In the context of looking at implementing Postscreen, I’ve read through the postscreen readme, the master.cf man page, and postfix architectural overview docs, but I have some remaining service related questions I might appeal to one of the gurus on the list to help me with.
In a default master.cf file’s first non-comment line, the smtp service uses the smtpd command. I’m not clear why the smtp (client) service would use the smtpd (server) binary. Is there an old convention that drives the naming to be apparently contradictory or am I missing something in my interpretation?

In the postscreen instructions, one of the first steps is to comment out the smtp service line above and uncomment the one that uses the postscreen command instead. I get why, since postscreen is supposed to “screen” out bad clients before letting them talk to smtpd later. Is there anything in this configuration file that indicates this or is the handoff to smtpd built into postscreen itself? Why is there an smtpd service that gets enabled during a postscreen implementation when there wasn’t one before? More specifically, without an smtpd service before, what service was serving smtpd for new smtp connections? The “smtp” service (that seems to actually be smtpd) listed first in the file?

In the smtpd service I just mentioned, the type is pass and not unix. When I looked up the 2 service types in the documentation, they both say, “The service listens on a UNIX-domain stream socket, and is accessible to local clients only.” but the pass type goes on to say, “It receives one open connection (file descriptor passing) per connection request.” I’ve done some further googling, but I can’t figure out what this means in terms of practical use. Can someone explain the practical difference between a unix type service and a pass type service?

Finally, there is ANOTHER service named smtp further down the file between proxywrite and relay that ACTUALLY uses smtp as the command but is of type unix (which, for a client, makes sense). What is the purpose of this instance of service named smtp (like, is it the “real” smtp service used for packaging and sending smtp messages?) and how is it that it does not “conflict” with the instance of smtp service discussed above?
Under what conditions am I allowed to create services that have names which conflict? Only when the types are different (and then, only with certain “different type” combinations)? Or is there a first use rule on services which means that the smtp service above is the only one that gets used? I’m sorry if I’m being obtuse, but some elements of this file are a real head-scratcher for me. If this is covered somewhere outside of http://www.postfix.org/master.5.html, http://www.postfix.org/OVERVIEW.html or http://www.postfix.org/POSTSCREEN_README.html or is discussed in more detail elsewhere on the Internet, please let me know and I’ll keep reading, but I’ve really tried to figure this out on my own to no success. Any assistance would be appreciated.

Thanks,
Scott

P.S. Knowing that the default files drift from version to version and distro to distro, here is my default master.cf file. I put it down here since those who know the file best probably already know what it says. :) It came from a Centos7 minimal install.

<pre>
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}
</pre>
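As an added illustration of the master.cf layout discussed in the post above (example code written for this page, not Postfix code and not part of Scott's message): a small parser that follows the master(5) line rules and keys each entry by its name/type pair, the form postconf -M prints, so the inet smtp listener, the pass smtpd service and the unix smtp delivery client come out as three distinct entries. The sample input is a constructed cut-down of the posted file with the postscreen lines uncommented.

```python
# Added example (not Postfix code, not from the post): minimal parser for the
# master.cf layout above, per master(5): eight whitespace-separated columns,
# '#' comments, continuation lines starting with whitespace. Entries are
# keyed name/type, the form postconf -M prints.
SAMPLE_MASTER_CF = """\
# constructed sample: posted file cut down, postscreen lines uncommented
#smtp      inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
"""
COLUMNS = ("name", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")
SERVICE_TYPES = {"inet", "unix", "fifo", "pass"}

def parse_master_cf(text):
    """Return a list of service dicts; 'id' is the name/type pair."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank or comment line
        if raw[0] in " \t":               # continuation of previous entry
            if not services:
                raise ValueError("continuation line before any service")
            services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("short master.cf line: %r" % raw)
        svc = dict(zip(COLUMNS, fields[:7]))
        if svc["type"] not in SERVICE_TYPES:
            raise ValueError("unknown service type %r" % svc["type"])
        svc["command"], svc["args"] = fields[7], fields[8:]
        svc["id"] = "%s/%s" % (svc["name"], svc["type"])
        services.append(svc)
    return services

def duplicate_ids(services):
    """Exact name/type repeats only; 'smtp/inet' and 'smtp/unix' differ."""
    seen, dupes = set(), []
    for svc in services:
        if svc["id"] in seen:
            dupes.append(svc["id"])
        seen.add(svc["id"])
    return dupes
```

Running `duplicate_ids(parse_master_cf(SAMPLE_MASTER_CF))` on the sample returns an empty list, because no two entries share both name and type; only a second `smtp inet` line would be reported.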