Wietse Venema:
> Postfix snapshot 20091008 includes an updated version of the
> postscreen daemon. This means it is no longer limited to the
> non-production releases.

In case you haven't seen earlier posts on this topic, postscreen was released first in a number of Postfix non-production snapshots over the past summer. Below is a summary, taken from the release notes.

Wietse

postscreen(8) is a server that is turned off by default. When enabled it runs a number of time-consuming checks in parallel for all incoming SMTP connections, before clients are allowed to talk to a real Postfix SMTP server. It detects clients that start talking too soon, or clients that appear on DNS blocklists, or clients that hang up without sending any command.

By doing these checks in a single postscreen(8) process, Postfix can avoid wasting one SMTP server process per connection. A side benefit of postscreen(8)'s DNSBL lookups is that DNS records are already cached before the Postfix SMTP server looks them up later.

postscreen(8) maintains a temporary whitelist of positive decisions. Once an SMTP client is whitelisted, it is immediately forwarded to a real Postfix SMTP server process without further checking.

By default, the program logs only statistics, and it does not run any checks on clients in mynetworks (primarily, to avoid problems with buggy SMTP implementations in network appliances). The logging function alone is already useful for research.

postscreen(8) can be configured to drop clients that start talking too soon, or clients that appear on DNS blocklists. For details, see the release notes.
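
The checks summarized above can be modelled in a few lines. The following is an added example, not part of the original post and not Postfix code: it handles one connection at a time instead of running checks in parallel, the DNSBL lookup is a stub callable, and the verdict names, `greet_wait` and `ttl` values are assumptions made for the demo.

```python
import select
import socket
import time

class Screener:
    """Toy model of the checks described above (verdict names are this example's own)."""

    def __init__(self, dnsbl_lookup, greet_wait=0.2, ttl=3600.0, clock=time.monotonic):
        self.dnsbl_lookup = dnsbl_lookup  # callable(ip) -> bool; stub, no real DNS
        self.greet_wait = greet_wait      # assumed: seconds to wait before greeting
        self.ttl = ttl                    # assumed: lifetime of a positive decision
        self.clock = clock
        self.whitelist = {}               # ip -> expiry time

    def screen(self, conn, ip):
        # Whitelisted clients skip all checks until their entry expires.
        if self.whitelist.get(ip, 0.0) > self.clock():
            return "pass_cached"
        listed = self.dnsbl_lookup(ip)
        # A well-behaved client stays silent until the server has greeted it.
        readable, _, _ = select.select([conn], [], [], self.greet_wait)
        if readable:
            # Empty read = peer closed; anything else = spoke before the greeting.
            return "talked_too_soon" if conn.recv(512) else "hung_up"
        if listed:
            return "dnsbl_listed"
        self.whitelist[ip] = self.clock() + self.ttl
        return "pass_new"


def run_constructed_cases():
    """Drive the screener with constructed clients over local socket pairs."""
    s = Screener(dnsbl_lookup=lambda ip: ip == "192.0.2.66")
    out = []
    for ip, behave in [("192.0.2.10", "eager"), ("192.0.2.20", "close"),
                       ("192.0.2.66", "wait"), ("192.0.2.30", "wait"),
                       ("192.0.2.30", "eager")]:
        srv, cli = socket.socketpair()
        if behave == "eager":
            cli.sendall(b"EHLO client.example\r\n")
        elif behave == "close":
            cli.close()
        out.append((ip, behave, s.screen(srv, ip)))
        srv.close()
        cli.close()
    return out

if __name__ == "__main__":
    for row in run_constructed_cases():
        print(row)
```

The last constructed case shows the cost of the temporary whitelist in this model: a client that passed once is not re-checked until its entry expires, even if it then talks before the greeting.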