Having recently gone through this same confusion, perhaps some of what I figured out might help. The first column of the master.cf file is the port number for each of the ports that postfix will listen to, or the name of an internal postfix process. In the distributed file, the names from the /etc/services file are used rather than the port numbers. For example, smtp is port 25. However, looking down you will see one line for port 628 (commented out though).
The last argument on each line tells postfix which process to send the request to. That's why postscreen replaces the smtp line with the postscreen process. Postscreen is smart - it injects messages into the system by sending them to smtpd. There is an entry for smtpd (the postfix process) that lets you add restrictions for smtpd. Here is a portion of my master.cf:

smtpd      pass  -       -       n       -       50      smtpd
  -o smtpd_recipient_restrictions=$incoming_smtpd_restrictions
smtp       inet  n       -       n       -       1       postscreen
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       10      smtpd
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o syslog_name=postfix-submission
dovecot    unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}

I use macros defined in main.cf for the restrictions on port 25 (smtp after postscreen) and port 587 (submission). dnsblog and tlsproxy are internal postscreen processes. dovecot is a local delivery via dovecot.

It's a bit difficult at first to see the forest through the trees as the documentation is detailed and complete. However, once you discover the forest, then the documentation will be quite helpful.

-- Doug

> On 9 June 2020, at 14:26, Scott A. Wozny <sawo...@hotmail.com> wrote:
>
> In the context of looking at implementing Postscreen, I’ve read through the
> postscreen readme, the master.cf man page, and postfix architectural overview
> docs, but I have some remaining service related questions I might appeal to
> one of the gurus on the list to help me with.
>
> In a default master.cf file’s first non-comment line, the smtp service uses
> the smtpd command. I’m not clear why the smtp (client) service would use the
> smtpd (server) binary. Is there an old convention that drives the naming to
> be apparently contradictory or am I missing something in my interpretation?
>
> In the postscreen instructions, one of the first steps is to comment out the
> smtp service line above and uncomment the one that uses the postscreen
> command instead. I get why, since postscreen is supposed to “screen” out bad
> clients before letting them talk to smtpd later. Is there anything in this
> configuration file that indicates this or is the handoff to smtpd built into
> postscreen itself?
>
> Why is there an smtpd service that gets enabled during a postscreen
> implementation when there wasn’t one before? More specifically, without an
> smtpd service before, what service was serving smtpd for new smtp
> connections? The “smtp” service (that seems to actually be smtpd) listed
> first in the file?
>
> In the smtpd service I just mentioned, this type is pass and not unix. When I
> looked up the 2 service types in the documentation, they both say, “The
> service listens on a UNIX-domain stream socket, and is accessible to local
> clients only.” but the pass type goes on to say, “It receives one open
> connection (file descriptor passing) per connection request.” I’ve done some
> further googling, but I can’t figure out what this means in terms of
> practical use. Can someone explain the practical difference between a unix
> type service and a pass type service?
>
> Finally, there is ANOTHER service named smtp further down the file between
> proxywrite and relay that ACTUALLY uses smtp as the command but is of type
> unix (which, for a client, makes sense). What is the purpose of this instance
> of service named smtp (like, is it the “real” smtp service used for packaging
> and sending smtp messages?) and how is it that it does not “conflict” with
> the instance of smtp service discussed above? Under what conditions am I
> allowed to create services that have names which conflict? Only when the
> types are different (and then, only with certain “different type”
> combinations)? Or is there a first use rule on services which means that the
> smtp service above is the only one that gets used?
>
> I’m sorry if I’m being obtuse, but some elements of this file are a real
> head-scratcher for me. If this is covered somewhere outside of
> http://www.postfix.org/master.5.html, http://www.postfix.org/OVERVIEW.html
> or http://www.postfix.org/POSTSCREEN_README.html or is discussed in more
> detail elsewhere on the Internet, please let me know and I’ll keep reading,
> but I’ve really tried to figure this out on my own to no success.
>
> Any assistance would be appreciated.
>
> Thanks,
>
> Scott
>
> P.S. Knowing that the default files drift from version to version and distro
> to distro, here is my default master.cf file. I put it down here since those
> who know the file best probably already know what it says. :) It came from a
> Centos7 minimal install.
>
> <pre>
> # Postfix master process configuration file.  For details on the format
> # of the file, see the master(5) manual page (command: "man 5 master").
> #
> # Do not forget to execute "postfix reload" after editing this file.
> #
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> # ==========================================================================
> smtp      inet  n       -       n       -       -       smtpd
> #smtp      inet  n       -       n       -       1       postscreen
> #smtpd     pass  -       -       n       -       -       smtpd
> #dnsblog   unix  -       -       n       -       0       dnsblog
> #tlsproxy  unix  -       -       n       -       0       tlsproxy
> #submission inet n       -       n       -       -       smtpd
> #  -o syslog_name=postfix/submission
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_reject_unlisted_recipient=no
> #  -o smtpd_client_restrictions=$mua_client_restrictions
> #  -o smtpd_helo_restrictions=$mua_helo_restrictions
> #  -o smtpd_sender_restrictions=$mua_sender_restrictions
> #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> #smtps     inet  n       -       n       -       -       smtpd
> #  -o syslog_name=postfix/smtps
> #  -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_reject_unlisted_recipient=no
> #  -o smtpd_client_restrictions=$mua_client_restrictions
> #  -o smtpd_helo_restrictions=$mua_helo_restrictions
> #  -o smtpd_sender_restrictions=$mua_sender_restrictions
> #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> #628       inet  n       -       n       -       -       qmqpd
> pickup    unix  n       -       n       60      1       pickup
> cleanup   unix  n       -       n       -       0       cleanup
> qmgr      unix  n       -       n       300     1       qmgr
> #qmgr     unix  n       -       n       300     1       oqmgr
> tlsmgr    unix  -       -       n       1000?   1       tlsmgr
> rewrite   unix  -       -       n       -       -       trivial-rewrite
> bounce    unix  -       -       n       -       0       bounce
> defer     unix  -       -       n       -       0       bounce
> trace     unix  -       -       n       -       0       bounce
> verify    unix  -       -       n       -       1       verify
> flush     unix  n       -       n       1000?   0       flush
> proxymap  unix  -       -       n       -       -       proxymap
> proxywrite unix -       -       n       -       1       proxymap
> smtp      unix  -       -       n       -       -       smtp
> relay     unix  -       -       n       -       -       smtp
> #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq     unix  n       -       n       -       -       showq
> error     unix  -       -       n       -       -       error
> retry     unix  -       -       n       -       -       error
> discard   unix  -       -       n       -       -       discard
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
> anvil     unix  -       -       n       -       1       anvil
> scache    unix  -       -       n       -       1       scache
> #
> # ====================================================================
> # Interfaces to non-Postfix software. Be sure to examine the manual
> # pages of the non-Postfix software to find out what options it wants.
> #
> # Many of the following services use the Postfix pipe(8) delivery
> # agent.  See the pipe(8) man page for information about ${recipient}
> # and other message envelope options.
> # ====================================================================
> #
> # maildrop. See the Postfix MAILDROP_README file for details.
> # Also specify in main.cf: maildrop_destination_recipient_limit=1
> #
> #maildrop  unix  -       n       n       -       -       pipe
> #  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> #
> # ====================================================================
> #
> # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
> #
> # Specify in cyrus.conf:
> #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
> #
> # Specify in main.cf one or more of the following:
> #  mailbox_transport = lmtp:inet:localhost
> #  virtual_transport = lmtp:inet:localhost
> #
> # ====================================================================
> #
> # Cyrus 2.1.5 (Amos Gouaux)
> # Also specify in main.cf: cyrus_destination_recipient_limit=1
> #
> #cyrus     unix  -       n       n       -       -       pipe
> #  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
> #
> # ====================================================================
> #
> # Old example of delivery via Cyrus.
> #
> #old-cyrus unix  -       n       n       -       -       pipe
> #  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
> #
> # ====================================================================
> #
> # See the Postfix UUCP_README file for configuration details.
> #
> #uucp      unix  -       n       n       -       -       pipe
> #  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> #
> # ====================================================================
> #
> # Other external delivery methods.
> #
> #ifmail    unix  -       n       n       -       -       pipe
> #  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> #
> #bsmtp     unix  -       n       n       -       -       pipe
> #  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
> #
> #scalemail-backend unix -       n       n       -       2       pipe
> #  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
> #  ${nexthop} ${user} ${extension}
> #
> #mailman   unix  -       n       n       -       -       pipe
> #  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
> #  ${nexthop} ${user}
>
> </pre>
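As an added example (not from this thread or from Postfix itself), here is a small parser for the master.cf layout discussed above: it keys entries by the (service, type) pair, which is why "smtp inet" and "smtp unix" coexist, follows the whitespace-indented "-o" continuation lines, and checks that port 25 is fronted by postscreen with the "smtpd pass" hand-off service present. The sample file is constructed after the excerpts in the thread, not either poster's real configuration.

```python
# Added example: parse master.cf entries keyed by (service, type) and
# check the postscreen -> smtpd hand-off. The sample below is constructed
# after the excerpts in this thread, not the posters' real files.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
#smtp      inet  n       -       n       -       -       smtpd
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       50      smtpd
  -o smtpd_recipient_restrictions=$incoming_smtpd_restrictions
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       10      smtpd
  -o syslog_name=postfix-submission
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
"""

def parse_master_cf(text):
    """Return {(service, type): {"command": str, "args": [str, ...]}}.

    Per master(5), a line that starts with whitespace continues the
    previous entry (that is how '-o' overrides are written). Comments
    and blank lines are skipped. The key is the (name, type) pair, which
    is why 'smtp inet' and 'smtp unix' can coexist without a conflict.
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation line with no entry: %r" % raw)
            services[current]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed master.cf line: %r" % raw)
        current = (fields[0], fields[1])
        services[current] = {"command": fields[7], "args": fields[8:]}
    return services

def postscreen_enabled(services):
    """True only when port 25 ('smtp inet') is fronted by postscreen and
    the 'smtpd pass' service that receives the screened connections exists."""
    front = services.get(("smtp", "inet"))
    back = services.get(("smtpd", "pass"))
    return bool(front and front["command"] == "postscreen"
                and back and back["command"] == "smtpd")
```

Running `postscreen_enabled(parse_master_cf(open("/etc/postfix/master.cf").read()))` on a real host reports False for the stock file above (smtp inet still runs smtpd directly) and True once the two lines are swapped as the postscreen README describes.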