns}_access,
        check_reverse_client_hostname_{mx,ns}_access (the client
        IP address is not used). Rob Foehl.  Files: smtpd/smtpd_check.c,
        global/mail_params.h, proto/postconf.proto, mantools/postlink.

20091008

        Documentation: restructured the postscreen(8) manpage as
        a sequence of tests. File: postscreen/postscreen.c.
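The permanent whitelist and blacklist described above (postscreen_whitelist_networks, postscreen_blacklist_networks, postscreen_blacklist_action) are keyed purely on the client IP address, never the hostname. The following is an added example, not Postfix code, that shows what such an IP-only decision looks like: it parses a mynetworks-style address list (comma or whitespace separated, IPv4 or IPv6, optional /prefix, IPv6 in square brackets) and classifies a client as whitelisted (skip the protocol tests), permanently blacklisted (with the configured action), or subject to the normal tests. The rule that the whitelist is consulted before the blacklist is an assumption of this example, and the "!" negation, hostnames and table lookups that mynetworks also accepts are deliberately not handled. The sample addresses are constructed.

```python
"""Added example (not Postfix code): an IP-only whitelist/blacklist decision
in the style of postscreen_whitelist_networks / postscreen_blacklist_networks.
Assumption: the whitelist is checked before the blacklist."""
import ipaddress


def parse_network_list(spec):
    """Parse a mynetworks-style list into ip_network objects.

    Handles "127.0.0.0/8, [::1]/128 192.0.2.7" style entries only;
    "!" negation, hostnames and type:table lookups are not supported here.
    """
    nets = []
    for tok in spec.replace(",", " ").split():
        # Postfix writes IPv6 in brackets: [::1]/128 -> ::1/128
        if tok.startswith("["):
            addr, _, prefix = tok.partition("]")
            tok = addr[1:] + prefix
        # strict=False so a host address with a shorter prefix is accepted
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def matches(client_ip, nets):
    """True if client_ip falls inside any network in nets (IP only, no DNS)."""
    ip = ipaddress.ip_address(client_ip)
    # "in" returns False for a version mismatch, so v4/v6 can be mixed freely
    return any(ip in n for n in nets)


def classify(client_ip, whitelist, blacklist, blacklist_action="continue"):
    """Return the decision for one connecting client.

    "whitelist"            - permanently whitelisted, skip the protocol tests
    "blacklist:<action>"   - permanently blacklisted; "continue" (the default
                             named in the announcement) means log and go on
    "test"                 - run the normal postscreen tests
    """
    if matches(client_ip, whitelist):
        return "whitelist"
    if matches(client_ip, blacklist):
        return "blacklist:%s" % blacklist_action
    return "test"


if __name__ == "__main__":
    # Constructed configuration values, not taken from a real site.
    wl = parse_network_list("127.0.0.0/8, [::1]/128, 192.0.2.0/24")
    bl = parse_network_list("198.51.100.0/24")
    for ip in ("127.0.0.1", "::1", "198.51.100.9", "203.0.113.5"):
        print("%-14s -> %s" % (ip, classify(ip, wl, bl)))
```

Because the decision never consults DNS, a client cannot influence it by changing its PTR record, which is exactly why the announcement stresses that these lists never use the remote SMTP client hostname.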
